2. Ms Rinske Geerlings
MD, Founder and Principal Consultant/Trainer @ Business As Usual (Sydney, Australia)
Risk Consultant of the Year 2017 (RMIA)
Outstanding Security Consultant of the Year 2019 (OSPAs Finalist)
Pandemic: Crisis or Opportunity?
ISO 22301 best practice implementation tips for your BCP
3. Kindly Note:
The speaker will take your questions automatically. If you have any questions, please post them in the chat box.
Please keep your mic muted.
22/10/2020
4. Presenter background
Rinske Geerlings, Founder & Principal Consultant, Business As Usual
• 20+ years of management consultancy experience globally
• Business As Usual (since 2006): Consultancy & training to 14 Central Banks and 100s of other Government/SME/Corporate organisations across Australia, Asia, Africa, Europe and Latin America
• Accredited in Business Continuity (BCM), IT Management, Information Security and Risk Management (trained 1000s of professionals)
• Specific regulatory experience
• Risk Consultant of the Year 2017 - RMIA (Australasia)
• Outstanding Security Consultant of the Year 2019 Finalist - OSPAs
• Australian Business Woman of the Year 2010-13 - BPW (global NGO)
• Alumnus of the Year 2013 – TU Delft
5. Business Continuity and COVID-19
‘The good, the bad and the ugly’
• Not everyone had a pandemic plan, and even fewer had actually tested it
• Little consistency in responses and primarily ad-hoc forms of recovery
• Lack of available (and properly validated) tools for staff to work ‘en masse’ from home (incl. hardware, software, connectivity)
• Communication and management styles not always appropriate for the new ways of work
• Apathy... And laziness!
• ‘Single Points of Failure’ (SPoF)
• Renewed focus on what staff actually love to be/do/have
• Financial damages... But also upsides
22. … plus a LOT of humour!
“At the end of COVID, you are required to wear your mask for 2 weeks in this way, so that your ears can get back to their normal position.”
23. Common BCP pitfalls
• The BCP is too long, or too short, or it resembles ‘Swiss cheese’
• Documents are inconsistent and it’s unclear how they all ‘hang together’
• The right versions are unfindable and the plan is not retrievable when the IT systems are down/unreachable
• The plan doesn’t have clear, easy-to-perform steps and/or lacks a clear role/task description
• The BCP was built with a free template ‘off the Internet’ - and as such is not ‘fit for purpose’
• There is no pre-agreed list of BCP team members, nor any ‘additionals’ and their contact details (and team members do not know their name is on a list of critical staff)
• No proper tests/rehearsals, nor any (induction) training on the BCP is taking place
• The IT Disaster Recovery Plan has not been validated end-to-end (rather than just piecemeal)
• Recovery Time Objectives (RTOs) are determined per application, but go ‘out the window’ if multiple applications are down at the same time
• No centralised notification process, nor a suitable tool that has acknowledgement of message receipt and that works with multiple platforms (e.g. 4G/5G, email etc.)
• Overall ignorance about the importance of future BCP activities (“We did pretty well through COVID, right?”)
All in all, staff are not actually ‘incident ready’
24. Best practice BCP: How to really make ISO 22301 work for you?
1. BC Facilitator team (i.e. not just 1 BCP manager)
2. Dynamic, browser-based BCM framework > prevent ‘collecting dust on the shelf’ (e.g. on a secure network location / SharePoint). Colourful, matrix-style documentation. Hyperlink/utilise what is already there in your organisation.
3. Multi-disciplinary team structure across disaster ‘stages’ (to cater for fatigue and enable feasible exercise scope)
4. Consequence-based planning (i.e. not cause-based)
5. Toolkit approach to BCP activation (‘80/20 rule’ – KISS)
6. ‘Top down’ approach based on time-critical processes
7. Strong focus on communication/notification planning (including acknowledgement, pull communication etc.)
8. Prioritise (be selective in order to get a few processes to work end-to-end)
9. Develop, agree, document and validate any initial/manual workarounds
10. Training, awareness, rehearsing, exercising... To the point of boredom!