Resilience

Resources April 2008, Issue 01

 Global Home
 Search Jobs Presidentspeaks
 Upcoming course
Our mission at BCM Institute, without question, is to create a common
May/June base knowledge of BC Management and DR Planning, to certify qualified
o BCM-100 individuals, and to create credibility by raising the professionalism – bar of
Macau (20/05/08) our certified BC and DR experts. As we kick off our e-newsletter,
o BCM-200
Resilience, we hope that this would be a credible platform to present
New Delhi (03/05/08) and exchange technical revelations, corporate BC/DR experiences as well
Macau ( 21/05/08) as report on the BC/DR community activities in this region.

o BCM-300 Dictionaries will explain that having Resilience, or being resilient, is synonymous with hardiness
Singapore (05/05/08) and resourcefulness, and individuals who are said to display resiliency have exhibited positive
Kuala Lumpur (07/05/08) behavioural adaptation. And the circumstances in which one is deemed as possessing this
Mumbai (12/05/08) positive attribute is often characterized by stress and catastrophe; adapting to difficult, negative
Manila (14/05/08) events.
Beijing (19/05/08)
New Delhi (03/06/08) As practitioners and advocates of BC and DR, this explanation of resilience would immediately
Bangkok (18/06/08) bring to our minds our professional mandate as we serve in our respective roles – the need to
Kuala Lumpur (18/06/08) prepare ourselves individually and instil such a mindset company-wide so much so that our
continuity is not only assured but guaranteed because of our dedication to BCM.
o BCM-400
Singapore(13/05/08) I hope you’d enjoy this newsletter, which I commend to your reading pleasure!
Beijing (23/06/08)
Kuala Lumpur (25/06/08) Dr Goh Moh Heng
President
o DRP-300 BCM Institute
Macau(24/06/08)
Technicalpapers
o BCM-810
Singapore (27/06/08)
Exploring Business Impact Analysis
o BCM-830 Russel Ghem, BCCS
Singapore(29/05/08)
Singapore(18/06/08) Looking back at today’s organization, it operates and behaves exactly like a human anatomy. It
has relevant important departments or business units that create the vital organs of an
o BCM-5000 organization. The blood to an organization in this case is the business processes undertaken by
Mumbai(13/05/08) each staff keep all departments functioning. So the question is, how can we, as a BC
professional, help to take precautionary steps to ensure survivability of the organization?

Resilience | BCM Institute | April 2008

o DRP-5000
Hong Kong (05/05/08)
Singapore(09/06/08)
Newsletter Options
 Unsubscribe Newsletter
 Contact Us
Learn more
Testing a Disaster Recovery Plan
Shad Hafeez, BCCS
The business continuity management process and the
Business Continuity Plan (BCP) need to bring together all
such elements to ensure they adequately address the
organisation's business interruption risks. Designing an effective business continuity plan usually
starts with identifying worst possible post disaster situation. Experiences suggest that the
companies that have experienced a disaster generally divide post disaster activities into two
streams. Learn more

1
People&Events

Interview with Mr. John Decruz from Shell Brunei

Mr DeCruz cited his desire to reinforce his BCP skills and to sharpen
his knowledge of BC principles as two of the key reasons for attending the
recent BCM-5000 course. He was pleased that he also picked up some
nuggets of best practices in BCM from the class interaction. Learn more

Interview with Mr. Wong Mum Thong from Ministry of Home Affairs

BCM Institute’s Resilience interviewer also asked BCM 5000 participant

Wong Mum Thong whether there are any salient differences in the ways
activities for BCP are conducted between government and private sectors.
He answered, ‘…be it a Business Continuity Management (BCM) or Crisis
Management, both are referring to how to deal with (a) crisis.’
Learn more

Meet the Experts

On Friday 18th April, BCM Institute in Singapore

conducted its first Meet The Expert session. Held
at the Furama Riverfront Hotel, the event
attracted 60+ members and their guests who set
aside an afternoon to listen to 3 Experts– Dr
David Smith, BCM Institute’s course instructor
and representative in UK and Africa; Mr Philip
Kee, Managing Director of British Standards
Institution; and Mr Anthony Lee, Honorary
Chairman of ASIS International.
Learn more | Click here for Photo Gallery

Upcoming Courses
Learning is an ongoing process and BCM Institute
is here to provide you with the latest trainings in
Business Continuity & Disaster Recovery Best
Practices. BCM-300 Fundamentals of Implementation
leading to Business Continuity Certified Specialist (BCCS)
certification is a 2 ½ days intermediate course. Followed
by the BCM-400 Advanced Best Practices course leading
to Business Continuity Certified Expert (BCCE) certification in 4 ½ days.

Resilience | BCM Institute | April 2008

ASIS members get 10% discount for upcoming BCM-300 May class.
Sign up both BCM-300 & BCM-400 May classes and get SGD100 off!

News&Views

Dr Goh Moh Heng on the Road

Busy as a bee – This is an exact description of Dr Goh’s schedule. As a professional who is
constantly on top of the latest news and happenings in the Business Continuity and
Disaster Recovery field, Dr Goh is widely known for his skills in conducting informative and
interesting workshops. This is why MNCs from industries across the globe has approached him to
share his knowledge with the aim in enriching their employees with the fundamentals of BC/DR.
Learn more
2
 BCM Forum, http://bcmi.collectivex.com

Come and join the new home for all BC and DR professionals in the world. BCM Forum is
now bigger, faster and better on CollectiveX. BCM Institute aims to build an online community
for the Business Continuity and Disaster Recovery
members to share industry knowledge, exchange
ideas, help one another within the community and
awareness of Business Continuity Management. It
was launched in April 2008 and currently house
more than 330 BC and DR professionals from 22
countries and 54 MMCs!
Learn more

BCM Institute Live, Podcasts

BCM Institute Live is a podcast programme brought to you by BCM Institute editorial
team. BCM Institute Live analyses the Business Continuity Management (BCM) Planning Process
that forms part of the BCM Institute’s training curriculum. In the month of May 2008, a three
brand new weekly podcast series will be released at BCM Forum, 1. BCM-Institute.org series, 2.
BCM Planning Methodology series and 3. “What is” Series, making BCM Institute Live the hub for
BC and DR professionals conversations.
Learn more

ReadingPleasure

The Top 10 IT Disasters of All Time

While technology wasn't to blame per se in the HMRC data loss, there are plenty of
recorded examples where faulty hardware and software have cost the organizations concerned
dearly, both financially and in terms of reputation — and resulted in some near misses for the
public. Here's our considered list of some of the worst IT-related disasters and failures. The order
is subjective — with number one being the worst.
Learn more

Staff&Stuff

Sujoy, Deputy Program Manager

BCM Institute India

Our featured staff for this issue of Resilience is Sujoy from BCMI India.
He is the Deputy Program Manager and is responsible for managing the
sales and logistics for both in-house and public training programs across
India & the Middle East.

Resilience | BCM Institute | April 2008

Learn more

Resilience-Your Feedback Needed

In order to improve your newsletter, we welcome any and all suggestions. Please send
them to resilience@bcm-institute.org.

Copyright 2008 BCM Institute All rights reserved.

Selling, re-distributing or reproducing the information on these pages without prior permission from BCM Institute is strictly prohibited. BCM Institute shall not be
liable for any errors or delays in the content, or for any actions taken in reliance thereon. Members’ technical papers and/or articles and their views therein are not
necessarily the views held by BCM Institute.
BCM Institute, Resilience Newsletter, 315 Outram Road #15-04 Tan Boon Liat Building Singapore 169074
3
Technicalpapers

Exploring Business Impact Analysis

Russel Ghem, BCCS

Business Impact Analysis (BIA) is well known to any BC professional as one of the fundamental focus after Risk Assessment. Before
we start to talk about Business Impact Analysis, we need to know what the purpose of conducting a BIA.

For illustration purposes, a human anatomy is used as an example and reference in this article. We all know that different organs
within a human body perform different critical functions. The heart keeps the blood pumping through the entire body and the lungs
bringing oxygen to the body. Blood and the blood vessels in a human body transport nutrients and oxygen across all vital organs.
Assuming if there is a deadly virus that attacks a human body, it can cause devastating damage or harm. If the human body is not
strong enough to heal against the virus attack, the human body may succumb to failure and maybe death may occur. Seeking
medical attention will allow a doctor to diagnose the problem and prescribed necessary medication to heal or cure the virus attack.
From experience learnt, one may take precautionary steps to immunize the body against virus attack. This is how a human behaves
and survive.

Looking back at today’s organization, it operates and behaves exactly like a human anatomy. It has relevant important departments
or business units that create the vital organs of an organization. The blood to an organization in this case is the business processes
undertaken by each staff keep all departments functioning. So the question is, how can we, as a BC professional, help to take
precautionary steps to ensure survivability of the organization? Base to earlier illustration, we must first of all understand what it
takes for an impact to hit an organization and to find out as much information as possible based on such impact on an organization.
The process of finding out the information is through a conduct of BIA.

By conducting a BIA, it will enable the BC professional to understand an organization’s critical business processes and ranking of
critical processes by time scale. A well structured BIA can further determine business unit or business process workflow and process
dependency. From the data and information gathered from BIA, a BC professional can develop necessary strategies to prevent a
potential impact to an organization – immunization.

Conducting BIA is always a time consuming process, therefore BC professional should plan ahead before attempting to have staff
participation. It is definitely important and required to obtain full management support from executives or senior management
before a BIA is attempted or carried out. It is very unlikely that mangers or staff will be prepared to dedicate time to this exercise
unless this management support is gained or demonstrated. Depending on the data information exhaustiveness one wish to gather
on BIA, more time is definitely required from the staff.

The data or information obtained from BIA primarily comes from the questionnaire answered by the organization staff. Staffs from
various department or business units are usually the key to the provision of authentic data and information through answering the
BIA questions. It is very important to have top executive or most senior management group to support the conduct of BIA. Line
managers or middle management will unlikely be prepared to dedicate their time for this BIA unless executive or senior
management support is demonstrated.

Resilience | BCM Institute | April 2008

There are few areas a BC professional should take note before conducting BIA as to ensure the effectiveness of the BIA survey:

1. Interview method or through questionnaire answering

There are various methods of asking relevant BIA questions and to gather the answer from the staff or end user. Interview method is
much preferred but on the flip side, it is time consuming. On the other hand, through questionnaire handout to end user, it may be a
quick and time efficient way to perform the BIA. Staff can easily answer the questions directly on the handout. Do bear in mind; the
quality of information may suffer.

4
2. Open ended or close ended questions
Open ended questions are much preferred if you are adopting interviewing method for your conduct of BIA but never set an open
ended question in your questionnaire handout. Open ended question in questionnaire handout will yield unwanted or erroneous
answer to the question. Always pose or set close ended question in the questionnaire handout as this will help the end user to focus
on the question.

As a rule of thumb, always set or ask question where end user can understand and avoid misleading question or jargon. Do not use
industry lingo or acronyms in the questions. If acronyms have to be used, it must be explained as a footnote or in glossary page.

3. Exhaustive or simple information gathering

As pointed out in point 1, depending on your planning schedule, exhaustive information gathering on BIA is always a good start for
organization that is new to Business Continuity. This will yield a fundamental foundation of information for the BC professional to
work on relevant activities and business continuity strategies.

However, depending on the complexity of the department or business unit, a BC professional should decide between practicalities
versus time factor during BC planning.

4. Mode of data gathering (i.e. off-the-shelf BIA software tool or manual template creation)
There are several available tools on market where BC professional can purchase to assist in their BIA conduct. One common tool
known to the BC industry is known as BIA professional by Strohl. Alternatively, one could also develop a simple BIA template out of
Microsoft word or excel depending on which is more preferable. There are pros and cons to each method described above but BC
professional should take an objective view to select what is the most practical approach for the organization.

5. Analyzing BIA data

Once the BIA data are gathered and consolidated, it must be further analyzed and mapped across system technology. It is advisable
that Information Technology (IT) subject matter experts (SME) are invited to provide relevant important technical guidance,
information and advice. The participation from Information Technology is critical to help the BC professional to fully understand the
business processes’ dependency on systems and technology. Unless a particular business process is manual driven, then IT advice is
kept minimal.

Above pointers are just some general guidelines and tips that a BC professional may follow as a guide. The degree of complexity on
BIA questions depends very much on the organization structure. Complex organization structure will require a more complex and
comprehensive BIA in order to capture the true authenticity of data gathered.

Do not get into a pitfall by setting or asking too many or complicated questions or jargons are used in the questions during the
conduct of BIA. BC professional will definitely know what the question is asking but, do take note that end users may not be BC
trained and may not understand the question at all. It is important to note that the questions set or asked should be end user
oriented. The trick is to put yourself in the end user’s environment and help them to understand the questions that you want to ask.
Great deal of time is always lost when BIA answers from end user do not yield what you want or if it is in correct. Time is spent again
on answer clarifications with the end user.

Before you embark on this time consuming BIA task, do ensure that sufficient time is allocated and proper project management to

Resilience | BCM Institute | April 2008

ensure the BIA completes on time. If not, it is going to have a detrimental impact to the rest of the Business Continuity planning
activities.

About the author:

Russell Ghem is a Business Continuity Manager with Visa Inc for Asia Pacific region. He is also a Business Continuity Certified Specialist (BCCS) with
Business Continuity Management Institute (BCM Institute) and Certified Business Continuity Practitioner (CBCP) with Disaster Recovery Institute (DRI). He
is responsible for 22 regional offices’ Business Continuity Management program in Asia Pacific. Russell also ensures the Business Continuity
Management program is well adopted and implemented for all offices in accordance to company’s control objectives and standards.

5
 Testing a Disaster Recovery Plan
Shadah Hafeez

A common misconception among most of the companies implementing BCP DRP is that the management tends to relax as soon as a
plan is put in place. They begin to feel good about the fact that they are now compliant with some well known regulatory bodies as
they now have a full fledged BC DR plan in place. They are unmindful of the fact that the very plan that they have used to gain
credits and bag new projects has to be TESTED first to check for effectiveness.

Its been observed in one of the opinion polls conducted by Disaster Recovery Journal that over 60% of the respondents had not
tested their DR plans since the implementation, and around 22% of the respondents had tested their plans not more than thrice
post the implementation. I am certain most of these respondents would’ve begun testing their plans post 9/11. However, does one
need a 9/11, a Katrina or a Tsunami to realize the importance of testing our plans? Sadly, most organizations gave importance to BC
DR in the wake of 9/11.

This shift in priority came as the management was now a lot keener on acquiring and implementing the concept of disaster recovery.
In other words, CIOs around the world felt that the only way to proceed was to plan for, and ensure continuity in operations under
any circumstances. In my opinion, 2001 was the time when DR clearly started moving up the priority list of many organizations

As in many other fields in the business community, management buy-in for any activity is very important. Apart from the financial
support (which is important), involvement of top tier management in the DR planning entrusts a feeling of seriousness in the entire
activity. This is probably one of the reasons why at the end of each phase in the BC or DR planning, a management sign off is
suggested as a requirement. Some of the key factors that push the management in exercising a DR plan are:

 Incase of a disaster, an untested plan could actually turn out to be a lot more dangerous as the assumptions mentioned in
the plan were never really weighed out.
 DR planning is an ongoing activity and so testing or exercising of plans are always integral parts of the DR planning.

Now, the most important question comes into picture

What do we test first?

To answer this, we would have to get into the core of the planning process. Each process which has been classified as critical should
be reassessed based on the findings from the Business Impact Analysis and the Residual Risk (portion of risks remaining after the
security measures have been applied) from the Risk Assessment. The personnel responsible for recovery should ideally look at
simplifying the process by introducing some kind of a grading system, based on which the management can take effective decisions.

From the above methodology, you can identify which elements to test. So, our next question would be,

How do we look at putting our theory into practice?

Resilience | BCM Institute | April 2008

This would be achieved by selecting appropriate testing strategies.

Organizations such as eBRP and Strohl Systems have come out with their full fledged BCP DRP toolkits. These toolkits do have the
capability to prepare different types of testing strategies. This by the way makes the job of BC DR Planners a lot easier. The world of
BC DR planning has come a long way from the age of customized templates (I must say which is still widely being used) to the new
sophisticated toolkits. But the underlying idea behind the testing strategy remains the same and it is:

 The plan should be tested to its maximum extent.

 There are no service disruptions or minimal service disruptions.
 Each and every test should given ample reassurance in the recovery capabilities and thereby adding valuable information to
the plan maintenance.

6
Let me list some of the most commonly used testing strategies. Some of them can be classified as the most valuable tools for a DR
team.

1. Usage of Check Lists:

Check lists are one of the most common and by far the most pocket friendly (I mean inexpensive) tool in DR planner’s
repertoire. It can also act as a backbone to the entire testing cycle. To make an effective checklist, try to partition out the
areas of responsibility and teams for each business. It’s always good to use the people within the business to prepare the
checklist, the primary motivation being that they are aware of all the things that are critical to their business. For example,
a checklist for a critical technical helpdesk would comprise of the following:

 Call tree verification.

 Key standard operating procedure validation.
 List of the hardware and software requirements for the process.
 Availability of process specific resources during the DR implementation. (Such as login ids, call master ids etc)
 Recovery plans and all necessary manuals.

2. Conducting Walk Throughs:

Walk Throughs are often used in tandem with the checklists used from a prior exercise. The main idea behind a walk
through is to check for the effectiveness of the plan or identify any gaps in the plan. This type of test allows you to include a
large group of people into the test so that their knowledge and experience can be used to a great extent.

3. Conducting a Simulation:
As the name suggests, a simulation of a disaster is used so that normal operations are not interrupted during a testing
exercise. Hardware, software, personnel, transportation and alternate site processing should be tested in a simulation test.
Moving of equipment or the elimination of voice or data communications may not be practical during a simulated test.

Here you can use checklists, as they provide a reasonable level of assurance for some of the scenarios.

It’s considered as a best practice, if the simulation test is implemented only after the checklists and walk through exercise
results have been validated.

Make sure that you have analyzed the output of the earlier tests carefully before the simulation is done to ensure the
changes proposed after the previous tests have been incorporated into the plan.

4. Conducting a Parallel Test:

One of the most critical tests and can be used in tandem with the checklist test or simulation test. In this test, historical
transactions such as the prior day’s transactions are processed against preceding day’s backup at hot site. All the reports
produced at the alternate site for the current business date should agree with those reports produced at the alternate
processing site.

5. Conducting a Full Interruption Test:

Yes!! You guessed it right. This test activates the entire disaster recovery plan. Let me tell you, this test can be very costly

Resilience | BCM Institute | April 2008

and can also lead to disruption of normal operations, and therefore should be approached with caution.

In all the different types of tests discussed, one thing remains common - to maintain due diligence with respect to previous phases
of the cycle.

Industry experience also states that there will be huge surprises and unexpected results in the first few tests that you conduct. The
more you refine your testing strategies the better are your chances for reducing any errors. I would prefer extensively using the
Checklists and conducting Walk Throughs in the early stages of the cycle.

It isn’t necessary that the 5 steps mentioned above have to be followed to conduct an effective exercise. But ideally, the Checklists,
Walk Throughs and Simulations should be a part of any testing exercise.

As I close this article (which I presume would be helpful) I would like to reiterate the fact that regular DR testing would always show
us whether or not our plan is capable of restoring the business in case of a disaster. 7
References:

Disaster Recovery Journal Current Surveys

URL: http://www.drj.com/surveys/robpoll/drj_surveys.htm

Disaster Recovery Journal Glossary

URL: http://www.drj.com/glossary/glossleft.htm

About the Author

Shadah Hafeez is an Information Security Professional working for GENPACT, INDIA. For the last 5.5 years, his activities in BCP/DRP include
preparing analyzing, preparing plans & BIA for clients. He uses 3rd party s/w like eBRP and Strohl. He also conducts DR tests for clients, and
occasionally teaches at workshops on BC planning. Shah is currently assigned to USA for 2 years, and likes techno trance music, paints occasionally
and hopes one day to learn music.

People&Events

Interview with Mr. John Decruz from Shell Brunei

Mr DeCruz cited his desire to reinforce his BCP skills and to sharpen his knowledge of BC principles as
two of the key reasons for attending the recent BCM-5000 course. He was pleased that he also picked up some
nuggets of best practices in BCM from the class interaction.

When asked about challenges faced as a senior BC practitioner, Mr DeCruz said that it is always important to
get senior management’s awareness and their approval. A way to achieve this, he offered, is to conducting internal awareness
workshops to get information across for buy-in. It is imperative that key personnel know about the relevance of BCP at all levels, and
foster a top down emphasis with this conviction. In relation to this, he added, roles & responsibilities in each BU are important and
should be honed by conducting annual simulations & exercises

BCM Institute’s Resilience interviewer also asked Mr DeCruz about the qualities Shell looks for in a BCP manager / coordinator, to
which he replied, ‘…(to succeed)..he/she must be dedicated and with good interpersonal skills and not someone new to the
org….must understand the business function well ...’

Interview with Mr. Wong Mum Thong from Ministry of Home Affairs

BCM Institute’s Resilience interviewer also asked BCM 5000 participant Wong Mum Thong whether there are
any distinct difference in the way activities for BCP are conducted between government and private sectors. He
answered, ‘…be it a Business Continuity Management (BCM) or Crisis Management, both are referring to how

Resilience | BCM Institute | April 2008

to deal with disruption in the norm and instability in the status quo.’

Mr Wong mentioned that from his perspective, ‘Crisis, from a business perspective maybe one of the
disruptions to their critical business function or processes, from the perspective of the government, crisis can mean disruptions
impacting the whole nation, life and social orders. He further added that it is important for all sectors to be concerned with BCM and
in crisis management. He commented further that participating in the program enables him to understand the concept of BCM as
applied in the corporate world and would facilitate his engagement of the corporate sector in crisis management.

8
 Meet the Experts

Meet the Expert event in Singapore Friday 18th April 2008-04-21

On Friday 18th April, BCM Institute in Singapore conducted its first Meet The Expert session. Held at
the Furama Waterfront Hotel, the event attracted 60+ members and their guests who set aside an
afternoon to listen to 3 Experts– Dr David Smith, BCM Institute’s course instructor and
representative in UK and Africa; Mr Philip Kee, Managing Director of British Standards Institution;
and Mr Anthony Lee, Honorary Chairman of ASIS International.

The objective of this bi-monthly session is to present critical thinking on BC & DR and current
industry practice from the viewpoint of seasoned practitioners, and for members to engage experts vis a vis their own environment.

Dr Smith (far left) entitled his presentation Flood, Fire and Fraud. It was centred on recent
disasters in the UK, and the extent to which it affected the environment and businesses.
Mr Kee (left) talked about BS25999 which is the UK standard equivalent of the TR19
standard for BCM. Lastly, Mr Lee brought up the issue, ‘Challenging Environments in Asia
requires Response Planning’.

Immediately following the presentations, a Q&A was convened and a 4 member

expert panel formed, comprised the 3 speakers, with Mr Nicholas Rushton-Young (far
right, seated next to Mr Anthony Lee), one of our members and instructor forming the
4th expert. Member David Chin challenged the panel with his question ‘Should BC
Professionals be held legally responsible should BC Plans fail when activated’ –
(summarized by editor). This prompted lively discussion from both the floor and the
panel.

The event ended with an Awards Ceremony, a regular feature of BCM Institute’s gathering, to
recognize recent awardees with their certificates. One of the 6 recipients, Ms Carolynn Lock, is
shown here receiving her BCCE certificate from Sim Cher Young, BCM Institute’s Executive

Resilience | BCM Institute | April 2008

Director. (Editor’s note: 28 members were awarded certification, but only 6 could attend the
event that day).

Click here for Photo Gallery

9
News&Views

Dr Goh Moh Heng on the Road

Busy as a bee – This is an exact description of Dr Goh’s schedule. As a professional who is constantly on top of the latest news
and happenings in the Business Continuity and Disaster Recovery field, Dr Goh is widely known for his skills in conducting
informative and interesting workshops. This is why MNCs from industries across the globe has approached him to share his
knowledge with the aim in enriching their employees with the fundamentals of BC/DR.

In this section, the Resilience team would like to share with its readers a few notable events which Dr Goh participated in, namely
a Tabletop exercise for Housing Board Development (HDB) based on BCM Institute’s BCM-2050: Practical Tools for Conducting the
Disaster Simulation Exercise in January (Singapore); receipt of token from the Minister of Manpower at the CEP conference on 1st
April (Singapore); and last but not least, a Bangkok BCP Seminar conducted in March where Dr Goh was voted 2 nd best speaker out
of eighteen presentations.

In addition, Dr Goh is actively involved in conducting in-house courses and has specially flown in to countries like Finland, as well as
Asian countries like Thailand, Malaysia, India and Philippines in the first quarter of 2008 for these workshops.

Please tune back to this section on the next issue of Resilience for more updates on Dr Goh and his travels. Till then!

BCM Forum has moved to CollectiveX!

http://bcmi.collectivex.com

Come and join the new home for all BC and DR professionals in the world. BCM Forum is now
bigger, faster and better on CollectiveX. BCM Institute aims to build an online community for
the Business Continuity and Disaster Recovery members to share industry knowledge,
exchange ideas, help one another within the community and awareness of Business
Continuity Management. It was launched in April 2008 and currently house more than 340 BC and DR professionals from 22
countries and 54 MMCs!

The objectives of this forum are, to keep the online community the latest BC and/or DR news and development, global and local
disasters, events, pandemic flu, standards; one stop site for all BC and DR knowledge and more importantly for BCM Institute
members to network, share knowledge and learn from global BC and/or DR experts and peers and job opportunities.

If you have not done so, please do so by visiting http://bcmi.collectivex.com/join

BCM Institute Live, Podcasts

Resilience | BCM Institute | April 2008

BCM Institute Live is a podcast programme brought to you by BCM Institute editorial team. BCM Institute Live analyses the
Business Continuity Management (BCM) Planning Process that forms part of the BCM Institute’s training curriculum. In the month of
May 2008, a three brand new series will be released at BCM Forum, the BCM-Institute.org series, BCM Planning Methodology series
and “What is” Series, making BCM Institute Live the hub for BC and DR professionals conversations.

1
0
 The top 10 IT disasters of all time*

While technology wasn't to blame per se in the HMRC data loss, there are plenty of recorded examples where faulty hardware and
software have cost the organizations concerned dearly, both financially and in terms of reputation — and resulted in some near
misses for the public.

Here's our considered list of some of the worst IT-related disasters and failures. The order is subjective — with number one being
the worst.

1. Faulty Soviet early warning system nearly causes WWIII (1983)

The threat of computers purposefully starting World War III is still the stuff of Science Fiction, but accidental software glitches have
brought us worryingly close in the past.

Although there are numerous alleged events of this ilk, the secrecy around military systems makes it hard to sort the urban myths
from the real incidents. However, one example that is well recorded happened back in 1983, and was the direct result of a software
bug in the Soviet early warning system.

The Russians' system told them that the US had launched five ballistic missiles. However, the duty officer for the system, one Lt Col
Stanislav Petrov, claims he had a "...funny feeling in my gut", and reasoned if the US was really attacking they would launch more
than five missiles.

The trigger for the near apocalyptic disaster was traced to a fault in software that was supposed to filter out false missile detections
caused by satellites picking up sunlight reflections off cloud-tops.

2. The AT&T network collapse (1990)

In 1990, 75 million phone calls across the US went unanswered after a single switch at one of AT&T's 114 switching centres suffered
a minor mechanical problem, which shut down the centre. When the centre came back up soon afterwards, it sent a message to
other centres, which in turn caused them to trip and shut down and reset.

The culprit turned out to be an error in a single line of code — not hackers, as some claimed at the time — that had been added
during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.

3. The explosion of the Ariane 5 (1996)

In 1996, Europe's newest and unmanned satellite-launching rocket, the Ariane 5, was intentionally blown up just seconds after
taking off on its maiden flight from Kourou, French Guiana. The European Space Agency estimated that total development of Ariane
5 cost more than $8bn (£4bn). On board Ariane 5 was a $500m (£240m) set of four scientific satellites created to study how the
Earth's magnetic field interacts with Solar Winds.

According to a piece in the New York Times Magazine, the self-destruction was triggered by software trying to stuff "a 64-bit number
into a 16-bit space"."This shutdown occurred 36.7 seconds after launch, when the guidance system's own computer tried to convert

Resilience | BCM Institute | April 2008

one piece of data — the sideways velocity of the rocket — from a 64-bit format to a 16-bit format. The number was too big, and an
overflow error resulted.

When the guidance system shut down, it passed control to an identical redundant unit, which was there to provide backup in case of
just such a failure. But the second unit had failed in the identical manner a few milliseconds before. And why not? It was running the
same software," the article stated.

4. Airbus A380 suffers from incompatible software issues (2006)

The Airbus issue of 2006 highlighted a problem many companies can have with software: what happens when one program doesn't
talk to the another. In this case, the problem was caused by two halves of the same program, the CATIA software that is used to
design and assemble one of the world's largest aircraft, the Airbus A380.

This was a major European undertaking and, according to Business Week, the problem arose with communications between two
organisations in the group: the French Dassault Aviation and a Hamburg factory.
1
1
Put simply, the German system used an out-of-date version of CATIA and the French system used the latest version. So when Airbus
was bringing together two halves of the aircraft, the different software meant that the wiring on one did not match the wiring in the
other. The cables could not meet up without being changed.
The problem was eventually fixed, but only at a cost that nobody seems to want to put an absolute figure on. But all agreed it cost a
lot, and put the project back a year or more.

5. Mars Climate Observer metric problem (1998)

Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space programme that, in 1998, was supposed
to study the Martian weather, climate, and water and carbon dioxide content of the atmosphere. But a problem occurred when a
navigation error caused the lander to fly too low in the atmosphere and it was destroyed.

What caused the error? A sub-contractor on the Nasa programme had used imperial units (as used in the US), rather than the Nasa-
specified metric units (as used in Europe).

6. EDS and the Child Support Agency (2004)

Business services giant EDS waded in with this spectacular disaster, which assisted in the destruction of the Child Support Agency
(CSA) and cost the taxpayer over a billion pounds.

EDS's CS2 computer system somehow managed to overpay 1.9 million people and underpay around 700,000, partly because the
Department for Work and Pensions (DWP) decided to reform the CSA at the same time as bringing in CS2.

Edward Leigh, chairman of the Public Accounts Committee, was outraged when the National Audit Office subsequently picked
through the wreckage: "Ignoring ample warnings, the DWP, the CSA and IT contractor EDS introduced a large, complex IT system at
the same time as restructuring the agency. The new system was brought in and, as night follows day, stumbled and now has
enormous operational difficulties."

7. The two-digit year-2000 problem (1999/2000)

A lot of IT vendors and contractors did very well out of the billions spent to avoid what many feared would be the disaster related to
the Millennium Bug. Rumours of astronomical contract rates and retainers abounded.

And the sound of clocks striking midnight in time zones around the world was followed by... not panic, not crashing computer
systems, in fact nothing more than new year celebrations.

So why include it here? That the predictions of doom came to naught is irrelevant, as we're not talking about the disaster that was
averted, but the original disastrous decision to use and keep using for longer than was either necessary or prudent double digits for
the date field in computer programs. A report by the House of Commons Library pegged the cost of fixing the bug at £400bn. And
that is why the Millennium Bug deserves a place in the top 10.

8. When the laptops exploded (2006)

Resilience | BCM Institute | April 2008

It all began simply, but certainly not quietly, when a laptop manufactured by Dell burst into flames at a trade show in Japan. There
had been rumours of laptops catching fire, but the difference here was that the Dell laptop managed to do it in the full glare of
publicity and video captured it in full colour. (Unfortunately, the video capturing the incident appears to have vanished from the
web. If you happen to own a copy, please send it to us as it should make interesting viewing again.)

"We have captured the notebook and have begun investigating the event," Dell spokeswoman Anne Camden reported at the time,
and investigate Dell did. At the end of these investigations the problem was traced to an issue with the battery/power supply on the
individual laptop that had overheated and caught fire. It was an expensive issue for Dell to sort out. As a result of its investigation
Dell decided that it would be prudent to recall and replace 4.1m laptop batteries. Company chief executive Michael Dell eventually
laid the blame the for the faulty batteries with the manufacturer of the battery cells — Sony. But that wasn’t the end of it.

Apple reported issues for iPods and Macbooks and many PC suppliers reported the same.Matsushita alone has had to recall around
54 million devices. Sony estimated at the time that the overall cost of supporting the recall programmes of Apple and Dell would
amount to between ¥20bn (£90m) and ¥30bn
1
2
9. Siemens and the passport system (1999)

It was the summer of 1999, and half a million British citizens were less than happy to discover that their new passports couldn't be
issued on time because the Passport Agency had brought in a new Siemens computer system without sufficiently testing it and
training staff first.

Hundreds of people missed their holidays and the Home Office had to pay millions in compensation, staff overtime and umbrellas
for the poor people queuing in the rain for passports. But why such an unexpectedly huge demand for passports? The law had
recently changed to demand, for the first time, that all children under 16 had to get one if they were travelling abroad.

Tory MP Anne Widdecombe summed it up well while berating the then home secretary, Jack Straw, over the fiasco: "Common sense
should have told him that to change the law on child passports at the same time as introducing a new computer system into the
agency was storing up trouble for the future."

10. LA Airport flights grounded (2007)

Some 17,000 planes were grounded at Los Angeles International Airport earlier this year because of a software problem. The
problem that hit systems at United States Customs and Border Protection (USCBP) agency was a simple one caused in a piece of
lowly, inexpensive equipment.

The device in question was a network card that, instead of shutting down as perhaps it should have done, persisted in sending the
incorrect data out across the network. The data then cascaded out until it hit the entire network at the USCBP and brought it to a
standstill. Nobody could be authorised to leave or enter the US through the airport for eight hours. Passengers were not impressed.
[*Written by Colin Barker, ZDNetUK, News.com Posted on ZDNet News: Nov 27, 2007 12:00:00 AM. Also posted as ZDNet UK’s list of top 10 IT
failures by Michael Krigsman @ 7:39 am]

Staff&Stuff

Sujoy, Deputy Program Manager

BCM Institute India

Sujoy works with BCMI India as a Deputy Program Manager for the last 1 ½ years. He is responsible for
managing the sales and logistics of our in-house and public training programs across India & the Middle
East.

He gives a description of himself: “I was born in early 1984 and graduated with a Bachelor of Business
Studies (Marketing) from Delhi University in 2005. I am currently single, and intend pursuing an MBA once I
have gain relevant work experience. .

Resilience | BCM Institute | April 2008

I believe in making life as exciting as possible, raising my personal standards at every opportunity. Since BCP is still at its growth stage
in India, marketing and selling BC programs is exciting and a challenge that I look forward to everyday. Indian companies need BCP
expertise and I view my work in BCM Institute as a valued service to these organizations. It has been a highly satisfying, learning
experience. I feel especially proud whenever we are regarded as domain experts and “gurus” by some of the world’s most respected
organizations.

I enjoy motorcycling in the mountains, travel, adventure sports like white water rafting, playing computer games and reading books
on military topics. “

1
3