29 March 2025

Battle-Tested Strategies: for Mission Critical Activities...

Mission Critical Activity (MCA)

Critical operational and/or business support, service or product related activity (provided internally or externally), including its dependencies and single points of failure, which enables an organization to achieve its business objective(s), taking into account seasonal trends and/or critical timing issues.

The trend to create "virtual" organizations raises a number of new issues as it pertains to interdependencies and single points of failure. The ability to provide sourcing alternatives in the event of a catastrophic failure of an MCA provider is a key priority. As the trend becomes more operationally and logistically complex, organizations must exercise more often to determine where process or system weaknesses occur.

An organizational Business Crisis & Continuity Management (BCCM) strategy ensures resilience and high reliability of MCAs. At the process level is a documented framework that identifies the organization's MCAs in the context of products or services.

Each MCA should have its own BCM strategy that provides clarity on how the organization will provide protection for the MCA.

One key outcome is the definition of the BCCM relationship, positioning and connection with other risk-related functions, e.g. Operational Risk Management (ORM). A critical component of getting this BCCM relationship connected with the risk management culture is awareness and education training.

Merely documenting a strategy and plan provides a narrow and limited method of fully developing a true BCCM culture.

Ownership of BCCM by organizational lines of business, especially where Operational Risk originates and resides, is paramount. No matter how well designed a strategy may be, exercising and testing on a regular basis is necessary to identify potential issues during a real incident.

Good quality exercises rely on specific and relevant scenarios in the actual locations, facilities and with normal personnel in place.

And no BCCM is complete without measurement and audit. You must verify compliance independently to highlight key material deficiencies and issues to ensure their resolution.

Each stage of the BCCM life cycle may require a unique audit process depending on the maturity of that stage of the life cycle.

At the end of the day, the question is this.

Has the organization introduced risk management controls to eliminate, mitigate, reduce or transfer the effects of identified threats, vulnerabilities, exposures or liabilities to MCAs?

22 March 2025

Corporate Directors: Continuous Continuity (C2) of the Enterprise...

The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity.

A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity".

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, opens the door to a Board of Directors' worst nightmare.

These nightmares are "Loss Events" that could have been prevented or mitigated altogether.

The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

  • Table-top testing: Discussing how business recovery arrangements would react by using example interruptions
  • Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles
  • Technical recovery testing: Testing to ensure information systems can be restored effectively
  • Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location
  • Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions
  • Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

Many of these best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here.

What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as supply chain management. The effective BCCM framework will become a core process within the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real time. This takes the operational management that much closer to C2, or "Continuous Continuity".

Having survived several large quakes in Southern California in years past, we are not sure that all of the testing in the world can prepare people for human behaviors that come from within.

"People literally lose all sense of common sense when you are on the 42nd floor of the 50+ sky scraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people."

Certainly the largest organizations realize that the external threats are taking on new and different forms than the standard fire, flood, earthquake and twister scenarios. These historically large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the internal facets of the organization having to do with people, processes and systems.

Corporate Boards of Directors are now being continuously subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise.

It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.

Corporate Directors are ultimately responsible for Continuous Continuity (C2) of the Enterprise…

15 March 2025

Security Governance: Corporate Emergency Response Team (CERT)...

You can be a proud CxO if you can confidently say that in the event of a "Crisis" your employees are trained and ready to handle it.

You can never predict human behavior in the face of a sudden and shocking incident.

If your company doesn't have "Corporate Emergency Response Teams" (CERT) exercising test scenarios monthly or quarterly, you face the consequences of poor Operational Risk Management (ORM): losses that could have been prevented.

We are still amazed at how many “Executive Rows” we visit that still don’t have an AED within arm's reach in the event of a heart attack.

Protecting corporate assets first begins with common sense and then expands exponentially from there.

How will you and your CxOs provide your employees with privacy as U.S. citizens and remain vigilant against all potential insider threats?

Programmatic Data Privacy and Integrity is the real issue at stake here.

“Enterprise Security Governance will provide the mechanisms and controls necessary for the Patriot Act to operate with the highest degree of assurance.”

Our civil liberties are still in force and will be there to protect everyone who is an American.

What we must not waver on is the need to modernize, to re-equip and to create more robust "Correlation Centers". Perhaps with AI and always with trained Intel Analysts.

The fact is, our intelligence analysts in enforcement are under attack every day by more savvy and increasingly powerful adversaries.

The establishment of a more robust, pervasive and technologically superior force to defend our Homeland today is still in the maturation stages.

What is paramount now, at this stage of growth, is for the framework of your own organization's “Security Governance” to be injected into each stakeholder.

The policies, ethics and controls must be there to guide those who are protecting our privacy while simultaneously allowing us to accelerate our countermeasures to Deter, Detect and Defend against those who will continue to attack us.

The Patriot Act will remain a powerful asset to those who wake every morning to ensure the Confidentiality, Integrity and Availability of information in our country and to protect the American people…

09 March 2025

The Third Alternative: A Precarious Future...

"If we really believe what we say we believe - if we really think that home is elsewhere and that this life is a "wandering to find home", why should we not look forward to the arrival. There are, aren't there, only three things we can do about death: to desire it, to fear it, or to ignore it. The third alternative, which is the one the modern world calls "healthy" is surely the most uneasy and precarious of all." C.S. Lewis (Letters to an American Lady)

How will your life change, now that she is gone and she is truly home?

Have faith in the journey ahead with the confidence she is safe, sound and secure forever.

Your mission forward shall be to explore your own course of activities and actions to continue to give back. To invest in those new people who need you most now.

You see, your mission ahead is to find ways to help others you care about who can thrive from your advice. Your love. Your experience.

Relationships. >>>>> Results. >>>>> Rewards.

Find the time to build on your relationships with others and to increase the true value of the relationship mutually.

The increased value of the relationship will take time to discover and yet the trust and sharing will produce the most favored results.

Count the results and realize what and how the results will continue forward in time. Analyze the results and determine the changes that might be necessary.

Feel and process the rewards. Cherish the time and feelings you now have earned.

Look up...

Recognize that your time and your efforts are valuable and that it all begins with the “relate.”

You know, the way you behave initially with that person each time, to further build the relationship.

Your words and your actions collaborating with others shall provide you with the ongoing satisfaction and desirable outcomes you shall always seek.

Continue to cherish those Relationships, Results and Rewards that will make her so proud of you, before you see her again…

Godspeed!