Risky Thinking
October 2013
Michael Z. Bell, Principal Consultant

Risky Thinking is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management.

To subscribe, visit: http://www.RiskyThinking.com/newsletter

For more information and articles, visit the RiskyThinking website at

In This Issue
  • Why Business Continuity Needs Standards
  • New Risk Assessment Toolkit
  • News: CrypoLocker, Risk Ranking of Cities, Terror after Osama Bin Laden, and more
  • Risk Assessment / BIA Seminar Dates and Locations
  • Administrivia, Subscribing and Unsubscribing

Why Business Continuity Needs Standards

It's possible (and quite common) to create a business continuity plan (and a business continuity program) without standards. 

Why then should you consider the use of a standard?

There are two major reasons:

  1. The supply chain may require it.
  2. Your lawyers may demand it.

The Supply Chain Reason

Let's imagine you are part of a complex supply chain. You produce a product critical to your company's operations, and in order to produce that product, you consume the products and services of ten other companies.

Naturally, you have a business continuity plan in place. It is (genuinely) a wonderful plan. You know it is a wonderful plan. It's been tested (as far as is possible), and you are completely happy with it. 

But what you are less sure about is your suppliers. You know that there is a significant (if not large) risk that any company can suffer a major incident. From reading around, you have decided that this risk is about 5% a year. i.e. a company can expect to suffer a major incident about once in twenty years. 

Now you start doing the math. If each of your ten suppliers has a 5% risk of an incident in a year, then the probability of you having a problem this year due to at least one  supplier is 40%. [Not a misprint. If you thought it was 50% you either didn't read the previous sentence carefully or didn't pay enough attention at school.] That's significant. It 's considerably bigger than your own probability of having an incident. And it's not under your direct control. 

So you write to each of your suppliers, asking them what Business Continuity Program they have in place. 

They write back:

" Of course we have a business continuity plan in place. It's an excellent plan, truly worthy of its place in the pantheon of business continuity plans."

You re not so sure, you ask to see the plan.

There's a little bit of hesitancy at this point. Some of the suppliers make excuses (probably "for confidentiality reasons") and some of those excuses sound a little dubious. But some let you look. And then you realize: even if you look at the plan you have no idea from a simple reading of their plan whether their plan will work or not . What is more, you have to do this for all ten of your major suppliers.

It's at this point one of your key customers asks you the same question. You are (we hope) happy to share your plan with them, having removed any parts that contain personal data or confidential information. And they have exactly the same problem as you. Although you can assure them that the plan is wonderful and will work, they have no idea of whether your plan will work either

Now each of the plans was truly wonderful and did everything a plan should do. But without standards nobody else can tell that without examining each plan and understanding each business.  A business continuity program, certified as being in accordance with a standard solves the problem, in the same way that a quality program certified as being in accordance with ISO 9000 simplifies assessment of supplier quality procedures.

The Legal Reason

Imagine that a disaster has happened.

Your company lost millions of dollars due to a fire at the main office. Shareholders are angry, and launch a class action lawsuit. Customers are angry, and launch lawsuits for breech of contract. Employees are angry because they have been laid off. You are called to the stand to testify. The cross examination runs something like this:

    So you were responsible for the company's business continuity program?


    And did your company conduct a Business Impact Assessment warning of the losses that might occur if your operations at the main office were disrupted?

    Well, no. We just created our plan assuming that...

    An answer yes or no will do.


    Did you have a Risk Register, identifying the risk of a fire at your head office and the associated losses?

    No but...

    And did you have a business continuity plan?


    And was this plan built in accordance with any standards?

You :
    Well, we used what we considered to be good industry practice. But no specific standard...

    So let me get this straight. You didn't do a business impact analysis to understand potential losses, you didn't have a risk register to identify potential risks, you didn't use any recognized standards, and when you put your plan into action your company lost millions of dollars. It can't have been a very good plan, can it?  No further questions.

    *    *    *    *    *

As you can see, the problem is not that the plan wasn't good. It's that with perfect hindsight it demonstrably wasn't good enough.

This is not a problem unique to business continuity. It's a widespread problem in product design and civil engineering. One defense against negligence (applicable in many jurisdictions) is that the work done met generally accepted standards. If your plan is only based on your own standards, it's very hard to prove that it meets that criteria. 

So you need a standard - but which?

So even though your plan may be excellent and comfortably exceed the expectations of any standard, there are important reasons to seek standards compliance. 

If your plan's quality needs to be assessed by other companies in the supply chain, it will one day need to be certified to a recognized standard purely for market efficiency reasons. And if your plan is ever examined in retrospect, a plan which doesn't reference common standards is going to be unpleasant to defend in court. 

For supply chain purposes, you need a standard you can be audited and certified against. This used to mean BS 25999-2, but now means ISO 22301.

For legal purposes, other standards are possible. You need a widely-accepted standard and preferably an external audit. The external audit is desirable because otherwise your will effectively be certifying yourself. Self-certification has a major problem. We are in a profession where things go wrong. Suppose you were a brain surgeon. Would you believe a self-certified brain surgeon was competent when the operation went wrong?  

New Risk Assessment Toolkit

One of the reasons that this issue of the Risky Thinking newsletter was delayed was that we were busy with the first release of the Risk Assessment Toolkit. This toolkit is designed to assist you in creating and maintaining a Risk Register and Business Impact Analysis by modeling dependencies, simulating disruptions, and calculating losses. Please take a look if you are interested in finding a better way to do these things.

Download Evaluation Copy / Watch Video Demo

News: CryptoLocker - Backup vs Availability
A new piece of malware, CrytpoLocker, is doing the rounds. 

It works like this. When activated, it contacts a server and downloads a public encryption key. It then encrypts (using asymmetric encryption) any of a wide variety of files types on your PC (or on accessible network shares), then locks the machine and demands money for the decryption key. Since it uses strong asymmetric encryption, the decryption key is never on your PC. It is therefore not possible to decrypt the files without paying the ransom. 

Unfortunately one of the lessons some companies are learning is the difference between backups and replication. Backups defend against this sort of file corruption (as well as accidental or deliberate deletion of files). Replication merely ensures that all copies of a file are similarly corrupted.

Microsoft malware description:

Register article describing one person's experience:

Terror After Osama Bin Laden

As the recent attack on the Westgate mall in Nairobi shows, the terrorist threat from Al Quaeda and its affiliates is still very real. Tara McKelvey has written an interesting article for BBC Magazine on how, with the change of leadership following the killing of Osama Bin Laden, there has also been significant changes in strategy and membership. Extreme terrorist groups, who were rejected under Bin Laden's leadershp, are now becoming affiliated to the group under Ayman al-Zawahiri. Ironically, without its charismatic figurehead, the organization is actually growing larger. While the risk of terrorism may be small for most organizations and locations, the risk probably hasn't significantly diminished in size since Bin Laden's death, and may even have increased.

Tara McKelvey's BBC Magazine article:

Global ranking of cities under threat from natural disasters

Swiss Re, an international re-insurance company, has issued an report which ranks major cities according to their estimated risk of loss from natural disasters. The report maps the risks from storms, coastal flooding, river flooding, earthquakes and tsunamis, and estimates the number of people likely to be affected as well as the effect of the event on the relevant country's economy (in terms of working days lost).

Tokyo-Yokohama, Manila, Los Angeles, Jakarta, and Amsterdam are some of the major cities that feature near the top of these risks lists.  If you register with Swiss Re you can get access to results and maps for cities which were lucky enough not to make the top ten riskiest cities lists. 

Swiss Re Report on cities at risk:

Backup Generators and Food Stamps

A strange story here. Failure of a backup generator during testing apparently disabled limits on electronic food stamp cards, creating havoc as unscrupulous shoppers realized that they could buy as much food as they wanted at two branches of Walmart. I'm not familiar with the electronic food stamp system in use, but it seems that Walmart may be on the hook for any losses since it did not put into place any manual system of checks when the system went (partially) down. An expensive reminder that everybody needs to know what to do when a system they rely on fails or behaves strangely.

Walmart Food Stamp Frenzy

Fire and Proximity

New Seminar Dates and Locations

Our Business Impact Analysis / Risk Assessment training seminars have some new dates and locations. We are also including a free copy of the Risk Assessment Toolkit (worth US$995) with each seminar seat. Hopefully I will get a chance to meet you there.

Seminar Details:

Administrivia, Subscribing, and Unsubscribing

RISKY THINKING is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management. You can subscribe on the web at http://www.RiskyThinking.com/newsletter.

Please feel free to forward RISKY THINKING to colleagues or friends who will find it valuable. You may reprint this newsletter providing it is reprinted in its entirety.