Do these 10 questions assess BCM awareness?

Here are ten (10) questions to assess employees’ business continuity management (BCM) awareness at a bank in Singapore.  My guiding principle in creating the questions was, ‘What should everyone in a company know about BCM?’

The context: all employees of this bank must complete an online awareness quiz on information security and BCM each year; 10 questions on infosec and 5 on BCM (so they’ll use 5 of my BCM questions each year). Employees can take the quiz any time during a year; passing requires eleven (11) correct answers (a “gentleman’s C”). The bank has had BCPs for many years, but only one-third of the bank’s 200 employees are directly involved in the bank’s BCM program – annual plan reviews, continuity strategy decisions, annual recovery site exercises – as department heads or recovery team members. Two-thirds of the employees, then, may know nothing about BCM.

The bank had never assessed BCM awareness. Good BCM practice starts with a baseline assessment of ‘who knows what’, for which these questions were designed, followed by appropriate training for those who have BCM responsibilities. After the first round of assessment, the bank can decide on desired levels of awareness and competence for employees at strategic, tactical and operational levels, as described in the BCI Good Practice Guidelines (Module 2, Embedding Business Continuity; see pages 44-45). For everyone else, this quiz may be all they get.

The cost of lost experience…and passion

What’s the cost to an organization and the BCM community of losing years of experience and passion?

Late in 2013 the head of BCM for one of Asia’s largest banks voluntarily transferred within his bank to a job entirely unrelated to BCM. He is the most experienced, knowledgeable and highest-paid non-expatriate BCM professional I know in Asia.

I wondered why anyone with eleven (11) years of full-time BCM experience and a compensation package the envy of his peers would suddenly take a powder. He agreed to answer my questions on-the-record if I didn’t use his name or identify his employer.

How old are you?
[laughs] You can say ’42 plus’.

What did you do before you did BCM?
I was in business consulting.

Do you come from an IT background?
My education is in IT, but I never [worked in] IT. I did IT audit.

How did you get into BCM, and when?
I got into BCM by a fluke chance, like everybody else. I was doing consulting in Thailand [in 2002]. It was supposed to be a 6-month contract. At the opportune moment [the end of the contract] – at that exact moment – [a bank in Asia] called and said, ‘Hey, do you want to try out BCM.’  I said, ‘I don’t care what it is, I’ll try it.’

How do you manage business continuity during civil unrest?

English-to-Russian translation by Artem Rumiantsev, Kiev, Ukraine.

My colleague Nathaniel Forbes recently wrote an excellent article about the events in Kiev on 18-21 February 2014, which will interest business continuity management professionals at banking institutions. He also asked me to translate his article for a Russian-speaking audience, which I was glad to do.

Read the article in English: What’s the BCP for an insurrection?

Banks in Ukraine with offices not only directly on Kiev’s Maidan (Independence Square) but also around it are well aware of the likelihood and consequences of the civil unrest that took place here in February 2014. Many large public events are held in this huge, symbolic square in the commercial center of the city. Déjà vu: Ukraine’s Orange Revolution of 2004 involved practically the same protesters, for the same reason, in the same place.

It is easy to imagine that the protests in Bangkok, which began at almost the same time as the events in Kiev, will end in the same violence or change of government as happened in Ukraine in February 2014.

This panoramic view of Kiev’s Maidan shows approximately 3 head offices and 10 branches of various banks. The branches of Nadra Bank and Raiffeisen Bank Aval in the Trade Union Building (the smoke-darkened building in the upper right corner) were badly damaged by fire. The linked photo was taken by Ilya Varlamov. Labelling on the photo by Artem Rumiantsev.

What’s the BCP for an insurrection?

Banks in Ukraine with offices in and around Kiev’s Majdan Nezalezhnosti (Independence Square or “the Maidan”) are well aware of the likelihood and impact of civil unrest (0:52 YouTube) that occurred there in February. Many large, public gatherings take place in its expansive, symbolic plaza in the commercial center of the city. Déjà vu: Ukraine’s Orange Revolution in 2004 featured the same combatants having the same conflict over the same issues in the same place.

It’s easy to imagine the current protests in Bangkok, which started about the same time, ending in similar violence or a change of government, as they did in Ukraine last month.

There are three (3) bank head offices and ten (10) branches in this panoramic view of Kiev’s Majdan. Branches of Nadra Bank and Raiffeisen Bank Aval in the Trade Union Building (smoke-blackened building in upper right quadrant) were burned. Photo by Ilya Varlamov. Labelling by Artem Rumiantsev.

My colleague Artem Rumiantsev, BCM Project Manager at a European multinational bank in Kiev, sent me his notes about the business impact of events between 18 and 21 February last week, “the most stressful days of riot.” I have supplemented his notes with comments translated to English – and many high-definition photos – from Ilya Varlamov’s LiveJournal.

Hitting the Target in crisis communication

I received this email (right) from the CEO of U.S. retailer Target Corp. (“Expect more. Pay less.”) in January. Target sent it to 70 million past and present customers. I thought it was a scam or spam because I haven’t had a Target account for 20 years. My son got the same message, and he discovered it wasn’t a scam:

Background: Hackers stole card numbers and personal information of maybe 100 million Target store customers (not online shoppers) in a two-week rip-off during the year’s busiest shopping season. New York Times

Timeline of Target’s “data breach”

I was in Minnesota on 19 December when the theft was announced (Target is headquartered there) and have watched the company’s crisis communication since then. I.T. professionals will know more than I about lapses in Target’s information security, but I think the company’s crisis communication has been remarkably well-organized.

  • Once you know it’s real, the letter is simple and clear. The CEO is apologetic, and offers a remedy and a Target website to visit for more information.
  • His email has the company’s logo but no other graphics, and the links in his message are in plain text, not HTML. Someone in Target’s Guest Relations or Press Relations understands the basics of email security.

After a murder at work, traumatic stress & leaked video

A violent robbery in Malaysia highlights the importance of having a trained peer support team

An employee of Malaysia’s AmBank, 37-year old Norazita bte Abu Talib, was shot and killed by the bank’s own security guard as she opened the vault at a branch in Kuala Lumpur last Thursday evening (24 October 2013).

The murder and robbery were captured on the bank’s closed circuit monitoring system; a segment of the video was released without authorization and posted on YouTube.

What was the bank’s crisis response to the incident?

According to an AmBank employee who spoke without authorization:

  • The bank’s Crisis Management Team (CMT) was activated as soon as emergency response was triggered.  Escalation to the CMT occurred almost immediately after the Police were informed.
  • The branch was closed for two (2) days while the Police investigated the crime scene.
  • Other branch employees who witnessed the shooting were offered counseling.
  • A management representative was assigned to the family.
  • The bank’s General Managing Director sent email to all employees [about 12,000 nationwide] “to manage, console and update on what would be done and how we should align our expectations the way forward.”

From that information, I’d say the bank’s response was competent.

Why PSA’s don’t work

For preparedness messages, as in stand-up comedy, timing is everything.

After thousands of Public Service Announcements (PSAs) like “preparedness for individuals” (in English and in Spanish), “preparedness for business” and “preparedness for New York City,” and websites like, only 6% of Americans have done any preparation at all, and just 17% say they’re “very prepared” for disasters. You might conclude, as the authors of this article did, that The Preparedness Message Isn’t Reaching the Public (from the November 2012 issue of EmergencyMgmt magazine).

PSA’s do reach lots of people, of course, but they don’t seem to motivate people to prepare. Why?

No one is motivated by gory pictures or finger-wagging lectures from public figures. I know I’m not – and I’m generally receptive to preparation messages because I make my living spreading them. In fact, images of leaking nuclear power plants, collapsed houses, flooded villages, even distraught victims don’t motivate us; they overwhelm us. ‘Well, it’s hopeless’, we think to ourselves, or ‘I can’t do anything about it anyway.’

Yet thousands of people all over the world donate generously to relief efforts for people they’ve never met in other countries – in Haiti, in Japan, in Indonesia – out of desire to help after a disaster. They won’t prepare themselves in advance, but they’ll willingly help others afterward.

Crowd-sourcing haze response in Asia

To stop annual fires that threaten the health of millions of people in Southeast Asia, separate the science of location from the politics of responsibility

A few months ago smoke from illegal burning in Indonesia represented an immediate danger to life and health in Singapore, where I live. On Friday June 21, “haze” originating in Indonesia caused Singapore’s Pollutants Standard Index (PSI) to peg the meter at 401, an airborne contamination level at which it is not only hazardous, but genuinely difficult, to breathe.

I think life-threatening haze from illegal fires fits into any broad definition of the word “disaster.” Haze reaches Singapore most years in the dry season when land in Indonesia is cleared for farming, but the consequences hadn’t been so miserable since the “large-scale air quality disaster” of 1997. There is no reason to expect it will stop until its perpetrators (by whom I mean landowners of palm and pulpwood concessions, not just the farmers who do their bidding) are stopped. Resilience professionals – emergency managers, business continuity managers, risk managers, crisis managers, security managers – could help.

As a downwind resident and as a resilience professional, I really want to know exactly where the burning plot is located so someone can figure out who owns it and who is responsible for burning it illegally. Helpless in the haze, Singapore government agencies pressed officials in Indonesia to make their land-ownership maps public specifically for those purposes.

Designing better emergency procedures

I recently found this two-page sheet of emergency procedures for Chevron House, an office building in Singapore’s Raffles Place. Chevron House has for many years had biometric fingerprint readers for access control, the only building in Singapore at which I’ve seen them. They must take security and emergency preparation seriously. I’m glad the property manager thought it worthwhile to create instructions for tenants (a visitor wouldn’t be answering a bomb threat call).

If you were designing something similar for your workplace, I’d suggest these improvements.

  1. The Office Emergency Procedure side says, “Please keep this in a prominent place”, but the Bomb Threat Checklist side says “Place this card under your telephone.” Both are good advice – for separate sheets of paper. The bomb threat side should be laminated if it is to survive under the phone on your desk for months or years.
  2. The Egress Plan view (upper left corner) is much too small to be read, especially through smoke in a fire (but I can’t read architectural floor plans even with clear light and eyeglasses). It should certainly have a ‘You are here’ label to orient the viewer. It should be posted next to stairwell exits and in elevator (lift) lobbies. It should be larger, of course, but the only sure way to learn evacuation is to practice, practice, practice.

Climate change table-top exercise

I’m running a day-long, pre-conference, table-top exercise on climate change on Wednesday, 28 August in Manila. Exercise participants will be in teams of six (6) people; half the teams will tackle sea-level rise, the other half will wrestle with drought. Each team will present its strategies at the end of the day. I’ll be speaking at the Resiliency Forum Asia on Thursday and Friday 29 and 30 August. Registration is just USD 840 for my exercise and the two-day conference (just $280 per day). Sign up by filling out the last page of this brochure: