ContinuitySA Quarterly Newsletter

1. M
arch enters us into the Business Continuity Awareness Week
(BCAW 2013) which takes place from the 18th to 22nd March
2013, and this edition is filled with line-up of events presented
by ContinuitySA.
ContinuitySA is hosting breakfast talks in both Johannesburg and Cape
Town on the International Standard for Business Continuity, ISO22301 as well
as a host of webinars for you to choose from, covering portable recovery,
ICT protection and recovery methods and enterprise migration and adop-
tion of the cloud.
ContinuitySA is also facilitating the Good Practice Guidelines eLearning
course from the BCI so if you want to brush up on the Good Practice
Guidelines or just want to educate yourself then you need to book for this
8 hour interactive session.
All the events are free so ensure not to miss out on any of them.
A practical perspective is brought to us by Eugene Taylor around Organi-
sation Resilience, where resilience disciplines are highlighted and how they
relate to each other, and of course showing organisations how they can approach and encourage a culture of
resilience building.
We highlight again the complexity that underpins the top business continuity issues for 2013, which focuses on a
set of six interrelated risks.
Triple4 discusses backup strategies and the importance of testing as well as how they successfully launched their
4CustomerZone.
ContinuitySA was one of the CGF Research Institutes, sponsors at their breakfast event they had on the 21st Feb-
ruary and have therefore included the abridged version of the breakfast talk, Looking Back and Going Forward.
As you would have noticed the ContinuitySA website got a facelift and incorporates a Blog and is more inter-
active and user friendly.
As a reminder, you are welcome to send us your news, views and articles to be included in our next issue of the
chronicles. Thank you again to everyone who has contributed so far.
Editor
Cindy Bodenstein
cindy.bodenstein@continuitysa.co.za
marketing@continuitysa.co.za
www.continuitysa.co.za
Q1 2013
Keeping ContinuitySA
clients informed
1
This year has got off to a great start and at a sprint if I might
add and must be a definite indication of the year ahead.
In this Issue
2 Complexity
underpins the
top business
continuity issues
for 20133
4 4CustomerZone
Lives
Backup strate-
gies and the
importance of
testing
6 Organisational
Resilience: Use it
- or Lose it!
10 Business
Continuity
Awareness
Week
11 ContinuitySA
ISO22301
Breakfast Talks
12 Webinars
13 Good Practice
Guidelines
e-Learning
Course
14 ContinuitySA
Training Dates
15 Extracts from
Breakfast talk:
Looking Back &
Going Forward
Editor’s Note
All Links
now Interactive
and Live!

2. 2
Complexity underpins the top
business continuity issues for
2013
The mere fact that you are reading this article implies that the last days predicted by modern-day
Mayans and other apocalyptic have not arrived on schedule. “In fact, the risks we all face as we go
into 2013 are much more complex, and thus much more difficult to counter,” says Michael Davies, CEO
of ContinuitySA, Africa’s leading provider of business continuity services.
...Continued on next page
I
n what has become an annual exer-
cise, Davies and members of his exec-
utive team met late in 2012 to review
their predictions for the year and pon-
der what the coming year might hold for
risk managers.
“What became very clear is it has be-
come almost impossible to consider indi-
vidual risks without taking the overall risk
into consideration,” Davies observes.
“Globalisation and the profound connect-
edness between individuals, companies
and countries promoted by technology
means that risk, too, must be seen
broadly.”
Bearing this observation in mind, Davies
and the ContinuitySA team have identi-
fied the following set of six interrelated risks
for 2013.
1. Social malfunction grows. Across the
world, it is increasingly clear that estab-
lished certainties and beliefs about how
the world is structured are becoming fluid.
From the Arab Spring to Occupy Wall
Street and protests against austerity in
Greece and elsewhere, there is an overall
loss of faith in society’s institutions and their
ability to deliver a just world order.
In South Africa, persistent dissatisfaction
with service delivery has exploded into
widespread and violent protests against
the very nature of the system. In that re-
spect, the miners’ revolt in Marikana has
been a watershed event, as it bypassed
both the settlements negotiated by the
miners’ own representatives and the nor-
mal processes of democracy.
Democratic process, it seems, is either pro-
foundly misunderstood or mistrusted.
This impatience with society’s existing insti-
tutions and processes appears to be
spreading and there are worrying signs
that even the middle class, on whose
shoulders society’s prosperity and stability
ultimately depend, are also losing faith in
basic concepts. The extreme passions
roused by the ongoing e-toll saga in Gaut-
eng is an obvious example of this trend. For
the middle classes, this type of feeling gen-
erally translates into a reluctance to pay
tax, an action that can fatally undermine
the state itself.
2. Global economic and financial volatil-
ity. It appears that the 2008 financial crisis
is both more far-reaching and profound
than first expected. Markets and
economies seem unable to regain an
even keel, and many commentators are
seeing this volatility as “the new normal”.
The flipside is an increasing regulatory bur-
den as governments and other institutions
attempt to rein in uncontrolled capitalism
and protect investors.
For South African businesses, important as-
sociated risks are the volatility of commod-
ity prices, greater competition internally
and in export markets, and an unstable
currency.
3. Environmental risk. If volatility is the new
economic normal, then there is every indi-
cation that climatic volatility is also be-
coming a feature of life. For South Africa,
climate fluctuations may be expected to
increase the risk of water and even food
shortages. Thus far, global and national en-
vironmental initiatives are gaining traction
too slowly, and seem likely to add to the
cost of doing business in the short term—
giving rise to a classic case of how to bal-
ance short- and long-term risk.
4. Infrastructural risk. A common African
business risk is inadequate and poorly
maintained infrastructure.
Water and power are the two obvious risks
that threaten business, but the road and
rail networks also present challenges. Gov-
ernment efforts to address these problems
are affected by the principle of intercon-
nectedness: opposition to e-tolling, one
feels, is more influenced by wider dissatis-
factions rather than the principle of “user
pays”.
Many South African businesses are taking
extraordinary measures to mitigate infra-
structural risks by assuming responsibility for
all or some of the infrastructure needed for
their projects.
by Michael Davies – Chief Executive Officer, ContinuitySA

3. Property developers, for example, are
often providing roads and sewerage, and
factories some of their own energy – and
think of corporate involvement in points
people to ameliorate the effects of faulty
traffic lights and schemes to fill in potholes.
5. Data risk. Data is becoming more impor-
tant as a way for companies to assess risk
and compete more effectively—this is the
phenomenon of Big Data. It’s probably
true to say that most companies are still
coming to terms with the concept and,
more importantly, how to use data effec-
tively. Nonetheless, data privacy regula-
tions have already sprung up to protect
personal data, creating a set of risks relat-
ing to data security. One is the growing
menace of cybercrime.
Another is the whole question of data sov-
ereignty – as companies try to safeguard
their data while reducing costs, they may
opt for the security of cloud solutions. How-
ever, when those data centres are lo-
cated and/or owned offshore, it becomes
difficult to be sure of data security and ac-
countability for lapses.
“Our approach is to use a hybrid public
and private cloud model for our clients for
just these reasons,” comments Davies.
“This approach allows clients to retain tight
control over sensitive data, as is increas-
ingly mandated by law, and to take full
advantage of the cost and flexibility of
public services where appropriate.”
An associated risk is the peaking trend of
IT consumerisation, so-called BYOD (bring
your own device – the use of private mo-
bile devices to access corporate data).
BYOD offers both advantages and disad-
vantages: boards and their CIOs need to
think carefully about how to protect their
data against potential threats – and how
to use the available technology wisely to
obtain a competitive advantage.
6. Business continuity remains misunder-
stood. Risk management has definitely be-
come integrated into the corporate
agenda, and is maturing.
This may be seen by the replacement of
the existing BS25999 standard by ISO22301.
The BS25999 standard set the standard for
business continuity management, but the
new ISO223301 standard is much more de-
tailed in its requirements, and requires
much more documentation of the
processes followed. It also requires com-
mitted board-level leadership, thus effec-
tively putting risk management into the
spotlight.
However, in practical terms, the broader
concept of business continuity manage-
ment is becoming absorbed into the IT
budget, with a concurrent diminishing of
focus on operational matters. At the same
time, budgets in general are under pres-
sure.
“Ironically, then, the biggest overall risk has
become corporate myopia about the true
nature of risk – and this at a time when risk
has become much more integrated into
corporate strategy. Boards must resist see-
ing risk in terms of technology alone. Busi-
ness continuity is a much more useful
concept, one that takes into account the
interconnectedness of risk today. When
considering risk, business leaders need to
take a broad view of organisational re-
silience before honing in on their particular
company’s situation,” Davies concludes.
“Risk is now systemic, and so the approach
to risk must also be systemic and have op-
erational relevance to the organisation.”
3

4. By Scott Orton, Sales director of Triple4.
4
T
he first phase of the portal offers management of Triple4’s Hosted Business Resources, Email and related support service manage-
ment and other account driven functions; and is completely cross-browser compatible and touch-centric meaning it will work
from a tablet as well as it works from a desktop browser.
Following phases will see additional services being added, such as Communication, Collaboration and Hosted Virtual Resources as
well as tighter integration with Triple4's customer relationship management platforms for better service delivery.
Customers will be contacted individually, as they are migrated over.
In keeping with the managed cloud theme, Triple4 will always be involved with the creation of the customer and the initial setup.
The portal is accessible by link from the website or directly via https://customerzone.triple4cloud.com
4CustomerZone
Lives
Backup strategies and
the importance of testing
By Kevin Mortimer, Manging director of Triple4.
Triple4 have now successfully launched the 4CustomerZone, which allows for the
management of one's subscribed services. The portal has been designed to be
light and effective for typical day-to-day tasks that power-users need to complete
for their users.
Most organizations that have an IT environment adding some value to their
business are doing backups in some way or another. Some companies will sim-
ply copy data to an external drive; others use backup programs to do the same.
It is often seen that backups are not really taken seriously until data loss has
actually happened, then some serious attention gets put in place. In general,
the more serious the IT environment is to a business, the more serious the organ-
ization is about backups, well that is how it should be anyway. A backup
strategy should be the foremost part of a disaster recovery strategy.
...Continued on next page

5. 5
In our experience at Triple4 throughout the
years, whether a company is taking a risk
using a R 500 external drive or doing back-
ups to an expensive tape device and
housing tapes offsite, it is not often seen
that an organization has a working
backup solution that is actually tested. As
long as backups are seen as successful
within the various backup programs, the
support team and business seem to be
happy to rely on that. It cannot be
stressed how important it is to test your
backups regardless of the strategy you
have in place, yes even if you have an on-
line strategy!
We recently did a consulting trip and per-
formed an IT business impact analysis for
an organization. This involved setting up
meetings with business unit owners about
which business applications are used and
the criticality of them. A Report was then
drawn up against what the business actu-
ally needed from IT systems and what was
being backed up.
It was quite eye opening to see the results
and made us realize what an important
exercise it is to perform on your business.
Bottom line it highlighted how important it
is not just to rely on IT staff to ensure the
correct information is backed up and
backed up properly. Business should be in-
volved to ensure that all aspects are
thought about, no matter how big or small
the applications may seem. Also the im-
portance of ensuring you can actually re-
store the data that is part of your backup
sets is critical.
So if the data and integrity of business ap-
plications is important, we strongly suggest
getting some standby equipment and
fully test your backup strategy to ensure
you are safe from a disaster. Or better yet
if you don’t have the time, equipment or
know how, we can assist, analyze, test
and report back for you.
For more information contact Triple4
or visit www.triple4.co.za
Should you have any enquiries as to how you can make
a difference or would like to be included in regularly
communication, please contact Louise Theunissen (MBCI)(PMP), BCI Board Member
Mobile: +27 82 928 7158 or Mail to: louise.theunissen@continuitysa.co.za
BCI Forum South Africa

6. Organisational Resilience
6
1. It’s not new – it’s just
different
Let’s be practical about Organisational
Resilience and what needs to be consid-
ered to get the resilience bit right.
We prefer to use the term Business
Resilience but because there is such
imbedded global focus on the term
"Organisational Resilience" we will use the
two references interchangeably in this ar-
ticle – but it’s really the resilience piece we
are focussing on – and not strictly in line
with the semantics of legal entities or for-
mal publications.
It’s fair to say that the manner in which
modern day businesses are resourced has
changed significantly over the past 10
years. For example, we are more reliant on
highly technical equipment and cen-
tralised infrastructures. As globalisation
merges previously localised communities
there is an upsurge in demand on the
supply chain to comply with more strin-
gent customer requirements.
Many years back, when we relied more on
local infrastructure, local resource pools
and localised technology, resilience was
something a General Manager would look
after. It might have been called something
different then but included the main
themes, for example, disaster contingency
planning; health and safety; facilities and
utilities; warehousing, transport, logistics
and security. These “disciplines” could
generally be addressed in slow time.
It’s a very different world now – high speed
everything!
Money travels in milliseconds across the
globe, as do communications and so (al-
most) does the next model mobile phone.
Diversity of high tech product develop-
ment has seen an unprecedented explo-
sion at rates which even competitors
struggle to keep up with. As a result the
supply chain is now ever more complex
with a multitude of suppliers to choose
from – some stable, some not – some
surviving, some not.
Although there is more speed, higher rates
of technological developments and more
competition - there are also more people,
more governance, more legislation, more
markets and more compliance require-
ments - and more mavericks! Because of
this modern day evolution many of the
resilience disciplines that were pure com-
mon sense needed to become more spe-
cialised with specialist peer groups and
specialist consultants. These disciplines are
generally dotted all over a company with
varying degrees of culture, authority, ac-
countability and connectivity - depending
on their rating by the executives.
The same threats and risks seek to under-
mine business resilience though - just differ-
ent looking and a bit more complex to
manage, if you let them be.
2. Why now?
Greater awareness of the volatility of the
risk environment in recent years, together
with the regulatory impetus provided by
governance requirements, has placed
effective organisation resilience develop-
ment high on the corporate agenda.
The need to change attitudes to risk
management has also resulted in the
need for a more comprehensive and
proactive approach in managing expo-
sures and vulnerabilities.
During this evolutionary process imple-
mentation of management systems has
emerged as an increasingly important
requirement of an organisation’s resilience
building strategy. The recent explosion
of international management system stan-
dards (driven by business) is testimony to
this desire.
Developing out of the modern organisa-
tional resilience arena, evolving manage-
ment systems such as effective Business
Continuity, Information Security, Quality,
Service Delivery and Enterprise Risk man-
agement systems (to name a few) can en-
able an organisation to reduce its
vulnerability to disruptive events, improve
its efficiencies and cost base, implement
mechanisms to limit the impact of inci-
dents on business processes and opera-
tions, and provide reputational resilience
even in the most difficult of circumstances.
However, a lack of consistency in
approach, disconnected management
system approaches, confusion over
definitions and terms and the inability to
comprehensively benchmark resilience
strategies have hindered business from
adequately developing and implement-
ing suitable management systems in
harmony - despite the existence of widely
accepted published standards.
3. Let's cut to the chase!
Based upon proven methodologies and
with a wealth of experience across many
management systems I am convinced
that consolidation of resilience disciplines
under one banner is the way forward.
By Eugene Taylor MBCI,
Managing Director, TaGza (RSA & UK)
Durban / London
www.TaGza.Biz
Use it - or Lose it!

7. 7
This article will not provide the reader with
background or academia on why you
need resilience disciplines or the many
evident consequences of not applying re-
silience disciplines. These can be obtained
from the plethora of publications avail-
able. In the future we might even find a
management system “standard” on re-
silience (keep an eye out for BS 45000).
There are moves afoot by some standards
technical committees to go this route.
I get chills at the thought.
Resilience development is a strategic
product of a business and not something
that can or should be tested against a
management system standard. Doing
that would move it from a strategic prod-
uct to a compliance product and that's
not a good idea. I don’t want to get too
involved in the debate on "why", but in our
experience management system stan-
dards are a framework for requirements
compliance and relatively clinical to im-
plement. Developing a resilient business
through the right strategy and the right
tools demands a lot of intelligence and
requires a connected approach in adopt-
ing and improving the right business
disciplines.
There is a level of bravado needed for this
modern approach.
I hope to leave you with a simple view of
Organisational Resilience and arm you
with some fundamentals to adopt, mature
and measure within your business. I also
hope to give you some insight into stan-
dards you can either adopt or reference.
These are really great publications to use
when developing your resilience strategy.
(Hopefully those bits won't bore you).
4. The beginning ....
No money - no honey!
Arguably the most important resource is
people – but without adequate liquidity a
business may not be able to afford to get
or keep the right people (or enough of
them). Any wealthy business with loads of
spare cash and integrity could weather
most disasters, be those reputational or
otherwise - but that luxury belongs to a
select few.
At the outset it must be understood that
all resilience disciplines need to collec-
tively “body guard” the bottom line whilst
contributing to the business “treasure
chest” in some way.
4.1A Business needs some basics
Let’s briefly examine the fundamental
properties of a business and see how we
can go about giving thought to a re-
silience strategy - or perhaps just tidying
up what we already have.
4.1.1 Money and Liquidity
It’s basically all about revenues (funding)
versus costs, but without sound financial
investment and healthy business culture
the spare cash won't be there to allow an
opportunity to invest in resilience - or to
adequately recover from a disaster. There
is a fundamental need for those responsi-
ble for liquidity strategy to engage with
those tasked with delivering the resilience
disciplines to ensure these are adequately
funded - all too often this is not the case.
4.1.2 Quality products and services
Quality products are for those businesses
intending to survive the long term – of
course.
Quality products and services at the right
price will maintain demand, but beyond
that will be reliance on the health of the
relationship the business has with its stake-
holders. If the business collaborates whole
heartedly with stakeholders in developing
the resilience of their businesses - and con-
sequently its products and services - then
relationships are more likely to sustain mul-
tiple impacts.
4.1.3 People to do the work, a place to
work and “things” to work with
There is a huge amount of information
from the Business Continuity and Societal
Security professions to guide you in deter-
mining which services and supporting re-
sources are vital to your business.
Start with the Business Continuity Institute's
Good Practice Guide (GPG) and then
have a look at SANS/ISO 22301 (The inter-
national Business Continuity Management
System standard).
Of all the resilience disciplines Business
Continuity Management is the one which
mandates covering the entire business
with many unique requirements facilitat-
ing inter-relationships with the other disci-
plines.
4.1.4 An efficient "production"
environment
Most “production” environments these
days cannot afford to be without some
level of technology.
Any quality "production" line that has ro-
bust processes and uses robust resources
efficiently is likely to keep its costs down.
The "production" line will also need to be
designed so that adaptation to change is
cost effective and easy. This requires a
closer link with suppliers and consequently
a better understanding of supplier re-
silience capability.
4.1.5 Compliance with legislative and
stakeholder requirements
Local compliance could be mandatory,
strategic, voluntary or customer driven but
in many countries these are now being
driven through legislature. Governments in
particular are beginning to enforce a
number of internationally accepted stan-
dards within the public sector – and this
will ultimately drive compliance require-
ments in the private sector.
One would really take resilience adoption
as a given for any business these days but
this is more about looking past the basic
requirements and adopting processes
and efficiencies that make compliance
and culture second nature even when not
mandated by any stakeholder.
4.1.6 Customers and suppliers.
Well, without them you have nobody to
provide anything to - so what’s the point
of your business if you’re not going to look
after your customers!
Customer responsibility is a massive prod-
uct of any business and Customers are the
ones you need to convince of your
resilience (internally and externally). Trust
me - a PowerPoint presentation of all your
compliance and award certificates is just
not going to do the job on its own
anymore.
Just a reminder - you are a customer of
your supplier. Don’t therefore expect your
customer to be any less demanding
around your products and services than
you would be on your suppliers.

8. 8
4.2 That's it then. We have a busi-
ness and we want it resilient - yes?
At this point it might be worth a quick note
that the resilience strategy is not to pre-
pare for when things go wrong (that's part
of Business Continuity - and therefore fits
nicely in that component of the resilience
discipline suite).
The resilience strategy is there for your
business to withstand impacts, repeatedly
and with varying degrees of severity, with
little or no change to your supply of prod-
ucts and services - but more importantly
with no significant impact to the bottom
line, particularly the cost and revenue
base.
You need to develop your resilience com-
ponents during Business As Usual (BAU)
and not on the fly while dealing with
impacts or issues.
5. The resilience suite uncut (get
some coffee for this piece)
We now move the focus of this article to
look at some common elements that con-
tribute to the resilience suite and for the
most part give executives pain – when
really there shouldn’t be that pain.
To make a bit more sense of the following
part of this article it will be easier to start
with the picture below. It’s by no means
the complete picture but does serve to
provide a platform for discussion and
strategic planning.
Here we have our business made up of
the parts mentioned earlier. The idea is not
to suggest an organogram of the business
but to rather look at strategic compo-
nents – which in most cases are likely to
have multiple owners and reporting lines.
Assume that the executives prefer to focus
on sales, keeping the bottom line intact
and maintaining a happy work force - yet
still desire business resilience with all the
trimmings – then this approach is for them.
1. This represents the fundamental busi-
ness components mentioned earlier in
this article.
2. This represents the centralised compli-
ance or governance structure that
looks after all the resilience disciplines
and could well include an audit arm.
It’s depicted as being outside the “busi-
ness” in that it should not have any bias
within the business. For example – it
would be wrong for a functional direc-
torate to own this level of strategy,
particularly when their directorate has
to deliver some of the resilience prod-
ucts - unless of course the “compli-
ance/resilience” unit is firmly placed
as a direct component within the Chief
Executive Office.
3. These represent fundamental resilience
discipline bands and note how they
spread across the business functions –
no exclusions. In each resilience band
are examples of published standards
(*or those being developed or consid-
ered for development) that could
be considered when designing or
improving the resilience strategy – and
some of these standards have symbi-
otic relationships with multiple discipline
bands.
In addition - previous studies have iden-
tified many organisational mechanisms
and characteristics embedded in
everyday practices that also contribute
to an organisation’s resilience. These in-
clude organisational cultures that are
flexible, just and promote learning in a
way that the corresponding behav-
ioural manifestations of these cultures
are displayed by staff members at all
levels during business as usual.

9. 9
Specifically, behaviours that have been
identified as being displayed by resilient
organisations include monitoring, de-
tecting and reacting to issues that
could have an impact on the organisa-
tion’s performance (thereby building
awareness), and the promotion of con-
tinuous improvement through sensitivity
to failures and tolerance of errors.
The existence of these cultures and their
accompanying behavioural manifesta-
tions therefore directly enhance organ-
isational resilience by creating, for
example, the following business char-
acteristics to a greater or lesser degree:
• Redundancy – Where a business
has plenty of multiplicity and fall-
back options
• Reliability – Where up time, consis-
tency and efficiency of service is
exemplary
• Anticipation – Where forward think-
ing is fine tuned, inventive and cus-
tomer focussed
• Preparedness – Where the business
can accommodate change and
evolution
• Adaptive capacity – Where the
business can easily adapt to
change – or spurious demand
surges
• Learning capacity – Where the
business can measure itself and
progress improvements
Resilience is a concept rather than a
discipline, function or process. Organisa-
tions strive to achieve it as a goal. Thus it
has key dimensions or capabilities forming
the parts that make it a whole.
In order to expand an understanding of
organisational resilience, those disciplines
which contribute to development of the
above capabilities need to be identified,
and the relationships between those
disciplines and business resilience
established.
Take Business Continuity for example;
there are five brilliant publications that
support mechanisms for applying a Busi-
ness Continuity Management System
aligned to ISO 22301 - but these go further
to encompass other disciplines as is obvi-
ous in their titles and content;
• PAS 200: Guidance and Good Practice
- Crisis Management
Discipline relationship examples:
Security, Quality, Service Delivery,
H&S, Environmental, Financial Control
• PD 25111: Guidance - Human
Aspects of Business Continuity
Discipline relationship examples: Serv-
ice Delivery, H&S, Environmental, Risk
Management (succession planning)
• PD 25222: Guidance - Supply Chain
Continuity
Discipline relationship examples:
Quality, Service Delivery, Financial
Control
• PD 25666: Guidance - Exercising and
Testing for Business Continuity
Discipline relationship examples:
Security, Service Delivery, Financial
Control, Crisis Management
• PD 25888: Guidance – Recovery
following disruptive incidents
Discipline relationship examples: Crisis
Management, Service Delivery
To maintain successful but separate disci-
plines is not enough to create resilience.
Disciplines must be integrated and coher-
ent to generate the ultimate resilience
product.
The current status is that many organisa-
tions retain silos of excellence, with very lit-
tle cross over in key areas and often not
much consolidated control within an over-
arching approach.
This article should not and does not set out
to seek a solution to this situation but
rather to demonstrate where the key con-
tributions could lie in terms of the disci-
plines - and to then consolidate those.
From an initial perspective, by consolidat-
ing the disciplines we can establish those
areas of overlap or inter connectivity, as
suggested with the Business Continuity ex-
ample above.
This article is concerned with how inde-
pendent yet related disciplines that exist
within organisations may serve to encour-
age, create and enhance organisational
resilience.
Those disciplines that contribute to the key
dimensions and beneficial organisational
characteristics should at least include:
• Business Continuity Management:
Benefit: (e.g.) Anticipation, Adaptation,
Recovery, Redundancy
• Crisis and Communication Manage-
ment: Benefit: (e.g.) Response,
Adaptation, Recovery
• Health and Safety Management: Bene-
fit: (e.g.) Anticipation, Preparedness
• Information Security Management:
Benefit: (e.g.) Anticipation, Protection,
Response, Redundancy
• Physical Security Management: Benefit:
(e.g.) Protection
• Quality Management: Benefit: (e.g.)
Improvement, Reliability, Reputation
• Service Delivery Management: Benefit:
(e.g.) Robust, Efficient, Flexible,
Reliable, Secure
• Environmental Management: Benefit:
(e.g.) Anticipation, Preparedness,
Recovery
• Risk Management: Benefit: (e.g.)
Preparedness, Learning capacity
6. Summing up!
In this article we put together a number of
resilience disciplines and showed how they
ought to relate to each other but clearly
there could be a multitude of business sub
processes, particularly with businesses that
are spread across the globe or in diverse
parts of their mother country. The contribu-
tion of these and other disciplines is subjec-
tive and will differ by organisation. There
are arguments for the inclusion of Human
Resources, Financial Management and
Strategic Planning as well as other key
areas which will contribute to resilience.
For the purposes of this article, it is felt that
those disciplines outlined in this article are
probably the most relevant and provide a
good starting point.
It might take longer for established busi-
nesses to suddenly change the way they
do things and implement modern ap-
proaches. In some cases this may be a
daunting option even in the face of all the
benefits, BUT there is little reason why they
can’t put the approach into long term
plans, or at least start encouraging a cul-
ture of resilience building.
Use it - or Lose it!
It’s your business.

10. 10
T
he theme for BCAW2013 is” Business Continuity – for the risks
you can see and the ones you can’t”. With a world that is
in constant change, organisations are continually con-
fronted with an ever growing range of risks that they need
to deal with. The role of Business Continuity in helping organisa-
tions to become more resilient has never been greater thaan
now.
Closely related to the discipline of Risk Management, Business
Continuity enables an organisation to increase its capability to
respond to any existing, emerging or unknown risk by focussing
on mitigating the impact of any disruption on the most urgent
and high priority activities.
The challenge organisations face is to fully understand the po-
tential impact of any disruption, regardless of its scale or com-
plexity. By looking within and across our organisations and by
understanding what we need to have in place to keep our busi-
ness running, we can ensure we are able to continue to operate
whatever the scale or cause of the disruption. With the knowl-
edge and strength of our continuity planning to support us, we
can be more confident that we are able to face whatever the
world challenges us with, including the risks we can see and the
ones we can’t.
In support of BCAW2013, ContinuitySA has scheduled a host of
events to keep the informative message going. We have a
breakfast talk around ISO22301 which will be hosted in both
Johannesburg and Cape Town, as well as webinars and we will
also be offering the BCI Good Practice Guidelines eLearning
Course.
Should you wish to know more about Business Continuity or even
how your organisation can get involved then please feel free to
contact Cindy Bodenstein
BUSINESS CONTINUITY AWARENESS WEEK
Business Continuity Awareness
Week (BCAW2013) is an annual
global event that is facilitated by
the BCI and takes place from the
18th – 22nd March 2013. As a Gold
Partner of the BCI, ContinuitySA will
be focusing on a host of events to
showcase the value of business
continuity as an integrated part of
any organisation’s strategy.

11. ContinuitySA is hosting two breakfast events, one in Somerset West, Cape Town on
the 19th March and the other in Midrand, Johannesburg on the 20th March.
The talks are on ISO22301the International Business Continuity standard.
Eugene Taylor, former Chairman of the BCI Partnership Steering Group, who repre-
sents the UK Institute of Directors on the TC 223 committee and who has imple-
mented certified Business Continuity Management Systems for the past 5 years will
cover the following topics:
• Standards: The World and the South African position
• SANS/ ISO22301 – the rationale and what it is – explained in brief
• The framework needed to mature a BCMS to align with or be certified to
SANS/ ISO22301
• The benefits of alignment and certification to SANS/ ISO22301
• Other Resilience Discipline Supporting Standards and Publications (Local and
International)
• What’s on the horizon with standards development that relate to SANS/ ISO22301
and Organisational Resilience in general
Click Here to Register for the
Johannesburg Event
Click Here to Register for the
Somerset West, Cape Town Event
11
ContinuitySA
ISO22301
Breakfast Talks
Be serious about your organisational resilience capability – Be
serious about adopting SANS/ISO 22301 – We can make it easy.

12. 12
ContinuitySA has scheduled
three webinars as additional
informative sessions for
BCAW2013.
Webinars
Sensible ICT Protection and Re-
covery Methods
Overview: Overwhelmed by the muddle of conflicting tech-
nology terms, jargon, buzzwords and misinformation. CIOs and
IT Managers are finding it increasingly difficult to objectively
compare the different ICT Protection and Recovery Methods
available to them and pick an approach that both matches
their existing requirement and empowers their long term strat-
egy. In this webinar we clarify the difference between High
Availability, Replication, Backup and Archiving and give a rec-
ommended approach to entrench resilience into your ICT sys-
tems and your business.
Presenter: Bradley Janse van Rensburg
Solutions Design Manager, ContinuitySA
Date: Friday 22nd March
Time: 13:00 GMT+2
Mobile Recovery
Overview: Portable recovery solutions for partial disaster situa-
tions.
Presenter: Mark Beverley
General Manager: Service Delivery,
ContinuitySA
Date: Monday 18th March
Time: 13:00 GMT+2

13. 13
Webinars continued
BCI Good Practice Guidelines eLearning Course
Overview: Analysing the factors which promote migration to
cloud based solutions and environments which are best
suited for cloud.
The webinar will talk around the migration plan for corpo-
rates into cloud services, what are the factors to consider
and planning that should be looked into when considering
a cloud based solutions. What are the various steps along
the way and potential pitfalls which are present.
Presenter: Shaheen Kalla
Manager: Managed
Services, ContinuitySA
Date: Tuesday 19th March
Time: 13:00 GMT+2
The BCI has opened up its Good Practice Guidelines eLearning Course for FREE for the
duration of the week of BCAW2013.
ContinuitySA is offering all our valued readers and clients the opportunity to register and
come through to our facility on Monday 18th March 2013 where Lynn Jackson our trainer
will facilitate the eLearning course. Its 8 hours long and will start from 8am to 4pm.
This introduction to the principles of Business Continuity Management will help those new to the discipline who want an overview of
the subject matter or those who want support as they revise for the BCI Certificate examination.
Incorporating the BCM lifecycle, this eLearning programme runs to approximately 8 hours and includes built in tests to check progress
and an end of course review to assess readiness for those who plan to take the BCI Certificate exam.
Content is based on the six BCM Professional Practices found in the Good Practice Guidelines.
Module 1 – An Introduction – What is Business Continuity Management?
Module 2 – GPG Section 1 – How do I establish and manage Business Continuity?
Module 3 – GPG Section 2 – How do I embed Business Continuity within the organisation?
Module 4 – GPG Section 3 – How do I analyze the organisation?
Module 5 – GPG Section 4 – How do I determine the strategies and tactics to use?
Module 6 – GPG Section 5 – What plans do I develop and how?
Module 7 – GPG Section 6 – How do I improve the organisation’s Business Continuity capability?
Module 8 – End of course Assessment
Enterprise migration and adoption of cloud

14. The two-day course, the IT Service Continuity Training is
targeted at IT and Business Continuity Management (BCM) pro-
fessionals responsible for the continued uptime of IT services
within their organisations.
Key elements of the IT Service Continuity Course include:
• The link between BCM and IT Service Continuity Manage-
ment;
• The evolution of IT Service Continuity;
• The latest concepts and trends in IT Service Continuity;
• Conducting an Infrastructure Impact Analysis;
• Formulating and implementing cost effective IT Service Con-
tinuity strategies to meet business requirements;
• Security management in IT Service Continuity;
• Testing the IT Service Continuity framework; and
• A Continuity-as-a-Service case study.
Attendees will not simply be bombarded with theory, but will be
taught skills proven in the real world by active BCM practitioners
with MBCI (Member of the Business Continuity Institute) certifica-
tions.
The course is based on the Good Practice Guidelines of the BCI
and complies with the British Standard BS 25999 to ensure it is on
par with international best practices.
Dates for the IT Service Continuity course are as follows:
IT Service Continuity Programme (2 Day Training)
13th & 14th March – Cape Town
15th & 16th May – Botswana
29th & 30th May – Johannesburg
19th & 20th June – Cape Town
The 5 day Complete Continuity® Practitioners
Programme is designed to equip business continuity prac-
titioners within any organisation in all aspects of implementing,
managing and maintaining an effective business continuity
framework in their respective environments.
The course is based on the Business Continuity Institute’s Good
Practice guidelines and is fully ISETT SETA accredited with 149
credits at NQF Level 6.
Key elements of the 5 day Complete Continuity® Practitioners
Programme include:
• Introduction and Origins of BCM
• Trends and Observations
• Standards and Compliance
• Elements of the BCM Lifecycle
• BCM policy and Programme Management
• Embedding BCM in the Organisations culture
• Understanding the organisation
- Business Impact Analysis
- Continuity Requirements Analysis
- Risk Assessment
• Determining BC Strategy
- Selecting strategies and tactical responses
- Consolidating Resource levels
• Developing and Implementing a BC response
• Exercising, Maintaining and Reviewing
• Measuring BC Maturity
Dates for the 5 day programme are as follows:
Complete Continuity Practitioner Programme
(5 Day Training)
4th to 8th March – Botswana
6th to 10th May – Johannesburg
10th to 14th June – Cape Town
ContinuitySA
Training Dates
Africa’s largest Business Continuity service provider, ContinuitySA,
has enhanced its Complete Continuity Training Academy
For more information on these courses,
contact training@continuitysa.co.za,
or call +27 (0)11 554 8000.
14

15. 15
I will be providing a macro-approach in
the world of governance and risk as it per-
tains some of the important issues facing
South African directors and their compa-
nies; taking a quick view ‘from the outside
in’ and sketching a scenario which may
beg questions for your organisation’s gen-
eral strategic thinking and future direction.
Many a board member may think he’s on
top of matters, only to discover that some-
one has changed the rules of the game.
Most often, and more so in our rapidly
evolving and highly technical business
world, the rules are being changed daily.
So, the question is; ‘just how prepared are
we really’ as leaders to anticipate future
change and are we practicing a more
agile way of coping with the new thinking
and its challenges?
Our own journey within CGF has had its
own tribulations and successes as we look
back on these incredible years of learning
more about what good and poor gover-
nance entails. As we have learned so
much about our own business, and shared
many a lesson with our clients through the
years, we realize how much there is still to
learn as we look forward to the future
challenges that will define our own exis-
tence as a company and its sustainability.
Indeed, these lessons can be shared with
our clients so that we need not “re-invent
the wheel” as the saying goes.
It is on this note that one realizes in life that
to excel in business, it’s not necessarily
about how hard one works to achieve the
goal, but rather about how smart one is
about achieving the goals at hand. At
the outset may I suggest -- in real business
terms -- that some business leaders are
‘smarter’ than others, and through their
mental agility and stealth strategies, they
perform better than others.
That said, let’s also agree that most of us
are all in business to make money -- and
hopefully lots of it -- so that we can claim
the end prize. Whilst this statement may
appear somewhat direct, it remains true
for many, even though we don’t want to
admit it.
Now that we have been bold enough to
concede this truth, from a governance
perspective it’s not important how much
money was made, but more importantly
how the money was made and how it is
being spent that matters. In other words,
we need to know that the money was
made legally and according to ethical
standards and such where appropriate
portions of this money is used to build and
strengthen business and social communi-
ties so that the entire supply chain –
at global and local levels – remain
sustainable.
These are some of the principles con-
tained in King III and no doubt contained
within many business journals and MBA
programmes worldwide.
So, its about money at the end of the day;
it’s about appropriate risk taking, it’s
about knowing how far to push or pull
back, it’s about judgement calls, ethics,
morality and ‘humanness’ – these are the
factors that we contend with in business
each day. Some of us are more evolved
(or business savvy) to deal with these pa-
rameters, others less so and averse to risk
taking.
Notwithstanding the levels of our experi-
ence, we are all on a journey where real-
istically speaking there may be no real
beginning and no real end and these
‘truths of business’ have become more
vague in recent years with the advent of
e-business, cloud computing and so forth.
Our many types of boundaries – be these
at geographic levels, societal levels, cul-
tural, business or legal levels have be-
come so blurred, that it’s becoming
increasingly difficult as leaders to survive
in business terms, let alone thrive!
Perhaps this is then the right juncture to
ask whether or not South Africa has clearly
understood the difficulty and challenges
of these boundaries, and whether its strat-
egy could withstand the test and scrutiny
of its citizens, South Africa’s stakeholders,
regarding the soundness of its strategy
and plan?
May I assure you this will not be a govern-
ment bashing talk; whilst there are many
critics out there who don’t foresee the Na-
tional Development Plan (NDP) achieving
its objectives, you will no doubt have al-
ready formulated your own opinion re-
garding the road South Africa is currently
travelling.
LOOKING BACK &
GOING FORWARD
breakfast talk:
By Terry Booysen, CEO of CGF Research Institute
www.cgfresearchinstitute.com
(Extracts from talk on 21 Feb 2013-02-20)

16. 16
All over the news in SA, and in other parts
of the world, SA is being lambasted by its
investors - local and foreign - such where
matters such as crime, corruption, unem-
ployment get the main focus and brunt.
Even the Auditor General has had his say
regarding dysfunction where his 2013
report shows many poor governance
practices within national and local gov-
ernment departments and cause for
major concern.
Interestingly, last week I had the occasion
to address a high level audience straight
after Clem Sunter - a foxy man - and whilst
this was not the first occasion I have done
so, I have to admit that it was really good
allowing Clem to set my scene for a
change.
Normally, I am the person delivering
gloomy messages attached to poor gov-
ernance, such as when I predicted in Oc-
tober 2011 that SA would see social unrest
of epic proportions if the gap between
the rich and poor, educated and unedu-
cated, employed and unemployed did
not become less.
Expectedly, my critics scoffed the idea;
and South Africa’s global ratings still hang
in the balance . . .
SA is now generally rated at BBB+ by all
three international rating agencies (Sept
’12) and is considered a much higher risk
for foreign investors.
In Clem’s latest talk, he suggests that
South Africa is in a fairly rapid decline, and
what was previously a 10% blip on the
geo-political play card, has now become
a 25% probability of SA becoming a failed
state. Putting this into perspective; 10%
predictability scoring at the time probably
meant “let’s keep an eye on this potential
problem”, whilst 25% now means “what
will we do to fix the problem?”
We need to however be mindful of the
fact that according to recent statistics, SA
Inc. has lost almost 45% of its FDI in the
2011/12 period, and almost 450,000 SME
businesses have closed in SA over the last
4-5 years! Of course this does not bode
well, particularly knowing that the NDP of
President Zuma hopes to build 5m new
jobs by 2020. Of course critics have said
we should rather be talking about creat-
ing new businesses (as opposed to simply
trying to get existing businesses to create
more jobs in an already pressurized cook-
ing pot). By creating new businesses
through the appropriate government
grants and tax incentives -- particularly in
the SME sectors where currently almost
67% of our existing employment comes
from – new and entrepreneurial growth
will flourish instead of;
• trying to bolster existing State-Owned
Organsations with even more employ-
ees and ineptness (SOEs currently offer
circa 22 % employment), and
• placing yet more pressure and burden
upon existing businesses to create
‘decent’ new jobs.
In just the past few weeks it has become
very evident of the tensions between
business and government, through for
example;
• the political tensions and uncertainties
of South Africa’s future
• the drop in SA’s sovereign credit ratings
• the weakening of the Rand
• the lowering of SA’s GDP forecasts by
the IMF for global growth in 2012 to
3.3%, from its July forecast of 3.5%,
with its 2013 forecast falling to 3.6%
from 3.9%
• the social and labour unrest
• increasing unemployment & debt bur-
dens at both country and consumer
levels
• lack of clear strategy & growth of the
country
• drop of local & foreign investor’s confi-
dence in SA
• political interferences with business
in SA
• greater state involvement in mining,
falling short of outright nationalisation
• high demands by labour and radical
unions
Graphic: Fritz Jooste (fritzjooste.com): The Auditor General audited a sample of 8 out
of 45 national departments and only 124 contracts worth R5.5 bn were audited. Find-
ings were made against all 8 departments

17. * The World in 2050 The BRICs and Beyond: Prospects, challenges and opportunities
– a PwC Report
17
• regulatory uncertainty evidenced
through the massive resurgence of
BBBEE, EE and LRA (SA has a very poor
record in terms of LRA. According to
the World Economic Forum's Global
Competitiveness Report, SA is the worst
of 142 countries assessed in terms of co-
operation in labour-employer relations)
• constraining legislation is proposed
for the media, civil society, and the
Judiciary
• unbalanced and increasing tax bur-
dens upon business and high net worth
individuals.
Perhaps, and in additional to the above,
South Africa Inc. doesn’t have a clear
plan for the road ahead; and many critics
and businesses in SA believe the NDP will
amount to nothing more than what GEAR
tried to achieve and have referred to
South Africa’s journey ahead as a Long
Dark Night.
Remember SA Inc. has put together a few
paper-good strategies/plans (ASGISA,
IPAP 1 & 2, NGP and now the NDP) and
yet details to achieve any of these illustri-
ous plans have fallen short of their marks.
Arguably, many also feel that NEDLAC
and BUSA have failed to achieve the part-
nership levels that are so desperately
required between government and busi-
ness in order to get SA back on the road
to success.
Regrettably, President Zuma’s SONA failed
to create inspiration amongst the much
needed support of business and mistrust
may now have deepened.
So how are SA CEO’s feeling right now?
In the latest PwC 16th Annual Global CEO
Survey (Jan 2013), aptly entitled Making
Strides to Survive & Thrive, CEOs across
many industries of 56 publically listed and
privately owned businesses in South Africa
had this to say;
• Firstly, there’s a cautious optimism in SA
(CEOs: 2012)
• 3%-16% of SA CEOs believe the global
economy is showing positive devel-
opments across a range of macro
economic areas, whilst between
15%-18% their international counter-
parts are more positive
• 90% of SA CEOs are bullish about their
prospects for revenue growth in next
12 months (short-term), but most
CEOs are not confident that they will
make their revenue growth in the
next 3 years
• 98% of SA CEOs have key operations
in other parts of Africa, and 81% of SA
CEOs expect to grow key operations
in other parts of Africa in next 12
months
• Many SA CEOs rate China, Nigeria,
India & Brazil ahead of the traditional
economic power houses of Western
Europe. 17% of CEOs expect their key
operations in Western Europe to de-
cline in the next 12 months
• The World in 2050 Report* concludes
that emerging economies are set to
grow much faster in ave. growth of
GDP than their counterparts over
next 4 decades, with Nigeria in front,
followed by Vietnam, India, Indone-
sia, China, Saudi Arabia & South
Africa
• 75% of SA CEOs expect to see head-
count to either increase or stay the
same
BUT then there’s the worries;
Macro risks in SA (CEOs: 2012)
• Availability of key skills (88%)
• Bribery & corruption (75%)
• Uncertain or volatile economic
growth (75%)
• Exchange rate volatility (70%)
• Social unrest (68%)
• Over-regulation (66%)
• Lack of stability in capital markets
(64%)
• Government response to fiscal
deficit & debt burden (63%)
• Energy & raw material costs (59%)
• Protectionist tendencies of na-
tional govts.(59%)
• Increasing tax burden (48%)
• Inflation (47%)
• New market entrants (43%)
• Changes to consumer spending
& behaviour (41%)
• Inability to finance growth (39%)
• Inadequacy of basic infrastructure
(39%)
• Supply chain disruption (32%)
Moving forward, CEO’s in SA and world-
wide foresee their strategies including;
• Growing customer base
(SA 64%:Global: 51%)
• Improving operational effective-
ness (SA 48%:Global 49%)
• Enhancing customer service
(SA 43%:Global 38%)
• New M&As / JVs / strategic
alliances (SA 34%:Global 33%)
• Filling talent gaps (SA 34%:Global
27%)
• Implementing new technology
(SA 27%:Global 26%)
• Manufacturing capacity
(SA 20%:Global 19%)
• R&D and innovation
(SA 18%:Global 32%)
• Securing raw materials or compo-
nents (SA 7%:Global 9% )
Let me emphasis this somewhat gloomy
picture is in no way the end of the road;
SA Inc. is still a new democracy and has
many issues to address. Somehow, no
matter how worrying the future may be,
visitors to our country have generally con-
cluded that “it is a lovely place – but that
SA cannot possibly last another 5 years.
Time and time again, experience has
proved the pessimists wrong.”
To conclude my presentation, for SA Inc.
to resurge and “lift its game to the higher
league”, we will need to see, amongst
others:
• a move towards the deregulation of
labour markets
• reduced excessive legislation linked to
employment equity and empower-
ment requirements
• abandon the idea of large-scale state
led industrial and social policy such as
a state owned miner or steel maker
and the National Health Insurance
scheme
• maintain conservative fiscal and
monetary policies such as inflation
targeting
• provide lucrative incentives for SMEs
to develop to absorb large sectors of
the unemployed.
Thank you.