"11 PM (...) The man who took over command of the control room was a Bengali Hindu named Suman Dey. Twenty-six years old, with a degree in science from the University of California, he was both competent and respected. The seventy-five dials lit up in front of him made up the factory’s control panel. Every needle, every luminous indicator supplied information, showed the state of activity in each section, signaled an eventual anomaly. Temperatures, pressures, levels, outputs—in his capacity as officer of the watch, Suman Dey was kept constantly apprised of the condition of the plant. At least that was the theory, because, for some time now, some of the apparatus had been breaking down. Dey was therefore obliged to go and get his information on site. He was not always able to. For the past several days, because of a fault in the transmission circuit, there had been no temperature reading coming through from tank 610. To calm his own frustration, he meditated on the words of a large notice hanging on the wall above the dials: “SAFETY IS EVERYBODY’S BUSINESS.” There was nothing definite, however, to make the young Bengali believe that the safety of the factory was not assured."
(Dominique Lapierre, Javier Moro - Five Past Midnight in Bhopal)
In the passage above, we can find many references to the ISO 22301 standard (ISO 22301:2019 Security and Resilience — Business Continuity Management Systems — Requirements):
But within one hour, one of the most famous industrial disasters of the last century is about to begin, a disaster which is often cited as a negative case study in business continuity courses.
In the ISO vocabulary, Business Continuity Management is defined as:
"holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities."
So we can say that the job of business continuity is to implement a framework that:
The standard follows the ISO Annex SL structure (renamed Annex L in 2019), as many others do:
Clause 8 "Operation" is the most interesting because it indicates how to carry out a business continuity impact analysis, develop business continuity strategies and solutions, and create business continuity plans and procedures.
Business Impact Analysis (BIA) allows the organization to identify the effects of a business disruption. It's also useful for the decision-making process related to recovery priorities and strategies.
Through the use of questionnaires, meetings, interviews, documentation reviews, and an in-depth analysis of their business, organizations can summarize:
Therefore, the functions and processes with the highest operational and financial impacts become a priority within a recovery plan.
The time within which those functions and processes must be recovered, before any unacceptable consequences occur, is known as the Recovery Time Objective (RTO).
Other essential parameters that BIA needs to define are:
"The Union Carbide company was quite unready for the emergency. It could render to aid to people. For all the good they did, the thousand employees and the Indian and world network of 100 00 employees and hundreds of offices and factories and outlets might as well have been on holiday."
(Alfred De Grazia - A cloud over Bhopal - Causes, consequences and constructive solutions)
The business continuity standard ISO 22301 was first published in 2012, but, as a form of crisis management, business continuity management (BCM) has evolved since the 1970s in response to the technical and operational risks that threaten an organization's recovery from hazards and interruptions.
In the 'Dow Chemical - Union Carbide' plant in Bhopal, there were some emergency procedures but not enough to handle that type of emergency, and, worst of all, the security measures were neglected and not adequately followed by personnel.
The Business Continuity Strategy collects the BIA output and forms the basis for the Business Continuity Plan. It concerns the determination and selection of alternative operating strategies to be used to maintain the organization's critical activities. Experience and good practice show that the early provision of an organizational BC Strategy ensures that Business Continuity Management activities are aligned with and support the organization's overall business strategy.
In general, there are six approaches for developing a BC Strategy:
1. Multi-site operation
2. Backup arrangement
3. Standby arrangement
4. Third-party arrangement
6. Combined arrangement
The BCP is a framework that enables organizations to respond to an incident and deal with the recovery of their activities.
The procedures have to address all aspects of responding to an incident, with particular regard to life safety issues, and achieve the timely resumption of the organization's delivery of products and services (RTO).
The components and content of a BCP vary from organization to organization based on criticality, importance, and technical complexity. In general, it is possible to identify and include:
"On December 3, 1984, one of the most tragic incidents in the history of the chemical industry occurred in Bhopal, India. Those of us in the industry remember that day well, and the following days, when many people died and others were injured as a result of exposure to gas released from a plant owned and operated by Union Carbide India Limited.
Although Dow never owned nor operated the plant, we - along with the rest of the chemical industry - have learned from this tragic event, and we have tried to do all we can to assure that similar incidents never happen again.
To that end, the chemical industry learned and grew as a result of Bhopal – creating the Responsible Care program with its strengthened focus on process safety standards, emergency preparedness, and community awareness. The industry also has worked with governmental regulators to assure that industry best practices are implemented through regulations for the protection of workers and communities.
We have led the industry in the implementation of Responsible Care to drive global industry performance improvements. Responsible Care standards are essential for the protection of our employees and the communities where we live and work. While Dow has no responsibility for Bhopal, our pledge and our commitment is the full implementation of Responsible Care everywhere we do business around the world."
Statement of The Dow Chemical Company Regarding the Bhopal Tragedy
In the official press release, the company communicates important Responsible Care initiatives that would be implemented, but reveals the lack of a sense of ownership and says nothing about prevention activities to avoid the recurrence of similar disasters. This is a clear example of a failure to protect brand reputation.
Communication is essential during a crisis, and a Communication Plan needs to be included in the BC Plan. Organizations have to communicate with their personnel, stakeholders, suppliers, clients, emergency forces, authorities, and the media.
Each of them needs to know different details at different times, so it is of great importance that a Communication Plan is in place and is regularly reviewed and tested.
An efficient communication strategy is based on five principles:
I cited in this article the disaster of Bhopal, which happened almost 40 years ago. Still, recent natural disasters, environmental accidents, and also the current pandemic flu, have demonstrated that disasters can happen, impacting private and public sectors alike.
Today's threats require the creation of an ongoing, dynamic, and interactive process that assures the survival and sustainability of an organization's core activities before, during, and after a disruptive event.
ISO 22301 helps organizations in this great challenge. Advantio's Data Protection experts have helped many organizations worldwide to improve their sustainability and security. To start your ISO journey, book a free call with us.
I am the Senior Data Protection Consultant at Advantio. I have great experience in ICT and Telco services, where I covered several roles and responsibilities. In the last 10 years, I have focused my attention on information security and business continuity compliance.