How prepared are we to deal with disruptions? · 2018. 6. 12.
TRANSCRIPT
EDP – DGR – Ricardo Messias
3rd IMPROVER/ERNCIP Operators Workshop on Resilience for CI
HOW PREPARED ARE WE TO DEAL WITH DISRUPTIONS?
Lisbon, 23-24 May 2018
Objectives
1 What is a disruption?
2 How traditional preparedness works.
3 How holistic business continuity management works.
4 Key points to build resilience.
What is a disruption?
Disruption framework
[Figure: 2x2 matrix. Horizontal axis: Identified / Not identified; vertical axis: Uncertainty occurrence & impact; each axis runs from - to +.]
Known Knowns: Specific events
Known Unknowns: Uncertain events
Unknown Unknowns: Unexpected events
Unknown Knowns: Forgotten events
How traditional preparedness works.
How traditional preparedness works
[Figure: the disruption framework matrix of known and unknown events, annotated with the statements below.]
- "I have specific emergency and contingency plans. Let's hope that will be enough to contain it."
- "I have specific catastrophe plans. Let's hope it will go the way we exercised."
- "It was something unprecedented; how do you expect me to have a plan?"
- "Nooo!!! Let's see how I can explain this… (maybe I can say it's unprecedented or blame someone)"
How holistic business continuity management works.
How holistic business continuity management works
[Figure: the disruption framework matrix of known and unknown events, annotated with the statements below.]
- "I have specific emergency and contingency plans. If they are not enough to contain it, I have broad plans."
- "I have broad plans by resource, flexible enough to respond to uncertainty, and a crisis structure."
- "It was something unprecedented, but the broad plans and the crisis structure are prepared to respond to it."
- "My cyclical business continuity analysis reminds us of forgotten vulnerabilities."
How holistic business continuity management works
Disruptions framework + Response framework
Specific plans: Emergency plans; Contingency plans; Recovery procedures
Broad plans: Business Continuity Plans; Crisis Management Plans; Crisis Communications Plans
[Figure: disruption framework matrix. Horizontal axis: Identified / Not identified; vertical axis: Uncertainty of occurrence and impact; each axis runs from - to +.]
Known Knowns: Fire; Substation failure; SCADA failure
Known Unknowns: Extreme natural events; Pandemics; Cyberattacks
Unknown Unknowns: Unexpected events
Unknown Knowns: Forgotten events
Key points to build resilience.
Work together, not in silos.
asset management (BS ISO 55000)
risk management (ISO 31000)
stakeholder and collaboration management (BS 11000)
reputation management
horizon scanning
environmental management (ISO 14001)
health and safety (ISO 45001)
fraud control
business continuity (ISO 22301)
ICT continuity (ISO 27031)
cyber security (PAS 555)
information security (ISO 27001)
physical security
facilities management
emergency management
crisis management (BS 11200)
supply chain (ISO 28000)
human resource planning
financial control
quality management (ISO 9001)
change management
You cannot predict every scenario!
You cannot predict every scenario! Go for Resource Loss-based instead of Scenario-based.
Resource categories:
1 People
2 Physical Infrastructure
3 Technological Infrastructure
4 Suppliers
You cannot predict every scenario! Go for Resource Loss-based instead of Scenario-based.
[Figure: BUSINESS IMPACT ANALYSIS; RISK ASSESSMENT; BUSINESS CONTINUITY PLANS. Captions: MUCH MORE FOCUSED; MUCH MORE COMPREHENSIVE.]
Risk assessment is not only about your event history!
Impact: the impact if you lose a resource category
Probability: the probability that a threat exploits a vulnerability
Risk = Impact x Probability
Exercise! Exercise! Exercise!
You must confront the perspectives of the different actors!
THANK YOU