
01.07.2024

Alexey Juraev: "It is almost impossible to think through all scenarios, so often strategies describe a plan of action"

Business continuity is becoming an increasingly critical component of modern corporate governance, especially in the face of a rapidly changing information landscape and increasing threats. This specialization at the intersection of information security, technology, physical protection, risk management and crisis management requires not only deep knowledge in each of these areas, but also the ability to integrate them into a single strategic approach.

"J News" interviewed Alexey Juraev, a recognized expert in the field of business continuity. Alexey has extensive experience working with large organizations, helping them not only prevent potential crisis situations, but also effectively manage them if necessary. In our conversation, we discussed key aspects of implementing business continuity systems, current challenges and trends in this area, as well as prospects for the development of this specialization in Uzbekistan and beyond.

  • Alexey, please tell us how you came to specialize in business continuity.

A.D.: I was doing my master's degree in international security when I was invited to take a technical position in one of the internal departments of PwC Russia (an audit company, Big4), where I worked on several projects before finishing my master's degree. After receiving my degree, I realized that there was no career development waiting for me in a technical position and started looking for career development options, including inside PwC. In the course of my search, I came across the business continuity team, which functioned inside the cybersecurity group. The guys wanted to strengthen their expertise on an international level, and my education and existing experience suited them. I worked in this team for 3 years, after which (for a number of reasons) I left the company. After that, I worked on information security and business continuity at a Russian IT integrator, where my colleagues and I were responsible for restoring this project area. Now I am engaged in continuity, including in-house in one of the companies in Tashkent.

  • What is the main task of the business continuity system and why is it so important for modern organizations?

A.D.: If you take the definition from the international standard on continuity (ISO 22301), continuity is the strategic and tactical ability of an organization to plan its work in the event of an incident and disruption of its activities, aimed at ensuring business continuity at a set acceptable level.

The main task of the business continuity system (Business Continuity Management System, BCMS) is to ensure that the organization is able to continue its critical functions and operations in the event of significant disruptions or disasters. This includes reducing downtime and reducing financial losses associated with business process disruptions. The system allows the organization to adapt and continue to function in the face of uncertainty and changes in the external environment, while remaining competitive. BCMS also protects the interests of employees, customers, partners, and other stakeholders.

Within the framework of the system, critical processes are defined in the company, i.e. those without which the company will not be able to perform its main activities for a significant time or will not be able to function in principle. BCMS also allows you to understand in advance what resources (personnel, equipment, infrastructure, etc.) and to what extent the company needs to maintain critical processes at the minimum acceptable level.

The implementation of BCMS allows the company to determine in advance the current and most likely threats and risks, such as earthquakes, abnormal weather conditions, man-made incidents, social or geopolitical instability. After that, various scenarios and strategies are worked out in advance. This allows you to respond quickly and with minimal errors.

Let me give you an example: there is a cyberattack on a data center, and abnormal heat causes problems with cooling servers, and some of them stop responding. In such a situation, it is more difficult for information security specialists to quickly detect an attacker inside the company's perimeter. Within the framework of BCMS operation, events of varying degrees of probability are considered, and response strategies are written for such cases, so that the company's specialists can and should know in advance how to act in such situations. Of course, it is almost impossible to think through all scenarios, so strategies often describe an action plan that applies to a specific situation, threat, or group of threats, such as responding to a cyberattack (not to a specific one, but to the threat as a whole).

You also create detailed recovery plans for your organization that include procedures for restoring critical operations, including IT systems, infrastructure, personnel, and other resources.

BCMS allows you to identify new possible risks for the company, which without this system could not even be evaluated.

  • What are the main components included in the business continuity management system?

A.D.: BCMS includes a number of activities and documents under development:

  1. Business Impact Analysis (BIA) is an analysis that helps you identify the critical processes and resources that I mentioned above.
  2. Risk assessment: analysis and assessment of continuity risks and threats that are relevant for a particular region, industry, or company.
  3. Develop scenarios and strategies for responding to loss of continuity.
  4. Develop detailed incident recovery plans.

The system also necessarily includes employees with defined areas of responsibility, powers, and responsibilities, ranging from a continuity manager and supervisor to incident recovery teams.

And one more important point. The company, preferably at the policy level, should have an understanding and desire to ensure survival in the market, and it is also documented that such a system is needed and will be developed, since the implementation of BCMS is to some extent a bureaucratization of processes. Of course, I haven't listed all of them. These are the key things.

  • How does your expertise in information, IT, physical security, risk and crisis management help you develop and implement such systems?

A.D.: Expertise in information, IT, physical security, risk and crisis management plays a key role in the implementation of Business Continuity Management Systems (BCMS).

High-quality, regular and documented backup of certain data and systems is one of the key components of BCMS, which includes such important concepts as RTO and RPO.

Within the framework of physical security, BCMS focuses on such aspects as infrastructure protection (ensuring the security of physical objects and assets, which minimizes the risks of theft, vandalism, and disasters), access control (implementing access control systems, video surveillance, and other aspects of physical and technical security to prevent unauthorized access to critical objects), and evacuation plans and employee safety.

For BCMS, it is also important to understand risk management, namely risk identification and assessment (risk management specialists conduct risk assessment of the organization within their field, which simplifies the process of identifying and prioritizing continuity threats).

You also asked about the importance of crisis management. Business continuity is aimed at ensuring the continuous operation of certain processes in the company and reducing the impact on the organization in the event of an incident. Crisis management is activated at the moment when the incident occurred, so it is an integral part of the BCMS. This includes planning employees' actions in the event of an incident, managing all communications, and a specific set of actions and steps after the crisis is resolved. Without understanding crisis management, it is impossible to build a full-fledged BCMS.

  • What are the most frequent crisis situations you see in the banking and fintech sectors, and how does the business continuity system help minimize their consequences?

A.D.: Based on various studies of recent years, I can say that these are cyber attacks, failures of various IT systems, technical failures, natural disasters, various incidents related to suppliers and partners, regulatory and legal changes.

The implemented BCMS allows you to identify these risks and prepare action plans in the event of a particular threat. For example, developing actions in case of problems with the supplier, diversifying suppliers, regularly checking partners, alternative supply chains, regularly monitoring regulatory changes, adapting business processes, developing plans for restoring IT systems, etc. You can list many possible actions for different threats.

BCMS allows you to identify these possible threats and quickly respond to them, so that the consequences are not critical for the company. Collectively, BCMS provides a comprehensive approach to preparing for, responding to, and recovering from crisis situations, which helps minimize their impact on the business and maintain the organization's long-term sustainability.

  • Can you give examples of successful implementation of a business continuity system in real companies?

A.D.: Yes, of course. If we take the international market, then such examples can be the following companies:

  • JPMorgan Chase. In 2012, when Hurricane Sandy hit the East Coast of the United States, the bank was able to quickly restore its operations. With pre-prepared plans and redundant data centers, JPMorgan Chase has managed to minimize downtime and continue to serve customers despite massive power outages and flooding.
  • MasterCard. MasterCard successfully used its BCMS during the COVID-19 pandemic. The system allowed the company to quickly switch to remote work, while ensuring the security and availability of payment services.
  • Walmart. Retail giant Walmart also successfully switched to a remote format of work. In a professional environment, I have seen stories that Walmart suffered minimal financial losses compared to other companies in the United States, although I did not look for official confirmation of this.
  • Toyota. After the 2011 earthquake and tsunami in Japan, Toyota quickly restored its production capacity, despite severe damage.
  • Southwest Airlines. In 2017, the airline experienced massive disruptions in its IT system, resulting in flight delays and cancellations. Thanks to pre-designed plans and trained employees, Southwest Airlines was able to quickly restore operations and minimize inconvenience to passengers.

If we take the CIS countries, then I will give an example of the Jet Infosystems company, in which a fire occurred on January 25, 2003. The office was completely inaccessible, but thanks to the implemented BCMS, new premises were found by the evening of the 26th and the main processes of the company were restored. Customers didn't even notice service interruptions.

I can also note that in 2022, the PwC service center and office in Lviv (Ukraine) did not stop working.

Of the companies where BCMS is implemented in some form, you can list: VEB.RF, T-Bank, Sber, Gazprom, MTS (Russia), Kyivstar (Ukrainian telecom provider).

In Uzbekistan, some organizations also have or are implementing BCMS. We are also developing in this direction, although not as fast as we would like.

  • How do you assess the level of awareness and readiness of Uzbek companies to implement such systems?

A.D.: I only do full-fledged analytics, so it's hard for me to say for sure, but there are companies where this system is fully implemented and works perfectly. There are companies that are just implementing or planning to implement BCMS. There are some that seem to have something in them, but it doesn't function. Some banks have this situation. And there are companies where one or two proactive employees understand the importance of ensuring continuity, but face a total lack of understanding on the part of higher managers. There are a lot of companies that have not heard anything about this and have not planned to implement it and do not plan to.

  • What steps should a company take to start working on a business continuity management system?

A.D.: There are many steps that enable Business Continuity Management (BCMS): updating the relevant risk matrix, conducting business impact analysis, regular testing, determining the maximum possible amount of permanently lost data (RPO) and the capacity required for recovery, and others.

The main problem in the event of an emergency is stupor and not knowing who to turn to for instructions and explanations. After preparing the top-level plans, you can think about deepening the issue of continuity.

I once wrote an article that roughly answers this question, so I'll use the checklist that was developed at that time:

  • Identify business continuity risks that are relevant to your company and coordinate them with other key employees. You don't need to use a super-complex method for determining risks and threats. For example, you can use the Delphi method.
  • Identify key systems and processes for your company. A small questionnaire is enough to communicate with the business. It should contain information about the system: who is responsible for it, the time it takes to recover, and the maximum allowed period of time for which you are ready to lose data from it.
  • Check your key system backup settings: Are all business-approved RPOs maintained? The system could have been created many years ago, and no one remembers how copying takes place. Ask the technical owners of critical systems what makes them functional: what maintenance they need, what components they need, and how soon their licenses will run out.
  • Check IBS security. As a rule, modern IBS already have built-in protection mechanisms against cryptographers: Honeypot, deduplication database protection. Make sure that these settings are activated, that the system is separated into a separate segment, and that basic security measures are implemented.
  • Determine the circle of people who will make decisions in case of critical emergencies, for example, to urgently "turn off" all servers. Sometimes precious time is lost, because there is no understanding who should give the "target instruction" for such actions.
  • Develop a communication plan for IT and SB. It should be as simple as possible.
  • Create an alternative communication channel in case of an emergency. For example, a group in a secure messenger (Telegram/Signal), where all responsible employees and key managers will be added.
  • Make memos for users. The memo may contain the text: "In case of emergency, call this number." And the numbers will be listed below.
  • Make memos for IT administrators to mitigate key risks. Specify in them who you can contact in case of IT equipment failure, if something has happened to the communication channel, and so on.
  • Check at least on paper the prepared response plan. You can use it as a flowchart for clarity.

By implementing these simple steps, you will move on to a more mature process of ensuring continuity in your company.

  • In which industries, other than banking and fintech, can business continuity systems be most useful?

A.D.:

  • Healthcare (it is critical to maintain continuous operations in hospitals and health centers to ensure patient safety).
  • Energy and utilities (companies that provide electricity, gas, water, and other utilities must ensure continuity of supply).
  • Telecommunications (telecommunications service providers must ensure continuity of communication for their customers).
  • Transport and logistics (continuous operation of transport companies and logistics operators is critical for global supply chains).

You can also identify various companies that are associated with increased risk to their employees or customers, such as mining companies, mines, oil and gas fields, airports, and others.

  • What are the key risks you see in the absence of a business continuity system in organizations?

A.D.:

  • Downtime and loss of productivity: unexpected interruptions in operations can lead to downtime in production processes, which in turn reduces productivity and efficiency.
  • Financial losses: Downtime and disruption to business processes can result in significant financial losses due to lost revenue, additional recovery costs, and missed opportunities.
  • Data and information loss: The lack of proper data protection measures may result in data loss or damage as a result of cyber attacks, technical failures, or natural disasters.
  • Deterioration of customer reputation and trust: failure to respond to incidents in a timely manner and failure to ensure continuity of services can negatively affect the company's reputation and customer trust.
  • Supply chain issues: interruptions in operations can cause disruptions in supply chains, resulting in delays and resource constraints.
  • Regulatory and legal consequences: Failure to comply with regulatory requirements and business continuity standards may result in penalties and sanctions from regulatory authorities. Also, certain actions or omissions in a crisis can lead to various regulatory sanctions.

  • What hardware and software is usually required for effective business continuity management?

A.D.: I would say that the most important thing is the support from above. As I have already mentioned, implementing BCMS requires red tape in some processes, and employees may be reluctant to do so, especially when it comes to learning and automating steps and actions in case of incidents.

As for the rest, companies where BCMS is installed usually use the existing infrastructure, if the organization does not have chaos in business processes and there is a sufficiently built IT infrastructure (backup systems, incident monitoring) and PR and GR processes are formed, if the company is large enough.

  • What trends and innovations do you see in the field of business continuity at the international level?

A.D.: In addition to global trends such as Big Data and machine learning, which also affect business continuity, the following areas can be distinguished:

  • Increasing regulatory pressure and standards, such as the recently adopted DORA act in the EU, aimed at regulating digital operational sustainability.
  • Strengthening supply chains.
  • Increased attention to sustainability in general and climate risks.

Separately, it is worth noting the development of a culture of continuity and sustainability, as well as the digitalization of this area. I haven't worked with such software, but there are companies that specialize in developing software designed exclusively for BCMS, ranging from automating business impact analysis to monitoring 24/7 continuity threats. After learning about these developments (for example, such a company exists in the UAE), I understand how important it is to follow the latest global trends.

  • How do your methods and approaches differ from other specialists in this field?

A.D.: I don't have 10, 15 or 20 years of experience in this field to say that my methods are radically different from the generally accepted methods based on the best world practices. I try to take into account all possible factors and influences, not limited to one area, as BCMS requires IT integration, information security, and risk management.

  • What advice would you give to CEOs who are considering implementing a business continuity system but don't know where to start?

A.D.: Assess the current state of affairs and analyze your company's current risks and vulnerabilities, including the most likely man-made, natural, and social risks. Identify key employees who can lead the development of such a system and join the incident recovery team. Study the existing standards: although this may not lead to an instant implementation of a well-established system, you will be able to understand what you have to do. Ask experts and consultants for help. Create a culture of sustainability by spreading awareness among employees about the importance of business continuity and their role in ensuring the company's sustainability. And of course, follow the steps I mentioned above.

  • What are your plans for the future and how do you see the development of this specialization in Uzbekistan in the coming years?

A.D.: Over time, specialization in business continuity will begin to be regulated by the Central Bank. I have heard from Uzbek experts that the local regulator often adapts or accepts regulations from the Central Bank of Russia, where the sphere of business continuity and operational reliability is highly regulated. For example, in Russia, the Central Bank has established that the automated banking system must be restored within 2 hours after a failure or downtime. The local market is not yet ready for such strict requirements. In communication with representatives of the Central Bank of the Republic of Uzbekistan, I was told that no significant changes are planned in the next 3-5 years, although there is already a decree No. 3431 that requires payment system operators to have business continuity plans. However, how strictly these requirements are met in practice and how effectively such plans work, I cannot say.

However, at various forums and events, I am increasingly hearing about the importance of business continuity, especially from CIOs, CEOs and other managers of large organizations, which makes me very happy. My immediate plans include speaking at thematic events, writing articles on this topic, and possibly running social networks to spread knowledge about business continuity among the audience in Uzbekistan. This will help prepare businesses for future Central Bank requirements and reduce confusion when introducing new continuity regulations.

Subscribe to my profile page Telegram channel; articles on business continuity will be published there soon.

  • Thank you for the interview.

A.D.: Thank you.