Philippe Dann, Head of Risk & Business Advisory & Christophe Ruppert, Senior Consultant, EBRC

Interview published in the November edition of the LG.

Any organisation, whether in the public or private sector, will sooner or later have to implement a resilience plan if it wants to survive in an increasingly competitive market. To help companies define and use effective Business Continuity Systems, EBRC has developed Cyber-Resilience Portal, an online tool that centralises the entire BCMS process (Business Continuity Management System) and that aims to create a documented Management System. An update with Philippe Dann, Head of Risk & Business Advisory, and Christophe Ruppert, Senior Consultant Business Continuity Management – Practice Lead.

What innovation does the Cyber-Resilience Portal provide to companies that have implemented or wish to implement a Business Continuity System?

Philippe Dann: Our service offer mainly covers activities relating to risk management, compliance with operational security and the IT transformation. There is often a gap between the level of requirements expressed by businesses and the current ability of the IT systems to meet those requirements. Our aim is to ensure that both of those parties are aligned so that in the event of a major incident, the company has access to a solution adapted to the business and that the IT system is able to deliver it. To achieve this, we support our customers in developing a BIA (Business Impact Analysis) followed by a Business Continuity plan. The innovation contributed by EBRC consists of centralising all of that analysis work per business and per service within a central platform called the Cyber-Resilience Portal. Beyond the practical and security aspects of the centralisation of BIA storage and other components of a Business Continuity Management System, the Cyber-Resilience Portal makes it possible to create scenarios in real time to facilitate decision-making. Let us not forget that a Business Continuity approach is a long-term approach using the PDCA method (Plan Do Check Act). The Cyber-Resilience Portal makes it easier to implement this recurring process that contributes to improving organisations’ resilience by providing managers with the resources to select from among the best options. Our solution provides them with access to various alternatives, enabling them to take a decision after understanding the potential ROI of each improvement considered.

Christophe Ruppert: Thanks to our support, our customers will be able to adopt good business continuity practices and implement a continuous improvement process based on the ISO 22301 standard. ISO 22301 specifies the requirements for planning, establishing, installing and implementing, auditing, revising, maintaining and continuously improving a documented Management System in order to create a layer of protection against disruptive incidents, reduce the probability of their occurrence, prepare for such incidents, and recover when they occur.

What is your added value compared to the competition?

Philippe Dann: Our added value, both in the completion of service missions and in the development of the Cyber-Resilience Portal, lies in our perfect knowledge of the ISO 22301 standard. Our methodology is based on that standard, and we continuously adapt it based on current events. The ISO 22301 standard will be updated this year, to be published in late 2019, in order to become an umbrella standard that will cover information security and quality levels. We have prepared for this. We can also provide our customers with valuable feedback. Another thing that sets us apart is the fact that we have become more than just continuity theorists, as we have followed the same pathway as that which we recommended to our customers, and the fact that we achieved ISO 22301 certification in 2016.

We can provide our customers with valuable feedback as we too have achieved ISO 22301 certification

What are the main markets covered by your services?

Christophe Ruppert: Our team, which comprises very varied profiles, enables us to use a fairly diversified approach. Our customers and our prospects work in sectors such as finance, insurance, transport, health, agri-food and aeronautics. We regularly support customers throughout the process of obtaining ISO 22301 certification. This was the case for Arendt Services, in particular, a specialised PFS offering a full range of services aimed at helping companies to establish and manage themselves in Luxembourg, as well as for the Banque de Patrimoines Privés, Luxembourg’s first financial institution to have implemented a Business Continuity Management System which is fully compliant with the standard.

How can your customers leverage the contributions of a resilience mission?

Philippe Dann: They have an undeniable commercial and competitive advantage that sets them apart from their competitors. As a result, customers that we have supported in achieving ISO 22301 certification have gained market share thanks to the additional guarantee they are able to offer. In particular, they have been granted tenders because they were able to prove, thanks to their certification, that they had implemented all the measures for ensuring business continuity. In a “digital-dependent” economy, risk takes on a whole new dimension due to its rapid spread and its ability to impact your value chain. Being able to anticipate and prepare, and having ready-to-use solutions, are the objectives of a standardisation process. Cyber-Resilience does not consist solely of meeting regulatory obligations; it has become a business imperative, a tangible vector of trust.

How to start a resilience process

Business Resilience can be summarised in 5 points.

1. Starting from the business to evaluate impacts.

The first step consists of considering the business and analysing the gaps between the current situation and the requirements of the ISO 22301 standard.

2. Identifying critical activities.

The effects of business interruption on each team must be assessed using various criteria such as the Recovery Time Objective (RTO), the Recovery Point Objective (RPO) and the Maximum Acceptable Outage (MAO).

3. Evaluating the IT system’s business continuity abilities.

This step consists of drawing up a list of the actions to be carried out in order to align the IT system with the business’s needs.

4. Defining and testing crisis management components.

It is important to carry out crisis management exercises that match the current situation as closely as possible. This is one of the possibilities offered by the simulation and training platform of the Cybersecurity Competence Center (C3) with which EBRC has a partnership.

5. Raising awareness and providing information to employees.

Cyber-Resilience is everybody’s business. Every employee, at their own level, must know what to do in the event of a crisis.
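As an added illustration of steps 2 and 3 above (not code from EBRC or from the Cyber-Resilience Portal), the following Python script takes the BIA criteria named in the text (RTO, RPO, MAO, expressed here in hours) for a handful of constructed critical activities, compares them with what an IT system can currently deliver, and produces the list of alignment actions that step 3 calls for. The activity names, figures and the `Requirement`/`Capability` structures are assumptions made for the example; the one rule it enforces beyond plain comparison is the usual BCM consistency check that an activity's RTO must not exceed its MAO, so that an inconsistent BIA entry is flagged before it drives any IT investment.

```python
"""BIA-to-IT gap analysis (constructed example, not the Cyber-Resilience Portal).

Business requirements come from the Business Impact Analysis; capabilities
describe what the IT system can achieve today.  All durations are in hours.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    """Business-side targets for one critical activity (from the BIA)."""
    activity: str
    rto: float  # Recovery Time Objective: how quickly the activity must resume
    rpo: float  # Recovery Point Objective: how much data loss is tolerable
    mao: float  # Maximum Acceptable Outage: beyond this, harm becomes unacceptable


@dataclass(frozen=True)
class Capability:
    """What the IT system can actually deliver for one activity today."""
    activity: str
    rto: float
    rpo: float


# Issue codes returned by the analysis; one action per (activity, code).
RTO_EXCEEDS_MAO = "rto_exceeds_mao"   # BIA entry is internally inconsistent
NO_CAPABILITY = "no_capability"       # IT has not documented a recovery path
RTO_GAP = "rto_gap"                   # IT recovers slower than the business needs
RPO_GAP = "rpo_gap"                   # IT would lose more data than tolerated


def check_requirement(req: Requirement) -> List[Tuple[str, str]]:
    """Sanity-check a single BIA entry before comparing it with IT."""
    issues: List[Tuple[str, str]] = []
    # An RTO longer than the MAO means the plan would restore the activity
    # only after the outage has already become unacceptable.
    if req.rto > req.mao:
        issues.append((req.activity, RTO_EXCEEDS_MAO))
    return issues


def gap_analysis(reqs: List[Requirement],
                 caps: List[Capability]) -> List[Tuple[str, str]]:
    """Return (activity, issue) pairs, most time-critical activities first."""
    by_activity: Dict[str, Capability] = {c.activity: c for c in caps}
    actions: List[Tuple[str, str]] = []
    # Sorting by MAO puts the activities with the least tolerance for outage
    # at the top of the action list (stable sort keeps ties in input order).
    for req in sorted(reqs, key=lambda r: r.mao):
        actions.extend(check_requirement(req))
        cap = by_activity.get(req.activity)
        if cap is None:
            actions.append((req.activity, NO_CAPABILITY))
            continue
        if cap.rto > req.rto:
            actions.append((req.activity, RTO_GAP))
        if cap.rpo > req.rpo:
            actions.append((req.activity, RPO_GAP))
    return actions


# Constructed sample data: four critical activities and three documented
# IT capabilities (payroll has none).  Figures are illustrative only.
REQUIREMENTS = [
    Requirement("payments", rto=4, rpo=1, mao=8),
    Requirement("client onboarding", rto=24, rpo=24, mao=48),
    Requirement("monthly reporting", rto=72, rpo=24, mao=48),  # RTO > MAO
    Requirement("payroll", rto=24, rpo=24, mao=72),            # no capability
]
CAPABILITIES = [
    Capability("payments", rto=12, rpo=4),
    Capability("client onboarding", rto=8, rpo=24),
    Capability("monthly reporting", rto=48, rpo=12),
]

MESSAGES = {
    RTO_EXCEEDS_MAO: "BIA inconsistent: RTO exceeds MAO; revisit with the business",
    NO_CAPABILITY: "no documented IT recovery capability; assess and document",
    RTO_GAP: "IT recovery time exceeds business RTO; shorten recovery",
    RPO_GAP: "IT data-loss window exceeds business RPO; increase backup frequency",
}

if __name__ == "__main__":
    for activity, code in gap_analysis(REQUIREMENTS, CAPABILITIES):
        print(f"{activity:20s} {MESSAGES[code]}")
```

Running the script lists four actions: two for payments (both RTO and RPO gaps), one flagging the inconsistent reporting entry, and one for the undocumented payroll recovery; client onboarding produces nothing because the IT figures already meet the business targets.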