Interview with John Zeppos, Winner Business Continuity Manager of the year 2012 BCI Global Awards 2012
When it comes to Crisis Management, there are a few people around who can be of help and do their best in order for the company to survive. But when things really go wrong and you have to face asymmetric threats, there are just a couple of professionals around who will really live up to their reputation.
John Zeppos has been in Business Continuity and Crisis Management for more than 10 years. He has gained extensive business and technical acumen while successfully undertaking international cross-cultural Business Continuity programmes in 5 countries, spanning Telecommunications, Retail, Customer Services, HR, Education and the Olympic Games Athens 2004. Currently, he is the Group BCM & ERM Deputy Director for one of the leading Telecommunication companies in Europe and is responsible for setting the overall strategy, while guiding and overseeing the design, development and enhancement of the group’s Business Continuity Management System.
John successfully drove the company’s BCM Certification process directly with BSI UK in 2011 and now leads the transition to the new Business Continuity Management International Standard ISO22301:2012.
He possesses comprehensive and highly demonstrable knowledge of modern management systems and methodologies, as well as global best practices, and is capable of strategically and successfully managing the most unexpected of situations.
Following his own guidance, his team has ranked in the top 3 positions globally for 2 years in a row as BCM Team of the Year, while he was nominated as Global Highly Commended Business Continuity Manager of the Year 2011 by 2 separate organisations (CIR & Business Continuity Institute) and won the relevant prizes awarded by his industry peers in London, UK. He is a strong believer in lifelong learning, having gained extensive professional qualifications in Business Continuity as well as in other “neighboring” disciplines such as Enterprise Risk Management, Physical & Information Security Management and Project Management that add value to the core discipline of Business Continuity Management, in order to always excel and be even more efficient in driving and delivering such programmes in complicated environments.
He closely cooperates with the Greek Ministry of Infrastructure, Transport and Networks, representing the Greek Government at NATO regarding BCM requirements globally in the specific fields of Emergency Management and Operational Capability matters, as needed.
Depending on his availability, he also enjoys the role of being a keynote speaker and guest lecturer on Business Continuity Management (BCM), Enterprise Risk Management (ERM), Crisis & Disaster Management throughout Europe. John currently lives and works in Athens, Greece.
Hello John, why does a company need a Business Continuity Manager?
All modern companies operate in a difficult, highly competitive and sometimes quite unstable environment which makes surviving the run, a tough cookie. Now add to this the possibility of unforeseen incidents that might impact hard one’s operations and you have an interesting mixture of high uncertainty that might as well lead to panic and consequently wrong decisions and actions. Today’s Business Continuity Manager holds a pivotal position within the corporate organization chart as this is the person that will get the company prepared, trained and well-rehearsed in order to withstand almost any incident, making sure that the critical and vital operations are always delivered undisrupted to the customers. The BCM Manager is – and must always be seen as – an integral part of the company’s strategic planning, always there to mitigate new risks as well as to manage Crises should they occur.
Business Continuity is a tough sell when everything is going fine… so how do you do it?
Business Continuity Management and its buy-in are always directly related to the corporate culture and if the board wants to be seen like strategizing and planning on a solid basis including all operational risks mapping as well as implementing mitigation measures and rehearsals, they can only afford to have the best professionals their budget can buy, knowing that this is a serious investment for the company’s future as well as keeping their Interested Parties assured that all continuity strategies are officially signed off and their investment is well protected.
In order to give you a practical example, tell me, do you visit your doctor daily? The answer is negative, unless you have a reason to, but you always have a special one you trust that will recover your health as soon as practical, right? The exact same goes for the Business Continuity Managers and the companies they work for. They are there for them, taking care of all atrocities, making the board’s life easier.
That said, one can quite easily understand that the need for a Business Continuity Management System and a good BCM Manager behind that, is much more appreciated, during and after a successful crisis management. Until the next one comes around the corner that is.
What is the key to a successful budget?
Business Continuity Management and Crisis Management are both no different than all other disciplines when it comes to budgeting and financing and because of that it needs a careful financial planning in order to have all the alternate solutions in place, keeping the right balance between high spending and quality of the solutions. As we say, you do not really need a sledgehammer in order to just break a nut, so whatever the need is, the budget covering it, should certainly be sufficient but always keeping in mind that top notch solutions do not always deliver what is promised, so try to keep it simple and appropriate. That said, every Business Continuity Manager has to plan ahead and try to foresee the company’s needs within the next 12-16 months and then ask for approvals by the CFO for both OpEx and CapEx needs. Another important thing is to keep track of specific recurring costs, as well as specific product’s life cycles. Last bit to add is, when the BCM Manager is also responsible for other countries, one should take into consideration the local cost of living for each place and in such cases, one thing that will keep costs relatively lower is to try to procure all needs centrally, gaining another important bit: that of standardization of solutions and equipment.
Which strategies do you recommend to manage risk?
As soon as specific Risks are properly identified, a Risk Matrix is populated and presented to the board, there are numerous ways to manage them, mostly depending on the company’s culture itself as well as how much residual risk the board is willing to allow after taking all the signed off measures. Generally speaking, organizations tend to draw a line called risk appetite, where their risk taking stops and specific risks have to be mitigated and strategized around in order to minimize their impact, should they ever materialize. One can simply accept a risk identified, share the risk with a business partner, pass it over to an insurance company or simply put measures and solutions in place that will either minimize it or in some cases take it completely off the radar.
Again, it all comes down to the budget reserved for Business Continuity Operational Risks Mitigation and how much risk the company is willing to take, keeping a balance between spending and being practicable with the solutions that always have to be fit-for-purpose.
Please share an effective method you have used to develop disaster recovery plans.
Again, there is no single solution that fits every need, but since you are asking about “Disaster Recovery Plans” I suspect that you are talking about Technical recovery and not business recovery which falls under Business Continuity responsibility as well, right? There are numerous techniques to do so, but a safe methodology is to start off by performing a full Business Impact Analysis along with the relevant Risk Assessments and Single Point of Failure reviews for all your critical sites and infrastructure so as to identify your gaps.
Start by filling those initially discovered gaps and that will immediately increase redundancy by a huge percentage! Next, identify your most critical systems and applications based on revenue loss per day if the systems were unavailable. Once you’ve populated a list with 10-15 of those, you can start drafting plans and recovery strategies per single element based on best practice and past experience within the organization.
This – as one understands – is a task to be fully undertaken by the Technical people who are the owners of the systems, in cooperation with the critical business processes who will set the exact requirements for maximum acceptable period of disruption. When ready, put in place a thorough plan that will be used to test the plans and strategies annually and always document results properly!
How do you identify acceptable recovery time periods and resource requirements?
The ones to define these are and will always be the business owners of each critical function. Still, there is always the danger that the business owners will try to exaggerate about the necessity of the system as well as the number of critical people needed to support the recovery be it the technical or the business one. The Business Continuity Manager’s role is to be able to challenge what the owners are asking and come up with what is practical and really makes sense. There is no reason to have 1 hour recovery time objective for a system that has no real impact to the business and there is no logic to also have recovery time objective of 1 week for a business critical system at the same time. It all depends on the criticality of the service the business wants to be recovered as when you try to implement such measures, bringing the RTO down by just 1 hour might mean an investment of thousands of Euros to do so, much more than the real loss of the system’s unavailability.
Let’s talk about John now, how is a day in your life and what drives you?
A typical day would be packed with meetings with different business owners of every company within the group, responding to emails dealing with specific requirements that need to be set for each activity, lots of planning regarding the next steps and juggling around with the different Business Continuity maturity levels within the Group companies, in order to always be giving them the right information regarding their next steps. Other than that, one has to know that a day never ends for a Business Continuity Manager as there are always incoming calls, texts or emails from almost every part of the company that are either dealing with an incident or their perception is that they are having a crisis and you need to relax them, demonstrating the leadership skills needed to make ends meet.
In my case, there are always new challenges, either dealing with new incidents and crises that need to be dealt with or with actions that take the Business Continuity Management System to the next level, thinking much more creatively than most people and always thriving for excellence. I also have a future view of managing to get both Practitioners and Academics work together for a common goal: that of increased resilience. I am currently seen as an evangelist on this specific field, but it’s a huge personal driving force! For me, being the best has simply become a habit.
Let us know about your future projects
My future projects currently have to do with the certification of as many of the Group companies as we can, in order to be able to demonstrate and evidence our superiority in planning and in dealing with incidents and crises globally. This is a tough cookie of course but my vision would be to implement the same world class arrangements that we did in the mobile business to all the other companies as well, develop all the regional Business Continuity Managers in order for all of them to stand out of the crowd and teach them how to reach the same level of skills and knowledge on the subject as myself and – why not – go even further than that.
The awards I got last year from both Continuity Insurance & Risk Magazine – International CIR awards as well as the Global Business Continuity Institute awards as Highly Commended Business Continuity Manager of the year 2011, are just a stepping stone for me and a personal benchmark in order to become even better than that. Lately, I am keen on challenging and coordinating local community resilience as well, as my vision would be to try and make tomorrow’s citizens much more risk aware as it might be the only way to decrease real life incidents, crises and losses. Resilience is not only meant to be at an organizational level, it has to reach down to everyone’s home and family, in order for the future to be much more secure for all of us and I’ll continue to be giving my best in order to achieve that!
Mr. John Zeppos can be reached via : E-mail : firstname.lastname@example.org
Mobile : +30 697 9666844
Follow John on Twitter : @JZeppos