Business Continuity Planning Is Running Against The Tide In Nigeria – Philip Keshiro, MD/CEO, Disaster Recovery Institute (DRI) Nigeria



Mr Philip Keshiro is the MD/CEO and Lead Consultant for Disaster Recovery Institute (DRI) Nigeria, which is into training and certification of business continuity and disaster recovery management professionals. In this interview with Safety Record Newspaper’s News Editor, John Ogunsemore, he talks about the profession and its challenges in Nigeria. Excerpt.

May we meet you?

My name is Philip Keshiro. Our organisation is the course and examination provider for Disaster Recovery Institute International (DRI International).  DRI International is the pioneer institute recognised worldwide in Business Continuity Management course while offering other courses such as Business Continuity for Information Technology / Disaster Recovery (ITDR), Business Continuity for Auditors (with certification) Business Continuity for Risk Management Professionals. These courses give insight to the concept of managing incidents and disasters.

Going through your professional profile, one could see that you garnered vast experience across many organisations, especially in the banking sector. Why did you decide to go into business continuity or set up DRI Nigeria?

The first thing is that my professional lineage is into IT (Information Technology); IT professionals manage some form of disasters such as data loss, application downtime etc. After the bank’s merger, I was inspired to go into Business Continuity Management since 2004/2005. I have been focusing on business continuity since then.

Can you tell us what DRI Nigeria does?

What we do first of all is to provide training and certify people in business continuity. That means you register for the five-day course and on the fifth day, you sit for the certification examination. If you pass, you will be granted the right as a professional, a professional in the sense that you can now manage incidents and disasters within organisation, outside the organisation, local government, state, and even at national level. The training is rigorous but it exposes you to the nitty-gritty of what it takes to manage a disaster.

What is the proper way of handling or managing disaster?

There are three basic steps; I will try to simplify this. The three steps are the following:  Get your facts or information, Plan and do Post-planning activities. When you talk about getting your facts or information, which is also called data collection, it is to conduct a risk assessment and Business Impact Analysis. The risk assessment helps to discover threats within and outside your working environment; you also look at how vulnerable you are and the Probability of threats using areas of vulnerability to impact assets which include people.  If you are vulnerable, you better start to put in place control measures to limit the impact. Control measures are like counter-terrorism in the military, hardening of weak areas, measures to prevent hacking into networks etc.

Business Impact Analysis tells you what your response time should be. BIA is used to gather information relating to processes, requirements if processes should go down, minimum staff to work, tools required and the timing (agreed upon) for response, recovery and to return. It is a transparent process, no need to cover up because you know that it concerns saving of human lives.

With the combined knowledge of Risk Assessment and Business Impact Analysis, you can now start your planning for disaster management.  Your planning helps you to respond in a timely manner, with trained personnel and in an orderly manner.

As I said after the information gathering, you look into emergency preparedness and response; you need to think deeply looking at worst case scenario – looking at your company vis-a-vis your external environment. You identify potential emergencies that can occur, and the scenarios and impact, and you identify your response capability. Do you have the capability to respond, do you have options to mitigate impacts?  You also need to create teams to handle specific threats.

The third stage is to create awareness of those risks and threats that you have found. Create the awareness among the staff or communities as the case may be. Let them know what is prevalent in area where they live or work, and how to mitigate those risks, tell them what actions are necessary. After that, you do your test and exercise regularly, either with the locals or if you are doing a business continuity program for a company. That way, it goes into people’s psyche on how to respond. Immediately you have those problems, they respond accurately.

After that, we start to talk about communicating with the external agencies around you, before disaster occurs. You should know the name of the person you are to contact within the disaster management or within the office of the agencies; if you do not carry out Risk Assessment and Business Impact Analysis – You will be chasing after disaster, after the incident has occurred.

This process should be carried out within companies in each sector of the economy, government agencies, to Local Governments, and States and the Federal Government. This is when you can talk of preparedness and a resilient nation.

What opportunities exist for a business continuity and disaster recovery management professional?

There’s a lot of opportunity. Number one, not many people know about Business Continuity Planning (BCP). Not many. Even our cousins in safety, not many of them understand what BCP is about. And really, they should be the next person to understand BCP. BCP is an open course for Engineers, Doctors, and Health Workers, Bankers and so on; however it is for those aspiring for management position or those at management level.

We are still few; BCP knowledge can be combined with other functions. Let me say it is a new Profession.

 Is there a difference between a core safety professional and business continuity professional?

There is a difference.

But let me come in from our similarities. Every one of us is trying to prevent incidents and disasters. Why BCP is different is that we focus more on response and recovery efforts during or following a disaster. The role of disaster management is appropriate response.  You know, when safety fails, the question is why did it fail in the first place? They are naturally told to step down. That is natural response, not trying to put them down. Now for the business continuity professional, we carry out some function/s that makes us stand out – that is the Business Impact Analysis from which we derive Response Time Objective (RTO). We also have concepts and standards for managing incidents within an organisation and when incidents spreads beyond organisations, through the knowledge of Emergency Operation Centre (EOC), the Incident Command Centre (ICC), and the Unified Command Centre. These are functions or concepts that help in managing disaster occurrence on field or within an enterprise.

When there is a major disaster and you say you are a Business Continuity Professional, it means that you understand the workings of the coordination of the agencies and how they should interact. You understand the Emergency Operation Centre and how it links to the Incident Command Centre and the communication flow. If this knowledge is lacking, you have confusion at the scene of incidents.

There should also be different means of communication at the scene, between the incident command, while the Emergency Operation Centre is providing resources for those at the scene of incident.

In summary, safety does the nitty-gritty of allowing a process not to fail while a business continuity planner looks at things at the macro level; he may not necessarily be an hands-on person, like a safety professional but the BCP professional sits back and says, if there is a fire in this environment, what are the things that we need to have in place to mitigate the fire. He or she tries to think deeply and ask, yes everything is in place, BUT what happens if all these safe measures fail, what are the plans to mitigate and safe lives, looking and thinking deep into scenarios that could cause disasters.

For example, a case of vehicle falling off a bridge or suicide attempt, the Recovery Time Objective (RTO) should be 5 minutes or less. Therefore you need to train people to be able to swim / dive with appropriate equipment in all known beaches – if truly you want to save lives.  There should be a team under LASEMA known as divers’ team stationed at major beaches or highways with appropriate alert system and procedures. There are other options.

What are the requirements for undergoing business continuity training?

The beauty of it is that to become a business continuity professional is open to other professions. So, it is not about you having one core (profession). Once you are a graduate of a particular discipline, you are free to become a business continuity professional; the door is open. Nobody is excluded but one important thing that you need to have passion for human lives.

What is the cost implication of becoming a business continuity professional?

Because this is a course that is United States denominated, it may appear like the cost is on the high side. But if people are interested and they make contact, we can factor in the present economic situation and ensure that the bar is not raised so high.

How long does it take to conclude the training?

It is five-day course. After the initial training, you are expected to have appetite to increase your knowledge because the certification that you will be given is from the US – the same certification that all participants from other countries are given. For instance, I went to Malaysia to take the course. In the class, we had 19 seated from different nations.

How recognised are your certifications?

DRI has presence in over 50 countries and we have certified professionals in over 100 countries. Our classes are offered in 14 languages and we have over 16,000 professionals with current certification. The certification is recognised, even in Nigeria where many people do not know about it yet. We have trained 12 people in NEMA at two different occasions. So if NEMA sought for it for its staff, from the rank of Assistant Director upward, you’ll know it is acceptable. And it is the quality of what you get that will show you that this certification ranks as the best internationally in Business Continuity.

The number one (consideration) is this: everyone has to do the examination. Some other related BCP institutes accept our certification from DRI professionals without taking their certification exam.  They actively canvassed for DRI-trained professionals to join them without having to do their own certification exam. But we do not accept professionals from other institutes without taking our certification exams.

Why is that?

It is because of the superiority of DRI certifications and because ours is knowledge-based, and it requires that you pass the exam, whereas some other institutes are what you call membership based. Because they are membership based, they always want more people to come in. That’s why they say if you have these (DRI) certifications like ABCP, FBCP, CBCP or MBCP, come and join us. DRI believes that you should prove your knowledge, show us by taking our certification exams. That’s the difference.

What is the course format – online or physical classroom session?

Participants come in for now or we go to their offices. The examination is online, but you can also choose to write it on paper. We have that option for those who prefer physical exam.

Can organisations arrange for their staff to be trained by DRI Nigeria?

Yes, we do in-house training, or you send your staff to us.

Business continuity harps on planning but planning seems to be something hard to do in Nigeria. In light of this, do you think business continuity is a viable enterprise in Nigeria?

That’s a very good question because it is a profession that is running against the tide in Nigeria and Africa. And the name of the profession seems confusing too, because I have been to NEMA and I heard somebody say: what has BCP got to do with disaster management? So you need to sit that person down and start to explain at great length. There are times you send proposal to very top management staff and then he will look at it and say, ‘I want to make a decision on disaster management and this guy is bringing a proposal on business continuity. What is this?’

The issue is that we are trying. I have been on radio, on TV and national newspapers and I have been trying also to get to meet the LASEMA (Lagos State Emergency Management Agency) General Manager and Lagos State Safety Commission’s Director General, spent years talking to ISPON. The issue is that this is a tool they all need, even in the fight against terrorism.

It is not safety that will help you when you talk of kidnapping in schools. It can work to a certain extent but what you need is a Business Continuity Plan for schools and universities. If you go on the internet and search for ‘business continuity and schools’, you will find a whole lot of materials. Meanwhile, those that are in charge seem not to understand that this is the main tool that they need in order to mitigate and even reduce disaster within the country. So, BCP is running against the tide in Nigeria.

In Malaysia, which is more prone to natural disasters, in a BCP class, you can have about 20 participants. In Nigeria, it will take a lot of time and energy to have five (5) participants. When I did my own training, the cost was US$2,550. Imagine having 20 people in a class despite the cost. The issue is that not many of those at the heads of disaster management in Nigeria understand Business Continuity Planning. So to get to them and for them to understand and agree with you, you need to meet them four or seven times which could take you three or four months for just one client. So, it is a lot of work in Nigeria, it is like going against the trend or tide.

I have been in this since 2005 and I have encountered a lot of obstacles but all that I know is that this BCP will sell. The banks have started asking for BCP but it is not just about the banks; it is about  SEMAs and NEMA having the understanding of what BCP is all about so that it can be used as a tool to help in response and in making sure that the states are resilient. People are doing BCP for the sake of regulatory authorities but if SEMAs (LASEMA) understands it very well, it will greatly improve their ability to plan and reduce incidents turning into disasters.

Look, for example, banks or organisations that are in 10 to 25-storey buildings or more. If there is fire on the third floor, how do people on the tenth floor above come down? Nobody is looking at that and that is a potential disaster waiting to happen. It has happened in Great Nigeria (House, Lagos in November 2013). That was a bit fair because it happened in the morning (around 5.00am). What about the one that could happen at 11am, 12noon or 3pm when everyone is seated?

A fire outbreak on the third floor would cause panic; it is not about safety at this point but responding and executing all mitigating options that are in place. Unfortunately the company may not have any mitigating options in place. This is an area that government and agencies should critically think about. It will be difficult without the knowledge of BCP.

The present NIGERIAN PANDEMIC RESPONSE PLAN has Business Continuity Planning mentioned 43 times, yet implementation across the required segment of the economy is nothing to write home. That is why I sometimes say we are sitting on a keg of gunpowder if we have serious disaster or real pandemic.

Check out on the Internet, World Conference on Disaster Management – the yearly agenda has about 80% BCP related topics. When you compare, 90% of people handling disasters in the country do not know or have not heard about BCP.  That is the issue.

We are swimming against the tide, trying to impart this critical knowledge to save lives.