1 Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems 9 April, 2008
2 2 Presentation content Drivers for Business Continuity Standards and definitions. BCMS. model and implementation. Assessment and certification process. Training. Benefits of BCMS.
3 3 Drivers for BS and BCM More business continuity awareness Civil contingencies / Homeland security Corporate governance & compliance Protection of corporate value and reputation Supply chain & outsourcing confidence Commitments to customers Duty of care to stakeholders Protect the interests of shareholders Give confidence to insurers
4 Source: Business Continuity Management
5 5 Increased awareness in BCM BCM seen as part of overall Risk Management profile. Recognition that it can help reduce business interruptions. Can add value to the business by identifying opportunities for improvement Should be integrated across all business functions; should not be seen as an IT specialty. Better understanding of business benefits among increasing numbers of organizations.
6 6 BS committee profile Committee Profile: 33 people Businesses (Cable & Wireless, Sainsbury's, Siemens, RBS, Thames Water, Scottish Power, AON, Marsh, KPMG, Deloitte) Institutes & Associations (CBI, IOD, FSB, Software & IT, IEM) Academic (Coventry University) Government (DTI, FSA, Civil Contingencies, ALARM) ABCB is represented on the committee Robert Whitcher (BSI Management Systems)
7 7 Early interest in BS Draft for public comment (DPC) Published August, 2006 Over 5,000 copies were downloaded (a record) other similar standards had less than 250 Over 70 set of comments About 300 pages of comments mostly positive
8 8 BS :2006 Code of practice for business continuity management Establishes the BCM processes, principles and terminology Provides a basis for understanding, developing and implementing business continuity within organizations of any size or from any sector Provides a comprehensive methodology based on BCM best practice and the whole BCM lifecycle Business driven
9 9 BS Code of practice contents 1 Scope and applicability 2 Terms and definitions 3 Overview of business continuity management (BCM) 4 The Business Continuity Management policy 5 BCM Programme Management 6 Understanding the organization 7 Determining business continuity strategy 8 Developing and implementing a BCM response 9 Exercising, maintaining and reviewing BCM arrangements 10 Embedding BCM in the organization's culture
10 10 BS Code of practice contents 1 Scope and applicability 2 Terms and definitions 3 Overview of business continuity management (BCM) 4 The Business Continuity Management policy 5 BCM Programme Management 6 Understanding the organization 7 Determining business continuity strategy 8 Developing and implementing a BCM response 9 Exercising, maintaining and reviewing BCM arrangements 10 Embedding BCM in the organization's culture
11 BS :2007 Requirements for business continuity management Establishes requirements for there to be a BCM system of policy and processes. Understanding the organization Determining strategy Implementing a response Exercising and reviewing Making sure there is a cultural awareness of BCM in the organization.
12 BS Development Timeline 12
13 13 What is Business Continuity Management? 2.4 business continuity management (BCM) holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities NOTE: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure the business continuity plans) stays current and up-to-date. Source: BS
14 14 Incident timeline Incident! Overall recovery objective: Back-to-normal as quickly as possible Timeline Within minutes to hours: Staff and visitors accounted for, casualties dealt with, damage containment / limitation, damage assessment, Invocation of BCP Incident response Within minutes to days: Contact staff, customers, suppliers, etc. Recovery of critical business processes Rebuild lost work-in-progress Business Continuity Within weeks to months: Damage repair / replacement Relocation to permanent place of work Recovery of costs from insurers Recovery / resumption back-to-normal
15 Look at the BIG picture..
16 BCM Model
17 Assessment and certification process
18 Gap analysis/pre-assessment (optional) Informal check, relationship building, discussing scope. Stage 1 Audit Review of documents and records Stage 2 Audit Confirm that the organisation adheres to its own policies, objectives and procedures. Testing and evaluation. Continual Assesment Visits (CAV's) Ongoing reviews
19 Training Awareness of BCM 1 day Implementing BS Course 2 day BS Internal Auditor Course 3 day BS Lead Auditor Course 5 day
20 Benefits of BS Provides a common framework, based on international best practice, to manage business continuity Proactively improves your resilience when faced with disruptions to your ability to achieve key objectives Provides a rehearsed method of restoring your ability to supply critical products and services to an agreed level and timeframe following a disruption Delivers a proven response for managing a disruption
21 Benefits of BS Helps protect and enhance your reputation and brand Opens new markets and helps you win new business Enables a clearer understanding of how your entire organization works which can identify opportunities for improvement Demonstrates that applicable laws and regulations are being observed Creates an opportunity to reduce the burden of internal and external BCM audits and may reduce business interruption insurance premiums
22 The likelihood of something very unlikely happening, is very likely! If you think business continuity is expensive, try having an incident! You can t predict the incident, but you can predict the outcome.
BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
ITIL glossary and abbreviations English This glossary may be freely downloaded. See www.itil-officialsite.com/internationalactivities/itilglossaries.aspx for details of licence terms. 1 Acknowledgements
What Every Director Should Know How to get the most from your internal audit Endorsed by Foreword This is the second edition of our flagship governance guide What every director should know. Since we published
ISO 9001 It s in the detail Your implementation guide ISO 9001 - Quality Management Background ISO 9001 is the world s most popular quality management system standard and is all about keeping customers
Audit Manual PART TWO SYSTEM BASED AUDIT Table of content 1. Introduction...3 2. Systems based audit...4 2.1. Preparing for & planning the audit assignment...5 2.2. Ascertaining and recording the system...7
The Auditor-General Audit Report No.49 2013 14 Performance Audit Australian Crime Commission Geoscience Australia Royal Australian Mint Australian National Audit Office Commonwealth of Australia 2014 ISSN
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
Practice Guide Reliance by Internal Audit on Other Assurance Providers DECEMBER 2011 Table of Contents Executive Summary... 1 Introduction... 1 Principles for Relying on the Work of Internal or External
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
Good Governance Practices Guideline for Managing Health and Safety Risks The board and directors are best placed to ensure that the company effectively manages health and safety. They should provide the
Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
INTOSAI GOV 9150 The International Standards of Supreme Audit Institutions, ISSAIs, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org
This image cannot currently be displayed. D-G4-L4-241 Predictive analytics (software as service) Deloitte LLP Service for G-Cloud IV September 2013 Contents 1 Service Overview 1 2 Detailed Service Description
Guidelines for smart phones, tablets and other mobile devices Summary Smart phones, tablets and other similar mobile devices are being used increasingly both privately and in organisations. Another emerging
1 Develop productive working relationships with colleagues Unit Summary What is the unit about? This unit is about developing working relationships with colleagues, within your own organisation and within
Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including
EMPLOYING BUSINESS IMPROVEMENT TECHNIQUES TO IMPROVE PERFORMANCE AND REDUCE RISK IN SERVICES OUTSOURCING Ronan McIvor EMPLOYING BUSINESS IMPROVEMENT TECHNIQUES TO IMPROVE PERFORMANCE AND REDUCE RISK IN
WHITE PAPER Cybersecurity in Modern Critical Infrastructure Environments SECURE-ICS Be in Control Securing Industrial Automation & Control Systems This document is part of CGI s SECURE-ICS family of cyber
Fraud Control in Australian Government Entities Better Practice Guide March 2011 This Better Practice Guide was prepared by the Australian National Audit Office and KPMG. ISBN No. 0 642 81180 6 Commonwealth
manufacturing service small business nonprofit government education health care Baldrige Excellence Builder Key questions for improving your organization s performance Improve Your Performance The Baldrige
State Mitigation Plan Review Guide Released March 2015 Effective March 2016 FP 302-094-2 This page is intentionally blank. Table of Contents List of Acronyms and Abbreviations... iii SECTION 1: INTRODUCTION...
Departm 2007 10 C o r p o r at e p l a n adding value to public sector performance and accountability Commonwealth of Australia 2007 ISBN 0 642 80955 0 This work is copyright. Apart from any use permitted