BUSINESS RESILIENCE READY OR NOT

Transcription

1 BUSINESS RESILIENCE READY OR NOT EDC Whitepaper 2014

2 Table of Contents Executive Summary 2 Need for Effective BCM 2 Government requirements for BCM 4 The Challenge - Disasters and Threats 4 Pandemic and biological threats 4 Natural Disasters 5 Other threats 5 The Global Experience 6 Current State of BCM - Australia 7 Plans in place but not comprehensive 7 Crisis Management 7 Business Continuity Management a wise investment! 7 Business Resilience 8 Bridge the gap 8 BCM Culture 8 Organisational Trends for Business Resilience 8 Solution - Focus your BCM Investment 9 Outsourcing or contracting the services of BCM to specialists 11 Benefits of Outsourcing 11 Summary 12 EDC - End To End Solutions for Disaster Recovery and Business Continuity 13 Page 01

3 Executive Summary A survey was undertaken by Victorian Government with analysis by Enterprise Data Corporation (EDC) a leading BCM provider. This exercise benchmarked the current state of business resilience and business continuity within government departments against global good practice, based on a comprehensive survey of Victorian State Departments. The results indicated there are several areas where government departments have adopted principles of good practice business continuity in managing business resilience. However, there were also areas of concern, especially given the increased demand on power and also power failures both on a global scale and within Australia. This increased demand for power, combined with a spiralling increase in natural disasters, has made business resilience one of the top 10 risks faced by company boards and government executive management. Risks that result from disasters are often interrelated, requiring 360 degree visibility and accountability on an enterprise-wide scale, calling for a fully integrated disaster recovery and business continuity management plan. The need to manage these risks and ensure business continuity in a proactive manner using real-time analysis of current data as disaster events unfold has called for the wider and greater use of technology. Dependencies on supply-chain and interdependencies between organisations and departments are highlighted within this study as a growing concern, with management of the entire supply chain becoming increasingly critical. Most of the 38 countries used as benchmarks have embedded business continuity and resilience planning within corporate planning to support the delivery of organisational objectives. Like risk management, BCM is everyone s responsibility. Each and every employee has a part to play in the continued success of the organisation. Need for Effective BCM In this current environment, the need for effective Business Continuity Management (BCM) is so top of mind that it is no longer a nice to have but an integral part of the risk management framework within an organisation. Effective BCM relies on the expertise from within the organisation. It is the people that understand the organisation, its business, processes and business interruption risks, and it is the people that you rely on to resume operations quickly. However, it is not assumed that everyone is an expert in the field of BCM but it is expected that everyone has an accepted risk management and business continuity management framework in place. Page 02

4 With this in mind, it is important to validate that there is an understanding across an organisation of the maximum time the business can survive without key business functions before the Business Continuity Plan / Program (BCP) must be initiated and recovery procedures must commence. In the business continuity management process, it is important to consider what plans are already in place, so effort is not wasted. Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities. However, preventative controls and other proactive treatments are no guarantee that risk events will not occur, that is, they cannot entirely eliminate their likelihood of occurrence. Therefore, for effective risk management, it is equally important that organisations design controls that are implemented once a risk event has occurred. For effective business continuity management organisations need to view being prepared as addressing not if something should happen but when it does, what should we do. The primary output from the business continuity management process is the BCP. The BCP comprises many elements, which collectively define the approach to dealing with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions. Page 03

5 Government requirements for BCM Fundamentally, BCM in government ensures that essential functions can continue during and after a disaster. This includes the prevention of mission critical service interruptions, and the ability to re-establish full functionality as quickly as possible. According to the Australian Government Attorney-General's Department, there is a mandatory requirement for government agencies to establish a business continuity management (BCM) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment. Agencies must: Develop a governance structure establishing authorities and responsibilities for a BCM program, and for the development and approval of business continuity plans; Within the context of the identification of assets, undertake impact analysis to identify and prioritise the agency s critical services and assets, including identifying and prioritising information exchanges provided by, or to other agencies or external parties; Develop plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment; Undertake activities to monitor the agency s level of overall preparedness; and Make provision for the continuous review, testing and audit of business continuity plans. The Challenge - Disasters and Threats There is a variety of emergency situations that require BCM throughout federal, state and local governments. Emergency situations prompted by natural disasters have the potential to cause widespread impact on organisations and government agencies supporting the public, due to the immediate threat of loss. However, other threats also need to be considered. Pandemic and biological threats A pandemic is an epidemic of infectious disease that spreads through human populations across a large region; for example across multiple continents, or even globally. Examples are 2009 H1N1 Flu (sometimes called swine flu ), Avian influenza and Severe Acute Respiratory Syndrome (SARS). Biological threats are diseases that impact humans and animals, for example plague, smallpox, Anthrax, West Nile Virus, Foot and Mouth Disease. Natural Disasters According to the Australian Bureau of Meteorology and World Meteorological Organization, Australia is located in one of the most vulnerable regions of the world for natural disasters, including drought, tropical cyclones, tsunamis, floods and bushfires. Australian Government Attorney General s Office, Protective Security Policy Framework, Section 5.11: rk/5governance/pages/511businesscontinuitymanagem ent.asp Page 04

6 These threats can have a catastrophic impact on normal business operations, as they are extreme and occur quickly and without a lot of warning. Recent examples are the 2009 Victorian bushfires, 2011 Queensland floods and Tropical Cyclone Yasi. Other threats The final categories of emergency situations are human-caused events and intentional terrorist activities. In the last decade more attention has been placed on the latter, owing to the rise of anti-terrorism measures following the 2001 September 11 attack on the World Trade Centre and the fact that extremist groups have far-reaching effects on a government s ability to continue daily operations. However, Australian terrorist activity most recently has focused on Australian nationals travelling outside Australia. Examples include 2002 Bali Bombing and the 2004 Australian embassy bombing, also in Indonesia, although there has since been many people convicted of planning a terrorist attack, including the Holsworthy Barracks terror plot (2009), Benbrika Group in Melbourne (2008) and Sydney Five (2005). More likely to cause damage and disrupt business continuity are events related to human-caused accidents, such as hazardous material spills or release, explosions or fire, transportation accidents, building structure collapse, energy/power/utility failure, fuel/resource shortages, air/water pollution, contamination, water control structure/dam failure, financial issues, economic depression, inflation, financial system collapse and communications systems interruptions. If any of the above were to occur the effect on government would be a denial of service to the users of the services. As each government agency increasingly relies upon sophisticated systems to supply information needed to perform their operations they are increasingly faced with new and unique vulnerabilities. Page 05

7 The Global Experience Key findings from the survey across 35 countries and 15 industry sectors indicated that more than 90% of the global organisations demonstrated an increase of events causing business disruptions in several key areas: Adverse weather was the main cause of disruption around the world, with 53% citing it, up from 29% last year. Unplanned IT and telecommunication outages was the second most likely disruption and the failure of service provision by outsourcers was third, up to 35% from 20% in These incidents led to a loss of productivity for over half of businesses. 49% estimated that the cost to their business of supply chain incidents in the last 12 months was between $10,000 and $500,000, with a further 10% reporting a cost of $500,000 or more. The average number of identified supply chain risks in the past 12 months was 5, with some organisations reporting over % admitted they had suffered damage to their brand or reputation as a result of these disruptions. The survey also indicated some positive trends within the surveyed organisations making moves towards business resilience. In particular, it found that 50% of government departments have tried to optimise their businesses through outsourcing, consolidating suppliers, adopting Just-In-Time (JIT), or lean manufacturing techniques. Where businesses have shifted production to low cost countries they are significantly more likely to experience supply chain disruptions, with 83% experiencing disruption. The main causes were transport networks and supplier insolvency. Only 7% had been fully successful in ensuring suppliers adopted BCM practices to meet their needs, with nearly a quarter not taking this step. Even when suppliers were regarded as key to their business, nearly half of respondents had not checked or validated their supplier s business continuity plans. 24 hours is the typical period within which businesses look to recover critical activities, since sustained disruption beyond this period will cause significant economic and service delivery problems in many sectors. Very few organisations plan for disruption lasting longer than one week. Although only a number of organisations faced sustainability disruption issues - defined in the report as environmental, health and safety or business ethics - those exposed to such risks fared badly when problems did arise, with much higher levels of adverse media coverage and brand damage with 37% admitting that they had suffered damage to their brand or reputation. Page 06

8 Current State of BCM - Australia In the current environment, the need for effective and practical BCM needs to be top of mind, requiring involvement from the Board, the CEO and Executive to set the tone at the top and then have employees aligned in the commitment to effective BCM. 67.2% of Australian respondents have direct involvement at the executive, director or board level, which compared favourably against the global benchmark, where direct board involvement has increased from 43% in 2009 to 72% in In several areas, organisations have adopted the principles of good practice business continuity management in managing business resilience through a combination of factors that include: Increased board awareness; Focus on enterprise-wide risk management; Proactively budgeting for business resilience as a strategic objective to ensure that the enterprise s strategic objectives are met; and Managing business resilience holistically including the need for secure data centres, secure business continuity seats and infrastructure including making use of the latest technologies to ensure the robustness of organisations and enterprises alike. Plans in place but not comprehensive While there is an increased focus on enterprise-wide risk management, it is not yet comprehensive. 58% of respondents stated that where Business Continuity Plans / Programs (BCP) have been developed, the plan is organisational wide. There are already some parts of the BCP that organisations have in place as part of its normal business operations, including: Increased board awareness; Focus on enterprise-wide risk management; Proactively budgeting for business resilience as a strategic objective to ensure that the enterprise s strategic objectives are met; and Managing business resilience holistically including the need for secure data centres, secure business continuity seats and infrastructure including making use of the latest technologies to ensure the robustness of organisations and enterprises alike. However, these alone do not constitute a complete BCP, but are important elements of a robust continuity plan. Crisis Management 35% of respondents stated that the organisation has a clearly articulated and current Crisis Management Plan. Business Continuity Management a wise investment! 66% of respondents indicated that organisation wide BCM activities is well supported by senior management commitment and is an established priority for the organisation. Page 07

9 Business Resilience For the most recent business interruption, recovery objectives were completely met by 48% of respondents and service levels were completely maintained by 47% of respondents. Bridge the gap BCM is NOT just part of the IT department s responsibilities. It is imperative that an organisation works together to bridge the gap between IT and other departments when it comes to business continuity. BCM Culture It is critical to ensure that BCM practices address the human element of disasters. Organisations must understand the risks related to employee resiliency that could arise in a crisis and provide a framework for addressing them. Organisational Trends for Business Resilience As a leader in the field of Business Continuity Management EDC has identified three management imperatives for tomorrow s leading organisations and governments: 1. Risk leadership 2. Knowledge leadership 3. Technology exploration Mastering and developing good practices in each area will be the key to sustaining a competitive edge and attaining long-term strategic goals. These three imperative of risk leadership, knowledge leadership and technology efficiency are interlinked and mutually supportive. Three new imperatives for high performing organisations Certainty of Objectives Risk Leadership Organisation Excellence Innovation and Strategy Business Resilience Knowledge Leadership Technology Efficiency Business Resilience Page 08

10 With the recent global events of earthquakes, floods and other natural disasters, organisations and governments priorities are quickly changing to being better prepared. These emerging priorities are based on war time modes of simplicity, as opposed to peace time due diligence. This trend is also driving simplicity and integration between governance, risk and compliance (GRC) and BCM. It s no longer a matter of what if something happens, but more when it happens, what do we do? This means organisations and departments will need to take GRC and BCM to a higher level, which EDC terms Business Resilience. Solution - Focus your BCM Investment Make sure that the people involved in BCM within your organisation are given the time, authority, accountability and support to put your own system in place. The goal is to have BCM become part your business routine. This can be done by implementing a tailored and effective BCM structure for your organisation. Appoint a Business Continuity Management Manager at senior management level who has overall responsibility for BCM and is directly accountable for ensuring the continued success of this capability and for making sure adequate funding is available. Appoint a Business Continuity Management Steering Committee. Creating a Steering Committee where management, staff and other interested parties meet regularly to discuss and sort out BCM issues. Issues could include: Estimating your funding requirements and spending the budget; Developing BCM policy and strategy; Coordinating and overseeing the Business Impact Analysis process; Ensuring effective input from staff; Coordinating and overseeing the development of plans and arrangements for business continuity; Establishing, where necessary, working groups and teams and defining their responsibilities; and Coordinating training; and providing for the regular review, testing and auditing of BCM system. Appoint BCM champions within the business, across the different departments, functions or locations depending on the size, scale and complexity of your business. These champions should be actively involved in encouraging compliance and getting staff feedback, in terms of constructive criticism and suggestions for improvement. Appoint an Incident Response Team. Their duties should involve invoking and executing the Business Continuity Management Plan in response to a major disruption. Provide administrative support. Encourage CIOs to work with the Business Continuity Management Steering Committee and IT specialists to plan for the effective recovery and restoration of IT services. This appointment depends on the size and nature of your IT requirements. Page 09

11 Appoint specialist service providers. Not all of the resources you need to respond to a disruption are necessarily available in-house. For example: Data recovery and back-up IT facilities Emergency telecommunications Cleaning and restoration Document restoration Salvage and decontamination Building and facilities Counselling Security Public relations Your plans should identify where and how these resources can be obtained. It is a good idea to make your arrangements in advance of any disruption. In this way, you will be contractually protected against their inability to deliver their service in a disaster situation. Integrate the roles, accountabilities, responsibilities and authorities into their job descriptions and into your company's appraisal, reward and recognition policy. Your company's audit process should review these responsibilities to make sure they address all the various aspects of the Business Continuity Management Plan and that they reflect any changes within your company's structure or business activities. The process of assigning responsibilities raises important considerations in determining a person's level of competency: To be effective people tasked with overseeing or implementing BCM or in the invocation of the Business Continuity Management Plan in response to a disruption must be competent in carrying out their duties. You need to: Determine what competencies exist within your company and what training is needed; Provide training; Evaluate the effectiveness of the training provided; Keep records of a person's experience, training and qualifications; and Give your team latest Business Resilience tools and technologies to automate the process to help them decipher data to into information that will speed the prevention and recovery process. The real-benefit of BCM is that it focuses your attention on identifying and protecting business key activities and then planning and rehearsing your response to a disruption of services. If you have the specialist do this work for you, you will have lost this benefit and will undermine your position to deal with an emergency because you will be unfamiliar with the Business Continuity Management Plan. It is vital your organisation builds up in-house BCM expertise. Firstly, so that you can effectively respond to a disruption, and secondly, so you can adapt your BCM program to deal with any changes in business processes, staff, equipment and so on. BCM tools like ReadiNow bring increased expertise to both new and expert managers of the Business Resilience process. Page 10

12 Outsourcing or contracting the services of BCM to specialists Specialists can provide extremely useful help in each of the stages of developing and implementing your BCM program. Satisfy yourself as to the company's credentials and their industry background before appointing a BCM provider. For example: How long has the company been providing specialist BCM services? Does the BCM service provider have a bias towards or dependence on vendor, technology or service solution? Does the service provider offer crisis management services and provide proactive support during a disaster? Does the service provider offer end to end business continuity solutions for the recovery of data, voice and people accommodation in the same location? Benefits of Outsourcing Companies like EDC have access to years of experience in handling real live disasters for leading organisations from: Implementation; Responding to emergencies; Recovery of critical business functions; Restoration of resources and assets; and Resumption of business to normal operations. EDC has the necessary experience and expertise to help you through the readiness phase to unsure minimal downtime in the event of an unexpected disruption or disaster to your business. The benefits of outsourcing your BCM requirements include: Access to a one stop end-to-end solution; Industry proven track record assures peace of mind; A single point of contact and accountability to reduce the complexity of your business continuity environment, manage your systems, and protect your investments; Nationwide support with 24 hour help desk providing access for disaster notification; and Account management services tailored to meet your unique needs with flexibility as your operations and technology change. Page 11

13 Summary Every day across the globe, business continuity-related events are taking place. Simply reading news headlines, several questions come to mind, for example: - How could this apply to your organisation? - Will your organisation survive such an event? - How will you be able to respond to such a disaster? - Are you armed with the right knowledge and tools? The survey results, benchmarked against global organisations, show we still have a tough journey ahead. It is a challenge we have to and will embrace. An effective business continuity management program is vital and fundamental to increasing business performance. It is important for people in organisations to know of the advances business continuity management has made in recent years. EDC s analysis illustrates that although government departments are moving in the right direction, we need to do more if we want to align to the global benchmark for business resilience in the future. This is an era where governments globally fail, electricity has become a scarce commodity, large scale natural disasters are on the increase, corporations and governments collapse overnight not only for political reasons but for failing to be resilient against all risks, financial, legal, political, supply-chain management and not the least of all, the environment. EDC - End To End Solutions for Disaster Recovery and Business Continuity EDC is a leading business continuity and disaster recovery specialist. As a result of many years of experience in handling real live disasters for leading organisations from: Implementation; Responding to emergencies; Recovery of critical business functions; Restoration of resources and assets; and Resumption of business to normal operations. As a result, EDC has the necessary experience and expertise to help clients through the readiness phase to unsure minimal downtime in the event of an unexpected disruption or disaster to their business. We specialise in highly-customised turn-key business continuity and recovery solutions. Page 12

14 Benefits of EDC's business continuity solutions: One stop end-to-end solution; Industry proven track record assures peace of mind; A single point of contact and accountability to reduce the complexity of your business continuity environment, manage your systems, and protect your investments; Nationwide support with 24 hour help desk providing access for disaster notification; and Account management services tailored to meet your own unique business needs with flexibility as your business grows and technology changes. For an on-site presentation of our approach and deliverables, please contact us on Copyright Enterprise Data Corporation 2014 Enterprise Data Corporation Norwest Business Park Baulkham Hills, NSW 2153 Australia Produced in Australia All Rights Reserved EDC and the EDC logo are trademarks of Enterprise Data Corporation in Australia, other countries or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to EDC products and services do not imply that EDC intends to make them available in all countries in which EDC operates. Page 13