The Business of Continuity

Transcription

1 The Business of Continuity The loss of, or serious disruption to, any critical process, function or system can have a significant impact on an organisation; in some cases threatening its very survival. Business continuity management and information security management are concerned with assessing and addressing risks to the business and its supporting infrastructure. They are the means by which a strategy is developed, implemented and maintained, to ensure an organisation is capable of responding to, coping with and recovering from major security breaches and disruptions to normal operations. They involve the implementation of risk management strategies to avoid major incidents or crises occurring, and recovery strategies to ensure that, if the worst does happen, an organisation is capable of an effective response and recovery. Business continuity management and information security management are about protecting all critical parts of the business. The overriding objective is to ensure that an organisation can provide an acceptable level of service to all stakeholders, including customers and other business partners, regardless of any disruptive events or incidents that might occur. Achieving this at reasonable cost and within reasonable timescales are key requirements. for independence Our independence means we are not tied to a single methodology and enables us to offer truly impartial advice. acumen ak ū-men, n. the ability to judge well; insight. [from Latin: sharpness, from acuere to sharpen, from acus needle] for experience Our consultants have a wealth of practical, real-life experience in helping organisations plan and prepare to respond to and recover from disruptive incidents. for service Project management Scoping exercise Information security review Plan health check/capability review Business impact analysis Risk analysis Dependency modelling Emergency response planning and crisis management Strategy development/implementation of solutions Plan development Exercising and testing Training and awareness Review, maintenance and continuous improvement Crisis media communications for excellence Our innovative style is based upon a sound working knowledge of industry best practice and a partnership approach with our clients. Acumen has the skills and experience to assist companies to produce effective and workable business continuity and IT recovery plans.

2 Company Profile Formed in 1997, Acumen Business Services Ltd specialises in the provision of independent business continuity management, risk management and information security management consultancy services. Acumen has provided consultancy support to a number of well-known organisations, across a wide range of industry types, including insurance, financial services, manufacturing, distribution, pharmaceutical, petrochemical, retail, local government, publishing, education, transport, housing, utilities and IT services. In addition to our own direct client list we are regularly involved with some of the UK s leading providers of business continuity and IT recovery services in managing and participating in projects for their clients. Our managing consultants are either Fellows or Members of the Business Continuity Institute and have a wealth of practical experience in business continuity and IT recovery planning. We are actively involved in supporting the ongoing business continuity management programmes of a number of major organisations. Acumen s philosophy is one of capability-based planning, whereby we aim to develop and enhance the client s business continuity capability rather than merely providing a business continuity plan. To this end, Acumen s style is to work closely with our clients as part of their business continuity management team, with the emphasis on working with rather than for them. We believe that we adopt an innovative approach that is based upon a sound working knowledge of industry best practice. Being independent enables us to offer truly impartial advice based upon over twelve years of business continuity management involvement backed by invaluable practical experience. We are not tied to a particular working methodology and prefer a partnership approach. This approach has proved successful in a number of assignments, where a close working relationship has been a contributing factor in the successful implementation of the client s business continuity objectives. Acumen has the skills and experience to assist our clients in producing effective and workable business continuity plans. Scoping Exercise Organisations embarking on a business continuity project for the first time are often unclear as to what the project should involve. Where this is the case, it is beneficial to conduct a scoping exercise, to determine the full extent of the work that needs to be carried out. A scoping exercise, conducted by experienced Acumen consultants, involves interviews with key personnel and analysis of relevant documentation to: Determine the existing level of business continuity capability; Assess the level of business continuity awareness within the organisation; Identify the steps required to implement an appropriate business continuity programme; Estimate project timescales and resource requirements (internal and external); Identify budget costs; Provide an outline project plan. On completion of the review a report is produced, which includes the above findings and recommendations. A scoping exercise will help to ensure that your business continuity programme is appropriate to the needs of the organisation, and will help get the project off to the right start.

3 Business Continuity Health Check/Capability Review For clients who have already developed and implemented business continuity plans it can be extremely useful to obtain a fresh perspective from someone not connected with the organisation. Often, the responsibility for plan development is given to someone who does not have in-depth experience of business continuity management. An assessment of the plans against industry best practice will confirm whether all key considerations have been addressed. A plan health check and capability review, carried out by experienced Acumen consultants, enables you to have confidence in the viability of your plans and will highlight any areas for improvement. It will clarify whether your plans meet, or how they fall short of, business requirements. The study, which is tailored to the specific requirements of the client, includes interviews with key personnel and analysis of the plan documents. It will typically include a review of: The business continuity policy and strategy; Underlying recovery solutions; Your ability to meet the stated recovery time and recovery point objectives; The crisis/incident management framework; The business continuity plan structure, format and content; Staff awareness and training; Change management and plan updates. On completion of the review a report is produced, which includes observations and recommendations. The likelihood is that you will have invested a significant amount of time and money in the development of your plans. The Health Check and Capability Review can give you confidence that your investment has been worthwhile.

4 Business Impact Analysis To enable an appropriate and cost-effective business continuity strategy to be developed, an organisation needs to know, in measurable terms, just what impact an interruption would have on the business. The following questions, therefore, need to be answered: How much will the business lose, or how much additional expense will accrue, if the business is disrupted for varying periods of time? What reputational impact will a disruption have on the business? How much disruption to other areas of the business will occur? How quickly do the critical business functions need to be recovered following an interruption? How much data loss can the organisation tolerate? Conducting a formal business impact analysis (BIA) will provide this crucial information, and assist in the identification and justification of an appropriate business continuity strategy. The BIA is a study which identifies critical business functions and systems and the impacts on the business (financial, operational and regulatory) which would result if those functions or systems were unavailable. Impacts are measured in both quantitative (financial) and qualitative (e.g. reputation) terms. To be effective, the BIA has to be an interactive process involving input from key management groups. Project Initiation Business function rep s identified Questionnaires tailored Presentations, etc scheduled Kick-off & impacts workshop Participants briefed Impacts identified RTOs set Questionnaires distributed Recovery req ts interviews Structured interviews Questionnaires discussed/completed Follow-up meetings Issues resolved Analysis Findings collated and analysed Concurrence Draft findings presented/discussed Working group approval Report & presentation Draft report produced Feedback/updates Final report issued On completion of the process a detailed report is delivered which includes an analysis of the organisation's business functions and critical systems, an outline of the client's financial and operational exposure, a recommended recovery strategy and a summary of recovery requirements. The BIA provides senior management with the information necessary to enable them to make informed decisions on business continuity management strategies, and is an essential first step in the business continuity management project.

5 Risk Analysis All businesses are constantly faced with a number of risks, from fires and floods to commercial risks such as negative cash flow, loss of a major client or litigation. Significant risks have the potential to seriously affect an organisation s business continuity. It is therefore important to understand the probability and potential impact of a particular risk materialising, so that priority can be given to mitigating the significant risks. A risk analysis will identify particular threats and vulnerabilities to the business and its support facilities and recommend risk reduction measures that can be implemented to mitigate them. The analysis is based on a site survey and discussions with key business and support facility managers. The resulting report will include a list of vulnerabilities together with risk reduction options. X Y Z Risk* Classification* Probability* Impact* Rating* Countermeasures** * Classification, based on probability and impact (eg High/Medium/Low, Red/Amber/Green, 1/2/3, etc), indicating significance of each risk to the organisation ** Risk mitigation measures to be considered The risk analysis, in conjunction with the business impact analysis, enables senior management to make informed decisions regarding the business continuity strategies that are appropriate for the organisation. Emergency Response and Crisis/Incident Management Planning The Emergency Response and Crisis Management structures that will come into play at-time-of-disaster are likely to be very different from your normal, day-to-day organisational structure. Decisions will have to be made quickly under unfamiliar and extremely stressful conditions. It is essential that there is a Crisis or Incident Management Team framework in place that can manage the overall recovery process effectively. The Home Office recommends a 3-tiered approach to Emergency Response and Incident Management, and this structure is used by the emergency services. Strategic (Gold) Strategic co-ordinating group Authority to make executive decisions Focus for high-level communication (eg Gov't) Based away from scene of incident Imposes control Reports status Tactical (Silver) Overall general management Prioritises allocation of resources Plans and co-ordinates tasks Based at or near to scene of incident Imposes control Reports status Operational (Bronze) Assesses extent of problem Performs tasks within own area of responsibility Operates at incident/recovery location(s)

6 An example of this structure applied to an organisation s business continuity plans follows: Strategic Executive Management Team (EMT) MAIN DUTIES Policy decisions Strategic direction High level liaison Tactical Incident Management Team (IMT) MAIN DUTIES Damage assessment Incident management Recovery support Operational Infrastructure Recovery Team (IRT) Business Recovery Teams (BRTs) MAIN DUTIES Facilities restoration IT & network recovery Salvage MAIN DUTIES Business recovery It is essential that the personnel nominated to make up these teams are fully aware of the structure that will apply in an emergency and of their own roles and responsibilities within that structure. Training and exercising, therefore, form an important part of the construction of the teams. Acumen s experienced consultants can provide advice and guidance with the formation of the Crisis Management and Recovery Teams; address the training needs of the various team members; and assist with the production, maintenance and exercising of the associated plans. Crisis Media Communications Effective management of the media is a crucial element of effective crisis or incident management, which requires careful planning and particular skills. Successful management of a crisis is not only about taking the appropriate actions to remedy the situation, it is also about being seen to be taking them and being heard to say the right things. In other words, your stakeholders perception of your crisis management capability is their reality. And the best business or technical recovery plans in the world may come to nothing if that perception is not managed effectively. Unfortunately, history is littered with the casualties of poor crisis media communications. A robust and positive public relations policy is therefore a key part of your crisis management capability. And it is essential that your nominated media spokespeople are sufficiently trained and practised in the role. But it is also important that your planning efforts are not restricted to your senior spokespeople, as experience has shown that managers and front-line personnel on the ground are likely to be the first target for the media.

7 Acumen s specialist media consultants, all of whom have previously worked as journalists and therefore have first hand experience of how the media operates, can offer expert advice, guidance and training to ensure that your key people are ready to face anything the media may throw at them. This includes: Basic media awareness training for those who may come into contact with the media or be tasked with assisting media communications planning Crisis media training, including mock interviews and news conferences One-to-one (or small group) training and mentoring for media spokespeople Media focussed crisis/incident management exercises Business Continuity Plan Development Your business continuity programme should address the following four elements: Planning Emergency Response Business Recovery Crisis Management The documented business continuity plan is the culmination of the planning activity, which includes Business Impact Analysis, risk analysis, and selection and implementation of appropriate continuity strategies. It is the document that will be used at the time of a disaster or major incident to aid the various recovery teams in ensuring the recovery of your critical business functions. The business continuity plan should include the following elements: Emergency Response Escalation and invocation Callout Damage assessment Crisis Management Command centres Recovery strategies HR issues Media management Business Recovery Recovery Team structure Team members Key contact details (staff, customers, suppliers, etc) Vital records Infrastructure recovery (premises and IT) Key processes and tasks There are various styles of business continuity plan and the style you choose should reflect the needs and culture of your organisation. Whichever style you choose, the plan needs to be easy to follow and usable under unfamiliar and stressful conditions.

8 A good business continuity plan is seen as a living document that will change as your organisation changes. It is essential that it is kept up-to-date the survival of your organisation could depend on it. Acumen s experienced consultants will work as part of your business continuity management team to provide expert advice and guidance on all of the above elements. They will help you to develop and maintain an effective and workable business continuity plan that reflects the needs of your business. Strategy Development/Implementation of Solutions The Business Impact Analysis and Risk Analysis processes will have resulted in a number of recommended strategies for business recovery, risk mitigation and information security management, such as: Internal arrangements, eg: Spare office accommodation Standby computer facilities Mirroring of critical systems Reciprocal arrangements with other parts of the group Specialist external services, eg: Warm restart computer sites Workarea recovery sites Cold restart sites Ship-in services Expert salvage and restoration services Environmental improvements, eg: Fire, water and intruder detection Physical security Diverse routing of power and telecommunications circuits Information security and data protection measures, eg: Data security policy Procedural changes Data backups Virus checking Firewalls The objective of the implementation phase is to deliver the chosen strategies within approved time, resource and financial constraints. It incorporates: Project management 3 rd party ITT processes for appropriate maintenance, support and recovery services; Implementation of resilience countermeasures; Provision of operational documentation and procedures; Implementation of backup strategies; Development of business continuity and information security plans; Executive and user awareness training. Acumen can provide expert assistance in all of the above areas, helping you meet your business continuity and information security objectives.

9 Exercising and Testing Exercising and testing is a vital part of the long term business continuity or information security management lifecycle, which will prove the viability of your plans and highlight areas for further improvement. It also provides an ideal training opportunity for those involved in the key activities. Testing can often be time consuming and expensive, so it is important that adequate planning and preparation takes place to ensure that maximum benefit is gained. All testing must be carefully managed and co-ordinated to ensure low risk to the business but maximum return on the effort put in. An effective test will contain most, if not all, of the following elements: A body responsible for control and co-ordination Objectives and success criteria A test plan and schedule Briefing of participants Management and co-ordination Event logs and post-exercise critique forms Independent observers Post-test reporting and follow-up Acumen s consultants have extensive, practical experience of the full range of testing methods, including: Callout tests Talk through reviews of recovery plans Scenario-based walkthrough exercises Component tests (eg IT, communications or departmental recovery) Integrated tests (eg multiple systems and/or business processes) Relocation tests (technical and business recovery) Real disaster simulations Network penetration tests Incident Management/Business Recovery Exercising Exercising and testing is a vital part of the long term business continuity management lifecycle, which will prove the viability of your plans and highlight areas for further improvement. It also provides an ideal training opportunity for those involved in the key activities. A scenario-based exercise, involving the crisis/incident management team and/or business recovery teams, will: Raise awareness of likely issues in the event of an emergency occurring; Provide practical experience of business continuity issues for the participants; Confirm the viability of the business continuity plans and recovery strategies; Test the assumptions contained in the business continuity plans; Identify areas for improvement and follow-up actions.

10 Information feeds Facilitators Incident Management Team Information feeds Observers Observers Acumen s experienced consultants will prepare and facilitate the exercise, which is run as an interactive workshop. Participants will be presented with a disaster scenario and be asked to role play their responses as if the incident were real. A number of incident updates will be provided throughout the exercise, which is run using a combination of real time and accelerated time. Participants are debriefed at the end of the exercise and a report produced detailing relevant observations, recommendations and follow-up actions. Training and Awareness Training and awareness are crucial elements of a business continuity or information security management strategy. All personnel within an organisation need to be aware of their roles and responsibilities within the company s business continuity plans and information security management system. Key players need to develop the skills and confidence needed to play their part, whether it be managing risk, implementing business continuity and information security solutions, maintaining and exercising the plans or successfully recovering their business operations following a disaster or information security breach. Training Acumen offers a range of training courses and workshops to assist your staff to gain and practice the skills required for effective business continuity and information security management. The workshops are tailored to the precise needs of your business rather than being off the shelf packages, and are presented and facilitated by highly experienced business continuity and information security management practitioners. Workshops are run at a location that best suits the client, for instance at the client s own premises or at a local hotel or conference facility. Topics include: Introduction to business continuity management Introduction to information security management Business impact and risk analysis Emergency response planning and crisis management Developing continuity strategies and plans Media communications Scenario-based exercises and workshops

11 Awareness Programmes In addition to the workshops described above, Acumen can assist with a comprehensive business continuity and/or information security awareness programme that is tailored to the needs of the organisation. This may include any or all of the following : Newsletters Seminars Road shows Videos Executive and staff briefings Guidebooks and leaflets Training courses and workshops