BUSINESS CONTINUITY MANAGEMENT SYSTEM STEP BY STEP GUIDE TO DEVELOPING A BUSINESS CONTINUITY MANAGEMENT SYSTEM REPUBLIC OF IRELAND


YOUR QUICK REFERENCE GUIDE TO THE PROCESS OF DEVELOPING A BUSINESS CONTINUITY MANAGEMENT SYSTEM

OUR MISSION
To build a world-class business that puts you at the centre of our organisation and society at the heart of our goals.

OUR VISION
As a mutual, we care about people. We understand that our progress is dependent on all our stakeholders, including our Members, staff, broker partners, clients and the community at large. We are committed to delivering innovative, world-class business practices underlined by our ethical approach and our clear vision.

OUR COMMITMENT
A sustainable business depends on meeting the needs of all stakeholders. Our continued success depends on meeting and beating our clients' expectations. This means recognising and rewarding local initiatives in building a better Ireland. In 2012, IPB announced its first social dividend, focusing on Youth and Community, Education, Sport, Business Innovation and Diaspora.

CONTENTS
- Introduction P/04
- Definitions P/05
- Business continuity model P/06
- Insurance P/18
- Claims P/20
- References P/20

03 IPB INSURANCE

THIS IS THE START OF YOUR JOURNEY
We will guide you through the process of developing a business continuity management system.

THIS WAY TO A SAFER FUTURE

INTRODUCTION

A business continuity management system presents a holistic approach to the planning, implementation, management, and continual improvement of an organisation's systems. Business continuity planning and disaster planning are frequently interpreted as being the same; however, they are different.

A Business Continuity Plan provides for the identification of the risks that could result in business interruption. It includes impact assessment of the risks that could prevent the continuity of an organisation and the steps to be taken so that if a serious incident occurred, the organisation would not be adversely impacted.

A disaster plan documents how an organisation would recover the critical components of a business if a serious incident occurred, how the organisation would manage the incident and how long the phase would continue so that the organisation remains viable.

This guidance was developed to help organisations to create both a Business Continuity Plan and a disaster plan. Should an incident happen, creating and implementing such plans will mean that the organisation is as well placed as possible to deal with it effectively.

Please note that this guide is not intended to be a definitive guide on the management of all risks associated with business continuity. This guide is designed to complement the directives, recommendations and advice given in legislation and various publications (some of which are outlined on page 20). Management need to create and update their own policy and procedures for dealing with business continuity and disaster.

DEFINITIONS

Business continuity
The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident (ISO 22300).

Business continuity management
The holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause. This provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (ISO 22301).

Business Continuity Plan
The documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. This typically covers resources, services and activities required to ensure the continuity of critical business functions (ISO 22300).

Business impact analysis
The process of analysing activities and the effect that a business disruption might have upon them (ISO 22300).

Incident
A situation that might be, or could lead to, a disruption, loss, emergency or crisis (ISO 22300).

Risk appetite
The amount and type of risk that an organisation is willing to pursue or retain (ISO 22301).

BUSINESS CONTINUITY MODEL

The decision to develop a Business Continuity Plan should be taken by the executive management team. The Business Continuity Plan to be adopted should be developed following the identification of as recorded in the Risk Register.

Reference should be made to the International Standards Organisation (ISO 22301: Societal Security Business Continuity Management Systems Requirements). This Standard applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisation's business continuity management system.

The benefit of applying the PDCA model is that it ensures a degree of consistency with other management systems and standards, such as:
- ISO 9001 (Quality Management Systems)
- ISO 14001 (Environmental Management Systems)
- ISO/IEC 27001 (Information Security Management Systems)
- ISO 20000-1 (Information Technology Service Management)
- ISO 28000 (Specification for Security Management Systems for the Supply Chain)

The figure overleaf illustrates how a business continuity management system takes interested parties and requirements as inputs for continuity management and, through the necessary actions and processes, produces continuity outcomes (i.e. managed business continuity) that meet those requirements (ISO 22301).

FIGURE 1: PDCA MODEL APPLIED TO BCMS PROCESSES (REFERENCE: ISO 22301)
[Figure labels: Continual improvement of Business Continuity Management System (BCMS). Inputs: Interested parties; Requirements for business continuity. Stages shown include Implement and operate (Do), Monitor and review (Check), Maintain and improve (Act). Outputs: Interested parties; Managed business continuity.]

[Figure: DEVELOPING A BUSINESS CONTINUITY MODEL. Stage labels: IDENTIFY, PLAN, ASSESS, DESIGN, TEST.]

The organisation's business continuity model should be underpinned by the risk management model already implemented in the organisation. It should include the following steps:

1 a project team to develop
The members of the team should include a project team leader who is a member of the executive management team that has decision making capacity, supported by the heads/managers of the following functions:
- Communication/Marketing/PR. This is a key role, the importance of which should not be underestimated.
- Information management.
- Facilities management, including security.
- Representatives from critical business functions across the organisation.
- Staff representation.

2 business
These may include fire, flood, power failure, IT interruption, industrial dispute(s), withdrawal of financial support, pandemic, natural disaster, and supply chain failure. These may already have been identified on your Risk Register.

3 critical
This will include:
- People: employees, customers, suppliers, third-party service providers.
- Buildings: what sites are available; where are they located; what is the capacity of each site; what is contained at the site; which is the preferred site?
- Infrastructure: roads and communication pathways, e.g. telephones, emails, web, social networks.
- Equipment: what is critical for the organisation to continue its business (e.g. equipment ordinarily required for day-to-day operations and availability of a standby generator, etc.)?
- IT: such as hardware and software, e.g. database of customers, suppliers, etc.

4 business
What is the likelihood of the risk(s) occurring, and what is the impact of each of the identified risks on the achievement of the strategic plans of the organisation? The following should be considered:
- Customers.
- Employees.
- Regulations. Reference should be made to the organisation's regulatory universe (relevant legislation, codes of practice, standards and guidance).
- Built environment. What will be critical to ensure that the organisation continues with minimal interruption? Consideration should be given to the availability of a standby generator and battery backup equipment.
- IT, such as server(s), computers, printers, facsimile machines.
- Communications, such as telephones (landline and mobile), email, web and social networks.
- Location of hot site to support business continuity.

It is good practice to visit the hot site that will be used to re-establish the organisation and consider the following:
- Location. How close is the hot site to the current location? For example, if it is immediately next door, consider if the hot site will be viable if there was a fire, explosion, civil unrest.
- Access and egress. What is available to enable employees to access the hot site, e.g. road; rail; air; transport such as car, bicycle, light-rail, boat/ferry?
- Security. What security arrangements need to be provided to secure the hot site and make it available at any time (day/night/weekend) and while the hot site is being used to re-establish the organisation?

- Compliance with legislation, such as:
  > Fire safety.
  > Safety, Health and Welfare.
  > Legionella.
  > Data Protection.
  > Building Control Regulations.
  > Other regulatory requirements relevant to the organisation.

Model each of the critical risks identified to ensure all critical information has been gathered. The input of employees will be invaluable in this exercise, particularly those employees who will be called upon to respond if the risk materialises.

5
The Business Continuity Plan should be made available to all employees in hard or soft copy and kept in a secure location that is accessible in an emergency. The level of detail in the plan should be commensurate with the size of the organisation and the number of critical functions to be undertaken. Consider including the following:
- The organisational structure and who will be the responsible person(s) appointed for:
  - Coordination of the plan if it is implemented.
  - Communication with key stakeholders, such as:
    > Employees.
    > Customers.
    > Media.
    > Government and statutory agencies.
- Records of all employees and contact details, which should be maintained and up-to-date (while being aware of data protection requirements).
- Maintenance of compliance with relevant legislation, codes of practice, standards and guidance.
- Impact of the risk(s) at the strategic and operational levels of the organisation, as well as on the financial position and the reputation of the organisation. A higher level of preparedness will be expected from organisations that have a statutory responsibility to support the critical of the country, such as local authorities and utilities.
- Emergency planning to include procedures for processes to be undertaken in an emergency, such as the relocation of critical assets from high-risk environments (e.g. how to move IT hardware and servers from a basement location to a higher level in the event of a flood alert, how to evacuate a building in the event of a fire or explosion, or how to rescue people from flooded buildings). Procedures may also be needed on how to isolate critical utilities, such as electricity, gas, petroleum and water.

- Define what the organisation deems to be the short, medium and long term. This will enable the organisation to determine critical timeframes, e.g. short term for one organisation may be a week, while for another it may be a month, and long term for one organisation may be a month, while for another it could be a year.
- Location of the hot site, which will be the alternative location for to continue in the short term. It should be remembered that may have to continue from the hot site for a much longer period of time than was initially identified. Consider if the same location can be used or whether an alternative location will be required for the medium to long term.
- Training should be included as part of and the training plan should be updated if necessary following any testing of the plan.

6
Testing allows identification of the following:
- Appropriateness of the plan in meeting the organisation's strategic plan.
- Deficits in the planning process, such as absence of a generator in the event of an electricity failure.
- Effectiveness of the means of communication chosen for contacting employees, e.g. the use of mobile phones/landlines/social media.
- Availability of employees to respond to a business interruption.
- Accessibility of the hot site, including the length of time it would take for each employee to respond and relocate to the site following the activation of the Business Continuity Plan.
- Availability of adequate office, such as desks/chairs.
- Other issues, such as availability of safe drinking water, food, etc. Consider if overnight accommodation will be required due to the location of the hot site and the travel distance for employees.

7
The disaster plan should be focused on recovering the organisational functions so that there is minimal interruption. With reference to the critical described at point 3 on page 9, decide on the plan of action and timetable for:
- The return of employees to full-time working at the hot site, at alternative work locations or from home. It is important to remember that employers continue to have the same responsibility to employees, such as compliance with Safety, Health and Welfare legislation, even if they are working from home.
- The maintenance of the customer database.
- The return of the original working environment to its pre-interruption condition. Consider if refurbishment will be required or if the site will require clearance and a new build. Perhaps a permanent relocation is needed; if so, identify alternative available sites.
- The maintenance of the organisational. Is the current communications and IT adequate or has it been damaged? If so, what will be the timetable for replacement and will training for employees be required for the new systems?

INSURANCE

Insurance should be viewed as a key component of any Business Continuity Plan, providing an organisation with the ability to transfer risks of damage and interruption to following a loss. IPB Insurance has extensive experience in dealing with our customers following losses to their assets and interruption to their business.

Property Insurance

Property Insurance covers damage to property following an insured event, and seeks to replace/repair or reinstate the property in the quickest time possible in order to minimise any disruption to the organisation. To ensure the smooth handling of any property claim following any loss, reinstatement/replacement values must be considered prior to setting up or renewing any of your property insurance policies.

Are all buildings/structures/assets insured for their current reinstatement value? The cost of reinstatement of the property should take into account the cost of rebuilding the premises to a condition equivalent to, or substantially the same as, but not better or more extensive than, its condition when new. Consider the following items when finalising valuations:
- The additional cost of reinstatement to comply with Public Authority Requirements or European Legislation.
- Professional fees, e.g. architects, engineers, etc.
- Debris removal costs to clear the site following loss.

Clients should also ensure that their Asset Register is related to their Insurance Schedule so that none of the property or its contents are overlooked or uninsured. Clients should consult with their insurance advisor prior to arranging property valuations.

Business Interruption Insurance

In the event of damage to a property, the insurance will, if the values are correct, ensure that there is sufficient money available to repair/replace the damaged property. However, repairs or replacements could take time and could impact financially on the organisation through lost income or through extra incurred costs in order to keep the organisation running (e.g. rental on other premises, machinery hire, additional overtime and travel expenses for employees).

Increased Cost of Working (ICOW) insurance is provided by insurers to help organisations cover the increased costs necessarily and reasonably incurred by the organisation to minimise any interruption or interference with the running of the organisation during the period following damage.

To obtain details of cover in your Property or Business Interruption Policy, please refer to your IPB Insurance Property Policy and Schedule. You should also discuss the adequacy of your cover with your insurance advisor.

CLAIMS

If an incident occurs that threatens the viability of your organisation or that could result in any level of interruption to your business, you should contact claims@ipb.ie

REFERENCES
- www.iso.22301:2012
- www.iso.223001
- www.bsigroup.com/en-gb/iso-22301-business-continuity
- Local Authority Risk: excellence in governance through best practice risk management (IPB 2005).
- TOOLKIT to support Local Authority Risk: excellence in governance through best practice risk management (IPB 2006).
- VEC Risk: excellence in governance through best practice risk management (2009).
- ISO 22301: 2012 Societal security Business Continuity Management Systems Requirements.

Designed by FUDGE Creative, fudgecreative.ie. BUSCON 1214 V1

WORKING TO MAKE A DIFFERENCE

IPB Insurance
1 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Tel: +353 1 639 5500
Fax: +353 1 639 5510
Email: info@ipb.ie
www.ipb.ie

Reg. No. 7532 Republic of Ireland. Irish Public Bodies Mutual Insurances Ltd. trading as IPB Insurance is regulated by the Central Bank of Ireland.