Chapter I: Fundamentals of Business Continuity Management



Similar documents
Chapter II: Business Continuity Management Organization

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Disaster Recovery and Business Continuity Plan

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

HB A Practitioners Guide to Business Continuity Management

Business Continuity Management

Coping with a major business disruption. Some practical advice

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Business Continuity Management

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

Business Continuity Planning and Disaster Recovery Planning

The PNC Financial Services Group, Inc. Business Continuity Program

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

BUSINESS CONTINUITY MANAGEMENT POLICY

Disaster Recovery Plan The Business Imperatives

Creating a Business Continuity Plan for your Health Center

BUSINESS CONTINUITY PLANNING

Company Management System. Business Continuity in SIA

Business Continuity Planning (800)

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Business continuity plan

Table of Contents... 1

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

Business Continuity and Disaster Recovery Planning

Emergency Response and Business Continuity Management Policy

Desktop Scenario Self Assessment Exercise Page 1

The PNC Financial Services Group, Inc. Business Continuity Program

Principles for BCM requirements for the Dutch financial sector and its providers.

Business continuity management policy

Chapter 1: An Overview of Emergency Preparedness and Business Continuity

BUSINESS CONTINUITY POLICY

#316 The Security Elements of Business Continuity & Disaster Recovery Plans

Business Continuity Management Policy

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

Business Continuity Management

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

Prudential Practice Guide

Business Continuity Business Continuity Management Policy

Kuala Lumpur, Malaysia, May Report

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

(Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For

Temple university. Auditing a business continuity management BCM. November, 2015

Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems

Business Continuity Management

Business Continuity Management Review

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

BCP and DR. P K Patel AGM, MoF

How To Manage A Disruption Event

Regulatory Framework for Disaster Recovery Planning for the ICT Industry

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Unit Guide to Business Continuity/Resumption Planning

Overview TECHIS Manage information security business resilience activities

Information Technology Project Management (ITPM)

Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

Risk & Audit Committee California Public Employees Retirement System

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

Documentation. Disclaimer

Business Continuity Policy

Vendor Management. Outsourcing Technology Services

Building and Maintaining a Business Continuity Program

Sound Practices for the Management of Operational Risk

Business Continuity and Disaster Planning

Business Continuity Plan

Business Continuity Management Program Development Guide

Incident Management, Business Continuity and IT Disaster Recovery

PBSi Business Continuity Planning

Corporate Risk Management Policy

Disaster Recovery. Continuity in an Uncertain World

Supervisory Policy Manual

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy Business Continuity Policy Statement 2015

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Why Should Companies Take a Closer Look at Business Continuity Planning?

Business, Resiliency and Effective Disaster Recovery. Anne Kleffner, PhD Haskayne School of Business, University of Calgary

Solihull Clinical Commissioning Group

Business Continuity & Disaster Recovery

White Paper on Financial Institution Vendor Management

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

PPSADOPTED: OCT BACKGROUND POLICY STATEMENT PHYSICAL FACILITIES. PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan

Development, Acquisition, Implementation, and Maintenance of Application Systems

Business Continuity Planning for Water Utilities: Guidance Document [Project #4319]

Disaster Prevention and Recovery for School System Technology

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Transcription:

Chapter I: Fundamentals of Business Continuity Management Objectives Define Business Continuity Management (BCM) Define the relationship between BCM and risk management Review BCM responsibilities Identify BCM benefits, costs and the commitment required Examine the BCM development process Review the use of a project management approach within BCM Review the data collection process for BCM Present an overview of professional standards and terminology Review the relationship between information technology and business continuity Define Green BCM. Business Continuity and Risk Management Planning for disasters may take a backseat to more immediate concerns, especially for a manager who considers such events as improbable and who has not thought through the potential impact of being unprepared. However, a prudent manager will develop contingency plans to provide for the continuation of essential operations. Senior managers should review the criticality of the organization s products and services to determine priorities and when operations must resume in order to avoid significant losses. Operations will be disrupted if one or several required resources are unavailable. The event of the loss of a resource can be due to any one of several potential disasters. Identifying these possible events requires a review of all internal and external resources required to deliver an organization s products and services. Planning must focus on those events that can result in significant losses. Such events are identified by comparing the expected recovery time associated with the event to the length of time operations can be interrupted before incurring significant losses. Alternative strategies can reduce the risk of an event. The selection of the set of alternatives to be used will depend on their respective costs and benefits. In certain cases the decision is obvious. When the selection is not obvious a cost-benefit analysis may be required. Business continuity refers to the actions taken to sustain and/or resume operations impacted by crisis events. Frequently the term business continuity by itself also implies recovery. Business Continuity Management (BCM) is a holistic management program that identifies potential events that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, the environment, reputation, brand and value creating activities. Resilience is the ability of an organization to withstand the impact of a crisis event. 1

Risk management is comprised of the processes of risk assessment, risk communication and risk treatment. Risk management and BCM are sometimes mistakenly seen as competing fields. However, risk management and BCM are strongly tied together and viewing the fields separately is unhelpful. Risk management tends to be preventative, whereas BCM tends to deal more with consequences. Risk management processes provide important inputs for BCM and also deals with control for risks. On the other hand, BCM goes beyond risk management to plan for the inevitable disaster. Utilizing business continuity and risk management in an integrated fashion is coherent and productive. There are multiple purposes for BCM. BCM is used to prevent serious disruptions, if possible, and to mitigate the impact of occurring disruptions. BCM is designed to provide safety for people and the environment, minimize the interruption of operations, mitigate damages, maintain customer service standards, maintain quality controls, reduce legal exposures and comply with regulations. Risk management is the foundation of comprehensive BCM and provides an analytic basis and an economic justification for decision making regarding the allocation of resources. Risk management is a continual process of decisions resulting in how risks are treated, whether accepted, avoided, reduced or transferred. Conceptually, risk management decisions are extremely difficult. The difficulty arises because these decisions must come to grips with uncertainties surrounding highly unlikely events with major, potential adverse impact upon the operation of an organization. The use of risk management for contingency planning can provide an organization with considerable savings through effective use of insurance and implementation of cost-effective loss reduction strategies. BCM Responsibility There are many challenges facing organizations regarding BCM. Communication of the benefits of BCM and similarly communication of the risk of not having a BCM program are foremost among these challenges. BCM should be partnered strategically with the organization to be most beneficial and the effectiveness of the program should be thoroughly evaluated. There is a need for regulations to ensure compliance, and likewise, there is a need for industry standards to promote widespread implementation of BCM. The Board of Directors is an organization s highest management authority and has ultimate responsibility for the organization's performance. The Board of Directors must establish policies and objectives to ensure the organization s survival and fulfillment of its mission. Law imposes strict duties on directors because they exercise control and management over the organization. Internal control is the direct responsibility of the directors and these duties apply to each director separately. Senior management holds specific powers conferred by the authority of the Board of Directors and has the responsibility of managing the organization. Senior management is responsible to initiate and oversee BCM to ensure the organization s preparedness and resiliency for a broad spectrum of critical events. It is the responsibility of all employees of an organization to understand their role in BCM and to actively participate as directed.

2 If there is a management of money or property among two or more parties a fiduciary responsibility is created. Although fiduciary responsibilities vary somewhat between different countries, a fiduciary is required to perform duties to the highest standards and to avoid any conflicts of interest. BCM Benefits Communication is a critical factor in obtaining support for BCM. Senior management should be made aware of the dangers of not having BCM. Examples of disasters in relevant industries are useful in establishing the necessity of BCM and obtaining support. Highlighting actual incidents that could have been disasters is also most useful. There are many benefits to an organization to have comprehensive BCM. Effective BCM decreases exposure, reduces downtime, secures assets and improves security. The process of developing BCM improves employee understanding and provides cross-functional training. Also, BCM protects markets, provides legal compliance and helps avoid liability. A presentation to senior management should relate BCM to the organization s mission, explain the risks to which the organization is vulnerable, explain management s accountability and liability and provide a foundation to develop BCM policy. BCM Costs The cost-justification of BCM is similar to the cost-justification of a good insurance policy: there is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis. Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective. BCM is not a vehicle that will likely produce a short term return on investment. However, as with any other venture, BCM must ultimately be cost effective to remain funded. Many of the important benefits of BCM (for example, employee goodwill and customer satisfaction) are clearly important but are difficult to measure. All of these factors contribute to the challenge of securing a financial commitment from senior management for BCM. The cost of establishing and maintaining BCM includes both initial and ongoing expenses related to various activities and assets, including: Developing BCM analysis and documentation. Backup facilities and equipment. Organization assets dedicated to emergency response. Physical improvements designed to mitigate damages. Training programs for employees. Exercising the BCM program. Maintaining BCM documentation. Insurance.

BCM Commitment 3 Before any program can commence and be successful, a commitment must be secured from the highest levels of the organization. Significant senior management-level participation at the corporate level is needed to oversee the program. Sufficient authority and resources have to be allocated to the BCM program for it to be successful. A senior executive should act as sponsor and champion of the BCM program. Management is typically aware of the need for business continuity planning but may need assistance in many aspects of project initiation and management. Senior management should ensure that prudent precautions are in place to prevent or mitigate a crisis, with the primary emphasis being on having the organization prepared to respond to safeguard people. Fundamentally, senior management is responsible for protecting the organization. Senior management needs to develop and implement a business continuity policy tailored to its needs. The organization should define a BCM policy so that all operational components have documented and exercised plans for the full range of resources required. A generic example of such a statement is: We are committed to providing continuous operations for our entire organization under normal circumstances and rapid recovery from disruptive events. BCM is not a short term project that comes to completion, but rather it is an ongoing, continuous program. BCM should be comprehensive across the entire organization and prioritized by operational needs. To be effective, BCM should always be current and properly tested to ensure that the proper measures are taken in the event of a situation requiring BCM activation. It is necessary to develop an approach with a budget and a timeframe. Key decisions are needed to resolve several questions as follows: Do we have the internal expertise to complete the program? Do we want to use the services of a consultant? The consultant may shorten the time necessary to develop the BCM program and also add much value to it. Which software should be utilized for the BCM program? Word processing templates come in a variety of packages from basic to rather comprehensive. More expensive menu-driven software packages may be a better value for organizations with more complex planning needs. BCM Development Process BCM should strive to determine and implement the most cost-effective strategies that accomplish the business continuity objectives. Identifying potential events that threaten an organization and providing a framework for building resilience with the capability for an effective response involves actions before an event, during an event and after an event. BCM should be based on operational requirements and led by an empowered team. The

deliverable is a verified plan that modifies the impact of crisis events to acceptable levels. 4 The first priority of BCM must always be the protection of human life. BCM must also have as a priority the protection of the environment. BCM enables effective decisions during a crisis, minimizes asset loss, facilitates timely recovery and maintains the organization s reputation. Business Continuity Phases are the steps to be taken before, during and after a crisis and include: prevention, mitigation, response, recovery and restoration. Prevention steps are designed to lessen the likelihood of a crisis event. Mitigation steps are designed to make the impact of an event less severe. Response is the reaction of an organization to an event to address immediate effects. Recovery is the stabilization and resumption of operations. Restoration is the process of returning to normal operations at a permanent location. BCM is a program consisting of three major stages: development, implementation and maintenance. As depicted in Figure 1.1, the program is continuous and cycles through these steps for the various entities of an organization. Figure 1.1 - The Cycle of BCM Stages Development Maintenance Implementation Continued

Copyright (c) 2012 Kurt J. Engemann and Douglas M. Henderson. This is an excerpt from the book Business Continuity and Risk Management: Essentials of Organizational Resiliency, ISBN 978-1-931332-54-5. Rothstein Associates Inc., publisher (info@rothstein.com). See http://www.rothstein.com/textbooks/business-continuity-and-riskmanagement.html This excerpt may be used solely in the evaluation of this textbook for course adoption. It may not be reproduced or distributed or used for any other purpose without the express permission of the Publisher.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information