Business Continuity Planning


Business Continuity Planning. Public Entities Risk Management Forum, 5th July 2012. Presented by Mark Penberthy FBCI

Overcoming Practical Challenges: Business Continuity Management (BCM)

AGENDA
1. What is BCM?
2. Relationship with Risk Management...
3. Where do I start?
4. Lifecycle / Process Flow
5. Critical Components (and Influences)
6. When is BCM Complete?

Section 1 What is BCM?

Business Continuity Definition (ISO 22301): Capability of the organisation to continue delivery of products or services at acceptable, predefined levels, following a disruptive event.

In Simple Terms
- Disruptive event?
- Products and Services (Mission Critical)
- Focussed primarily on disruption to: buildings and facilities; skills and knowledge; ICT; supplies
- How quickly do we need to restore... operations; data (how much data can we afford to lose)?

Disruptive Events: Europe 95 09

And 2010...

Risk Definition
- Risk = Impact x Probability
- Probable events: power failure; communications failure; hardware failure
- Lower likelihood: aircraft; floods; fire

Products? / Services?
- Public Sector mainly services driven, however:
- Estimated 300 SOEs: Electricity; Transportation and Telecommunications
- Products and services through Local Government
- Information flow between Government departments

Brand South Africa
- Government Departments / SOEs providing essential services to support the National Economy
- Supply Chain Obligations
- Best Practice (ISO)
- Brand doesn't matter, we have a monopoly
- We are now extremely brand conscious!
- Recent Treasury Bond Auction

Non-performance? Impacts?
- No competition... Market share?
- Impacts upon other entities
- Impacts on Economy?
- Brand and Reputation?
- Coastal Cities

Mission Critical?
- How is criticality determined?
- At what stage of the lifecycle?
- Tangible and intangible impacts
- Seasonality
- Interdependencies
- Regulatory / Legislative
- Supply Chain?
- What does the risk analysis focus on?

What is BCM NOT!
BCM is NOT Disaster Recovery (DR) and the two should never be confused! DR is a legacy concept which addresses the recovery of technology only, whereas BCM is focused on continued delivery of services and products!

Section 2 Relationship with Risk Management

Primary Issues
- BCM is complementary to a risk management... sets out to understand the risks to operations, and the consequences of those risks (BS 25999)
- Shall identify and document... links between the BC policy and the organisation's objectives, including the overall risk management strategy (ISO 22301)

BCM Focus
By focusing on the impact of disruption, BCM identifies those products and services on which the organization depends for its survival... or put another way, its reason for existence! What needs to be done before an incident occurs to protect its people, premises, technology, information, supply chain, stakeholders and reputation. (BS 25999)

BCM and Risk Management
BCM is a key contributor to effective corporate governance. It is often positioned under Risk Management and allows stakeholders to ask searching questions, such as:
- The company's business and operating model
- Key value creating products and services
- Key dependencies: critical assets and processes
- How the company will respond to a loss of or threat to any of these
- What the main threats are today and on the horizon (Scanning)
- Evidence that the continuity plans will work in practice
(GPG 2010)

Section 3 Where do I Start?

Where Do I Start?
- Management Buy-In
- Policy
- Programme Management
- Project definition
- Scope
- Funding
- Awareness and Skills
- Business Impact Analysis
- Determine Criticality and time constraints
- Risk Analysis
- BCM Strategy

Large Organisations Urgent Important Activities Non Critical Activities

Developing Awareness
- Corporate newsletters, bulletins, articles, staff magazines
- Intranet web sites
- Professional BCM practitioners within the organization
- Remuneration and rewards through the performance and appraisal system
- Participation in other organizations' BCM exercises or real events
- Inclusion of BCM related objectives through the organization's performance and appraisal mechanisms
- Induction programme
- Executive briefings

Section 4 Life cycle / Process Flow

BCM Lifecycle: What's missing? POLICY

Process Flow: Awareness Buy-in Top Down Skills Ownership Funding Training Policy Activities Input Output End-to-end Impact over time Services Urgency Data loss Operations Critical ops RTO RPO Enablers Dependencies MCAs Protect Risk analysis Reduce the threat of disruption to MCAs Strategy People Premises Resources (IT, telecoms, power, supplies)

Initial Output
- Business Impact Analysis Report
- MCAs
- RTO / RPO
- Interdependencies
- Enablers
- Critical skills
- Critical times
- Resources: people, premises, resources etc.
- Risk Analysis Report

Balance of Programme?
Once understanding the organisation is complete...
- Implement recovery strategy
- Alternative site configuration
- Resource configuration
- Supply chain
- Business Continuity Plans
- IT Continuity Plans
- Test, Maintain & Review

Section 5 Critical Components

Critical Components / Attributes
- Management buy-in
- Policy
- Budget
- Ownership and Accountability
- Awareness
- Evacuation (Protecting skills and assets)
- Crisis Management (Threats to Brand and Reputation)

Influences
- Regulatory: PFMA
- Governance: King II & III
- Stakeholder interests
- IT Governance
- Compliance: Auditor General
- Standard: ISO 22301

ISO 22301 Excerpt
Scope: Applicable to all organisations, regardless of size, type and nature
Management commitment: Top management shall provide evidence of its commitment to BCM by:
- Establishing a BCM Policy
- Establish BCM objectives and plans
- Establish roles, responsibilities and competencies
- Appoint persons responsible for BCMS with appropriate authority and competency

Auditor General
Weakening of Pillars of Governance:
- Management of supply chains
- Service delivery
- Security of government information
- Accuracy of Government reports
Terence Nombembe

Certification Training Global (Business Continuity Institute) Why Certification? (Necessary Competence) BCM Skills Base International Local Africa

Section 6 When is BCM Complete?

It is never complete! The initial aim will be to successfully complete an implementation of the BCM lifecycle, but the long term goal of BCM programme management is to improve the organization's BCM capability, and hence its operational resilience, with successive iterations of the BCM Lifecycle.

Resilience?
BCM increases an organisation's resilience. Resilience is widely defined as the ability of an organization to absorb, respond and recover from disruptions.

BCM Lifecycle

When is BCM not required? A hospital bed that is not occupied does not mean that it is not required!

Currency
Agree a programme of ongoing exercising and maintenance of the BCM plan (solution) to ensure it remains current:
- Up-to-date
- Deployable
- Resourced
- Funded
- Best practice!

Governance
"If a country does not have a reputation for strong corporate governance practices, capital will flow elsewhere. If investors are not confident with the level of disclosure, capital will flow elsewhere. If a country opts for lax accounting and reporting standards, capital will flow elsewhere. All enterprises in that country, regardless of how steadfast a particular company's practices may be, suffer the consequences. Markets must now honour what they perhaps, too often, have failed to recognise. Markets exist by the grace of investors. And it is today's more empowered investors that will determine which companies and which markets will stand the test of time and endure the weight of greater competition. It serves us well to remember that no market has a divine right to investors' capital."
Arthur Levitt, former Chairperson of the United States Securities and Exchange Commission

Thank you! Mark Penberthy FBCI mark@markpenberthy.com