Using the GPGs to Solve Business Continuity Problems. Presented by: Brian Zawada, FBCI, US Chapter Board President. www.thebci.org
What is the BCI? Founded in 1994, a Member-Owned, Not-for-Profit Professional Association of Business Continuity Professionals; A global membership and certifying organization for business continuity professionals; Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors; We stand for excellence in the business continuity profession; Our certified grades provide unequivocal assurance of technical and professional competency
What are the BCI's Objectives? Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities. Provide members with access to peer-based networking opportunities, enabling them to share experiences and knowledge. It is the BCI's goal to be ESSENTIAL to a member's success in the business continuity and resilience profession.
Who can be a member of the BCI? Professionals seeking international recognition of their professional and technical competency in the BC discipline; Individuals currently working in BC related functions who are seeking to improve their knowledge and understanding of the BC discipline; Individuals who are looking to benefit from being part of a global network of like-minded professionals to share good practice in BC and related disciplines; Newcomers to the discipline who are considering a career in BC or a related profession
A Global Membership. BCI Chapters: USA, Australasia, Canada, Swiss, SADC, Nordic, Asia, Belgium / Netherlands, Japan
What is the BCI USA Chapter? The USA arm of the BCI; Founded: 2008 in Daytona Beach, FL; 1000+ members and growing rapidly; Our strategic goal is to make BCI membership to business continuity professionals in the United States. USA Chapter Board Members: Rich Bogle, Ted Brown, John Jackson, Alice Kaltenmark, Paul Kirvan, Brian Mackay, Heather Merchan, Margaret Millett, Sean Murphy, Belinda Wilson, Brian Zawada
Why the BCI? 1. Internationally Respected Certification 2. Professional Growth 3. Networking 4. Content 5. Much More
Why the BCI #1 - Certification: A global certification brand aligned to industry best practices. Benefits to you and your organization: Credibility (recognition of competency); Opportunity; Compensation; Approach aligned to best practice
BCI Membership - Experience
Approach to Membership 1. Review the GPG 2. Take the Exam 3. Complete the Application Membership Level Based on Experience Summarize Your Experience References Or
The Alternate Route to Membership: The Alternative Route to Membership was set up for holders of third party business continuity certifications to provide an alternative route to BCI Membership that does not require applicants to sit for the Certificate of the BCI (CBCI) examination but instead recognizes third party certifications as equivalent qualifications.
The Alternate Route to Membership: The following qualifications and credentials have been identified as at least equivalent to the CBCI: ABCP, CBCP, MBCP, ICOR CORS Exam
Why the BCI #2 - Professional Growth: Training and Education Instructor-Led Training Custom Training E-Learning CBCI Exam Online Mentoring Program
Training and Education: Based on global good practice; Delivered by a global network of BCI licensed training partners; Instructors with years of practical experience to share; Certification CBCI; Introductory and Awareness training; Specialist skills classes (Crisis and Incident Management, Writing Plans, Exercising etc.); Master classes (BIA, Developing the Plan, etc.)
Course Catalog (sample), Training and Education: The Good Practice Guidelines Training Course (3 or 5-Day); The BCI BCM Audit Course; The BCI BIA Training Course (2-day); The BCI Supply Chain Continuity Management Course; The BCI Crisis & Incident Management Course; The BCI Writing Business Continuity Plans Course; The BCI Diploma
Mentoring: Mentors actively work in Business Continuity or related Professions; All Mentors are qualified and experienced Business Continuity professionals and hold either an FBCI, AFBCI or MBCI; Mentors and Mentees are carefully matched by the BCI based on learning and development needs; Share knowledge and expertise; Contribute to the growth of Business Continuity as a recognized discipline in industry; Support the and personal development of new and young professionals. Interested? Email membership@thebci.org for an application
Why the BCI #3 - Networking: Largest Global Network of BCM Professionals. Organized as: Chapters: Asia, Australia, Belgium / Netherlands, Canada, Japan, Nordic, South Africa, Switzerland and United States; Forums: UK and Europe, Africa, Canada, Asia, Middle East, South America; Global Conference; USA Conferences and Association Participation; BCAW; BCM Executive Forum; Consultant Directory
Why the BCI #4 - Content: The BCI Good Practice Guidelines Continuity Magazine The BCI enewsletter BCI Benchmark Special Reports (topical and lessons learned) C-Suite Toolkit Surveys, benchmarking and white papers Other free webinars
The BCI Good Practice Guidelines: A Guide to Global Good Practice in Business Continuity. The most comprehensive and independent view of current thinking in Business Continuity; Provides not just the "what to do", but answers the why, how and when of good BC practice; Written by BC professionals for BC professionals; Used in training and examining individuals and organizations (our body of knowledge); Aligned to ISO 22301; Reference material for academic institutions
How can I get a copy of the BCI's Good Practice Guidelines (2013)? BCI members can download a free pdf version from the Members Area; Non-members can purchase a pdf version from the BCI website, www.thebci.org
Why the BCI #5 - Much More: Discounts; Job listings and postings; Advocacy (government and academia); Continuing Professional Development (CPD) System
The Six Professional Practices
The BCI's Definition of Business Continuity: The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Source: ISO 22301:2012
GPG Alignment to ISO 22301? Responsibilities of Top Management; Setting strategic objectives; Resources for business continuity; The importance of the BIA and a stronger link to the organization's approach to risks and threats; Resource requirements, skills and competence of people involved; Training, awareness and communications; Document management; Exercising and testing; Monitoring performance and measuring value of business continuity
GPG Alignment to ISO 22301?
ISO 22301 | BCI GPGs (2013)
4.1 Understanding of the organization and its context | PP1 Policy & Program Management
4.2 Understand the needs and expectations of interested parties | PP1 Policy & Program Management
4.3 Determining the scope of the business continuity management system | PP1 Policy & Program Management
5.1 Leadership and commitment | PP1 Policy & Program Management
5.2 Management commitment | PP1 Policy & Program Management
5.3 Policy | PP1 Policy & Program Management
5.4 Organizational roles, responsibilities and authorities | PP1 Policy & Program Management
GPG Alignment to ISO 22301?
ISO 22301 | BCI GPGs (2013)
6.1 Actions to address risks and opportunities | PP1 Policy & Program Management
6.2 Business continuity objectives and plans to achieve them | PP1 Policy & Program Management
7.1 Resources | PP1 Policy & Program Management
7.2 Competence | PP2 Embedding Business Continuity
7.3 Awareness | PP2 Embedding Business Continuity
7.4 Communication | PP2 Embedding Business Continuity
GPG Alignment to ISO 22301?
ISO 22301 | BCI GPGs (2013)
8.1 Operational planning and control | PP1 Policy & Program Management
8.2 Business impact analysis and risk assessment | PP3 Analysis
8.3 Business continuity strategy | PP4 Design
8.4 Establish and implement business continuity procedures | PP5 Implementation
8.5 Exercising and testing | PP6 Validation
GPG Alignment to ISO 22301?
ISO 22301 | BCI GPGs (2013)
9.1 Monitoring, measurement, analysis and evaluation | PP6 Validation
9.2 Internal audit | PP6 Validation
9.3 Management review | PP2 Embedding Business Continuity, PP6 Validation
10. Nonconformity and corrective action | PP6 Validation
10.2 Continual Improvement | PP6 Validation
PP1 Policy and Program Management: Defines an organization's policy relating to BC, how it will be implemented, controlled and validated through a BCM program. Setting BC Policy and determining the scope of the BCM program; Defining governance and assigning roles and responsibilities; Implementing a BCM program, managing documentation using program and project management techniques; Managing outsourced activities and supply chain continuity. Source: BCI Good Practice Guidelines 2013
Policy and Program Management: The BCM program operates at three levels: Strategic (Decisions are made and policy is determined); Tactical (Operations are coordinated and managed); Operational (Activities are undertaken). Source: BCI Good Practice Guidelines Training Course Module One Version 1.0
PP2 Embedding Business Continuity: The Management Professional Practice that continually seeks to integrate BC into day-to-day business activities and organizational culture. Organizational Culture; Skills and Competence; Managing a Training Program; Managing an Awareness Campaign
PP3 Analysis: Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates. Business Impact Analysis (BIA); Threat Analysis (includes risk assessment)
PP4 Design: Identifies and selects appropriate strategies and tactics. Continuity and Recovery Strategies and Tactics; Threat (Risk) Mitigation Measures; Incident Response Structure
PP5 Implementation: Executes the agreed-upon strategies and tactics through the process of developing plan documentation. Business continuity plans; Developing and managing plans at a strategic, tactical and operational level
PP6 Validation: Confirms the BCM program meets objectives set in the BC Policy and that plans are fit for purpose. Developing an exercise program; Developing and running exercises; Maintenance of the BCM program; Review of the BCM program
How the GPGs Help Solve Problems!
My Top 6 Problems (Case Study)
GPG | Problem | Description
PP1 Policy and Program Management | Management Engagement | My steering committee isn't coming to meetings anymore or they've delegated their role.
PP2 Embedding Business Continuity | Participation | The VP from Department X assigned his administrative assistant as his group's planner.
PP3 Analysis | Focus | We have 1000 plans in our software tool but we're not sure we're recovering what truly matters.
PP4 Design | Proactive vs Reactive (and scope) | We seemed to be laser focused on reacting to events. Shouldn't we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?
PP5 Implementation | Templates vs Plans | No one seems to use the plans we've documented. And why would they all read the same, almost as if they're templates!
PP6 Validation | Measurement | We have 1000 plans, all updated in the last 12 months but we're not sure if we're actually ready for a disaster.
PP1 Policy and Program Management: "My steering committee isn't coming to meetings anymore or they've delegated their role." Root Cause: The program is focused on planning activities rather than what it's protecting and the performance of response/recovery strategies. Solution: Speak their language in terms of scope (product/services) and program objectives.
PP2 Embedding Business Continuity: "The VP from Department X assigned his administrative assistant as his group's planner." Root Cause: Role-specific competencies aren't defined. Solution: For each role, define the skills and experiences necessary to be successful, and then measure the assignment process; drive competency improvement.
PP3 Analysis: "We have 1000 plans in our software tool but we're not sure we're recovering what truly matters." Root Cause: Management has not defined priorities in terms of products and services, and because of that, the program focuses on every box on the organizational chart. Solution: Perform strategic, tactical and operational level business impact analyses in order to bring focus to the program.
PP4 - Design: "We seemed to be laser-focused on reacting to events. Shouldn't we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?" Root Cause: The organization isn't focused on controls to mitigate risk; rather, it's all about focusing on reacting to risk, with too much of a focus on one specific resource: IT. Solution: Use the risk assessment to identify and implement control enhancement; and identify strategies to address a loss of all resources: facilities, people, equipment, IT and suppliers/service providers.
PP5 - Implementation: "No one seems to use the plans we've documented. And why do they all read the same, almost as if they're templates?" Root Cause: Procedures fail to support the response and recovery decision-making process. Solution: Ensure procedures answer the key questions: what, who, where, when and how.
PP6 - Validation: "We have 1000 plans, all updated in the last 12 months but we're not sure if we're actually ready for a disaster." Root Cause: The business continuity program is measuring success based on the execution of activities rather than the performance of strategies. Solution: Determine if you can recover products and services consistent with management expectations and report on that!
GPG Related Conclusions: ISO 22301 and the GPGs help improve performance. ISO 22301 is written for the organization; the GPGs are written for the business continuity professional tasked with implementing best practice. Both documents leverage the equivalent of centuries of experience to focus on the best practices necessary to ensure organizations proactively mitigate continuity-related risk and respond/recover appropriately.
Summary: Why the BCI? New training programs (in-person and webinar-based); Complementary webinars and print content to introduce emerging practices and member experiences; Research and other publications to add value to your career and employer; A renewed mentoring program that matches BCI members based on geography, industry, expertise and need; An Executive Forum for senior business continuity practitioners in the US to collaborate and share ideas, modeled after the successful approach used by the BCI in Europe; A new membership level aimed at the experienced practitioner, the AFBCI; Continued, strong partnerships with DRJ and Continuity Insights. These and other US-focused services are in addition to the excellent benefits of the BCI overall.
To find out more about BCI Certification, Membership, Training & Education, or Partnership, visit us in the Ballroom or go to: www.thebci.org and follow the links
Join us or connect with us today: www.thebci.org; http://www.thebci.org/index.php/home/us-chapter-home; Twitter: @BCI_US_Chapter; LinkedIn: BCI USA. The Business Continuity Institute US Chapter: Abby Horan, 703.637.4407, Membership@thebci.org