Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

Similar documents

Business Continuity Management Policy

Coping with a major business disruption. Some practical advice

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Business Continuity Management and BS by Steve Chan, Head of Training - HK, BSI Management Systems

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

BUSINESS CONTINUITY POLICY

NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy. Version 1.0

Business Continuity Management

Business Continuity and Disaster Recovery Planning

Business Continuity Management

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

Business Continuity Management Framework

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO AUDITS, CERTIFICATION AND TRAINING

Business Continuity Management

BCP and DR. P K Patel AGM, MoF

Proposal for Business Continuity Plan and Management Review 6 August 2008

Solihull Clinical Commissioning Group

Principles for BCM requirements for the Dutch financial sector and its providers.

BS BUSINESS CONTINUITY MANAGEMENT

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Business Continuity Policy and Business Continuity Management System

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Chapter I: Fundamentals of Business Continuity Management

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy Business Continuity Policy Statement 2015

Business Continuity Policy

Business Continuity Management

Business Continuity Policy

Business Continuity Management. Policy Statement and Strategy

Business Continuity Policy

Business Continuity and Disaster Planning

Business Continuity Planning and Disaster Recovery Planning

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Business Continuity Planning

Temple university. Auditing a business continuity management BCM. November, 2015

1.0 Policy Statement / Intentions (FOIA - Open)

Business Resiliency Business Continuity Management - January 14, 2014

The PNC Financial Services Group, Inc. Business Continuity Program

Company Management System. Business Continuity in SIA

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

How To Manage A Disruption Event

PBSi Business Continuity Planning

Business Continuity and Risk Management. Ken Kaberia Principal BCM Officer, Enterprise Risk Safaricom Limited

Appendix 1 - Leicester City Council s Business Continuity Management Strategy and Policy Statement

BUSINESS CONTINUITY MANAGEMENT SINGAPORE SS540 BCM STANDARDS. LSA Consultants Pte Ltd

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

BUSINESS CONTINUITY MANAGEMENT POLICY

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy

RETAIL AUDIT FORUM - AUDITING BUSINESS CONTINUITY

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management Policy and Framework

Business Continuity Planning

BUSINESS CONTINUITY MANAGEMENT POLICY

A GUIDE TO BUSINESS CONTINUITY PLANNING

Business Continuity Management Policy

Il nuovo standard ISO sulla Business Continuity Scenari ed opportunità

Staying In Business. A Business Continuity White Paper by. Paul O Brien and Gerard Joyce. LinkResQ Limited

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt.

Risk Management Guidelines

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

Emergency Response and Business Continuity Management Policy

GUIDANCE DOCUMENT FOR COMPLETION OF RESIDENTIAL CARE ESTABLISHMENTS BUSINESS CONTINUITY PLAN TEMPLATE WEST MIDLANDS

ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

Business Continuity Management AIRM Presentation

Business Continuity Management Group Policy

Business continuity management policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

White Paper: ISO Business Continuity Management An Overview. ISO Business Continuity Management An Overview

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

BUSINESS CONTINUITY POLICY

London Borough of Bromley. Executive & Resources PDS Committee. Disaster Recovery Plans for London Borough of Bromley

Business Continuity (Policy & Procedure)

Business continuity management policy

Reputation. Further excellence. business continuity. risk management. Data security

Business Continuity Policy

The PNC Financial Services Group, Inc. Business Continuity Program

Business Continuity Plan

Business Continuity Planning for Water Utilities: Guidance Document [Project #4319]

Table of Contents... 1

Business Continuity Plan Toolkit

Guideline - Business Continuity Plan

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Transcription:

Business Continuity Management Governance Frank Higgins Abu Dhabi March 2015

Different Names Same Concept BCM (Business Continuity Management) BSI 25999 IPOCM (Incident Preparedness & Operational Continuity Management) ISO PAS 22399 BR (Business Resilience) OR (Organizational Resilience) Emergency Management Crisis Management Disaster Recovery

Disasters Happen Every Day...Its A Fact! Disasters are inevitable and costly so why are so many unprepared? Effective organizations have: Management foresight Tested Procedures Process Controls Back-up facilities Business Continuity Planning (BCP)

Business Continuity Institute (BCI) PAS56 Holistic management process Identifies potential impacts What is BCM? Framework for resilience and response capability safeguard interests of key stakeholders Or more simply It is the process to mount an immediate & effective response to any major incident Ensure plans are in place to maintain output to meet customer demand 1 PAS 56 Guide to Business Continuity Management is a Publicly Available Specification developed through the British Standards Institution.

Business Continuity Why Is Business Continuity So Important? What would you do tomorrow if your building was on fire today? What would your customers do? What would your competitors do? What would your bank and shareholders do? By systematically reviewing the risks you can reduce the risk of an incident occurring limit the impact if the worst comes to pass

Creates competitive advantage Reduces impact and likelihood of failure Demonstrates management commitment at all levels Enhances image and confidence with stakeholders (shareholders, customers/suppliers, employees, local officials) Helps organizations fulfill moral responsibility to protect employees and the community Enhances an organization s ability to minimize and recover from financial loses, market changes, fines, supplier interruptions, reputational hits, etc. Reduces exposure to civil or criminal liability Reduces insurance costs

Business Continuity Management Success, Recovery or Failure Fully tested effective BCM Business Outputs No BCM lucky escape No BCM likely outcome Critical recovery point Time

Components of BCM Emergency Response Plan Crisis Management/ Communication Plan A A successful outcome Activity Business Recovery Plan

BCM Value The value of a well-documented, comprehensive plan: Companies prefer to do business with companies that have business continuity plans. Many cases, customers are demanding to review business continuity plans. Companies with tested plans increase chances of surviving by approximately 70% over companies without tested plans. Be prepared to meet your employee s and customer s needs regardless of the situation

Facts Businesses with no plan: 43% never reopen. World Trade Centre 1993 Bombing: 150 companies never reopened (43%). Hurricane Andrew 1992: 80% of businesses without a plan failed in 2 years. 2005 London Bombing: 70% of those with a plan identified that the plan needed changes. Katrina created a new definition of disaster: city destroyed, no roads, utilities, government infrastructure, etc. Years to recover. 70% of all businesses that close for one month either never reopen or fail in three years. Most companies that lose their computer system for 10 days or more fail.

Reasons For Failure What causes businesses to fail? 68% Human error. 25% Technology failure. 5% Natural disaster. 2% Intentional causes. Many companies fall into a trap of planning only for failures on a grand scale when it is the smaller interruptions that cause most problems.

BCM Planning

BCM Programme BCM programme management driven top-down by executive management ensuring ownership and establishing policy. Managed at corporate/operational and operational/facility levels. Measure results through auditing, exercising, maintenance and training. Support continuous improvement through constructive feedback. Identify overall strategic objectives, values and activities; identify stakeholders, business processes, products and services Develop business continuity plans in line with agreed strategies; embed BCM within culture of the organisation. Embedding BCM Analyse financial and non-financial business impacts resulting from disruption of business processes (BIA); identify business-critical processes; identify gaps in recovery capability; develop prioritised recovery timeline. Design appropriate levels of recovery strategies that provide practical, costeffective solutions to close the gaps; design organisational structure to implement the formulated strategic objectives and operating model to respond to major incidents.

EFFECTIVE BCM IS BUILT ON 7 P s Programme - BCM Strategy People - Roles and responsibilities, Operations, Finance, HR, Sales, Awareness and Education Processes - All Organisational Processes Including ICT Premises - Buildings, Facilities & Equipment Providers Profile - Supply Chain - Brand, Image and Reputation Performance - Benchmarking, Evaluation & Audit

BCM Programme Business Continuity Pillars Business Continuity Audit Training and Exercising Business Recovery Plan Crisis Management Plan Emergency Response Plan Continuity Strategy Design and Development Business Impact Analysis and Risk Assessment Awareness and Programme Development BCM Programme Management

Lifecycle

5 Steps To BCM Stage 1 Understanding Your Business Organizational Strategy Business Impact Analysis Risk Assessment & Control Stage 2 BCM Strategies Organization BCM Strategy Process Level BCM Strategy Resource Recovery BCM Strategy Stage 3 Developing & Implementing BCM Response Crisis Management Public Relations and the Media Business Continuity Plans Business Unit Plans, Incident Response Stage 4 Developing BCM Culture Assessing Designing & Delivering Measuring Results Stage 5 Exercise, Maintain & Audit Exercising of BCM Plans BCM Maintenance BCM Audit BCM Controls Policies, Procedures, Practices Compliance

5 Steps To BCM Stage 1 Understanding Your Business Organizational Strategy Business Impact Analysis Risk Assessment & Control Stage 2 BCM Strategies Organization BCM Strategy Process Level BCM Strategy Resource Recovery BCM Strategy Stage 3 Developing & Implementing BCM Response Crisis Management Public Relations and the Media Business Continuity Plans Business Unit Plans, Incident Response Stage 4 Developing BCM Culture Assessing Designing & Delivering Measuring Results Stage 5 Exercise, Maintain & Audit Exercising of BCM Plans BCM Maintenance BCM Audit BCM Controls Policies, Procedures, Practices Compliance

5 Steps To BCM Stage 1 Understanding Your Business Organizational Strategy Business Impact Analysis Risk Assessment & Control Stage 2 BCM Strategies Organization BCM Strategy Process Level BCM Strategy Resource Recovery BCM Strategy Stage 3 Developing & Implementing BCM Response Crisis Management Public Relations and the Media Business Continuity Plans Business Unit Plans, Incident Response Stage 4 Developing BCM Culture Assessing Designing & Delivering Measuring Results Stage 5 Exercise, Maintain & Audit Exercising of BCM Plans BCM Maintenance BCM Audit BCM Controls Policies, Procedures, Practices Compliance

5 Steps To BCM Stage 1 Understanding Your Business Organizational Strategy Business Impact Analysis Risk Assessment & Control Stage 2 BCM Strategies Organization BCM Strategy Process Level BCM Strategy Resource Recovery BCM Strategy Stage 3 Developing & Implementing BCM Response Crisis Management Public Relations and the Media Business Continuity Plans Business Unit Plans, Incident Response Stage 4 Developing BCM Culture Assessing Designing & Delivering Measuring Results Stage 5 Exercise, Maintain & Audit Exercising of BCM Plans BCM Maintenance BCM Audit BCM Controls Policies, Procedures, Practices Compliance

5 Steps To BCM Stage 1 Understanding Your Business Organizational Strategy Business Impact Analysis Risk Assessment & Control Stage 2 BCM Strategies Organization BCM Strategy Process Level BCM Strategy Resource Recovery BCM Strategy Stage 3 Developing & Implementing BCM Response Crisis Management Public Relations and the Media Business Continuity Plans Business Unit Plans, Incident Response Stage 4 Developing BCM Culture Assessing Designing & Delivering Measuring Results Stage 5 Exercise, Maintain & Audit Exercising of BCM Plans BCM Maintenance BCM Audit BCM Controls Policies, Procedures, Practices Compliance

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Monitoring activities Response planning Asset management Safety programs Security programs Training / Exercises Audits

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Occurs only if and when there is a high probability of an imminent disruptive event. Provides time to prepare to respond.

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Heightened alert status Activate response teams Contingency planning Resource staging Shelter in place preparations Communicate with stakeholders Move to alternate locations

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Objectives: Stabilize the situation Assess situation and damage Minimize initial impacts Prevent follow-on impacts Return to normal operations as soon as possible

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Activate Emergency Response team and plans Activate Incident Management team and other response teams Communicate with stakeholders Situation / damage assessment Salvage operations Workarounds

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Objective: Ensure the organization can recover operations as fast as necessary

Timeline Mitigation & Preparation Imminent Event Response Recovery Restoration Variety of potential resource impacts Human Resources Data Facilities Supplies Equipment

Mitigation & Preparation Imminent Event Response Recovery Restoration Activate Recovery teams and plans Activate Infrastructure Restoration plans Temporary work locations Backup equipment Alternate supply channels

Mitigation & Preparation Imminent Event Response Recovery Restoration Occurs only in extreme cases Rebuilds organization back to normal

Mitigation & Preparation Imminent Event Response Recovery Restoration Deactivating tasks in recovery plans Confirming or redefining the organization s vision, mission, and role Restoring or creating new facilities Deciding which products and services will be provided in the future Creating awareness and understanding: What the new normal operating environment will be When it will happen

Business Continuity Plan Emergency Response Initial control of emergency situation Blue light services safeguarding human life Stabilising, security, damage assessment Crisis Management Strategic direction/policy issues Crisis communications internal and external (media) Co-ordination of service recovery efforts Business Recovery Phased recovery of business-critical processes Disaster Recovery Recovery of infrastructure and services Returning to business as normal

Risk Response Choices - 4 T Model 1. Tolerate: Accept the existing risk and impacts and do nothing 2. Transfer: Insurance, outsourcing (not all risks are transferable) 3. Terminate: Change, suspend, or terminate 4. Treat: Business Continuity improve an organization s resilience to the event (prevention, mitigation, preparedness, monitoring, response and recovery programs)

Training Suggested Course Content: Write a business continuity policy Conduct a Business Impact Analysis (BIA) Determine work arounds for critical processes and identify supporting resources Design a crisis management structure and define responsibilities Link emergency response to crisis management /business continuity Document plans and supporting documents Develop an implementation program Define maintenance and testing requirements Design crisis management /business continuity exercises and tests

Training Levels Audience Description All Employees Basic awareness training which gives the staff an insight into basic Business Continuity and informs them about their Business Recovery Plans and what will happen to them during an incident Managers Management training to inform managers about the overall incident response and management, the purpose of their Business Recovery Plans, what they will be expected to do during an incident and how they will implement their plans Business Continuity & Incident Personnel Specialized training to train all staff involved in incident response, management and recovery. This will probably involve a number of different training courses.

Conclusion Conduct a Business Impact Analysis Identify which processes are truly critical and cost of BC Prioritize investments in people and technology Plan and Implement Test, test, test!!! Review the business continuity plan when the business process changes

The pessimist sees difficulty in every opportunity. The optimist sees opportunity in every difficulty - Winston Churchill

Questions