BS 25999 Certification Essentials. Andrew Pettitt, Business Continuity Senior Consultant, SunGard Availability Services Professional Services
Essentials: Getting the fundamentals right; Strategies - covering all the bases; Implementation birth pains?; Learning to walk then run; Weaving continuity into the fabric of your organisation
BCM Lifecycle (BS25999): understanding the organisation; exercising, maintenance and review; BCM programme management; determining BCM strategies; developing and implementing a BCM response
Getting the fundamentals right? What to plan for? Business-type functions? Statutory obligations? Emergency-type activities? Silo approach evident in many organisations: Approach to BC disjointed; Left hand doesn't know what right hand is doing; Wasteful; Time-consuming
Jumping the gun: Pharmaceutical Company. IT Recovery Contracts in place; Workplace Recovery in place; BUT: No BIA completed; No strategy development
Jumping the gun: BIA showed: Inappropriate RTOs and RPOs for IT; Existing recovery plans beyond capabilities of staff; Fundamental misunderstandings of business processes at senior level; Unnecessary expenditure. Paying for a Ferrari solution; Needed a motorbike-sidecar and a Transit van instead
Jumping the gun: Understanding the organisation is fundamental to success of BC management. Shortcuts to implementation result in bad planning that won't work and expensive mistakes. BS25999: Restates what we know anyway and yet is often ignored. Top management should sign this off. External review can pick up mistakes BUT
Strategies - covering all the bases: People (Continuity of core skills & knowledge); Premises (Where do you go?); Technology (Appropriate RTOs and RPOs); Information (Confidentiality, integrity, availability & currency); Stakeholders; Supplies. Top management signs these off!
Suppliers: Supplier dependencies. Ignore them? Accept vague assurances? Eliminate by bringing everything in-house? Carry out audit of their BCM? Mostly ignore or accept it'll be alright on the night. Get them to use BS25999!
Implementation: The Disaster Timeline. Time Zero: Disaster Event! Overall recovery objective: Back to normal as quickly as possible.
Emergency Response, within minutes to hours: Staff & visitors accounted for; Casualties dealt with; Damage containment / limitation; Damage assessment; Invocation of BCP
Business Continuity, within hours to days: Contact staff, customers, suppliers, etc.; Recovery of critical business processes; Rebuild lost work-in-progress
Recovery - back to normal, within weeks to months: Damage repair / replacement; Relocation to permanent place of work; Recovery of costs from insurers
SunGard Availability Services (UK) Ltd
Implementation: Incident Management Plans: Must be flexible, easy to use and understandable. Continuity Plans: Often over-complex; Never mind the quality, feel the width. Implementing your response: Not just about plans; People, technology, communications etc.
Walking then running: Exercise; Test; Rehearse; Practice. Keep on doing it!!!
The BCM fitness cycle (diagram labels): Develop Continuity Implement Update Live Test Update Train Update Exercise Audit BCP
If you don't... BCM atrophies; It becomes mummified; It's inaccurate, invalid, irrelevant. BS25999: Audit and self assessment; Suggested programme for exercising BCM strategies. Dodgy Continuity presents: "I used to be a Business Continuity Manager", coming to a business near you
Weaving continuity into the fabric: Tell people about it!!! Awareness training; Skills training. Leadership! Involve people! Build roles; Give responsibilities; Devolve; Involve in testing
Going forward: BS25999 provides level playing field; Applicable to public, private and voluntary sectors; Size doesn't matter; Links with CCA 2004, Companies Act 2006 & FSA Guidelines; Being adopted in many EU countries and further afield as a de facto standard. Part 1 provides roadmap to improved BCM; Can be used to enhance current BCM; Incentive for senior management to take it more seriously; Helps get buy-in within an organisation; Window of opportunity prior to Part 2
Thank you