121112 Business Continuity by Renier Barnard

Post on 24-Apr-2017


1

© Workplace Law

Approved training centre

Business Continuity: Business as Usual? – Renier Barnard

2

International Standards Organisation

ISO 31000 Risk Management – Principles and Guidelines

ISO 22301 Societal security — Business continuity management systems — Requirements

ISO 22313 Societal security — Business continuity management systems — Guidance

ISO 22398 Societal security — Guidelines for exercises and testing

British Standard

BS 25999-2:2007, Business continuity management — Specification

3

Everybody is a winner

4

Survey Says: Principal Drivers (Base = 1021)

Sector (%) – Principal drivers:

Local Government (92%) – Corporate governance; Regulation/legislation; Central Government

Central Government (85%) – Central Government; Corporate governance; Public sector procurement

Finance and Insurance (85%) – Corporate governance; Regulation/legislation; Auditors

Utilities (81%) – Regulation/legislation; Corporate governance; Customers

Health and Social Care (74%) – Corporate governance; Regulation/legislation; Public sector procurement

Transport and Logistics (69%) – Corporate governance; Regulation/legislation; Customers

Manufacturing and Production (58%) – Customers; Insurers; Corporate governance

Education (52%) – Corporate governance; Customers; Regulation/legislation

Business Services (40%) – Customers; Corporate governance; Regulation/legislation and Investors/shareholders

Construction (31%) – Customers; Corporate governance; Insurers

5

August 2011 – London Riots

6

Does it matter?

Denial of service attacks

10/12: The DDoS attacks have been launched in the last week using the so-called itsoknoproblembro DDoS toolkit.

10/12: A novel coronavirus was identified in lower respiratory tract specimens of a Qatari national who was receiving treatment for a severe respiratory illness in London.

12/10: Britain facing fuel shortage as snow continues to cause chaos.

'UK to be hit by 70s-style blackouts within 3 years' and EU rules may also force up bills; spare energy capacity could drop to just four per cent by winter 2015.

05/12: Northern Rock rescue 'could cost taxpayer £2bn'

7

World Economic Forum RIM

Chronic Fiscal Imbalances

Major systemic financial failure

Water supply crises

Extreme volatility in energy and agriculture prices

8

Assess the Risk

Risk: Effect of uncertainty on objectives.

Threats: May be described as events or actions which could, at some point, cause an impact.

Business Continuity (GPG): Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable predefined level.

9

Deepwater Horizon Oil Spill

Business Continuity or

Risk Management

10

The survey says: the threats evaluated through risk assessment, based on those registering extremely concerned and concerned, are as follows:

• Unplanned IT and telecom outages – 74%

• Data breach (i.e. loss or theft of confidential information) – 68%

  – HoMER (CPNI) (Counter Productive Behaviour)

• Cyber attack (e.g. malware, denial of service) – 65%

• Adverse weather (e.g. windstorm/tornado, flooding, snow, drought) – 59%

• Interruption to utility supply (i.e. water, gas, electricity, waste disposal) – 56%

  – Ofgem: UK faces power shortages risk by 2015 – blackout probability 1 in 12 years

BCI Survey: Horizon Scan January 2012 (Base = 458)

11

Top Responses by Country

12

Risk Assessment

Business Impact

What are we trying to achieve;

Who should be involved;

What creates uncertainty and how significant is it;

What can we do to ensure success

13

Key Risk Areas – Business Impact

• People

• Information and Data

• Buildings, work environment and associated utilities

• Facilities, equipment and consumables

• ICT Systems

• Transportation

• Finance

• Partners and Suppliers

14

Something achieved that continues to exist…

15

G4S Olympic Security – Scheduling Failure?

16

Manchester Airport

17

Aims

Business Continuity or BC aims to safeguard the interests of an organisation and its key stakeholders by protecting its critical business functions (CBFs) against predetermined disruptions.

ISO 22301:2012

18

BCM Checklist

Scope and Objective

Gain an understanding of your business

Assess the Risk

Evaluate potential continuity arrangements

Define your strategy

Develop your continuity plans

19

ISO Compatibility PDCA

Risk Management ISO 31000 | BCM BS 25999 -> ISO 22301

Risk Management Framework | Policy and Program Management

Establishing the Context | Understanding the Organization

Risk Assessment (ISO 31010 Guidance on risk assessment techniques) | BIA is one of the tools; BIA + Risk Assessment focused on the most urgent activities

Risk Treatment | BCM Strategies; Develop and Implement BCM Responses

Communication and Consultation | Embedding BCM in the Culture

Monitor and Review | Exercising, Maintaining and Reviewing

20

Transition BS 25999 to ISO 22301

25999-2 United Kingdom Only but recognised worldwide - BSI

22301 Accepted worldwide – ISO

May 2012 – May 2014 “Upgrade Period”

November 2012 – Accreditation 25999

21

Similarities and differences:

No changes or minor changes – in 10 areas

Moderate changes – in 8 areas

Major changes – in 5 areas

22

Major Changes – “Common Theme”

• Understanding the organisation

• Understanding the needs and expectations of interested parties

• Management commitment

• Communication & warning system

• Monitoring, measurement, analysis and evaluation

23

Area | Clause in 22301 | Clause in BS 25999 | Change

Understanding the organisation | 4.1 | - | Significant

Understanding the needs and expectations of interested parties | 4.2 | - | Significant

Determining the Scope | 4.3 | 3.2.1 | Moderate

Management Commitment | 5.2 | - | Significant

Business Continuity Policy | 5.3 | 3.2.2 | Moderate

Business Continuity Objectives | 6.2 | 3.2.1.1 | Moderate

Competences | 7.2 | 3.2.4 | Minor or No Change

Awareness | 7.3 | 3.2.4 | Minor or No Change

Communication and Warning System | 7.4, 8.4.2, 8.4.3 | 4.3.3.3 | Significant

Documented Information | 7.5 | 3.4 | Moderate

Business Impact Analysis | 8.2.1, 8.2.2 | 4.1.1 | Minor or No Change

Risk Assessment | 8.2.1, 8.2.3 | 4.1.2 | Moderate

Business Continuity Strategy | 8.3.1 | 4.2 | Minor or No Change

Resource Requirements | 8.3.2 | 4.3.2.2, 4.3.3.3 | Moderate

Risk Treatment | 8.3.3 | 4.1.3 | Minor or No Change

Incident response structure | 8.4.2 | 4.3.2 | Minor or No Change

BC Plans, Recovery Plans | 8.4.4, 8.4.5 | 4.3.3 | Minor or No Change

Exercise and Testing | 8.5 | 4.4.2 | Minor or No Change

Monitoring, Measurement, Analysis and Evaluation | 9.1 | 4.4.3 | Significant

Internal Audit | 9.2 | 5.1 | Minor or No Change

Management Review | 9.3 | 5.2 | Minor or No Change

Nonconformity and Corrective Action | 10.1 | 6.1.3 | Moderate

Preventative Action | 6.1, 9.1.1 | 6.1.2 | Moderate

24

6-step process: 25999 - 22301

1. Evaluate the organisation's external and internal context and list all interested parties

2. List all legal requirements

3. Align BC with the company's strategy

4. Define measurable objectives, how to measure them, and who will evaluate them

5. Define an action plan to achieve the objectives

6. Communication – who will communicate with whom, and how?

25

Organisation and its Context

26

27

Objectives

Objectives should:

• Be clearly stated;

• Be consistent with the policy (SMART);

• Take account of applicable needs and requirements;

• Enable opportunities to maintain or improve performance;

• Be monitored and updated as appropriate.

In order to ensure that these objectives will be achieved, the organization should determine:

• Who will be responsible;

• What will be done and when it will be completed; and

• How the results will be evaluated.

28

Strategy

• Protecting prioritised activities

• Stabilising, continuing, resuming and recovering prioritised activities and their dependencies and supporting resources

• Mitigating, responding to and managing impacts

29

Thank You

Questions
