Post on 18-Mar-2016
Delivering a Safer Society
Business Continuity Management - Not just for “Business”
Michael Gallagher
Business Continuity Management - Not just for “Business”
• What is BCM?
• What are the Drivers?
• What is the Status?
• Features of good BCM
• Relationship with Emergency Services
• Developments in the UK
• Implications for Local Authorities
• Not just a Plan
Two out of five enterprises that experience a disaster will go out of business within five years. Enterprises can improve these odds – but only if they take the necessary measures before and after the disaster.
Aftermath: Disaster Recovery, Gartner, September 2001
28% of UK businesses do not have a formal recovery plan.
37% of the businesses that do have a disaster recovery plan have never tested it.
Commercial Claims Survey, Deloitte & Touche, 2001
Disaster tonight
How confident?
Are you comfortable?
Usual excuses
It will never happen to us!
I’m sure we could cope
You can’t plan for the unforeseen
If we don’t have a disaster we’ve wasted money
Isn’t this why we have insurance?
We are used to things going wrong
Business Continuity Management
The act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner
Business Continuity Institute
Not just about producing plan(s)
• Risk Management - identification, evaluation & reduction
• Creating awareness / culture
• Communication
• Exercising / testing and keeping plans up to date
Computers - A major risk?
28% of UK Local Authorities did not have ICT security policies
Socitm’s IT Trends in Local Government 2002/3
Types of Risk
Strategic
Operational
• External
• Internal
• Distribution
• Customers
BCM is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
BCI Good Practice Guidelines - Nov 2002
The BCM Life Cycle
BCI
BCI 10 Certification Standards:
• Project Initiation & Management
• Risk Evaluation & Control
• Business Impact Analysis
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Developing & Implementing BCPs
• Awareness & Training Programmes
• Maintaining & Exercising BCPs
• Public Relations & Crisis Co-ordination
• Co-ordination with Public Authorities
Co-ordination with Public Authorities
To establish applicable procedures and policies for co-ordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes and regulations.
Role -
• Co-ordinate emergency preparations, response, recovery, resumption, and restoration procedures with public authorities
• Establish liaison procedures for emergency / disaster scenarios
• Maintain current knowledge of laws and regulations concerning emergency procedures
Phases in BCM
• Project Initiation
• Risk Identification
• Business Impact Analysis
• Develop Business Continuity Strategies
• Plan Development
• Plan Maintenance
• Plan Testing
Make it relevant -
BCM is about ensuring that if your organisation experiences a disaster or other serious incident you have already considered that possibility. You will have taken steps to reduce the risk of this happening and to minimise the impact if it does happen. You will have a plan in place with which all key managers are familiar, which has been tested, and which will enable your organisation to continue to function as close to normal as possible with the least disruption possible.
Relevant to every type and size of organisation
“What If” instead of “If Only”
Evolution of BCM
1970s - IT-DRP
• Responsibility of the DP Manager
• More tolerant of downtime
• Banks had their own arrangements
1980s - Commercial Recovery Sites
• Portable computer rooms
• Emphasis on response and recovery
1990s - Less tolerant of downtime
• Technology changes
• Increasing dependence on communications
• Becomes BCP - includes the business processes
• Emphasis on prevention
• Y2K
Evolution of BCM
2000s - Becomes BCM
• Responsibility of the business
• Holistic - all disciplines working together
• Closely aligned with Risk Management
Danger of separate departments thinking that some threats and responsibilities are handled by someone else
9/11 etc.
Why is BCM Essential?
• Regulatory requirements
• Turnbull - Corporate Governance
• Data Protection
• Confidence of suppliers and customers
• Reputation
• Business environment
• Insurance is not enough
Turnbull: “The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”
“The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management”
Management - accountable to the Board for monitoring and reporting on internal controls
Employees - accountable for applying the controls; should have the necessary knowledge and expertise to do so
“The Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business based on an assessment and control of their significant risks. For many companies business continuity management will address some of these key risks and help them to achieve compliance.”
Nigel Turnbull, Chairman, ICAEW Committee on the Guidance for Directors on Internal Controls
Corporate Governance
System by which businesses and organisations direct and control their functions and relate to their communities.
Underpins
• Trust
• Credibility
• Confidence
Why? High-profile corporate financial scandals
Boardroom ethics / responsibilities
• Kings Cross Fire
• Herald of Free Enterprise
Turnbull
In determining policies, the board should consider the following factors -
• Nature and extent of risk facing the organisation
• Those risks considered as “acceptable”
• The likelihood of risks materialising
• Ability to reduce incidence and/or impact of risk
• The cost benefits of risk control systems
System for internal control should -
• Include reporting of significant failings or weaknesses
• Apply not just to listed companies
Higgs Report - January 2003 - Review of the role and effectiveness of non-executive directors
Cromme Code - Germany
Bouton Report - France
Smith Report - July 2003 - Company Audit Committees
Sarbanes-Oxley Act 2002 - USA
Privacy
• Data Protection Acts 1988 and 2003
• Responsibilities
• Linked to IT policies & procedures
Reputation - confidence of suppliers and customers
“Trust and reputation can vanish overnight”
Alan Greenspan, Chairman, US Federal Reserve
• Perrier - benzene
• Ratners
• Ford / Firestone - Explorer SUV - 100+ deaths - $Bns
• AIB - Rusnak
• Heineken - glass shards
• Johnson & Johnson - Tylenol, cyanide, 7 deaths
Speed, Openness, Commitment - Commercial Union
“Reputational risk is the single biggest risk for financial institutions”
PwC / EIU Survey - July 2003
Business environment
• On-line
• 24 x 7 x 365
• JIT
• Supply chain pressure
• Systems integration - ERP
• Fewer points of failure - greater impact
• Fewer workarounds
• Knowledge
Insurance
Risk management and business continuity management are now embedded in the insurance purchase process. Insurers are now demanding good BCM practices.
Only a part
• Provides finance
• Will not keep customers supplied
• Will not protect reputation / image
• Cover for loss of profits?
Essential to Success
• Commitment from the top
• Sponsor
• Formal establishment
• Strategy / approach
• Awareness / culture
• Business Continuity Manager
• Ownership with the “business”
• Regular reporting
What is the Status of BCM in your Organisation?
Significance of Score:
• Over 80 - Likely that an effective BCM programme is in place
• 65 - 80 - If regulatory BCM requirements apply, unlikely that they are being met
• 50 - 65 - Room for improvement; non-compliance with good governance requirements?
• Less than 50 - Work to be done
Features of Good BCM.
Simple
Quality not Quantity
Relevant and current
Not necessarily expensive
Simple
Commonsense process
• Realistic evaluation & management of risks
• Understanding what the business consequences are if key facilities, processes or people are lost
• Appropriate strategy to limit damage and recover as well as possible
Risk Matrix (Probability against Impact)
                      Impact: LOW     Impact: HIGH
Probability: HIGH     Control         Prevent
Probability: LOW      Accept          Plan
[Chart: Risk Severity / Probability. Severity axis: Catastrophic, Serious, Minor, Insignificant. Probability axis: Certain / Very Likely, Quite Probable, Improbable, Very Unlikely. Example risks plotted: Theft; Employee accident; HR system down for 1 day; SAP down for 2 days; Major fire; Factory hit by aircraft; Product recall.]
[Chart: Costs against Investment - incident costs, prevention costs and total costs.]
Quality not Quantity
No silver bullet
Process as important as plan
Documentation must be “right”
Fit with “culture”
Flexible crisis plans
Quality crisis management team - reacts quickly & effectively
Software not the easy answer
Successful BCM not related to size of plan
Avoid unnecessary detail
Unusable
Ignored in crisis
Updating difficult
Instructions to a minimum
Action points
Issue on need-to-know basis
Relevant sections
Relevant and current
An irrelevant or out-of-date plan is worse than no plan
Not token plan
Ownership - responsibility
Use of software?
Not necessarily expensive
Time
Consider at planning stage
SMEs at risk
BCM Working Group
• Insurance
• Physical security
• IT
• Communications - voice & data
• PR
• HR / Health & Safety
• Building Services / infrastructure / property / office services
• Transport / Distribution
• Finance
• Procurement
• Legal
• Internal Audit
• Customer Service
• Sales & Marketing
• Production
Essential elements
• Plan invocation
• Crisis management team
• Contact details
• Business processes to be recovered - priorities, how, where, timescales
• Recovery steps
• Communications - media, staff, business partners
Emergency Services
BC plans prepared in isolation
• Who to contact?
• Whose role is it to liaise?
• How?
Experts - understand roles, work closely
Fire Services
Manchester in March
UK Civil Contingencies Bill
Supports UK Government’s Integrated Emergency Management approach - “an all-embracing approach to handling disasters”
Local responders will deliver civil protection based on - risk management, emergency planning, business continuity, and warning and informing the public.
For BC professionals - may act as a catalyst for greater co-operation and collaboration with those involved in planning for, and responding to, emergencies.
UK Civil Contingencies Bill
Duty to assess, plan and advise
Requires the development of BCPs which each Category 1 responder will rely on to ensure the continuity of its ability to discharge its functions in the face of an emergency.
Category 1 responders are required to arrange to make certain information, risk assessments and plans available to the public.
LAs have a duty to promote business continuity management -
“shall provide advice and assistance to the public in connection with the making of arrangements for the continuance of commercial activities by the public in the event of an emergency”.
Governance and Local Authorities
UK - Framework and Guidance
• Local Code of Corporate Governance by end March 2002
• Risk Management one of 5 core elements of Corporate Governance
• Annual report in Financial Statements from 2002/2003
• In BVPP (Best Value Performance Plan) for 2003/2004
The hard part of BCM is not creating the plan - it is keeping it up to date
• Reorganisations and reshaping
• Transformation and rationalisation
• Mergers and acquisitions
• Rate of technological change
• Increased sophistication of ICT
• JIT
• Outsourcing
• Working practices
• Staff turnover, redundancies
• Hot-desking / virtual office
Be clear on ownership - part of the annual appraisal process
Common Weaknesses
• Inadequate management support
• Insufficient financial support
• Narrow view
• Responsibilities unclear
• Inappropriate ownership
• Not everyone involved
• Plan stops at the site gate
• Poor risk analysis / BIA
• Inadequate training / awareness
• Inadequate testing
• Balance of overview / detail not right
• Not up to date
• Not accessible or relevant when required
Sources of information
Business Continuity Institute www.thebci.org.uk
Emergency Planning Society www.emergplansoc.org.uk
Survive www.survive.com
Continuity Central www.continuitycentral.com
PAS56 www.bsi-global.com
Federal Emergency Management Agency (FEMA) www.fema.gov
Sources of information
London Emergency Services Liaison Panel www.leslp.gov.uk
UK Government Emergency Response Site www.ukresilience.info
Business Continuity Management - How to Protect your Company from Danger, Financial Times / Prentice Hall www.briefingzone.com
Michael Gallagher gallagml@iol.ie