Using the BCI Good Practice Guidelines to Solve Business Continuity Problems


Upload: the-business-continuity-institute

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Using the BCI Good Practice Guidelines to solve business continuity problems

Using the GPGs to Solve Business Continuity Problems

Presented by: Brian Zawada (FBCI), US Chapter Board President

www.thebci.org

Page 2: Using the BCI Good Practice Guidelines to solve business continuity problems

What is the BCI?


• Founded in 1994, a Member-Owned, Not-for-Profit Professional Association of Business Continuity Professionals

• A global membership and certifying organization for business continuity professionals

• Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors

• We stand for excellence in the business continuity profession

• Our certified grades provide unequivocal assurance of technical and professional competency

Page 3: Using the BCI Good Practice Guidelines to solve business continuity problems

What is the BCI?


Page 4: Using the BCI Good Practice Guidelines to solve business continuity problems

What is the BCI?

What are the BCI’s Objectives?

• Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities.

• Provide members with access to peer-based networking opportunities, enabling them to share experiences and knowledge.

It is the BCI’s goal to be ESSENTIAL to a member’s success in the business continuity and resilience profession.

Page 5: Using the BCI Good Practice Guidelines to solve business continuity problems

Who can be a member of the BCI?

• Professionals seeking international recognition of their professional and technical competency in the BC discipline

• Individuals currently working in BC-related functions who are seeking to improve their knowledge and understanding of the BC discipline

• Individuals who are looking to benefit from being part of a global network of like-minded professionals to share good practice in BC and related disciplines

• Newcomers to the discipline who are considering a career in BC or a related profession

Page 6: Using the BCI Good Practice Guidelines to solve business continuity problems

A Global Membership

BCI Chapters:

• USA

• Australasia

• Canada

• Swiss

• SADC

• Nordic

• Asia

• Belgium / Netherlands

• Japan

Page 7: Using the BCI Good Practice Guidelines to solve business continuity problems

What is the BCI USA Chapter?

• Founded in 2008, the USA arm of the BCI

• ~1000 members and growing rapidly

• Our strategic goal is to make BCI membership ESSENTIAL to business continuity professionals in the United States

USA Chapter Board Members:

• Rich Bogle

• Ted Brown

• John Jackson

• Alice Kaltenmark

• Paul Kirvan

• Frank Lady

• Brian Mackay

• Heather Merchan

• Margaret Millett

• Sean Murphy

• Eric Staffin

• Belinda Wilson

• Brian Zawada

Page 8: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI?

1. Internationally Respected Certification

2. Professional Growth

3. Networking

4. Content

5. “Much More”

Page 9: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI #1 - Certification

• A global certification brand aligned to industry best practices

• Benefits to you and your organization:

  o Credibility (recognition of competency)

  o Opportunity

  o Compensation

  o Approach aligned to best practice

Page 10: Using the BCI Good Practice Guidelines to solve business continuity problems


BCI Membership - Experience

Page 11: Using the BCI Good Practice Guidelines to solve business continuity problems

Approach to Membership

1. Review the GPG

2. Take the Exam

3. Complete the Application

• Membership Level Based on Experience

• Summarize Your Experience

• References

Or…

Page 12: Using the BCI Good Practice Guidelines to solve business continuity problems


The Alternate Route to Membership

The Alternative Route to Membership was set up for holders of third-party business continuity certifications. It provides a route to BCI Membership that does not require applicants to sit for the Certificate of the BCI (CBCI) examination and instead recognizes third-party certifications as equivalent qualifications.

Page 13: Using the BCI Good Practice Guidelines to solve business continuity problems


The Alternate Route to Membership

The following qualifications and credentials have been identified as at least equivalent to the CBCI:

• ABCP

• CBCP

• MBCP

• ICOR CORS Exam

Page 14: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI #2 – Professional Growth

• Training and Education

  o Instructor-Led Training

  o Custom Training

  o E-Learning

  o CBCI Exam Online

• Mentoring Program

Page 15: Using the BCI Good Practice Guidelines to solve business continuity problems

Training and Education

• Based on global good practice

• Delivered by a global network of BCI licensed training partners

• Instructors with years of practical experience to share

• Certification CBCI

• Introductory and Awareness training

• Specialist skills classes (Crisis and Incident Management, Writing Plans, Exercising etc.)

• Master classes (BIA, Developing the Plan, etc.)

Page 16: Using the BCI Good Practice Guidelines to solve business continuity problems

Training and Education

Course Catalog (sample)

• The Good Practice Guidelines Training Course (3 or 5-Day)

• The BCI BCM Audit Course

• The BCI BIA Training Course (2-day)

• The BCI Supply Chain Continuity Management Course

• The BCI Crisis & Incident Management Course

• The BCI Writing Business Continuity Plans Course

• The BCI Diploma

Page 17: Using the BCI Good Practice Guidelines to solve business continuity problems

Mentoring

• Mentors actively work in Business Continuity or related Professions

• All Mentors are qualified and experienced Business Continuity professionals and hold either an FBCI, AFBCI or MBCI

• Mentors and Mentees are carefully matched by the BCI based on learning and development needs

• Share knowledge and expertise

• Contribute to the growth of Business Continuity as a recognized discipline in industry

• Support the and personal development of new and ‘young’ professionals

Page 18: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI #3 - Networking

Largest Global Network of BCM Professionals

• Organized as...

• Chapters: Asia, Australia, Belgium / Netherlands, Canada, Japan, Nordic, South Africa, Switzerland and United States

• Forums: UK and Europe, Africa, Canada, Asia, Middle East, South America

• Global Conference

• USA Conferences and Association Participation

• BCAW

• BCM Executive Forum

• Consultant Directory

Page 19: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI #4 - Content

• The BCI Good Practice Guidelines

• Continuity Magazine

• The BCI eNewsletter

• BCI Benchmark

• Special Reports (topical and lessons learned)

• C-Suite Toolkit

• Surveys, benchmarking and white papers

• Other free webinars

Page 20: Using the BCI Good Practice Guidelines to solve business continuity problems

The BCI Good Practice Guidelines

A Guide to Global Good Practice in Business Continuity

• The most comprehensive and independent view of current thinking in Business Continuity

• Provides not just the ‘what to do’, but answers the ‘why’, ‘how’ and ‘when’ of good BC practice

• Written by BC professionals for BC professionals

• Used in training and examining individuals and organizations (our body of knowledge)

• Aligned to ISO 22301

• Reference material for academic institutions

Page 21: Using the BCI Good Practice Guidelines to solve business continuity problems

What is the BCI?

How can I get a copy of the BCI’s Good Practice Guidelines (2013)?

BCI members can download a free PDF version from the Members’ Area.

Non-members can purchase a PDF version from the BCI website, www.thebci.org.

Page 22: Using the BCI Good Practice Guidelines to solve business continuity problems

Why the BCI #5 – “Much More”

• Discounts

• Job listings and postings

• Advocacy (government and academia)

• Continuing Professional Development (CPD) System

Page 23: Using the BCI Good Practice Guidelines to solve business continuity problems


The Six Professional Practices


Page 24: Using the BCI Good Practice Guidelines to solve business continuity problems

The BCI’s Definition of Business Continuity

The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Source: ISO 22301:2012

Page 25: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Alignment to ISO 22301?

• Responsibilities of Top Management

• Setting strategic objectives

• Resources for business continuity

• The importance of the BIA and a stronger link to the organization’s approach to risks and threats

• Resource requirements, skills and competence of people involved

• Training, awareness and communications

• Document management

• Exercising and testing

• Monitoring performance and measuring value of business continuity

Page 26: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Alignment to ISO 22301?

ISO 22301 | BCI GPG’s (2013)
4.1 Understanding of the organization and its context | PP1 – Policy & Program Management
4.2 Understand the needs and expectations of interested parties | PP1 – Policy & Program Management
4.3 Determining the scope of the business continuity management system | PP1 – Policy & Program Management
5.1 Leadership and commitment | PP1 – Policy & Program Management
5.2 Management commitment | PP1 – Policy & Program Management
5.3 Policy | PP1 – Policy & Program Management
5.4 Organizational roles, responsibilities and authorities | PP1 – Policy & Program Management

Page 27: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Alignment to ISO 22301?

ISO 22301 | BCI GPG’s (2013)
6.1 Actions to address risks and opportunities | PP1 – Policy & Program Management
6.2 Business continuity objectives and plans to achieve them | PP1 – Policy & Program Management
7.1 Resources | PP1 – Policy & Program Management
7.2 Competence | PP2 – Embedding Business Continuity
7.3 Awareness | PP2 – Embedding Business Continuity
7.4 Communication | PP2 – Embedding Business Continuity

Page 28: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Alignment to ISO 22301?

ISO 22301 | BCI GPG’s (2013)
8.1 Operational planning and control | PP1 – Policy & Program Management
8.2 Business impact analysis and risk assessment | PP3 – Analysis
8.3 Business continuity strategy | PP4 – Design
8.4 Establish and implement business continuity procedures | PP5 – Implementation
8.5 Exercising and testing | PP6 – Validation

Page 29: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Alignment to ISO 22301?

ISO 22301 | BCI GPG’s (2013)
9.1 Monitoring, measurement, analysis and evaluation | PP6 – Validation
9.2 Internal audit | PP6 – Validation
9.3 Management review | PP2 – Embedding Business Continuity; PP6 – Validation
10. Nonconformity and corrective action | PP6 – Validation
10.2 Continual Improvement | PP6 – Validation

Page 30: Using the BCI Good Practice Guidelines to solve business continuity problems

PP1 – Policy and Program Management

Defines an organization’s policy relating to BC, how it will be implemented, controlled and validated through a BCM program

• Setting BC Policy and determining the scope of the BCM program

• Defining governance and assigning roles and responsibilities

• Implementing a BCM program, managing documentation using program and project management techniques

• Managing outsourced activities and supply chain continuity

BCI Good Practice Guidelines 2013

Page 31: Using the BCI Good Practice Guidelines to solve business continuity problems

Policy and Program Management

The BCM program operates at three levels:

• Strategic: Decisions are made and policy is determined

• Tactical: Operations are coordinated and managed

• Operational: Activities are undertaken

BCI Good Practice Guidelines Training Course Module One Version 1.0

Page 32: Using the BCI Good Practice Guidelines to solve business continuity problems

PP2 – Embedding Business Continuity

The Management Professional Practice that continually seeks to integrate BC into day-to-day business activities and organizational culture

• Organizational Culture

• Skills and Competence

• Managing a Training Program

• Managing an Awareness Campaign

Page 33: Using the BCI Good Practice Guidelines to solve business continuity problems

PP3 – Analysis

Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates.

• Business Impact Analysis (BIA)

• Threat Analysis (includes risk assessment)

Page 34: Using the BCI Good Practice Guidelines to solve business continuity problems

PP4 – Design

Identifies and selects appropriate strategies and tactics

• Continuity and Recovery Strategies and Tactics

• Threat (Risk) Mitigation Measures

• Incident Response Structure

Page 35: Using the BCI Good Practice Guidelines to solve business continuity problems

PP5 – Implementation

Executes the agreed-upon strategies and tactics through the process of developing plan documentation

• Business continuity plans

• Developing and managing plans at a strategic, tactical and operational level

Page 36: Using the BCI Good Practice Guidelines to solve business continuity problems

PP6 – Validation

Confirms the BCM program meets objectives set in the BC Policy and that plans are fit for purpose

• Developing an exercise program

• Developing and running exercises

• Maintenance of the BCM program

• Review of the BCM program

Page 37: Using the BCI Good Practice Guidelines to solve business continuity problems

How the GPG’s Help Solve Problems!

Page 38: Using the BCI Good Practice Guidelines to solve business continuity problems

My Top 6 Problems (Case Study)

GPG | Problem | Description
PP1 – Policy and Program Management | Management Engagement | “My steering committee isn’t coming to meetings anymore or they’ve delegated their role.”
PP2 – Embedding Business Continuity | Participation | “The VP from Department X assigned his administrative assistant as his group’s planner.”
PP3 – Analysis | Focus | “We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”
PP4 – Design | Proactive vs Reactive (and scope) | “We seemed to be laser focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?”
PP5 – Implementation | Templates vs Plans | “No one seems to use the plans we’ve documented. And why would they all read the same, almost as if they’re templates!”
PP6 – Validation | Measurement | “We have 1000 plans, all updated in the last 12 months… but we’re not sure if we’re actually ready for a disaster.”

Page 39: Using the BCI Good Practice Guidelines to solve business continuity problems

PP1 – Policy and Program Management

“My steering committee isn’t coming to meetings anymore or they’ve delegated their role.”

• Root Cause: The program is focused on planning activities rather than what it’s protecting and the performance of response/recovery strategies.

• Solution: Speak their language in terms of scope (product/services) and program objectives.

Page 40: Using the BCI Good Practice Guidelines to solve business continuity problems

PP2 – Embedding Business Continuity

“The VP from Department X assigned his administrative assistant as his group’s planner.”

• Root Cause: Role-specific competencies aren’t defined.

• Solution: For each role, define the skills and experiences necessary to be successful, and then measure the assignment process; drive competency improvement.

Page 41: Using the BCI Good Practice Guidelines to solve business continuity problems

PP3 – Analysis

“We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”

• Root Cause: Management has not defined priorities in terms of products and services, and because of that, the program focuses on every box on the organizational chart.

• Solution: Perform strategic, tactical and operational level business impact analyses in order to bring focus to the program.

Page 42: Using the BCI Good Practice Guidelines to solve business continuity problems

PP4 - Design

“We seemed to be laser-focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?”

• Root Cause: The organization isn’t focused on controls to mitigate risk; rather, it’s all about focusing on reacting to risk, with too much of a focus on one specific resource – IT.

• Solution: Use the risk assessment to identify and implement control enhancement; and identify strategies to address a loss of all resources – facilities, people, equipment, IT and suppliers/service providers.

Page 43: Using the BCI Good Practice Guidelines to solve business continuity problems

PP5 - Validation

“No one seems to use the plans we’ve documented. And why do they all read the same, almost as if they’re templates?”

• Root Cause: Procedures fail to support the response and recovery decision-making process.

• Solution: Ensure procedures answer the key questions – what, who, where, when and how.

Page 44: Using the BCI Good Practice Guidelines to solve business continuity problems

PP6 - Validation

“We have 1000 plans, all updated in the last 12 months… but we’re not sure if we’re actually ready for a disaster”

• Root Cause: The business continuity program is measuring success based on the execution of activities rather than the performance of strategies.

• Solution: Determine if you can recover products and services consistent with management expectations – and report on that!

Page 45: Using the BCI Good Practice Guidelines to solve business continuity problems

GPG Related Conclusions

• ISO 22301 and the GPG’s help improve performance

– ISO 22301 is written for the organization; the GPG’s are written for the business continuity professional tasked with implementing best practice

• Both documents leverage the equivalent of centuries of experience to focus on the best practices necessary to ensure organizations proactively mitigate continuity-related risk and respond/recover appropriately

Page 46: Using the BCI Good Practice Guidelines to solve business continuity problems

Summary: Why the BCI?

• New training programs (in-person and webinar-based)

• Complementary webinars and print content to introduce emerging practices and member experiences

• Research and other publications to add value to your career and employer

• A renewed mentoring program that matches BCI members based on geography, industry, expertise and need

• A new membership level aimed at the experienced practitioner, the AFBCI

• Continued, strong partnerships with DRJ

These and other US-focused services are in addition to the excellent benefits of the BCI overall

Page 47: Using the BCI Good Practice Guidelines to solve business continuity problems

To find out more about BCI Certification, Membership, Training & Education, or Partnership, visit us at Booths 517/519 or go to www.thebci.org.

The BCI is offering DRJ Spring attendees with less than two years of experience a complimentary one-year affiliate membership and enrolment as a BCI Mentee. Stop by the Booth to enroll!


Page 48: Using the BCI Good Practice Guidelines to solve business continuity problems

Join us or connect with us today

www.thebci.org

http://www.thebci.org/index.php/home/us-chapter-home

Twitter: @BCI_US_Chapter

LinkedIn: BCI USA – The Business Continuity Institute US Chapter