Delivering a Safer Society
Business Continuity Management Not just for “Business”
Michael Gallagher
Business Continuity Management: Not just for “Business”
• What is BCM?
• What are the Drivers?
• What is the Status?
• Features of good BCM
• Relationship with Emergency Services
• Developments in the UK
• Implications for Local Authorities
• Not just a Plan
Two out of five enterprises that experience a disaster will go out of business within five years.
Enterprises can improve these odds – but only if they take the necessary measures before and after the disaster.
Aftermath: Disaster Recovery, Gartner, September 2001
28% of UK businesses do not have a formal recovery plan.
37% of the businesses that do have a disaster recovery plan have never tested it.
Commercial Claims Survey, Deloitte & Touche, 2001
Disaster tonight
How confident?
Are you comfortable?
Usual excuses
It will never happen to us!
I’m sure we could cope
You can’t plan for the unforeseen
If we don’t have a disaster we’ve wasted money
Isn’t this why we have insurance?
We are used to things going wrong
Business Continuity Management
The act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner.
Business Continuity Institute
Not just about producing plan(s)
Risk Management
identification, evaluation & reduction
creating awareness / culture
Communication
Exercising / testing and keeping plans up to date
Computers - A major risk?
28% of UK Local Authorities did not have ICT security policies
Socitm’s IT Trends in Local Government 2002/3
Types of Risk
Strategic
Operational
• External
• Internal
• Distribution
• Customers
BCM is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
BCI Good Practice Guidelines - Nov 2002
The BCM Life Cycle (BCI)
BCI 10 Certification Standards:
• Project Initiation & Management
• Risk Evaluation & Control
• Business Impact Analysis
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Developing & Implementing BCPs
• Awareness & Training Programmes
• Maintaining & Exercising BCPs
• Public Relations & Crisis Co-ordination
• Co-ordination with Public Authorities
Co-ordination with Public Authorities
To establish applicable procedures and policies for co-ordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes and regulations.
Role
• Co-ordinate emergency preparations, response, recovery, resumption, and restoration procedures with public authorities
• Establish liaison procedures for emergency / disaster scenarios
• Maintain current knowledge of laws and regulations concerning emergency procedures
Phases in BCM
Project Initiation
Risk Identification
Business Impact Analysis
Develop Business Continuity Strategies
Plan Development
Plan Testing
Plan Maintenance
Make it relevant -
BCM is about ensuring that if your organisation experiences a disaster or other serious incident you have already considered that possibility. You will have taken steps to reduce the risk of this happening and to minimise the impact if it does happen. You will have a plan in place with which all key managers are familiar, which has been tested, and which will enable your organisation to continue to function as close to normal as possible with the least disruption possible.
Relevant to every type and size of organisation
“What If” instead of “If Only”
Evolution of BCM
1970
IT-DRP
More tolerant of downtime
Banks had own arrangements
Responsibility of DP Manager
1980
Commercial Recovery Sites
Portable Computer Rooms
Emphasis on response and recovery
1990
Less tolerant of downtime
Technology changes
Increasing dependence on communications
Becomes BCP - include the business processes
Emphasis on prevention
Y2K
Evolution of BCM
2000
Becomes BCM
Responsibility of Business
Holistic
All disciplines working together
Closely aligned with Risk Management
Danger of separate departments thinking that some threats and responsibilities are handled by someone else
9/11 etc.
Why is BCM Essential?
Regulatory Requirements.
Turnbull - Corporate Governance
Data Protection.
Confidence of suppliers and customers.
Reputation.
Business environment.
Insurance is not enough.
Turnbull
“The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”
“The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management”
Management
Accountable to Board for monitoring and reporting on
internal controls
Employees
Accountable for applying the controls
Should have necessary knowledge and expertise to do so
“The Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business based on an assessment and control of their significant risks. For many companies business continuity management will address some of these key risks and help them to achieve compliance.”
Nigel Turnbull, Chairman, ICAEW Committee on the Guidance for Directors on Internal Controls
Corporate Governance
System by which businesses and organisations direct and control
their functions and relate to their communities.
Underpins
• Trust
• Credibility
• Confidence
Why?
High-profile corporate financial scandals
Boardroom ethics / responsibilities
• King’s Cross Fire
• Herald of Free Enterprise
Turnbull
In determining policies, the board should consider the following factors:
• Nature and extent of risk facing the organisation
• Those risks considered as “acceptable”
• The likelihood of risks materialising
• Ability to reduce incidence and/or impact of risk
• The cost benefits of risk control systems
System for internal control should:
• Include reporting of significant failings or weaknesses
• Apply not just to listed companies
Higgs Report
January 2003
Review of the role and effectiveness of non-executive directors
Cromme Code - Germany
Bouton Report - France
Smith Report - July 2003 - Company Audit Committees
Sarbanes-Oxley Act 2002 - USA
Privacy
Data Protection
1988 and 2003 Acts
Responsibilities
Linked to IT Policies & Procedures
Reputation
Confidence of suppliers and customers
“Trust and reputation can vanish overnight”
Alan Greenspan, Chairman, US Federal Reserve
Perrier - benzene
Ratners
Ford / Firestone - Explorer SUV - 100+ deaths - $Bns
AIB - Rusnak
Heineken - glass shards
Johnson & Johnson - Tylenol, cyanide, 7 deaths
Speed, Openness, Commitment
Commercial Union
“Reputational risk is single biggest risk for financial institutions”
PwC / EIU Survey - July 2003
Business environment
On-line
24 x 7 x 365
JIT
Supply chain pressure
Systems integration - ERP
Fewer points of failure - greater impact
Fewer workarounds
Knowledge
Insurance
Risk management and business continuity management are now
embedded in the insurance purchase process.
Insurers are now demanding good BCM practices
Only a part
Provide finance
Will not keep customers supplied
Will not protect reputation / image
Cover for loss of profits?
Essential to Success
• Commitment from top
• Sponsor
• Formal establishment
• Strategy / approach
• Awareness / culture
• Business Continuity Manager
• Ownership with “business”
• Regular reporting
What is the Status of BCM in your Organisation?
Significance of Score!
Over 80: Likely that an effective BCM programme is in place
65 - 80: If regulatory BCM requirements apply - unlikely that they are being met
50 - 65: Room for improvement. Non-compliance with good governance requirements?
Less than 50: Work to be done
Features of Good BCM.
Simple
Quality not Quantity
Relevant and current
Not necessarily expensive
Simple
Commonsense process
• Realistic evaluation & management of risks
• Understanding what business consequences are if key facilities, processes or people are lost
• Appropriate strategy to limit damage and recover as well as possible
Risk Matrix (Probability against Impact)

                      Impact: LOW     Impact: HIGH
  Probability: HIGH   Control         Prevent
  Probability: LOW    Accept          Plan

[Chart: Risk Severity / Probability. Severity axis: Catastrophic, Serious, Minor, Insignificant. Probability axis: Certain / Very Likely, Quite Probable, Improbable, Very Unlikely. Example incidents plotted: Major Fire, Factory hit by Aircraft, Product recall, SAP down for 2 days, HR System down for 1 day, Employee accident, Theft]

[Chart: Costs against Investment, plotting Incident costs, Prevention costs and Total costs]
Quality not Quantity
No silver bullet
Process as important as plan
Documentation must be “right”
Fit with “culture”
Flexible crisis plans
Quality crisis management team - reacts quickly & effectively
Software not the easy answer
Successful BCM not related to size of plan
Avoid unnecessary detail
Unusable
Ignored in crisis
Updating difficult
Instructions to a minimum
Action points
Issue on need-to-know basis
Relevant sections
Relevant and current
An irrelevant or out-of-date plan is worse than no plan
Not token plan
Ownership - responsibility
Use of software?
Not necessarily expensive
Time
Consider at planning stage
SMEs at risk
BCM Working Group
Insurance
Physical security
IT
Communications - voice & data
PR
HR / Health & Safety
Building Services / infrastructure / property / office services
Transport / Distribution
Finance
Procurement
Legal
Internal Audit
Customer Service
Sales & Marketing
Production
Essential elements
Plan invocation
Crisis management team
Contact details
Business processes to be recovered - Priorities
How
Where
Timescales
Recovery steps
Communications - media, staff, business partners
Emergency Services
BC Plans prepared in isolation
Who to contact?
Whose role is it to liaise?
How?
Experts
Understand roles
Work closely
Fire Services
Manchester in March
UK Civil Contingencies Bill
Supports UK Government’s Integrated Emergency Management approach - “an all-embracing approach to handling disasters”
Local responders will deliver civil protection based on:
• risk management,
• emergency planning,
• business continuity, and
• warning and informing the public.
For BC professionals - may act as a catalyst for greater co-operation and collaboration with those involved in planning for, and responding to, emergencies.
UK Civil Contingencies Bill
Duty to assess, plan and advise
Requires the development of BCPs which each Category 1 responder will rely on to ensure the continuity of its ability to discharge its functions in the face of an emergency
Cat 1 responders are required to make certain information, risk assessments and plans available to the public.
LAs have a duty to promote business continuity management: “shall provide advice and assistance to the public in connection with the making of arrangements for the continuance of commercial activities by the public in the event of an emergency”.
Governance and Local Authorities
UK - Framework and Guidance
• Local Code of Corporate Governance by end March 2002
• Risk Management one of 5 core elements of Corporate
Governance
• Annual report in Financial Statements from 2002/2003
• In BVPP (Best Value Performance Plan) for 2003/2004
The hard part of BCM is not creating the plan; it is keeping it up to date
Reorganisations and reshaping
Transformation and rationalisation
Mergers and acquisitions
Rate of technological change
Increased sophistication of ICT
JIT
Outsourcing
Working practices
Staff turnover, redundancies
Hot-desking / virtual office
Be clear on ownership
Part of annual appraisal process
Common Weaknesses
Inadequate management support
Insufficient financial support
Narrow view
Responsibilities unclear
Inappropriate ownership
Not everyone involved
Plan stops at site gate
Poor risk analysis / BIA
Inadequate training / awareness
Inadequate testing
Balance overview / detail not right
Not up to date
Not accessible or relevant when required
Sources of information
Business Continuity Institute
www.thebci.org.uk
Emergency Planning Society
www.emergplansoc.org.uk
Survive
www.survive.com
Continuity Central
www.continuitycentral.com
PAS56
www.bsi-global.com
Federal Emergency Management Agency (FEMA)
www.fema.gov
Sources of information
London Emergency Services Liaison Panel
www.leslp.gov.uk
UK Government Emergency Response Site
www.ukresilience.info
Business Continuity Management How to Protect your Company from Danger
Financial Times / Prentice Hall
www.briefingzone.com
Michael Gallagher
[email protected]