Transcript Document
www.continuityforum.org

Continuity Forum acts as a bridge between organisations who have interest in promoting, delivering and utilising Business Continuity and Risk Management. By our actions, Continuity Forum encourages a uniform approach to the delivery of these critical disciplines. We provide an unbiased, non-commercial input to regulators, legislators, standards bodies, auditors, & the media.

The Importance of Business Continuity Management & Resilience
Russell Price
Chairman
Continuity Forum

So why is Business Continuity so important?
• What would you do tomorrow if your building was on fire today?
• What would your customers do?
• What would your competitors do?
• What would your bank and shareholders do?

www.Continuityforum.org - +44 (0) 208 993 1599 Copyright 2003

A riskier world?
Risk Management – A changing framework
[Diagram labels: Value of Tangible assets; Knowledge Reputation Management Image; Traditional Asset Protection; Value of Intangible assets; 1970’s; 2000+; Production based economy; Knowledge based economy; Mainly National/Local; Founded on Plant, Labour etc]

Risk Model Example
‘PEST’ model
[Diagram axes: Technical; Economic; People; Social. Risks shown: IT/Systems Breakdown; Contamination; Industrial Accident; Industrial Accidents; Government Crisis; Utilities failure; On-site product tampering; Malicious acts; Organisational failure; Sabotage; Terrorism; Labour strikes; Off-site product tampering]

• The chances are that all chief executives are likely to face a crisis.
• The ability to manage a crisis is a vital standard of good corporate governance because it has:
  • Major immediate impact on shareholder value (private sector)
  • Long-term impact on reputation (public & private sector)
[Chart: The impact on shareholder value. Series: Effective crisis response; Ineffective crisis responses. x-axis: Trading days after the event. Annotation: After initial reflex (10 days), market begins to assess company’s response.]
Source: “The Impact of Catastrophes on Shareholder Value,” Rory F. Knight & Deborah J. Pretty, Templeton College, University of Oxford, p. 3.

Building a Secure Business
“Building a secure business is not just about supply and demand. It is about the protection and prevention measures that you can put in place against crime, the consequences of a natural disaster, electronic attack, acts of terrorism and other events that would have a negative impact on your organisation”
Rt Hon Hazel Blears MP. Secretary of State
Secure in the Knowledge (2005)

A word about people, analysis & decision making
The difference between Wisdom, Knowledge and Experience

“Perceptions are truths because people believe them”
Epictetus

Audience Participation

BCM - Not just an IT issue!

What can disrupt your business?
Fire, Hackers, Flood, Power, Terrorism, IT

It will never happen to me!
• For a company, a mission critical incident can be expected once every 1.8 years … some large organisations have hundreds each year!
• 88% experience ‘disaster’ on non contract systems or in unplanned areas
• 92% substantially upgrade their ‘capability’ after an event
• 43% stated that it took them 2 months or longer to recover from the event
• An effective Plan can reduce the total loss by 90% plus

Is This An Effective Management Strategy In the Face of the KNOWN Risks!
YES! NO!

“Minds (and organisations!) are like parachutes, They work best when open”
Lord Thomas Dewar

Business Continuity Management
Definition: “Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”.
The Business Continuity Institute 2001

Resilience
“at every relevant level (the ability) to detect, prevent and if necessary, to handle and recover from disruptive challenges”
Dealing with Disasters 3rd Edition
Cabinet Office

Success, recovery or failure?
[Chart: Level of business against Time, with a Critical recovery point marked. Curves (labelled A, B, C): Fully tested effective BCM; No BCM – lucky escape; No BCM – usual outcome]

THE BUSINESS CONTINUITY MANAGEMENT CYCLE
1 Understanding Your Business
2 Business Continuity Strategies
3 Develop and Implement BCM Plans & Solution(s)
4 Building & Embedding a BCM Culture
5 Exercising, Maintenance and Audit
Centre of the cycle: BCM Programme Management
Business Continuity Institute 2002

Current Drivers
[Bar chart comparing Year - 2004 and Year - 2005, scale 0 to 35, for each driver: Legislation; Suppliers; Auditors; Investors; Potential Customers; Exist Customers; Regulators; Insurers; Central Govt; Corp. Governance]

Current Regulations/Standards
• US - Securities and Exchange Commission - NASD Rules 3510 & 3520 and the NYSE Rule 446
• Basel II & E-banking
• UK Civil Contingencies Act
• Sarbanes Oxley
• UK FSA – BCM Guidance
• PAS 56 and from Summer 2006 BSI
• King II in South Africa
• Singapore - MAS BCM Standard
• Australian Standard for BCM
• US - NFPA 1600
• Europe - Netherlands, Luxemburg, Belgium, et al

A Changing World
[Diagram labels: Corporate Governance, ISO 17799-01, CCA, Comp Act, GDPdU & GoBS, BS7799-02, NF Z 42-013, COBIT, AIPA, ITIL, King II, MAS, IT Baseline, China, Basel II, APO, Sarbanes Oxley Act]

Other Drivers
• Investors
• Banks
• Media
• Trade Bodies
• Professional Associations
• Emergency Services
• Local Authorities
• Public

The Current Position…
• In all sectors there are still serious weaknesses in overall planning for Business Continuity
• People and Infrastructure are CRITICAL!
• Companies are not planning on a broad enough basis and are failing to maintain current plans
• Business Continuity and Risk Management is rapidly developing into a Business essential!

Building Resilience
• Continuity is vital for every organisation
• Organisations are reliant on Extended Supply Chains
• The unexpected will always happen
• Adopt a ‘best practice’ approach
• Embed Business Continuity Management and Security within the organisation
• Test regularly

Benefits of BCM
• Reduces impact and likelihood of failure
• Demonstrates professional management
• Improves processes
• Enhances customer service
• Creates competitive advantage
• Frees management time spent fire-fighting
• Increases confidence in the future
• Can reduce cost of capital

And that’s before the Event Strikes!
After an Event the benefits can be calculated in Millions!

EFFECTIVE BCM IS BUILT ON 7 P’s
Programme - the total BCM strategy
People - Roles and responsibilities, H&S, awareness and education
Processes - all organisational processes including ICT
Premises - buildings & facilities
Providers - supply chain inc. outsourcing
Profile - brand, image and reputation
Performance - benchmarking, evaluation & audit

ESSENTIAL ELEMENTS OF BCM
• Take a holistic approach
• ‘End to End’
• Effects, not causes
• Prevention, not just cure
• Culture of BCM
• Need for measurement

Getting Started on BCM
• Identify critical activities
• Determine what supports these activities
• Determine the resilience of the support
• Identify and eliminate ‘single points of failure’
• Challenge suppliers about resilience statements
• Work with ‘trusted’ suppliers
• Include ‘transparency’ in SLAs and contracts
• ACT NOW!

Summary
• Current trends are toward an environment of professional management of risk through Business Continuity Management
• Future trends indicate that there will be a requirement on all organisations to demonstrate adequate planning
• BCM is the clear way to demonstrate to stakeholders that the company has prepared, and can effectively manage any failure
• Industry data proves that failure is inevitable for all organisations
• The cost of failure far exceeds the cost of planning
• Minimising the effects of loss is only achievable through effective planning
• To fail to plan is … to plan to fail!

Thank you
Any Questions?
Russell Price
Chairman
Continuity Forum
www.continuityforum.org

Continuity Forum acts as a bridge between organisations who have interest in promoting, delivering and utilising Business Continuity and Risk Management. By our actions, Continuity Forum encourages a uniform approach to the delivery of these critical disciplines. We provide an unbiased, non-commercial input to regulators, legislators, standards bodies, auditors, academic bodies & the media.