John Sharp FBCI (Hon) FCIM MIM


Business Continuity Management Using the New British Standard – BS25999
John Sharp FBCI (Hons) FCMI MCIM
Principal Consultant
Kiln House Associates Ltd
KHA Ltd © 2008
John Sharp FBCI (Hons) FCMI MCIM
1997 until 2004 - CEO of the Business Continuity Institute
Chair of the team that produced the BSI Guide to BCM (PAS 56) & Member of Technical Committee for BS25999 & BS25777
Member of the UK Metropolitan Police BCM Board
Member of the team that produced BCM guidance for the UK Civil Contingencies Act
Associate Course Director – UK Emergency Planning College
UKAS Technical Expert – BS25999-2
Chair of Audit Committee - University of Wolverhampton
Why a BCM Standard was Needed
• Business Continuity Plans are only really ‘tested’ when used in a real invocation
• Evidence of organisations failing despite having BCPs:
  • Plans not exercised
  • Plans not kept up to date
  • People not trained or made aware of BCP
  • Low levels of senior management commitment
• Too many plans written to get a ‘tick in the box’
Why a BCM Standard was Needed
• Growing threat levels
• Complex supply chains
• Outsourcing
• UK national infrastructure dependent upon commercial and voluntary organisations
• International nature of trade
• Auditors’ lack of understanding of BCM
• Demands from regulators, insurers and customers
Development of the BCM Standard
• 1997 – Professional practice standard exists in the UK & US
• 1999 – development of a uniform assessment of BCM for Y2K
• 2001 – FSA requires BCM ‘good practice’ guidelines
• 2002 – BCI publishes BCI BCM Good Practice Guidelines
• 2003 – Publication of PAS 56 by BSI
• 2006 – BSI publishes BS25999-1 in November
• 2007 – BS25999-2 published in November
• 2008 - UKAS pilot accreditation scheme for certification
Key Elements of the Standard
• BCM is based on a ‘lifecycle’ – it is a continuous process
• Must become part of the organisational culture
• Commitment from the top, and throughout the organisation
• Based on impacts – not threats
• As much about prevention as recovery
• BCM must be proven by exercise and lessons learnt
• BCM must be maintained in a changing environment
• A specification against which certification can be achieved
The Business Continuity Management Lifecycle
(Diagram, BS 25999-1 2006: BCM Programme Management at the centre of a cycle of four stages: Understanding the Organization; Determining BCM Strategies; Developing and Implementing a BCM Response; Exercising, Maintaining & Reviewing.)
Stage 1 - Establish a Business Continuity Management System
• Why are you introducing BCM?
• What are the requirements for BC, taking into account:
  • Organisation’s objectives
  • Obligations - legal, regulatory, contractual
  • Interests of key stakeholders
• Scope of BC in terms of products and services
External Drivers
(Chart, CMI Research 2008: percentage of organisations citing each external driver for BCM, Year 2007 against Year 2008, scale 0 to 50%. Drivers shown: Suppliers, Investors, Auditors, Regulators, Potential Customers, Insurers, Central Govt, Legislation, Existing Customers, Corp. Governance.)
Environmental Analysis
(Diagram: STEEPLE analysis of the Organisation’s environment: Social, Technological, Economic, Environmental, Political, Legal, Ethical.)
Stakeholders
• What are their requirements and perceptions?
• Who are they?
  • Shareholders, Students, Customers, Employees and Suppliers
  • Regulators, Financial Investors, Insurers, Auditors, Professional Bodies, Trade Associations, Government Departments
  • Competitors, the Community, Media and ‘Vested Interest’ Groups
Scope
• Determining the scope of the BCM is a vital first step.
• Factors that influence scope are:
  • The size and complexity of the organisation
  • The needs of customers/clients, regulators, auditors, insurers and investors
  • The type of activity undertaken
  • The environment and location of operation
  • Organisation’s objectives
Programme Management
• A BCM policy statement
• Ongoing support from the top of the organisation
• BCM structure – roles & responsibilities
• Adequate resources to deliver BCM
• Effective management and control of documentation and records
• An assurance process – KPIs
• System for continuous improvement (PDCA)
The Plan-Do-Check-Act (PDCA) model
(Diagram: the PDCA model as used in BS25999-2.)
Embedding BCM into the Organisation’s Culture
• Train appropriate staff
• Raise awareness
  • Why BCM is being introduced
  • What is being done and when
  • Benefits that accrue to ALL
• Inform stakeholders
• Ongoing support from Executive
• Communicate
Stage 2 - Understanding the Organisation
What is critical to the organisation at the time of disruption?
Understanding the Organisation
• What are the key services & products?
• What are the critical activities?
• What processes are used to deliver critical activities?
• Who and what is used in these processes?
  • Internally
  • Externally
• The impact if key services & products are disrupted – for whatever reason
• The Maximum Tolerable Period of Disruption (MTPoD)
Maximum Tolerable Period of Disruption (MTPoD)
The duration after which an organisation’s viability (either financially or through loss of reputation) will be irrevocably threatened if delivery of a particular product and service cannot be resumed.
Key Services and Products
• Not all services and products are critical
• Some services and products are seasonal
• Some are exceptional – e.g. emergency management
• Criticality is determined by drivers and stakeholders
• The impact on the organisation if the service or product is disrupted will influence the criticality
• The organisation’s risk appetite affects criticality
• Critical rating must be ‘signed off’ by the top management
Mapping Resources to Critical Activities
(Diagram: the critical activities Degree Programmes, Post Graduate Programmes, Research and Third Leg Activities mapped against the resources that support them: ICT, Suppliers, People, Facilities.)
Risk Assessment
• Identify single points of failure:
  • People
  • Information technology
  • Premises
  • Plant & machinery
  • Suppliers
• Consider vulnerability of critical resources
• Consider the security of these resources
• Can you reduce the vulnerabilities and improve security?
Stage 3 – Determining BCM Strategies
What can the organisation do if key services and products are disrupted?
Strategy Options
The Organisation’s Approach to Determining BCM Strategies Should:
• be to implement appropriate measures to reduce the likelihood of incidents occurring and/or reduce their impact if they do.
• provide continuity for its key products and services and supporting activities during and following an incident.
• take account of those products and services and their supporting activities that have not been identified as critical.
BS 25999-1 2006
Strategy Options
The most appropriate strategy or strategies will depend on a range of factors such as:
• The maximum tolerable period of disruption (MTPoD) of the service
• The cost of implementing the strategy or strategies
• The consequences of inaction
BCM Strategies Must Cover:
• People
• Premises
• Technology
• Information
• Supplies
• Stakeholders
BCM Strategies
• Cannot fail – full availability
• How soon to recover - recovery time (RTO within the MTPoD)
• At what level of recovery - recovery point
• Do nothing – accept the risk (Health warning!)
• Signed off strategies to meet obligations
BCM Strategies
In general you should consider 4 high level scenarios and what alternative working arrangements could be made if:
• Cannot gain access to the building
• A high percentage of the staff are unavailable
• The ICT systems are unavailable
• A key supplier/partner is disrupted
BCM Strategies
What is needed to make strategies work?
BCM Strategies must:
• Recognise critical functions, dependencies and single points of failure.
• Enable the organisation to perform critical activities
• Allow decisions to be taken by responsible managers
• Be signed off by senior management
Stage 4 - Developing & Implementing a BCM Response
Incident Management & Business Continuity Planning
Incident Response Structure
What is needed to deal with a disruptive incident?
Plan Invocation
Establish procedures for determining when a disruption has occurred and how the BCPs will be invoked:
– Identify the person(s) who determines whether a disruption has occurred
– Specify the procedure to be used
– Specify who should be consulted
– Specify who should be informed
Invocation Teams
• The organisation must move at the speed of the incident to prevent a crisis occurring
• Separate teams to cover:
  • The major incident
  • Continuity of the organisation’s key services & products
• The team structures should reflect the normal organisational structure
Incident Management
(Diagram: a three-level incident management structure, Level 1 Strategic (Gold), Level 2 Tactical (Silver) and Level 3 Operational (Bronze), with the links between levels labelled Escalation and Control and each level running a Think, Plan, Do cycle.)
The BCM team structures should mirror the incident management structures
Communications Management
• Regularly update senior management
• Keep the students/customers informed
• Mechanisms to inform employees
• Keep other stakeholders informed
• Ensure media are briefed
Information Management
• Collate situation reports
• Access to contact details
• Access to staff records
• Insurance policies, SLAs, contracts
• Monitor the media
• Maintain a log of decisions, activities and actions
Resolving Conflicts
• Resources will be limited
• All managers believe their areas are critical
• Decisions about priorities should be made at the planning stage and not at the time of the emergency
• However, every situation is different, therefore a mechanism must exist to adjust BCPs accordingly.
• A high level BCM team must be empowered to determine priorities
• The BCM team should be assembled from people who understand and represent the organisation
Incident Response Structure
The incident response structure must enable personnel to:
• be capable of confirming the nature and extent of the incident, and manage the incident;
• be responsible for triggering an appropriate business continuity response;
• have access to plans, processes and procedures to manage an incident;
• have plans for the activation, operation, coordination and communication of the incident response;
• have resources available to support the plans, processes and procedures to manage the incident.
BC Planning
• Cover critical products & services as specified in the scoping document
• High level plans
• Departmental plans
• Unit plans
BC Planning
(Diagram: plan hierarchy with the Corporate Plan at the top, Dept Plans beneath it, and Unit Plans beneath each Dept Plan.)
BC Planning
• Cover critical services
• High level plans
• Departmental plans
• Unit plans
• Linked to:
  • Incident Management plans
  • Recovery Plans
Relationship Between Plans
(Diagram: how the incident management, business continuity and recovery plans relate to one another.)
Involve all Elements of the Organisation
(Diagram: Business Continuity Management at the centre, linked to Crisis Communications & PR, Security, Human Resources, Knowledge Management, Health & Safety, Environmental Management, Quality Management, Supply Chain Management, Facilities Management, IT Disaster Recovery, Emergency Management and Risk Management.)
Golden Rules for BCPs
• Keep them simple
• Ensure that you can use them during a disruption
• Identify what resources are needed
• Make plans owned by operational units
• Exercised, audited and reviewed
• Version and distribution controlled
• Accessible
Stage 5 - Exercising & Maintaining
Will the plans work and are they up to date?
Exercising
An exercise is: an opportunity to measure the quality of the planning, the adequacy of the training and test the effectiveness of the arrangements made.
Exercising
Considerations:
• Risk, impacts and capabilities
• Types of exercise to be used
• Involvement of senior management
• Process of delivering exercises
• Relationship between exercising emergency plans and BCPs
• Planning exercises so that the risk of disruption, and the risk of an incident occurring as a direct result of the exercise, is minimised
Exercise Process
Requires:
• Senior management commitment
• Planning team
• Risk assessment
• Documentation
• Briefing
• Exercise
• De-brief
• Review of lessons learnt
• Funding
Exercising your BCP – the learning cycle
(Diagram, Emergency Preparedness 2005, showing the cycle:)
• Business Continuity Plan
• Exercise: this can be a test of part or the whole of the plan
• Post-Exercise Debrief: there should be a debrief after each exercise in order to capture the experience of all the participants
• ‘Lessons Learned’ Report: this post-exercise report should collate the output of all debriefs with the post-exercise analysis of the exercise outcomes
• Post-Exercise Report: this report closes the exercise programme and outlines the full outcome of the programme. It makes recommendations for changes to the BCP. Approval and acceptance of recommendations by the BCM strategic lead within the organisation
• Audit BCP: the BCP should be audited against the LLR and necessary changes identified
• Review Plan and Implement Changes: having made changes to the BCP, it is important to review the plan in its entirety before disseminating the ‘current version’.
Exercising
When planning exercises consider:
High level scenarios:
• Denial of access or loss of facilities
• Loss of key staff/skills
• Loss of critical systems, including ICT
• Loss of key resources, including suppliers/partners
Capabilities
• Mobilisation
• Co-ordination
• Communications
Warning
• Don’t let the exercise create a disruptive incident
Maintaining
Maintaining a BC plan involves regular scanning by the author, or a designated person, to ensure that details are current and facts are correct, and, where changes are required, to instigate amendments, re-issue and re-training as appropriate.
Why Maintain Your Plan
Nothing stays the same; there is always change in:
• Organisations
• Regulations and laws
• Students & Customers
• Suppliers
• People
• Contacts
• Technology
• Processes
• Locations
All plans should be reviewed annually and signed off by the plan owner
Reviewing
• The environment in which we operate is constantly changing, so BCPs and BCM arrangements need reviewing.
• This involves the BCM team and author standing back and checking strategy on, say, an annual basis, or after significant change, using a formal process.
• Where changes are needed this will lead to rewriting, re-issue and re-training, and endorsement by the management team.
Essential Elements Required to Meet BS25999
• Clearly Define the Scope
• Establish an effective management system
• Identify critical activities and resources, including critical suppliers and partners
• Risk assessment (effects, not causes; prevention, not just cure)
• Create appropriate incident and continuity plans
• Exercise plans and record results
• Audit BCM and BCMS
• Management of documentation & records
• Establish a culture of BCM
The Benefits of Meeting BS25999
• Provides a structured approach to BCM
• Demonstration, internally and to all stakeholders, of the organisation’s capability to manage disruptive events
• Competitive advantage
• Maintenance of existing contracts
• Protects the organisation
• Compliance
• Possible certification
The Route Map to Business Continuity Management
Meeting the Requirements of BS25999
Published by BSI
£20 (+P&P)
Thank you for Listening
John Sharp
Email: [email protected]
Tel: 01886 833844
www.khacontinuity.co.uk