3. What is Business Continuity Management? A good, although lengthy definition in BS 25999-1 is: "A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities“ It is also called Business Continuity & Resiliency Planning In Plain language – Working out how to stay in business in the event of a significant occurrence Definition Slide 3
4. An interesting recent aspect of this topic is that some consultants are grouping the approaches of Risk Management and Business Continuity Management together. In my experience, there are benefits to be had by grouping these aspects since there is commonality in the early processes, and therefore cost savings, but the outcomes are strategically different and must must be exercised to assure the corresponding deliverables. For example, In the case of a glass being half full or half empty, RM will see it as probably half full and BCM will worry about the contents being hazardous or if the glass breaks how long it will take to clear up Definition Slide 4
5. Business continuity and disaster recovery planning is a key governance responsibility. The UK Companies Act 2006 gives statutory force to what has long been the worldwide common law duty of directors, which is to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence“ Principle responsibility lies with the CEO and his Executive Management team for their companies Business Continuity Management . The board of directors is accountable for ensuring that the organization has developed and tested business continuity and disaster recovery plans that deal with all the likely risks that face the organization. Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions Responsibility Slide 5
6. Principle responsibility lies with the CEO and his Executive Management team for their companies Business Continuity Management Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions Responsibility Slide 6
7. Four Phases: Understanding the organisation Determine the Business Continuity Strategy Develop and implementing BCM response Exercising maintaining and reviewing Major Phases of BCM Slide 7
10. What activities in your organisation, if stopped, cause the most impact to your business? Impact may be on: Cash Flow Reputation Meeting Statutory and Legal requirements Key Questions to ask Slide 9
11. How are these activities delivered and what resources are used to support them? Resources may be: People Plant and Machinery Premises and Furniture Computing and Telecommunications Data and Information Suppliers and Distributors Key Questions to ask (2) Slide 10
12. Some other key questions are: Who is essential? What equipment, IT, Telecomms and other systems are necessary to continue to function? Who does the Org rely upon to carry out key activities? Who depends upon the Organisation? Are there any service levels, legal or regulatory obligations? Do Disaster Recovery, Business Continuity and emergency plans already exist? Are there any natural fluctuations of operational activity e.g. Month-end payroll or end of year for accounts Key Questions to ask (3) Slide 11
13. You then need to consider: How long can your business manage without key activities? (This is important as this dictates what you focus on first) How essential is a departments work to the overall performance of the business on a day to day basis? Having identified key resources – consider the likelihood that these resources may be lost i.e. what are the risks to these resources? Key Questions to ask (4) Slide 12
14.
15. Get agreement with the rest of the board teamConduct a high level SWOT analysis Determine what and where your vulnerabilities are that affect your productivity and profit Understand which resources are necessary for the business to continue Before the Consultants Arrive Slide 13
24. Power, heating / cooling and lightingBefore the Consultants Arrive Slide 14
25. Develop a Risk Analysis Quadrant Before the Consultants Arrive High Materials Unavailable Operator Injured Political Upheaval Probability Fire Salesman Killed Operator Killed Flood Reputation Destroyed Service Denial attack CEO Kidnapped Production Machine Breakdown Theft Low Low High Impact Slide 15
26. Outline options for mitigating the identified business continuity risks Bring in your BCM consultants to review and document your findings and to add their own experience and value Before the Consultants Arrive They should design and develop the Business Continuity Plan and recommend how it should be initiated and maintained Slide 16
27. You should expect the following outputs from this exercise: Identified Risks and associated mitigations Business Continuity Plan BCP Test scenarios and Test plans Outline Test schedule Crisis Management/Emergency Response/Incident Management procedures Outline DR Plans and Test scenario plans Deliverables Slide 17
28. You should test aspects of your BCP and the underlying Incident management and DR responses Use an external consultant where possible, as they should remain impartial and observe and report the outcome of the planned scenario Test Slide 18
29. 80% of organizations with a tried and tested business continuity plan are likely to survive a major business discontinuity; only 20% of those without a business continuity plan are likely to survive. Over 90% of organizations that suffer a significant data loss are not in business two years later. The latest data indicates that many of the existing plans are not comprehensive and that maintenance (testing and updating) is generally inadequate. 'Backup' is not the same as a business continuity plan, and terrorism should be specifically addressed. Public Domain Statistics Slide 19