The BCI, Good Practice Guidelines, and Horizon Scan
BCI US Chapter: Christopher Rivera, MBCI

BCI Guidelines & Horizon Scan 2016


Page 1: BCI Guidelines & Horizon Scan 2016


05/01/2023 www.thebci.org 2

Agenda

• Business Continuity Institute background

• Overview of BCI’s Good Practice Guidelines

• Overview of Horizon Scan


Business Continuity Institute background



What is the BCI?

• Founded in 1994, a member-owned, not-for-profit professional association of business continuity professionals

• A global membership and certifying organization for business continuity professionals

• Over 8,000 members in more than 120 countries, working in an estimated 3,000 organizations in the public and private sectors

• We stand for excellence in the business continuity profession

• Our certified grades provide unequivocal assurance of technical and professional competency


Who can be a member of the BCI?

• Professionals seeking international recognition of their professional and technical competency in the BC discipline

• Individuals currently working in BC-related functions who are seeking to improve their knowledge and understanding of the BC discipline

• Individuals who are looking to benefit from being part of a global network of like-minded professionals to share good practice in BC and related disciplines

• Newcomers to the discipline who are considering a career in BC or a related profession


BCI Chapters

A global membership

Chapters: Asia, Australasia, Belgium / Netherlands, Canada, Japan, Nordic, SADC, Swiss, USA

Membership by Region

• United Kingdom (42%)

• North America (15%)

• Europe (12%)

• Asia (9%)

• Australia (7%)

• Africa (5%)

• South America (5%)

• Middle East (4%)

• Central America & West Indies (1%)


BCI Membership grades



Overview of Good Practice Guidelines


The BCI Good Practice Guidelines

A Guide to Global Good Practice in Business Continuity

• The most comprehensive and independent view of current thinking in business continuity

• Provides the what, why, how and when of good BC practice

• Written by BC professionals for BC professionals

• Used in training and examining individuals and organizations (our body of knowledge)

• Aligned to ISO 22301

• Reference material for academic institutions


How can I get a copy of the GPG?

• BCI members can download a free PDF version from the Members’ Area of the BCI website

• Non-members can purchase a PDF version from the BCI website at https://shop.thebci.org/shop/shop.php?sid=144


The Six Professional Practices


The BCI’s Definition of Business Continuity

“The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.”

Source: ISO 22301:2012


GPG Alignment to ISO 22301

• Responsibilities of top management

• Setting strategic objectives

• Resources for business continuity

• The importance of the BIA and a stronger link to the organization’s approach to risks and threats

• Resource requirements, skills and competence of the people involved

• Training, awareness and communications

• Document management

• Exercising and testing

• Monitoring performance and measuring the value of business continuity


PP1 – Policy and Program Management

Defines an organization’s policy relating to BC and how it will be implemented, controlled and validated through a BCM program

• Setting BC policy and determining the scope of the BCM program

• Defining governance and assigning roles and responsibilities

• Implementing a BCM program and managing documentation using program and project management techniques

• Managing outsourced activities and supply chain continuity


PP1 – Policy and Program Management

The BCM program operates at three levels:

• Strategic – decisions are made and policy is determined

• Tactical – operations are coordinated and managed

• Operational – activities are undertaken


PP2 – Embedding Business Continuity

The management professional practice that continually seeks to integrate BC into day-to-day business activities and organizational culture

• Organizational culture

• Skills and competence

• Managing a training program

• Managing an awareness campaign


PP3 – Analysis

Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates

• Business Impact Analysis (BIA)

• Threat Analysis (includes risk assessment)


PP4 – Design

Identifies and selects appropriate strategies and tactics

• Continuity and recovery strategies and tactics

• Threat (risk) mitigation measures

• Incident response structure


PP5 – Implementation

Executes the agreed-upon strategies and tactics through the process of developing plan documentation

• Business continuity plans

• Developing and managing plans at a strategic, tactical and operational level


PP6 – Validation

Confirms that the BCM program meets the objectives set in the BC policy and that plans are fit for purpose

• Developing an exercise program

• Developing and running exercises

• Maintenance of the BCM program

• Review of the BCM program


How does the GPG work in the real world?

Problem: Management engagement
Description: “My steering committee isn’t coming to meetings anymore or they’ve delegated their role.”
GPG solution: PP1 – Policy and Program Management

Problem: Participation
Description: “The VP from Department X assigned his administrative assistant as his group’s planner.”
GPG solution: PP2 – Embedding Business Continuity

Problem: Focus
Description: “We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”
GPG solution: PP3 – Analysis

Problem: Proactive vs reactive (and scope)
Description: “We seemed to be laser focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?”
GPG solution: PP4 – Design

Problem: Templates vs plans
Description: “No one seems to use the plans we’ve documented. And why would they all read the same, almost as if they’re templates!”
GPG solution: PP5 – Implementation

Problem: Measurement
Description: “We have 1000 plans, all updated in the last 12 months… but we’re not sure if we’re actually ready for a disaster.”
GPG solution: PP6 – Validation


BCI Horizon Scan


BCI Horizon Scan

• The goal of the BCI has been to promote a more resilient world

• When the Institute celebrated its 20th anniversary in 2014, the focus was not on our past achievements but on our vision of the future

• From that vision emerged the BCI 20/20 Think Tank, a worldwide group of thought leaders with a passion to drive the profession forward


BCI 20/20 – two focal points

Advisory

• Help in shaping the profession

• Developing career opportunities for those who have chosen to pursue this field

Advocacy

• Raise the profile and value of business continuity and resilience

• Build the value of resilience into organizational strategies

• As professionals learn more and more about the threats and translate those threats into business risks – which includes how to work with senior executives to manage these risks – the real and perceived value of our efforts will only increase


Issues concerning the BCI in 2016

Excerpt from BCI Horizon Scan Report 2016


Business risks mirror BC concerns

A 2016 study of threats and business risks by the insurer Allianz confirms that management’s view of the evolving threat landscape is in line with what we, as business continuity professionals, are facing, which is good news for executive sponsorship

Excerpt from Allianz Risk Barometer Top Business Risks 2016


Introduction to Horizon Scanning

As a key protective discipline, business continuity ensures organizational resilience by building an effective response to disruptive events.

Horizon scanning is a useful tool that can provide an objective perspective on threats and uncertainties that may lead to business disruption.

These conclusions inform – or even confirm – strategies undertaken by organizations to prepare for disruption.


Horizon Scan Report 2016 headlines

• Cyber attacks (85%), data breach (80%) and unplanned IT outages (77%) remain the top three threats facing organizations, with data breach moving into second place in 2016

• The use of the Internet for malicious attacks (83%), the growing influence of social media (63%) and the loss of a key employee (56%) are the top three trends

• Investment levels for BC are up for more organizations (23%, from 18%), with more businesses using ISO 22301 as a framework for BCM implementation (52%, from 44%)


Top 10 threats worldwide


Excerpt from BCI Horizon Scan Report 2016


Investment trends in business continuity

Excerpt from BCI Horizon Scan Report 2016


Top 10 based on level of concern

Excerpt from BCI Horizon Scan Report 2016


Top 5 trends and uncertainties

Excerpt from BCI Horizon Scan Report 2016


Tracking threats: #1 Cyber Threats

Ranked 1st were cyber attacks, in both 2016 and 2015; they were ranked third in 2013 and second in 2014 (not surprising given all the incidents we hear about almost daily)

Most DRJ attendees agreed this was and is a major concern and acknowledged the close association with data breach, terrorism and security, increasing the relevance of this threat

How does this affect us as BC Professionals?

• Recognition that this threat has IT availability and even business continuity implications

• Leverage crisis management and crisis communications processes in response


Tracking threats: #2 Data Breaches

Ranked 2nd were data breaches, which ranked third in 2015

DRJ discussion surrounded the fact that data breaches come in many forms, both cyber / Internet related and the old-fashioned stealing of reports and copying of files to a flash drive

Data breach-related exercises are a key focus of attendees, as is differentiating IT-related response plans from incorporating breach response into crisis management plans

How does this affect us as BC Professionals?

• Leverage crisis management and crisis communications processes in response

• Facilitate adoption of strategies related to data privacy and protection


Tracking threats: #3 Unplanned IT outages

Ranked 3rd were unplanned IT outages, which ranked second in 2015

Still a top 10 issue and an area of key focus in most IT DR and BC programs

While most respondents see emerging threats such as cyber attacks and data breaches as more impactful, IT outages are still a major focus

Discussion among the DRJ attendees focused on the changing face of IT, as software as a service, cloud computing and outsourced IT change the landscape and require different strategies, often outside of the organization’s direct control

How does this affect us as BC Professionals?

• The evolution of IT services to external providers moves control outside our direct ability to manage

• Coordination of recoveries becomes more challenging across providers


Tracking threats: #4 Terrorism

Moving from 10th in 2015 to 4th in 2016, terrorism has re-emerged as a concern for resilience and continuity professionals

This increase may be attributed to the terrorist attacks which occurred during the survey period. Most participants acknowledged the threat and felt it was driving attention to incident response and crisis management plans, plus a focus on tracking

How does this affect us as BC Professionals?

• Indirectly, recent events are creating protectionist measures impacting global operations and trade (Brexit)

• The local or regional nature of events creates access and credentialing issues


Tracking threats: #5 Security Incident

Ranked 5th in the 2016 scan, up from 6th in 2015

Adding to the puzzle we mentioned earlier, along with cyber attacks and data breaches, security is clearly an area of concern for organizations

Part of the senior-level discussion at DRJ had to do with organizational issues and the placement of security vs continuity and recovery within organizations

How does this affect us as BC Professionals?

• Security events impact travel and facility availability

• There is no issue with placing BC within Security, as long as it is recognized that BC is more than response; business-aligned strategies are still necessary


The changing risk landscape

During a discussion at DRJ Spring in Orlando, the review of the Horizon Scan report drove numerous discussions regarding how different threats or scenarios could lead to a disruption, including:

• Treat the business risk rather than focus on the case… but there are exceptions

• The business environment can lead to business risk, not just traditional threats such as natural and man-made disasters


Risk mitigation ownership

The Horizon Scan session at DRJ also led to discussions regarding owning versus contributing to risk mitigation.

– For example, does/should the BC professional “own” data breach-related mitigation?

– Alternatively, is there a role the BC professional can/should play when it comes to data breach mitigation – and response?

Specific to many of the threats highlighted in the Horizon Scan report, and based on the contributions made by the DRJ Spring senior professionals, “ownership” is often based on the threat or risk.

– But beyond ownership, the BC professional can also serve as a cross-functional facilitator, with the objective of bringing diverse skill sets together to mitigate risk to a level consistent with the organization’s risk appetite

The discussion regarding ownership also led to a discussion on competencies, and what the BC professional needs to know to get involved in broader resiliency initiatives.

– Rather than being an expert in all risk disciplines, the BC professional needs a familiarity with different types of risks and where to go to seek assistance.

– More broadly, to be successful in managing or contributing to risk management, the BC professional needs a broad understanding of the business (products/services, customers, processes and resources), as well as skills specific to communications (oral/written), sales, and facilitation.


BCI’s statement on resilience

Resilience – the adaptive capacity of an organization in a complex and changing environment (ISO 22316)

• Business continuity is not the same as organizational resilience.

• The effective enhancement of organizational resilience will require a collaborative effort between many management disciplines.

• No single management discipline can credibly claim ‘ownership’ of organizational resilience, and organizational resilience cannot be described as a subset of another management discipline or standard.

• Business continuity principles and practices are an essential contribution for an organization seeking to develop and enhance effective resilience capabilities.

• The wide range of activities required to develop and enhance organizational resilience capabilities provides an opportunity for business continuity practitioners to broaden their skills and knowledge, building on the foundation of their business continuity experience and credentials.


The role of the BC Professional?

In the context of an ever-increasing focus on resilience and the engagement of multiple disciplines, what’s the business continuity professional’s role?

Owner, facilitator or participant: it depends on the risk or threat


Back to the Horizon Scan



Where do we fit into resilience?



A proposed job description

Responsibilities

• Increases the organization’s preparedness for disruptive incidents by implementing capabilities to enable the continuation of product and service delivery at acceptable predefined levels

• Collaborates with other disciplines to create a more resilient organization, taking ownership of assigned risks and participating as a team member in mitigating other risks


A proposed job description

Duties

• Engages management to establish appropriate business continuity requirements

• Enables the selection of effective capabilities to respond to and recover from disruptive incidents

• Leads the evaluation of response and recovery capabilities, as well as the development of the competencies necessary to plan and respond effectively

• Implements the processes necessary to drive continual improvement and manage the effects of organizational change


A proposed job description

Business Continuity Analyst → Business Continuity Leader → Resilience Professional

Skills

• Oral and written communications

• Inquiry

• Project management

• Sales (including relationship building)

• Strategic and tactical thinking

• Management (in general)

• Facilitation techniques

Enablers

• Knowledge of the organization and its resources

• Knowledge of the organization’s products and services and customer usage

• Knowledge of other management and risk disciplines


Summary

• Threats are real and expanding, leading to increased business risk

• These changes are leading to changes in our profession: Business Continuity Analyst → Business Continuity Leader → Resilience Professional

• Our success will be based on our knowledge of the organization and its business environment, including customers and their expectations


Join or connect with us today

@BCI_US_Chapter

BCI USA – The Business Continuity Institute US Chapter

[email protected]