The BCI, Good Practice Guidelines, and Horizon Scan
BCI US Chapter
Christopher Rivera, MBCI
05/01/2023 www.thebci.org 2
Agenda
• Business Continuity Institute background
• Overview of BCI’s Good Practice Guidelines
• Overview of Horizon Scan
Business Continuity Institute background
What is the BCI?
• Founded in 1994, a member-owned, not-for-profit professional association of business continuity professionals
• A global membership and certifying organization for business continuity professionals
• Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors
• We stand for excellence in the business continuity profession
• Our certified grades provide unequivocal assurance of technical and professional competency
Who can be a member of the BCI?
• Professionals seeking international recognition of their professional and technical competency in the BC discipline
• Individuals currently working in BC-related functions who are seeking to improve their knowledge and understanding of the BC discipline
• Individuals who are looking to benefit from being part of a global network of like-minded professionals to share good practice in BC and related disciplines
• Newcomers to the discipline who are considering a career in BC or a related profession
BCI Chapters
A global membership
Chapters: Asia, Australasia, Belgium / Netherlands, Canada, Japan, Nordic, SADC, Swiss, USA
Membership by Region
• Africa (5%)
• Asia (9%)
• Australia (7%)
• Central America & West Indies (1%)
• Europe (12%)
• Middle East (4%)
• North America (15%)
• South America (5%)
• United Kingdom (42%)
BCI Membership grades
Overview of Good Practice Guidelines
The BCI Good Practice Guidelines
A Guide to Global Good Practice in Business Continuity
• The most comprehensive and independent view of current thinking in Business Continuity
• Provides the what, why, how and when of good BC practice
• Written by BC professionals for BC professionals
• Used in training and examining individuals and organizations (our body of knowledge)
• Aligned to ISO 22301
• Reference material for academic institutions
How can I get a copy of the GPG?
• BCI members can download a free PDF version from the Members’ Area of the BCI website
• Non-members can purchase a PDF version from the BCI website at https://shop.thebci.org/shop/shop.php?sid=144
The Six Professional Practices
The BCI’s Definition of Business Continuity
The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Source: ISO 22301:2012
GPG Alignment to ISO 22301?
• Responsibilities of top management
• Setting strategic objectives
• Resources for business continuity
• The importance of the BIA and a stronger link to the organization’s approach to risks and threats
• Resource requirements, skills and competence of people involved
• Training, awareness and communications
• Document management
• Exercising and testing
• Monitoring performance and measuring the value of business continuity
PP1 – Policy and Program Management
Defines an organization’s policy relating to BC, and how it will be implemented, controlled and validated through a BCM program
• Setting BC policy and determining the scope of the BCM program
• Defining governance and assigning roles and responsibilities
• Implementing a BCM program, managing documentation using program and project management techniques
• Managing outsourced activities and supply chain continuity
PP1 – Policy and Program Management
The BCM program operates at three levels:
• Strategic – decisions are made and policy is determined
• Tactical – operations are coordinated and managed
• Operational – activities are undertaken
PP2 – Embedding Business Continuity
The Management Professional Practice that continually seeks to integrate BC into day-to-day business activities and organizational culture
• Organizational culture
• Skills and competence
• Managing a training program
• Managing an awareness campaign
PP3 – Analysis
Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates
• Business Impact Analysis (BIA)
• Threat analysis (includes risk assessment)
PP4 – Design
Identifies and selects appropriate strategies and tactics
• Continuity and recovery strategies and tactics
• Threat (risk) mitigation measures
• Incident response structure
PP5 – Implementation
Executes the agreed-upon strategies and tactics through the process of developing plan documentation
• Business continuity plans
• Developing and managing plans at a strategic, tactical and operational level
PP6 – Validation
Confirms the BCM program meets the objectives set in the BC policy and that plans are fit for purpose
• Developing an exercise program
• Developing and running exercises
• Maintenance of the BCM program
• Review of the BCM program
How does the GPG work in the real world?
Each problem below is paired with the GPG Professional Practice that addresses it.

Problem: Management engagement
Description: “My steering committee isn’t coming to meetings anymore, or they’ve delegated their role.”
GPG solution: PP1 – Policy and Program Management

Problem: Participation
Description: “The VP from Department X assigned his administrative assistant as his group’s planner.”
GPG solution: PP2 – Embedding Business Continuity

Problem: Focus
Description: “We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”
GPG solution: PP3 – Analysis

Problem: Proactive vs reactive (and scope)
Description: “We seem to be laser focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange that we seem to be predominantly focused on IT?”
GPG solution: PP4 – Design

Problem: Templates vs plans
Description: “No one seems to use the plans we’ve documented. And why do they all read the same, almost as if they’re templates?”
GPG solution: PP5 – Implementation

Problem: Measurement
Description: “We have 1000 plans, all updated in the last 12 months… but we’re not sure if we’re actually ready for a disaster.”
GPG solution: PP6 – Validation
BCI Horizon Scan
• The goal of the BCI has been to promote a more resilient world
• When the Institute celebrated its 20th anniversary in 2014, the focus was not on our past achievements but on our vision of the future
• From that vision emerged the BCI 20/20 Think Tank, a worldwide group of thought leaders with a passion to drive the profession forward
BCI 20/20 – two focal points
Advisory
• Help in shaping the profession
• Developing career opportunities for those who have chosen to pursue this field
Advocacy
• Raise the profile and value of business continuity and resilience
• Build the value of resilience into organizational strategies
• As professionals learn more and more about the threats and translate those threats into business risks – which includes how to work with senior executives to manage these risks – the real and perceived value of our efforts will only increase
Issues concerning the BCI in 2016
Excerpt from BCI Horizon Scan Report 2016
Business risks mirror BC concerns
A 2016 study of threats and business risks by insurer Allianz confirms that management’s concerns are in line with the evolving threats that we, as business continuity professionals, are facing – which is good news for executive sponsorship
Excerpt from Allianz Risk Barometer Top Business Risks 2016
Introduction to Horizon Scanning
As a key protective discipline, business continuity ensures organizational resilience by building an effective response to disruptive events.
Horizon scanning is a useful tool that can provide an objective perspective on threats and uncertainties that may lead to business disruption.
These conclusions inform – or even confirm – strategies undertaken by organizations to prepare for disruption.
Horizon Scan Report 2016 headlines
• Cyber attacks (85%), data breach (80%) and unplanned IT outages (77%) remain the top three threats facing organizations, with data breaches moving into second place in 2016
• The use of the Internet for malicious attacks (83%), the growing influence of social media (63%) and the loss of a key employee (56%) are the top three trends
• Investment levels for BC are up for more organizations (23%, from 18%), with more businesses using ISO 22301 as a framework for BCM implementation (52%, from 44%)
Top 10 threats worldwide
Excerpt from BCI Horizon Scan Report 2016
Investment trends in business continuity
Excerpt from BCI Horizon Scan Report 2016
Top 10 based on level of concern
Excerpt from BCI Horizon Scan Report 2016
Top 5 trends and uncertainties
Excerpt from BCI Horizon Scan Report 2016
Tracking threats
# 1 Cyber Threats
Ranked 1st were cyber attacks in both 2016 and 2015; they were ranked third in 2013 and second in 2014 (not surprising given all the incidents we hear about almost daily)
Most DRJ attendees agreed this was and is a major concern and acknowledged the close association with data breach, terrorism and security, increasing the relevance of this threat
How does this affect us as BC professionals?
• Recognition that this threat has IT availability and even business continuity implications
• Leverage crisis management and crisis communications processes in response
Tracking threats
# 2 Data Breaches
Ranked 2nd were data breaches, which ranked third in 2015
DRJ discussion surrounded the fact that data breaches come in many forms, both cyber / Internet related as well as the old-fashioned stealing of reports and copying of files to a flash drive
Data breach related exercises are a key focus of attendees, as is differentiating IT-related response plans from incorporating breach response into crisis management plans
How does this affect us as BC professionals?
• Leverage crisis management and crisis communications processes in response
• Facilitate adoption of strategies related to data privacy and protection
Tracking threats
# 3 Unplanned IT outages
Ranked 3rd were unplanned IT outages, which ranked second in 2015
Still a top 10 issue and an area of key focus in most IT DR and BC programs
While most respondents see emerging threats such as cyber and data breaches as more impactful, IT outages are still a major focus
Discussion among the DRJ attendees focused on the changing face of IT, as software as a service, cloud computing and outsourced IT change the landscape and require differing strategies, often outside of the organization’s direct control
How does this affect us as BC professionals?
• The evolution of IT services to external providers moves control outside our direct ability to manage
• Coordination of recoveries becomes more challenging across providers
Tracking threats
# 4 Terrorism
Moving from 10th in 2015 to 4th in 2016, terrorism has re-emerged for resilience and continuity professionals
This increase may be attributed to the recent terrorist attacks which occurred during the survey period
Most participants acknowledged the threat, and felt it was driving attention to incident response and crisis management plans, plus a focus on tracking
How does this affect us as BC professionals?
• Indirectly, recent events are creating protectionist measures impacting global operations and trade (Brexit)
• The local or regional nature of events creates access and credentialing issues
Tracking threats
# 5 Security Incident
Ranked 5th in the 2016 scan, which is up from 6th in 2015
Adding to the puzzle we mentioned earlier, along with cyber and data breaches, security is clearly an area of concern for organizations
Part of the senior-level discussions at DRJ had to do with organizational issues and the placement of security vs continuity and recovery in organizations
How does this affect us as BC professionals?
• Security events impact travel and facility availability
• No issue with placing BC within Security, as long as there is recognition that more than response is needed; business-aligned strategies are still necessary
The changing risk landscape
During a discussion at DRJ Spring in Orlando, the review of the Horizon Scan report drove numerous discussions regarding how different threats or scenarios could lead to a disruption, including:
• Treat the business risk rather than focus on the case… but there are exceptions
• The business environment can lead to business risk, not just traditional threats such as natural and man-made disasters
Risk mitigation ownership
The Horizon Scan session at DRJ also led to discussions regarding owning versus contributing to risk mitigation.
– For example, does/should the BC professional “own” data breach-related mitigation?
– Alternatively, is there a role the BC professional can/should play when it comes to data breach mitigation – and response?
Specific to many of the threats highlighted in the Horizon Scan report, and based on the contributions made by the DRJ Spring senior professionals, “ownership” is often based on the threat or risk.
– But beyond ownership, the BC professional can also serve as a cross-functional facilitator, with the objective of bringing diverse skill sets together to mitigate risk to a level consistent with the organization’s risk appetite
The discussion regarding ownership also led to a discussion on competencies, and what the BC professional needs to know to get involved in broader resiliency initiatives.
– Rather than being an expert in all risk disciplines, the BC professional needs a familiarity with different types of risks and where to go to seek assistance.
– More broadly, to be successful in managing or contributing to risk management, the BC professional needs a broad understanding of the business (products/services, customers, processes and resources), as well as skills specific to communications (oral/written), sales, and facilitation.
BCI’s statement on resilience
Resilience – the adaptive capacity of an organization in a complex and changing environment (ISO 22316)
• Business continuity is not the same as organizational resilience.
• The effective enhancement of organizational resilience will require a collaborative effort between many management disciplines.
• No single management discipline can credibly claim ‘ownership’ of organizational resilience, and organizational resilience cannot be described as a subset of another management discipline or standard.
• Business continuity principles and practices are an essential contribution for an organization seeking to develop and enhance effective resilience capabilities.
• The wide range of activities required to develop and enhance organizational resilience capabilities provides an opportunity for business continuity practitioners to broaden their skills and knowledge, building on the foundation of their business continuity experience and credentials.
The role of the BC Professional?
In the context of an ever-increasing focus on resilience and the engagement of multiple disciplines, what’s the business continuity professional’s role?
Owner / Facilitator / Participant
It depends on the risk or threat
Back to the Horizon Scan
Where do we fit into resilience?
A proposed job description
Responsibilities
• Increases the organization’s preparedness for disruptive incidents by implementing capabilities to enable the continuation of product and service delivery at acceptable predefined levels
• Collaborates with other disciplines to create a more resilient organization, taking ownership of assigned risks and participating as a team member in mitigating other risks
A proposed job description
Duties
• Engages management to establish appropriate business continuity requirements
• Enables the selection of effective capabilities to respond to and recover from disruptive incidents
• Leads the evaluation of response and recovery capabilities, as well as the development of the competencies necessary to plan and respond effectively
• Implements the processes necessary to drive continual improvement and manage the effects of organizational change
A proposed job description
Business Continuity Analyst
Business Continuity Leader
Resilience Professional
Skills
• Oral and written communications
• Inquiry
• Project management
• Sales (including relationship building)
• Strategic and tactical thinking
• Management (in general)
• Facilitation techniques
Enablers
• Knowledge of the organization and its resources
• Knowledge of the organization’s products and services and customer usage
• Knowledge of other management and risk disciplines
Summary
• Threats are real and expanding, leading to increased business risk
• These changes are leading to changes in our profession
Business Continuity Analyst
Business Continuity Leader
Resilience Professional
• Our success will be based on our knowledge of the organization and its business environment, including customers and their expectations
Join or connect with us today
@BCI_US_Chapter
BCI USA – The Business Continuity Institute US Chapter