Business Continuity Management chapter 1: an overview Diane Christina

DESCRIPTION

An Overview of BCM

Page 1: Business Continuity Management

Business Continuity Management
chapter 1: an overview

Diane Christina

Page 2: Business Continuity Management

Prepared by Diane Christina @2009

Objective of this chapter

• Introduce risk management and business continuity management as part of good governance
• Develop the link between risk management and business continuity management as part of a risk management framework

Page 3: Business Continuity Management

Material references

• A risk management approach to business continuity: Aligning business continuity with corporate governance, Julia Graham & David Kaye, 2006, Chapter 1-3
• COSO Enterprise Risk Management Framework: 2004
• Standards Australia: AS/NZS 4360: 2004
• PAS 56:2003 – Guide to BCM: BSI: March 2003
• Expecting the Unexpected: www.london-first.co.uk: 2003
• Aligning Business Continuity and Information Security: Special Project Report, 2006
• Dr. Goh Moh Heng, 1st ed. 2007, Managing & Sustaining Your Business Continuity Management Program
• Dr. Goh Moh Heng, 1st ed. 2004, Implementing Your Business Continuity Plan
• Andrew Hiles, 1st ed. 2002, Enterprise Risk Assessment and Business Impact Analysis

Page 4: Business Continuity Management

Risk Managing Today

The essence of risk management is

A BALANCING ACT

Getting the balance right between taking and exploiting risk

Page 5: Business Continuity Management

Risk Managing Today

The challenge for management is to create an environment that facilitates the identification and tight control of the negative risks, while nurturing an environment that allows for the identification and conversion of opportunities, and to determine how much uncertainty an organization is prepared to accept (risk tolerance)

Page 6: Business Continuity Management

Risk Management vs Business Continuity Management

In managing risk,
• Do we have control over the outcome?
• Do we have control on the linkage between effect and cause of risk?

[Diagram labels: Maximize Controllable Area; Minimize Uncontrollable Area; Insurance; Outsource; Others Mitigation Tools; Transfer the risk; BCM; BCM as alternative mechanism for risk mitigation]

Page 7: Business Continuity Management

Business Continuity Management

• As potential key control to minimize the impact of disasters on the organization, its people, and assets
• As an alternative mechanism for risk mitigation
• As a contributor to business resilience in organizational processes to business disruption

A STRATEGIC MANAGEMENT PROCESS TO IDENTIFY POTENTIAL INCIDENTS AND DEVELOP EFFECTIVE RESPONSE PLANS

- BCM Institute -

Page 8: Business Continuity Management

Business Continuity Management

A HOLISTIC MANAGEMENT PROCESS THAT IDENTIFIES POTENTIAL IMPACTS THAT THREATEN AN ORGANIZATION AND PROVIDES A FRAMEWORK FOR BUILDING RESILIENCE AND THE CAPABILITY FOR AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE INTERESTS OF ITS KEY STAKEHOLDERS, REPUTATION, BRAND, AND VALUE CREATING ACTIVITIES

- BCI PAS 56 -

Page 9: Business Continuity Management

Business Continuity Management

• BCM is not just a response
  also building resilience to strengthen an organization
• BCM is not just about fighting fires
  also developing an understanding of what might be at risk and developing strategies if things do go wrong
• BCM is not just about having plans to recover a business that are over elaborate
  also about having plans that suit the nature of your business
• BCM is not an add-on to business
  To be effective, it must be an embedded management process, as part of risk management and part of good business management

IT’S A PROACTIVE PROCESS THAT CONCENTRATES ON CRITICAL RESOURCES REQUIRED TO CONTINUE KEY BUSINESS PROCESSES, REGARDLESS OF THE EVENT

Page 10: Business Continuity Management

What is Business Continuity Planning?

The main purpose of the BCP process is to ensure continuity of product / service delivery following an unplanned disruption to normal working.

“An ongoing process that helps organisations anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect.”

Civil Contingencies Act 2004

Page 11: Business Continuity Management

BC incidents

Page 12: Business Continuity Management

Successful recovery or failure?

[Chart: level of business plotted against time, with a critical recovery point marked. Curves: A – Fully tested effective BCM; B – No BCM – lucky escape; C – No BCM – usual outcome]

Page 13: Business Continuity Management

Understand your business

• What functions are critical?
• What are the ingredients of those functions?
• What is the impact of them being disrupted?
  Internally
  Externally
• How long could you cope without them?

Page 14: Business Continuity Management

Identify Risk - What if????

• Fire
• Crime – theft / damage
• Flood
• Power disruption
• IT failure
• Staff shortage
• Road network disruption / fuel problems
• Severe weather
• Reputation loss / customer confidence

Page 15: Business Continuity Management

Consequences

• Loss of premises
• Loss of essential information
• Loss of staff
• Loss of a key supplier
• Loss of specialist equipment
• Disruption to finance flow
• Loss of company reputation

Page 16: Business Continuity Management

Risk Strategies

Identify and evaluate risk mitigation options
• Reduce likelihood
• Reduce impact

Page 17: Business Continuity Management

Risk mitigation examples

• I.T procedures back up information off site
• Physical security
• Fire prevention, alarm and suppression systems.
• Flood protection (internal & external)
• Alternate communications

Page 18: Business Continuity Management

Recovery Strategies

• Business Continuity Plans.
• Other disaster recovery plans & procedures.
• Plans kept on and off site.

Page 19: Business Continuity Management

Case Study

• The Auckland Power Failure: Auckland, New Zealand, 1990
• The Manchester Bombing: Manchester, UK, 1996
• The Ladbroke Grove Rail Disaster: London, UK, 1999
• The Marriott and Ritz Carlton: Jakarta, Indonesia, 2009

• Brief description of the event
• Key lesson to be learned in relation to minimizing the impact of disasters on the organization, its people, and assets
• Maximum 2 pages A4, 1.5 line spacing, 11 font size