Business Continuity Management Standards

Lawrence Cox, PNA, FTIA, FFIN, AIMM, MBCI

24th March 2009

LIC Business Continuity Advisory Services


Agenda

Background.

Current Standards.

Is there a need for an Australian / International Standard?

With so many Standards (or Guidelines) to choose from how can you ensure your BCM Framework delivers best practice value?

What role can BCI and Continuity Forum play in Supporting you and your organisation?


Background

Since the mid 1900s we have seen a significant change in scope from:

an initial limited focus on Disaster Recovery (mainly based around natural disasters),

the heady days of Information Technology, increasing reliance on IT and a new need for IT DRP,

necessary expansion to cover shortcomings in addressing business contingencies outside of IT,

increased attention to identifying and planning for other potential business interruptions,

to Business Continuity Management (BCM).

In terms of BCI’s GPG 2008, Business Continuity Management (BCM) is defined as: “A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”.

The current desire to move from BCM to Organisational Resilience is dependent on the function of the organisation’s overall Situation Awareness, Management of Keystone Vulnerabilities and Adaptive Capacity within its complex, dynamic and interdependent environment.

Resilience is not something you do…it is something you are. (Dr. Erica Seville)


[Figure: evolution of scope, from Disaster Recovery Planning (DRP) to IT Disaster Recovery Planning (DRP), Business Contingency Planning (BCP), Business Continuity Planning (BCP), Business Continuity Management (BCM) and finally Organisational Resilience]

[Figure: Resumption vs Continuity]

[Figure: BCM Lifecycle (Original AUS BCM Guide)]

[Figure: BCM Lifecycle (UK PAS 56)]


Current Standards

Regulators in recent times have reacted in response to significant changes in Market Conditions, Market and Community Expectations with a range of new or revised standards including:

ISO/PAS 22399:2007 Societal Security – Guideline for incident preparedness & Operational Continuity Management.

ISO 27002 Information Technology Security (includes BCM requirements).

AS/NZS 4360:2004 Risk Management.

AS 3745:2002 Emergency Control organisation & procedures for buildings, structures & work places.

BS 25999-1:2006 Business Continuity Management Part 1 Code of Practice.

BS 25999-2:2007 Business Continuity Management Part 2 Specification.

BS 25777:2008 Information & Communications Technology Continuity Management. Code of Practice.

NFPA 1600:2007 Disaster / Emergency Management & Business Continuity Programs.

CSA Z1600 Standard on Emergency Management & Business Continuity Programs.

SS 540:2008 Singapore Standard for Business Continuity Management (BCM).

TR 19:2005 Technical Reference for Business Continuity Management.

ASIS International Organisational Resilience Preparedness & Continuity Management Best Practice Standard.

APRA APS 232 Business Continuity Management, APRA APS 231 Outsourcing & APRA APS 221 Related Entities.


Other Legislative Requirements

In addition to the Standards there has also been a strengthening of other Legislative requirements including:

Corporations Act Section 180 Directors’ duties and obligations, negligence and due diligence.

Title IX – Private Sector Preparedness 2007: in addition to Preparedness Guidance and recommendations, calls for a voluntary preparedness certification program.

Superannuation Industry (Supervision) Regulations 1994 (Cth) Regulation 4.15 Adequacy of resources operating standard, adequacy of technical resources including Business Continuity Planning.

SIS Act Part 3 Licensing requirements for regulated superannuation funds, approved deposit funds and pooled superannuation trusts.

Australia: expanded requirements for Essential Services & Critical Infrastructure Protection.

UK Civil Contingencies Act 2004 and Negligent Homicide Provisions.

Sarbanes-Oxley Act 2002 and other changes to Corporate Governance Legislation.

Occupational Health & Safety: numerous changes to safe work place requirements.


Supporting BCM Guidelines

Numerous supporting BCM Guidelines have also been published and include but are not limited to:

ISO N30 Risk management — Vocabulary — Guidelines for use in standards

HB 436:2004 Risk Management Guidelines (companion to AS/NZS 4360:2004)

HB 167:2006 Security Risk Management

HB 205:2004 OHS Risk Management

HB 221:2004 Business Continuity Management

HB 292:2006 A Practitioner’s Guide to Business Continuity Management

HB 293:2006 Executive Guide to Business Continuity Management

HB 299:2008 Workforce Planning

ITIL Information Technology Infrastructure Library

APRA AGN Risk Assessment and Business Continuity Management

APRA Information Paper 2006 Pandemic Planning

BCI Good Practice Guide 2008

DRII Professional Practice for Business Continuity Planners

CB027:2002 A handbook on Business Continuity Management

FFIEC Business Continuity Planning IT Examination Handbook

MAS Business Continuity Management Guidelines

HKMA Business Continuity Planning Guidelines

ANO Business Continuity Management Better Practice Guide

BIS High Level Principles for Business Continuity

and so the list goes on and on and on !!!!!


Is there a need for an Australian / International Standard?

In my view the answer is “YES”. There is a clear need to enhance the focus on, the consistency of and the standardisation of terminologies, methodologies, practices and requirements globally.

There is simply no one Silver Bullet! What is the right (best) way? As we have noted earlier there is currently a multitude of different practices, standards, guidelines and other material that is available to Practitioners, Organisations, Regulators and Auditors etc leading to potential confusion, inconsistencies, conflict, complacency and poor practices. It simply remains too easy for organisations to ignore sound BCM requirements in their pursuit of shorter term (often unsustainable over the longer term) business goals.

Additionally whilst we may all use the same terms, the actual usage / meaning of those terms can vary significantly across organisations. E.g. BCP Resource RTO vs. IT DRP RTO.

Depending on the Industry and the extent of your International Operations there can be a wide range of, and sometimes competing, standards and guidelines, all of which need to be complied with.

Global Practitioners and Organisations need a consistent terminology & methodology to enable them to satisfy:

Regulatory Drivers

Legislative / Statutory Drivers

Competing Business Drivers

Increasing Market / Stakeholders / Community Expectations


What additional Value would an ISO Provide?

Would provide a common framework (including terminology) based on Internationally recognised and accepted best practices for developing, implementing, managing and compliance assuring BCM.

Avoid the increasing pressure on individual Governments and Regulators from having to develop and impose additional Legislative and Regulatory requirements to address current perceived shortcomings.

Enhance organisational understanding of the underlying need for and the resulting organisational benefits arising from embracing and implementing BCM as part of a proactive management program.

Best Practice provides common goals and objectives to Organisations of any type or size to enhance their overall level of Organisational awareness, operational effectiveness and end competitiveness.

Compliance / Certification would help to:

Protect and enhance an organisation’s reputation and brand not just locally but internationally.

Attract new customers and/or open additional / alternative market opportunities.

Ensure compatibility and compliance with other regulatory requirements.

Identify opportunities for ongoing operational / risk management improvement.


Why an Australian Standard?

Given the delays in the final approval and implementation of ISO/FDIS 31000 Risk Management – Principles & Guidelines (ETA June 2009), coupled with the considerable debate across countries as to the role of and need for a separate BCM standard, it is likely to take some time before agreement can be reached across member countries on a suitable ISO standard for Business Continuity Management.

Whilst we have comprehensive Australian BCM Guidelines, without an AS/NZ BCM standard it is considered that Australia would be placed at a potential disadvantage to other member countries who currently have, and are pushing forward, their own BCM Standards for ISO adoption.

The proposed AS/NZ Standard has been designed to enhance the linkage and acceptance with Risk Management and thus complements the proposed ISO 31000 Risk Management Standard (which has been largely based on AS/NZS 4360), and provides a sound base for Australia/New Zealand to influence the direction and composition of any future ISO BCM standard.

The AS/NZ BCM Standard is based on three Parts:

AS/NZ Standard for BCM: Part 1 Business Continuity Management System Specification

AS/NZ Standard for BCM: Part 2 Business Continuity Management Practice Standard

AS/NZ Standard for BCM: Part 3 Business Continuity Management audit and assurance Standard


[Figure: BCM Standards Relationships & Implementation (Draft AS/NZS 5050.1:200X BCM Standard)]


With so many Standards (or Guidelines) to choose from how can you ensure your BCM Framework delivers best practice value?

BCM should be a key component of your Corporate Governance (Risk Management) Practice. The relevant Standards and Legislative requirements need to be identified, reviewed and used to provide a sound base / content for development of the Organisation’s BCM Policy and supporting Framework.

The BCM Policy, Framework and supporting process needs to cover the entire planning cycle and ensure that it provides Management, practitioners, novices and auditors guidance and standards including:

What – Process specifications for a sustainable business continuity management system (BCMS)

Why – Legal, Regulatory, Sound Corporate Governance, Business Resilience etc.

How – Methodologies, guidelines and actual sustainable mechanics and tools

Who – Code of Practice and Certification Programs

Audit – Compliance and Quality Assurance Standards

The Policy and Framework needs to be flexible enough to be relevant to the entire Organisation, its operating environment and Regulatory requirements to ensure the sustainability of the BCM program and thus the ongoing Resilience of the Organisation. It should provide:

the context in which it is implemented and maintain the required methodology and capabilities

demonstrable commitment from the organisation’s executive regarding BCM

a basis for communicating widely to all staff regarding BCM

ownership and integration into the organisation as an embedded management process

[Figure: BCMS Lifecycle (BS 25999-2:2007 BCM Std)]

[Figure: BCMS Cycle (Draft AS/NZS 5050.1:200X BCM Standard)]

[Figure: The interrelationships of the BCM principles, framework and processes (Draft AS/NZS 5050.2:200X BCM Standard)]

[Figure: BCM Framework (Draft AS/NZS 5050.2:200X BCM Standard)]

[Figure: BCM Process (Draft AS/NZS 5050.2:200X BCM Standard)]

[Figure: BCM Life Cycle (BS 25999-1:2006 BCM Std)]

[Figure: BCM Process (Singapore SS 540:2008 BCM Std)]

[Figure: BIA Process (Draft AS/NZS 5050.2:200X BCM Standard)]

[Figure: BCM Activities (Draft AS/NZS 5050.2:200X BCM Standard)]

[Figure: BCM Incident Timeline (BS 25999-1:2006 BCM Std)]


How can you ensure your BCM Framework delivers best practice value?

Review any existing research and BCM benchmarking material and undertake self Compliance / Benchmark rating review against these and your Policy and Standards.

Undertake the BCI Benchmark (powered by Inoni Limited).

Seek opportunities to participate in any available Industry or broader BCM working groups and in particular BCM Benchmarking Opportunities.

Where possible identify and review the policies, practices and capabilities of:

Local Market leaders in your own Industry – Who do the Local Regulators see and espouse as the benchmark?

International Market leaders in your own Industry – Who do the Local or International Regulators see and espouse as the benchmark?

Local Market Leaders in compatible industries?

International Market Leaders in compatible industries?

Key Suppliers / Customers?

Where necessary seek assistance in the compliance and benchmark review of your BCM capabilities by an independent Certified / Accredited BCM Practitioner / Auditor.


What role can BCI and Continuity Forum play in Supporting you and your organisation?

Both BCI and Continuity Forum have been working over the last few years to develop and introduce a range of products and services to benefit both Members and non members. A cooperation agreement between Continuity Forum and the Australasian Chapter of the Business Continuity Institute (BCI) was recently completed. The purpose of this agreement is to encourage information exchange within membership of both organisations and to ensure better integration of resources and activities, and more effective representation of the business continuity industry in the Australia-New Zealand region.

BCI membership is aimed at individual BCM practitioners and its products and services include:

BCI Professional Certification and Membership,

BCI Accredited Facilitator Led Training and BCI E Learning Programs

BCI Benchmark (powered by Inoni) anonymous, secure & free to professional members & partners of BCI

BCI Continuity Magazine, BCI Good Practice Guide,

Web site - Publications Resource Centre, BCI Film Resources Library, Fire and Flood Toolkits,

BCI Forums, Workshops, Member & SIG Meetings, member directory and support services.

Continuity Forum membership is aimed at the organisational level and its products and services include:

Corporate Membership,

Facilitator Led Training Workshops

BCM Surveys and Benchmark

Web Site - Continuity Forum Newsletter, Reference Resource Centre, Supplier Directory

BCM Forums, Workshops, Member & SIG Meetings, member directory and support services.


Thank You!

For further information please contact:

Lawrence Cox, PNA, FTIA, FFIN, AIMM, MBCI

LIC Business Continuity Advisory Services

P O Box 359, Patterson Lakes Vic 3197

Telephone: 0417501099

Email: [email protected]

www.thebci.org.au www.continuity.net.au