
Delivering a Safer Society Business Continuity Management - Not just for “ Business ”



  1. Delivering a Safer Society
     Business Continuity Management - Not just for “Business”
     Michael Gallagher

  2. Business Continuity Management - Not just for “Business”
     • What is BCM?
     • What are the Drivers?
     • What is Status?
     • Features of good BCM
     • Relationship with Emergency Services
     • Developments in UK
     • Implications for Local Authorities
     • Not just a Plan

  3. • Two out of five enterprises that experience a disaster will go out of business within five years.
     • Enterprises can improve these odds – but only if they take the necessary measures before and after the disaster.
     Aftermath: Disaster Recovery, Gartner, September 2001

  4. 28% of UK businesses do not have a formal recovery plan.
     37% of the businesses that do have a disaster recovery plan have never tested it.
     Commercial Claims Survey, Deloitte & Touche, 2001

  5. Disaster tonight
     How confident? Are you comfortable?

  6. Usual excuses
     • It will never happen to us!
     • I’m sure we could cope
     • You can’t plan for the unforeseen
     • If we don’t have a disaster we’ve wasted money
     • Isn’t this why we have insurance?
     • We are used to things going wrong

  7. Business Continuity Management
     “The act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner” - Business Continuity Institute
     Not just about producing plan(s):
     • Risk Management - identification, evaluation & reduction
     • Creating awareness / culture
     • Communication
     • Exercising / testing and keeping plans up to date
     Computers - a major risk?

  8. 28% of UK Local Authorities did not have ICT security policies
     Socitm’s IT Trends in Local Government 2002/3

  9. Types of Risk
     • Strategic
     • Operational
     • External
     • Internal
     • Distribution
     • Customers

  10. “BCM is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
      BCI Good Practice Guidelines - Nov 2002

  11. The BCM Life Cycle (BCI) - diagram

  12. BCI 10 Certification Standards:
      • Project Initiation & Management
      • Risk Evaluation & Control
      • Business Impact Analysis
      • Developing Business Continuity Strategies
      • Emergency Response & Operations
      • Developing & Implementing BCPs
      • Awareness & Training Programmes
      • Maintaining & Exercising BCPs
      • Public Relations & Crisis Co-ordination
      • Co-ordination with Public Authorities

  13. Co-ordination with Public Authorities
      To establish applicable procedures and policies for co-ordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes and regulations.
      Role -
      • Co-ordinate emergency preparations, response, recovery, resumption, and restoration procedures with public authorities
      • Establish liaison procedures for emergency / disaster scenarios
      • Maintain current knowledge of laws and regulations concerning emergency procedures

  14. Phases in BCM
      • Project Initiation
      • Risk Identification
      • Business Impact Analysis
      • Develop Business Continuity Strategies
      • Plan Development
      • Plan Testing
      • Plan Maintenance

  15. Make it relevant -
      BCM is about ensuring that if your organisation experiences a disaster or other serious incident, you have already considered that possibility. You will have taken steps to reduce the risk of this happening and to minimise the impact if it does happen. You will have a plan in place with which all key managers are familiar, which has been tested, and which will enable your organisation to continue to function as close to normal as possible with the least disruption possible.
      Relevant to every type and size of organisation
      “What If” instead of “If Only”

  16. Evolution of BCM
      1970 - IT-DRP
      • Responsibility of DP Manager
      • More tolerant of downtime
      • Banks had own arrangements
      1980 - Commercial Recovery Sites
      • Portable Computer Rooms
      • Emphasis on response and recovery
      1990
      • Less tolerant of downtime
      • Technology changes
      • Increasing dependence on communications
      • Becomes BCP - includes the business processes
      • Emphasis on prevention
      • Y2K

  17. Evolution of BCM
      2000 - Becomes BCM
      • Responsibility of Business
      • Holistic - all disciplines working together
      • Closely aligned with Risk Management - danger of separate departments thinking that some threats and responsibilities are handled by someone else
      • 9/11 etc.

  18. Why is BCM Essential?
      • Regulatory Requirements
      • Turnbull - Corporate Governance
      • Data Protection
      • Confidence of suppliers and customers
      • Reputation
      • Business environment
      • Insurance is not enough

  19. Turnbull
      “The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”
      “The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management”
      Management - accountable to Board for monitoring and reporting on internal controls
      Employees - accountable for applying the controls; should have necessary knowledge and expertise to do so

  20. “The Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business based on an assessment and control of their significant risks. For many companies business continuity management will address some of these key risks and help them to achieve compliance.”
      Nigel Turnbull, Chairman, ICAEW Committee on the Guidance for Directors on Internal Controls

  21. Corporate Governance
      System by which businesses and organisations direct and control their functions and relate to their communities.
      Underpins:
      • Trust
      • Credibility
      • Confidence
      Why?
      • High-profile corporate financial scandals
      • Boardroom ethics / responsibilities
      • Kings Cross Fire
      • Herald of Free Enterprise

  22. Turnbull
      In determining policies, the board should consider the following factors -
      • Nature and extent of risk facing the organisation
      • Those risks considered as “acceptable”
      • The likelihood of risks materialising
      • Ability to reduce incidence and/or impact of risk
      • The cost benefits of risk control systems
      System for internal control should -
      • Include reporting of significant failings or weaknesses
      • Apply not just to listed companies

  23. Higgs Report, January 2003 - Review of the role and effectiveness of non-executive directors
      Cromme Code - Germany
      Bouton Report - France
      Smith Report - July 2003 - Company Audit Committees
      Sarbanes-Oxley Act 2002 - USA
      Privacy - Data Protection 1988 and 2003 Acts
      Responsibilities linked to IT Policies & Procedures

  24. Reputation
      Confidence of suppliers and customers
      “Trust and reputation can vanish overnight” - Alan Greenspan, Chairman, US Federal Reserve
      • Perrier - benzene
      • Ratners
      • Ford / Firestone - Explorer SUV - 100+ deaths - $Bns
      • AIB - Rusnak
      • Heineken - glass shards
      • Johnson & Johnson - Tylenol, cyanide, 7 deaths
      Speed, Openness, Commitment
      Commercial Union
      “Reputational risk is single biggest risk for financial institutions” - PwC / EIU Survey, July 2003

  25. Business environment
      • On-line 24 x 7 x 365
      • JIT
      • Supply chain pressure
      • Systems integration - ERP
      • Fewer points of failure - greater impact
      • Fewer workarounds
      • Knowledge

  26. Insurance
      Risk management and business continuity management are now embedded in the insurance purchase process. Insurers are now demanding good BCM practices.
      Only a part:
      • Provides finance
      • Will not keep customers supplied
      • Will not protect reputation / image
      • Cover for loss of profits?

  27. Essential to Success
      • Commitment from top
      • Sponsor
      • Formal establishment
      • Strategy / approach
      • Awareness / culture
      • Business Continuity Manager
      • Ownership with “business”
      • Regular reporting

  28. What is the Status of BCM in your Organisation?

  29. Significance of Score!
      Over 80 - Likely that effective BCM programme in place
      65 - 80 - If regulatory BCM requirements apply, unlikely that they are being met
      50 - 65 - Room for improvement; non-compliance with good governance requirements?
      Less than 50 - Work to be done

  30. Features of Good BCM
      • Simple
      • Quality not Quantity
      • Relevant and current
      • Not necessarily expensive

  31. Simple
      • Commonsense process
      • Realistic evaluation & management of risks
      • Understanding what the business consequences are if key facilities, processes or people are lost
      • Appropriate strategy to limit damage and recover as well as possible

  32. Risk Matrix
                                Impact
                            LOW        HIGH
      Probability  HIGH     Control    Prevent
                   LOW      Accept     Plan

  33. Risk Severity / Probability (chart)
      Severity axis: Catastrophic down to Insignificant
      Probability axis: Certain / Very Likely, Quite Probable, Very Unlikely, Improbable
      Example incidents plotted: Factory hit by aircraft, Major fire, Product recall, SAP down for 2 days, HR system down for 1 day, Employee accident, Theft

  34. Costs vs Investment (chart)
      Curves: Total costs, Incident costs, Prevention costs

  35. Quality not Quantity
      • No silver bullet
      • Process as important as plan
      • Documentation must be “right”
      • Fit with “culture”
      • Flexible crisis plans
      • Quality crisis management team - react quickly & effectively
      • Software not the easy answer
      • Successful BCM not related to size of plan

  36. Avoid unnecessary detail
      • Unusable
      • Ignored in crisis
      • Updating difficult
      Instructions to a minimum:
      • Action points
      • Issue on need-to-know basis
      • Relevant sections

  37. Relevant and current
      • An irrelevant or out-of-date plan is worse than no plan
      • Not a token plan
      • Ownership - responsibility
      • Use of software?
      Not necessarily expensive
      • Time
      • Consider at planning stage
      • SMEs at risk

  38. BCM Working Group
      • Insurance
      • Physical security
      • IT
      • Communications - voice & data
      • PR
      • HR / Health & Safety
      • Building Services / infrastructure / property / office services
      • Transport / Distribution
      • Finance
      • Procurement
      • Legal
      • Internal Audit
      • Customer Service
      • Sales & Marketing
      • Production

  39. Essential elements
      • Plan invocation
      • Crisis management team
      • Contact details
      • Business processes to be recovered - priorities, how, where, timescales
      • Recovery steps
      • Communications - media, staff, business partners

  40. Emergency Services
      • BC Plans prepared in isolation
      • Who to contact? Whose role is it to liaise? How?
      • Experts - understand roles, work closely
      • Fire Services - Manchester in March

  41. UK Civil Contingencies Bill
      • Supports UK Government’s Integrated Emergency Management approach - “an all-embracing approach to handling disasters”
      • Local responders will deliver civil protection based on risk management, emergency planning, business continuity, and warning and informing the public.
      • For BC professionals - may act as catalyst for greater co-operation and collaboration with those involved in planning for, and responding to, emergencies.

  42. UK Civil Contingencies Bill
      • Duty to assess, plan and advise
      • Requires the development of BCPs which each Category 1 responder will rely on to ensure the continuity of its ability to discharge its functions in the face of an emergency
      • Cat 1 responders are required to arrange to make certain information, risk assessments and plans available to the public.
      • LAs have a duty to promote business continuity management - “shall provide advice and assistance to the public in connection with the making of arrangements for the continuance of commercial activities by the public in the event of an emergency”.

  43. Governance and Local Authorities
      • UK - Framework and Guidance
      • Local Code of Corporate Governance by end March 2002
      • Risk Management one of 5 core elements of Corporate Governance
      • Annual report in Financial Statements from 2002/2003
      • In BVPP (Best Value Performance Plan) for 2003/2004

  44. The hard part of BCM is not creating the plan - it is keeping it up to date
      • Reorganisations and reshaping
      • Transformation and rationalisation
      • Mergers and acquisitions
      • Rate of technological change
      • Increased sophistication of ICT
      • JIT
      • Outsourcing
      • Working practices
      • Staff turnover, redundancies
      • Hot-desking / virtual office
      Be clear on ownership - part of annual appraisal process

  45. Common Weaknesses
      • Inadequate management support
      • Insufficient financial support
      • Narrow view
      • Responsibilities unclear
      • Inappropriate ownership
      • Not everyone involved
      • Plan stops at site gate
      • Poor risk analysis / BIA
      • Inadequate training / awareness
      • Inadequate testing
      • Balance overview / detail not right
      • Not up to date
      • Not accessible or relevant when required

  46. Sources of information
      • Business Continuity Institute - www.thebci.org.uk
      • Emergency Planning Society - www.emergplansoc.org.uk
      • Survive - www.survive.com
      • Continuity Central - www.continuitycentral.com
      • PAS56 - www.bsi-global.com
      • Federal Emergency Management Agency (FEMA) - www.fema.gov

  47. Sources of information
      • London Emergency Services Liaison Panel - www.leslp.gov.uk
      • UK Government Emergency Response Site - www.ukresilience.info
      • Business Continuity Management - How to Protect your Company from Danger, Financial Times / Prentice Hall - www.briefingzone.com
      Michael Gallagher - gallagml@iol.ie
