Slide 1: BUSINESS CONTINUITY MANAGEMENT USING THE NEW BRITISH STANDARD – BS25999
John Sharp FBCI (Hons) FCMI MCIM, Principal Consultant, Kiln House Associates Ltd
KHA Ltd © 2008
Slide 2: John Sharp FBCI (Hons) FCMI MCIM
- 1997 until 2004: CEO of the Business Continuity Institute
- Chair of the team that produced the BSI Guide to BCM (PAS 56) and Member of the Technical Committee for BS25999 and BS25777
- Member of the UK Metropolitan Police BCM Board
- Member of the team that produced BCM guidance for the UK Civil Contingencies Act
- Associate Course Director – UK Emergency Planning College
- UKAS Technical Expert – BS25999-2
- Chair of Audit Committee - University of Wolverhampton
Slide 3: Why a BCM Standard was Needed
- Business Continuity Plans are only really ‘tested’ when used in a real invocation
- Evidence of organisations failing despite having BCPs:
  - Plans not exercised
  - Plans not kept up to date
  - People not trained or made aware of the BCP
  - Low levels of senior management commitment
  - Too many plans written to get a ‘tick in the box’
Slide 4: Why a BCM Standard was Needed (continued)
- Growing threat levels
- Complex supply chains
- Outsourcing
- UK national infrastructure dependent upon commercial and voluntary organisations
- International nature of trade
- Auditors’ lack of understanding of BCM
- Demands from regulators, insurers and customers
Slide 5: Development of the BCM Standard
- 1997 – Professional practice standard exists in the UK and US
- 1999 – Development of a uniform assessment of BCM for Y2K
- 2001 – FSA requires BCM ‘good practice’ guidelines
- 2002 – BCI publishes the BCI BCM Good Practice Guidelines
- 2003 – Publication of PAS 56 by BSI
- 2006 – BSI publishes BS25999-1 in November
- 2007 – BS25999-2 published in November
- 2008 – UKAS pilot accreditation scheme for certification
Slide 6: Key Elements of the Standard
- BCM is based on a ‘lifecycle’ – it is a continuous process
- Must become part of the organisational culture
- Commitment from the top, and throughout the organisation
- Based on impacts – not threats
- As much about prevention as recovery
- BCM must be proven by exercise and lessons learnt
- BCM must be maintained in a changing environment
- A specification against which certification can be achieved
Slide 7: The Business Continuity Management Lifecycle (BS 25999-1 2006)
Diagram of the lifecycle; its elements are:
- BCM Programme Management
- Understanding the Organization
- Determining BCM Strategies
- Developing and Implementing a BCM Response
- Exercising, Maintaining & Reviewing
Slide 8: Stage 1 - Establish a Business Continuity Management System
- Why are you introducing BCM?
- What are the requirements for BC, taking into account:
  - Organisation’s objectives
  - Obligations - legal, regulatory, contractual
  - Interests of key stakeholders
  - Scope of BC in terms of products and services
Slide 9: External Drivers
(Chart: CMI Research 2008)
Slide 10: Environmental Analysis (STEEPLE)
Diagram of the Organisation surrounded by the STEEPLE factors: Social, Technological, Economic, Environmental, Political, Legal, Ethical
Slide 11: Stakeholders
- Who are they?
  - Shareholders, Students, Customers, Employees and Suppliers
  - Regulators, Financial Investors, Insurers, Auditors, Professional Bodies, Trade Associations, Government Departments
  - Competitors, the Community, Media and ‘Vested Interest’ Groups
- What are their requirements and perceptions?
Slide 12: Scope
- Determining the scope of the BCM is a vital first step.
- Factors that influence scope are:
  - The size and complexity of the organisation
  - The needs of customers/clients, regulators, auditors, insurers and investors
  - The type of activity undertaken
  - The environment and location of operation
  - Organisation’s objectives
Slide 13: Programme Management
- A BCM policy statement
- Ongoing support from the top of the organisation
- BCM structure – roles & responsibilities
- Adequate resources to deliver BCM
- Effective management and control of documentation and records
- An assurance process – KPIs
- System for continuous improvement (PDCA)
Slide 14: The Plan-Do-Check-Act (PDCA) model (BS25999-2)
(Diagram of the PDCA cycle)
Slide 15: Embedding BCM into the Organisation’s Culture
- Train appropriate staff
- Raise awareness
- Communicate:
  - Why BCM is being introduced
  - What is being done and when
  - Benefits that accrue to ALL
- Inform stakeholders
- Ongoing support from the Executive
Slide 16: Stage 2 - Understanding the Organisation
What is critical to the organisation at the time of disruption?
Slide 17: Understanding the Organisation
- What are the key services & products?
- What are the critical activities?
- What processes are used to deliver critical activities?
- Who and what is used in these processes?
  - Internally
  - Externally
- The impact if key services & products are disrupted – for whatever reason
- The Maximum Tolerable Period of Disruption - MTPoD
Slide 18: Maximum Tolerable Period of Disruption (MTPoD)
The duration after which an organisation’s viability (either financially or through loss of reputation) will be irrevocably threatened if delivery of a particular product and service cannot be resumed.
Slide 19: Key Services and Products
- Not all services and products are critical
- Some services and products are seasonal
- Some are exceptional – e.g. emergency management
- Criticality is determined by drivers and stakeholders
- The impact on the organisation if the service or product is disrupted will influence the criticality
- The organisation’s risk appetite affects criticality
- Critical rating must be ‘signed off’ by the top management
Slide 20: Mapping Resources to Critical Activities
Matrix mapping each critical activity to the resources it depends on:
- Activities: Post Graduate Programmes, Research, Third Leg Activities, Degree Programmes
- Resources: ICT, Suppliers, People, Facilities
Slide 22: Risk Assessment
- Identify single points of failure:
  - People
  - Information technology
  - Premises
  - Plant & machinery
  - Suppliers
- Consider the vulnerability of critical resources
- Consider the security of these resources
- Can you reduce the vulnerabilities and improve security?
Slide 23: Stage 3 – Determining BCM Strategies
What can the organisation do if key services and products are disrupted?
Slide 24: Strategy Options
The Organisation’s Approach to Determining BCM Strategies should:
- be to implement appropriate measures to reduce the likelihood of incidents occurring and/or reduce their impact if they do;
- provide continuity for its key products and services and supporting activities during and following an incident;
- take account of those products and services and their supporting activities that have not been identified as critical.
(BS 25999-1 2006)
Slide 25: Strategy Options
The most appropriate strategy or strategies will depend on a range of factors such as:
- The maximum tolerable period of disruption (MTPoD) of the service
- The cost of implementing the strategy or strategies
- The consequences of inaction
Slide 26: BCM Strategies Must Cover:
- People
- Premises
- Technology
- Information
- Supplies
- Stakeholders
Slide 27: BCM Strategies
- Cannot fail – full availability
- How soon to recover - recovery time (RTO - within the MTPoD)
- At what level of recovery - recovery point
- Do nothing – accept the risk (Health warning!)
- Signed-off strategies to meet obligations
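As an added illustration, not part of the presentation, the following Python script applies two of the deck's rules to a constructed inventory: a resource that a critical activity depends on and that has no alternative is a single point of failure (the Risk Assessment slide), and a strategy whose recovery time (RTO) is longer than the activity's MTPoD does not meet the requirement on the slide above. The university, its activities, the resource categories, the hour values and the `alternatives` counts are all assumed sample data.

```python
# Added example (not from the presentation): a small BIA-style consistency
# check over constructed data. Two rules are applied:
#   1. a resource with no alternative that a critical activity relies on is a
#      single point of failure (Risk Assessment slide);
#   2. a critical activity's RTO must sit within its MTPoD (BCM Strategies slide).
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    category: str        # People, ICT, Premises, Plant, Suppliers
    alternatives: int    # independent alternatives in place; 0 means no fallback


@dataclass
class Activity:
    name: str
    critical: bool
    mtpod_hours: int     # Maximum Tolerable Period of Disruption
    rto_hours: int       # Recovery Time Objective the chosen strategy delivers
    depends_on: list = field(default_factory=list)   # names of Resource entries


# Constructed sample inventory for a fictional university; every value is illustrative.
RESOURCES = {
    "Main Campus": Resource("Main Campus", "Premises", alternatives=0),
    "VLE": Resource("VLE", "ICT", alternatives=1),                 # assumed hosted standby
    "Lecturers": Resource("Lecturers", "People", alternatives=1),  # assumed cross-trained cover
    "Lab Building": Resource("Lab Building", "Premises", alternatives=0),
    "Research Data Store": Resource("Research Data Store", "ICT", alternatives=0),
}

ACTIVITIES = [
    Activity("Degree Programmes", True, mtpod_hours=72, rto_hours=48,
             depends_on=["Main Campus", "VLE", "Lecturers"]),
    Activity("Research", True, mtpod_hours=168, rto_hours=240,
             depends_on=["Lab Building", "Research Data Store"]),
    Activity("Third Leg Activities", False, mtpod_hours=336, rto_hours=500,
             depends_on=["Main Campus"]),
]


def single_points_of_failure(activities, resources):
    """Map each resource with no alternative to the critical activities relying on it."""
    spof = {}
    for act in activities:
        if not act.critical:          # non-critical activities do not create SPOFs
            continue
        for rname in act.depends_on:
            if resources[rname].alternatives == 0:
                spof.setdefault(rname, []).append(act.name)
    return spof


def rto_exceeds_mtpod(activities):
    """Critical activities whose strategy recovers too slowly to stay within the MTPoD."""
    return [a.name for a in activities if a.critical and a.rto_hours > a.mtpod_hours]


def strategy_report(activities, resources):
    """Plain-text findings a BCM team could take to the strategy sign-off meeting."""
    lines = []
    for rname, acts in single_points_of_failure(activities, resources).items():
        category = resources[rname].category
        lines.append(f"SPOF ({category}): {rname} supports {', '.join(acts)}")
    for name in rto_exceeds_mtpod(activities):
        act = next(a for a in activities if a.name == name)
        lines.append(f"RTO breach: {name} recovers in {act.rto_hours}h "
                     f"but MTPoD is {act.mtpod_hours}h")
    return lines


if __name__ == "__main__":
    for line in strategy_report(ACTIVITIES, RESOURCES):
        print(line)
```

Run as a script it lists the three single points of failure in the sample and the one activity (Research) whose strategy cannot meet its MTPoD; in practice the inventory would come from the resource-to-activity mapping produced in Stage 2.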
Slide 28: BCM Strategies
In general you should consider 4 high level scenarios and what alternative working arrangements could be made if:
- You cannot gain access to the building
- A high percentage of the staff are unavailable
- The ICT systems are unavailable
- A key supplier/partner is disrupted
Slide 29: BCM Strategies
What is needed to make strategies work?
Slide 30: BCM Strategies must:
- Recognise critical functions, dependencies and single points of failure
- Enable the organisation to perform critical activities
- Allow decisions to be taken by responsible managers
- Be signed off by senior management
Slide 31: Stage 4 - Developing & Implementing a BCM Response
Incident Management & Business Continuity Planning
Slide 32: Incident Response Structure
What is needed to deal with a disruptive incident?
Slide 33: Plan Invocation
Establish procedures for determining when a disruption has occurred and how the BCPs will be invoked:
- Identify the person(s) who determine whether a disruption has occurred
- Specify the procedure to be used
- Specify who should be consulted
- Specify who should be informed
Slide 34: Invocation Teams
- The organisation must move at the speed of the incident to prevent a crisis occurring
- Separate teams to cover:
  - The major incident
  - Continuity of the organisation’s key services & products
- The team structures should reflect the normal organisational structure
Slide 35: Incident Management
The BCM team structures should mirror the incident management structures
(Diagram: THINK, PLAN, DO)
Slide 36: Communications Management
- Regularly update senior management
- Keep the students/customers informed
- Mechanisms to inform employees
- Keep other stakeholders informed
- Ensure the media are briefed
Slide 37: Information Management
- Collate situation reports
- Access to contact details
- Access to staff records
- Insurance policies, SLAs, contracts
- Monitor the media
- Maintain a log of decisions, activities and actions
Slide 38: Resolving Conflicts
- Resources will be limited
- All managers believe their areas are critical
- Decisions about priorities should be made at the planning stage and not at the time of the emergency
- However, every situation is different, therefore a mechanism must exist to adjust BCPs accordingly
- A high level BCM team must be empowered to determine priorities
- The BCM team should be assembled from people who understand and represent the organisation
Slide 39: Incident Response Structure
The incident response structure must enable personnel to:
- be capable of confirming the nature and extent of the incident, and manage the incident;
- be responsible for triggering an appropriate business continuity response;
- have access to plans, processes and procedures to manage an incident;
- have plans for the activation, operation, coordination and communication of the incident response;
- have resources available to support the plans, processes and procedures to manage the incident.
Slide 40: BC Planning
- Cover critical products & services as specified in the scoping document
- High level plans
- Departmental plans
- Unit plans
Slide 41: BC Planning
(Diagram of the plan hierarchy: Corporate Plan, Dept Plan, Unit Plan)
Slide 42: BC Planning
- Cover critical services
- High level plans
- Departmental plans
- Unit plans
- Linked to:
  - Incident Management plans
  - Recovery Plans
Slide 43: Relationship Between Plans
(Diagram only)
Slide 44: BC Planning
- Cover critical services
- High level plans
- Departmental plans
- Unit plans
- Linked to:
  - Incident Management plans
  - Recovery Plans
- Involve all elements of the Organisation
Slide 45: Involve all Elements of the Organisation
Diagram linking Business Continuity Management to:
- Emergency Management
- IT Disaster Recovery
- Facilities Management
- Human Resources
- Security
- Crisis Communications & PR
- Knowledge Management
- Supply Chain Management
- Quality Management
- Health & Safety
- Risk Management
- Environmental Management
Slide 46: Golden Rules for BCPs
- Keep them simple
- Ensure that you can use them during a disruption
- Identify what resources are needed
- Make plans owned by operational units
- Exercised, audited and reviewed
- Version and distribution controlled
- Accessible
Slide 47: Stage 5 - Exercising & Maintaining
Will the plans work and are they up to date?
Slide 48: Exercising
An exercise is an opportunity to measure the quality of the planning, the adequacy of the training and to test the effectiveness of the arrangements made.
Slide 49: Exercising
Considerations:
- Risk, impacts and capabilities
- Types of exercise to be used
- Involvement of senior management
- Process of delivering exercises
- Relationship between exercising emergency plans and BCPs
- Planning exercises so that the risk of disruption, and the risk of an incident occurring as a direct result of the exercise, is minimised
Slide 50: Exercise Process Requires:
- Senior management commitment
- Planning team
- Risk assessment
- Documentation
- Briefing
- Exercise
- De-brief
- Review of lessons learnt
- Funding
Slide 51: Exercising your BCP – the learning cycle (Emergency Preparedness 2005)
Diagram of the cycle around the Business Continuity Plan, with its stages:
- Exercise: this can be a test of part or the whole of the plan
- Debrief: this should be a debrief after each exercise in order to capture the experience of all the participants
- Post-Exercise Report: this should collate the output of all debriefs with the post-exercise analysis of the exercise outcomes
- Audit BCP: the BCP should be audited against the LLR and necessary changes identified
- ‘Lessons Learned’ Report: this report closes the exercise programme and outlines the full outcome of the programme. It makes recommendations for changes to the BCP
- Implement Changes: approval and acceptance of recommendations by the BCM strategic lead within the organisation
- Review Plan: having made changes to the BCP, it is important to review the plan in its entirety before disseminating the ‘current version’
Slide 52: Exercising
When planning exercises consider:
- High level scenarios:
  - Denial of access or loss of facilities
  - Loss of key staff/skills
  - Loss of critical systems, including ICT
  - Loss of key resources, including suppliers/partners
- Capabilities:
  - Mobilisation
  - Co-ordination
  - Communications
  - Warning
- Don’t let the exercise create a disruptive incident
Slide 53: Maintaining
Maintaining a BC plan involves regular scanning to ensure that details are current: the author, or a designated person, checks that facts are correct and, if changes are required, instigates amendments, re-issuing and re-training as appropriate.
Slide 54: Why Maintain Your Plan
Nothing stays the same; there is always change in:
- Organisations
- Regulations and laws
- Students & Customers
- Suppliers
- People
- Contacts
- Technology
- Processes
- Locations
All plans should be reviewed annually and signed off by the plan owner
Slide 55: Reviewing
The environment in which we operate is constantly changing, so BCPs and BCM arrangements need reviewing. This involves the BCM team and author standing back and checking strategy on, say, an annual basis, or after significant change, using a formal process. Where changes are needed this will lead to re-writing, re-issue and re-training, and endorsement by the management team.
Slide 56: Essential Elements Required to Meet BS25999
- Clearly define the scope
- Establish an effective management system
- Identify critical activities and resources, including critical suppliers and partners
- Risk assessment (effects, not causes; prevention, not just cure)
- Create appropriate incident and continuity plans
- Exercise plans and record results
- Audit BCM and BCMS
- Management of documentation & records
- Establish a culture of BCM
Slide 57: The Benefits of Meeting BS25999
- Provides a structured approach to BCM
- Demonstration, internally and to all stakeholders, of the organisation’s capability to manage disruptive events
- Competitive advantage
- Maintenance of existing contracts
- Protects the organisation
- Compliance
- Possible certification
Slide 58: The Route Map to Business Continuity Management – Meeting the Requirements of BS25999
Published by BSI, £20 (+P&P)
Thank you for Listening
John Sharp
Email: john.sharp@btinternet.com
Tel: 01886 833844
www.khacontinuity.co.uk