Tim Armit

1
Tim Armit

• Clifton Risk Management
• Business Continuity in the modern world
• Changes in approach and requirements

2
Agenda

• IT requirements - changes in operation and
  expectation       
• What does the modern company need?
• What approaches should we take to tests?
• The new British Standard

3
IT requirements - changes in operation and
expectation     

• 1990
• no PCs,
• no internet,
• no servers,
• no mobile telephones
• no email
• mainframe based with telephony

4
How did IT DR move to BCM ?

• Pre 1990 everything was IT
• Early 1990s PCs rolled out
• Mid 1990s growth in call centres
• Late 1990s rise of the Web
• Reliance rises.. Risk rises

5
1990s move from IT to business

• BCP business moved focus
• Mainframes to Client Servers
• PCs / Client Servers / Internet
• 24-7 business
• More customer demands
• More competition in business

6
IT now

• Resilient systems
• Mirroring and use of VM equivalents
• Tape back up moved to real time storage
• Distributed locations
• International locations
• BCM takes over from IT DR

7
Background and history

• Noah
• The military
• USA 1960s
• UK 1980s
• 1990s move from IT to business

8
(No Transcript)
9
Background and history

• 1992 first major London IRA bomb
• Threat changed
• Over 100 businesses impacted
• High profile high impact
• 1993 bomb
• Both bombs aimed at business not people,
  Friday night and Saturday morning

10
Background and history

• 1992 first major London IRA bomb
• 1993 London again
• 1996 Manchester and Canary Wharf
• The millennium
• September 11th

• This Century ? So far the longest period of UK
  terrorist inactivity in living memory

11
Background and history

• September 11th
• Global issue
• BCP worked
• Government intervention
• Country wide reaction airports
• Not much change to plans in the UK

12
What does the modern company need?
13
Who cares about Business Continuity?

• 95 of businesses employ less then 10 people

• 95 of businesses will not have a business
  continuity plan

14
Are models past there sell by?

• Designed in early 1990s
• Mainframe and lack of risk knowledge defined them
• Never re-considered from basics
• Time for a re-think?
• Did we miss the boat with BS25999?

15
What do we really need?

• What happened?
• Is everyone ok?
• What does this mean to us?
• What are we going to do about it?

16
What is our job?

• To protect companies,
• To minimise the impact to companies
• To ensure that companies can recover their
  businesses in the shortest possible time with the
  minimum amount of interruption and down time.

17
Profession or Trade?

• Is BCP not a trade that you learn through serving
  your time as an apprentice, learning your trade
  and applying it more professionally each time?
• Being able to quote the words but not the meaning
  behind them does not mean you are capable it just
  means you have passed a test.

18
Where is the future for business continuity?
19
Where is the future for business continuity?

• We need to grow and to change.
• become more involved in the business and the
  scope of risk that covers everything from
  environmental to capital and credit stop being
  scared and limited.
• work with the business beyond the obvious
  physical risks to bring added value to the
  protection of a company.
• rethink our models and approaches from first
  principles not tinker at the edges.

20
Where is the future for business continuity?

• To be an integral part of change management,
  projects and new developments.
• Architects will liaise with us on new builds so
  risks are mitigated from the outset.
• IT will continue to become more resilient and we
  must understand this.
• Crisis Management should become like the fire
  alarm, no one will look at a plan at first as
  they will all be trained and know what to do.
  All staff will have heard of business continuity
  and will be aware of what it means.

21
How should future tests work?
22
The survey said..

• Testing within comfort zones
• Limited scope of testing
• Non integrated tests
• Silo tests
• Testing what we know works
• Real events show this is not enough lets stop
  kidding ourselves!

23
What has been said..

• We dont need roll call floor clearing will do
• Our plans didnt work with no mobiles
• First rendezvous point not being available was
  not something we had considered
• We didnt expect so many phone calls to come in
• If it rains on evacuation we lose control
• We have no idea of co-tenants plans

TEST TEST TEST TEST TEST TEST TEST
24
The Real World

• Take a step out of your company and think what
  would really happen
• Would you know anything?
• Would anyone talk to you?
• Do you know who / where / when?
• Would your staff care about the company?

25
BS25999
26
BS25999

• Setting the scope of the BCM programme
• Terms and definitions mean? (IMPs!)
• The BCM policy
• Programme Management
• How do you understand your organisation?
• Determining your business continuity strategy
• Developing and implementing a BCM response
• Exercising and maintaining your capability
• Embedding BCM into your organisation.

27

• Clifton Risk Management
• Email timarmit_at_cliftonrisk.com
• Phone 01253 711003
• Web www.cliftonrisk.com