Business Continuity Business as Usual ?

1
Business Continuity Business as Usual ?

• Ren Barnard

2
International Standards Organisation

• ISO 31000 Risk Management Principles and
  Guidelines
• ISO 22301 Societal security Business continuity
  management systems Requirements
• ISO 22313 Societal security Business continuity
  management systems Guidance
• ISO 22398 Societal security Guidelines for
  exercises and testing
• British Standard
• BS 25999-22007, Business continuity management
  Specification

3
Everybody is a winner
4
Survey Says Principal Drivers Base 1021
Local Government 92 Central Government 85
Finance Insurance 85 Utilities 81
Health and Social Care 74 Transport and Logistics 69
Manufacturing and Production 58 Education 52
Business Services 40 Construction 31
Corporate governance Regulation/legislation Central Government Central Government Corporate governance Public sector procurement
Corporate governance Regulation/legislation Auditors Regulation/legislation Corporate governance Customers
Corporate governance Regulation/legislation Public sector procurement Corporate governance Regulation/legislation Customers
Customers Insurers Corporate governance Corporate governance Customers Regulation/legislation
Customers Corporate governance Regulation/legislation and Investors/shareholders Customers Corporate governance Insurers
5
August 2011 London Riots
6
Does it matter?
10/12 A novel coronavirus was identified in
lower respiratory tract specimens of a Qatari
national who was receiving treatment for a severe
respiratory illness in London
Denial of service attacks 10/12 The DDoS attacks
have been launched in the last week using the
so-called itsoknoproblembro DDoS toolkit.
12/10 Britain facing fuel shortage as snow
continues to cause chaos
UK to be hit by 70s-style blackouts within 3
years' and EU rules may also force up bills,
Spare energy capacity could drop to just four per
cent by winter 2015
05/12 Northern Rock rescue 'could cost taxpayer
2bn'
7
World Economic Forum RIM
Major systemic financial failure
Chronic Fiscal Imbalances
Water supply crises
Extreme volatility in energy and agriculture
prices
8
Assess the Risk

• Risk
• Effect of uncertainty on objectives
• Threats
• May be described as events or actions which
  could, at some point, cause an impact..
• Business Continuity (GPG)
• Strategic and tactical capability of the
  organisation to plan for and respond to incidents
  and business disruption in order to continue
  business operations at an acceptable predefined
  level

9
Deepwater Horizon Oil Spill
Business Continuity or Risk Management
10
The survey says

• evaluated through risk assessment, based on those
  registering extremely concerned and concerned,
  are as follows
• Unplanned IT and telecom outages 74
• Data breach (i.e. loss or theft of confidential
  information) 68
• HoMER (CPNI) (Counter Productive Behaviour)
• Cyber attack (e.g. malware, denial of service)
  65
• Adverse weather (e.g. windstorm/ tornado,
  flooding, snow, drought) 59
• Interruption to utility supply (i.e. water, gas,
  electricity, waste disposal) 56
• Ofgem UK Faces power shortages risk by 2015
  Black out probability 1 in 12 years
• BCI Survey Horizon scan January 2012 Base 458

11
Top Responses by Country
12
Risk Assessment

• Business Impact
• What are we trying to achieve
• Who should be involved
• What creates uncertainty and how significant is
  it
• What can we do to ensure success

13
Key Risk Areas Business Impact

• People
• Information and Data
• Buildings, work environment and associated
  utilities
• Facilities equipment and consumables
• ICT Systems
• Transportation
• Finance
• Partners and Suppliers

14
Something achieved that continues to exist
15
G4S Olympic Security Scheduling Failure?
16
Manchester Airport
17
Aims

• Business Continuity or BC aims to safeguard the
  interests of an organisation and its key
  stakeholders by protecting its critical business
  functions (CBFs) against predetermined
  disruptions.
• 223012012

18
BCM Checklist

• Scope and Objective
• Gain a understanding of your business
• Assess the Risk
• Evaluate potential continuity arrangements
• Define your strategy
• Develop your continuity plans

19
ISO Compatibility PDCA
Risk Management ISO 31000 BCM 25999 -gt ISO 22301
Risk Management Framework Policy and Program Management
Establishing the Context Understanding the Organization
Risk Assessment BIA Is one of the tools (ISO31010 Guidance on risk assessment techniques) BIA Risk Assessment focused on Most urgent activities
Risk Treatment BCM Strategies Develop and Implement BCM Responses
Communication and Consultation Embedded BCM in the Culture
Monitor and Review Exercising, Maintaining and Reviewing
20
Transition BS 25999 to ISO 22302

• 25999-2 United Kingdom Only but recognised
  worldwide - BSI
• 22301 Accepted worldwide ISO
• May 2012 May 2014 Upgrade Period
• November 2012 Accreditation 25999

21
Similarities and differences

• No changes or minor changes in 10 areas
• Moderate changes in 8 areas
• Major changes in 5 areas

22
Major Changes Common Theme

• Understanding the organisation
• Understanding the needs and expectations of
  interested parties
• Management commitment
• Communication warning system
• Monitoring, measurement, analysis and evaluation

23
Areas Clause in 22301 Clause in BS25999 Change
Understanding the organisation 4.1 - Significant
Understanding the needs and expectations of interested parties 4.2 - Significant
Determining the Scope 4.3 3.2.1 Moderate
Management Commitment 5.2 - Significant
Business Continuity Policy 5.3 3.2.2 Moderate
Bussiness Continuity Objectives 6.2 3.2.1.1 Moderate
Competentces 7.2 3.2.4 Minor or No Change
Awareness 7.3 3.2.4 Minor or No Change
Communication and Warning System 7.4, 8.4.2, 8.4.3 4.3.3.3 Significant
Documented Information 7.5 3.4 Moderate
Business Impact Analysis 8.2.1, 8.2.2 4.1.1 Minor or No Change
Risk Assessment 8.2.1, 8.2.3 4.1.2 Moderate
Business Continuity Strategy 8.3.1 4.2 Minor or No Change
Resource Requirements 8.3.2 4.3.2.2, 4.3.3.3 Moderate
Risk Treatment 8.3.3 4.1.3 Minor or No Change
Incident response structure 8.4.2 4.3.2 Minor or No Change
BC Plans, Recovery Plans 8.4.4, 8.4.5 4.3.3 Minor or No Change
Exercise and Testing 8.5 4.4.2 Minor or No Change
Monitoring Measurement Analysis and Evaluation 9.1 4.4.3 Significant
Internal Audit 9.2 5.1 Minor or No Change
Management Review 9.3 5.2 Minor or No Change
Non Conformity and Corrective Action 10.1 6.1.3 Moderate
Preventative Action 6.1, 9.1.1 6.1.2 Moderate
24
6-step process 25999 - 22301

• 1. Evaluating the organisations external and
  internal context and list all interested parties
• 2. List all legal requirements
• 3. Align BC with companys strategy
• 4. Define measurable objectives, how to
• measure them, and who will evaluate them
• 5. Define action plan to achieve objectives
• 6. Communication who will communicate with
• whom, and how?

25
Organisation and its Context
26
(No Transcript)
27
Objectives

• Clearly stated
• Be consistent with the policy SMART
• Take account of applicable needs and
  requirements
• Enable opportunities to maintain or improve
  performance
• Be monitored and updated as appropriate.
• In order to ensure that these objectives will be
  achieved, the organizations should determine
• Who will be responsible
• What will be done and when it will be completed
  and
• How the results will be evaluated.

28
Strategy

• Protecting prioritised activities
• Stabilizing, continuing, resuming and recovering
  prioritized activities and their dependencies and
  supporting resources
• Mitigating, responding to and managing impacts

29
Thank You

• Questions

30
(No Transcript)
31
(No Transcript)