Business continuity management system overview


Transcript of Business continuity management system overview

Page 1: Business continuity management system overview

Issue 1 © Intertek QATAR www.intertek.com 1

Welcome to the Seminar on Business Continuity Management System

ISO 22301:2012 AN ORIENTATION

Page 2: Business continuity management system overview

Business Continuity issues are of two types:

1. Incidents disrupting business for a period
2. Incidents disrupting business for a long time period, having a very big impact - Catastrophes (natural disasters): earthquakes, fire, volcano eruptions, etc.

Page 3: Business continuity management system overview

Learning Objectives

Upon completion of this presentation, one can:

• Understand what is BCMS;
• Understand why BCMS;
• Understand the benefits of BCMS;
• Focus of Top Management for ISO 22301 preparation

November 2015 - QATAR Ver. 1 3

Page 4: Business continuity management system overview

SOME BUSINESS DISRUPTIONS AND THEIR IMPACTS – indicating the need for BCMS - Videos

1. BLACKBERRY INCIDENT

2. GLOBAL CASES

3. AT&T

Page 5: Business continuity management system overview

Business Continuity issues are of two Categories

Page 6: Business continuity management system overview

WHAT IS NOW NEEDED? CHALLENGE FOR RECOVERY IN REALITY?

Page 7: Business continuity management system overview

Resumption of Activities

(Chart: Performance vs. Time. Labels: Normal activity; Incident; Minimum performance level; Time to resume activity; Objective to resume activity; Time to resume normal levels of operation; Time after which irrevocable damage is done to the organization.)

Page 8: Business continuity management system overview

What is Business Continuity?

Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

Page 9: Business continuity management system overview

BUSINESS CONTINUITY MANAGEMENT SYSTEM & Business Continuity Plan (BCP)

The Business Continuity Management System can be defined as a management process that provides a framework for building the capability that safeguards the objectives of the organization, including its obligations.

Anticipate the probable risk of a Business Continuity incident (Business Impact Analysis – the process of analyzing activities and the effect that a business disruption might have upon them).

Depending upon the length and severity of the interruption, recovery depends on management's ability to re-establish the organization's functions to a minimum acceptable level and then to normalcy.

Business Continuity Planning (BCP) continually confronts the likelihood or otherwise of an incident. (Risk – effect of uncertainty on objectives)

BCP is the only solution to such unexpected business interruption – a proactive, management-led incident management program driven by management requirements (Business Continuity Strategy).

Page 10: Business continuity management system overview

BUSINESS CONTINUITY PLAN (BCP) OBJECTIVES

• Ensure continuity and survival of the business;
• Provide protection to corporate assets;
• Provide management control of risks and exposures;
• Provide preventative measures where appropriate;
• Take proactive management control of any business interruption.

BCP provides a balance between acceptable potential losses and acceptable one-time and annual costs. Risk assessment identifies key sources of vulnerabilities having different impacts, and proactive steps are taken in a manner to avoid such incidents.

TESTING OF BCP IS MANDATORY else RECOVERY WOULD BE (Sample Testing is not enough)

NEED FOR BCP - Video

Page 11: Business continuity management system overview

ISO 22301:2012

Page 12: Business continuity management system overview

Process Approach and PDCA

(Diagram: Your Processes, with the PLAN, DO, CHECK, ACT cycle and Continual Improvement.)

The Plan-Do-Check-Act (PDCA) methodology applies to all processes:

• PLAN: Activities; Controls; Documentation; Resources; Objectives
• DO: Deploy & conform with plan
• CHECK: Measure & monitor for conformity & effectiveness
• ACT: Analyze/review; Decide/change; Improve effectiveness

Page 13: Business continuity management system overview

Page 14: Business continuity management system overview

BIRD’S EYE VIEW OF BUSINESS CONTINUITY MANAGEMENT SYSTEM – KEY ELEMENTS

Page 15: Business continuity management system overview

Process Approach Introduction

• Process – set of interrelated or interacting activities that uses resources to transform inputs into outputs

• Process Approach – systematically identifies and manages the linkage, combination, and interaction of a system of processes within an organization

• ISO 22301 – based on processes needed and their interactions


Page 16: Business continuity management system overview

Process Approach Emphasis

The process approach emphasizes the importance of:

• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance and effectiveness
• Use of objective measurements to improve processes

Page 17: Business continuity management system overview

Fundamentals of an ISO 22301 BCMS

• ISO 22301 – BCMS REQUIREMENT STANDARD
  – Description, rationale, benefits, application, PDCA
  – Emphasis on planning

• ISO 22313 - BCM GUIDANCE STANDARDS - in line with ISO 31000

• Business Continuity Institute – good practice guidelines

Page 18: Business continuity management system overview

Purpose of ISO 22301

• Applies to any type or size of organization in any industry or sector
• Tried and tested framework for a systematic approach
• Provides a framework to meet customer, internal and statutory and regulatory requirements
• Sets standardized requirements for business continuity
• Model for consistently meeting business needs despite disruptions
• Basis for certification that specified requirements are met

Page 19: Business continuity management system overview

An ISO 22301 BCMS in Practice

• Requires internal audits
• Verifies effective management
• Ensures the organization is fully in control of its activities
• Fosters customer confidence
• Allows engaging a certification body to obtain a certificate of conformity
• Provides, via certification, the credibility of an independent assessment
• Provides a system that adds value

ISO 22301 states what must be done; a properly documented BCMS describes how the required processes are to be done.

Page 20: Business continuity management system overview

Key Business Continuity Terms

• Business Impact Analysis
• Risk Appetite
• Risk Assessment
• BCM program & plan
• BCM response
• Activity
• Critical activities
• Exercise & Testing
• Incident management plan
• BCP Invocation
• Recovery Time Objective (RTO)
• Maximum Allowable Time of Disruption (MAO)

Page 21: Business continuity management system overview

Page 22: Business continuity management system overview

Impact Analysis

Impact can be quantitative or qualitative:

• Loss of key personnel
• Loss of physical assets
• Loss of information
• Disruption of service
• Violation of law, penalties
• Brand image, reputation, credibility
• Financial/revenue
• Customers, suppliers, partners (External Interested Parties)
• Environmental/H&S

Page 23: Business continuity management system overview

RISK APPETITE – Further Explanations

Page 24: Business continuity management system overview

RESILIENT – Further Explanation

Page 25: Business continuity management system overview

RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM TIME OF DISRUPTION FROM ZERO LEVEL

(Chart labels: RTO, MAO)

Page 26: Business continuity management system overview

RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM TIME OF DISRUPTION FROM REDUNDANCY LEVEL

(Chart labels: MAO, RTO)

Page 27: Business continuity management system overview

Interested Parties – ISO 22313:2010

Page 28: Business continuity management system overview

Step 1> Identifying Interested Parties as per Scope of BCMS

(Diagram: INTERNAL INTERESTED PARTIES and EXTERNAL INTERESTED PARTIES, positions labelled A to R and 1 to 18.)

Page 29: Business continuity management system overview

BUSINESS IMPACT ANALYSIS - Samples

Sample 1

INTERESTED PARTY: DESIGN COMPANY AS A VENDOR
BUSINESS RELATIONSHIP: OUTSOURCING OF DESIGN OF BUSINESS APPLICATION AS PER PREDEFINED SCOPE
KEY PROCESSES / ACTIVITY:
  1. DESIGN & DEVELOPMENT
  2. VERIFICATION AND VALIDATION: NOT ACCEPTABLE (Activate Redundancy)
  3. DESIGN CHANGE
BUSINESS IMPACT w.r.t. LOSS OF $ IN THE TIME FRAME, IF THE PROCESS IS NOT AVAILABLE (for 1. DESIGN & DEVELOPMENT):
  < 5 DAYS: NO ISSUE
  5 – 15 DAYS: NOT ACCEPTABLE (Activate Redundancy)
  15 DAYS – 30 DAYS: NOT ACCEPTABLE (Activate BCP)
RTO: 4 DAYS; MAO = 30 DAYS
RISK APPETITE (Time / $ Loss): MAX. 15 DAYS OR < USD 50,000

Sample 2

INTERESTED PARTY: NETWORK VENDOR
BUSINESS RELATIONSHIP: PROVIDING NETWORK FOR THE ONLINE SHOPPING SITE COMPANY
KEY PROCESSES / ACTIVITY:
  1. POWER SUPPLY FOR TELECOM EQUIPMENT ON TOWERS
  2. NETWORK CAPACITY: NOT ACCEPTABLE (Activate Redundancy)
  3. NETWORK SECURITY ASPECT (SOC)
BUSINESS IMPACT w.r.t. LOSS OF $ IN THE TIME FRAME, IF THE PROCESS IS NOT AVAILABLE (for 1. POWER SUPPLY):
  < 30 MINUTES: NO ISSUE (Activate Redundancy)
  30 MINUTES TO 1 HOUR: NOT ACCEPTABLE (Activate BCP)
  > 1 HOUR: NOT ACCEPTABLE (Activate BCP)
RTO: 15 MINUTES; MAO = 1 HOUR
RISK APPETITE (Time / $ Loss): MAX. 15 DAYS OR < USD 5,000

THIS SHALL HELP IN PRIORITISING THE RISKS BASED ON SEVERITY OF THE IMPACT ON BUSINESS, BASED ON THE KEY ASPECT, SAY $ OR TIME
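An added worked example (not from the slides) that encodes the two sample BIA rows above as data and exercises the escalation ladder they describe: which action applies for an outage of a given length, whether the RTO sits inside the "no issue" band and before the MAO, whether a loss is still within the stated risk appetite, and which process is the most time-critical. The hour conversions, field names and the reading of the "MAX. time OR < USD amount" appetite as either limit being enough are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BiaEntry:
    process: str
    bands: list          # [(upper bound of outage in hours, or None if open-ended, action)], ascending
    rto_hours: float     # Recovery Time Objective
    mao_hours: float     # Maximum Allowable Time of Disruption
    appetite_hours: float
    appetite_usd: int


def action_for_outage(entry, elapsed_hours):
    """Walk the impact bands and return the planned action for an outage of this length."""
    for upper, action in entry.bands:
        if upper is None or elapsed_hours < upper:
            return action
    return entry.bands[-1][1]


def within_appetite(entry, elapsed_hours, loss_usd):
    """The slide states the appetite as 'MAX. time OR < USD amount' (assumed: either limit suffices)."""
    return elapsed_hours <= entry.appetite_hours or loss_usd < entry.appetite_usd


def validate(entry):
    """Invariants a reviewer checks before accepting a BIA row."""
    issues = []
    if entry.rto_hours >= entry.mao_hours:
        issues.append("RTO must be shorter than MAO")
    if action_for_outage(entry, entry.rto_hours) != "NO ISSUE":
        issues.append("RTO falls outside the 'no issue' band")
    if action_for_outage(entry, entry.mao_hours) != "Activate BCP":
        issues.append("BCP must be invoked at or before MAO")
    return issues


def prioritise(entries):
    """Shortest MAO first: the processes where recovery is most time-critical."""
    return [e.process for e in sorted(entries, key=lambda e: e.mao_hours)]


# Constructed from the two sample rows on the slide (days converted to hours).
DESIGN = BiaEntry("Design & development (design vendor)",
                  [(5 * 24, "NO ISSUE"), (15 * 24, "Activate Redundancy"), (None, "Activate BCP")],
                  rto_hours=4 * 24, mao_hours=30 * 24, appetite_hours=15 * 24, appetite_usd=50_000)
POWER = BiaEntry("Power supply for telecom equipment (network vendor)",
                 [(0.5, "NO ISSUE"), (1.0, "Activate BCP"), (None, "Activate BCP")],
                 rto_hours=0.25, mao_hours=1.0, appetite_hours=15 * 24, appetite_usd=5_000)
SAMPLES = [DESIGN, POWER]

if __name__ == "__main__":
    for e in SAMPLES:
        print(e.process, "->", validate(e) or "consistent")
    print("priority order:", prioritise(SAMPLES))
```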

Page 30: Business continuity management system overview

Approaches to Business Impact Analysis (BIA)

• There is no single "right" way to conduct a BIA
• Any method that satisfies clause 8.2 is acceptable
• The BIA method may offer either:
  – One BIA technique for universal use
  – A selection of techniques together with guidance on selecting one appropriate to the needs of specific activities (e.g. a BIA technique suited to HR activities may not be equally suitable for IT or H&S)
• The following slides illustrate a variety of BIA techniques

Page 31: Business continuity management system overview

BIA Report – Example Headings

• Executive Summary
• BIA Method Summary
• BIA by Department / Process
  – Operations
  – R&D
  – Finance
  – Sales & Marketing
  – HR
  – Vendor Management
  – Compliance and Risk
• Summary of Critical Activities and Impacts

Analyses the impact of disruption of critical activities that support key products and services which, themselves, are of course cross-functional.

Page 32: Business continuity management system overview

Identify Risks and Opportunities

• Implementation of a BCMS assists in providing controls to mitigate risks

• Ensure review of risks and opportunities when assessing your current system and performing a gap analysis

• Determine appropriate risk and opportunity treatments

You may find these useful:

• ISO 31000:2009, Risk management – Principles and guidelines

• ISO/IEC 31010:2009, Risk management – Risk assessment techniques


Page 33: Business continuity management system overview

RISK MITIGATION (Risk Reduction)

(Risk level scale: HIGH / 71 - 100; Medium / 41 - 70; Low / 1 - 40)

Risk Mitigation – Implementing Controls for Risk Reduction

No matter which controls are implemented, the following are the facts:

1. They shall definitely bring down the risk to C, I & A (confidentiality, integrity and availability) – till the time the control is effective;
2. Whatever the control, risk cannot be brought to ZERO – it can only reduce the risk;
3. In IT, controls can reduce the "PROBABILITY" only;
4. Residual risks shall always be there – one must remember this 24x7.

Page 34: Business continuity management system overview

BUSINESS CONTINUITY PLAN - VIDEO

BUSINESS CONTINUITY PLANS – as per anticipated risks

Take away > Redundancy is the SECRET OF SUCCESS OF BUSINESS CONTINUITY PLANS

Page 35: Business continuity management system overview

BIRD’S EYE VIEW OF BCMS

Page 36: Business continuity management system overview

Critical BC Focus Aspects of the Organization (anticipate maximum disruptions)

All single points of failure [no redundancies]

Residual Risks Identified in Risk Assessments [after considering all the controls]

Unknown causes of redundancy failures

No actions taken on BC Testing failures

Unknown / Ignored Risks

Page 37: Business continuity management system overview

Realization of the Need to Implement BCMS (ISO 22301:2012) and Get Certified

1. Realization of the need to implement BCMS
2. Think about, understand and realise the need for BCMS
3. Accept the need for BCMS
4. Attempt to learn how to do BCMS
5. Learn the BCMS concept and start BCMS
6. Create a baseline of BCMS
7. Implement & test BCMS – understand residual risk
8. Perform internal audits & management reviews
9. Implement corrective actions
10. Get audited and get certified to ISO 22301:2012

Page 38: Business continuity management system overview

A CURRENT FACT

A FINANCIAL COMPANY IN NEW YORK BENEFITTED FROM BUSINESS CONTINUITY: ITS CORE SITE IN NEW YORK CONTROLLED THE DEVASTATING INCIDENT

Page 39: Business continuity management system overview

Thank You!

Any Questions?