Linus New V Old School BCIF - isaca-melbourne.org.au
Transcript of the slide deck: Business Continuity Management Scenario...
Business Continuity Management
Scenario Planning Vs Resource Loss Planning (Old School Thinking Vs New School Thinking)
by Saul Midler (MBCI)
Agenda:
- Introduction
- Risk Reduction via scenarios (Old School)
- Business Continuity via Resources (New School)
© Linus ISS 2007
Foundation Stone
Disasters don't cause business to fail
Businesses fail due to poor or non-existent:
- Procedures
- Capability
- Exercising
Risk Mitigation only reduces the likelihood of a disruption; there will always be a residual risk
Proof
Consider 9/11: 2,800 DIED and 185,000 workers lost their JOB*, including:
- 7,300 in IT
- 3,000 in Accounting
- 3,000 in Insurance
- 2,200 in Commercial Printing
320 companies did not reopen for business. The survivors include:
- Cantor Fitzgerald: lost 658 staff, resumed operations 2 days later
- Marsh & McLennan: 3,200 staff over 8 floors
- Morgan Stanley: 3,500 staff over 17 floors
- NY Port Authority: 2,000 staff over 23 floors
* Fiscal Policy Institute, Nov 5, 2001
What's the likelihood?
Research took place in March 2007 by the Chartered Management Institute (UK), supported by Continuity Forum and the Civil Contingencies Secretariat within the Cabinet Office, England.
(Chart: Causes of operational disruption to organisations in the past 6 years)
Conclusion?
Disruptions do and will happen
This is why preparation is so important
Preparation = Risk Reduction + Business Continuity
Preparation = RISK REDUCTION + Business Continuity
What is Risk?
There is Risk in everything we do
Some activities don't greatly concern us:
- Crossing the road
- Riding a motor bike
- Going on a date
Some activities do concern us:
- Investing money
- Extreme sports
- Business management
If the risk is too great, we need to mitigate the risk or reduce the exposure
Definition: The chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood.
Business Risk in Context
Risk means different things to different people; to understand it, you need to put it into context with a definition.
Risk is very broad - what is our focus?
- Legal Liability (eg exposure to litigation - faulty products)
- Political/Regulatory (eg policy sensitivity)
- Financial/Market (eg risk of credit defaults)
- Mergers and Acquisitions (eg undisclosed contingent liabilities)
- Corporate Governance (eg breaches of regulations)
- Experimentation (eg new product or process, R&D activity)
- OH&S (eg ensuring worker safety)
- Market Sector (eg emerging competitors, new technology)
- Operational (dependency on Resources and processes) [the slide's diagram labels this one BCM]
- Other.....
Where does RM sit wrt BCM
Diagram: the risk categories (Operational Management, Political/Regulatory, Mergers & Acquisitions, Corporate Governance, Legal/Reputation, OH&S, Financial Management, Other...) feed a Risk Assessment, and each risk is then either Mitigated or Accepted (Accept? Mitigate?). BCM sits alongside, applied to the Physical & Logical Resources identified by the BIA/RDA.

Risk Evaluation (Consequence across, Likelihood down):

Likelihood          | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
A (almost certain)  | C               | S       | H          | H       | H
B (likely)          | M               | C       | S          | H       | H
C (moderate)        | L               | M       | C          | S       | H
D (unlikely)        | L               | L       | M          | C       | S
E (rare)            | L               | L       | L          | M       | C

(Rating codes L, M, C, S, H are defined on the Assess Risk slide.)
Assess Risk
Likelihood (BCI: Probability) - Used as a qualitative description of probability or frequency.
  Level / Descriptor:
  A  Almost Certain
  B  Likely
  C  Moderate
  D  Unlikely
  E  Rare
Consequence (BCI: Threat Impact) - The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain.
  Level / Descriptor:
  5  Catastrophic
  4  Major
  3  Moderate
  2  Minor
  1  Insignificant
Risk rating:
  L  Low Risk
  M  Moderate Risk
  C  Considerable Risk
  S  Significant Risk
  H  High Risk
Consequence
Usually this is straightforward and may be expressed as:
- Loss: $1,000,000 per day
- Injury: 12 people in Hospital, 4 people dead
- Disadvantage: lost 12.5% of market share
- etc
Likelihood
Be careful when considering Statistical Probability. This relies on:
- Large sample sizes
- Behavioural attributes that provide consistency
We need to be part Believer:
- Customers will default on their Credit Card accounts
- There will be a disruption due to fire
We need to be part Sceptic: are statistics really going to predict the future?
- eg 15% of customers never pay their Credit Card account
- eg there is a 5% chance of having a fire this year
Likelihood tends to be emotional - how you feel about it!
Why is this so difficult?
BCM is an outcome from the Risk Assessment, however BCM should not be:
- undertaken as a Risk Management task
- driven by Risk Management philosophy or methodology
Risk Assessment is about reducing exposure to something that might happen: PREVENTION
Business Continuity is about recovering from something that does happen: CURE
What are we actually assessing?
Risk Assessment: evaluation of an event happening that will cause a problem.
Risk Managers consider the likelihood of events such as: Industrial Action, Fire, Flood, Earthquake, Power failure, Storm, Gas tanker explosion, SARS, Influenza Pandemic, Strike, Hacking, Malicious damage, Terrorism, Legionella, etc etc etc
Risk Management: reduced likelihood of each event causing a problem. Can they reduce the likelihood to Zero? NO, there will be residual Risk.
Risk Managers:
- think of Scenarios - "What if something happens?"
- implement mitigation strategies
Scenarios rely on experience and imagination. The irony is that the possibility exists that they can't think of everything!
Preparation = Risk Reduction + BUSINESS CONTINUITY
What is Business Continuity Management?
Effective BCM ensures that your organisation:
- has a level of operational resilience appropriate to support the needs of the business as defined by the corporate objectives
- has the capability to continue to provide its customers with critical services and products regardless of any operational disruption
- maintains appropriate management practices as 'business as usual' to ensure that its Business Continuity capabilities always reflect the needs, technology and structure of the business
BCM = Business Driven + Continuity Capable + Management Discipline
The Philosophy
When disaster strikes:
- a business function ceases to produce its output
- the recipient of the output suffers pain
- the organisation then suffers pain (or goes out of business!!)
Q: Why can't the output be produced? Think of Cause and Effect - Remember: Disasters don't cause businesses to fail!!
A: Because one or more RESOURCES are not available
What are Resources? Assets that must be available to enable a Business Function to operate and produce its output. They include computer software, personal computers, telephones, information itself, paper files, pre-printed forms, IT, Network drive, fax machine, skilled staff, machinery, equipment, accommodation, third-party organisations etc.
The Philosophy cont.
How do we stop a disruption from becoming a disaster? Risk Management cannot reduce the risk to zero. Need to invoke procedures:
- based on business driven restoration priorities
- to work around the Resource loss until the Resources are available
- to repair or replace the unavailable Resources with respect to:
  o Destination (if we have to leave the site)
  o Quantities
What scenarios will this support? WHY DOES IT MATTER???? More than you can imagine: ALL that result in Resource Loss
Why? Think of Cause and Effect - Remember: Disasters don't cause businesses to fail!!
The cause of the Resource loss is irrelevant to its replacement
New School Thinking
BIA:
- Business Manager defines RTO for the Business Functions: when should the Business Function restart at an acceptable level of capacity?
- Output: Business Function RTO; Restoration Priority Sequence for the business
RDA:
- Business Staff define Business Resources and their Survival Profiles: what is the acceptable level of capacity?
- Output: Business Resource RTO and Quantities over time; Restoration Priority Sequence for each Resource
Diagram: Resource Dependency Analysis (RDA), following the BIA. Business Functions (RTO = 3d, RTO = 10d, RTO = 15d) depend on Business Resources (RTO = 3d, RTO = 10d), which in turn depend on Support Resources (RTO = 2d, RTO = 3d) and Infrastructure Resources (RTO = 2d). Each Resource's RTO is driven by the Business Functions that depend on it.
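The RDA step above, worked through in code. This is an added example, not part of the presentation: it takes Business Function RTOs from a BIA, derives the RTO the business requires of every Resource (a Resource must be back no later than the earliest Function that depends on it, directly or through other Resources), builds the Restoration Priority Sequence for each Resource, and flags Resources whose planned recovery time cannot meet that requirement. All function names, resource names and RTO values are constructed.

```python
# Constructed sample, modelled on the deck's RDA diagram (RTOs in days).
FUNCTION_RTO = {"Payments BF": 3, "Billing BF": 10, "Reporting BF": 15}
# "X depends on Y": BF -> Business Resources -> Support / Infrastructure Resources
DEPENDS_ON = {
    "Payments BF": ["Payments app BR", "Skilled staff BR"],
    "Billing BF": ["Billing app BR", "Skilled staff BR"],
    "Reporting BF": ["Billing app BR"],
    "Payments app BR": ["DB server SR"],
    "Billing app BR": ["DB server SR", "File server SR"],
    "DB server SR": ["Data centre IR", "Network IR"],
    "File server SR": ["Data centre IR"],
    "Skilled staff BR": ["Office accommodation IR"],
}
# What the current recovery arrangements can deliver (assumed, e.g. quoted by ITD).
PLANNED_RTO = {"Payments app BR": 3, "Billing app BR": 10, "Skilled staff BR": 3,
               "DB server SR": 3, "File server SR": 2, "Data centre IR": 2,
               "Network IR": 2, "Office accommodation IR": 5}

def propagate(function_rto, depends_on):
    """Walk the graph from the Business Functions down. A Resource must be back
    no later than the earliest RTO of anything depending on it (min over
    dependents); level is the depth below the functions (foundations first)."""
    required, level = dict(function_rto), {f: 0 for f in function_rto}
    stack = list(function_rto)
    while stack:
        node = stack.pop()
        for dep in depends_on.get(node, []):
            new_rto = min(required[node], required.get(dep, float("inf")))
            new_lvl = max(level[node] + 1, level.get(dep, 0))
            if (new_rto, new_lvl) != (required.get(dep), level.get(dep)):
                required[dep], level[dep] = new_rto, new_lvl
                stack.append(dep)  # re-walk: a tighter RTO flows further down
    resources = [n for n in required if n not in function_rto]
    return {n: required[n] for n in resources}, {n: level[n] for n in resources}

def rto_gaps(required, planned):
    """Resources whose planned RTO is longer than the business requires."""
    return {n: (planned[n], r) for n, r in required.items() if planned[n] > r}

def restoration_sequence(required, level):
    """Restoration Priority Sequence for each Resource: earliest required RTO
    first; within an RTO, deeper (infrastructure) Resources before what they support."""
    return sorted(required, key=lambda n: (required[n], -level[n], n))

if __name__ == "__main__":
    req, lvl = propagate(FUNCTION_RTO, DEPENDS_ON)
    print("RTO gaps (planned, required):", rto_gaps(req, PLANNED_RTO))
    print("Restoration sequence:", restoration_sequence(req, lvl))
```

With this data the office accommodation is the only gap: the 3-day Payments function needs its staff housed within 3 days, but the planned arrangement takes 5, which is the kind of finding that lets the BUSINESS, not the infrastructure provider, set the RTO.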
New School Thinking
Strategy Development (SD), by the RTO:
Inputs: Business Function RTO and Restoration Priority Sequence for the business; Business Resource RTO and Quantities over time; Restoration Priority Sequence for each Resource; Support Resource RTO; Infrastructure Resources RTO.
- Business Function (BF): where to relocate BF, what BF work arounds, Options & Costs
- Business Resource (BR): how to repair or replace BR, Options & Costs
- Support Resource (SR): where to relocate SR, how to repair or replace SR, Options & Costs
- Infrastructure Resource (IR): where to relocate IR, how to repair or replace IR, Options & Costs
BUSINESS determines RTO of IT systems (not ITD)
BUSINESS determines RTO of IT Infrastructure (not ITD)
New School Thinking
Strategy Implementation and Procedure Development:
Prioritised Recovery (in RTO) of:
- Business Functions
- Resources (Business, Support & Infrastructure)
Contingency Procedures for Business Function:
- Relocation
- Work arounds
Resource Recovery Procedures for:
- Business Resources
- Support Resources
- Infrastructure Resources
Strategy inputs: where to relocate BF, what BF work arounds, Options & Costs; how to repair or replace BR, Options & Costs; where to relocate SR, how to repair or replace SR, Options & Costs; where to relocate IR, how to repair or replace IR, Options & Costs
Advanced New School Thinking
Prioritised Recovery (in RTO) of:
- Business Functions
- Resources (Business, Support & Infrastructure)
Contingency Procedures for Business Function:
- Relocation
- Work arounds
Resource Recovery Procedures for:
- Business Resources
- Support Resources
- Infrastructure Resources
Destination Resource Analysis: when we get there, what do we need, how many, by when
Key Messages
Preparation = Risk Reduction + Business Continuity
When considering Operational Disruption:
- Risk Management = Prevention
- Business Continuity Management = Cure
Disruption = Loss of something. Separate Cause from Effect.
When considering Strategies: Scenarios are infinite, Resources are finite
RDA = New School thinking
DRA = ADVANCED New School thinking!!
?