The New Standard for
Business Continuity
Management - BS25999
John Sharp FBCI (Hons) FCMI MCIM
Principal Consultant
Kiln House Associates Ltd
KHA Ltd © 2008
John Sharp FBCI (Hons) FCMI MCIM
1997 until 2004 - CEO of the Business Continuity Institute
Chair of the team that produced the BSI Guide to BCM (PAS 56) & Member of Technical Committee for BS25999 & BS25777
Member of the Metropolitan Police BCM Board
Member of the team that produced BCM guidance for the Civil Contingencies Act
Associate Course Director – Emergency Planning College
UKAS Technical Expert – BS25999-2
Chair of Wolverhampton University Audit Committee

Why a BCM Standard was Needed
• Business Continuity Plans are only really ‘tested’ when used in a real invocation
• Evidence of organisations failing despite having BCPs:
– Plans not exercised
– Plans not kept up to date
– People not trained or made aware of BCP
– Low levels of senior management commitment
– Too many plans written to get a ‘tick in the box’

Why a BCM Standard was Needed
• Growing threat levels
• Complex supply chains
• Outsourcing
• UK national infrastructure dependent upon commercial and voluntary organisations
• International nature of trade
• Auditors’ lack of understanding of BCM
• Demands from regulators, insurers and customers

Development of the BCM Standard
• 1997 – Professional practice standard exists in the UK & US
• 1999 – Work commenced on a uniform assessment of BCM for Y2K
• 2001 – FSA requires BCM ‘good practice’ guidelines
• 2002 – BCI publishes BCI BCM Good Practice Guidelines
• 2003 – Publication of PAS 56 by BSI
• 2006 – BSI publishes BS25999-1 in November
• 2007 – BS25999-2 published in November
• 2008 – UKAS pilot accreditation scheme for certification

Key Elements of the Standard
• BCM is based on a ‘lifecycle’ – it is a continuous process
• Must become part of the organisational culture
• Commitment from the top, and throughout the organisation
• Based on impacts – not threats
• As much about prevention as recovery
• BCM must be proven by exercise and lessons learnt
• BCM must be maintained in a changing environment
• A specification against which certification can be achieved

The Business Continuity Management Lifecycle
BS 25999-1 2006
[Lifecycle diagram; the elements shown are:]
• BCM Programme Management
• Understanding the Organization
• Determining BCM Strategies
• Developing and Implementing a BCM Response
• Exercising, Maintaining & Reviewing

The Plan-Do-Check-Act (PDCA) model
BS25999-2
Stage 1 - Establish a Business Continuity Management System
• Why are you introducing BCM?
• What are the requirements for BC, taking into account:
– Organisation’s objectives
– Obligations - legal, regulatory, contractual
– Interests of key stakeholders
• Scope of BC in terms of products and services

External Drivers
CMI Research 2008
[Bar chart: percentage of respondents citing each external driver, Year 2007 compared with Year 2008, scale 0–50%. Drivers shown: Corporate Governance, Existing Customers, Legislation, Central Govt, Insurers, Potential Customers, Regulators, Auditors, Investors, Suppliers.]

Environmental Analysis – STEEPLE
[Diagram: the Organisation at the centre, surrounded by the STEEPLE factors:]
• Social
• Technological
• Economic
• Environmental
• Political
• Legal
• Ethical

Stakeholders
• What are their requirements and perceptions?
• Who are they?
– Shareholders, Customers, Clients, Employees and Suppliers
– Regulators, Financial Investors, Insurers, Auditors, Professional Bodies, Trade Associations, Government Departments
– Competitors, the Community, Media and ‘Vested Interest’ Groups

Scope
• Determining the scope of the BCM is a vital first step.
• Factors that influence scope are:
– The size and complexity of the organisation
– The needs of customers/clients, regulators, auditors, insurers and investors
– The type of activity undertaken
– The environment and location of operation
– Organisation’s objectives

Programme Management
• A BCM policy statement
• Ongoing support from the top of the organisation
• BCM structure – roles & responsibilities
• Adequate resources to deliver BCM
• Effective management and control of documentation and records
• An assurance process – KPIs
• System for continuous improvement (PDCA)

Embedding BCM into the Organisation’s Culture
• Train appropriate staff
• Raise awareness
– Why BCM is being introduced
– What is being done and when
– Benefits that accrue to ALL
• Inform stakeholders
• Ongoing support from Executive
• Communicate
Stage 2 - Understanding the Organisation
What is critical to the organisation at the time of disruption?

Understanding the Organisation
• What are the key services & products?
• What are the critical activities?
• What processes are used to deliver critical activities?
• Who and what is used in these processes?
– Internally
– Externally
• The impact if key services & products are disrupted – for whatever reason
• The Maximum Tolerable Period of Disruption - MTPoD

Key Services and Products
• Not all services and products are critical
• Some services and products are seasonal
• Some are exceptional – e.g. emergency management
• Criticality is determined by drivers and stakeholders
• The impact on the organisation if the service or production is disrupted will influence the criticality
• The organisation’s risk appetite affects criticality
• Critical rating must be ‘signed off’ by the top management

Mapping Resources to Critical Activities
[Diagram, built up over four slides: the critical activities Estate Management, Domestic Installations, Home Services and Commercial Contracts are mapped against the resources they depend upon – ICT, Suppliers, People and Facilities – and then against the shared Central Resources that support all four activities.]

Risk Management
Identify ‘single points of failure’:
– People
– Technology
– Information
– Facilities
– Suppliers

Risk Management
Implement risk treatments:
– Accept - where impact & likelihood are low
– Mitigate - if impact is high but likelihood low
– Stop or re-engineer - where impact & likelihood are high
– Transfer the risk to others, e.g. Insurance
– Plan for continuity - where impact is high but likelihood is low

Stage 3 – Determining BCM Strategies
What can the organisation do if key services and products are disrupted?

Strategy Options
The Organisation’s Approach to Determining BCM Strategies Should:
• be to implement appropriate measures to reduce the likelihood of incidents occurring and/or reduce their impact if they do.
• provide continuity for its key products and services and supporting activities during and following an incident.
• take account of those products and services and their supporting activities that have not been identified as critical.
BS 25999-1 2006

Strategy Options
The most appropriate strategy or strategies will depend on a range of factors such as:
• The maximum tolerable period of disruption (MTPoD) of the service
• The cost of implementing the strategy or strategies
• The consequences of inaction

BCM Strategies Must Cover:
• People
• Premises
• Technology
• Information
• Supplies
• Stakeholders

BCM Strategies
• Cannot fail – full availability
• How soon to recover - recovery time (RTO - within the MTPoD)
• At what level of recovery - recovery point
• Do nothing – accept the risk (Health warning!)
• Signed off strategies to meet obligations

BCM Strategies
In general you should consider 4 high level scenarios and what alternative working arrangements could be made if:
• Cannot gain access to the building
• A high percentage of the staff are unavailable
• The ICT systems are unavailable
• A key supplier/partner is disrupted

BCM Strategies
What is needed to make strategies work?

BCM Strategies must:
• Recognise critical functions, dependencies and single points of failure.
• Enable the organisation to perform critical activities
• Allow decisions to be taken by responsible managers
• Signed off by senior management

Stage 4 - Developing & Implementing a BCM Response
Incident Management & Business
Continuity Planning

Incident Response Structure
What is needed to deal with a disruptive incident?

Plan Invocation
Establish procedures for determining when a disruption has occurred and how the BCPs will be invoked:
– Identify the person(s) who determines whether a disruption has occurred
– Specify the procedure to be used
– Specify who should be consulted
– Specify who should be informed

Invocation Teams
• The organisation must move at the speed of the incident to prevent a crisis occurring
• Separate teams to cover:
– The major incident
– Continuity of the organisation’s key services & products
• The team structures should reflect the normal organisational structure

Incident Management
The BCM team structures should mirror the incident management structures:
LEVEL 1 – STRATEGIC (GOLD) – THINK
LEVEL 2 – TACTICAL (SILVER) – PLAN
LEVEL 3 – OPERATIONAL (BRONZE) – DO
[Diagram arrows: ESCALATION runs upward from Operational to Strategic; CONTROL runs downward from Strategic to Operational.]

Communications Management
• Regularly update senior management
• Keep the clients informed
• Mechanisms to inform employees
• Keep other stakeholders informed
• Ensure media are briefed
Information Management
• Collate situation reports
• Access to contact details
• Access to staff records
• Insurance policies, SLAs, contracts
• Monitor the media
• Maintain a log of decisions, activities and actions
Resolving Conflicts
• Resources will be limited
• All managers believe their areas are critical
• Decisions about priorities should be made at the planning stage and not at the time of the emergency
• However, every situation is different, therefore a mechanism must exist to adjust BCPs accordingly.
• A high level BCM team must be empowered to determine priorities
• The BCM team should be assembled from people who understand and represent the organisation

Incident Response Structure
The incident response structure must enable personnel to:
• be capable of confirming the nature and extent of the incident, and manage the incident;
• be responsible for triggering an appropriate business continuity response;
• have access to plans, processes and procedures to manage an incident;
• have plans for the activation, operation, coordination and communication of the incident response;
• have resources available to support the plans, processes and procedures to manage the incident.

BC Planning
• Cover critical products & services as specified in the scoping document
• High level plans
• Departmental plans
• Unit plans

BC Planning – plan hierarchy
Corporate Plan
    Dept Plan    Dept Plan    Dept Plan
    Unit Plan    Unit Plan    Unit Plan    Unit Plan

Relationship Between Plans

BC Planning
• Cover critical services
• High level plans
• Departmental plans
• Unit plans
• Linked to:
– Incident Management plans
– Recovery Plans
• Involve all elements of the Organisation

Involve all Elements of the Organisation
[Diagram: Business Continuity Management at the centre, surrounded by the functions that must be involved:]
• Emergency Management
• IT Disaster Recovery
• Facilities Management
• Human Resources
• Security
• Crisis Communications & PR
• Knowledge Management
• Supply Chain Management
• Quality Management
• Health & Safety
• Risk Management
• Environmental Management

Golden Rules for BCPs
• Keep them simple
• Ensure that you can use them during a disruption
• Identify what resources are needed
• Make plans owned by operational units
• Exercised, audited and reviewed
• Version and distribution controlled
• Accessible

Stage 5 - Exercising & Maintaining
Will the plans work and are they up to date?

Exercising
An exercise is:
An opportunity to measure the quality of the planning, the adequacy of the training and test the effectiveness of the arrangements made.

Exercising
Considerations:
• Risk, impacts and capabilities
• Types of exercise to be used
• Involvement of senior management
• Process of delivering exercises
• Relationship between exercising emergency plans and BCPs
• Planning exercises so that the risk of disruption, and the risk of an incident occurring as a direct result of the exercise, is minimised

Exercise Process Requires:
• Senior management commitment
• Planning team
• Risk assessment
• Documentation
• Briefing
• Exercise
• De-brief
• Review of lessons learnt
• Funding

Exercising your BCP – the learning cycle
Source: Emergency Preparedness 2005
[Cycle diagram: Business Continuity Plan → Exercise → Debrief → Post-Exercise Report → ‘Lessons Learned’ Report → Audit BCP → Implement Changes → Review Plan → back to the Business Continuity Plan.]
• Exercise – This can be a test of part or the whole of the plan.
• Debrief – There should be a debrief after each exercise in order to capture the experience of all the participants.
• Post-Exercise Report – This report should collate the output of all debriefs with the post-exercise analysis of the exercise outcomes.
• ‘Lessons Learned’ Report (LLR) – This report closes the exercise programme and outlines the full outcome of the programme. It makes recommendations for changes to the BCP.
• Audit BCP – The BCP should be audited against the LLR and necessary changes identified.
• Implement Changes – Approval and acceptance of recommendations by the BCM strategic lead within the organisation.
• Review Plan – Having made changes to the BCP, it is important to review the plan in its entirety before disseminating the ‘current version’.

Exercising
When planning exercises consider:
High level scenarios:
– Denial of access or loss of facilities
– Loss of key staff/skills
– Loss of critical systems, including ICT
– Loss of key resources, including suppliers/partners
Capabilities:
– Mobilisation
– Co-ordination
– Communications
Warning:
– Don’t let the exercise create a disruptive incident

Maintaining
Maintaining a BC plan involves regular scanning by the author, or a designated person, to ensure that details are current, to check that facts are correct and, if changes are required, to instigate amendments, re-issue and re-training as appropriate.

Why Maintain Your Plan
Nothing stays the same; there is always change in:
– Organisations
– Regulations and laws
– Clients & Customers
– Suppliers
– People
– Contacts
– Technology
– Processes
– Locations
All plans should be reviewed annually and signed off by the plan owner.

Stage 6 - Monitor & Review of the Business Continuity Management System

Ensuring the BCMS is valid and fit for purpose through the process of continuous improvement
Check
Assess and, where applicable, measure process performance against business continuity policy, objectives and practical experience, and report the results to management for review.

BCMS Review
• The organisation shall ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness.
• The organisation shall regularly review its BCMS either through self-assessment or audit.

Reviewing
The environment in which we operate is constantly changing, so BCPs and BCM arrangements need reviewing.
This involves the BCM team and author standing back and checking strategy on, say, an annual basis, or after significant change, using a formal process.
Where changes are needed this will lead to re-writing, re-issue and re-training, and endorsement by the management team.

Essential Elements Required to Meet BS25999
• Clearly define the scope
• Establish an effective management system
• Identify critical activities and resources, including critical suppliers and partners
• Risk assessment (effects, not causes; prevention, not just cure)
• Create appropriate incident and continuity plans
• Exercise plans and record results
• Audit BCM and BCMS
• Management of documentation & records
• Establish a culture of BCM

The Benefits of Meeting BS25999
• Provides a structured approach to BCM
• Demonstration, internally and to all stakeholders, of the organisation’s capability to manage disruptive events
• Competitive advantage
• Maintenance of existing contracts
• Protects the organisation
• Compliance
• Possible certification

The Route Map to Business Continuity Management – Meeting the Requirements of BS25999
Published by BSi

Thank you for Listening
John Sharp
Email: [email protected]
Tel: 01886 833844