Page 1: The New Standard for Business Continuity Management - BS25999

John Sharp FBCI (Hons) FCMI MCIM
Principal Consultant
Kiln House Associates Ltd

KHA Ltd © 2008

Page 2: John Sharp FBCI (Hons) FCMI MCIM

1997 until 2004 - CEO of the Business Continuity Institute
Chair of the team that produced the BSI Guide to BCM (PAS 56) & Member of Technical Committee for BS25999 & BS25777
Member of the Metropolitan Police BCM Board
Member of the team that produced BCM guidance for the Civil Contingencies Act
Associate Course Director – Emergency Planning College
UKAS Technical Expert – BS25999-2
Chair of Wolverhampton University Audit Committee

Page 3: Why a BCM Standard was Needed

• Business Continuity Plans are only really ‘tested’ when used in a real invocation
• Evidence of organisations failing despite having BCPs
• Plans not exercised
• Plans not kept up to date
• People not trained or made aware of BCP
• Low levels of senior management commitment
• Too many plans written to get a ‘tick in the box’

Page 4: Why a BCM Standard was Needed

• Growing threat levels
• Complex supply chains
• Outsourcing
• UK national infrastructure dependent upon commercial and voluntary organisations
• International nature of trade
• Auditors’ lack of understanding of BCM
• Demands from regulators, insurers and customers

Page 5: Development of the BCM Standard

• 1997 – Professional practice standard exists in the UK & US
• 1999 – Work commenced on a uniform assessment of BCM for Y2K
• 2001 – FSA requires BCM ‘good practice’ guidelines
• 2002 – BCI publishes BCI BCM Good Practice Guidelines
• 2003 – Publication of PAS 56 by BSI
• 2006 – BSI publishes BS25999-1 in November
• 2007 – BS25999-2 published in November
• 2008 – UKAS pilot accreditation scheme for certification

Page 6: Key Elements of the Standard

• BCM is based on a ‘lifecycle’ – it is a continuous process
• Must become part of the organisational culture
• Commitment from the top, and throughout the organisation
• Based on impacts – not threats
• As much about prevention as recovery
• BCM must be proven by exercise and lessons learnt
• BCM must be maintained in a changing environment
• A specification against which certification can be achieved

Page 7: The Business Continuity Management Lifecycle

Lifecycle diagram (BS 25999-1 2006) with the elements: BCM Programme Management; Understanding the Organization; Determining BCM Strategies; Developing and Implementing a BCM Response; Exercising, Maintaining & Reviewing.

Page 8: The Plan-Do-Check-Act (PDCA) model

Diagram of the PDCA model as used in BS25999-2.

Page 9: Stage 1 - Establish a Business Continuity Management System

• Why are you introducing BCM?
• What are the requirements for BC, taking into account:
– Organisation’s objectives
– Obligations - legal, regulatory, contractual
• Interests of key stakeholders
• Scope of BC in terms of products and services

Page 10: External Drivers

Bar chart (CMI Research 2008) showing the % for each external driver in Year 2007 and Year 2008: Corp. Governance, Existing Customers, Legislation, Central Govt, Insurers, Potential Customers, Regulators, Auditors, Investors, Suppliers.

Page 11: Environmental Analysis

STEEPLE diagram: the Organisation surrounded by Social, Technological, Economic, Environmental, Political, Legal and Ethical factors.

Page 12: Stakeholders

• What are their requirements and perceptions?
• Who are they?
• Shareholders, Customers, Clients, Employees and Suppliers
• Regulators, Financial Investors, Insurers, Auditors, Professional Bodies, Trade Associations, Government Departments
• Competitors, the Community, Media and ‘Vested Interest’ Groups

Page 13: Scope

• Determining the scope of the BCM is a vital first step.
• Factors that influence scope are:
• The size and complexity of the organisation
• The needs of customers/clients, regulators, auditors, insurers and investors
• The type of activity undertaken
• The environment and location of operation
• Organisation’s objectives

Page 14: Programme Management

• A BCM policy statement
• Ongoing support from the top of the organisation
• BCM structure – roles & responsibilities
• Adequate resources to deliver BCM
• Effective management and control of documentation and records
• An assurance process – KPIs
• System for continuous improvement (PDCA)

Page 15: Embedding BCM into the Organisation’s Culture

• Train appropriate staff
• Raise awareness
– Why BCM is being introduced
– What is being done and when
– Benefits that accrue to ALL
• Inform stakeholders
• Ongoing support from Executive
• Communicate

Page 16: Stage 2 - Understanding the Organisation

What is critical to the organisation at the time of disruption?

Page 17: Understanding the Organisation

• What are the key services & products?
• What are the critical activities?
• What processes are used to deliver critical activities?
• Who and what is used in these processes?
– Internally
– Externally
• The impact if key services & products are disrupted – for whatever reason
• The Maximum Tolerable Period of Disruption - MTPoD

Page 18: Key Services and Products

• Not all services and products are critical
• Some services and products are seasonal
• Some are exceptional – e.g. emergency management
• Criticality is determined by drivers and stakeholders
• The impact on the organisation if the service or production is disrupted will influence the criticality
• The organisation’s risk appetite affects criticality
• Critical rating must be ‘signed off’ by the top management

Page 19: Mapping Resources to Critical Activities

Diagram: critical activities (Estate Management, Domestic Installations, Home Services, Commercial Contracts) mapped against resources (ICT, Suppliers, People, Facilities).

Page 20: Mapping Resources to Critical Activities

Diagram (continued): the same critical activities (Estate Management, Domestic Installations, Home Services, Commercial Contracts) mapped against ICT, Suppliers, People and Facilities.

Page 21: Mapping Resources to Critical Activities

Diagram: Central Resources linked to Domestic Installations, Home Services, Commercial Contracts and Estate Management.

Page 22: Mapping Resources to Critical Activities

Diagram (continued): Central Resources linked to Domestic Installations, Home Services, Commercial Contracts and Estate Management.

Page 23: Risk Management

Identify ‘single points of failure’
– People
– Technology
– Information
– Facilities
– Suppliers

Page 24: Risk Management

Implement risk treatments:
– Accept - where impact & likelihood are low
– Mitigate - if impact is high but likelihood low
– Stop or re-engineer - where impact & likelihood are high
– Transfer the risk to others, e.g. Insurance
– Plan for continuity - where impact is high but likelihood is low

Page 25: Stage 3 – Determining BCM Strategies

What can the organisation do if key services and products are disrupted?

Page 26: Strategy Options

The Organisation’s Approach to Determining BCM Strategies Should:
• be to implement appropriate measures to reduce likelihood of incidents occurring and/or reduce their impact if they do.
• provide continuity for its key products and services and supporting activities during and following an incident.
• take account of those products and services and their supporting activities that have not been identified as critical.

BS 25999-1 2006

Page 27: Strategy Options

The most appropriate strategy or strategies will depend on a range of factors such as:
• The maximum tolerable period of disruption (MTPoD) of the service
• The cost of implementing the strategy or strategies
• The consequences of inaction

Page 28: BCM Strategies Must Cover:

• People
• Premises
• Technology
• Information
• Supplies
• Stakeholders

Page 29: BCM Strategies

• Cannot fail – full availability
• How soon to recover - recovery time (RTO - within the MTPoD)
• At what level of recovery - recovery point
• Do nothing – accept the risk (Health warning!)
• Signed off strategies to meet obligations

Page 30: BCM Strategies

In general you should consider 4 high level scenarios and what alternative working arrangements could be made if:
• Cannot gain access to the building
• A high percentage of the staff are unavailable
• The ICT systems are unavailable
• A key supplier/partner is disrupted

Page 31: BCM Strategies

What is needed to make strategies work?

Page 32: BCM Strategies must:

• Recognise critical functions, dependencies and single points of failure.
• Enable organisation to perform critical activities
• Allow decisions to be taken by responsible managers
• Signed off by senior management

Page 33: Stage 4 - Developing & Implementing a BCM Response

Incident Management & Business Continuity Planning

Page 34: Incident Response Structure

What is needed to deal with a disruptive incident?

Page 35: Plan Invocation

Establish procedures for determining when a disruption has occurred and how the BCPs will be invoked
– Identify the person(s) who determines whether a disruption has occurred
– Specify the procedure to be used
– Specify who should be consulted
– Specify who should be informed

Page 36: Invocation Teams

• The organisation must move at the speed of the incident to prevent a crisis occurring
• Separate teams to cover:
– The major incident
– Continuity of the organisation’s key services & products
• The team structures should reflect the normal organisational structure

Page 37: Incident Management

The BCM team structures should mirror the incident management structures

Diagram of the three levels: Level 1 Strategic (Gold) – Think; Level 2 Tactical (Silver) – Plan; Level 3 Operational (Bronze) – Do; with Escalation flowing up the levels and Control flowing down.

Page 38: Communications Management

• Regularly update senior management
• Keep the clients informed
• Mechanisms to inform employees
• Keep other stakeholders informed
• Ensure media are briefed

Page 39: Information Management

• Collate situation reports
• Access to contact details
• Access to staff records
• Insurance policies, SLAs, contracts
• Monitor the media
• Maintain a log of decisions, activities and actions

Page 40: Resolving Conflicts

• Resources will be limited
• All managers believe their areas are critical
• Decisions about priorities should be made at the planning stage and not at the time of the emergency
• However, every situation is different, therefore a mechanism must exist to adjust BCPs accordingly.
• A high level BCM team must be empowered to determine priorities
• The BCM team should be assembled from people who understand and represent the organisation

Page 41: Incident Response Structure

The incident response structure must enable personnel to:
• be capable of confirming the nature and extent of the incident, and
• manage the incident;
• be responsible for triggering an appropriate business continuity response;
• have access to plans, processes and procedures to manage an incident;
• have plans for the activation, operation, coordination and communication of the incident response;
• have resources available to support the plans, processes and procedures to manage the incident.

Page 42: BC Planning

• Cover critical products & services as specified in the scoping document
• High level plans
• Departmental plans
• Unit plans

Page 43: BC Planning

Diagram of the plan hierarchy: one Corporate Plan, with Dept Plans beneath it and Unit Plans beneath each Dept Plan.

Page 44: BC Planning

• Cover critical services
• High level plans
• Departmental plans
• Unit plans
• Linked to:
• Incident Management plans
• Recovery Plans

Page 45: Relationship Between Plans

Diagram showing the relationship between plans.

Page 46: BC Planning

• Cover critical services
• High level plans
• Departmental plans
• Unit plans
• Linked to:
• Incident Management plans
• Recovery Plans
• Involve all elements of the Organisation

Page 47: Involve all Elements of the Organisation

Diagram: Business Continuity Management at the centre, drawing on Emergency Management; IT Disaster Recovery; Facilities Management; Human Resources; Security; Crisis Communications & PR; Knowledge Management; Supply Chain Management; Quality Management; Health & Safety; Risk Management; Environmental Management.

Page 48: Golden Rules for BCPs

• Keep them simple
• Ensure that you can use them during a disruption
• Identify what resources are needed
• Make plans owned by operational units
• Exercised, audited and reviewed
• Version and distribution controlled
• Accessible

Page 49: Stage 5 - Exercising & Maintaining

Will the plans work and are they up to date?

Page 50: Exercising

An exercise is: an opportunity to measure the quality of the planning, the adequacy of the training and test the effectiveness of the arrangements made.

Page 51: Exercising

Considerations:
• Risk, impacts and capabilities
• Types of exercise to be used
• Involvement of senior management
• Process of delivering exercises
• Relationship between exercising emergency plans and BCPs
• Planning exercises so that the risk of disruption, and the risk of an incident occurring as a direct result of the exercise, is minimised

Page 52: Exercise Process Requires:

• Senior management commitment
• Planning team
• Risk assessment
• Documentation
• Briefing
• Exercise
• De-brief
• Review of lessons learnt
• Funding

Page 53: Exercising your BCP – the learning cycle

Cycle diagram starting from the Business Continuity Plan, with each stage annotated:
– Exercise: This can be a test of part or the whole of the plan
– Debrief: This should be a debrief after each exercise in order to capture the experience of all the participants
– Post-Exercise Report: This post-exercise report should collate the output of all debriefs with the post-exercise analysis of the exercise outcomes
– ‘Lessons Learned’ Report: This report closes the exercise programme and outlines the full outcome of the programme. It makes recommendations for changes to the BCP
– Audit BCP: The BCP should be audited against the LLR and necessary changes identified
– Implement Changes: Approval and acceptance of recommendations by BCM strategic lead within organisation
– Review Plan: Having made changes to the BCP, it is important to review the plan in its entirety before disseminating the ‘current version’.

Source: Emergency Preparedness 2005

Page 54: Exercising

When planning exercises consider:
High level scenarios:
– Denial of access or loss of facilities
– Loss of key staff/skills
– Loss of critical systems, including ICT
– Loss of key resources, including suppliers/partners
Capabilities
– Mobilisation
– Co-ordination
– Communications
Warning
– Don’t let the exercise create a disruptive incident

Page 55: Maintaining

Maintaining a BC plan involves regular scanning by the author, or a designated person, to ensure that details are current, to check that facts are correct and, if changes are required, to instigate amendments, re-issuing and re-training as appropriate.

Page 56: Why Maintain Your Plan

Nothing stays the same, there is always change
– Organisations
– Regulations and laws
– Clients & Customers
– Suppliers
– People
– Contacts
– Technology
– Processes
– Locations

All plans should be reviewed annually and signed off by plan owner

Page 57: Stage 6 - Monitor & Review of the Business Continuity Management System

Ensuring the BCMS is valid and fit for purpose through the process of continuous improvement

Page 58: Check

Assess and, where applicable, measure process performance against business continuity policy, objectives and practical experience, and report the results to management for review

Page 59: BCMS Review

• The organisation shall ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness.
• The organisation shall regularly review its BCMS either through self-assessment or audit.

Page 60: Reviewing

The environment in which we operate is constantly changing, so BCPs and BCM arrangements need reviewing.

This involves the BCM team and author standing back and checking strategy on, say, an annual basis, or after significant change, using a formal process.

Where changes are needed this will lead to re-writing, re-issue and re-training and endorsement by the management team.

Page 61: Essential Elements Required to Meet BS25999

• Clearly Define the Scope
• Establish an effective management system
• Identify critical activities and resources, including critical suppliers and partners
• Risk assessment (effects, not causes; prevention, not just cure)
• Create appropriate incident and continuity plans
• Exercise plans and record results
• Audit BCM and BCMS
• Management of documentation & records
• Establish a culture of BCM

Page 62: The Benefits of Meeting BS25999

• Provides a structured approach to BCM
• Demonstration, internally and to all stakeholders, of organisation’s capability to manage disruptive events
• Competitive advantage
• Maintenance of existing contracts
• Protects the organisation
• Compliance
• Possible certification

Page 63: The Route Map to Business Continuity Management

Meeting the Requirements of BS25999
Published by BSi

Thank you for Listening
John Sharp
Email: [email protected] – 01886 833844