Business continuity management systems requirements - ISO22301

OFFICIAL

BCI NE Forum
Ian Charters FBCI

Business Continuity Management Systems – Requirements

What is a standard?

• How many of you have read ISO 22301?
• How many of you are certificated to it?
• How many of you haven’t a clue what it is?

• A Standard is a way of doing something agreed by a representative selection of those with expertise in a subject – Standard types include:
  • A Requirements Standard is a checklist of things you ‘shall’ do (and be able to prove) if you want certification
  • A Guidance Standard suggests how to implement a Requirements Standard – things you ‘should’ do and ‘may’ do.
  • A Technical Specification usually expands significantly on one aspect of one (or more) Requirements Standards. It contains suggestions as well as explanation.

Why should I be interested? – we don’t need certification

• Written by practitioners (not vested interests)
• It identifies good practice – use it as a guide
• It is achievable – use it as a benchmark
• Certification can provide a regular stimulus
  – Once you gain it – you won’t want to lose it!
• It demonstrates conformity to others
• It might convince top management to take it more seriously

Where did it come from?

• Business Continuity Institute: Good Practice Guidelines
• BS 25999-1 & -2 (Guidance and Requirements)
• ISO 22301: 2012 – (minor review soon)
• Associated guidance and technical specifications:
  – ISO 22313 : Guidance to ISO 22301
  – ISO TS 22317 : Business Impact Analysis
  – ISO TS 22318 : Supply Chain Continuity
  – ISO TS 22398 : Exercising and Testing
  – ISO/IEC 27031:2011, Guidelines for information and communication technology readiness for business continuity

Agenda

• Some key words/concepts in ISO 22301
  – Management system
  – Risk / Impact
  – Leadership
  – Business Continuity Objectives
  – Priority
  – Unacceptable
  – Communication with Interested Parties
  – Suppliers
  – Performance evaluation
  – Continuous improvement
  – Questions

What is a Management System?

[Figure: the Plan-Do-Check-Act cycle of a BCMS – Establish (Plan); Implement and operate (Do); Monitor and review (Check); Maintain and improve (Act) – giving continual improvement of the business continuity management system (BCMS). Input: interested parties’ requirements for business continuity. Output: managed business continuity for interested parties. Clauses 4, 5, 6, 7, 8, 9 and 10 of ISO 22301 are mapped onto the cycle.]

Is it risk-based or impact-based?

• BCM sometimes described as a ‘reactive’ response to ‘risks’ BUT
  – is really ‘consequence’ management
  – it deals with the impacts of incidents (not tries to stop them)
  – and requires preparations – so is pro-active
• Risk methodology suspect for unexpected events
• Customers don't care what the problem is
  – They do care how long it takes to sort out
• Risk appetite (4.1) is undefinable – but 'impact' appetite can be defined

BCM reduces duration and impact

[Figure: level of operations against time, managing a foreseen disruption. After a warning and the incident, a controlled response keeps operations above the minimum acceptable level of operations and resumes activities at an acceptable level within an acceptable timeframe (the Recovery Time Objective), before the time at which impacts become unacceptable. Compared with the curve without business continuity, the curve with business continuity shows (1) mitigating, responding to and managing impacts and (2) a shortened disruption.]

Leadership

• “Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS” (5.1)
• Stronger than ‘commitment’
• Allocating resources
• Leading by example
• Communicating the importance of BCM

Business Continuity Objectives

• Part of the MS standard (Annex SL) text
• It refers to targets in your BCM programme implementation
  – e.g. All Initial BIAs to be completed by… then annually
  – e.g. To achieve certification for Product xxx by …..
  – Nothing to do with recovery times (editing issue!)

Priority

• setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable (8.2.2)
• Priority of Activities determined by urgency of the Products and Services the organisation delivers
• Critical => Priority i.e. time-based (not ‘importance’)

Setting priorities

[Figure: measure of success against time. Each product/service will have a different profile. The curves show successful recovery, limited recovery and failure relative to the point of no return, i.e. the time ‘at which impacts become unacceptable’ or ‘POINT OF NO RETURN’.]

What does ‘unacceptable’ mean?

• Unacceptable impacts could mean
  – The organisation’s survival is at threat
  – Someone has to resign
  – We lose our market for this product
  – Our share price tumbles
  – We become a take-over or outsource target
  – We are on the front page of the nationals
• Up to the organisation’s management to define

[Chart: RIM (Blackberry) share price]

Communication with Interested Parties

• Communication during the planning stage
  – Emergency services and local authorities
  – Customers, partners and suppliers
  – Neighbours
• Communication during an incident
  – As above
  – Alternative means of communications

What about Suppliers?

• Reminders to include them in BIA, BC strategies, plans and audits
• ISO 22318 – Technical Specification on Supply Chain Continuity
• Which suppliers do I worry about?
• What can I do about it?

Performance Evaluation

• What do we measure?
• Is it appropriate?
• Are there measurable benefits without an incident?

Continual Improvement

• More effective – not necessarily faster recovery
• Increasingly better fit to the organisation’s needs
• Don’t try to get it right first time!

Resilience …. the end of BCM?

• Definition: BCM ….. provides a framework for building organizational resilience …..
• ISO 22316 (draft) will attempt to describe ‘Attributes’ and ‘Activities’ of a resilient organisation
• Organizational resilience is the ability of an organization to respond and adapt to change.
• Original draft: risk (53) v. continuity (1) Now: risk (3) v. continuity (1)
• Standards integration – BCM one of them
• Response to unexpected change + many other attributes & activities

Questions?

Ian Charters, FBCI, Continuity Systems Ltd
[email protected]