BS 25999 – Part 2 Business Continuity Management Specification Awareness Presentation Date: 28 Nov 2007 Mumbai


Page 1: BS 25999 – Part 2  Business Continuity Management Specification Awareness Presentation

BS 25999 – Part 2 Business Continuity Management Specification Awareness Presentation

Date: 28 Nov 2007 Mumbai

Page 2

A turning point, but not the least

Page 3

Disruptions that we are familiar with

Page 4

Disruptions we almost forgot!!!

• Started as LDDS in Clinton, Mississippi
• Merged with MCI in 1997 and called MCI WorldCom
• Was the second largest communications company in the US
• Telecom industry entered a downturn in 1998
• From 1999 to 2001 there was accounting fraud:
  – Underreporting ‘line costs’ (interconnection expenses with other telecommunication companies) by capitalizing these costs on the balance sheet rather than properly expensing them.
  – Inflating revenues with bogus accounting entries from ‘corporate unallocated revenue accounts’.
• Internal fraud estimate was 3.8 billion USD
• Final estimate 11 billion USD
• Post Chapter 11 changed its name to MCI, which was acquired by Verizon in 2005

Page 5

Enron

• Irregular accounting procedures bordering on fraud throughout the 1990s
• Opacity of the company's financial disclosures
• In 2001 Jeff Skilling joined Enron as CEO but left in six months; before he left he sold 450,000 shares
• Kenneth Lay, Chairman, took over as CEO
• Media and analysts doubted the liquidity
• Enron's plunge occurred after it was revealed that much of its profits and revenue were the result of deals with special purpose entities (limited partnerships which it controlled)
• Oct 2001, Enron declared a one-time charge of 1 billion
• Started to buy back commercial paper for 3.8 billion to give the impression of a good cash position, but this consumed bank credit
• Credit ratings lowered by Moody’s and S&P
• Stock tumbled
• Arthur Andersen vanished

Page 6

Companies hit by Rajkumar riots

April 2006

Riots in the Indian city of Bangalore following the death of leading film star Rajkumar cost businesses there millions of dollars, officials say.

Eight people, including a policeman, were killed in violence on Thursday as tens of thousands of mourners attended the funeral of the screen legend.

Unrest forced more than 1,000 IT firms and other businesses to shut before calm returned on Friday, reports say.

Rajkumar dies at 77

Page 7

Influenza

Page 8

Page 9

Reality

• Nearly 1 in 5 businesses suffer disruption every year (Source: BCI)

Page 10

Has your company been affected by any of the following interruptions in the past year?

Interruption                                                     %
Facilities Move                                              35.15
Merger/Acquisition                                           24.24
Hardware Failure                                             51.04
Software Failure                                             39.97
Network Failure                                              40.61
War                                                               
Human Error                                                  37.72
Power Outage                                                 50.07
Telecommunications Failure                                   41.73
Terrorist Activities                                          4.98
Ethical Scandal/Corporate Governance Issue                    4.33
Labor Disputes                                                6.90
Others                                                        6.90
Natural Disaster                                             46.87
Information Security Breach (including viruses, DOS attacks, etc.)  26.48
Utility Service Provider Failure                             31.62

Page 11

How much would you estimate business disruptions have cost your company in the past twelve months?

Cost band                          %
More than $5 million            4.82
$1 million to $5 million        7.22
$500,000 to $999,999            6.74
$100,000 to $499,000           22.63
Less than $100,000             58.59

Page 12

What do you think is currently the weakest link in your continuity strategy, planning and recovery efforts?

Weakest link                                    %
People risk                                 34.51
Technology risk                             18.62
Process risk                                26.65
Data risk                                    5.14
Supply chain partner risk                    8.35
Collaboration with public authorities        6.74

Page 13

Page 14

Page 15

What is Business Continuity Management ?

A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Page 16

Why BCMS ?

• Minimize business disruptions

• Quickly recover to normal business operations

• Protect an organization’s value and reputation

• To meet:
  – shareholder commitments
  – national / legislative requirements
  – IBA guidelines for banks
  – legal, regulatory and contractual commitments
  – moral and social responsibilities

• Demonstrate “best practice”.

• Reduce insurance liabilities.

Page 17

What a BCMS achieves

Page 18

Page 19

Logical steps

Page 20

Risk matrix

Critical

Less critical

Page 21

Risk Impact versus control

Strength of controls

Priority focus should be on the aspects with high risk and those with the largest gap between risk and control

[Chart: Impact Factor vs Strength of Controls for ACTIVITIES. Vertical axis: Impact, scale -3.0 to 6.0. Series plotted per activity: Vulnerability, Impact Factor, SoC (Strength of Controls), Delta.]
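As an added example (not code from the presentation), the prioritisation rule on this slide applied to a constructed set of activities: each activity carries an impact factor and a strength-of-controls (SoC) score, the delta is impact minus SoC, and the critical band with the largest gap comes first. The 0 to 5 scale, the critical threshold of 3.0 and the activity list are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    """One business activity from the impact assessment."""
    name: str
    impact: float  # impact factor if disrupted; assumed 0 (none) to 5 (severe)
    soc: float     # strength of existing controls; assumed 0 (none) to 5 (strong)

    @property
    def delta(self) -> float:
        # Gap between risk and control: positive means controls lag the impact.
        return self.impact - self.soc


def risk_matrix(activities, critical_impact=3.0):
    """Split activities into the two bands of the risk-matrix slide."""
    critical = [a.name for a in activities if a.impact >= critical_impact]
    less_critical = [a.name for a in activities if a.impact < critical_impact]
    return {"Critical": critical, "Less critical": less_critical}


def prioritise(activities, critical_impact=3.0):
    """Order activities for BCM attention: critical band first, then the
    largest risk-to-control gap, then raw impact, then name as tie-break."""
    ranked = sorted(
        activities,
        key=lambda a: (a.impact < critical_impact, -a.delta, -a.impact, a.name),
    )
    return [a.name for a in ranked]


# Constructed sample activities (not data from the presentation).
SAMPLE = [
    Activity("Payment processing", impact=5.0, soc=2.0),     # delta +3.0
    Activity("Customer support desk", impact=3.0, soc=3.5),  # delta -0.5
    Activity("Internal wiki", impact=1.0, soc=1.0),          # delta  0.0
    Activity("Data centre power", impact=4.5, soc=4.5),      # delta  0.0
    Activity("Marketing site", impact=2.0, soc=0.5),         # delta +1.5
]

if __name__ == "__main__":
    for band, names in risk_matrix(SAMPLE).items():
        print(f"{band}: {', '.join(names)}")
    for rank, name in enumerate(prioritise(SAMPLE), start=1):
        act = next(a for a in SAMPLE if a.name == name)
        print(f"{rank}. {name}: impact {act.impact}, SoC {act.soc}, delta {act.delta:+.1f}")
```

Note that a well-controlled critical activity (delta 0) still ranks above a poorly controlled minor one, which is the point of keeping the critical band separate rather than sorting on delta alone.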

Page 22

Typical Business Risks

• Failure or refusal to supply

• Bargaining power of suppliers

• Business model

• Processes

• Loss making orders

• Partners

• Investment

• Outsourcing

Page 23

Typical Business risks

• Accounting practices

• Lines of credit

• Accounts receivables

• Cash flow

• Cost structure

• Ability to raise finance and liquidity

• Overhead costs

• Economy of scale

Page 24

Typical Business risks

• Services

• Channels

• Currency fluctuations

• Transfer pricing

• Equity portfolio

• Taxation

• Deductibles

• Availability of finance

• Interest rates

• Insurance claims/liabilities

Page 25

Typical Business risks

• Migration of key people to competition

• Quality of workforce

• Unavailability of workforce

• Unions

• Health of senior management/key employees

• Crime

Page 26

Risks and Potential Threats

Page 27

Where is BCM going?

• No longer just a fashion accessory, BCM is now an integral part of managing the business

• Integrated across all business functions; no longer seen as an IT speciality

• Now being accepted as a strategic business imperative

• Progress towards independent auditable processes (BS 25999-2)

• Broader based agreement on what is best practice in the form of a new standard, BS 25999-1

Page 28

Benefits of BCM

The benefits of an effective BCM programme are that the organization:

• is able to proactively identify the impacts of an operational disruption

• has in place an effective response to disruptions which minimises the impact on the organization

• maintains an ability to manage risks

• encourages cross-team working

• is able to demonstrate a credible response through a process of exercising

• could enhance its reputation

• might gain a competitive advantage, conferred by the demonstrated ability to maintain delivery.

Page 29

BS 25999

• BS 25999-1:2006 Code of practice for business continuity management (published 28 November 2006)

• BS 25999-2:2007 Specification (published 20 Nov. 2007)

Page 30

Organisations Represented on TC BCM/1

• Association of British Insurers

• Association of Chief Police Officers

• Association of Insurance Risk Managers

• Business Continuity Institute

• Cabinet Office

• Chief Fire Officers' Association (CFOA)

• Continuity Forum

• Coventry University

• Department of Trade and Industry

• Emergency Planning Society

• Association of British Certification Bodies

• Federation of Small Businesses

• Financial Services Authority

• Independent International Organization for Certification

• Institute of Directors

• Institute of Emergency Management

• Institute of Internal Auditors

• Institute of Risk Management

• Intellect

• Metropolitan Police

• Securities Industry Business Continuity Management Group (SIBCMG)

• Society of Industrial Emergency Services Officers (SIESO)

• Survive

Page 31

Standards

• An agreed, repeatable way of doing things

• A full consensus of all interested parties, so not imposed

• Voluntary

• Best practice not general practice, thus aspirational

• Back-up can be available through audit and certification

• Updated on a regular cycle

Page 32

Standards: some benefits

• Promotes competition

• Attracts customers

• Demonstrates market leadership

• Creates competitive advantage

• Develops and maintains best practice

• Maximises compatibility

Page 33

What have standards done to Indian Businesses ?

• Have given Indian companies the opportunity to leap-frog the learning curve w.r.t. management systems and practices

Page 34

BCMS – PDCA Cycle

Page 35

Plan

• Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to managing risk and improving business continuity, to deliver results in accordance with an organisation’s overall policies and objectives

Page 36

Do

• Implement and operate the business continuity policy, controls, processes and procedures

Page 37

Check

• Assess and, where applicable, measure process performance against business continuity policy, objectives and practical experience, and report the results to management for review

Page 38

Act

• Take corrective and preventive actions, based on the results of the management review and other relevant information, to achieve continual improvement of the BCMS

Page 39

The BCM Lifecycle

Determining BCM Strategy

Understanding the organization

Exercising, maintaining and reviewing

Developing and implementing BCM response

Embedding BCM in the organizational culture

Page 40

The fit

[Diagram: the BCMS as a process model]

Input – Interested Parties: Business Continuity requirements and expectations

Establish → Implement and operate → Monitor and review → Maintain and improve

Output – Interested Parties: Managed Business Continuity

Continual improvement of the Business Continuity Management System

Page 41

Definitions

• Disruption: an event, whether anticipated or unanticipated, which causes an unplanned negative deviation from the expected delivery of products or services according to the organisation’s objectives

• Risk: something that might happen and its effect(s) on the achievement of objectives

• Risk management: structured development and application of management culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating, and controlling and responding to risk

Page 42

Thank you