Dustbustinʼ (using a management system)

Clive Lunn FBCI, CRM

EPICC Seminar 2010 / BC Hydro



• “The problem”
• The Business Continuity Management lifecycle
• Getting executive attention
• The missing link(s)
• “Dustbustin”
• Summary
• Q & A

• BC Manager – “must” implement best practice or national / international standards
• Department Managers – must do their “day job”
• Conflicting priorities
  • BCM not in KPI
  • BCM not in job description
  • Risk management – “how much is enough”?

[Cartoon: BCM manager – “Must do a BIA, BCP, Exercises, etc.” / Dept. manager – “You want me to do WHAT?”]

• BCM Practitioners typically focus on the “Doing” components – BIA, Strategy, Plans, Exercises, Education

Pivotal to success

• They will usually only endorse BCM efforts if:
  1. There is a damned good BIA available, or
  2. There is a “burning platform”
• Option 1 is best; 2 leads to panic and pressure

• Recommended approach must show how they will increase the likelihood of attaining corporate objectives by decreasing risk
• To attain objectives you must:
  • Ensure continuity of critical processes
  • Protect resources
  • Secure supply
  • Recover if necessary

[Cartoon: “Bovine risk management 101” – Need exec support; PS can also get “dusty”; “Help!”]

• Plans are only one element
• Programme management is the single point of failure
• It is the “hub” around which all other activities rotate

The “Dustbuster” – Program Management*

Plan
• Approve Policy
• Approve Standards & Practices
• Define Roles & Responsibilities
• Define Program Scope
• Agree Annual Goals

Do
• Maintain Framework
• Develop Action Plan
• Execute Planning Life Cycle
• Coordinate implementation
• Input to BG Planning Audit

Check
• Track & Report Outcomes
• Aligned to changing Goals
• Aligned to leading practices
• Mitigates regulatory risks
• Support BCMS Audit

Act
• Review & Amend Policy
• Amend Standards & Practices
• Amend Roles & Resp.
• Amend Scope & Goals
• Approve BCM Strategies

*Your PDCA activities may be distributed differently

Plan – “What do we want to achieve”

• Policy
  • Executive endorsement, high level objectives
  • Target “maturity level”
  • Risk tolerance (difficult)
  • Risk escalation criteria (possibly based on risk matrix)
• Standards & Practices – e.g.:
  • BS25999, CSA Z-1600, ASIS SPC 1-2009
  • Risk evaluation criteria, documentation standards
• Roles & Responsibilities (RACI)
  • Who does what – planning cycle & response
  • Includes executive responsibilities, e.g. steering committee
• Program Scope
  • What’s in and out? – operations, locations, subsidiaries, suppliers…
• Annual Goals
  • Rolling targets & this year’s deliverables

Do – “Create deliverables”

• Maintain Framework
  • The PDCA management system
  • Tools and templates, training and education materials
• Develop Action Plan
  • Project plan to achieve goals set in planning phase
• Execute Planning Life Cycle*
  • BIA, RA, Strategy, Plans, Exercises, Training, Maintenance
• Coordinate implementation, e.g.:
  • ITDR strategy should address business’ needs
  • Multi-stakeholder collaboration – “peacekeeper / arbitrator”
  • Overall prioritisation (with agreement from steering committee)
• Input to BG Planning Audit
  • Ideally Internal Audit checks the business against agreed standards, and:
  • The BC manager “helps” the business comply with the standards

Check – “Are we achieving our objectives & doing this in the most appropriate way”

• Track & Report Outcomes
  • Are business groups up to date & aligned with Policy, Standards, Annual Goals?
• Aligned to changing corporate goals
  • Organizations’ priorities usually change over time; does the BCM program still address risks to (current) corporate objectives?
• Aligned to leading practices
  • Are leading practices changing, are newer & better ways emerging, do we need to adopt these?
• Mitigates regulatory risks
  • What new regulations apply to us, and does the BCM program effectively mitigate these, or do we need to change anything?
• Support BCMS Audit
  • Occasionally the program should be audited to ensure it is appropriate given the risk profile of the organization

[Slide: Monitoring tool sample (screenshot not reproduced)]

Act – “Continuous improvement”

• Review & Amend Policy
  • To reflect changing risk appetite or circumstances
• Amend Standards & Practices
  • Implement newer practices if deemed appropriate
• Amend Roles & Resp.
  • To reflect changes to company structure, size, authority levels or BCM program
• Amend Scope & Goals
  • As BCM program matures (able to do more), changing regulations or practices
• Approve BCM Strategies
  • Large capital expenditures needed
  • Overall prioritisation
  • Where response strategy may negatively impact another part of the business

• BC Manager – must implement agreed BCM activities
• Aligned priorities
  • “day job” takes priority
  • BCM in KPI and job description
  • Risk management / BCM maturity agreed – we know “how much is enough”

[Cartoon: BCM manager – “BCM effort as directed by policy (I’m here to help!)” / Dept. manager – “Sure, it is number 4 on my priority list”]

• BCM is a program, not a project
• BCM is a risk management discipline – requires trade-offs
• BCM is not “just about the plan”
• Governance process is critical to ensure success
• A plan-do-check-act management system will assist to:
  • Ensure the executive team are engaged
  • Ensure everyone is on the same page regarding “how much is enough”
  • Ensure roles and responsibilities are properly defined
  • Ensure deliverables and scope are properly defined
  • Ensure planning and risk mitigation efforts are aligned
  • Ensure consistent understanding of business interruption risks
  • Provide a mechanism for the program manager to “Steer the ship”

Questions?

According to the WHO: H1N1 is dead, H3N2 is coming & H5N1 is still waiting in the wings