27102009085025-141381139
TRANSCRIPT
-
8/7/2019 27102009085025-141381139
1/51
BS 25999 a framework forresilience and successRobert WhitcherBCI Webinar June, 2009
-
8/7/2019 27102009085025-141381139
2/51
Scope of Presentation
The Standards process
Drivers for BCM and BS 25999
BS 25999 development
Overview of BS 25999 Part 1
Break
Overview of BS 25999 Part 2
Certification
Conclusions
2
-
8/7/2019 27102009085025-141381139
3/51
-
8/7/2019 27102009085025-141381139
4/51
Standards pyramid
ISO
European Standard
ISO/PAS
National Standard
Publically Available Specification
Private Standard
Company Codes of Practice
-
8/7/2019 27102009085025-141381139
5/51
The standards process
Starts with formation of a Technical Committee (TC)after recognition of business need
All interested stakeholders invited to join the TC
Work programme agreed with input from the National orInternational standards body
TC can operate purely for National Standards or canmirror European and ISO committees
Draft standards go for public consultation
Emphasis is on building consensus among keystakeholders about what is best practice
5
-
8/7/2019 27102009085025-141381139
6/51
Why formal standards
Standards are a powerful tool for organizations ofall sizes, supporting innovation and increasingproductivity.
Effective standardization promotes forceful
competition and enhances profitability, enabling abusiness to take a leading role in shaping theindustry itself.
Standards allow a company to:Attract and assure customers
Demonstrate market leadershipCreate competitive advantageDevelop and maintain best practice
6
-
8/7/2019 27102009085025-141381139
7/51
Why a formal standard
We live in a more uncertain world with new andevolving risks
Ensuring the survival of an organization is a topmanagement priority
More Board awareness of business disruptionsand their impact on profits
Organizations have far more interdependency betweencountries
Organizations rely on longer and more risky supply chainsand frequently rely on single-source suppliers
7
-
8/7/2019 27102009085025-141381139
8/51
Why a formal standard
Provides a common framework, based oninternationally accepted best practices for implementingand managing business continuity
Provides a framework for organizations of any type,
size and location Improve operational effectiveness of an organization
Allows for the proactive management of business risks
Help demonstrate applicable laws, regulations and
contractual requirements are being observed Brings a common understanding to the marketplace
8
-
8/7/2019 27102009085025-141381139
9/51
BS 25999 Part 1
11
-
8/7/2019 27102009085025-141381139
10/51
14
PAS 56
Predecessor to BS 25999
Developed in conjunctionwith:
The Business Continuity
Institute (BCI)Insight Consulting, and
British StandardsInstitution (BSI)
Published March 2003
Now withdrawn
Original BCM Lifecycle
-
8/7/2019 27102009085025-141381139
11/51
BS 25999-1:2006
Code of practice for business continuitymanagement
Establishes the BCM processes, principles andterminology
Provides a basis for understanding, developing andimplementing business continuity within organizations ofany size or from any sector
Provide a comprehensive methodology based on BCMbest practice and the whole BCM lifecycle
Business driven
15
-
8/7/2019 27102009085025-141381139
12/51
Benefits of BS 25999
Provides a common framework, based oninternational best practice, to manage businesscontinuity
Proactively improves your resilience when facedwith disruptions to your ability to achieve keyobjectives
Provides a rehearsed method of restoring yourability to supply critical products and services to an
agreed level and timeframe following a disruption Delivers a proven response for managing a
disruption
16
-
8/7/2019 27102009085025-141381139
13/51
BS 25999 Code of practice contents
1 Scope and applicability
2 Terms and definitions
3 Overview of business continuity management (BCM)
4 The Business Continuity Management policy
5 BCM Programme Management
6 Understanding the organization
7 Determining business continuity strategy
8 Developing and implementing a BCM response9 Exercising, maintaining and reviewing BCM arrangements
10 Embedding BCM in the organization's culture
17
-
8/7/2019 27102009085025-141381139
14/51
BS 25999 Code of practice contents
1 Scope and applicability
2 Terms and definitions
3 Overview of business continuity management (BCM)
4 The Business Continuity Management policy
5 BCM Programme Management
6 Understanding the organization
7 Determining business continuity strategy
8 Developing and implementing a BCM response9 Exercising, maintaining and reviewing BCM arrangements
10 Embedding BCM in the organization's culture
18
-
8/7/2019 27102009085025-141381139
15/51
What is Business ContinuityManagement?
Business continuity management is a holisticmanagement process that identifies potentialimpacts that threaten an organization and providesa framework for building resilience and thecapability for an effective response whichsafeguards the interests of its key stakeholders,reputation, brand and value creating activities
Source: BS 25999-1
19
-
8/7/2019 27102009085025-141381139
16/51
Business Continuity Lifecycle20
-
8/7/2019 27102009085025-141381139
17/51
The BCM policy
The objectives of establishing a BCM policy are to:ensure that all BCM activities are conducted andimplemented in an agreed and controlled manner;
achieve a business continuity capability that meetschanging business needs and is appropriate to the size,complexity and nature of the organization; and
put in place a clearly defined framework for the ongoingBCM capability.
21
-
8/7/2019 27102009085025-141381139
18/51
BCM programme management
Achieves the objectives defined in the policy
Involves three steps:1. assigning responsibilities (governance);
2. implementing business continuity in the organization;
3. ongoing management of business continuity
Programme management is at the heart of the BCM process.Effective programme management establishes theorganizations approach to business continuity.
Purpose
22
-
8/7/2019 27102009085025-141381139
19/51
Understanding the organization
Business Impact Analysis
Identification of critical activities Determining continuity requirements
Evaluating threats to critical activities
Undertake a risk assessment Determine choices
Approvals
To assist the understanding of the organization through theidentification of its key products and services, and the criticalactivities and resources that support them.
Purpose
23
-
8/7/2019 27102009085025-141381139
20/51
Understanding the organization
It is important that the organization understands:a) the interdependencies of its activities, and
b) any reliance it has on external organizations, and anyreliance placed upon it by others.
24
-
8/7/2019 27102009085025-141381139
21/51
Determining business continuity strategy
Strategy options will depend on a range of factors:
the maximum tolerable period of disruption of the criticalactivity;
the costs of implementing a strategy or strategies; and
the consequences of inaction.
As a result of the analysis conducted in understanding theorganization, an organization will be in a position to choose theappropriate continuity strategies to enable it to meet its objectives.
Purpose
25
-
8/7/2019 27102009085025-141381139
22/51
Determining business continuity strategy
Strategies might be required for the followingorganizational resources:
people
premises
technology
information
supplies
stakeholders
civil emergencies
26
-
8/7/2019 27102009085025-141381139
23/51
Developing and implementing a response
Identify critical activities
Evaluate threats to those critical activities Choose appropriate strategies to reduce the
likelihood and impact of incidents; and
Choose appropriate strategies that provide forthe continuity or recovery of critical activities
Development and implementation of appropriate plans andarrangements to ensure continuity of critical activities, and themanagement of an incident.
Purpose
The range of threats to be planned for should be determinedby the organizations risk appetite.
27
-
8/7/2019 27102009085025-141381139
24/51
Incident timeline
Incident!
Incident response
Business Continuity
Timeline
Recovery / resumption back-to-normal
Overall recovery objective:Back-to-normal as quickly as possible
Within minutes to hours :Staff and visitors accountedfor, casualties dealt with,damage containment / limitation, damageassessment,Invocation of BCP Within minutes to days :
Contact staff, customers,suppliers, etc.Recovery of critical businessprocessesRebuild lost work-in-progress
Within weeks to months :Damage repair / replacementRelocation to permanent place ofworkRecovery of costs from insurers
28
-
8/7/2019 27102009085025-141381139
25/51
Developing and implementing a response
A small organization may have a single plan thatencompasses all requirements for the businessand which covers its entire operations
A very large organization may have many plans,each of which specifies in detail the recovery of:
a particular part of its business;
particular premises; or
a particular scenario.
May include separate documentation for theincident, continuity and recovery phases
29
-
8/7/2019 27102009085025-141381139
26/51
The Incident Management Plan (IMP)
The IMP should:
Be flexible, feasible and relevant;Be easy to read and understand, and
Provide the basis for managing all possible issues,including the stakeholder and external issues, facing theorganization during an incident.
The purpose of an IMP is to allow the organization to manage theinitial (acute) phase of an incident.
Purpose
30
-
8/7/2019 27102009085025-141381139
27/51
The Business Continuity Plan (BCP)
Contents of the BCP
Action plans / task listsResource requirements
Responsible person or persons
Forms and annexes
The purpose of a BCP is to enable an organization to recover ormaintain its activities in the event of a disruption to normal businessoperations.
Purpose
31
-
8/7/2019 27102009085025-141381139
28/51
Exercising
Exercises provide demonstrable evidence ofbusiness continuity and incident managementcompetence and capability
Time and resources spent proving BCMstrategies by exercising BCPs will lead to a fit-for-purpose capability
No matter how well designed and thought-out aBCM strategy or BCP appears to be, a series ofrobust and realistic exercises will identify areasthat require amendment
This element of the BCM lifecycle ensures that an organizationsBCM arrangements are validated by exercise and review and thatthey are kept up-to-date.
Purpose
32
-
8/7/2019 27102009085025-141381139
29/51
-
8/7/2019 27102009085025-141381139
30/51
BS 25999 Part 2
34
-
8/7/2019 27102009085025-141381139
31/51
35
Understanding BS 25999
BS 25999 Part One, a Code of Practice, providesBCM recommendations
BS 25999 Part Two, a Specification, provides anauditable management system framework formanaging business continuity
-
8/7/2019 27102009085025-141381139
32/51
-
8/7/2019 27102009085025-141381139
33/51
37
The Business Continuity ManagementSystem (BCMS)
-
8/7/2019 27102009085025-141381139
34/51
38
Whats the difference between BCM and
a BCMS?
BCM Lifecycle BCMS
-
8/7/2019 27102009085025-141381139
35/51
39
BS 25999-2 layout
-
8/7/2019 27102009085025-141381139
36/51
40
Establishing and managing the BCMS(Plan)
To define the scope and boundaries of your BCMS,and to ensure that:
Your organizations objectives are clearly stated,understood and communicated,
Top managements commitment to BCM is demonstrated,Proper resources are allocated, and
those with BCM responsibilities are competent to performtheir role.
To ensure that your organization embeds businesscontinuity into your routine operations andmanagement processes
-
8/7/2019 27102009085025-141381139
37/51
41
Establishing and managing the BCMS(Plan)
Provide clear evidence of the effective operation ofyour BCMS and your organizationsimplementation of Business ContinuityManagement.
-
8/7/2019 27102009085025-141381139
38/51
42
Implementing and operating the BCMS(Do)
To enable you to identify critical activities and theresources needed to support your key productsand services
understand the threats to them and choose appropriaterisk treatments
Identify BCM arrangements that will enable you torecover your critical activities within the recoverytime objectives you set
Enable you to develop and implement appropriateBCM plans and arrangements
to manage any incident andto continue running your critical activities
-
8/7/2019 27102009085025-141381139
39/51
43
Maintaining and improving the BCMS(Act)
Maintain and improve the effectiveness andefficiency of your BCMS
Taking corrective and preventive actions, asdetermined by the management review
-
8/7/2019 27102009085025-141381139
40/51
44
Implementing and operating the BCMS(Do)
Verify the ongoing effectiveness of your BCMarrangements
Provides you with greater assurance following anincident that critical activities will be recovered asrequired
-
8/7/2019 27102009085025-141381139
41/51
-
8/7/2019 27102009085025-141381139
42/51
Certification
-
8/7/2019 27102009085025-141381139
43/51
Why Certification?
Competitiveadvantage
Supply chainrequirement
Respond toshareholders,
investors,analysts
Financial benefitsand savings(insurance,audits)
Reduce costs oftendering
Certifiedbusinessesoutperform
Recruitment andretention
Rigour andindependence of
the audits
Consistencyacross sites
Ensure staff arecomplying with
proceduresProtect brandand reputation Drive continuousimprovement
47
-
8/7/2019 27102009085025-141381139
44/51
48
What is certification?
Certification involves a third-party, such as BSIManagement Systems, visiting an organization,assessing their management system against therequirements of a standard.
This hopefully - results in the issuing of acertificate of registration to show that theorganization abides by the principles set out in thestandard, so following industry best practice.
-
8/7/2019 27102009085025-141381139
45/51
49
Why is certification important?
Lets you reduce the cost of evaluating suppliers
Helps you develop, implement, maintain andimprove a management system a proactive andproven approach to reducing risk
Continual improvement - achieved through regularassessments of the management system
Demonstrates that your organization is exercisingduty of care
Provides a goal for your organization to worktowards
-
8/7/2019 27102009085025-141381139
46/51
50
Why is certification important?
Demonstrates to stakeholders that:key services and products can continue to be delivered
applicable laws, regulations and contractual requirementsare being observed
Offers global consistency in BCM implementation
Protects the interests of shareholders, brand andreputation
Mandating certification from suppliers andoutsource partners can help reduce supply chainrisks
-
8/7/2019 27102009085025-141381139
47/51
-
8/7/2019 27102009085025-141381139
48/51
End of Presentation
-
8/7/2019 27102009085025-141381139
49/51
Additional Optional slides
65
-
8/7/2019 27102009085025-141381139
50/51
65
BS 25999 Part 1 - Code of Practice
The code of practice for business continuitymanagement
Establishes the BCM processes, principles andterminologyProvides a basis for understanding, developing andimplementing business continuity within organizations ofany size or from any sectorProvide a comprehensive methodology based on BCMbest practice and the whole BCM lifecycleBusiness driven
Published in November 2006
-
8/7/2019 27102009085025-141381139
51/51
End of Presentation