
BS 25999/ ISO 22301 User Group

London, 14 February 2013

Copyright © 2012 BSI. All rights reserved. October 2012

Programme

09:30 – 09:45 Welcome and Camden case study
Trevor King, Business Continuity Manager, Camden Council

09:45 – 10:00 Withdrawal of BS 25999 and the introduction to the ISO
Tim McGarr, Sector Content Manager (Business Continuity Management & Risk Management), BSI

10:00 – 10:30 Getting started in developing a Business Continuity Management System
Drew Gibson, Head of Business Continuity Management, Canary Wharf Group

10:30 – 10:50 Facilitated Discussion 1: The impact of the ISO and the withdrawal of BS 25999

10:50 – 11:10 Break: Tea and Coffee

11:10 – 11:40 Continuity in the supply chain
Steve Mellish, Chairman, The Business Continuity Institute

11:40 – 12:05 Facilitated Discussion 2: Is your supply chain resilient? To what degree is it integrated in business continuity arrangements?

12:05 – 12:30 The relationship between BCM and resilience
Charley Newnham, Business Resilience, PwC

12:30 – 13:30 Lunch and close

Trevor King
Business Continuity Manager
London Borough of Camden

Welcome to Camden Council

[email protected]

14 February 2013

Why Local Authorities have business continuity management

• Normal business reasons for a service organisation
• Civil Contingencies Act

Camden Council’s BC policy

“It is the policy of the London Borough of Camden to have adequate Business Continuity Management processes and maintain Business Continuity Plans in order to deliver appropriate levels of service during a Business Continuity incident to meet our obligations to our residents, our employees, partners, other stakeholders and to those travelling through Camden”.

Scale

• 1 corporate BC plan
• 6 departmental BC plans
• 80 heads of service
• 138 BC plans
• 47 of the 138 BC plans have a component that must be restored on the same day
• eg call centre, communications team, IT, social care, registrars, civil emergencies, repairs, and so on
• BC plans from suppliers of goods and services

How do we pull it all together (1 of 2)

• Policy and structure of responsibility
• Risks assessed centrally (Borough Risk Register)
• Standard BC planning template
• Action plans focus on impacts of a BC event:
  – Cannot use the office (fire, utility failure, cordon)
  – Shortage of staff (transport, strike, flu)
  – Loss of use of IT (internal IT, telecomms, malicious)
  – Failure of a supplier of goods or services
  – Sudden increase in workload (civil emergency).

How do we pull it all together (2 of 2)

• Heads of service are responsible for their plans
• Prioritise activities
• IT - central rules on restoration
• Re-accommodation – central control
• Standard BC exercises
• Review of BC incidents

BS 25999 and ISO 22301

Constant change
• Reduction in the number of offices
• Working from home – strategy of 7 for 10
• IT
• Priorities
• Six month review of plans

Individual’s motivation to plan effectively

• Compliance culture?
• Perceived impact on the responsible manager(s)
• Imperative to provide a service: health/safety, legal obligations, finance, reputation.
• Historical (Y2K, flu, Olympics, local)
• Leadership

BC promotion to businesses

CCA: Local Authorities to provide advice and assistance to businesses and voluntary organisations about business continuity management (no agreed measurables).

At Camden Council we have:
• Camden.gov.uk search on ‘business continuity’
• Presentation evening
• Collaborate with other events
• Direct to students at schools
• Camden security zones
• Business news letter
• Leaflets?
• Our suppliers

Some Local Authorities provide a BC planning service.

Thank you

Have a good session

Trevor King
Business Continuity Manager
London Borough of Camden
[email protected]

Drew Gibson MBCI

Canary Wharf Group Business Continuity Manager

[email protected]

Implementing Business Continuity and ISO 22301

Canary Wharf

Lessons learnt in 2012

Lesson Learnt

• Communications
• Re-simplification of planning
• Simplicity of plans
• Simplification of processes
• Realistic testing and exercising
• Second order testing and exercising

Considerations

• Budgets
• Staff management
• Regulatory oversight
• Extreme weather
• Current investments
• Office locations/DR sites
• Transport infrastructure
• Behavioural changes

ISO 22301 – Caveats

The Issues

• Not yet Audited
• Not arguing definitions
• Not a silver bullet
• Still need to plan
• No fast track
• Need to get management buy in

ISO 22301 – Benefits

Benefits

• Internationally recognised
• Excellent framework for planning
• More relevant than BS25999
• Competitive advantage
• Demonstrate reliability of service
• Consistency of processes

ISO 22301 - The Process

ISO 22301

• Corrective & Preventative Actions Log
• Mitigation & Protection
• Risk Opportunity Log
• Wider scope
• Chapter 5 – Management Oversight
• Third party suppliers
• External stakeholders expectations

The Challenges

ISO 22301

• Objective view
• Major incident plans
• Staff awareness
• Accessing recovery times
• BIA requirements
• Audit anxiety
• Creeping excellence

Facilitated Discussion 1: The impact of the ISO and the withdrawal of BS 25999

1. Has your organisation implemented ISO 22301/ BS 25999, or a BCM process aligned to that Standard? What were the challenges in achieving this?
2. What will make your job easier in implementing a Standards approach to BCM?
3. Has the transition to ISO 22301 left any gaps in BCM guidance/ Standards you would like to see addressed?

Three messages back to the BSI...

CONTINUITY IN THE SUPPLY CHAIN – A PRACTICAL APPROACH

Steve Mellish FBCI, Director of Mellish Risk & Resilience and Chairman of the Business Continuity Institute

Thursday 14th February 2013

Agenda

• Introduction
• Background
• The Sainsbury’s approach
• 5 ‘Top Tips’ to address your supply chain risk
• Conclusion

Supply Chain Survey Results 2012

• 532 companies participated in the survey
• 73% had experienced at least 1 disruption (5 was the average)
• Failure of outsourcing suppliers has risen 17% to 35% since 2009
• Severe weather disruption affected 48% (51% in 2011)
• 39% of disruptions originated from ‘Tier 2’ suppliers

Source: The Business Continuity Institute – Supply Chain Resilience 2012

The Sainsbury’s approach

• More than 1,000 stores
• More than 155,000 employees
• More than 22 million customer transactions a week
• More than 7,000 suppliers
• 25 Distribution Centres
• Additional services include Banking, Online shopping, home grocery deliveries

The Business Continuity Group provides the Sainsbury organisation with a comprehensive BCM programme of the highest standard, which protects it from any major event that might adversely affect its operation and/or reputation. Strategies for BCM will be based on the business needs balanced against cost and industry ‘best practice’. The BCM programme will be driven by meeting the needs of the business within an ever-changing environment.

Business Plan 2005/6

Mission

Vision

BC Goals
• Full and effective implementation of the performance management system.
• Set and achieve the budget.
• BCM for critical suppliers
• Review and revise the alternative accommodation strategy.
• Review and revise the emergency communications strategy.
• BCM for the Supply Chain
• Ensure that the BCSG ‘Risk Map’ is maintained and used to maximum effect.
• Undertake BIA’s for Holborn and Streatham Business Centres which will gain BCSG approval.

Objectives
• Develop and maintain great supplier partnerships.

Manage the BCM programme ensuring maximum benefits are achieved with the resources available to it, including people, systems and finance.

“At Sainsbury’s we will deliver an ever improving quality shopping experience for our customers with great product at fair prices. We will exceed customer expectations for healthy, safe, fresh and tasty food making their lives easier every day.”

Our Goal

To be acknowledged as the ‘Enterprise-wide stakeholder protection system’ for Sainsbury’s.

A risk management department that protects Sainsbury’s and all of its stakeholders from the effects of unplanned business disruption.

• Plans and procedures will remain up-to-date and ready to use through an ongoing programme of plan review, maintenance and exercise.
• Embed BCM into the culture of the organisation through an ongoing awareness and education programme.
• Deliver plans and solutions which meet the business needs and that protect the organisation from the effects of any major incident.

Identity
• Deliver a memorable BCAW:2006
• Continue to learn and share best practice both internally and externally.
• Ensure inductions and associated materials are maintained and delivered.
• Exercise, test and rehearse all plans, teams and associated solutions.
• Review and maintain the Holborn and Streatham BCP’s as well as the SIC procedures.
• Agree an audit plan for the BCM programme.
• BCM for critical suppliers
• Complete the ‘London’ BC Plan
• Implement BCP4DRP
• Ensure effective responses to any major incidents including product recalls.

Our Values
• Getting better every day
• Great service drives sales
• Individual responsibility – team delivery
• Keep it simple
• Respect for the individual
• Treat every £ as your own

Painful Experience

Third Party Supplier Continuity

• Scope
  – Limited number of suppliers who, should they fail to deliver, will have a major impact on the Sainsbury brand, reputation or ‘core’ operation of the business
• Objectives
  – To assess their current BC capabilities
  – To identify areas for improvement
  – To provide guidance on addressing any areas of weakness and vulnerability

What is a Critical Supplier?

• Service Provider not products
• Sainsbury’s specific (not industry-wide)
• Customer facing
• Reputational impact to Sainsbury’s
• Material impact on profit by £xm
• Legal/regulatory problems
• Stops mission critical activities*

Third Party Supplier Continuity

• The most critical suppliers were identified
• Contact was made at CFO level to find out about their business continuity capabilities
• Conducted in partnership by sharing good practice
• Reviewed contracts and their terms and conditions
• Raised awareness and education within the trading and procurement teams

Challenges

• They may not want to discuss it!
• They may say they don’t know how to do it
• They may expect it to be done for them!
• They may want to charge for it
• They may claim it’s all in place - so how do you know for sure?
• The risk exposure had to be reduced

Business As Usual

• 130 Suppliers were identified
• All suppliers returned their questionnaires
• Follow ups occurred and were maintained
• New tenders and contracts included business continuity
• Sainsbury’s are also asked to provide evidence

5 Top Tips

1. Identify all of your key suppliers and rate them in terms of importance to your business
2. Engage with your critical suppliers at a senior level
3. Assess their level of preparedness for dealing with service disruption
4. Follow up where appropriate and maintain an ongoing dialogue (it’s not an initiative)
5. Include business continuity in your contracts

Free Extra Tip!

Make sure if you are asked you can answer and demonstrate that you can maintain supply to your customers.

Gain an advantage over your competitors.

Who Next and When?

QUESTIONS?

[email protected]

Facilitated Discussion 2: Is your supply chain resilient?

1. To what extent does your BCM programme consider supply chain risks?
2. How have you obtained assurance from your key suppliers that their BCM processes are robust?
3. What are the key challenges to maintaining a resilient supply chain?

The relationship between BCM and Resilience

Charley Newnham, February 2013

We will cover...

1. The Changing Definition of Organisational Resilience
2. Is Business Continuity Not Organisational Resilience?
3. BCM and the Bigger Picture
4. 2012: Snapshot of Resilience in the Workplace
5. Leveraging BCM Expertise for Organisational Resilience

Changing Definition of Resilience

Defining “Organisational Resilience”

2007: The ability of an organisation to bounce back to its original state (Ferudi, 2007; McIntyre, 2007)

2010: The ability to bounce forward to a new state that ensures both recovery and adaptation; development of the ability to minimise or eradicate crisis events (Valikangas, 2010; Comfort, Boin & Demchak, 2010)

2012: Proof of resilience is “thriving longevity”: adaptive capacity, strategic situational awareness, avoidance or minimisation of crisis, avoidance of gradual decline, wise strategic governance, etc. (Carmelli & Markam, 2011; Stephenson, 2011)

If we are to be resilient, we have to be open to learning and change... Next..?

Thought Leadership Journey

Managing BCM → Leading for Resilience
Surviving → Thriving

Is BCM Not Organisational Resilience?

The case for preparation: good crisis management creates value

[Chart: stakeholder value against time (250 days) for companies with a positive approach to crisis management and recovery (“Recoverers”) versus other companies (“Non-recoverers”); labelled factors: management skills and response, stakeholder communication. Source: Knight / Pretty 1996 – 2010]

• Insurance alone is inadequate
• Plans need to be implemented

The Crisis Continuum Mapped to Business Continuity Management

[Figure: the crisis continuum over time, showing the “Opportunity to build resilience” before the event and the “Requirement to respond” during and after it. (Newnham, 2012, after Burnett, 1998)]

Business Continuity Management: effort to the ‘left of bang’; to manage / respond during and to the right of bang.

The Crisis Continuum: What if there is no defining event(s)?

[Figure: the crisis continuum again, showing the “Opportunity to build resilience” and the “Requirement to respond” over time (Newnham, 2012, after Burnett, 1998), with Business Continuity Management effort to the ‘left of bang’, and to manage / respond during and to the right of bang.]

No “Bang” Required

• Farepak, 2006
• Lehmans, 2008
• Woolworths, 2009
• Borders, 2011
• HMV, 2012
• Jessops, 2012
• ITV Digital, 2002

Examples

• slow burn issues
• flawed board level strategies
• inferior hiring decisions
• gradual declines in knowledge/growth
• competitor activity
• not adapting quickly enough to changing market
• cutbacks in R&D
• changes in regulations

What’s the BCM Contribution?

[Figure: the crisis continuum, showing the “Opportunity to build resilience” and the “Requirement to respond” over time (Newnham, 2012, after Burnett, 1998). Business Continuity Management: effort to the ‘left of bang’; to manage / respond during and to the right of bang.]

BCM and the Bigger Picture

How The Mighty Fall

• Collins talks about 5 stages of decline
• In 1992 business gurus Peters & Waterman published a list of ‘excellent companies’
• 18 months later, they removed more than 30% from their list
• Research showed “the majority had failed to adapt to changes in the external environment”
• How long do you want your organisation to last?

The Theory of Creative Destruction

• Alan Greenspan ran the US Federal Reserve from 1986 - 2006
• Talks about “Creative Destruction”
• If an organisation isn’t capable of reinventing itself, or part thereof, when needed it will – and deserves – to die.
• What is the antithesis to creative destruction?
• Is it organisational resilience?

How Does the Roman Empire Help?!

• Carmelli & Markham (2011) examined the longest surviving organisations, to discover what made them resilient
• Resilient companies don’t settle for endurance, but seek to thrive
• “Corporate resilience is about neither crisis management nor turnaround programs… it is not reactive but proactive organisational conditioning”.

The Business Continuity Role?

If organisational resilience is “the strategic and operational, planned and adaptive capacity of an organisation to thrive and achieve longevity*”

Where does BCM currently play its part?

*Newnham, 2012

2012 Snapshot of “Resilience” in the Workplace

American National Standard for Organisational Resilience (2009)

• Business Continuity
• Crisis Management
• Risk Management
• Physical Security
• Information Security

“Resilience” Units in 2012?

• More than 50% of “Resilience” Departments are in public service organisations
• Mostly they oversee Business Continuity Management
• 76% also oversee Incident/Emergency Management
• Less than 7% also oversaw IT continuity
• Just over 30% also oversee Security or Risk Management

The Ultimate Question? Who can provide resilience assurance?

• Business Continuity
• Crisis Management
• Risk Management
• Physical Security
• Information Security

Can these functional leaders assure the CEO that, together, they can, do or should provide the total resilience capacity for the organisation?

A New Resilience Consensus?

• Sutcliffe & Vogus (2003)
• McManus (2008)
• Beer (2009)
• Gardner (2009)
• Braes & Brooks (2010)
• Comfort, Boin & Demchak (2010)
• Valikangas (2010)
• Stephenson (2011)
• Newnham (2012)

[Diagram of resilience attributes: Internal and External Situation; Disciplined approach to expansion; Virtuous corporate values; Pro-active conditioning; Increasing Staff Engagement; Understanding Key Dependencies; Securing and developing knowledge; Encouraging innovation; Fit for purpose continuity strategies; Situation Monitoring; Reducing Silo Mentality; Robust leadership and governance; Strong corporate culture]

Leveraging BCM Expertise for Organisational Resilience

Existing Insights from BCM Leaders

• Where can BCM expertise be utilised for resilience?
• Do organisations have an appetite for exploring organisational resilience?
• How can it be leveraged at Board level?
• Do BCM leaders have the desire to take on organisational resilience?

[Diagram of resilience attributes repeated: Internal and External Situation; Disciplined approach to expansion; Virtuous corporate values; Pro-active conditioning; Increasing Staff Engagement; Understanding Key Dependencies; Securing and developing knowledge; Encouraging innovation; Fit for purpose continuity strategies; Situation Monitoring; Reducing Silo Mentality; Robust leadership and governance; Strong corporate culture]

The Corporate Challenge: Who gets rewarded for things that didn’t happen?

Conversation Pieces: Quick reads, packed with stories and facts for opening conversations

Questions?

Charley Newnham
PwC | Organisational Resilience & Business Continuity
Mobile: +44 (0) 7930 402575
Email: [email protected]
PwC LLP, 31 Great George Street, Bristol, BS1 5QD