business continuity management for libraries

Business Continuity Management for Libraries, by Dr. บรรจง หะรังษี

Upload: boonlert-aroonpiboon

Post on 01-Nov-2014


DESCRIPTION

Business Continuity Management for Libraries, by Dr. บรรจง หะรังษี

TRANSCRIPT

Page 1: Business Continuity Management for Libraries

Business Continuity Management for Libraries

by Dr. บรรจง หะรังษี

Page 2: Business Continuity Management for Libraries

BCM Topics

• BCM programme management
• Understanding the organization
• Determining business continuity strategy
• Developing and implementing a BCM response
• BCM exercising, maintaining and reviewing BCM arrangements
• Embedding BCM in the organization’s culture
• Workshops:
  - Estimate resource requirements for Library Loan Service
  - Determine business continuity strategy for Library Loan Service

Page 3: Business Continuity Management for Libraries

Business Continuity

• Business continuity is the strategic (strategy-level) and tactical (turning strategy into practice) capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

Page 4: Business Continuity Management for Libraries

Business Continuity Management

• Business Continuity Management (BCM) is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

Page 5: Business Continuity Management for Libraries

BCM Process in BCI

[Figure: the BCM process in BCI, with elements numbered 1 to 6]

Page 6: Business Continuity Management for Libraries


Activity = process/a set of processes to produce/support one or more product/service

Page 7: Business Continuity Management for Libraries

BCM programme management

• Programme management enables the business continuity capability to be both established and maintained in a manner appropriate to the size and complexity of the organization.

Page 8: Business Continuity Management for Libraries

Understanding the organization

• The activities associated with "Understanding the organization" provide information that
  - enables prioritization of an organization’s products and services and the urgency to deliver them.

(This sets the requirements for selection of appropriate BCM/BC strategies.)

Page 9: Business Continuity Management for Libraries

Determining business continuity strategy

• Determining business continuity strategy enables a range of strategies to be evaluated.
• This allows an appropriate response to be chosen for each product or service, such that the organization can continue to deliver those products and services:
  - at an acceptable level of operation; and
  - within an acceptable timeframe
  during and following a disruption.
• The choice made will take account of the resilience and countermeasure options already present within the organization.

Page 10: Business Continuity Management for Libraries

Developing and implementing a BCM response

• Developing and implementing a BCM response results in the creation of a management framework and a structure of incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.

Page 11: Business Continuity Management for Libraries

BCM exercising, maintaining and reviewing BCM arrangements

• BCM exercising, maintenance, review and audit leads to the organization being able to:
  - demonstrate the extent to which its strategies and plans are complete, current and accurate; and
  - identify opportunities for improvement

Page 12: Business Continuity Management for Libraries

Embedding BCM in the organization’s culture

• Embedding BCM in the organization’s culture enables BCM to become part of the organization’s core values and instils confidence in all stakeholders in the ability of the organization to cope with disruptions.

Page 13: Business Continuity Management for Libraries

1 BCM programme management

Page 14: Business Continuity Management for Libraries

BCM programme management

• The BCM programme (management) of an organisation provides the framework around which the BCM capability is designed and built.

Page 15: Business Continuity Management for Libraries

Benefits of a BCM Programme (Management)

The organization:
• is able to proactively identify the impacts of an operational disruption;
• has in place an effective response to disruptions which minimizes the impact on the organization;
• maintains an ability to manage uninsurable risks;
• encourages cross-team working;
• is able to demonstrate a credible response through a process of exercising;
• could enhance its reputation; and
• might gain a competitive advantage, conferred by the demonstrated ability to maintain delivery.

Page 16: Business Continuity Management for Libraries

1 BCM programme management

1a. THE BUSINESS CONTINUITY MANAGEMENT POLICY
• 1a.1 REFLECTING ORGANISATIONAL CONTEXT
• 1a.2 BCM POLICY CONTENTS
• 1a.3 BCM PROGRAMME SCOPE & DETERMINING CHOICES
• 1a.4 OUTSOURCED ACTIVITIES

1b. PROGRAMME MANAGEMENT
• 1b.1 ASSIGNING RESPONSIBILITIES
• 1b.2 IMPLEMENTING BCM IN THE ORGANISATION
• 1b.3 PROJECT MANAGEMENT
• 1b.4 ONGOING BC MANAGEMENT
• 1b.5 DOCUMENTATION
• 1b.6 INCIDENT READINESS & RESPONSE

Page 17: Business Continuity Management for Libraries

REFLECTING ORGANISATIONAL CONTEXT

• This is to understand the direction and focus of the business before embarking on other stages (business impact analysis or risk assessment)
• Need to study and understand the business plan for growth/downsize, restructure, etc., in the short, medium or long term.
• This type of information may not be visible to the person charged with business continuity activity.
• Knowledge of business plans will also be required.
• Need to set the geographic scale for the clear choice of continuity strategies.

Page 18: Business Continuity Management for Libraries

Organisational Strategy

• Aspects of the organisation’s strategy likely to affect the BCM Programme are:
  - Expansion (or contraction) strategy
  - Development of new products or services
  - Key business change or restructuring
  - Relocation or location consolidation

Page 19: Business Continuity Management for Libraries

Regulatory Requirements

e.g.,
• Regulatory/Statutory requirements
• Health and safety regulations

Page 20: Business Continuity Management for Libraries

Scale

• Decide on the maximum geographic extent that the organisation wants to, or needs to, plan to survive. This could be determined by:
  - Geographical extent (or market/customer area)
  - Products, market sectors or specific customer requirements

Page 21: Business Continuity Management for Libraries

BCM POLICY CONTENTS

• The BCM Policy is the key document which sets out the scope and governance of the BCM programme.

Page 22: Business Continuity Management for Libraries

BCM PROGRAMME SCOPE & DETERMINING CHOICES

From the Business Strategy studied and understood,
• Set the scope to ensure clarity of what areas of the organisation are included within the BCM programme.
  - The scope can be defined by identifying which products and services fall within it.
• Conduct a Business Impact Analysis to ascertain the effects of a loss of product and services.
• Consider the strategy options for each product and service.
• Provide executive management with the evaluation report to choose the options, which they can determine.
• Ensure the agreed option is ‘signed-off’ by the executive management including the financial and resource provisions.

Page 23: Business Continuity Management for Libraries


Activity = process/a set of processes to produce/support one or more product/service

Page 24: Business Continuity Management for Libraries

What Areas to Include/Exclude

• Decisions on which products, services or locations to include within the scope may be determined by one or more of the following factors:
  - A customer requirement
  - A regulatory/statutory requirement
  - Perceived high-risk location due to proximity to other industrial premises or physical threats such as flooding
  - Product being an overwhelming proportion of organisational income
• Reasons why product, service or location may be excluded from the scope:
  - Product/service nearing end of life (would be terminated if supply interrupted)
  - Product/service with low margins (termination or outsourced)
  - A perceived low-risk location

Page 25: Business Continuity Management for Libraries

‘Do nothing’ Strategy

• A ‘do nothing’ strategy may be acceptable for the least urgent activities identified in the BIA result.
  - Where the organisation has identified that an activity has a RTO greater than a few months, this gives enough time for buildings to be found and utilities to be installed post-incident with minimal planning and preparation.
• Another case for ‘do nothing’ is that
  - if the cost of BCM is judged to be too high or
  - the risk is deemed low (because disruption is felt to be unlikely or would have a low impact),
  then accept the risk.

Page 26: Business Continuity Management for Libraries


Strategy Options

‘Do nothing’ Strategy

Premises

Page 27: Business Continuity Management for Libraries

Business Continuity

• If Business Continuity is the chosen strategy then it requires that suitable measures (BCM arrangements) are put in place to ensure that the various activities supporting their delivery can be continued or recovered within the required timescales.

Page 28: Business Continuity Management for Libraries

Acceptance

• If the cost of BCM is judged to be too high or the risk is deemed low (because disruption is felt to be unlikely or would have a low impact) then the risk can be ‘accepted’.
• In this event the organisation may choose to do nothing about it or put in place measures to deal with it if the risk occurs. Such measures may include:
  - An Incident Management capability
  - Measures to protect against specific high-probability threats such as fire

Page 29: Business Continuity Management for Libraries

Transfer

• A risk may be transferable to a third-party who may be more able to manage it. Such measures include:
  - Outsourcing. More and more organisations are outsourcing business critical processes and activities to create virtual organisations. It is important to remember that the risk to the organisation’s reputation and brand image cannot be shifted to outsourced providers; the risk and responsibility always remain with the business.

Page 30: Business Continuity Management for Libraries

Transfer

• Off-shoring, using in-house resource or outsource providers away from the centre of the business (usually in a far country), may introduce other concerns to be considered, such as security, political and environmental risks, etc.
• Insurance - transferring some of the financial costs of an incident (e.g. fire, bomb attack) to an insurance company.
  - However in a major incident this can only provide money to support business resumption to a small degree and is not sufficient as a solution on its own.

Page 31: Business Continuity Management for Libraries

Change, suspend or terminate

• Change, suspend or terminate the product/service if possible.

Page 32: Business Continuity Management for Libraries

OUTSOURCED ACTIVITIES

• If part or all of a product or service delivery is outsourced, the ultimate responsibility for its continuity remains with the organisation and cannot be transferred to the outsourcing company.
• Customers will expect the organisation to have made an informed choice about their partners and taken appropriate measures to assure delivery.
• The purpose is to ensure that the organisation’s delivery of products and services is not disrupted by a failure of a third party supplier of goods or services which are provided either to the organisation or direct to the customer on the organisation’s behalf.

Page 33: Business Continuity Management for Libraries

Important Issues in Outsourcing

• Have a specification for BCM requirements in contract terms
• Have an agreement on realistic Service Levels for use during incidents
• Involve outsourcing companies in BCM training, awareness and exercising
• Have documentation for results of exercises

Page 34: Business Continuity Management for Libraries

PROGRAMME MANAGEMENT

• Key steps in BCM Programme Management are:
  - Assigning responsibilities
  - Implementing BCM in the organisation
  - Project Management
  - Ongoing management
  - BCM documentation
  - Incident readiness and response

Page 35: Business Continuity Management for Libraries

ASSIGNING RESPONSIBILITIES

• The key to a successful BCM programme is the early identification of clearly defined roles, responsibilities and authorities to manage the BCM programme and process throughout the organisation.
• The purpose of assigning roles and responsibilities is to ensure that the tasks required to implement and maintain the programme are allocated to specific and competent individuals whose performance can be monitored.

Page 36: Business Continuity Management for Libraries

ASSIGNING RESPONSIBILITIES

• A member of the Executive should be given overall accountability for the organisation’s BCM capability and its effectiveness.
• This ensures that a BCM programme is given the correct level of importance within the organisation and a greater chance of effective implementation.
• An individual should be appointed to manage the BCM programme. This person may be known as the BC Manager.

Page 37: Business Continuity Management for Libraries

BCM Programme Board and Team

• BCM Programme Board (BCM Committee) – a management group to give advice, guidance and management oversight
• Incident Management Team – a team comprising representatives of all teams involved in incident response to coordinate, manage and resolve incidents (hopefully until closure)
• BCM Team (BCM operational team) – a series of business and service recovery teams representing critical business processes and their supporting services, e.g., IT services

Page 38: Business Continuity Management for Libraries

IMPLEMENTING BCM IN THE ORGANISATION

• The purpose of this step is to ensure that a sustainable BCM programme is implemented in the organisation.
• The documented and repeatable process for BCM should be created and adopted throughout the organization.

Page 39: Business Continuity Management for Libraries

PROJECT MANAGEMENT

• Project management disciplines should be adopted and used, such as GRACE, PMBoK, ….
• This is to help manage projects to implement the BCM programme, mainly to complete projects within the required time, cost and efforts.
• Typical project stages in a BCM programme include:
  - Awareness raising
  - Defining programme scope (Write Policy)
  - Business impact analysis
  - Risk Analysis
  - Continuity option selection
  - Developing and implementing the BC plan
  - Developing and managing a desktop exercise to test the BC plan

Page 40: Business Continuity Management for Libraries

ONGOING BC MANAGEMENT

• The Executive of the organisation should:
  - Appoint a person or team to manage the BCM programme
  - Define the scope of the BCM programme
  - Approve the continuity budget
  - Monitor the performance of the BCM programme

Page 41: Business Continuity Management for Libraries

ONGOING BC MANAGEMENT

• The appointed BCM team should (in consultation with the Executive):
  - Develop and approve a BCM process and programme.
  - Undertake or manage the BCM activities
  - Promote BCM across the organisation and externally where appropriate
  - Manage the continuity budget
  - Maintain the BCM documentation
  - Report on the current state of readiness to the Executive on a regular basis highlighting where there are gaps to be corrected
  - Train BCM members

Page 42: Business Continuity Management for Libraries

DOCUMENTATION

• A set of BCM documentation includes:
  - BCM Policy including scope and principles
  - BCM roles, responsibilities and resources
  - Training and competency records for BCM personnel
  - Business Impact Analysis
  - Risk analysis
  - BCM Strategies including papers supporting the choice of the strategies adopted
  - Incident Response structure
  - Incident Management Plans
  - Business Continuity Plans

Page 43: Business Continuity Management for Libraries

DOCUMENTATION

  - Departmental Business Resumption Plans
  - Exercise Schedule and reports
  - Awareness and training programme
  - Service Level Agreements with customers and suppliers
  - Contracts for third party recovery services such as workspace and salvage
  - Maintenance and review (audit) programme, reports and corrective actions

Page 44: Business Continuity Management for Libraries

INCIDENT READINESS & RESPONSE

A process/plan to handle incidents until returning to a normal situation needs to be defined, such as:
• Receive notification of an incident.
• Assess situation then:
  - either manage response through appropriate prepared plans
  - or escalate to Incident management team
• Contain - Is there anything that can be done immediately to stop the problem getting worse?
• Look at the Incident Management Plan - is there a pre-planned response that fits this incident?
• Follow the documented response procedure

Page 45: Business Continuity Management for Libraries

INCIDENT READINESS & RESPONSE

• Predict the likely outcome and adapt the BC Plan to provide a response strategy
• Implement the response strategy
• Evaluate the progress of the response
• If the situation is OK, stand down the response
• Review the effectiveness of the response

Page 46: Business Continuity Management for Libraries

Example: Incident Response/Management Plan

Page 47: Business Continuity Management for Libraries

Example

BC Plan

Case using strategy option 1

Page 48: Business Continuity Management for Libraries

Example

BC Plan

Case using strategy option 2/3/4

Page 49: Business Continuity Management for Libraries

• Workshops:
  - Estimate resource requirements for Library Loan Service
  - Determine business continuity strategy for Library Loan Service