
Page 1: Delivering a Safer Society Business Continuity Management -  Not just for “ Business ”

Delivering a Safer Society

Business Continuity Management - Not just for “Business”

Michael Gallagher

Page 2

Business Continuity Management - Not just for “Business”

• What is BCM?
• What are the Drivers?
• What is Status?
• Features of good BCM
• Relationship with Emergency Services
• Developments in UK
• Implications for Local Authorities
• Not just a Plan

Page 3

Two out of five enterprises that experience a disaster will go out of business within five years. Enterprises can improve these odds – but only if they take the necessary measures before and after the disaster.

Aftermath: Disaster Recovery, Gartner, September 2001

Page 4

28% of UK businesses do not have a formal recovery plan.

37% of the businesses that do have a disaster recovery plan have never tested it.

Commercial Claims Survey, Deloitte & Touche, 2001

Page 5

Disaster tonight

How confident?

Are you comfortable?

Page 6

Usual excuses

It will never happen to us!

I’m sure we could cope

You can’t plan for the unforeseen

If we don’t have a disaster we’ve wasted money

Isn’t this why we have insurance?

We are used to things going wrong

Page 7

Business Continuity Management

The act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner

Business Continuity Institute

Not just about producing plan(s)

Risk Management - identification, evaluation & reduction

Creating awareness / culture

Communication

Exercising / testing and keeping plans up to date

Computers - A major risk?

Page 8

Page 9

Page 10

Page 11

28% of UK Local Authorities did not have ICT security policies

Socitm’s IT Trends in Local Government 2002/3

Page 12

Types of Risk

Strategic

Operational

• External

• Internal

• Distribution

• Customers

Page 13

BCM is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

BCI Good Practice Guidelines - Nov 2002

Page 14

The BCM Life Cycle

BCI

Page 15

BCI 10 Certification Standards:

• Project Initiation & Management
• Risk Evaluation & Control
• Business Impact Analysis
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Developing & Implementing BCPs
• Awareness & Training Programmes
• Maintaining & Exercising BCPs
• Public Relations & Crisis Co-ordination
• Co-ordination with Public Authorities

Page 16

Co-ordination with Public Authorities

To establish applicable procedures and policies for co-ordinating continuity and restoration policies and activities with local authorities while ensuring compliance with applicable statutes and regulations.

Role -
• Co-ordinate emergency preparations, response, recovery, resumption, and restoration procedures with public authorities
• Establish liaison procedures for emergency / disaster scenarios
• Maintain current knowledge of laws and regulations concerning emergency procedures

Page 17

Phases in BCM

Project Initiation

Risk Identification

Business Impact Analysis

Develop Business Continuity Strategies

Plan Development

Plan Maintenance

Plan Testing

Page 18

Make it relevant -

BCM is about ensuring that if your organisation experiences a disaster or other serious incident you have already considered that possibility. You will have taken steps to reduce the risk of this happening and to minimise the impact if it does happen. You will have a plan in place with which all key managers are familiar, which has been tested, and which will enable your organisation to continue to function as close to normal as possible with the least disruption possible.

Relevant to every type and size of organisation

“What If” instead of “If Only”

Page 19

Evolution of BCM

1970
• IT-DRP
• Responsibility of DP Manager
• More tolerant of downtime
• Banks had own arrangements

1980
• Commercial Recovery Sites
• Portable Computer Rooms
• Emphasis on response and recovery

1990
• Less tolerant of downtime
• Technology changes
• Increasing dependence on communications
• Becomes BCP - include the business processes
• Emphasis on prevention
• Y2K

Page 20

Evolution of BCM

2000
• Becomes BCM
• Responsibility of Business
• Holistic
• All disciplines working together
• Closely aligned with Risk Management -

Danger of separate departments thinking that some threats and responsibilities are handled by someone else

9/11 etc.

Page 21

Why is BCM Essential?

• Regulatory Requirements
• Turnbull - Corporate Governance
• Data Protection
• Confidence of suppliers and customers
• Reputation
• Business environment
• Insurance is not enough

Page 22

Turnbull

“The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets”

“The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management”

Management - Accountable to Board for monitoring and reporting on internal controls

Employees - Accountable for applying the controls; should have necessary knowledge and expertise to do so

Page 23

“The Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business based on an assessment and control of their significant risks. For many companies business continuity management will address some of these key risks and help them to achieve compliance.”

Nigel Turnbull, Chairman, ICAEW Committee on the Guidance for Directors on Internal Controls

Page 24

Corporate Governance

System by which businesses and organisations direct and control their functions and relate to their communities.

Underpins
• Trust
• Credibility
• Confidence

Why? High-profile corporate financial scandals

Boardroom ethics / responsibilities
• Kings Cross Fire
• Herald of Free Enterprise

Page 25

Turnbull

In determining policies, the board should consider the following factors -

• Nature and extent of risk facing the organisation
• Those risks considered as “acceptable”
• The likelihood of risks materialising
• Ability to reduce incidence and/or impact of risk
• The cost benefits of risk control systems

System for internal control should -

• Include reporting of significant failings or weaknesses
• Apply not just to listed companies

Page 26

Higgs Report - January 2003 - Review of the role and effectiveness of non-executive directors

Cromme Code - Germany
Bouton Report - France

Smith Report - July 2003 - Company Audit Committees
Sarbanes-Oxley Act 2002 - USA

Privacy
Data Protection - 1988 and 2003 Acts
Responsibilities
Linked to IT Policies & Procedures

Page 27

Reputation
Confidence of suppliers and customers

“Trust and reputation can vanish overnight”
Alan Greenspan, Chairman, US Federal Reserve

Perrier - benzene
Ratners
Ford / Firestone - Explorer SUV - 100+ deaths - $Bns
AIB - Rusnak
Heineken - glass shards
Johnson & Johnson - Tylenol, cyanide, 7 deaths

Speed, Openness, Commitment
Commercial Union

“Reputational risk is single biggest risk for financial institutions”
PwC / EIU Survey - July 2003

Page 28

Business environment

• On-line
• 24 X 7 X 367
• JIT
• Supply chain pressure
• Systems integration - ERP
• Fewer points of failure - greater impact
• Fewer workarounds
• Knowledge

Page 29

Insurance

Risk management and business continuity management are now embedded in the insurance purchase process. Insurers are now demanding good BCM practices.

Only a part
• Provide finance
• Will not keep customers supplied
• Will not protect reputation / image
• Cover for loss of profits?

Page 30

Essential to Success

• Commitment from top
• Sponsor
• Formal establishment
• Strategy / approach
• Awareness / culture
• Business Continuity Manager
• Ownership with “business”
• Regular reporting

Page 31

What is the Status of BCM in your Organisation?

Page 32

Significance of Score!

Over 80 - Likely that effective BCM programme in place

65 - 80 - If regulatory BCM requirements apply, unlikely that they are being met

50 - 65 - Room for improvement. Non-compliance with good governance requirements?

Less than 50 - Work to be done

Page 33

Features of Good BCM.

Simple

Quality not Quantity

Relevant and current

Not necessarily expensive

Page 34

Simple

Commonsense process

• Realistic evaluation & management of risks
• Understanding what business consequences are if key facilities, processes or people are lost
• Appropriate strategy to limit damage and recover as well as possible

Page 35

Risk Matrix (Probability vs Impact)

                    Impact: LOW    Impact: HIGH
Probability: HIGH   Control        Prevent
Probability: LOW    Accept         Plan

Page 36

Risk Severity / Probability (matrix diagram)

Severity axis: Catastrophic, Serious, Minor, Insignificant
Probability axis: Certain / Very Likely, Quite Probable, Improbable, Very Unlikely

Example risks plotted on the matrix: Theft; Employee accident; HR System down for 1 day; SAP down for 2 days; Major Fire; Factory hit by Aircraft; Product recall

Page 37

Costs (chart)

Axes: Costs against Investment
Curves: Incident costs, Prevention costs, Total costs

Page 38

Quality not Quantity

No silver bullet

Process as important as plan

Documentation must be “right”

Fit with “culture”

Flexible crisis plans

Quality crisis management team - react quickly & effectively

Software not the easy answer

Successful BCM not related to size of plan

Page 39

Avoid unnecessary detail

Unusable

Ignored in crisis

Updating difficult

Instructions to a minimum

Action points

Issue on need-to-know basis

Relevant sections

Page 40

Relevant and current

An irrelevant or out-of-date plan is worse than no plan

Not token plan

Ownership - responsibility

Use of software?

Not necessarily expensive

Time

Consider at planning stage

SMEs at risk

Page 41

BCM Working Group

• Insurance
• Physical security
• IT
• Communications - voice & data
• PR
• HR / Health & Safety
• Building Services / infrastructure / property / office services
• Transport / Distribution
• Finance
• Procurement
• Legal
• Internal Audit
• Customer Service
• Sales & Marketing
• Production

Page 42

Essential elements

• Plan invocation
• Crisis management team
• Contact details
• Business processes to be recovered - Priorities: How / Where / Timescales
• Recovery steps
• Communications - media, staff, business partners

Page 43

Emergency Services

BC Plans prepared in isolation
• Who to contact?
• Whose role is it to liaise?
• How?

Experts
• Understand roles
• Work closely

Fire Services

Manchester in March

Page 44

UK Civil Contingencies Bill

Supports UK Government’s Integrated Emergency Management approach - “an all-embracing approach to handling disasters”

Local responders will deliver civil protection based on - risk management, emergency planning, business continuity, and warning and informing the public.

For BC professionals - may act as catalyst for greater co-operation and collaboration with those involved in planning for, and responding to, emergencies.

Page 45

UK Civil Contingencies Bill

Duty to assess, plan and advise

Requires the development of BCPs which each Category 1 responder will rely on to ensure the continuity of its ability to discharge its functions in face of an emergency

Cat 1 responders are required to arrange to make certain information, risk assessments and plans available to the public.

LAs have a duty to promote business continuity management -

“shall provide advice and assistance to the public in connection with the making of arrangements for the continuance of commercial activities by the public in the event of an emergency”.

Page 46

Governance and Local Authorities

UK - Framework and Guidance

• Local Code of Corporate Governance by end March 2002

• Risk Management one of 5 core elements of Corporate Governance

• Annual report in Financial Statements from 2002/2003

• In BVPP (Best Value Performance Plan) for 2003/2004

Page 47

The hard part of BCM is not creating the plan - it is keeping it up to date

• Reorganisations and reshaping
• Transformation and rationalisation
• Mergers and acquisitions
• Rate of technological change
• Increased sophistication of ICT
• JIT
• Outsourcing
• Working practices
• Staff turnover, redundancies
• Hot-desking / virtual office

Be clear on ownership
Part of annual appraisal process

Page 48

Common Weaknesses

• Inadequate management support
• Insufficient financial support
• Narrow view
• Responsibilities unclear
• Inappropriate ownership
• Not everyone involved
• Plan stops at site gate
• Poor risk analysis / BIA
• Inadequate training / awareness
• Inadequate testing
• Balance overview / detail not right
• Not up to date
• Not accessible or relevant when required

Page 49

Sources of information

Business Continuity Institute www.thebci.org.uk

Emergency Planning Society www.emergplansoc.org.uk

Survive www.survive.com

Continuity Central www.continuitycentral.com

PAS56 www.bsi-global.com

Federal Emergency Management Agency (FEMA) www.fema.gov

Page 50

Sources of information

London Emergency Services Liaison Panel www.leslp.gov.uk

UK Government Emergency Response Site www.ukresilience.info

Business Continuity Management - How to Protect your Company from Danger, Financial Times / Prentice Hall, www.briefingzone.com

Michael Gallagher [email protected]