Post on 25-Dec-2015
transcript
BS 25999 – Part 2 Business Continuity ManagementSpecificationAwareness Presentation
Date: 28 Nov 2007 Mumbai
4
Disruptions we almost forgot!!!
• Started as LLDDS in Clinton, Mississippi• Merged with MCI in 1997 and called MCI WorldCom• Was second largest communications company n the US• Telecom industry entered a downturn in 1998• Starting 1999 to 2001 there was accounting fraud
Underreporting ‘line costs’ (interconnection expenses with other telecommunication companies) by capitalizing these costs on the balance sheet rather than properly expensing them.
Inflating revenues with bogus accounting entries from ‘corporate unallocated revenue accounts’.
• Internal fraud estimates was 3.8 Billion USD• Final estimates 11 billion USD• Post chapter 11 changed name to MCI which was acquired by
Verizon in 2005
5
Enron
• irregular accounting procedures bordering on fraud throughout 1990’s.• opacity of the company's financial disclosures. • 2001 Jeff Skilling joined Enron as CEO but left in six months, but feore he left
he sold 450000 shares.• Keneth Lay Chairman took over as CEO• Media and analysts doubted the liquidity• Enron's plunge occurred after it was revealed that much of its profits and
revenue were the result of deals with special purpose entities (limited partnerships which it controlled).
• Oct 2001, Enron declare a 1 time charge of 1 billion• Started to buy back commercial papers for 3.8 billion to give impression of
good cash position, but consumed bank credit• Credit ratings lowered by Moody’s and S&P• Stocks tumbled• Arthur Anderson vanished
6
Companies hit by Rajkumar riots
April 2006
Riots in the Indian city of Bangalore following the death of leading film star Rajkumar cost businesses there millions of dollars, officials say.
Eight people, including a policeman, were killed in violence on Thursday as tens of thousands of mourners attended the funeral of the screen legend.
Unrest forced more than 1,000 IT firms and other businesses to shut before calm returned on Friday, reports say.
Rajkumar dies at 77
10
Has your company been affected by any of the following interruptions in the past year?
Facilities Move , 35.15
Merger/Acquisition , 24.24
Hardw are Failure , 51.04
Softw are Failure , 39.97
Netw ork Failure , 40.61War, 241.00%
Human Error , 37.72
Pow er Outage , 50.07
Telecommunications Failure , 41.73
Terrorist Activities , 4.98
Ethical Scandal/Corporate Governance Issue , 4.33
Labor Disputes , 6.9
Others , 6.9
Natural Disaster , 46.87
Information Security Breach (including viruses, DOS
attacks, etc) , 26.48
Utility Service Provider Failure , 31.62
11
How much would you estimate business disruptions have cost your company in the past twelve months?
More than $5 million , 4.82
$1 million to $5 million , 7.22
$500,000 to $999.999 , 6.74
$100,000 to $499,000 , 22.63
Less than $100,000 , 58.59
12
What do you think is currently the weakest link in your continuity strategy, planning and recovery efforts?
People risks , 34.51
Technology risk, 18.62
Process risk , 26.65
Data risk , 5.14
Supply Chain partner risk , 8.35
Collaboration w ith public authorities , 6.74
15
What is Business Continuity Management ?
holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
16
Why BCMS ?
• Minimize business disruptions
• Quickly recover to normal business operations
• Protect an organization’s value and reputation
• To meet shareholder commitments national / legislative requirements
• IBA guidelines for banks legal, regulatory and contractual commitments moral and social responsibilities
• Demonstrate “best practice”.
• Reduce insurance liabilities.
21
Risk Impact versus control
Strength of controls
Priority focus should be on the aspects with high risk and those with the largest gap between risk and control
Impact Factor Vs Strength of Controls for ACTIVITIES
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
5.0
6.0
Imp
act
Vulnerability Impact Factor SoC Delta
22
Typical Business Risks
• Failure or refusal to supply
• Bargaining power of suppliers
• Business model
• Processes
• Loss making orders
• Partners
• Investment
• Outsourcing
23
Typical Business risks
• Accounting practices
• Lines of credit
• Accounts receivables
• Cash flow
• Cost structure
• Ability to raise finance and Liquidity
• Overhead costs
• Economy of scale
24
Typical Business risks
• Services
• Channels
• Currency fluctuations
• Transfer pricing
• Equity portfolio
• Taxation
• Deductibles
• Availability of finance
• Interest rates
• Insurance claims/liabilities
25
Typical Business risks
• Migration of key people to competition
• Quality of workforce
• In-availability of workforce
• Unions
• Health of senior management/key employees
• Crime
27
Where BCM is going?
• No longer just a fashion accessory, BCM is now an integral part of managing the business
• Integrated across all business functions; no longer seen as an IT speciality
• Now being accepted as a strategic business imperative
• Progress towards independent auditable processes BS25999-2
• Broader based agreement on what is best practice in the form of the a new standard, BS 25999-1
28
Benefits of BCM
The benefits of an effective BCM programme are that the organization:
• is able to proactively identify the impacts of an operational disruption
• has in place an effective response to disruptions which minimises the impact on the organization
• maintains an ability to manage risks
• encourages cross-team working
• is able to demonstrate a credible response through a process of exercising
• could enhance its reputation
• might gain a competitive advantage, conferred by the demonstrated ability to maintain delivery.
29
29
BS 25999
• BS 25999-1:2006 Code of practice for
business continuity management
Published 28 November 2006
• BS 25999-2:2007 Specifications
Published 20 Nov. 2007
29
30
Organisations Represented on TC BCM/1
• Association of British Insurers
• Association of Chief Police Officers
• Association of Insurance Risk Managers
• Business Continuity Institute
• Cabinet Office
• Chief Fire Officers' Association (CFOA)
• Continuity Forum
• Coventry University
• Department of Trade and Industry
• Emergency Planning Society
• Association of British Certification Bodies
• Federation of Small Businesses
• Financial Services Authority
• Independent International Organization for Certification
• Institute of Directors
• Institute of Emergency Management
• Institute of Internal Auditors
• Institute of Risk Management
• Intellect
• Metropolitan Police
• Securities Industry Business Continuity Management Group (SIBCMG)
• Society of Industrial Emergency Services Officers (SIESO)
• Survive
31
Standards
• An agreed, repeatable way of doing things
• A full consensus of all interested parties, so not imposed
• Voluntary
• Best practice not general practice, thus aspirational
• Back-up can be available through audit and certification
• Updated on a regular cycle
32
Standards: some benefits
• Promotes competition
• Attracts customers
• Demonstrates market leadership
• Creates competitive advantage
• Develops and maintains best practice
• Maximises compatibility
33
What have standards done to Indian Businesses ?
• Have given the opportunity for Indian companies to Leap-Frog the learning curve w.r.t. management systems and practices
35
Plan
• Establish business continuity policy, objectives, targets, controls processes and procedures relevant to managing risk and improving business continuity to deliver results in accordance with an organisation’s overall policies and objectives
37
Check
• Assess and, where applicable, measure process performance against business continuity policy, objectives and practical experience, and report the results to management for review
38
Act
• Take corrective and preventive actions, or other relevant information based on the results of the management review, to achieve continual improvement of the BCMS
39
The BCM Lifecycle
Determining BCM Strategy
Understanding the organization
Exercising, maintaining and reviewing
Developing and implementing BCM response
Embedding BCM in the organizational culture
40
The fit
Interested Parties
Business Continuity
requirements and
expectations
Interested Parties
Business Continuity
requirements and
expectations
Interested Parties
Managed Business Continuity
Interested Parties
Managed Business Continuity
Continual improvement of the Business Continuity Management System
Continual improvement of the Business Continuity Management System
Monitor and review
Monitor and review
Maintain and
Improve
Maintain and
Improve
EstablishEstablish
Implement and operateImplement
and operate
41
Definitions
• Disruption Event whether anticipated or unanticipated, which causes
an unplanned negative deviation from the expected delivery of products or services according to the organisation’s objectives
• Risk something that might happen and its effect(s) on the
achievement of objectives
• Risk management structured development and application of management
culture, policy, procedures and practices to the tasks of identifying, analysing, evaluating, and controlling responding to risk