Post on 04-Jun-2020
transcript
Business Continuity Planning
Public Entities Risk Management Forum 5th July 2012
Presented by Mark Penberthy FBCI
“Overcoming Practical Challenges”
Business Continuity Management (BCM)
AGENDA 1. What is BCM?
2. Relationship with Risk Management...
3. Where do I start?
4. Lifecycle / Process Flow
5. Critical Components (and Influences)
6. When is BCM Complete?
Section 1
What is BCM?
Business Continuity Definition
• ISO 22301
“Capability of the organisation to continue delivery of products or services at acceptable,
predefined levels, following a disruptive event”
In Simple Terms
• Disruptive event?
• Products and Services (Mission Critical)
• Focussed on primarily disruption to • Buildings and facilities
• Skills and knowledge
• ICT
• Supplies
• How quickly do we need to restore... • Operations
• Data (How much data can we afford to lose)?
Disruptive Events: Europe ‘95 –’09
And 2010...
Risk Definition
Risk = Impact x Probability
Probable events – Power failure
– Communications failure
– Hardware failure
• Lower likelihood – Aircraft
– Floods
– Fire
Products? / Services?
• Public Sector mainly services driven, however
• Estimated 300 SOE’s
• Electricity; Transportation and Telecommunications
• Products and services through Local Government
• Information flow between Government departments
Brand South Africa
• Government Departments / SOE’s providing essential services to support the National Economy
• Supply Chain Obligations
• Best Practise (ISO)
• “Brand doesn’t matter – we have a monopoly”
• “We are now extremely brand conscious”!
• Recent Treasury Bond Auction
Non-performance?
• Impacts?
• No competition...
• Market share?
• Impacts upon other entities
• Impacts on Economy?
• Brand and Reputation?
– Coastal Cities
Mission Critical?
• How is criticality determined?
• At what stage of the lifecycle?
– Tangible and intangible impacts
– Seasonality
– Interdependencies
– Regulatory / Legislative
– Supply Chain?
• What does the risk analysis focus on?
What is BCM NOT!
BCM is NOT Disaster Recovery (DR) and the two should never be confused!
• DR is a legacy concept which addresses the recovery of technology only
•
• Whereas BCM is focused on continued delivery of services and products!
Section 2
Relationship with Risk Management
Primary Issues
• “BCM is complementary to a risk management... sets out to understand the risks to operations, and the consequences of those risks” (BS 25999)
• “Shall identify and document...Links between the BC policy and the organisation’s objectives, including the overall risk management strategy” (ISO 22301)
BCM Focus
By focusing on the impact of disruption, BCM identifies those products and services on which the organization depends for its survival...
...or put another way, its reason for existence!
What needs to be done before an incident occurs to protect its people, premises, technology, information, supply chain, stakeholders and reputation. (BS 25999)
BCM and Risk Management
BCM is a key contributor to effective corporate governance. It is often positioned under Risk Management and allows stakeholders to ask searching questions, such as:
• The company’s business and operating model • Key value creating products and services • Key dependencies – critical assets and processes • How the company will respond to a loss of or threat to any of these • What the main threats are today and on the horizon (Scanning) • Evidence that the continuity plans will work in practice
(GPG 2010)
Section 3
Where do I Start?
Where Do I Start? • Management Buy-In • Policy • Programme Management
– Project definition – Scope – Funding – Awareness and Skills
• Business Impact Analysis – Determine Criticality and time constraints
• Risk Analysis • BCM Strategy
Large Organisations
Urgent
Important
Activities
Non Critical Activities
Developing Awareness
• Corporate newsletters, bulletins, articles staff magazines • Intranet web sites • Professional BCM practitioners within the organization • Remuneration and rewards through the performance and appraisal system • Participation in other organization’s BCM exercises or real events • Inclusion of BCM related objectives through the organization’s performance and appraisal mechanisms • Induction programme • Executive briefings
Section 4
Life cycle / Process Flow
BCM Lifecycle
What’s missing?
POLICY
Process Flow
•Awareness
•Buy-in
•Top Down
•Skills
•Ownership
•Funding
•Training
Policy
• Input
• Output
• End-to-end
Activities • Impact over time
• Services
• Urgency
• Data loss
Operations
• Critical ops
• RTO
• RPO
• Enablers
• Dependencies
MCA’s
• Risk analysis
• Reduce the threat of disruption to MCA’s
Protect
• People
• Premises
• Resources
• (IT, telecoms, power, supplies)
Strategy
Initial Output
• Business Impact Analysis Report – MCA’s
– RTO / RPO
– Interdependencies
– Enablers
– Critical skills
– Critical times
– Resources • People, premises, resources etc.
• Risk Analysis Report
Balance of Programme?
• Once “understanding the organisation” is complete... – Implement recovery strategy
– Alternative site configuration
– Resource configuration
– Supply chain
– Business Continuity Plans
– IT Continuity Plans
– Test, Maintain & Review
Section 5
Critical Components
Critical Components / Attributes
• Management buy-in
• Policy
• Budget
• Ownership and Accountability
• Awareness
• Evacuation (Protecting skills and assets)
• Crisis Management (Threats to Brand and Reputation)
Influences
• Regulatory – PFMA
• Governance – King II & III – Stakeholder interests – IT Governance
• Compliance – Auditor General
• Standard – ISO 22301
ISO 22301 Excerpt
• Scope – Applicable to all organisations, regardless of size, type
and nature
• Management commitment – Top management shall provide evidence of its
commitment to BCM by: – Establishing a BCM Policy – Establish BCM objectives and plans – Establish roles responsibilities and competencies – Appoint persons responsible for BCMS with
appropriate authority and competency
Auditor General
• “Weakening of Pillars of Governance”
– Management of supply chains
– Service delivery
– Security of government information
– Accuracy of Government reports
Terence Nombembe
Certification Training
• Global (Business Continuity Institute)
• Why Certification? (Necessary Competence)
• BCM Skills Base
– International
– Local
– Africa
Section 6
When is BCM Complete?
It is never complete!
• The initial aim will be to successfully complete an implementation of the BCM lifecycle, but the long term goal of BCM programme management is to improve the organization’s BCM capability, and hence its operational resilience, with successive iterations of the BCM Lifecycle
Resilience?
• BCM increases an organisations resilience
• Resilience is widely defined as the ability of an organization to absorb, respond and recover from disruptions
BCM Lifecycle
When is BCM not required?
A hospital bed that is not occupied does not mean that it is not required!
Currency
Agree a programme of ongoing exercising and maintenance of the BCM plan (solution) to ensure it remains current
• Up-to-date
• Deployable
• Resourced
• Funded
• Best practise!
If a country does not have a reputation for strong corporate governance practices, capital will flow elsewhere. If investors are not confident with the level of disclosure, capital will flow elsewhere. If a country opts for lax accounting and reporting standards, capital will flow elsewhere. All enterprises in that country – regardless of how steadfast a particular company’s practices may be – suffer the consequences.
Markets must now honour what they perhaps, too often, have failed to recognise.
Markets exist by the grace of investors. And it is today’s more empowered investors that will determine which companies and which markets will stand the test of time and endure the weight of greater competition.
It serves us well to remember that no market has a divine right to investors’ capital.
Arthur Levitt, former Chairperson of the United States Securities and Exchange Commission
Governance
Thank you!
Mark Penberthy FBCI mark@markpenberthy.com