Agenda
• The Business Continuity Institute (BCI)
• Business Continuity Management (BCM)
• Why should you do this
• How to do it - BCM lifecycle
• Who should be involved - governance
• What you should do – high level view
• Summary
• Q&A and Information
The BCI
The Business Continuity Institute (BCI)
• Headquartered in UK with over 8000 members in over 100 countries
• Chapters in 7 regions – Asia, AU/NZ, Canada, Japan, Nordic, Swiss, USA
• Formal training & formal mentorship for practitioners
• Business Continuity Forum for local practitioners (including Vancouver)
• Publishes Research, Thought Leadership, Continuity Magazine
• BCI Good Practice Guidelines led to BS 25999 and later ISO 22301/22313
Certification
• Fellow (FBCI) – Senior membership grade awarded for significant contribution to the Institute and the BCM discipline.
• Member (MBCI) – Certified BCM practitioner, min. three years experience and BCI Certificate with merit or other recognized credentials.
• Associate Member (AMBCI) – BCI certificate with at least one year’s BCM experience.
Business Continuity Management
What is your “business” i.e. what you do?
• “Business” is not limited to profit making organizations
• Your “business” is the reason your organization* exists
– *includes; for-profits, non-profits, mutuals, charities, government organizations
– The majority of critical infrastructure is provided by the private sector
BCM Definition (from BCI Good Practice Guidelines)
Business Continuity Management (BCM) is an holistic process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.
Why BCM – All Organizations
The first rule of business is to “stay in business”
• 25% of businesses do not reopen following a major incident
– Travellers Insurance / Insurance Institute of Business & Home Safety www.disastersafety.org
• Protect stakeholders: investors & members, employees, customers, suppliers…
• Protect society from the failure of monopolies & critical infrastructure services
Save money
• “If you think safety is expensive, try having an accident” (ditto a business interruption)
• Insurance doesn’t fix everything, you can’t buy reputation
• Align expenditure with risk (as well as opportunity) – spend only where needed
• Reduce the likelihood of a business interruption – see safety quote above
– E.g. upgrade the least time-critical workstations first
– (how do you know these are the least time critical?)
Know how to respond in an emergency
• Create a plan and exercise the plan
• Including what to do next…
Why BCM - Critical Infrastructure
| Critical Infrastructure | Emergency Response (extended event) | Daily life / The Economy |
| --- | --- | --- |
| Energy & Utilities (incl. fuels) | ✔ | ✔✔ |
| Finance (incl. banking) | ✓ | ✔✔ |
| Food (incl. wholesale & distribution) | ✓ | ✔ |
| Government (federal, provincial, local) | ✔✔ | ✓ |
| Health (incl. hospitals & laboratories) | ✔✔ | ✔ |
| ICT (incl. telecomms & broadcasting) | ✔✔ | ✔✔ |
| Manufacturing (incl. “material” suppliers) | ✓ | ✔ |
| Safety (police, fire, ambulance, specialized svcs) | ✔✔ | ✔✔ |
| Transportation (air, marine, road, rail) | ✔ | ✔✔ |
| Water (dams, wastewater/sewage, distribution) | ✓ | ✔✔ |
Are you in one of these sectors? – you may be expected to help in major disasters
The Business Continuity Management Lifecycle*
• Business Impact Analysis; Risk Assessments
• Risk/Cost tradeoff; Accept/mitigate risks; Design controls
• “asset protection”; Incident Response Plans; Business Continuity Plans; IT DR Plans
• Drills; Exercises & Tests; Plan updates
• Awareness & Training & Culture
• Governance; Executive Leadership; P-D-C-A
*BCI Good Practice Guidelines
Who - Program Management
Conceptual accountabilities to manage business interruption risks, improve resilience and maintain the ability to respond to major incidents
“Prepare”
• Policy & Review; Risk analyses; Approve controls; Implement controls incl. arrangements; Plan exercises & tests; Manage program
• Executive Team; Prog. Lead, Risk owners; Executive Team; Risk owners & asset owners; Prog. Lead; Prog. Lead
“Respond”
• Exercises & tests; Execute plans; Utilize arrangements
• All the above; Dept. staff/responders; Critical suppliers
BCM Touchpoints
BCM
• Business Strategy
• Enterprise Risk Management
• Emergency / Incident Management
• Crisis Management
• Information & Cyber Security
• Physical Security
• Operational Risk Management
• Facilities Management
• Supply Chain Management
• Safety
Understanding the business
Business Impact Analysis (3 basic questions)
• What do you DO (business activities)
• What happens if you can’t do these things*
• What do you need to sustain these activities (critical resources)
Risk Assessment (for critical resources)
• What hazards are they exposed to & their vulnerability
• Likelihood of occurrence – more on this next…..
[Chart: impact over time (Day 1, Day 2, Day 3, Week 1, Week 2), with two curves: Fast Impact and Slow impact]
• Impact* as a function of time
• Indicates tolerable outage
• Used to select recovery time objectives
*Impact can be: Financial, SLAs, Reputation, Safety, Regulatory…etc.
Risk assessments & the probability problem
Problem: predicting low frequency / high impact incidents (i.e. typical business interruptions)
• You can determine the impact with reasonable accuracy but not the likelihood
• Probabilistic analysis requires accurate data & high certainty (unlikely to have this)
e.g. Predict the likelihood of a fire in your building – consider:
• Insurance data on building fires is useless to you, they have a large portfolio but you do not
• How well was your wiring installed, any cheap extension leads & “personal loads”
• Are you in a multitenant facility, how are flammables stored?
Who has life insurance & do you know the likelihood of premature death in Canada?
Theory: Perform a “Bow-Tie” Analysis for each risk event and plot the results on a heat-map
[Bow-tie diagram. Labels: Fault Tree Analysis, Event Tree Analysis; Condition A, Condition B, Condition C, Condition D, Condition (risk event), Resulting Condition E, Resulting Condition F, Impact, Impact]
Basic Plan Considerations
• Minimum plan contents
– Activation Criteria
– Roles & Responsibilities
– Priorities - what must be done
– Recovery resources - what is available
– Resource replacement – who is responsible (how is in their plan)
• Communication
– Incident escalation criteria
– Internal stakeholder communication - Responders & staff
– External stakeholder communication - crisis communications
• Basic scenarios
– Facilities failure – fire, flood, denial of access, utility outage....
– Skills shortage – pandemic, strike, natural disaster, weather…..
– Information loss – IT failure, critical documents, communications…
– Supply chain failure – business interruption, logistics, (see skills)…
– Specialized equipment loss – industrial & testing equipment, vehicles…
– Inventory loss – destroyed or damaged materials & spares
Concept of Operations / Plans
• Corporate Incident Management Plan
– Overall Strategic Control
– Roles & Responsibilities
– Crisis Communication
– EOC procedures
• Facility Emergency Response Plan(s)
– Facility Incident Response
– Safety & evacuation
– Damage assessment
– Impact evaluation
• Tactical Business Continuity Plan
– Continuity Resources
– Scenario checklists
– Personnel & asset ramp-up
– Asset replacement
– All common guidelines
• Departmental Business Continuity Plans / Checklists
– Department-Specific Actions
– Meeting locations
– Recovery Locations
– Recovery asset access & use (IT Disaster Recovery Plans)
Manage any major incident at any facility
aligned with fire safety plan & bldg. stakeholders
One per facility - interruption only
May need one per department
Drills, Exercises & Tests
Don’t trust what hasn’t been practiced/tested
• Drills
– Facility evacuation
– Earthquake response, including “drop, cover and hold on” (& then what?)
– Shelter in place
– Security incidents
• Exercises
– Incident management team, including crisis communications
– Facility emergency response teams (in addition to drills)
– Departmental teams
• Tests
– IT and other technology recovery
– Notification systems / call trees
– Ability to telecommute
Embedding BCM
• Awareness
– We have a plan? – everyone must know there is a plan & their role
– Personal preparedness – home & family preparedness
– Policies & procedures – e.g. critical suppliers, Info security, New risks
– Campaigns – periodic articles, integrate “shakeout” with BCM
• Training
– Formal BCM training & certification – BCI certification for program leader?
– Internal training - Risk owners, steering committee members, “leaders”
– Drills & exercises & tests – a form of training
• Culture
– Executive involvement
– 2 way communication
– Acknowledge that it “can happen to us”
– May need to change “the way we do things around here”
– No blame – mitigate “bystander effect”
Summary
BCI Good Practice Guidelines www.thebci.org
• BCM is a program, not a project
• BCM is enterprise-wide risk management
• Executive involvement is critical
• Both proactive & reactive controls are needed
• Plans should cover:
– Facility emergency response
– Incident Management & Crisis Comms
– Technology recovery
– Departmental / process recovery
• Leverage leading practices (& standards)
• Use certified practitioners
Where are you in this process – are you ready?