© 2013 Avalution Consulting, LLC | All Rights Reserved
DRJ Spring World 2014
Build an ISO 22301 Management System to Capture Executive Attention
Workshop Objectives
• Introduce ISO 22301 as a Source of Best Practices
• Define the Management System Concept (and the value behind it)
• Discuss the Key Elements of a Business Continuity Management System (10)
• Outline Implementation Strategies
• Present Case Studies to Demonstrate Value
Workshop Agenda
• ISO 22301 Introduction
• Management Systems – What/Why
• Key Elements of a Management System
• Implementation Strategies and Case Studies
• Conclusions
What is ISO 22301?
ISO 22301
World’s First International Business Continuity Standard!
Replaced BS 25999-2, effective November 2012
What is ISO 22301?
• A “Requirements” document for a Business Continuity Management System (BCMS)
• Set up, operate and continuously improve a BCMS
– Alignment to PDCA
• Adaptive (“plug and play”)
• A resource to drive performance
• Minimal “jargon”
Technical Committee 223 Projects
• ISO 22301 – Business Continuity Management Systems – Requirements
• ISO 22313 – Business Continuity Management Systems – Guidance
• ISO 22317 – Business Continuity Management Systems – Business Impact Analysis
• ISO 22316 – Organizational Resilience – Principles and Guidelines
• ISO 22320 – Emergency Management – Requirements for Incident Response
• ISO 22398 – Guidelines for Exercises
Types of Standards
• Requirements Standards – WHAT (ISO 22301)
• Guidance Standards – HOW (ISO 22313)
What is ISO 22301?
Introduction
• Clause 1: Scope
• Clause 2: Normative References
• Clause 3: Terms and Definitions
Requirements
• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operations
• Clause 9: Performance Evaluation
• Clause 10: Improvement
ISO 22301 Value
• Management and customers respect ISO standards
• A form of benchmarking (agreement on minimum expectations)
• Common language / simplicity of concept descriptions
• Drives engagement through continuous improvement
Things You Need to Know
• What is a management system?
• Products and services versus…
• Scope and objectives
• Top management
• Risk treatment
• Risk appetite
• Documentation
• Internal and external
• ISO language
– Shall versus Should
What is ISO 22301? By the numbers…

                                          | ISO 22301          | BS 25999-2 | NFPA 1600 v2013
Pages of “Actual Content”*                | 16                 | 12         | 13
Shall Statements                          | 92                 | 54         | 121
Top Management or Committee References    | 10 (+18 sub-tasks) | 4          | 8

* Requirements-related content
What is ISO 22301? By the numbers…
Ways to Prepare
1. Identify an executive sponsor in your organization, possibly a steering committee (“top management”)
2. Identify your “interested parties”
3. Establish your “obligations”
4. Begin to identify an appropriate program scope and objectives
5. Explore the concept of risk appetite
Management Systems – What/Why
Build an ISO 22301 Management System to Capture Executive Attention
Common Performance Issues
Lack of Focus
No Strategic Alignment
Management System
Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.
Management System
Connecting a discipline to organizational strategy through executive management
Management System-Aligned Business Continuity Standards
• ISO 22301
• BS 25999-2
• NFPA 1600 (2010+)
• ISO 27001 (Security)
• ASIS SPC.1-2009
• ASIS/BSI BCM.01-2010
Management System (PDCA cycle)
• Plan
• Do
• Check
• Act
Management System vs. Program
Is there a difference and does it really matter?
The Value of a Management System
• Built-In (Consistent) Executive Involvement
• Scope Based on Products/Services
• Alignment to other disciplines
• Continual improvement
Key Elements of a Management System
Build an ISO 22301 Management System to Capture Executive Attention
Key Elements
1. Leadership
2. Obligations and Risk Appetite
3. Products and Services
4. Objectives, Priorities and Scope
5. Competencies
6. Documentation
7. Corrective Actions
8. Internal Audit
9. Metrics
10. Management Review
Key Element #1
Leadership: “Top management shall demonstrate leadership…”
Collaboration Session
What is the appropriate role(s) of leadership? How often do they get involved? Can they delegate their responsibilities (all of their responsibilities)?
Key Element #2
Obligations and Risk Appetite:
– What are obligations?
• Regulations, customer/supplier contracts, internal policy, other
– And in the case of ISO 22301, what’s the role of risk appetite?
Risk Appetite (Example/Excerpt)
Avalution Consulting management selects and implements appropriate risk treatments for each critical in-scope activity in accordance with its objectives and level of risk acceptance. The BCSC defines its risk appetite as the following:
We are willing to tolerate a finite amount of downtime as long as it does not result in the following:
– Damaged reputation among our clients that leads to broader, negative market perception
– Missed service level agreements specific to The Planning Portal and BC Catalyst
– Financial loss in excess of $X
– Project delays of more than three days due to resource disruption and lost data
Key Element #3
Product and Service Oriented:
– The BCMS must be focused on the organization’s products and services (internal and external)
– Plans must recover the key outputs the business produces, not just facilities, people and applications
Collaboration Session
• How do products and services apply to my organization?
• Discuss your organization’s and BC program’s unique needs
• Pick one example to share with the group
Example Products and Services
• Banking
– Online Banking
– Deposit Funds
– ATM Card Services
– Wires and ACH Processing
– Close Mortgages
– Securities Trade Execution
• Insurance
– Voice Customer Services
– Pay Recurring Claims
– Claims Intake
– Adjudicate Claims
– Process Premiums
• Manufacturing
– Produce Product A
– Produce Product B
– Service Product A
– Service Product B
– Engineering Services
– Ship Product
– Receive Orders
– Bill Customer
Example Products and Services
• Example Organization:
– Fuel Hedging
– Manage Cash
– Reporting Financials
– Customer Support
– Paying Bills
– Selling Tickets
– Maintaining Airplanes
– Fly Planes (Operations)
– Supporting Field Operations
– Frequent Flyer Program
Key Element #4
Objectives, Priorities and Scope:
– The BCMS scope must include all key products and services for your organization
– Ensure BCMS objectives are aligned with the overall objectives of your organization
Collaboration Session
• Setting BCMS boundaries
• Discuss your organization’s and BC program’s unique needs
• Feedback on example objectives
Example Scope
Company X’s Business Continuity Management System addresses all aspects of the corporation, with a focus on the delivery of the following key customer-facing products and services:
– Product Line A – Downtime Tolerance: 48 Hours
– Product Line B – Downtime Tolerance: 72 Hours
– Product Line C – Downtime Tolerance: 72 Hours
– Customer Service – Downtime Tolerance: 24 Hours
– Research and Development – Downtime Tolerance: 168 Hours
Example Objectives
Company X’s Business Continuity Management System objectives include the following:
• Protecting the safety of Company X’s employees and visitors
• Managing the threats and impacts associated with an interruption to critical manufacturing operations, including a facility interruption or loss of resources (including personnel, technologies and business partners).
• Reducing business continuity risk through four approaches:
– An appropriate and proactive control environment designed to decrease the likelihood of a disruptive event;
– Strategies to effectively respond to a crisis;
– Plans to recover critical business activities within stakeholder expectations; and
– The ability to maintain consistent communication with personnel and clients.
Key Element #5
Competencies:
– Establish roles, responsibilities and competencies
– Create interactive and engaging training methods for personnel within the management system
– Develop role-specific Subject Matter Experts throughout the BCMS
Example Documentation
• Sample Role Description and Training Plans
• How could these apply to your organization?
Example Training Record (1)
Business Continuity Steering Committee Member
Responsibilities:
– Provide oversight to the Business Continuity Management System
– Review and validate all analysis, strategy, and exercise outcomes
– Meet semi-annually to discuss scope, analysis results and other performance metrics (as part of the management review process)
Competencies:
– Education: No specific requirement noted
– Knowledge: Knowledge of the Company X, as well as key products or services within the scope of the Business Continuity Management System. Must have a detailed understanding of the business continuity needs and objectives of the organization, as well as stakeholder expectations
– Experience: A director with broad organizational / strategy visibility and understanding, regardless of region
– Skills: Strong leadership and verbal communication skills, as well as broad business acumen that addresses key elements of the organization (specific to those he/she represents)
– Training: Participation in management reviews and exercises; participation in Company X awareness training; ISO 22301 Introduction
Example Training Record (2)
Training Format: Computer Based Training (CBT)
Training Topic: Business Continuity at Company X
Approver(s): Alex Smith
Title: Company X Business Continuity Awareness
Audience: US employees at Facility A and Facility B
Objective(s):
Overall Objective: To introduce/remind all key stakeholders of the security and emergency response procedures at both locations;
1. The purpose and need for the business continuity
2. Business Continuity Program objectives at Company X
3. Key roles and responsibilities
4. Key business continuity program elements
5. How employees are involved in business continuity
6. Conclusions and next steps
Format Requirements:
1. Utilize a computer based format that can be accessed and viewed on demand.
2. Utilize a computer based format that supports both sound compatible and non-compatible PCs.
3. Be as specific as possible, always attempting to minimize the need to revise content over the lifetime of the product.
Key Element #6
Documentation:
“… a documented process…”
– Policy
• Expectations
– “SOP” / Framework / Standard
• Planning process and management system operations
– Evidence
• Are we doing what we said we would do?
Policy Outline
Key Element #7
Corrective Actions:
– Work to improve the suitability, adequacy and effectiveness of the BCMS
– Identify and react to BCMS “nonconformities”
– Create a process to manage continual improvement
Example Documentation / Discussion
• Sample Corrective Actions List
• How could this apply to your organization?
• What are sources of corrective actions?
Example Corrective Actions Structure
Other Potential Fields: Start Date; Detailed Description

Item                                                  | Root Cause                     | Proposed Solution         | Source        | Owner       | Priority | Target Resolution Date | Status
Develop and Implement a Crisis Communications Strategy | Lack of realistic training     | New Plan Documentation    | Post-incident | Greg Hamm   | High     | 12/01/11               | Completed
Define CMT Leader Responsibilities                    | Lack of management involvement | Update Plan Documentation | Exercise      | Steve Johns | Low      | 03/01/12               | Open
Key Element #8
Internal Audit:
“The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system…” – ISO 22301
Example Documentation
Example Internal Audit Work Program
Example Audit Program Line Item

Requirement Definition:
Audit # | Standard Name | Ref # | ISO Element                    | Policy Area                                | Program Requirement
1       | ISO 22301     | 4.2   | Understanding the Organization | VI. Business Continuity Planning Process   | See Excel File

Review of Requirement:
General Test Plan | Evidence  | Interviews        | Notes
See Excel File    | BC Policy | Senior Management | 4.2 – all elements documented
Key Element #9
Metrics:
– “The organization shall evaluate the BCMS performance and effectiveness of the BCMS”
• Compliance to internal policy
• Compliance to a standard
• Performance of response and recovery strategies
Collaboration Session – Metrics “brainstorm”
Is This Your Report to Management?

Process   | Updated BIA? | Updated Plan? | Performed Exercise? | Went to Training? | Rating
Process X | Yes          | No            | Yes                 | Yes               |
Process Y | Yes          | Yes           | No                  | No                |
Process Z | No           | No            | Yes                 | No                |

This is the wrong approach. It reinforces a check-the-box viewpoint.
Metrics that Mean Something

Product / Service        | Business Continuity Objective                                                                                                    | Current State Recovery Capability                                          | Rating
Perform Customer Support | Ensure No More Than 4 Hours Downtime with Less than a 90 Second Wait Time                                                        | 8 Hours, Estimated 4 Minute Wait Time at Recovery                          |
Manufacture Product      | 10 Days Target Safety Stock (offsite), Maintain Contingency Sourcing Agreement Effective Within 7 Days                            | 1 Day Safety Stock, Contingency Sourcing Agreement With Acme Pending       |
Process Warranty Claims  | Seamless Failover Between Each Claims Handling Region in the United States                                                       | Claims Failover Process Complete and Demonstrated – No Downtime            |
Bill Customers           | Restart Bill Generation and Catch Up On All Back Logged Work Within 5 Days; Suspend Collection Reminders to Protect Customer Relationship | Billing Tested and Restarted in Three Days – Back Log Closed in 4 Days |
Key Element #10
Management Review:
– Top level management must review the organization's BCMS at planned intervals
– Reviews should include status of action items from previous reviews, changes in issues relevant to the BCMS, information on business continuity performance and opportunities for continual improvement
Collaboration Session
• Best practices for management review
• Discuss your organization’s and BC program’s unique needs
• Does anyone in the group use the management review process today?
Example Management Review Agenda
• Program Scope and Objectives
• Maximum Downtime Discussion
• Feedback / Audit Results
• Risk Assessment Results
• Exercise Results
• Post-Incident Lessons Learned
• Training Results
• Corrective Actions Review and Feedback
• Dashboard / Metrics
• Special Topics / Next Steps
Implementation Strategies and Case Studies
Build an ISO 22301 Management System to Capture Executive Attention
“Recipe”
1. Executive Involvement
2. Organizational Strategy
3. Products/Services
4. Customer Knowledge
5. Inventory of Obligations
6. Organizational Knowledge
“Top Down” Implementation Strategies
• Start with your boss / program sponsor
• Personally explain the organizational benefits of a Business Continuity Management System
• Look for early wins and implement those specific items you can control
Apply the Key Elements
• Leadership (Clause 5)
• Obligations and Risk Appetite (Clause 4)
• Products and Services (Clause 4)
• Objectives, Priorities, Scope (Clause 4)
• Competencies (Clause 7.2)
• Documentation (Clause 7.5+)
• Corrective Actions (Clause 10.1)
• Internal Audit (Clause 9.2)
• Metrics (Clause 9.1)
• Management Review (Clause 9.3)
Avalution Consulting
• Overview
• BCMS Implementation
• Issues
• Outcome
Case Study #2
• Overview
• BCMS Implementation
• Issues
• Outcome
Conclusions and Questions
Build an ISO 22301 Management System to Capture Executive Attention
Let’s Connect
866.533.0575 | avalution.com
@Avalution-Consulting
@Avalution
perspectives.avalution.com
Robert [email protected]