Post on 22-Apr-2018
“The problem”
The Business Continuity Management lifecycle
Getting executive attention
The missing link(s)
“Dustbustin”
Summary
Q & A
BC Manager – “must” implement best practice or national / international standards
Department Managers – must do their “day job”
Conflicting priorities
BCM not in KPI
BCM not in job description
Risk management – “how much is enough”?
Must do a BIA, BCP, Exercises, etc
You want me to do WHAT?
BCM manager Dept. manager
BCM Practitioners typically focus on the “Doing” components – BIA, Strategy, Plans, Exercises, Education
Pivotal to success
They will usually only endorse BCM efforts if:
1. There is a damned good BIA available; or
2. There is a “burning platform”
Option 1 is best; option 2 leads to panic and pressure.
Any recommended approach must show how it will increase the likelihood of attaining corporate objectives by decreasing risk.
To attain objectives you must:
Ensure continuity of critical processes
Protect resources
Secure supply
Recover if necessary
Bovine risk management 101
Need exec support
PS: can also get “dusty”
Programme management is the single point of failure. It is the “hub” around which all other activities rotate.
The “Dustbuster”
Program Management*
Plan – Approve Policy; Approve Standards & Practices; Define Roles & Responsibilities; Define Program Scope; Agree Annual Goals
Do – Maintain Framework; Develop Action Plan; Execute Planning Life Cycle; Coordinate implementation; Input to BG Planning Audit
Check – Track & Report Outcomes; Aligned to changing Goals; Aligned to leading practices; Mitigates regulatory risks; Support BCMS Audit
Act – Review & Amend Policy; Amend Standards & Practices; Amend Roles & Resp.; Amend Scope & Goals; Approve BCM Strategies
*Your PDCA activities may be distributed differently
Plan “What do we want to achieve”
Policy – executive endorsement, high-level objectives; target “maturity level”; risk tolerance (difficult); risk escalation criteria (possibly based on a risk matrix)
Standards & Practices – e.g. BS25999, CSA Z-1600, ASIS SPC 1-2009; risk evaluation criteria, documentation standards
Roles & Responsibilities (RACI) – who does what in the planning cycle and in response; includes executive responsibilities, e.g. steering committee
Program Scope – what’s in and out? Operations, locations, subsidiaries, suppliers…
Annual Goals – rolling targets and this year’s deliverables
Do “Create deliverables”
Maintain Framework – the PDCA management system; tools and templates, training and education materials
Develop Action Plan – project plan to achieve the goals set in the planning phase
Execute Planning Life Cycle* – BIA, RA, Strategy, Plans, Exercises, Training, Maintenance
Coordinate implementation – e.g. ITDR strategy should address the business’ needs; multi-stakeholder collaboration (“peacekeeper / arbitrator”); overall prioritisation (with agreement from the steering committee)
Input to BG Planning Audit – ideally Internal Audit checks the business against agreed standards, and the BC manager “helps” the business comply with the standards
Check “Are we achieving our objectives & doing this in the most appropriate way”
Track & Report Outcomes – are business groups up to date and aligned with Policy, Standards and Annual Goals?
Aligned to changing corporate goals – organizations’ priorities usually change over time; does the BCM program still address risks to (current) corporate objectives?
Aligned to leading practices – are leading practices changing, are newer and better ways emerging, and do we need to adopt these?
Mitigates regulatory risks – what new regulations apply to us, and does the BCM program effectively mitigate these, or do we need to change anything?
Support BCMS Audit – occasionally the program should be audited to ensure it is appropriate given the risk profile of the organization
Act “Continuous improvement”
Review & Amend Policy – to reflect changing risk appetite or circumstances
Amend Standards & Practices – implement newer practices if deemed appropriate
Amend Roles & Resp. – to reflect changes to company structure, size, authority levels or the BCM program
Amend Scope & Goals – as the BCM program matures (able to do more), or as regulations or practices change
Approve BCM Strategies – where large capital expenditures are needed; overall prioritisation; where a response strategy may negatively impact another part of the business
BC Manager – must implement agreed BCM activities
Aligned priorities
“day job” takes priority
BCM in KPI and job description
Risk management / BCM maturity agreed – we know “how much is enough”
BCM effort as directed by policy (I’m here to help!)
Sure, it is number 4 on my priority list
BCM manager Dept. manager
BCM is a program, not a project
BCM is a risk management discipline – requires trade-offs
BCM is not “just about the plan”
Governance process is critical to ensure success
A plan-do-check-act management system will assist to:
Ensure the executive team are engaged
Ensure everyone is on the same page regarding “how much is enough”
Ensure roles and responsibilities are properly defined
Ensure deliverables and scope are properly defined
Ensure planning and risk mitigation efforts are aligned
Ensure consistent understanding of business interruption risks
Provide a mechanism for the program manager to “steer the ship”