BS 25999/ ISO 22301 User Group
Copyright © 2012 BSI. All rights reserved. October 2012
London, 14 February 2013
Programme

Time            Session
09:30 – 09:45   Welcome and Camden Case study
                Trevor King, Business Continuity Manager, Camden Council
09:45 – 10:00   Withdrawal of BS 25999 and the introduction to the ISO
                Tim McGarr, Sector Content Manager (Business Continuity Management & Risk Management), BSI
10:00 – 10:30   Getting started in developing a Business Continuity Management System
                Drew Gibson, Head of Business Continuity Management, Canary Wharf Group
10:30 – 10:50   Facilitated Discussion 1: The impact of the ISO and the withdrawal of BS 25999
10:50 – 11:10   Break: Tea and Coffee
11:10 – 11:40   Continuity in the supply chain
                Steve Mellish, Chairman, The Business Continuity Institute
11:40 – 12:05   Facilitated Discussion 2: Is your supply chain resilient? To what degree is it integrated in business continuity arrangements?
12:05 – 12:30   The relationship between BCM and resilience
                Charley Newnham, Business Resilience, PwC
12:30 – 13:30   Lunch and close
Trevor King
Business Continuity Manager
London Borough of Camden
Welcome to Camden Council
14 February 2013
Why Local Authorities have business continuity management
Normal business reasons for a service organisation
Civil Contingencies Act
Camden Council’s BC policy
“It is the policy of the London Borough of Camden to have adequate Business Continuity Management processes and maintain Business Continuity Plans in order to deliver appropriate levels of service during a Business Continuity incident to meet our obligations to our residents, our employees, partners, other stakeholders and to those travelling through Camden”.
Scale
• 1 corporate BC plan
• 6 departmental BC plans
• 80 heads of service
• 138 BC plans
• 47 of the 138 BC plans have a component that must be restored on the same day
• eg call centre, communications team, IT, social care, registrars, civil emergencies, repairs, and so on
• BC plans from suppliers of goods and services
How do we pull it all together (1 of 2)
Policy and structure of responsibility
Risks assessed centrally (Borough Risk Register)
Standard BC planning template
Action plans focus on impacts of a BC event:
Cannot use the office (fire, utility failure, cordon)
Shortage of staff (transport, strike, flu)
Loss of use of IT (internal IT, telecomms, malicious)
Failure of a supplier of goods or services
Sudden increase in workload (civil emergency).
How do we pull it all together (2 of 2)
Heads of service are responsible for their plans
Prioritise activities
IT - central rules on restoration
Re-accommodation – central control
Standard BC exercises
Review of BC incidents
BS 25999 and ISO 22301
Constant change
Reduction in the number of offices
Working from home – strategy of 7 for 10
IT
Priorities
Six month review of plans
Individual’s motivation to plan effectively
Compliance culture?
Perceived impact on the responsible manager(s)
Imperative to provide a service: health/safety, legal obligations, finance, reputation.
Historical (Y2K, flu, Olympics, local)
Leadership
BC promotion to businesses
CCA: Local Authorities to provide advice and assistance to businesses and voluntary organisations about business continuity management (no agreed measurables).
Camden Council – we have:
• Camden.gov.uk search on ‘business continuity’
• Presentation evening
• Collaborate with other events
• Direct to students at schools
• Camden security zones
• Business newsletter
• Leaflets?
• Our suppliers
Some Local Authorities provide a BC planning service.
Thank you
Have a good session
Trevor King
Business Continuity Manager
London Borough of Camden
Drew Gibson MBCI
Canary Wharf Group Business Continuity Manager
Implementing Business Continuity and ISO 22301
Lessons Learnt
•Communications
•Re-simplification of planning
•Simplicity of plans
•Simplification of processes
•Realistic testing and exercising
•Second order testing and exercising
Considerations
•Budgets
•Staff management
•Regulatory oversight
•Extreme weather
•Current investments
•Office locations/DR sites
•Transport infrastructure
•Behavioural changes
The Issues
•Not yet Audited
•Not arguing definitions
•Not a silver bullet
•Still need to plan
•No fast track
•Need to get management buy in
Benefits
•Internationally recognised
•Excellent framework for planning
•More relevant than BS25999
•Competitive advantage
•Demonstrate reliability of service
•Consistency of processes
ISO 22301
•Corrective & Preventative Actions Log
•Mitigation & Protection
•Risk Opportunity Log
•Wider scope
•Chapter 5 – Management Oversight
•Third party suppliers
•External stakeholders expectations
ISO 22301
•Objective view
•Major incident plans
•Staff awareness
•Assessing recovery times
•BIA requirements
•Audit anxiety
•Creeping excellence
Facilitated Discussion 1: The impact of the ISO and the withdrawal of BS 25999
1. Has your organisation implemented ISO 22301/BS 25999, or a BCM process aligned to that Standard? What were the challenges in achieving this?
2. What will make your job easier in implementing a Standards approach to BCM?
3. Has the transition to ISO 22301 left any gaps in BCM guidance/Standards you would like to see addressed?
Three messages back to the BSI...
CONTINUITY IN THE SUPPLY CHAIN
– A PRACTICAL APPROACH
Steve Mellish FBCI
Director of Mellish Risk & Resilience and Chairman of the Business Continuity Institute
Thursday 14th February 2013
Agenda
• Introduction
• Background
• The Sainsbury’s approach
• 5 ‘Top Tips’ to address your supply chain risk
• Conclusion
Supply Chain Survey Results 2012
• 532 companies participated in the survey
• 73% had experienced at least 1 disruption (5 was the average)
• Failure of outsourcing suppliers has risen 17% to 35% since 2009
• Severe weather disruption affected 48% (51% in 2011)
• 39% of disruptions originated from ‘Tier 2’ suppliers
Source: The Business Continuity Institute – Supply Chain Resilience 2012
The Sainsbury’s approach
• More than 1,000 stores
• More than 155,000 employees
• More than 22 million customer transactions a week
• More than 7,000 suppliers
• 25 Distribution Centres
• Additional services include Banking, Online shopping, home grocery deliveries
Business Plan 2005/6

Mission
The Business Continuity Group provides the Sainsbury organisation with a comprehensive BCM programme of the highest standard, which protects it from any major event that might adversely affect its operation and/or reputation. Strategies for BCM will be based on the business needs balanced against cost and industry ‘best practice’. The BCM programme will be driven by meeting the needs of the business within an ever-changing environment.

Vision
“At Sainsbury’s we will deliver an ever improving quality shopping experience for our customers with great product at fair prices. We will exceed customer expectations for healthy, safe, fresh and tasty food making their lives easier every day.”

Our Goal
To be acknowledged as the ‘Enterprise-wide stakeholder protection system’ for Sainsbury’s. A risk management department that protects Sainsbury’s and all of its stakeholders from the effects of unplanned business disruption.

Our Values
• Getting better every day
• Great service drives sales
• Individual responsibility – team delivery
• Keep it simple
• Respect for the individual
• Treat every £ as your own

BC Goals
• Full and effective implementation of the performance management system.
• Set and achieve the budget.
• BCM for critical suppliers.
• Review and revise the alternative accommodation strategy.
• Review and revise the emergency communications strategy.
• BCM for the Supply Chain.
• Ensure that the BCSG ‘Risk Map’ is maintained and used to maximum effect.
• Undertake BIAs for Holborn and Streatham Business Centres which will gain BCSG approval.
• Manage the BCM programme ensuring maximum benefits are achieved with the resources available to it, including people, systems and finance.
• Plans and procedures will remain up-to-date and ready to use through an ongoing programme of plan review, maintenance and exercise.
• Embed BCM into the culture of the organisation through an ongoing awareness and education programme.
• Deliver plans and solutions which meet the business needs and that protect the organisation from the effects of any major incident.

Objectives
• Develop and maintain great supplier partnerships.
• Deliver a memorable BCAW:2006.
• Continue to learn and share best practice both internally and externally.
• Ensure inductions and associated materials are maintained and delivered.
• Exercise, test and rehearse all plans, teams and associated solutions.
• Review and maintain the Holborn and Streatham BCPs as well as the SIC procedures.
• Agree an audit plan for the BCM programme.
• BCM for critical suppliers.
• Complete the ‘London’ BC Plan.
• Implement BCP4DRP.
• Ensure effective responses to any major incidents including product recalls.
Third Party Supplier Continuity
• Scope – Limited number of suppliers who, should they fail to deliver, will have a major impact on the Sainsbury brand, reputation or ‘core’ operation of the business
• Objectives
  – To assess their current BC capabilities
  – To identify areas for improvement
  – To provide guidance on addressing any areas of weakness and vulnerability
What is a Critical Supplier?
• Service Provider not products
• Sainsbury’s specific (not industry-wide)
• Customer facing
• Reputational impact to Sainsbury’s
• Material impact on profit by £xm
• Legal/regulatory problems
• Stops mission critical activities*
Third Party Supplier Continuity
• The most critical suppliers were identified
• Contact was made at CFO level to find out about their business continuity capabilities
• Conducted in partnership by sharing good practice
• Reviewed contracts and their terms and conditions
• Raised awareness and education within the trading and procurement teams
Challenges
• They may not want to discuss it!
• They may say they don’t know how to do it
• They may expect it to be done for them!
• They may want to charge for it
• They may claim it’s all in place - so how do you know for sure?
• The risk exposure had to be reduced
Business As Usual
• 130 Suppliers were identified
• All suppliers returned their questionnaires
• Follow ups occurred and were maintained
• New tenders and contracts included business continuity
• Sainsbury’s are also asked to provide evidence
5 Top Tips
1. Identify all of your key suppliers and rate them in terms of importance to your business
2. Engage with your critical suppliers at a senior level
3. Assess their level of preparedness for dealing with service disruption
4. Follow up where appropriate and maintain an ongoing dialogue (it’s not an initiative)
5. Include business continuity in your contracts
Free Extra Tip!
Make sure if you are asked you can answer and demonstrate that you can maintain supply to your customers.
Gain an advantage over your competitors.
Facilitated Discussion 2: Is your supply chain resilient?
1. To what extent does your BCM programme consider supply chain risks?
2. How have you obtained assurance from your key suppliers that their BCM processes are robust?
3. What are the key challenges to maintaining a resilient supply chain?
We will cover...
1. The Changing Definition of Organisational Resilience
2. Is Business Continuity Not Organisational Resilience?
3. BCM and the Bigger Picture
4. 2012: Snapshot of Resilience in the Workplace
5. Leveraging BCM Expertise for Organisational Resilience
Defining “Organisational Resilience”
2007 – The ability of an organisation to bounce back to its original state (Ferudi, 2007; McIntyre, 2007)
2010 – The ability to bounce forward to a new state that ensures both recovery and adaptation; development of the ability to minimise or eradicate crisis events (Valikangas, 2010; Comfort, Boin & Demchak, 2010)
Proof of resilience is “thriving longevity”: adaptive capacity, strategic situational awareness, avoidance or minimisation of crisis, avoidance of gradual decline, wise strategic governance, etc. (Carmelli & Markam, 2011; Stephenson, 2011)
2012 – If we are to be resilient, we have to be open to learning and change... Next..?
The case for preparation
Good crisis management creates value
Chart (stakeholder value against time, 250 days; source: Knight / Pretty 1996 – 2010): plots stakeholder value for companies with a positive approach to crisis management and recovery (“Recoverers”) and for “Non-recoverers” against “Other Companies”, with “Management skills and response” and “Stakeholder communication” marked as the labelled drivers.
Insurance alone is inadequate
Plans need to be implemented
The Crisis Continuum – Mapped to Business Continuity Management
Diagram (Newnham, 2012, after Burnett, 1998): a timeline with the opportunity to build resilience before the event and the requirement to respond after it. Business Continuity Management effort sits to the ‘left of bang’, to manage/respond during and to the right of bang.
The Crisis Continuum – What if there is no defining event(s)?
Diagram (Newnham, 2012, after Burnett, 1998): the same crisis continuum timeline, with the opportunity to build resilience to the ‘left of bang’ and the requirement to respond during and to the right of bang, and Business Continuity Management effort shown across it.
No “Bang” Required
Farepak (2006), Lehmans (2008), Woolworths (2009), Borders (2011), HMV (2012), Jessops (2012), ITV Digital (2002)
Examples
• slow burn issues
• flawed board level strategies
• inferior hiring decisions
• gradual declines in knowledge/growth
• competitor activity
• not adapting quickly enough to changing market
• cutbacks in R&D
• changes in regulations
What’s the BCM Contribution?
Diagram (Newnham, 2012, after Burnett, 1998): the crisis continuum timeline, with the opportunity to build resilience to the ‘left of bang’, the requirement to respond during and to the right of bang, and Business Continuity Management effort mapped onto it.
How The Mighty Fall
• Collins talks about 5 stages of decline
• In 1992 business gurus Peters & Waterman published a list of ‘excellent companies’
• 18 months later, they removed more than 30% from their list
• Research showed “the majority had failed to adapt to changes in the external environment”
• How long do you want your organisation to last?
The Theory of Creative Destruction
• Alan Greenspan ran the US Federal Reserve from 1986 - 2006
• Talks about “Creative Destruction”
• If an organisation isn’t capable of reinventing itself, or part thereof, when needed it will – and deserves – to die.
• What is the antithesis to creative destruction?
• Is it organisational resilience?
How Does the Roman Empire Help?!
• Carmelli & Markham (2011) examined the longest surviving organisations to discover what made them resilient
• Resilient companies don’t settle for endurance, but seek to thrive
• “Corporate resilience is about neither crisis management nor turnaround programs… it is not reactive but proactive organisational conditioning”.
The Business Continuity Role?
If organisational resilience is “the strategic and operational, planned and adaptive capacity of an organisation to thrive and achieve longevity*”
Where does BCM currently play its part?
*Newnham, 2012
American National Standard for Organisational Resilience (2009)
Business Continuity
Crisis Management
Risk Management
Physical Security
Information Security
“Resilience” Units in 2012?
More than 50% of “Resilience” Departments are in public service organisations
Mostly they oversee Business Continuity Management
76% also oversee Incident/Emergency Management
Less than 7% also oversaw IT continuity
Just over 30% also oversee Security or Risk Management
The Ultimate Question? Who can provide resilience assurance?
Business Continuity
Crisis Management
Risk Management
Physical Security
Information Security
Can these functional leaders assure the CEO that, together, they can, do or should provide the total resilience capacity for the organisation?
A New Resilience Consensus?
• Sutcliffe & Vogus (2003)
• McManus (2008)
• Beer (2009)
• Gardner (2009)
• Braes & Brooks (2010)
• Comfort, Boin & Demchak (2010)
• Valikangas (2010)
• Stephenson (2011)
• Newnham (2012)
Elements of the consensus (from the slide diagram):
• Internal and external situation monitoring
• Disciplined approach to expansion
• Virtuous corporate values
• Pro-active conditioning
• Increasing staff engagement
• Understanding key dependencies
• Securing and developing knowledge
• Encouraging innovation
• Fit for purpose continuity strategies
• Reducing silo mentality
• Robust leadership and governance
• Strong corporate culture
Existing Insights from BCM Leaders
• Where can BCM expertise be utilised for resilience?
• Do organisations have an appetite for exploring organisational resilience?
• How can it be leveraged at Board level?
• Do BCM leaders have the desire to take on organisational resilience?
Questions?
Charley Newnham
PwC | Organisational Resilience & Business Continuity
Mobile: +44 (0) 7930 402575
Email: [email protected]
PricewaterhouseCoopers LLP, 31 Great George Street, Bristol, BS1 5QD