Business-Continuity-Management.pptx


Transcript of Business-Continuity-Management.pptx


Slide 1: Business Continuity Management
2 October 2013
Introducing ISO 22301, the new global standard for Business Continuity Management

Slide 2: Who is BSI? 10 fast facts
- Founded in 1901
- Standards, assessment, testing, certification, training, software
- No owners or shareholders; all profit is reinvested into the business
- Global independent business services organization
- More than 2,500 staff, more than 50% non-UK
- #1 certification body in the UK and USA
- National Standards Body in the UK
- 244.9m revenue in 2011
- 64,000 clients in 147 countries
- 53 offices located around the world

Slide 3: What is ISO 22301?

Standards (Source: IS&BCA, 2013)

British standards (Business Continuity Institute (BCI), British Standards Institution (BSI)):
- PAS 56, Publicly Available Specification: Guide to Business Continuity Management
- BS 25999-1:2006, Business continuity management: Code of practice
- BS 25999-2:2007, Business continuity management: Specification

International standards:
- ISO 22301:2012, Societal security: Business continuity management systems: Requirements
- ISO 22313, Societal security: Business continuity management systems: Guidance
- ISO 22398, Societal security: Guidelines for exercises and testing
- ISO 31000, Risk management: Principles and guidelines

02 Oct 2013, 4th qualityaustria Forum, Beograd

Slide 4: Business Continuity Management definition
- Holistic management process
- Framework for resilience and response capability
- Safeguards the interests of key stakeholders
- Identifies potential risks, threats and impacts

Slide 5: Business continuity aims to safeguard the interests of an organisation and its key stakeholders by protecting its critical business functions against predetermined disruptions (ISO 22301:2012).

Slide 6: Principal drivers

Sector                        %    Principal drivers
Local Government              92%  Corporate governance; Regulation/legislation; Central Government
Central Government            85%  Central Government; Corporate governance; Public sector procurement
Finance and Insurance         85%  Corporate governance; Regulation/legislation; Auditors
Utilities                     81%  Regulation/legislation; Corporate governance; Customers
Health and Social Care        74%  Corporate governance; Regulation/legislation; Public sector procurement
Transport and Logistics       69%  Corporate governance; Regulation/legislation; Customers
Manufacturing and Production  58%  Customers; Insurers; Corporate governance
Education                     52%  Corporate governance; Customers; Regulation/legislation
Business Services             40%  Customers; Corporate governance; Regulation/legislation and Investors/shareholders
Construction                  31%  Customers; Corporate governance; Insurers

Slide 7: Major crisis for mobile-phone giants

Background
- Booming mobile phone industry
- Philips semiconductor plant in Albuquerque (USA)
- Produced mobile phone chips, crucial components
- 40% of output went to Nokia (Finland) and Ericsson (Sweden)

The incident
- Furnace fire caused by a lightning bolt
- Brought under control in minutes
- Smoke and water damage

The impact
- Flow of chips suddenly stopped
- Weeks to get the plant back up to capacity

Nokia
- Monitored its supply chain
- Took immediate action to secure supply
- Reconfigured manufacturing to accommodate a different specification

Ericsson
- Took the supplier's word that it was not a major problem
- Delayed taking remedial action (two weeks)

Source: Logistics Europe, February 2004

Slide 8: Key risk areas (business impact)
- People
- Information and data
- Buildings, work environment and associated utilities
- Facilities, equipment and consumables
- ICT systems
- Transportation
- Finance
- Partners and suppliers

Slide 9: What to plan for?

Slide 10: Major causes of organizational disruption in 2012 (Source: CMI, BCM Survey 2013)
- Winter weather: 77%
- Loss of people due to illness: 42%
- Loss of IT: 40%
- Loss of telecommunications: 27%

Slide 11: Value of crisis management
[Chart: negative impact against time from the crisis event. Without crisis management: damage to financial results, reputation and key relationships, and lost time/productivity. With crisis management: the negative impact is reduced and recovery from all kinds of corporate crises is faster.]

Slide 12: BCM compatibility (PDCA)
[Diagram of risk treatment options: avoid/remove/change; share; increase/retain; residual risk; business continuity.]

Slide 13: BCM checklist
- Scope and objective
- Gain an understanding of your business
- Assess the risk
- Evaluate potential continuity arrangements
- Define your strategy
- Develop your continuity plans
- Maintain, train and exercise continuity plans

Slide 14: Organization and its context


Slide 16: BCM objectives
Objectives should:
- Be clearly stated
- Be consistent with the policy
- Be SMART
- Take account of applicable needs and requirements
- Enable opportunities to maintain or improve performance
- Be monitored and updated as appropriate

To ensure that these objectives will be achieved, the organization should determine:
- Who will be responsible
- What will be done and when it will be completed
- How the results will be evaluated

Slide 18: Components of BCM arrangements (Source: CMI, BCM Survey 2013)

Slide 19: Be prepared
Business continuity plan phases: Emergency Response, Crisis Management, Business Recovery, Disaster Recovery
- Initial control of the emergency situation
- Safeguarding human life, protecting physical assets, minimizing damage/business impact, avoiding environmental contamination
- Stabilizing, security, damage assessment
- Strategic direction/policy issues
- Crisis communications, internal and external (media)
- Outward-facing liaison with stakeholders, users etc.
- Co-ordination of service recovery efforts
- Phased recovery of business-critical processes
- Recovery of infrastructure and services
- Returning to business as normal

Slide 20: Benefits of BCM
- Improves business resilience (86%)
- Helps protect their reputation (74%)
- Meets customer requirements (72%)
- Helped their organization recover from disruption more quickly than would otherwise have been the case (85%)

Source: CMI, BCM Survey 2013

Slides 21-22: Structure of ISO 22301:2012
- Clause 4 (Plan): Introduces the requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements and scope.
- Clause 5 (Plan): Summarises the requirements specific to top management's role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
- Clause 6 (Plan): Describes the requirements for establishing strategic objectives and guiding principles for the BCMS as a whole. This planning is distinct from the risk treatment options that stem from the risk assessment and from the recovery objectives derived from the business impact analysis (BIA), which are addressed under Clause 8.
- Clause 7 (Plan): Supports BCMS operations as they relate to establishing competence and communicating with interested parties on a recurring or as-needed basis, while documenting, controlling, maintaining and retaining the required documentation.
- Clause 8 (Do): Defines the BC requirements, determines how to address them and develops the procedures to manage a disruptive incident.
- Clause 9 (Check): Summarises the requirements necessary to measure BCM performance and BCMS compliance with the International Standard and management's expectations, and seeks feedback from management regarding those expectations.
- Clause 10 (Act): Identifies and acts on BCMS non-conformance through corrective action.

Copyright 2012 BSI. All rights reserved.

Slide 23: Clause 4: Context of the organization
- Clause 4 requires the organization to determine its external and internal issues
- There is now a clear requirement to consider interested parties
- This determines its business continuity policy and objectives, and how it considers risk and the effect of risk on its business
- There is also a requirement for a procedure to manage legal and regulatory requirements

Slide 24: Concept of interested parties
- ISO 22301 replaces the term "stakeholders" with "interested parties"
- The ISO standard requires broader consideration of interested parties than BS 25999-2
- Closer alignment with organizational objectives for corporate social responsibility

Slide 25: Clause 5: Leadership
- Clause 5 summarizes the requirements specific to top management's role in the BCMS
- Top management is given clearer BCM responsibilities
- The standard outlines specific ways in which management must demonstrate its commitment to the system

Slide 26: Clause 6: Planning
- New section relating to the establishment of strategic objectives and guiding principles for the BCMS as a whole
- When planning the BCMS, the context of the organization should be taken into account through consideration of risks and opportunities
- The organization's business continuity objectives must be clearly defined, with plans in place to achieve them

Slide 27: Clause 7: Support
Clause 7 details the support required to establish, implement and maintain an effective BCMS, including:
- Resource requirements
- Competence of the people involved
- Awareness of, and communication with, interested parties
- Requirements for document management

Slide 28: Clause 8: Operation
ISO 22301 requires that organizations plan and control the operation of their BCM requirements. Most importantly this includes:
- A methodology and documented process for conducting a business impact analysis (BIA)
- A systematic methodology and documented process for conducting risk assessments
- A methodology for selecting business continuity strategies that will protect the most important activities of the business and ensure their resumption in the event of disruption

Slide 29: Clause 8: Operation (continued)
- ISO 22301 places greater emphasis on the procedure required to detect an incident, communicate it early and monitor it regularly
- There is also a requirement to consider how the organization will recover its activities from a temporary state back to normal (if appropriate)
- Exercises and tests are required to demonstrate the effectiveness of BCM arrangements

Slide 30: Clause 9: Performance evaluation
- As with all management system standards, there is a need to look back at what has been achieved
- ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organization
- Greater emphasis on the setting of objectives, monitoring of performance and metrics
- Most organizations will already produce metrics that can be tailored to BCMS performance

Slide 31: Clause 9: Performance evaluation (continued)
- Internal audits and management review continue to be the key methods of reviewing the performance of the BCMS and tools for its continual improvement

Slide 32: Clause 10: Improvement
- Nonconformities of the BCMS have to be dealt with, together with corrective actions to ensure they don't happen again
- As with all management system standards, continual improvement is a core requirement

Slides 33-34: ISO 22301: an implementation checklist
1. Obtain management support
2. Treat it as a project
3. BCM policy: define objectives and scope
4. Define roles and responsibilities
5. Implement mandatory procedures
6. Perform BIA and risk assessment
7. Determine the business continuity strategy
8. Develop incident management plans and business continuity plans
9. Training and awareness
10. Exercising
11. Maintaining and reviewing the BCMS
12. Internal audit
13. Management review
14. Preventive and corrective actions

Slide 35: Evaluating BCM against established standards
- Legislation (e.g. statutory requirements)
- Regulations (e.g. industry-specific requirements)
- ISO 22301, ISO 27001, ITIL/ISO 20000
- BCI's Good Practice Guidelines
- BS 25999
- Other organizations

Slide 36: Summary
- Start with an understanding of your business, not with the threat: business impact analysis takes precedence over risk assessment
- Review and test BCM regularly
- Keep informed
- Do not neglect the supply chain
- Be clear about management roles and responsibilities
- SMEs in particular should consider how they can use BCM in a proportionate way to improve their resilience