Understanding Business Continuity Management


  • 8/11/2019 Understanding Business Continuity Management

    1/17

    UNDERSTANDINGBusiness Continuity Management

    http://www.vmia.vic.gov.au/
  • 8/11/2019 Understanding Business Continuity Management

    2/17

© 2012 VMIA.

The information provided in this document is intended for general use only. VMIA does not warrant the information in this document and does not accept any liability to any person for information or advice or the use of such information or advice provided in this document. VMIA encourages the free transfer, copying and printing of this document if such activities support the purpose and intent for which this document was developed. This document is protected by and its use subject to the terms and conditions of VMIA's Copyright Licence.

What is the purpose of this document?

This introductory guide has been compiled to assist those who are new to the concepts of Business Continuity Management (BCM). The information is not intended to be comprehensive; however, it does provide an insight into business continuity management to assist you to continue your BCM journey.

A list of suggested reading and VMIA's business continuity management services is available at the end of this document. This guide is divided into the following sections:

Section 1: Business Continuity Management fundamentals

Section 2: Developing Business Continuity Plans

Section 1: Business Continuity Management fundamentals

What is Business Continuity Management?

Business Continuity Management (BCM) is a program that aids organisations to prevent and prepare for disruption events: events which prevent an organisation from continuing ordinary business operations.

At the severe end of the scale these events could be catastrophes or disasters such as earthquakes or floods, while at the other end disruption might be caused by a key staff member being unavailable for work or your company's website going down.

While BCM has traditionally focused on the continuity of operations after a crisis or disaster, by broadening the definition to disruption risk management, it becomes clearer that BCM includes all forms of risk mitigation, including prevention.

BCM is also a key topic when talking about the concept of organisational resilience, where an organisation is able to effectively handle changes, challenges and stress.

An important element of BCM is developing effective Business Continuity Plans (BCPs) to enable organisations to continue key operations during and after a disruption.

BCM can include the following elements:

- prevention and mitigation
- crisis/incident management
- emergency planning and management
- business continuity planning.

What is the background for Business Continuity Management in the Victorian public sector?

In 2004, the State Coordination and Management Council (SC&MC) mandated that all government agencies have a Business Continuity Plan (BCP) based on the relevant Australian Standard.

In the same year, the Financial Management Compliance Framework (FMCF) established that agencies should certify there are documented and tested back up, disaster recovery and business continuity procedures in place that are commensurate with the Public Sector Agency's financial management needs (Standing Direction, 17, 3.2.2 FMCF).

The Victorian Government Risk Management Framework 2011 (VGRMF) also refers to the need to integrate emergency management, security and pandemic arrangements with the agency's BCPs.

What is the current status of Business Continuity Management across the Victorian public sector?

A 2010 VMIA survey of 131 clients provided an insight into the BCM maturity of a diverse range of organisations. Some of the key observations included:

- Plans are in place, but not always comprehensive. Many organisations already had some plans in place. However, the suite of plans and arrangements were not always complete or integrated.
- Limited formalised crisis management arrangements. Only 35% of respondents stated they had a clearly articulated and current crisis management plan.
- Some commitment by senior management. In 66% of cases, BCM activities were supported by senior management and were a priority for the organisation.
- Always room for improvement in business resilience in the VPS. Around 48% of organisations affected by business interruptions achieved their recovery objectives and 47% maintained their service levels.
- IT Disaster Recovery arrangements can be better aligned with business continuity. IT disaster recovery plans did not always talk to other business functions when considering continuity capability and recovery time objectives.
- People and culture in BCM. Organisations must understand the risks related to employee resiliency that could arise in a crisis and address them.
- Not enough BCM professionals. More than half (52%) of VMIA clients surveyed do not have any BCM professionals within the organisation. This was more acute for smaller organisations.

Seven tips to improve your organisation's Business Continuity Management capability

1. Get the Board and Executive to champion your BCM program
2. Refer to available BCM standards and guidelines
3. Agree on a strategy and develop a road map of activities
4. Get your governance structure right and link the emergency, crisis and continuity elements
5. Understand your service and operational priorities to ensure they are protected
6. Develop strategies, including intuitive and practical plans
7. Exercise and test your plans and arrangements regularly (this is critical to maintaining and improving your BCM capability).

What is the current Australian Standard for Business Continuity Management?

Standards Australia released AS/NZS 5050 Business Continuity – Managing Disruption-Related Risk Standard in 2010. This replaced Australia's previous BCM Standards, HB 221:2004 and HB 292:2006. A new international standard, ISO 22301:2012 Societal Security – Business Continuity Management Systems – Requirements, has recently been released and is yet to be published by Standards Australia. A companion guide to 22301 is planned for release in 2013 (ISO 22312).

The Victorian Government Risk Management Framework (VGRMF) does not mandate certification to any one Standard. The suite of Standards and guidance materials available generally outline similar approaches to addressing BCM.

What is the difference between crisis management, emergency management, business continuity and disaster recovery?

The following definitions outline the core BCM elements:

Emergency Response (ER): the protection of people, assets and/or the environment following a disaster or emergency (for example a fire or bomb threat).

Business continuity planning (BCP): analysing the organisation, its critical activities, inter-dependencies and vulnerabilities, to assist in prioritising key functions and planning strategies to recover or maintain them in the event of a significant business disruption.

Crisis management (sometimes referred to as incident management): the governance arrangements and processes that enable an organisation to protect reputation, value, order, manage media and stakeholders and properly disseminate timely and accurate information. As well as managing strategic communications and relationships, crisis management arrangements will oversee and support the response to a major emergency, crisis and/or a significant business disruption.

The crisis management plan is sometimes referred to as a Tier 1 plan or a BCM Plan. Location or precinct BCPs may be referred to as Tier 2 plans by larger multi-site organisations. Functional BCPs can sometimes be referred to as Tier 2 or Tier 3 plans if location BCPs are in place.

Business continuity management: a management process which provides a framework for building capability that safeguards the objectives of the organisation, including its obligations, from business disruptions. This involves managing a disruption before (i.e. risk management), during (i.e. emergency response, crisis management and BCPs) and after (BCPs) it occurs.

IT Disaster Recovery (sometimes referred to as Disaster Recovery or DR): the recovery arrangements for IT and data availability and protection. Information technology and communication systems are an important resource dependency for organisations generally, but a subset of BCM (essentially, they are a BCP for the IT functions).

Risk management: ISO 31000:2009 defines risk management as the coordinated activities to direct and control an organisation with regard to risk. This typically involves establishing a framework to ensure the organisation understands its risk environment and is effectively assessing, treating, communicating and monitoring its risks. This includes managing all types of risk including, but not limited to, financial, safety, compliance, operational, strategic and business disruption categories.

The below graphic shows how the response elements (emergency response, crisis management and BCPs) often interact:

[Graphic: activity plotted against time objective, showing the emergency response plan, the crisis management/communication plan and the business recovery plans leading to a successful outcome.]

Source: Workshop 1 Emergency Response, Business continuity management (BCM) workshop, Marsh Technology Conference 2005

What are the critical success factors of a business continuity program?

There are a number of factors that can help you ensure the success of your organisation's BCM program. Some of these include:

- Leadership and commitment. Ensure you have management and board commitment and your leaders allocate appropriate resources and set the tone at the top for BCM.
- Good governance. Ensure the governance structure and command and control arrangements in a declared business disruption are defined, have the appropriate authority and capacity to make decisions, and that escalation processes are clearly understood. These arrangements should be documented in the crisis or incident management plan and reflected in other ancillary plans.
- Integration and alignment. Ensure there is appropriate integration and alignment between emergency response, incident/crisis management and business continuity arrangements (including disaster recovery plans). Also, embed BCM activities such as training or review of plans into management processes.
- Embed in the organisational culture. The business continuity function needs to understand the organisational culture when developing plans and arrangements to ensure their effectiveness and staff engagement. Delivery and workshop methods, communication mediums, terminology and language suitable to the organisational culture should be considered.
- Meeting your obligations. When undertaking business continuity planning, ensure that your organisation's regulatory, contractual or policy requirements, and expectations in a disruption, are understood and addressed in your plans.
- Review, exercise and update. When changes occur in the operating environment, ensure that your arrangements, assumptions and plans are reviewed for currency and accuracy. Plans may become outdated and ineffective, and require substantial investment to renew, if changes occur and plans are not reviewed in a timely manner. A great way to ensure the continuous improvement of plans is to embed a regular exercise, testing and audit regime. Exercises also serve to prepare and train staff.
- Learn from experiences. Learn from your organisation's experiences as well as from others. Join BCM forums and networks and review legal, insurance and industry case studies.
- Understand interdependencies. Consider where your organisation sits in the supply chain and how secure and resilient your supply chain is. You will want to be aware of suppliers, clients/customers, partners and other third parties and address vulnerabilities in your arrangements and plans. Consider participating with key stakeholders in business continuity exercises, and review service level agreements or contracts for BCM conditions.

Section 2: Developing Business Continuity Plans

How do you develop business continuity plans?

There are a number of different standards and guidelines on BCM that describe the process for developing business continuity plans. Most of the processes outlined are similar although they may differ in the number and order of some elements of plan development. Essentially, you will need to consider the following steps:

[Diagram: six steps arranged around the central reminder "Make and challenge assumptions": 1. Get commitment and understand the business; 2. Assess critical functions, impacts, vulnerabilities and priorities (BIA) and risk assessment; 3. Identify strategies and (realistic) response plans; 4. Implement strategies and document plans; 5. Communicate your plans and educate your staff; 6. Exercise, review and improve your plans.]

1. Commitment and preparation

- Confirm the commitment from the organisation's leaders.
- Establish the business continuity policy, plan, governance structure, roles and responsibilities.
- Understand your business, in terms of its goals, objectives, culture, people, systems, supply chain and decision makers.

2. Conduct a business impact analysis and risk assessment

- Assess critical functions, impacts, vulnerabilities and priorities
- Facilitate a disruption-related risk assessment

3. Identify strategies and (realistic) response plans

Strategies could include suspension of activities, timely recovery, manual workarounds, relocation, preparation and prevention investments, arrangements with third parties (including insurance), and resilience strategies.

4. Implement strategies and document plans

- Develop accountable action plans

5. Communicate your plans and educate staff

Establish a communication and training plan which is tailored to the needs of different groups involved in the BCM Program.

6. Exercise, review and improve your plans and arrangements

Develop a BCM testing and exercising regime which is supported by audit and review mechanisms. Tailor the testing and exercise regime to address the various parts and priorities of the BCM Program.

7. Review assumptions

Throughout the BCM process, identify and review the key assumptions you are making about your BCM arrangements and plans. Ensure assumptions are assessed, agreed and documented where appropriate. They will help people understand the scope of the BCPs. For instance, do the plans assume that the disruption will be limited to a precinct, a facility or part of a facility only? Do plans assume that wireless or remote internet and phone services will be available? Identify and challenge assumptions as you develop your plans.

What is a business impact analysis?

The business impact analysis (BIA) enables you to understand your organisation's priorities and their vulnerability to business disruptions. It will show which parts of the organisation will be most affected by an incident and what effect it will have upon the organisation as a whole. The business impact analysis process involves the following:

1. Identifying the organisation's time-sensitive (often referred to as critical) business functions, processes, activities or services.

2. Analysing the interdependencies that will influence the recovery times and recovery objectives for each operation. For example, a function of the organisation may be processing payroll. This activity is dependent on people, access to resources and systems. If the IT systems are down, this will impact the ability of payroll staff to do their work.

3. Determining timeframes or thresholds in which the identified functions should resume, to mitigate significant consequences and ensure business goals are met. This can include recovery time objectives (RTO) and the maximum acceptable outages (MAO). Both maximum acceptable outages and recovery time objectives will need to be approved by senior management. To inform the time frames, the organisation should agree on impact criteria and then analyse the functions against these criteria. Financial impact estimates can be recorded and used to inform your insurance program.

4. Identifying existing controls and contingencies that mitigate or help manage a disruption to operations. For instance, your organisation may already have emergency response and crisis management plans, IT DRP, redundant patient/office capacity in facility X, back up generators, Emergency Codes or Critical Hospital Operating Contingencies (healthcare).

The BIA will provide the rationale and cost justification for decisions about risk mitigation and continuity, including the development of BCPs.

What is MAO and RTO?

There are a number of BCM acronyms and terms used when developing business continuity plans. Some of the common terms are explained below:

MAO/MTPD: Maximum Acceptable Outage or Maximum Tolerable Period of Disruption. The maximum acceptable outage is a measure of risk tolerance for each key business function (sometimes referred to as process, activity or service) which is agreed by the organisation. For example, the organisation may decide that it cannot allow certain functions to be disrupted for longer than a specified time frame. In this sense, it assists the organisation to understand its priorities to make informed decisions about appropriate recovery times and BCM strategies.

RTO/RTE: Recovery Time Objective or Recovery Time Estimate. This is the target time agreed for recovery of a function. In reality, this should be based on the ability for dependencies to be restored first or work-arounds arranged to enable the function to continue, such as how long it takes for relevant IT systems to recover.

RPO: Recovery Point Objective generally refers to a point in time when systems and data should be recovered to after an outage (for example, the end of the previous day). Recovery point objectives are often used as the basis for the development of IT back-up strategies, and as a determinant of the amount of data that may need to be recreated after the systems or functions have been recovered. The tolerance for data loss can vary depending on an organisation's activities and risk appetite. For instance, a bank's tolerance for losing very recent information may be more acute than other organisations'.

Sometimes the recovery point objective is referred to as the minimum level at which a business function could still operate. For example, the Finance Department can operate on 50% staff with access to six workstations. To overcome confusion, this could be called a function's minimum resource requirement.
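As an added illustration (not part of the VMIA guide), the check below models the point made about RTO and the BIA interdependency step: a stated RTO is only realistic once each dependency has been restored or bridged by a work-around, and the realistic figure must still sit within the MAO that management approved. The function names, hour values and the payroll/IT dependency figures are constructed for the example.

```python
"""Dependency-aware RTO/MAO consistency check over a small BIA register.

Added example; all functions, thresholds and dependencies are constructed
for illustration and are not figures from the guide.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    """One row of a BIA: a time-sensitive function and its agreed thresholds."""
    name: str
    mao_hours: float        # Maximum Acceptable Outage approved by senior management
    rto_hours: float        # Recovery Time Objective stated in the BCP
    depends_on: list[str] = field(default_factory=list)     # other BIA rows this relies on
    # dependency name -> hours until a manual work-around lets the function run without it
    workarounds: dict[str, float] = field(default_factory=dict)


def effective_recovery_time(name: str, bia: dict[str, BusinessFunction],
                            _path: tuple[str, ...] = ()) -> float:
    """Earliest time (hours) the function can realistically be back.

    The function cannot resume before every dependency is either restored
    (its own effective time, recursively) or bridged by a work-around, so the
    realistic figure is the larger of the stated RTO and the slowest dependency.
    Circular dependencies are reported rather than looped over.
    """
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    fn = bia[name]
    slowest_dependency = 0.0
    for dep in fn.depends_on:
        dep_time = effective_recovery_time(dep, bia, _path + (name,))
        if dep in fn.workarounds:               # a work-around caps how long we wait for it
            dep_time = min(dep_time, fn.workarounds[dep])
        slowest_dependency = max(slowest_dependency, dep_time)
    return max(fn.rto_hours, slowest_dependency)


def assess_bia(bia: dict[str, BusinessFunction]) -> dict[str, list[str]]:
    """Return findings per function; an empty list means the thresholds are consistent."""
    findings: dict[str, list[str]] = {}
    for name, fn in bia.items():
        issues: list[str] = []
        if fn.rto_hours > fn.mao_hours:
            issues.append(f"stated RTO {fn.rto_hours}h exceeds MAO {fn.mao_hours}h")
        realistic = effective_recovery_time(name, bia)
        if realistic > fn.rto_hours:
            issues.append(f"stated RTO {fn.rto_hours}h is unrealistic: "
                          f"dependencies allow {realistic}h at best")
        if realistic > fn.mao_hours:
            issues.append(f"realistic recovery {realistic}h breaches MAO {fn.mao_hours}h")
        findings[name] = issues
    return findings


# Constructed sample BIA register (illustrative figures only).
SAMPLE_BIA = {fn.name: fn for fn in [
    BusinessFunction("IT core systems", mao_hours=48, rto_hours=24),
    # Payroll's own RTO of 8h ignores that the IT systems it needs take 24h to recover.
    BusinessFunction("Payroll", mao_hours=72, rto_hours=8, depends_on=["IT core systems"]),
    # Admissions can fall back to paper forms within 1h, so the IT outage does not gate it.
    BusinessFunction("Patient admissions", mao_hours=4, rto_hours=2,
                     depends_on=["IT core systems"], workarounds={"IT core systems": 1}),
    # Finance reporting has an RTO longer than its MAO and no work-around for IT.
    BusinessFunction("Finance reporting", mao_hours=8, rto_hours=12,
                     depends_on=["IT core systems"]),
]}


if __name__ == "__main__":
    for function_name, function_issues in assess_bia(SAMPLE_BIA).items():
        status = "OK" if not function_issues else "; ".join(function_issues)
        print(f"{function_name}: {status}")
```

Functions whose list is empty have thresholds that hold together; the others need either a revised RTO, a work-around for the slow dependency, or a faster recovery of that dependency.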

Now that I have completed the business impact analysis, how do I determine what strategies will be most appropriate?

Once the business impact analysis is complete:

1. Conduct a risk assessment for disruption-related risks to better understand the threat environment and response needs.

2. Conduct a BCM governance gap analysis to determine what arrangements you will need to make to develop the BCM program. For example, are emergency response plans, crisis management arrangements and business continuity plans developed? Do they cover all of the key elements? Are they up to date? Are they integrated with one another where necessary, with clearly defined accountabilities, delegated authorities and decision making procedures?

What do I need to include in business continuity plans?

The information below focuses primarily on continuity and recovery plans (BCPs) for business functions, processes, activities and services, although some information will be relevant for crisis management (or Tier 1) plans. BCM tools and templates can be found on VMIA's website at www.vmia.vic.gov.au.

There is no one-size-fits-all approach for developing plans. The style, format and content of business continuity plans will vary according to the needs and culture of an organisation. One thing to keep in mind is to keep them practical, realistic and simple where possible. It is also important to remember that no disaster will occur exactly as anticipated. Ensure there is a good balance between providing enough guidance and allowing a measure of flexibility to enable operational decision makers to deal with diverse circumstances.

Some elements you may want to address in your plans:

- Document control
- Table of contents
- Whether it is a business process (e.g. department), resourcing function (such as IT, facilities or HR), location/precinct plan or other
- Governance arrangements, including activation procedures
- Roles and responsibilities
- Maximum acceptable outage, recovery time objective and recovery point objective thresholds
- Continuity, recovery, resumption and/or restoration action/guidance checklists
- Resources required, including minimum temporary resources until services are fully restored. In addition you may need to consider:
  - People
  - Information and data
  - Buildings, work environment and associated utilities (ensuring occupational health and safety requirements are met)
  - Facilities, equipment and consumables
  - Information technology and communication systems
  - Transportation & accommodation
  - Finance and delegated authorities
- Communication priorities and protocols
- Inter-dependencies (for example suppliers or contractors your business depends on, or that depend on you)
- Key assumptions made within the plans
- Resources and tools, such as an event log template, or a call tree

Plans should take an all-hazards approach, which focuses on the effects of disruptions on people, systems, utilities, suppliers, infrastructure and surge in demand rather than every possible scenario.

How do I ensure plans are maintained and current?

Maintaining and updating your plans is critical to ensuring the business continuity management program is effective. The risk is that all your hard work and investment is put on a shelf and becomes obsolete or irrelevant, particularly as the organisation's profile changes over time.

Along with regular desktop reviews of plans, one of the best ways to review and improve your business continuity management arrangements is to establish an exercising and testing framework. Exercising can help identify gaps and improvements and ensure the currency of BCM arrangements. The framework should establish the exercise type, frequency, scope and accountabilities.

Some of the benefits of using scenario exercises include:

- A check to ensure completeness, accuracy, governance arrangements and currency of plans
- Determining the feasibility and compatibility of back-up facilities and procedures
- Identifying areas in the plan that require modification or enhancement
- Engaging and providing training to employees
- Demonstrating to internal and external stakeholders your organisation's preparedness to respond and recover
- Maintaining organisational visibility of and support for crisis management and business continuity functions
- Providing evidence for business cases to improve business continuity preparation.

For scenario exercises, the scope may depend on how mature your plans are and how prepared your people are. You will also want to consider the focus of the activity. For example, will you engage your crisis team or your recovery teams? Will you review response capability or just recovery? Will you exercise public relations and reputational issues as well as operational issues, and so on.

Points to consider when designing a scenario exercise (from the guide's diagram):

Exercise focus: communications; stakeholders; response versus recovery; IT data recovery; organisation-specific factors.

Format: live activation; role-play or group discussion; role of the facilitator and observers; use of exercises (e.g. stakeholder mapping).

Storyline: realism; known vulnerabilities; push the boundaries; informed by previous audits, exercises and experiences; assumptions explained.

Participants: use of deputies and observers; CMT and/or recovery teams; level of information provided to them; expectations.

Below is a table listing the various forms of exercises an organisation can employ. Some, such as validation exercises, can be more frequent than others:

Maintenance activity: Description

Validation test (e.g. call-tree and accuracy of contacts): Reviews the accuracy and effectiveness of communication tools and resources in the event of a serious business disruption by manually using the call-tree or confirming contact details.

Desktop review: Educates key people about their roles in a business disruption. The format can include individual meetings with staff (individually or in groups) using the plans and/or a presentation.

Desktop scenario exercise: Conducted with the crisis or recovery teams, these exercises review the assumptions made in business continuity plans and support staff to understand and implement their continuity role when required.

Offsite inventory, back-up verification and availability of required supplies test: Reviews the condition of the agreed inventory for business continuity and/or alternate sites. A check list of items can be reviewed. A discussion of needs may take place where staff can identify gaps. Checking with suppliers or dependencies the time frames for delivery of materials in the event of a business disruption can also be reviewed.

Activation of crisis/recovery teams exercise: Reviews the readiness and times to activate key roles in the event of a disruption.

Disaster recovery test: Tests the capability of IT and systems to recover in the event of a disruption.

Full or partial live scenario exercise: Assesses how aspects of the business continuity plans can be effectively implemented in real-time.

Fully integrated exercise: A live exercise with removal of access to key activities or processes, involving key elements of the business continuity management framework, including IT disaster recovery, crisis management and business continuity.

Where can I find out more?

Refer to the various business continuity management standards and guidelines, including:

- AS/NZS 5050:2010 Business continuity – managing disruption-related risk
- ISO 22301:2012 Societal security – Business continuity management systems – requirements
- HB 292:2006 A practitioner's guide to business continuity management
- The Good Practice Guidelines, Business Continuity Institute 2010
- Business continuity management – Building resilience in public sector entities, Australian National Audit Office 2009

Keep an eye on our website www.vmia.vic.gov.au for online tools, templates and publications, in particular the Guides and Publications section and the Business Continuity Management section.

VMIA provides business continuity management learning opportunities through our Client Learning Program. Our current training program can be found here: www.vmia.vic.gov.au/Client-Training.aspx

There are a number of professional bodies and networks that can help connect practitioners and offer learning experiences. In Australia the key bodies are the British-based Business Continuity Institute and the Continuity Forum Pty Ltd. Social media, such as LinkedIn, have professional networks that allow practitioners to ask questions.