
A guide to Business Continuity Management - PowerPoint Presentation

evelyn
Uploaded On 2022-05-31


Presentation Transcript

Slide1

A guide to Business Continuity Management

(And how it relates to the Civil Contingencies Act)

Slide2

What would happen if you:

Were denied access to your offices?
Were unable to make use of a vital system such as finance?
Suffered a cyber-attack which brought down your website, disrupted your communications or resulted in the theft of confidential data?
Lost a key member of staff or third party supplier?

Slide3

Do you know what you would do if they were suddenly unavailable and what your priorities would be?

Slide4

The Guide

Explains the context for Business Continuity Management and the Civil Contingencies Act 2004.
Follows the ‘Plan/Do/Check/Act’ cycle to cover the steps required to implement a Business Continuity Management system.
Provides case studies and lessons learnt, plus a table of useful sources of information.

Slide5

What is BCM?

Business Continuity Management, or BCM, is an activity that is concerned with developing an organisation’s ability to continue providing critical services (or business processes) in the event of an interruption.

This incorporates all aspects of the incident cycle including:

Identification and assessment of risks
Implementation of prevention and mitigation activities
Managing incidents
Recovering and resuming business as usual activities.

Slide6

The relationship between different risk management and response methods

Slide7

Statutory Duties

Section 2 (1) (c) of the Civil Contingencies Act places a legal duty on all Category 1 responders (which includes Local Authorities and other front line responders) to develop and maintain plans that will ensure they can continue to deliver their functions in an emergency (as defined in the Act), ‘so far as is reasonably practicable’. These duties relate to all of a Category 1 responder’s functions: i.e. the provision of key services, not just their emergency response functions.

Slide8

Statutory Duties

Section 4 of the CCA 2004 gives Local Authorities an additional duty: to promote and provide general BCM advice to commercial and voluntary organisations in their area. Local Authorities may charge on a cost recovery basis for the requested provision of more specific advice and assistance.

Slide9

“I am often asked what single piece of advice I can recommend that would be most helpful to the business community. My answer is a simple, but effective, business continuity plan that is regularly reviewed and tested.”

Eliza Manningham-Buller, the Director General of MI5, 2002-2007

Slide10

Making the case for BCM: key drivers and benefits

In addition to continuing service delivery and protecting the organisation, there are a number of benefits that can be achieved through having a structured and consistent BCM process in place.

Flagging these up to senior management when making your case for BCM can be a useful means of securing senior level commitment to the process, a necessary and critical factor for a successful programme.

 

Slide11

Key Drivers - The 3 C’s:

Credibility

Demonstrating effective BCM capabilities will enable the organisation to sustain critical services. It will also instil confidence in the organisation from staff, the general public and other stakeholders.

Compliance

With statutory and corporate governance requirements.

Cost

Protecting your assets, working more efficiently, reducing recovery costs and assurance of third party providers of services.

Slide12

Generic considerations when undertaking a BCM programme

Economics
Politics and terrorism
Customers
Media
Technology
Commerce
Attitudes and awareness
Culture

Slide13

The Plan/Do/Check/Act Cycle.

The standard applies the Plan-Do-Check-Act (PDCA) cycle to the Business Continuity Management Process.

 


Slide14

Plan

Sponsorship and commitment

Management commitment at the highest levels of the organisation is key to the implementation of effective BCM.

Initial Assessment/Gap Analysis

Understand what procedures are currently in place
Benchmark the organisation’s current level of preparedness against the BCM requirements of the CCA 2004
Develop an improvement programme to address any weaknesses.

Policy and Objectives

Align BCM with the wider Governance arrangements within the organisation and provide the framework for driving BCM principles within all parts of the business.

Slide15

Plan

Specify Terms of Reference and scope

The BCM programme must be carefully scoped, including the responsibilities of managers and staff within the organisation and of third-party providers outside the organisation.

Allocate resources

For the establishment and ongoing maintenance.

Create a management structure and assign roles and responsibilities

Allow responsibilities for BCM to be clearly defined and allocated
Integrate with the existing suite of management responsibilities
Avoid single person dependency
Allocate responsibilities to functions or individuals who have the necessary authority, credibility, skills, knowledge and expertise.

Slide16

Plan - The big picture

Slide17

Plan

Establish the project

BCM programmes are potentially complex and need to be well-organised and controlled.

Use a project planning methodology to manage the programme and to structure the ongoing workload necessary to maintain the strategies and plans.

Appoint an experienced project manager to guide the working groups and report to a steering committee.

Slide18

Plan

An ongoing discipline

The development and implementation of an approved BCM solution across an organisation is only the start of an ongoing commitment.

Organisations change all the time and recovery strategies and associated plans will become out of date unless they are regularly reviewed and updated.

Slide19

Do

Business Impact Assessments (BIA)

The BIA should identify:

Critical business processes or services
The potential damage or loss that may be caused to the organisation and the community as a result of a disruption to critical business processes.

Slide20

Do

Risk Assessment (RA)

Identification of internal threats to the organisation including:

Damage or denial of access to premises
Loss of utilities, including electricity, water and gas
Failure of business partners or service providers
Unavailability of key staff
Single points of failure within the IT infrastructure, or elsewhere in the business processes.

Slide21

Do

BCM strategies

The information collated from undertaking the BIA and RA will enable the development of an appropriate BCM strategy for the organisation.

Do nothing (Tolerate)
Changing, transferring or ending the process (Terminate)
Insurance (Transfer)
Loss mitigation (Treat)
Business Continuity Planning (Treat).

Slide22

Do

Developing the plan

At the highest level there is a need for an incident or crisis management plan in order to manage and coordinate the immediate and wider impacts of an interruption, such as any media attention.

Each service area should have their own plan, and there should be generic plans covering key resources which might include:

Accommodation and services plan
Computer systems and network plan
Telecommunications plan
Media plan/public relations plan
Security plan
Personnel plan
Finance and administration plan
Salvage and restoration plan
Damage assessment plan
Vital records plan.

Slide23

Do

Crisis management

Local Authorities will already have a well-established command structure in place in order to harmonise their own emergency arrangements with the emergency services.

It is important that Business Continuity Planning takes account of this and ties in with any other local arrangements that may already be in place. However, care must be taken to ensure that the two structures are distinct and, if possible, do not involve the same people, although coordination of the two responses will be important as they are likely to be drawing on the same pool of resources.

Slide24

Do

Crisis management structure

Strategic - usually comprising key members of the senior management team, sets strategy, co-ordinates media liaison and provides support to the tactical group.

Tactical - provides overall management of the incident - responsibility for crisis management and internal liaison with departments and divisions, and external liaison with other organisations, the media, regulators, and public authorities.

Operational - a series of business and service recovery teams (including, where appropriate, outsourced service providers) representing the critical business functions and the services that will be established to support these functions.

Slide25

Do

Building and embedding a BCM culture

Plans don’t make things happen, people do!

Education and awareness

Establish an effective education and awareness programme to ensure that all staff are made aware of the implications of Business Continuity and their roles and responsibilities in a recovery situation.

Training

Ensure that all personnel involved in the implementation and maintenance of BCM are fully trained and can effectively undertake their responsibilities.

Slide26

Check

 

Developing your plans and BC strategies is only the start of an ongoing commitment to BCM and the Business Continuity Manager has responsibility for maintaining the BCM environment through a series of operational management activities.

Exercising

Following the initial rehearsals, establish a programme of regular testing and exercising to ensure that the critical components of the strategy are exercised.

Debriefing

Post-incident debriefing provides an invaluable opportunity to learn lessons about the incident management process which can be fed back into improving planning arrangements.

Slide27

Check

Incident monitoring

 

Many crises are preceded by warning signals – they’re often the result of a number of small problems that incubate either unnoticed or un-addressed over a period of time, sometimes within the organisation itself.

Recognising this provides us with an opportunity to pick up trends, warning signals and problems before they escalate into a major incident.

Regular Reviews

Business Continuity is a cyclical process. A regular review of all of the deliverables from the BCM process needs to be undertaken to ensure that they remain current.

 

Slide28

Check

Change Management

Incorporating BCM into the change management process will enable contingency facilities to be agreed and established in advance of staff, building and IT changes.

Audit

The audit process is vital for providing assurance to the BCM process and demonstrating improvement. The BCM Coordinator should consider helping develop suitable audit criteria to facilitate the audit process.

Slide29

Act

Continual improvement

It is easy for managers to concentrate on the testing and exercising of plans, but forget the need to improve the plan as a consequence. Ideally the Business Continuity Manager should develop a timetable for review of the plan.

Changes should be tested where feasible and the Plan reissued.

Version control is crucial to ensure everyone knows the correct version to use.