Slide1
A guide to Business Continuity Management
(And how it relates to the Civil Contingencies Act)
Slide2
What would happen if:
- You were denied access to your offices?
- Unable to make use of a vital system such as a finance?
- Suffered a cyber-attack which brought down your website, disrupted your communications or resulted in the theft of confidential data?
- Lost a key member of staff or third party supplier?
Slide3
Do you know what you would do if they were suddenly unavailable and what your priorities would be?
Slide4
The Guide
- Explains the context for Business Continuity Management and the Civil Contingencies Act 2004.
- Follows the ‘Plan/Do/Check/Act’ cycle to cover the steps required to implement a Business Continuity Management system.
- Provides case studies and lessons learnt, plus a table of useful sources of information.
Slide5
What is BCM?
Business Continuity Management, or BCM, is an activity that is concerned with developing an organisation’s ability to continue providing critical services (or business processes) in the event of an interruption.
This incorporates all aspects of the incident cycle including:
- Identification and assessment of risks
- Implementation of prevention and mitigation activities
- Managing incidents
- Recovering and resuming business as usual activities.
Slide6
The relationship between different risk management and response methods
Slide7
Statutory Duties
Section 2 (1) (c) of the Civil Contingencies Act places a legal duty on all Category 1 responders (which includes Local Authorities and other front line responders) to develop and maintain plans that will ensure they can continue to deliver their functions in an emergency (as defined in the Act), ‘so far as is reasonably practicable’. These duties relate to all of a Category 1 responder’s functions: i.e. the provision of key services, not just their emergency response functions.
Slide8
Statutory Duties
Section 4 of the CCA 2004 gives Local Authorities an additional duty: to promote and provide general BCM advice to commercial and voluntary organisations in their area. Local Authorities may charge on a cost recovery basis for the requested provision of more specific advice and assistance.
Slide9
“I am often asked what single piece of advice I can recommend that would be most helpful to the business community. My answer is a simple, but effective, business continuity plan that is regularly reviewed and tested.”
Eliza Manningham-Buller, the Director General of MI5, 2002-2007
Slide10
Making the case for BCM: key drivers and benefits
In addition to continuing service delivery and protecting the organisation, there are a number of benefits that can be achieved through having a structured and consistent BCM process in place.
Flagging these up to senior management when making your case for BCM can be a useful means of securing senior level commitment to the process, a necessary and critical factor for a successful programme.
Key Drivers - The 3 C’s:
Credibility
Demonstrating effective BCM capabilities will enable the organisation to sustain critical services. It will also instil confidence in the organisation from staff, the general public and other stakeholders.
Compliance
With statutory and corporate governance requirements.
Cost
Protecting your assets, working more efficiently, reducing recovery costs and assurance of third party providers of services.
Slide12
Generic considerations when undertaking a BCM programme
- Economics
- Politics and terrorism
- Customers
- Media
- Technology
- Commerce
- Attitudes and awareness
- Culture
Slide13
The Plan/Do/Check/Act Cycle
The standard applies the Plan-Do-Check-Act (PDCA) cycle to the Business Continuity Management Process.
Slide14
Plan
Sponsorship and commitment
Management commitment at the highest levels of the organisation is key to the implementation of effective BCM.
Initial Assessment/Gap Analysis
- Understand what procedures are currently in place
- Benchmark the organisation’s current level of preparedness against the BCM requirements of the CCA 2004
- Develop an improvement programme to address any weaknesses.
Policy and Objectives
Align BCM with the wider Governance arrangements within the organisation and provide the framework for driving BCM principles within all parts of the business.
Slide15
Plan
Specify Terms of Reference and scope
The BCM programme must be carefully scoped, including the responsibilities of managers and staff within the organisation and of third-party providers outside the organisation.
Allocate resources
For the establishment and ongoing maintenance.
Create a management structure and assign roles and responsibilities
- Allow responsibilities for BCM to be clearly defined and allocated
- Integrate with the existing suite of management responsibilities
- Avoid single person dependency
- Allocate responsibilities to functions or individuals who have the necessary authority, credibility, skills, knowledge and expertise.
Slide16
Plan - The big picture
Slide17
Plan
Establish the project
BCM programmes are potentially complex and need to be well-organised and controlled.
Use a project planning methodology to manage the programme and to structure the ongoing workload necessary to maintain the strategies and plans.
Appoint an experienced project manager to guide the working groups and report to a steering committee.
Slide18
Plan
An ongoing discipline
The development and implementation of an approved BCM solution across an organisation is only the start of an ongoing commitment.
Organisations change all the time and recovery strategies and associated plans will become out of date unless they are regularly reviewed and updated.
Slide19
Do
Business Impact Assessments (BIA)
The BIA should identify:
- Critical business processes or services
- The potential damage or loss that may be caused to the organisation and the community as a result of a disruption to critical business processes.
Slide20
Do
Risk Assessment (RA)
Identification of internal threats to the organisation including:
- Damage or denial of access to premises
- Loss of utilities, including electricity, water and gas
- Failure of business partners or service providers
- Unavailability of key staff
- Single points of failure within the IT infrastructure, or elsewhere in the business processes.
Slide21
Do
BCM strategies
The information collated from undertaking the BIA and RA will enable the development of an appropriate BCM strategy for the organisation.
- Do nothing (Tolerate)
- Changing, transferring or ending the process (Terminate)
- Insurance (Transfer)
- Loss mitigation (Treat)
- Business Continuity Planning (Treat).
Slide22
Do
Developing the plan
At the highest level there is a need for an incident or crisis management plan in order to manage and coordinate the immediate and wider impacts of an interruption, such as any media attention.
Each service area should have their own plan, and there should be generic plans covering key resources which might include:
- Accommodation and services plan
- Computer systems and network plan
- Telecommunications plan
- Media plan/public relations plan
- Security plan
- Personnel plan
- Finance and administration plan
- Salvage and restoration plan
- Damage assessment plan
- Vital records plan.
Slide23
Do
Crisis management
Local Authorities will already have a well-established command structure in place in order to harmonise their own emergency arrangements with the emergency services.
It is important that Business Continuity Planning takes account of this and ties in with any other local arrangements that may already be in place. However, care must be taken to ensure that the two structures are distinct and, if possible, do not involve the same people, although coordination of the two responses will be important as they are likely to be drawing on the same pool of resources.
Slide24
Do
Crisis management structure
Strategic - usually comprising key members of the senior management team, sets strategy, co-ordinates media liaison and provides support to the tactical group.
Tactical - provides overall management of the incident - responsibility for crisis management and internal liaison with departments and divisions, and external liaison with other organisations, the media, regulators, and public authorities.
Operational - a series of business and service recovery teams (including, where appropriate, outsourced service providers) representing the critical business functions and the services that will be established to support these functions.
Slide25
Do
Building and embedding a BCM culture
Plans don’t make things happen, people do!
Education and awareness
Establish an effective education and awareness programme to ensure that all staff are made aware of the implications of Business Continuity and their roles and responsibilities in a recovery situation.
Training
Ensure that all personnel involved in the implementation and maintenance of BCM are fully trained and can effectively undertake their responsibilities.
Slide26
Check
Developing your plans and BC strategies is only the start of an ongoing commitment to BCM, and the Business Continuity Manager has responsibility for maintaining the BCM environment through a series of operational management activities.
Exercising
Following the initial rehearsals, establish a programme of regular testing and exercising to ensure that the critical components of the strategy are exercised.
Debriefing
Post-incident debriefing provides an invaluable opportunity to learn lessons about the incident management process which can be fed back into improving planning arrangements.
Slide27
Check
Incident monitoring
Many crises are preceded by warning signals – they’re often the result of a number of small problems that incubate either unnoticed or unaddressed over a period of time, sometimes within the organisation itself.
Recognising this provides us with an opportunity to pick up trends, warning signals and problems before they escalate into a major incident.
Regular Reviews
Business Continuity is a cyclical process. A regular review of all of the deliverables from the BCM process needs to be undertaken to ensure that they remain current.
Check
Change Management
Incorporating BCM into the change management process will enable contingency facilities to be agreed and established in advance of staff, building and IT changes.
Audit
The audit process is vital for providing assurance to the BCM process and demonstrating improvement. The BCM Coordinator should consider helping develop suitable audit criteria to facilitate the audit process.
Slide29
Act
Continual improvement
It is easy for managers to concentrate on the testing and exercising of plans, but forget the need to improve the plan as a consequence. Ideally the Business Continuity Manager should develop a timetable for review of the plan.
Changes should be tested where feasible and the Plan reissued.
Version control is crucial to ensure everyone knows the correct version to use.