121112 Business Continuity by Renier Barnard

Page 1

© Workplace Law

Approved training centre

Business Continuity: Business as Usual? Renier Barnard

Page 2

International Standards Organisation

ISO 31000 Risk Management — Principles and Guidelines

ISO 22301 Societal security — Business continuity management systems — Requirements

ISO 22313 Societal security — Business continuity management systems — Guidance

ISO 22398 Societal security — Guidelines for exercises and testing

British Standard

BS 25999-2:2007, Business continuity management — Specification

Page 3

Everybody is a winner

Page 4

Survey Says: Principal Drivers (Base = 1021)

Sector | % | Principal drivers
Local Government | 92% | Corporate governance; Regulation/legislation; Central Government
Central Government | 85% | Central Government; Corporate governance; Public sector procurement
Finance/Insurance | 85% | Corporate governance; Regulation/legislation; Auditors
Utilities | 81% | Regulation/legislation; Corporate governance; Customers
Health and Social Care | 74% | Corporate governance; Regulation/legislation; Public sector procurement
Transport and Logistics | 69% | Corporate governance; Regulation/legislation; Customers
Manufacturing and Production | 58% | Customers; Insurers; Corporate governance
Education | 52% | Corporate governance; Customers; Regulation/legislation
Business Services | 40% | Customers; Corporate governance; Regulation/legislation and Investors/shareholders
Construction | 31% | Customers; Corporate governance; Insurers

Page 5

August 2011 – London Riots

Page 6

Does it matter?

Denial of service attacks
10/12: The DDoS attacks have been launched in the last week using the so-called itsoknoproblembro DDoS toolkit.

10/12: A novel coronavirus was identified in lower respiratory tract specimens of a Qatari national who was receiving treatment for a severe respiratory illness in London.

12/10: Britain facing fuel shortage as snow continues to cause chaos.
UK to be hit by 70s-style blackouts 'within 3 years' and EU rules may also force up bills.
Spare energy capacity could drop to just four per cent by winter 2015.

05/12: Northern Rock rescue 'could cost taxpayer £2bn'

Page 7

World Economic Forum RIM

Chronic Fiscal Imbalances

Major systemic financial failure

Water supply crises

Extreme volatility in energy and agriculture prices

Page 8

Assess the Risk

Risk: Effect of uncertainty on objectives.

Threats: May be described as events or actions which could, at some point, cause an impact.

Business Continuity (GPG): Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable predefined level.

Page 9

Deepwater Horizon Oil Spill

Business Continuity or

Risk Management

Page 10

The survey says: the threats, evaluated through risk assessment and based on those registering extremely concerned and concerned, are as follows:

• Unplanned IT and telecom outages – 74%
• Data breach (i.e. loss or theft of confidential information) – 68%
  – HoMER (CPNI) (Counter Productive Behaviour)
• Cyber attack (e.g. malware, denial of service) – 65%
• Adverse weather (e.g. windstorm/tornado, flooding, snow, drought) – 59%
• Interruption to utility supply (i.e. water, gas, electricity, waste disposal) – 56%
  – Ofgem: UK faces power shortages risk by 2015 – blackout probability 1 in 12 years

BCI Survey: Horizon scan January 2012 Base = 458

Page 11

Top Responses by Country

Page 12

Risk Assessment

Business Impact

What are we trying to achieve;

Who should be involved;

What creates uncertainty and how significant is it;

What can we do to ensure success

Page 13

Key Risk Areas – Business Impact

• People
• Information and Data
• Buildings, work environment and associated utilities
• Facilities equipment and consumables
• ICT Systems
• Transportation
• Finance
• Partners and Suppliers

Page 14

Something achieved that continues to exist…

Page 15

G4S Olympic Security – Scheduling Failure?

Page 16

Manchester Airport

Page 17

Aims

Business Continuity or BC aims to safeguard the interests of an organisation and its key stakeholders by protecting its critical business functions (CBFs) against predetermined disruptions.

ISO 22301:2012

Page 18

BCM Checklist

Scope and Objective
Gain an understanding of your business
Assess the Risk
Evaluate potential continuity arrangements
Define your strategy
Develop your continuity plans

Page 19

ISO Compatibility PDCA

Risk Management ISO 31000 | BCM 25999 -> ISO 22301
Risk Management Framework | Policy and Program Management
Establishing the Context | Understanding the Organization
Risk Assessment (BIA is one of the tools; ISO 31010 Guidance on risk assessment techniques) | BIA + Risk Assessment focused on most urgent activities
Risk Treatment | BCM Strategies; Develop and Implement BCM Responses
Communication and Consultation | Embedded BCM in the Culture
Monitor and Review | Exercising, Maintaining and Reviewing

Page 20

Transition BS 25999 to ISO 22302

25999-2 United Kingdom Only but recognised worldwide - BSI

22301 Accepted worldwide – ISO

May 2012 – May 2014 “Upgrade Period”

November 2012 – Accreditation 25999

Page 21

Similarities and differences:

No changes or minor changes – in 10 areas

Moderate changes – in 8 areas

Major changes – in 5 areas

Page 22

Major Changes – “Common Theme”

• Understanding the organisation
• Understanding the needs and expectations of interested parties
• Management commitment
• Communication & warning system
• Monitoring, measurement, analysis and evaluation

Page 23

Areas | Clause in 22301 | Clause in BS 25999 | Change
Understanding the organisation | 4.1 | - | Significant
Understanding the needs and expectations of interested parties | 4.2 | - | Significant
Determining the Scope | 4.3 | 3.2.1 | Moderate
Management Commitment | 5.2 | - | Significant
Business Continuity Policy | 5.3 | 3.2.2 | Moderate
Business Continuity Objectives | 6.2 | 3.2.1.1 | Moderate
Competences | 7.2 | 3.2.4 | Minor or No Change
Awareness | 7.3 | 3.2.4 | Minor or No Change
Communication and Warning System | 7.4, 8.4.2, 8.4.3 | 4.3.3.3 | Significant
Documented Information | 7.5 | 3.4 | Moderate
Business Impact Analysis | 8.2.1, 8.2.2 | 4.1.1 | Minor or No Change
Risk Assessment | 8.2.1, 8.2.3 | 4.1.2 | Moderate
Business Continuity Strategy | 8.3.1 | 4.2 | Minor or No Change
Resource Requirements | 8.3.2 | 4.3.2.2, 4.3.3.3 | Moderate
Risk Treatment | 8.3.3 | 4.1.3 | Minor or No Change
Incident Response Structure | 8.4.2 | 4.3.2 | Minor or No Change
BC Plans, Recovery Plans | 8.4.4, 8.4.5 | 4.3.3 | Minor or No Change
Exercise and Testing | 8.5 | 4.4.2 | Minor or No Change
Monitoring, Measurement, Analysis and Evaluation | 9.1 | 4.4.3 | Significant
Internal Audit | 9.2 | 5.1 | Minor or No Change
Management Review | 9.3 | 5.2 | Minor or No Change
Non-Conformity and Corrective Action | 10.1 | 6.1.3 | Moderate
Preventative Action | 6.1, 9.1.1 | 6.1.2 | Moderate

Page 24

6-step process: 25999 - 22301

1. Evaluate the organisation's external and internal context and list all interested parties
2. List all legal requirements
3. Align BC with the company's strategy
4. Define measurable objectives, how to measure them, and who will evaluate them
5. Define an action plan to achieve the objectives
6. Communication – who will communicate with whom, and how?

Page 25

Organisation and its Context


Page 27

Objectives

• Clearly stated;
• Be consistent with the policy;
• Take account of applicable needs and requirements;
• Enable opportunities to maintain or improve performance;
• Be monitored and updated as appropriate.

SMART

In order to ensure that these objectives will be achieved, the organization should determine:

• Who will be responsible;
• What will be done and when it will be completed; and
• How the results will be evaluated.

Page 28

Strategy

• Protecting prioritised activities
• Stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources
• Mitigating, responding to and managing impacts

Page 29

Thank You

Questions
