
New features of the BCI’s Good Practice Guidelines 2013

Trends and advances in global BC practice

Presented by Doug Weldon FBCI

BCI Good Practice Guidelines 2013  1

• Leading global membership and certifying organization

• 8,000 members in more than 100 countries worldwide, working in an estimated 3,000 organizations in private, public and third sectors

• Statutory membership grades provide assurance of technical and professional competency

What is the Business Continuity Institute (BCI)?


The BCI seeks to promote and facilitate the adoption of good BC practice worldwide by:

• Raising standards in BC

• Undertaking industry research

• Driving thought leadership in BC

• Facilitating the sharing of good practice in BC

• Training and certifying professionals

• Raising the value of the profession

• Developing the business case for BC

What does the BCI do?


• The Business Continuity Institute (BCI)

– Training and Education

– Certification

– Membership – Chapters and Forums

– Corporate Partnership – Strategic Alliances

– Events – Global Awards ‐ BCM World ‐ BCAW


[Pie chart: BCI Membership 2013 outside the UK, by region: Africa, Asia, Australasia, Central America & West Indies, Europe, Middle East, North America, South America. Segment values shown: 11%, 18%, 13%, 1%, 21%, 8%, 25%, 3%.]

• The most comprehensive and independent view of current thinking in Business Continuity (BC)

• Written by BC professionals for BC professionals

• Body of knowledge for Business Continuity

• Used in training and examining individuals and organizations

• Reference material for Academic institutions 

The BCI Good Practice Guidelines 2013

A Guide to Global Good Practice in Business Continuity


• Provides not just the ‘what to do’, but answers the ‘why’, ‘how’ and ‘when’ of good BC practice

• Reflects current global thinking in BC; aligned to ISO 22301:2012, the new international standard for Business Continuity Management

The BCI Good Practice Guidelines (GPG) 2013


Why do we produce the GPG?

• National and International standards for BC

• Legal and regulatory requirements to have BC

• GPG is an independent view of thinking in the discipline

• Enhances and complements existing and emerging standards in BC, Crisis Management, Incident Management, Emergency Planning and Organizational Resilience and Governance, Risk and Compliance.

• Is the foundation for certification and training for BC professionals worldwide.


Business Continuity Frequently Asked Questions

What do we use BC for?

How well do BC and risk management overlap?

Are BC and organizational resilience the same thing?

What is the difference between BC and Emergency Management?

How do BCMS standards overlap with other standards?

What has changed from the 2010 GPG?

• Principles of practicing Business Continuity remain the same but the good practice has moved on in many areas with the emergence of ISO 22301. 

• Six Professional Practices that make up the BCM Lifecycle (Management and Technical Practices) have been renamed for simplicity.

• There is a distinction made between the wider discipline of Business Continuity (BC), Business Continuity Management (BCM) and the Business Continuity Management System (BCMS) associated with practicing it.


The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Source: ISO 22301:2012


The definition of Business Continuity


A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value‐creating activities.

Source: ISO 22301:2012


The definition of Business Continuity Management (BCM)


Part of the overall system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

Source: ISO 22301:2012


The definition of a Business Continuity Management System (BCMS) 

Improving organizational resilience


The BCM Lifecycle


The Six Professional Practices


PP1 – Policy and Programme Management

Defines an organization’s policy relating to BC, how it will be implemented, controlled and validated through a BCM programme.

• Setting BC Policy and determining the scope of the BCM programme

• Defining governance and assigning roles and responsibilities

• Implementing a BCM programme, managing documentation using programme and project management techniques

• Managing outsourced activities and supply chain continuity


BCI Good Practice Guidelines Training Course Module One Version 1.0

The BCM programme operates at three levels:

• Strategic: Decisions are made and policy is determined

• Tactical: Operations are coordinated and managed

• Operational: Activities are undertaken

Policy and Programme Management 


An initiation process

Planning, co‐ordination and implementation of projects

Maintaining levels of awareness

BCM programme management

Implementing a BCM programme


PP2 – Embedding Business Continuity

The Management Professional Practice that continually seeks to integrate BC into day‐to‐day business activities and organizational culture. 

• Organizational Culture

• Skills and Competence

• Managing a Training Programme

• Managing an Awareness Campaign


• Organizational Culture

– Shared assumptions, beliefs, values and patterns of behaviour

‘The way things are done around here’


Organizational Culture


• It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role 

– Training

– Knowledge

– Experience

• Establish current level of awareness and competence

• Specify the desired level

• Develop training programme and awareness campaign to address the ‘gap’


Skills and Competence


PP3 – Analysis

Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates.

• Business Impact Analysis (BIA)

• Threat Analysis (includes risk assessment)


The four different types:

• Initial BIA: To develop a framework for further analysis and clarify the BCM scope

• Strategic BIA: To identify and prioritize the most urgent products and services and determine the organization’s recovery timescales and disruption tolerance levels at a strategic level.

• Tactical BIA: To determine the process or processes required for delivery of the organization’s most urgent products and services and assess the impact of a disruption on them at a tactical level

• Operational BIA: To identify and prioritize the activities at an operational level which contribute to the identified process or processes that deliver the most urgent products and services and to determine the required continuity and recovery resources

Business Impact Analysis


Outcomes from evaluating threats:

• A list of the threats that could cause a disruption to the organization’s most urgent activities, prioritised by level of impact

• The identification of any unacceptable single points of failure


Threat Analysis


PP4 – Design

Identifies and selects appropriate Strategies and Tactics.

• Continuity and Recovery Strategies and Tactics

• Threat Mitigation Measures

• Incident Response Structure


BCI Good Practice Guidelines Training Course Module Four Version 1.0

Designing the incident response structure should identify teams to cover emergency response, incident management and recovery.

• The following factors should be taken into account:

– The existing management structure

– The organization’s nature, scale, complexity and process infrastructure

– The continuity and recovery strategies and tactics selected

– The nature, scale, complexity and urgency of the recovery requirements


Incident Response Structure


PP5 – Implementation

Executes the agreed Strategies and Tactics through the process of developing the Business Continuity Plan (BCP).

• The Business Continuity Plan (BCP)

• Developing and managing plans at a strategic, tactical and operational level.


The Business Continuity Plan (BCP)

Other names for specialist plans which have the overall characteristics of a BCP include:

• Incident or Crisis Management plan

• Contingency plan

• Media response plan

• Pandemic plan

• Product recall plan

• Major hazards plan

• Disaster recovery plan

• Service continuity plan

• Continuity of operations plan


The Business Continuity Plan


PP6 – Validation

Confirms the BCM programme meets objectives set in the BC Policy and that the BCP is fit for purpose.

• Developing an exercise programme

• Developing and running an exercise

• Maintenance of the BCM programme

• Review of the BCM programme


There are many names given to different types of exercise ranging in scale and complexity; they fall into the following five categories:

Discussion‐based exercises

Table top exercises

Command Post exercises

Live Test

Developing an Exercise Programme


The purpose of Review is to evaluate the BCM programme and identify improvements to both the organization’s implementation of the BCM Lifecycle and its level of organizational resilience

There are five basic types of review:


Audit (internal and external) 

Self‐Assessment

Quality Assurance (QA) 

Performance Appraisal 

Supplier Performance 

Review

How is the GPG 2013 aligned to ISO 22301:2012?

– responsibilities of Top Management 

– setting strategic objectives 

– resources for Business Continuity 

– the importance of the BIA and a stronger link to the organization’s approach to risks and threats


How is the GPG 2013 aligned to ISO 22301:2012?

– resource requirements, skills and competence of people involved

– training, awareness and communications

– document management

– exercising and testing

– monitoring performance and measuring value of BC


ISO brand is seen as a positive for BCM

Base: 556.  Strongly agree and agree combined totals

1. A common language to work internationally with customers, suppliers and internally (85%)

2. BCM has come of age: a mature, globally recognised discipline (73%)

3. Customers understand and value the ISO brand (69%)

4. It helps drive business improvement and performance (67%)

5. Stakeholders or interested parties understand the ISO brand (63%)

6. Our management understand and value the ISO brand (62%)


Today “in‐house BCM” dominates

68% of respondents take a DIY approach to BCM

Base: 575

Further trends and advances

– Cyber Security – now a top risk

– Implementing Business Resilience

– Horizon Scanning

– Crisis Management

– Supply Chain continuity

– Measuring Value

– Business Impact Analysis


What is ‘Resilience’?

From Continuity  ‐ keep going – (traditional resilience)

to Continuity AND Adaptability  (resilience as both)


CAPABILITIES

• Anticipation

• Response

• Adaptation

• Mitigation of loss

• Recovery


ACTIVITIES

• Risk management

• BCM

• Contingency planning

• Supply chain mgmt

• Quality management

• Health and safety

• Security management

• Crisis management


ATTRIBUTES

• Organizational culture

• Strategic insight

• Acceptance of risk as dynamic and imprecise

• Informed decision‐making

• Real learning

• Adaptability

• Strong leadership


Thank you

www.thebci.org