New features of the BCI’s Good Practice Guidelines 2013
Trends and advances in global BC practice
Presented by Doug Weldon FBCI
BCI Good Practice Guidelines 2013 1
What is the Business Continuity Institute (BCI)?
• Leading global membership and certifying organization
• 8,000 members in more than 100 countries worldwide, working in an estimated 3,000 organizations in the private, public and third sectors
• Statutory membership grades provide assurance of technical and professional competency
What does the BCI do?
The BCI seeks to promote and facilitate the adoption of good BC practice worldwide by:
• Raising standards in BC
• Undertaking industry research
• Driving thought leadership in BC
• Facilitating the sharing of good practice in BC
• Training and certifying professionals
• Raising the value of the profession
• Developing the business case for BC
• The Business Continuity Institute (BCI)
– Training and Education
– Certification
– Membership: Chapters and Forums
– Corporate Partnership: Strategic Alliances
– Events: Global Awards, BCM World, BCAW
[Pie chart: BCI Membership 2013 outside the UK, by region: Africa, Asia, Australasia, Central America & West Indies, Europe, Middle East, North America, South America. Segment values as extracted from the chart: 11%, 18%, 13%, 1%, 21%, 8%, 25%, 3%.]
The BCI Good Practice Guidelines 2013
A Guide to Global Good Practice in Business Continuity
• The most comprehensive and independent view of current thinking in Business Continuity (BC)
• Written by BC professionals for BC professionals
• Body of knowledge for Business Continuity
• Used in training and examining individuals and organizations
• Reference material for academic institutions
The BCI Good Practice Guidelines (GPG) 2013
• Provides not just the ‘what to do’, but answers the ‘why’, ‘how’ and ‘when’ of good BC practice
• Reflects current global thinking in BC; aligned to ISO 22301:2012, the new international standard for Business Continuity Management
Why do we produce the GPG?
• National and international standards for BC
• Legal and regulatory requirements to have BC
• GPG is an independent view of thinking in the discipline
• Enhances and complements existing and emerging standards in BC, Crisis Management, Incident Management, Emergency Planning and Organizational Resilience, and Governance, Risk and Compliance
• Is the foundation for certification and training for BC professionals worldwide
Business Continuity Frequently Asked Questions
What do we use BC for?
How well do BC and risk management overlap?
Are BC and organizational resilience the same thing?
What is the difference between BC and Emergency Management?
How do BCMS standards overlap with other standards?
What has changed from the 2010 GPG?
• The principles of practicing Business Continuity remain the same, but good practice has moved on in many areas with the emergence of ISO 22301.
• The six Professional Practices that make up the BCM Lifecycle (Management and Technical Practices) have been renamed for simplicity.
• A distinction is made between the wider discipline of Business Continuity (BC), Business Continuity Management (BCM) and the Business Continuity Management System (BCMS) associated with practicing it.
The definition of Business Continuity
“The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.”
Source: ISO 22301:2012
The definition of Business Continuity Management (BCM)
“A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
Source: ISO 22301:2012
The definition of a Business Continuity Management System (BCMS)
“Part of the overall system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.”
Source: ISO 22301:2012
Improving organizational resilience
The BCM Lifecycle
The Six Professional Practices
PP1 – Policy and Programme Management
Defines an organization’s policy relating to BC, and how it will be implemented, controlled and validated through a BCM programme.
• Setting BC Policy and determining the scope of the BCM programme
• Defining governance and assigning roles and responsibilities
• Implementing a BCM programme, managing documentation using programme and project management techniques
• Managing outsourced activities and supply chain continuity
BCI Good Practice Guidelines Training Course Module One Version 1.0
Policy and Programme Management
The BCM programme operates at three levels:
• Strategic: decisions are made and policy is determined
• Tactical: operations are coordinated and managed
• Operational: activities are undertaken
Implementing a BCM programme
• An initiation process
• Planning, co-ordination and implementation of projects
• Maintaining levels of awareness
• BCM programme management
PP2 – Embedding Business Continuity
The Management Professional Practice that continually seeks to integrate BC into day-to-day business activities and organizational culture.
• Organizational Culture
• Skills and Competence
• Managing a Training Programme
• Managing an Awareness Campaign
Organizational Culture
• Shared assumptions, beliefs, values and patterns of behaviour: ‘The way things are done around here’
Skills and Competence
• It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role:
– Training
– Knowledge
– Experience
• Establish the current level of awareness and competence
• Specify the desired level
• Develop a training programme and awareness campaign to address the ‘gap’
PP3 – Analysis
Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates.
• Business Impact Analysis (BIA)
• Threat Analysis (includes risk assessment)
Business Impact Analysis
The four different types:
• Initial BIA: to develop a framework for further analysis and clarify the BCM scope
• Strategic BIA: to identify and prioritize the most urgent products and services and determine the organization’s recovery timescales and disruption tolerance levels at a strategic level
• Tactical BIA: to determine the process or processes required for delivery of the organization’s most urgent products and services and assess the impact of a disruption on them at a tactical level
• Operational BIA: to identify and prioritize the activities at an operational level which contribute to the identified process or processes that deliver the most urgent products and services, and to determine the required continuity and recovery resources
Threat Analysis
Outcomes from evaluating threats:
• A list of the threats that could cause a disruption to the organization’s most urgent activities, prioritised by level of impact
• The identification of any unacceptable single points of failure
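As an added illustration (not from the GPG or this presentation), the Python below runs a miniature BIA and threat analysis over a constructed organization model: it ranks products by their MTPD to find the most urgent ones (the strategic BIA step), walks the activities and resources that deliver them (the operational BIA step), flags resource requirements that have no alternative as single points of failure, and orders a list of threats by their impact on the urgent products. Every product, activity, resource, threat, MTPD value and impact score is invented for the example; the "disrupted when every option of a requirement is lost" rule is a simplifying assumption, not a GPG definition.

```python
"""Worked BIA / threat-analysis calculation over constructed data.

Added illustration, not taken from the BCI Good Practice Guidelines.
Assumptions (hypothetical, for illustration only):
* A product/service has an MTPD (maximum tolerable period of disruption,
  hours) and an impact score; products with MTPD at or below a threshold
  are the "most urgent".
* An activity supports products and has resource requirements, each with
  one or more interchangeable options (e.g. two data centres).
* A requirement with exactly one option, on an activity that supports an
  urgent product, is a single point of failure (SPOF).
* A threat takes out a set of resources; an activity is disrupted when
  every option of some requirement is lost. A threat's impact is the sum
  of the impact scores of the urgent products it disrupts.
"""
from typing import Dict, List, Set, Tuple

# --- constructed sample data (all names and numbers are invented) -----------
PRODUCTS: Dict[str, Dict[str, int]] = {
    "Payments":        {"mtpd_hours": 4,  "impact": 10},
    "Customer portal": {"mtpd_hours": 8,  "impact": 6},
    "Reporting":       {"mtpd_hours": 72, "impact": 2},
}

ACTIVITIES: Dict[str, dict] = {
    "Process payments": {
        "products": ["Payments"],
        "requires": {"datacentre": ["DC-A", "DC-B"],   # two options: resilient
                     "payment gateway": ["Gateway-1"],  # one option: SPOF
                     "staff": ["Ops team"]},
    },
    "Serve portal": {
        "products": ["Customer portal"],
        "requires": {"datacentre": ["DC-A"], "identity provider": ["IdP"]},
    },
    "Produce reports": {
        "products": ["Reporting"],
        "requires": {"datacentre": ["DC-A"], "BI platform": ["BI"]},
    },
}

THREATS: Dict[str, Set[str]] = {
    "Fire at DC-A":        {"DC-A"},
    "Gateway outage":      {"Gateway-1"},
    "Regional power loss": {"DC-A", "DC-B"},
    "BI licence lapse":    {"BI"},
}


def urgent_products(products: Dict[str, Dict[str, int]], threshold_hours: int) -> List[str]:
    """Strategic BIA step: products within the MTPD threshold, shortest MTPD first."""
    urgent = [n for n, p in products.items() if p["mtpd_hours"] <= threshold_hours]
    return sorted(urgent, key=lambda n: (products[n]["mtpd_hours"], -products[n]["impact"]))


def single_points_of_failure(activities: Dict[str, dict], urgent: List[str]) -> List[Tuple[str, str]]:
    """(resource, activity) pairs where an urgent activity has no alternative option."""
    spofs = []
    for name, act in activities.items():
        if not set(act["products"]) & set(urgent):
            continue  # only activities supporting urgent products are in scope
        for options in act["requires"].values():
            if len(options) == 1:
                spofs.append((options[0], name))
    return spofs


def disrupted_activities(activities: Dict[str, dict], lost: Set[str]) -> List[str]:
    """An activity stops when every option of any one of its requirements is lost."""
    return [name for name, act in activities.items()
            if any(set(opts) <= lost for opts in act["requires"].values())]


def rank_threats(threats: Dict[str, Set[str]], activities: Dict[str, dict],
                 products: Dict[str, Dict[str, int]], urgent: List[str]):
    """Threat-analysis output: (threat, impact, urgent products hit), highest impact first."""
    ranked = []
    for threat, lost in threats.items():
        hit: Set[str] = set()
        for name in disrupted_activities(activities, lost):
            hit.update(p for p in activities[name]["products"] if p in urgent)
        ranked.append((threat, sum(products[p]["impact"] for p in hit), sorted(hit)))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    urgent = urgent_products(PRODUCTS, threshold_hours=24)
    print("Most urgent products:", urgent)
    for resource, activity in single_points_of_failure(ACTIVITIES, urgent):
        print(f"SPOF: {resource!r} is the only option for {activity!r}")
    for threat, impact, hit in rank_threats(THREATS, ACTIVITIES, PRODUCTS, urgent):
        print(f"{impact:3d}  {threat:<20} disrupts {hit}")
```

Note that the "Produce reports" activity has the same single-option data centre as the portal, but it is not reported as a SPOF and the BI licence threat scores zero: in this model only resources behind the most urgent products count, which is the scoping the operational BIA is meant to provide before threats are evaluated.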
PP4 – Design
Identifies and selects appropriate Strategies and Tactics.
• Continuity and Recovery Strategies and Tactics
• Threat Mitigation Measures
• Incident Response Structure
BCI Good Practice Guidelines Training Course Module Four Version 1.0
Incident Response Structure
Designing the incident response structure should identify teams to cover emergency response, incident management and recovery.
• The following factors should be taken into account:
– The existing management structure
– The organization’s nature, scale, complexity and process infrastructure
– The continuity and recovery strategies and tactics selected
– The nature, scale, complexity and urgency of the recovery requirements
PP5 – Implementation
Executes the agreed Strategies and Tactics through the process of developing the Business Continuity Plan (BCP).
• The Business Continuity Plan (BCP)
• Developing and managing plans at a strategic, tactical and operational level
The Business Continuity Plan
Other names for specialist plans which have the overall characteristics of a BCP include:
• Incident or Crisis Management plan
• Contingency plan
• Media response plan
• Pandemic plan
• Product recall plan
• Major hazards plan
• Disaster recovery plan
• Service continuity plan
• Continuity of operations plan
PP6 – Validation
Confirms that the BCM programme meets the objectives set in the BC Policy and that the BCP is fit for purpose.
• Developing an exercise programme
• Developing and running an exercise
• Maintenance of the BCM programme
• Review of the BCM programme
Developing an Exercise Programme
There are many names given to different types of exercise, ranging in scale and complexity; they fall into the following five categories:
• Discussion-based exercises
• Table top exercises
• Command Post exercises
• Live
• Test
Review
The purpose of Review is to evaluate the BCM programme and identify improvements to both the organization’s implementation of the BCM Lifecycle and its level of organizational resilience.
There are five basic types of review:
• Audit (internal and external)
• Self-Assessment
• Quality Assurance (QA)
• Performance Appraisal
• Supplier Performance
How is the GPG 2013 aligned to ISO 22301:2012?
– responsibilities of Top Management
– setting strategic objectives
– resources for Business Continuity
– the importance of the BIA and a stronger link to the organization’s approach to risks and threats
– resource requirements, skills and competence of people involved
– training, awareness and communications
– document management
– exercising and testing
– monitoring performance and measuring the value of BC
ISO brand is seen as a positive for BCM
(Base: 556. Strongly agree and agree combined totals)
1. A common language to work internationally with customers, suppliers and internally (85%)
2. BCM has come of age: a mature, globally recognised discipline (73%)
3. Customers understand and value the ISO brand (69%)
4. It helps drive business improvement and performance (67%)
5. Stakeholders or interested parties understand the ISO brand (63%)
6. Our management understand and value the ISO brand (62%)
Today “in-house BCM” dominates
68% of respondents take a DIY approach to BCM (Base: 575)
Further trends and advances
– Cyber Security: now a top risk
– Implementing Business Resilience
– Horizon Scanning
– Crisis Management
– Supply Chain continuity
– Measuring Value
– Business Impact Analysis
What is ‘Resilience’?
From Continuity (keep going: traditional resilience)
to Continuity AND Adaptability (resilience as both)
CAPABILITIES
• Anticipation
• Response
• Adaptation
• Mitigation of loss
• Recovery
ACTIVITIES
• Risk management
• BCM
• Contingency planning
• Supply chain mgmt
• Quality management
• Health and safety
• Security management
• Crisis management
ATTRIBUTES
• Organizational culture
• Strategic insight
• Acceptance of risk as dynamic and imprecise
• Informed decision‐making
• Real learning
• Adaptability
• Strong leadership