Risk Management vs Continuity Management
Marie‐Hélène Primeau, CA, MBCI
DRJ Fall World – September 12, 2011
Marie-Hélène Primeau, CA, MBCI
President – Premier Continuum
• Chartered Accountant and Member of the Business Continuity Institute
• In Business Continuity for more than 8 years
• Consulting
– with medium and large organizations
– to develop and maintain Business Continuity Management Programs
– in various industries such as Manufacturing, Distribution and Logistics, Government, Financial Services
• Teaching
– Lecturer – post graduate degree at the University of Montreal (Business Continuity and Resilience)
– Developer and instructor of the BCI 2 Day Overview of the BCM Lifecycle
– Instructor for the Business Continuity Institute 5 day Course
– Has taught BCI Good Practice Guidelines in North America, Europe and online
– Instructor for a 2-Day workshop on Exercising your Plans
Risk Management vs Continuity Management
Definitions
Risk (ISO 31000):
• Effect of uncertainty on objectives
Business Continuity (BCI GPG 2010):
• Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level
Examples of Past Incidents
• Japan 2011 Earthquake > Tsunami > Nuclear Crisis
• BP Oil Spill 2010
• …
World Economic Forum – Global Risk Report 2011
Organizational Context
(Diagram: your organization at the centre, surrounded by Competition, Customers, Shareholders, Suppliers & Business Partners, Logistic & Transportation, Environment, Legislations & Regulations, Reputation and Other Stakeholders)
Risk Management Process (ISO 31000)
Principles / Framework
Risk Assessment
• Any type of risk, including risk to continuity
(Chart: risk matrix with Likelihood and Impact axes – “BCM typically here”)
Risk Management Process (ISO 31000)
Principles / Framework
Risk Treatment Options
Risk Management Process and BCM Lifecycle
Principles / Framework
Source: ISO 31000
Source: BS25999‐1 / Business Continuity Institute Good Practice Guidelines
Risk Management vs Business Continuity Management (BCM)
Risk Management (ISO 31000) | BCM (BS25999‐1)
Risk Management Framework | Policy and Programme Management
“Establishing the context” | Scope Determination (Policy); Understanding the Organization
Risk Assessment (BIA is one of the tools) | Business Impact Analysis (BIA); Risk Assessment focused on the organisation’s most urgent activities
Risk Treatment | BCM Strategies; Developing & Implementing the BCM Response
Communication and consultation | Embedding BCM in the Culture
Monitoring and Review | Exercising, Maintaining and Reviewing
Business Impact Analysis (BIA) – Purpose
• For each activity, product or service
• Document the impacts over time from its loss or disruption
• Identify the Maximum Tolerable Period of Disruption (MTPD) and thus the priorities for recovery
• Identify the dependencies (both internal and external) that are required to enable the activity to operate effectively
Business Impact Analysis
Source: The Business Continuity Institute 5‐day Course
• BIA should be conducted in advance
• Focus on most urgent activities
Evaluating Threats through Risk Assessment (within the BCM context)
• Estimates likelihood and impact of threats
• Helps in identifying potential causes of interruption
• Such as unacceptable concentration of risks (single points of failure)
• Can identify measures to reduce likelihood or impact of disruptions
• Can benefit from existing risk management and inform
Evaluate Risks to Most Urgent Activities
• Loss of key personnel / significant number of employees
• Loss of Information Technology systems (equipment and/or applications)
• Loss of telephone systems
• Loss of main premises
• Loss of vital resources / records
• Loss of key equipment
• Loss of services / utilities (water, electricity, etc.)
• Loss of a major supplier or business partner (subcontractor)
Risk Reduction and Mitigation
Prevention
Detection
Suppression
Protection
BCM in Context
(Diagram: BCM in relation to Emergency Planning, Incident Management, Crisis Communication, Risk Management and ICT Disaster Recovery)
Where should BCM report within the organization?
Source: Engaging & Sustaining the Interest of the Board in BCM Survey – The Business Continuity Institute, 2011
In Conclusion
• Key Success Factors
• Obtain top management commitment and sponsorship
• Build on existing programs
• Seek appropriate internal and external support and resources
“Chance favors only the prepared mind.” – Louis Pasteur
Marie-Hélène Primeau, CA, MBCI – President, Premier Continuum [email protected]
514-761-6222 ext. 1003
www.premiercontinuum.com