CBCI Follow Up - Extra Slides


Version & Control Sheet

Title: CBCI Extra slides
Date:
Presenter(s): James C Royds (Hon) FBCI FCMI MBA DMS
Email: james.royds@gmail.com

Version | Name | Title | Date

31/07/2019 1
Acknowledgements

• James Royds thanks the Institute of Risk Management (IRM), the Business Continuity Institute (BCI), the British Standards Institute (BSI), the Emergency Planning College and the International Organization for Standardization (ISO) for providing source material for this presentation.
• James Royds is an Honorary Fellow of the BCI and one of its approved trainers. He served on the Risk & Governance committee between 2012-2015. He was Chairman of the Institute between 2010-2012. He is also a trained Lead Auditor for ISO 22301:2012.
• Materials draw on good practice and international standards, including:
  • GPG 2013-18 – the Business Continuity Institute’s Good Practice Guidelines 2013-18
  • ISO 22316:2017 – the ISO guidance on Organizational Resilience
  • BS 31100:2011 – Risk Management – Code of practice and guidance for the implementation of BS ISO 31000
  • BS 11200:2014 – the British Standard’s Guidance for Crisis Management
  • ISO 22301:2012 – the International Standard for Business Continuity Management

References

• The key references include:
1. ISO 22316:2017 – Security & Resilience – Principles and attributes.
2. BS 31100:2011 – Risk management – Code of practice and guidance for the implementation of BS ISO 31000.
3. BS 11200:2014 – Crisis Management – Guidance and good practice.
4. BS ISO 27031:2011 – Information technology – Security techniques – Guidelines for information and communications technology readiness for business continuity.
5. ISO/IEC 24762:2008 – Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services.
6. ISO 22301:2012 – Societal security – Business continuity management systems – Requirements.
7. ISO 22313:2012 – Societal security – Business continuity management systems – Guidance for establishing ISO 22301:2012.
8. PD ISO/TS 22317:2015 – Societal security – Business continuity management systems – Guidelines for business impact analysis.
9. ISO 22320:2011 – Societal security – Emergency management – Requirements for incident response.
10. BS 25999-1:2006 – The British Standard Code of Practice for Business Continuity Management.
11. BS 25999-2:2007 – The Specification for a BCM system (being replaced by ISO 22301).
12. The Business Continuity Institute’s Good Practice Guidelines (2010-2013).
13. PD 25111:2010 – Business continuity management – Guidance on human aspects of business continuity.
14. ISO 22398:2013 – Societal security – Guidance on exercising.

How we learn and remember

It is said that we remember:
• 10% of what we read (passive)
• 20% of what we hear (passive)
• 30% of what we see and hear (passive)
• 70% of what we say and write (active)
• 90% of what we say as we do (active)

Strategic thinking

• Strategy states what you are going to do and why
• Plans state how you are going to do it, when, who and with what resources
• Understanding the key difference between what is urgent and what is important
• Focus on survival needs not business wants
• The output is a range of planning options, choices and assumptions backed by credible decision-support material

The structures of modern life

We spend a lot of time in these: cities / buildings / organizations.
• What could go wrong?
• What happens if it does?
• What can we do to make our organizations more resilient?
• How do we mitigate what could go wrong?
• How do we respond?

Resilience in organizations

• An organization operates within a complex web of interactions with other organizations, so it is essential to build resilience not only within the organization, but across its networks, and in its interactions with others.

[Diagram: the organization at the centre of a network of other organizations.]

Source: BS 65000:2014

Let’s look briefly at organizations

[Diagram: INPUTS → TRANSFORMATION PROCESS / VALUE-ADDED → OUTPUTS]

Source: ISO 22313:2012

The context in which organizations function

The EXTERNAL context is the external environment in which an organization seeks to achieve its objectives:
• Interested parties
• Legal and regulatory requirements
• Market drivers and trends
• Social, cultural, political, financial, technological, economic, natural and competitive environment (national, international, regional, local)

The INTERNAL context is the internal environment in which an organization seeks to achieve its objectives:
• Any factor which influences the way risk is managed
• Aligned with strategy, objectives, culture
• Projects, processes, activities, critical activities
• KPIs etc.

[Diagram labels: Purpose, Culture, Interested Parties, Leadership, Conscious organization]

The fabric of organizations

Relationships and dependencies between these lines will impact how resilient you are. Risks emerge and your readiness to respond is a key factor in determining how your organization will be impacted.

[Diagram, with "Being Resilient" at the centre:]
• STRUCTURE: Policies & Procedures, Systems & Processes, Technology, Capabilities
• STRATEGY: Mission/Vision, Objectives, Initiatives, Plans
• CULTURE: Values, Ethics, Attitudes, Behaviours
• PERFORMANCE: Systems & Processes, Technology, Capabilities

Management structures

CMT – Crisis Management Team
BCT – Business Continuity Team
BST – Business Support Team
IMT – Incident Management Team

Organizations and org. charts: they are organic: creating themselves, destroying themselves; they evolve to meet strategy, objectives and culture...

Think two levels up in order to plan one level down. What is my boss’s boss trying to achieve?

[Diagram:]
• LEVEL 3 – Strategic: Group CMT (Policy and Objectives)
• LEVEL 2 – Tactical: CMT (Plan one down, Think two up)
• LEVEL 1 – Operational: BCTs (Plans)

The building blocks of effective resilience

[Diagram labels:] Governance and accountability; Transparency; Authority and responsibility; Participation; Embedded values; Leadership and culture; Common vision and purpose; Agility; Innovation, improvisation; Influence; Standards and behaviours; Decision-making; Performance

The functional components of resilience

• Risk Management (ISO 31000): the “systematic application of management policies, procedures and practices for communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” in your organization.
• Crisis Management (BS 11200): the capability of an organization to respond to an “inherently abnormal, unstable and complex situation that represents a threat to its strategic objectives, reputation or existence” and manage the consequences so disruption is kept to a minimum.
• Business Continuity (ISO 22301): the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Aim and unifying purpose: building organizational resilience

What is Risk Management

• Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
• “Coordinated activities to direct and control an organization with regard to risk”. ISO 31000:2009.

The problem is that traditional risk management tends to focus on threats, or negatives AND RARELY CONSIDERS opportunities.

Risk management

• It is best managed by people following a defined process:

[Diagram (Source: BSI) of the relationships between owners, assets, threats, vulnerabilities, controls and risk:]
• Owners value Assets and wish to minimise Risk
• Owners impose Controls, which reduce Risk
• Owners identify and manage Vulnerabilities, which Assets may possess
• Threat Agents, with an intention to abuse/damage, give rise to Threats
• Threats exploit Vulnerabilities and increase Risk to Assets
(other diagram labels: Linked, Access)

What is Enterprise Risk Management

Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ... (www).

Enterprise Risk Management is about the application of risk management to an “entire organization”.
• ERM goes to the very heart of an organization
• Methodology for managing uncertainty
• Affects corporate strategy
• Threats AND opportunities (ISO Guide 73 – the language of risk management)

What is Crisis Management

• Processes, procedures, plans and systems to manage an abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization

The aim of crisis management

• To ensure that at the strategic, tactical and operational levels of control your response capabilities are synchronised in order to optimise your response effort to achieve your continuity and recovery objectives.

[Diagram: roles and responsibilities by level]
• Executive Management (CEO, CIO, CFO etc): Policy; Direction; Wider Contacts; etc
• Crisis Management (Comms, HR, PR etc): C4 – Command, Control, Co-ordination, Communications
• Business Unit Recovery Teams, IT / Data Centre, Facilities: Response and Recovery; etc

What is resilience?

Of humans it is said that it is an individual's ability to cope with stress and adversity: in systems to tolerate disruption, or cope with and absorb shocks.

This coping attribute may result in the individual or system "bouncing back" to a previous state of normal or improved functioning.

What is organizational resilience?

• The ability to anticipate key events from emerging trends, constantly adapt to change and to bounce back from disruptive and damaging incidents.

Source: The BCI’s Good Practice Guidelines 2013

What is organizational resilience?

The same definition is repeated alongside an image captioned: What is the Maximum Acceptable Outage for a boxer?

Source: The BCI’s Good Practice Guidelines 2013

Your business / organization

Resilient organizations do all these things and much more...
• Asset / Risk Management
• Stakeholder & Collaboration Management
• Reputation Management
• Horizon scanning
• Risk, Emergency Response, Crisis and Business Continuity Management
• Change Management
• Health & Safety
• ICT continuity
• Information, Cyber & physical Security
• Environmental and Quality Management
• Financial / Fraud Control
• Facilities Management
• Supply Chain
• Human Resource planning

Traditional Business Continuity

• People, IT, Sites and Facilities
• Operating in silos and separated from Risk & Crisis Management
• Technical products not services or capabilities
• No consistent view on best practice or success

New direction, new purpose for BCM

• A strategic management tool / business process offering:
  • Protection of value and reputation in a crisis
  • Competitive advantage through greater resilience
  • Improved risk management and more effective and transparent corporate governance

Source: Lyndon Bird, Technical Director, BCI

Risk & Continuity

Risk Management versus Business Continuity Management:
• Key method: Risk Analysis | Business Impact Analysis
• Key parameters: Impact & Probability | Impact and impact over Time
• Type of incident: All types of events, though usually segmented | Events causing significant business disruption to assets, services and capabilities
• Size of events: All sizes (costs) of events, although usually segmented | For strategy planning: “survival” threatening incidents only
• Intensity: All from gradual to sudden | Sudden or rapid events (though response may also be appropriate if a creeping incident becomes severe)

Table: Comparison of Risk Management and Business Continuity Management (Source: The Business Continuity Institute, (2005), Good Practice Guidelines – A Framework for Business Continuity Management, UK).

Consequences

Protection of value / intellectual capital

“an intangible asset, usually not included on an organization’s balance sheet, that is approximately equal in value to the difference between the market capitalization of the company and its tangible (or net asset or book) value”

Company | Market Cap | Tangible Value | Tangible Relevance % | Intangible Relevance %
Your company | 10bn | 1bn | 10.0 | 90.0

Source: Based on an idea by IT Governance UK Ltd

Financial consequences

Recoverers versus non-recoverers

Knight, Rory F.; Pretty, Deborah (1996). The Impact of Catastrophes on Shareholder Value (Report).

Former BP chief Tony Hayward: oil spill contingency plans were 'inadequate'
http://www.bbc.co.uk/news/business-11709027

BP executive Tony Hayward said that the media response to the oil spill was a "feeding frenzy".

Mr Hayward said that the company was "not prepared" to deal with "the intensity of the media scrutiny".

Source: BBC News

Why

3 good reasons why we need to do BCM:
• Threats on the increase… Natural disasters, cyber crime, fraud and espionage, extreme weather, reputational damage etc
• Exposure & dependency on the increase… Premises, people, IT, networks, communications, technology enablers, less central control, new entry points for intruders
• Expectations on the increase… Stakeholders, management, business partners, auditors and regulators all demanding more evidence of planning and protective measures

The structure of incidents: the complexity of crises

Sudden
• These are characterised by their immediate onset. They tend to be unanticipated and escalate very quickly, often as a result of a severe triggering event or incident.
• An important implication for managers is that at least some elements of the crisis will be obvious to all, and so it may be relatively easy to invoke a response and mobilise (at least in the immediate term) the resources needed to manage the consequences.

Smouldering
• These are also known as “creeping”, “slow-burn”, “long-wave” or “rising tide” events. Whatever the preferred choice of name, their common feature is that impact grows, sometimes undetected, over a period of time – whilst indicators of risk are missed, denied, ignored or misunderstood.
• The key challenge for senior managers is recognising the threat and then finding support for the implementation of a proactive response before the challenge becomes a full-scale emergency.

Level 1-4 impacts

Level 1 – Localised Impact
• Scenarios / examples: Localised damage in part of office area; Localised technology or power failure; Operator error
• Typical continuity strategy: Move people to another area in same building; Spare processing capacity; Training for staff

Level 2 – Building Impact
• Scenarios / examples: Facility damage – whole building; Building-wide technology or power failure
• Typical continuity strategy: Move people to another building in same city

Possible solution (Levels 1 and 2): All locations are mapped to a recovery location; Assets, resources and technology are enabled in recovery location; Minimum of 15% capacity recovered for support of prioritised activities

Level 3 – City Impact
• Scenarios / examples (city-wide): Extreme weather; Civil unrest; Public infrastructure failure
• Typical continuity strategy: Split operations between cities; Move prioritized activities / business processes (not people) to alternate city

Level 4 – Country Impact
• Scenarios / examples (country-wide): Extreme weather; Civil unrest / war / travel bans; Public infrastructure failure
• Typical continuity strategy: Split operations between countries; Move prioritized activities / business processes (not people) to another country

Possible solution (Levels 3 and 4): Prioritised activities operating in multiple locations; Minimal lead time required to enable assets, resources, technology, or system accesses as they are already in place; Minimal disruption - 30% capacity available on demand to support Prioritised Activities

Risk management controls

Rating 1 – Very effective
• Design: Controls are designed and operating in excess of basic design requirements
• Application: Controls are applied and operating in excess of basic requirements
• Overall: Controls are well-designed and are being applied effectively

Rating 2 – Effective
• Design: Controls are properly designed
• Application: Controls are properly applied as intended
• Overall: Some improvement is needed in the application of controls

Rating 3 – Limited improvement needed
• Design: Controls are properly designed
• Application: Controls are properly applied as intended
• Overall: Minor improvement is needed in the application of controls

Rating 4 – Significant improvement needed
• Design: There are significant opportunities for the improvement of design
• Application: Key controls in place, but there are significant opportunities for further improvement
• Overall: Significant but not major improvement is needed in the design and application of controls

Rating 5 – Ineffective
• Design: Design of controls is not fit for purpose, will require new design
• Application: Controls are non-existent or have major deficiencies: they do not operate as intended
• Overall: The design and application of controls is highly ineffective: needs a major redesign and application

Source: COSO Technical Guide

It is NOT a crisis when…

Phases of crisis management – high level view

Business as usual

Emergency Response, Crisis, Continuity and Recovery

Overall Objective: Back-to-Normal as soon as possible. Or go in search of a New normal?

[Timeline: Normal → Incident → Normal]

Risk Management (before the incident) – Anticipate events:
• Horizon Scan
• Assess likelihood & impact
• Run risk register

Incident Response / Crisis Management – Within minutes to hours:
• Account for people
• Deal with casualties
• Contain damage
• Assess damage
• Invoke Business Continuity

Business Continuity – Within minutes to days:
• Contact staff, customers, suppliers etc.
• Recover critical processes
• Rebuild lost work-in-progress

Recovery / Resumption – Within weeks to months:
• Repair / replace damage
• Relocate to permanent site
• Recover costs from insurers

Based on BS25999-1:2006

Crisis management structure

Command and Control

Activation and escalation

The Incident Command System

• The Incident Command System (ICS) is "a systematic tool used for the command, control, and coordination of emergency response"
• "a set of personnel, policies, procedures, facilities, and equipment, integrated into a common organizational structure designed to improve emergency response operations of all types and complexities."

ICS – command management

[Organization chart:]
• Incident Commander – Leadership: Command, control & management; Objectives / priorities; Direct liaison with
  • Command staff around the Incident Commander: Legal; Comms / External Affairs; HR; Emergency Coordinator
• Tactical sections:
  • Operations (Front-line): Fire fighting; Source control; Salvage; Clean-up; Repair & recover
  • Planning, incl Situation Unit (Intelligence): Collect, assess and disseminate info; What has happened? What are we doing? What next?
  • Logistics (Support): Facilities; Transport; Supplies; Equipment; Comms
  • Finance (Accountancy): Cost tracking; Cost control; Procurement; Insurance*; Claims*

CMT Emergency Control Centre & Situation Unit for managing incidents

[Room layout diagram:]
• Status Boards – Situation Unit: Incident Control; Incident Current Status; Issues Outstanding
• Liaise with external agencies; Visitors, VIPs etc., briefing cell
• Administration and Support Staff
• Equipment: Television, Satellite etc; Phone to meeting room; Printer; Copier; Fax; Telephone; Landlines and Mobiles
• Links to BCTs: HK, Lon, Paris, NY
• Positions in the room: Incident Commander / CMT Leader; Deputy; Communications & External Affairs; Legal Adviser; Facilities; H&S; Planning; Operations; Finance; Logistics; HR Adviser; BCM Adviser; IT; Business Operations; Sourcing, Shared etc; BC - Property; BC - Environ; BC - Business; People

CMT Personalities
Command Staff:
• IC / Deputy
• Legal Adviser
• Communications & External Affairs
• BCM Adviser
• HR Adviser
• H&S Adviser
General Staff:
• Planning
• Operations
• Logistics
• Finance
Business Continuity Team:
• Facilities Adviser
• Business Ops
• IT Adviser
• Etc as required

These functions could be combined or performed by less than four people depending on the nature and scale of the incident.

Roles: Doers – continuity, recovery; Planners, coordinators; Command, control, communicate.

Key: BCT – Continuity / Recovery; GS – General staff; CS – Command staff; CST – Comms; EST

Communications protocols

• Who talks to whom and how?
• About what?
• When?

External / Internal

ERC status boards

Problems – What Has Happened – Emergency Response | Solutions – What We Are Doing About It – Business Continuity

SITUATION status boards:
• Incident Facts
• Incident Facts Update
• Health, Safety & Env. Issues
• Maps, charts & diagrams
• Operating Conditions
• Major Objectives
• Teams & Resources deployed
• CMT org. chart
• Interested parties & assigned actions
• Schedule of briefings, time-outs, sitreps etc

Situation Unit responsible for maintaining these Status Boards, supported by: Planning, Operations, Safety, the Incident Commander and the Emergency Coordinator.

Note: Sophisticated resources not needed - Flip-chart sheets stuck on a wall are very effective!

Exercise frequency – an example

Team | Notification exercise | Tabletop exercise | Limited exercise | Full scale exercise
Departments BCTs / BCPs | 6 months | Annually | Every 1 year | Every 2-3 years
ITDR Team | 6 months | Annually | Every 1 year | Every 2-3 years
IMT / CMT | 6 months | Annually | Every 1 year | Every 2-3 years
Joint CMT / Board / Group | Annually | Every 18 months | Every 2 years | Every 2-3 years

Social media... never forgets!

“The Deepwater Horizon response was the first (crisis of its kind) to encounter the combination of multiple, highly competitive cable news outlets with the broadband Internet and web of specialized websites, blogs and other social media”

What makes a good CM leader?

• Why is Crisis Leadership different?
• How should a crisis leader interact with the Team?
• What should the Leader expect from other Team members?
• Should decisions belong to the Leader or be consensual?
• How do you think your Team works?

Leadership in a crisis

• Differs from ‘normal’ leadership because:
  • Success or failure stakes raised
  • Situational disorientation
  • Organizational disruption
  • Time pressure
  • Additional stress from other factors (lack of sleep, fear, emotion, excitement etc.)

The Political Dimensions of Crisis Leadership: Conflict; Power; Legitimacy.

“in a crisis, leaders are expected to reduce uncertainty and provide an authoritative account of what is going on, why it is happening and what needs to be done” (Boin et al 2008)

Leadership decisions

[Diagram: from 1 to 7, use of authority by the Leader decreases while the area of freedom for subordinates increases.]
1. Leader makes decisions and issues orders
2. Leader sells decision
3. Leader presents decision & explains it allowing questions
4. Leader presents tentative decision subject to change
5. Leader presents problem, gets ideas, makes decision considering team views
6. Leader defines limits and team makes decision within limits
7. Leader permits team to decide within wide limits

Source: Tannenbaum & Schmidt Continuum

Good leadership

• Every crisis requires strong leadership but: “you do not lead by hitting people over the head - that’s assault not leadership” (Source: Dwight Eisenhower)

Action orientated leadership

[Diagram: three overlapping circles – Task Needs, Individual Needs, Team Needs]

Leadership skills in a crisis

Task-orientated skills
• Identifying key issues and priorities, Accepting the new reality quickly, Strategic thinking
• Creating options, Decision-making, Delegation
• Meeting-management skills

Interpersonal skills
• Emotional intelligence (including self-awareness; knowing and managing emotions and those of others; self-motivation; relationship handling)
• Communication skills, verbal and non-verbal
• Negotiating / influencing
• Ability to vary leadership style to circumstances

Personal attributes
• Confidence, Presence, Credibility
• Pragmatism, Cognitive skills
• Effective stress handling
• Moral courage / ethics

Stakeholder awareness
• Engaging with internal and external stakeholders
• Engaging with media
• Engaging with management teams
• Meeting the needs of a wide range and diversity of stakeholders

Speed of response

The omni-presence of the media shapes public perceptions and, as a reflex, your decisions!

[Diagram: INCIDENT → MEDIA (TV NEWS ROOM) → Press Office, which must decide: Confirm? Clarify? Deny? Rebut? Levels within your organization: You, Dept, Site, IMT, BCP, Coy, Group, Regul]

Transitional decision-making

Aspect | “Normal” Business Operations | Crisis Management Operations
Environment | enduring | temporary
Decisions | considered | rapid
Information | comprehensive | limited, changing
Actions | measured | immediate
Resources | appropriate | limited
Results | strategic | fast, tangible, tactical
End state | complex, enduring | clear, finite

Early effect – Theory

The ability to react quickly to incidents within a pre-planned crisis management framework, together with rehearsed decision points, is the essence of what “early effect” is all about.

[Figure: Effect of Impact (LOW to HIGH) plotted against Time from the Trigger. The cost of impact rises over time while the opportunity to influence the situation falls until the initiative is lost and the situation is “set”. Phases along the time axis: Risk Measures, Pre-emptive action, Contain the situation, Recover, Restore. Label: Window to achieve Early Effect.]

Emergency response plans

• Any response has 5 overlapping stages or phases:
  1. Emergency Response
  2. Crisis Management
  3. Business Continuity
  4. Business Recovery
  5. Business Resumption
• Any stage can appear in any set of plans at any level

What is Business Continuity

• Business Continuity is often described as ‘just common sense’.
• It is about taking responsibility for your business and enabling it to stay on course whatever “storms it is forced to weather”.
• It is about “keeping calm and carrying on”!

Disruption defined

Business Continuity is all about managing the consequences of disruption:
• Disruption (i.e. a major incident) when your organization cannot function on an “as intended basis”.
• Events which disrupt the “normal” flow of activities in which you engage to satisfy the growing needs of ALL your interested parties.

Resilience is a process not a destination:
• INCIDENT – a temporary situation affecting part of an organization requiring special management skills, processes and structures
• CRISIS – an incident that can affect the whole organization
• DISASTER – an incident or crisis from which an organization does not recover

Why organizations don’t plan

• “It will never happen to us”
• “IT do the business continuity”
• “There are more important things we need to do”
• “Everyone would know what to do”
• “We do have a plan somewhere”
• “We don’t have the time or resources”

The key issue

• Q: What is the difference between Business Continuity, BC Management, a BC Plan and a BC Management System?
• A: Specifically a BC plan is an output of the implementation process while a BCMS provides the framework for the design, development, implementation, validation and continuous improvement of a management system.
• A BCMS will differentiate between:
  • BC – Business Continuity (your competencies and capabilities)
  • BCM – Business Continuity Management (your Process and Procedures for managing continuity)
  • BCMS – Business Continuity Management System (your System)
  • BCP – a Business Continuity Plan (process for continuity of a product, service, process etc)

[Diagram labels: Competence & Capability; Process & Procedures; Systems]

Demonstrating capability, process, system

Enterprise Risk Management: is the “systematic application of management policies, procedures and practices for communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” in your organization.

Business Continuity: is the competence and capability of your organization to continue the delivery of products or services at acceptable predefined levels following disruption.

Business Continuity Management: is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Demonstrating capability, process, system
A Business Continuity Management System (or a crisis and continuity management
system) is a part of an overall system of governance that establishes, implements,
operates, monitors, reviews, maintains and improves business continuity and business
resilience.
Crisis Management: is the capability of your organization to respond to an “inherently
abnormal, unstable and complex situation that represents a threat to its strategic
objectives, reputation or existence” and manage the consequences so disruption is
kept to a minimum.
A Crisis and / or Business Continuity Plan: is a set of documented processes and
procedures that guides your organization to respond, recover, resume and restore
critical activities to a pre-defined level following disruption. Typically this covers
resources, services and activities required to ensure the continuity of critical business
activities / functions.
A Business Continuity Program: is your on-going management and governance
process supported by Top Management (and appropriately resourced) to implement
and maintain business continuity management. This is achieved through the running
of a compliant BCMS.

Plan-do-check-act

Action | Comments
Plan (establish the BCMS) | Establish BCMS policy, objectives, targets, timescales, processes and procedures relevant to managing risk and improving resilience and business continuity in accordance with the organization’s overall policies and objectives and business strategy.
Do (implement and operate the BCMS) | Implement and operate the BCMS: policy, controls, processes and procedures. Document and maintain.
Check (monitor and review the BCMS) | Assess, measure, monitor and review performance against the BCMS policy, report the results to management for review, and determine and authorise actions for remediation and improvement.
Act (maintain and improve the BCMS) | Maintain and improve the BCMS by identifying nonconformity and taking corrective actions, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.

Key output: management system and plans

[Diagram (Source: BSI 2012): the Plan, Do, Check, Act cycle mapped onto the management-system clauses.]

Plan
• Context of the organization: Understanding of the organization and its context; Expectations of interested parties; Legal and regulatory; Scope of management system; BCMS
• Leadership: Management commitment; BC Policy; Risk Policy; Roles, responsibilities and authorities
• Planning: Actions to address risk and opportunity; BC objectives; Risk objectives
• Support: Resources; Competencies; Awareness; Communications; Documented information

Do
• Operation: Operations of planning and control; BIA and risk assessment; BC Strategy; Risk Strategy; Establish and implement BC procedures; Exercising and testing

Check
• Performance & Evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review

Act
• Improvement: Nonconformity and corrective action; Continual Improvement

Source: BSI 2012

Resilience Programme Management

[Diagram: a four-by-four matrix. Columns: Risk Consequences and Management;
Emergency Response & Crisis Management; Business & IT Continuity & Recovery
Management; Continual Improvement and Performance Measurement. Rows:
1 Mitigate risks (threats and likelihoods): risk opportunities; reduce critical
  risk; ensure readiness to prepare crisis and continuity management.
2 Prepare for disruptions to mission critical processes: impacted and / or
  mission critical processes; prepare crisis management plans for credible
  disruption scenarios; business continuity plans for high risk and mission
  critical processes; respond to credible disruption scenarios.
3 Manage risks, CMPs and the BCP programme: risk register updates; CMP
  development, BCP development, testing and updates; audit plan, quality audits
  and corrective actions.
4 Risk materializes (respond, recover, restore): emergency response and crisis /
  incident management; business continuity recovery and restoration; lessons
  learned and corrective actions; operational plans and functional plans.]
The chronology of terms

Shown left to right along a timeline running from -1 (before the incident)
through 0 (the incident) to +4:

RPO – Recovery Point Objective: the point to which information used by an
activity must be restored to enable the activity to operate on resumption.

MBCO – Minimum Business Continuity Objective: the minimum level of service /
product that is acceptable to the organization to achieve its business
objectives during disruption.

RTO – Recovery Time Objective: the period of time following an incident within
which a product / service must be resumed, an activity must be resumed, or
resources must be recovered.

MAO / MTPD – Maximum Acceptable Outage / Maximum Tolerable Period of
Disruption: the time it would take for adverse impacts, which might arise as a
result of not providing a product / service or performing an activity, to
become unacceptable.

You decide the intervals of time. They could be seconds, minutes, hours, days,
weeks, months, even years (!) depending on your business rhythms.
Measurements of time must be consistent across the whole organization. That
way specific priorities can be set, managed and coordinated relative to all
other priorities, which ensures consistency of approach.
Product and Service
n The product – strategic

n An insurance policy

Process
n The process – tactical

n Processes to deliver an insurance policy

1. Provide quotation
2. Issue Policy

Activity
1. Activities – to undertake Provide Quotation (Operational)
   a) Answer the telephone / email
   b) Obtain details from the client
   c) Provide a verbal / email quotation
   d) Confirm verbal quotation with letter / email
2. Activities – to undertake Issue Policy (Operational)
   a) Receive payment from the client
   b) Produce policy documents
   c) Send policy documents to the client
Business Impact Analysis – Example
(Source: BCI Professional Practices, Module 2 version 3.1)

Products and services – strategic
  Product: Insurance Policies

Processes – tactical: the processes that deliver the most urgent products and
services
  Processes to deliver Insurance Policies:
  1. Provide Quotation
  2. Issue Policy

Activities – operational: prioritised activities (and resources) which
contribute to the processes that deliver the most urgent products and services
  Activities to undertake 1. Provide Quotation:
  • Answer the telephone / email
  • Obtain details from the client
  • Provide a verbal / written quotation
  • Confirm verbal quotation with letter / email
  Activities to undertake 2. Issue Policy:
  • Receive payment from the client
  • Produce policy documents
  • Send policy documents to the client
Business Impact Analysis – Example

PRODUCT / PROCESS / ACTIVITY                MTPD     REASON
Insurance Policies                          5 days   Customers will go elsewhere
  Provide Quotation                         3 days   To receive payments
    Answer the telephone/email              6 hours  Customers will go elsewhere
    Obtain details from the client          1 day    To provide quotation
    Provide a verbal/written quotation      2 days   To receive payments
    Confirm verbal quote with letter/email  3 days   To meet quality standards
  Issue Policy                              5 days   To deliver Insurance Policies
    Receive payment from the client         3 days   Cash flow will suffer
    Produce policy documents                4 days   To send out documents
    Send policy documents to the client     5 days   To deliver Insurance Policies
MTPDs (Maximum Tolerable Periods of Disruption)

Question: using the MTPDs in the table above (product 5 days; processes 3 and
5 days; activities from 6 hours to 5 days), estimate the Recovery Time
Objectives.
MTPDs and Recovery Time Objectives

Each RTO must fall inside the corresponding MTPD:

PRODUCT / PROCESS / ACTIVITY                RTO      MTPD     REASON
Insurance Policies                          <5 days  5 days   Customers will go elsewhere
  Provide Quotation                         <3 days  3 days   To receive payments
    Answer the telephone/email              <6 hrs   6 hours  Customers will go elsewhere
    Obtain details from the client          <1 day   1 day    To provide quotation
    Provide a verbal/written quotation      <2 days  2 days   To receive payments
    Confirm verbal quote with letter/email  <3 days  3 days   To meet quality standards
  Issue Policy                              <5 days  5 days   To deliver Insurance Policies
    Receive payment from the client         <3 days  3 days   Cash flow will suffer
    Produce policy documents                <4 days  4 days   To send out documents
    Send policy documents to the client     <5 days  5 days   To deliver Insurance Policies
MTPDs and Recovery Time Objectives – worked values

PRODUCT / PROCESS / ACTIVITY                RTO      MTPD     REASON
Insurance Policies                          4 days   5 days   Customers will go elsewhere
  Provide Quotation                         2 days   3 days   To receive payments
    Answer the telephone/email              4 hrs    6 hours  Customers will go elsewhere
    Obtain details from the client          0.5 day  1 day    To provide quotation
    Provide a verbal/written quotation      1 day    2 days   To receive payments
    Confirm verbal quote with letter/email  2 days   3 days   To meet quality standards
  Issue Policy                              4 days   5 days   To deliver Insurance Policies
    Receive payment from the client         2 days   3 days   Cash flow will suffer
    Produce policy documents                3 days   4 days   To send out documents
    Send policy documents to the client     days     5 days   To deliver Insurance Policies
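The RTO/MTPD tables above rest on three consistency rules: every RTO must sit inside its MTPD (stated on the slides), an activity should not be allowed a longer MTPD than the process that depends on it, and a process cannot be back before the slowest activity that delivers it (the latter two are usual BIA practice, assumed here). The Python below is added as an illustration and is not part of the BCI material: it normalises the mixed hours/days units onto one clock, as the chronology slide requires, then checks a constructed copy of the insurance example. The parent/child links, the unit parser and the representation of the slide's missing RTO for "Send policy documents" as None are assumptions of the example.

```python
"""BIA consistency checks (illustrative example, not BCI material)."""
import re
from datetime import timedelta

# Unit aliases accepted by the parser (assumption: hours, days and weeks only).
_UNITS = {"h": "hours", "hr": "hours", "hrs": "hours", "hour": "hours", "hours": "hours",
          "d": "days", "day": "days", "days": "days",
          "w": "weeks", "week": "weeks", "weeks": "weeks"}


def parse_duration(text):
    """'6 hours', '0.5 day', '4 hrs' -> timedelta.

    Putting every MTPD and RTO on the same clock is what makes priorities
    comparable across the organization, as the chronology slide insists."""
    m = re.fullmatch(r"\s*([0-9]*\.?[0-9]+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unparseable duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2).lower()]: float(m.group(1))})


# Constructed BIA mirroring the slides: (name, parent, MTPD, RTO).
# The RTO of the last activity is left as None on purpose (missing on the slide).
BIA = [
    ("Insurance Policies",                     None,                 "5 days",  "4 days"),
    ("Provide Quotation",                      "Insurance Policies", "3 days",  "2 days"),
    ("Answer the telephone/email",             "Provide Quotation",  "6 hours", "4 hrs"),
    ("Obtain details from the client",         "Provide Quotation",  "1 day",   "0.5 day"),
    ("Provide a verbal/written quotation",     "Provide Quotation",  "2 days",  "1 day"),
    ("Confirm verbal quote with letter/email", "Provide Quotation",  "3 days",  "2 days"),
    ("Issue Policy",                           "Insurance Policies", "5 days",  "4 days"),
    ("Receive payment from the client",        "Issue Policy",       "3 days",  "2 days"),
    ("Produce policy documents",               "Issue Policy",       "4 days",  "3 days"),
    ("Send policy documents to the client",    "Issue Policy",       "5 days",  None),
]


def validate_bia(rows):
    """Return a list of findings; an empty list means the BIA is consistent."""
    entries = {}
    for name, parent, mtpd, rto in rows:
        entries[name] = {"parent": parent,
                         "mtpd": parse_duration(mtpd),
                         "rto": parse_duration(rto) if rto is not None else None}
    findings = []
    for name, e in entries.items():
        # Rule 1: a missing RTO is a gap, and an RTO must be strictly inside the MTPD.
        if e["rto"] is None:
            findings.append(f"{name}: no RTO set")
        elif e["rto"] >= e["mtpd"]:
            findings.append(f"{name}: RTO {e['rto']} is not inside MTPD {e['mtpd']}")
        # Rule 2: a dependency cannot tolerate a longer outage than what depends on it.
        if e["parent"] is not None:
            p = entries.get(e["parent"])
            if p is None:
                findings.append(f"{name}: parent {e['parent']} not in BIA")
            elif e["mtpd"] > p["mtpd"]:
                findings.append(f"{name}: MTPD exceeds that of parent {e['parent']}")
    # Rule 3: a parent is only resumed once its slowest known dependency is resumed.
    for name, e in entries.items():
        child_rtos = [c["rto"] for c in entries.values()
                      if c["parent"] == name and c["rto"] is not None]
        if e["rto"] is not None and child_rtos and e["rto"] < max(child_rtos):
            findings.append(f"{name}: RTO earlier than slowest dependency")
    return findings


if __name__ == "__main__":
    for finding in validate_bia(BIA) or ["BIA is consistent"]:
        print(finding)
```

Run against the constructed table the only finding is the unset RTO for "Send policy documents to the client"; lengthening any RTO to its MTPD, or setting a process RTO shorter than one of its activities, adds a finding for that row.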
RPO

Maximum Tolerable Period of Disruption

Impact rating by length of outage, for each department / function / process /
product / activity (A to M):

     | <4 hours    | 1 day        | 2-3 days     | 4-5 days     | 1-2 weeks    | 2-4 weeks    | >4 weeks
A    | Critical    | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
B    | Critical    | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
C    | Critical    | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
D    | Disruptive  | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
E    | Disruptive  | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
F    | Disruptive  | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
G    | Disruptive  | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic | Catastrophic
H    | Disruptive  | Critical     | Critical     | Catastrophic | Catastrophic | Catastrophic | Catastrophic
I    | Disruptive  | Critical     | Critical     | Critical     | Catastrophic | Catastrophic | Catastrophic
J    | Manageable  | Manageable   | Manageable   | Disruptive   | Critical     | Critical     | Catastrophic
K    | Manageable  | Manageable   | Manageable   | Disruptive   | Disruptive   | Critical     | Catastrophic
L    | Manageable  | Manageable   | Manageable   | Manageable   | Disruptive   | Disruptive   | Critical
M    | Manageable  | Manageable   | Manageable   | Manageable   | Manageable   | Disruptive   | Disruptive

MTPD – the time it would take for adverse impacts, which might arise as a
result of NOT providing a product / service or performing an activity, to
become unacceptable (to your organization).
Evaluating threats – risk management models
The simplest formula is:
Risk Value = Threat Impact x Threat Probability

n Can all threats be identified?
n Can probabilities be estimated?
n What time periods need to be considered?
n Numeric scales have problems
    n Minor events are over-emphasized
    n Values are not comparative
    n Difficult to reflect less quantifiable assets
n Risk appetite or tolerance
    n How much will be accepted
    n Drives the level of action to control threats
    n Difficult to measure
    n Usually defined in terms of acceptance, or not, of risk
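To make the "numeric scales have problems" points concrete, the Python below, added here as an illustration rather than taken from the slides, scores a constructed list of threats with the formula above on 1-5 ordinal scales, lists the ties the product cannot separate, and contrasts an impact-first ordinal ranking. The threat list, the scales and the impact-first rule are assumptions of the example, not BCI guidance.

```python
"""Impact x probability on ordinal scales, and why it is not comparative
(illustrative example, not BCI material)."""


def risk_value(impact, probability):
    """The slide's formula, applied to 1-5 ordinal scores (assumed scale)."""
    for score in (impact, probability):
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError("impact and probability must be integers on the 1-5 scale")
    return impact * probability


# Constructed threat register: (name, impact 1-5, probability 1-5).
THREATS = [
    ("Phishing e-mail reaches staff", 1, 5),   # minor but near-certain
    ("Loss of primary data centre",   5, 1),   # catastrophic but rare
    ("Key supplier insolvency",       4, 4),
    ("Regional flood closes site",    5, 3),
]


def rank_by_product(threats):
    """Highest Risk Value first; ties keep register order.

    Note the outcome: a 'major and probable' threat (4 x 4 = 16) outranks a
    'catastrophic and likely' one (5 x 3 = 15), which is the over-emphasis the
    slide warns about."""
    return sorted(threats, key=lambda t: risk_value(t[1], t[2]), reverse=True)


def ties(threats):
    """Groups of threats the product formula cannot tell apart."""
    by_score = {}
    for name, impact, probability in threats:
        by_score.setdefault(risk_value(impact, probability), []).append(name)
    return {score: names for score, names in by_score.items() if len(names) > 1}


def rank_impact_first(threats):
    """Ordinal alternative (assumed, one common choice): rank on impact and use
    probability only to break ties, so a catastrophic outcome is never outranked
    by a frequent nuisance.  Scores are compared, never multiplied."""
    return sorted(threats, key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    for name, impact, probability in rank_by_product(THREATS):
        print(f"{risk_value(impact, probability):>2}  {name}")
    print("ties:", ties(THREATS))
    print("impact first:", [t[0] for t in rank_impact_first(THREATS)])
```

On the constructed register the product formula ranks supplier insolvency above the regional flood and cannot separate a near-certain phishing e-mail from the rare loss of the data centre (both score 5); the impact-first ordering puts the two catastrophic threats at the top. Whichever model is used, the rating scale and its meaning must be fixed organization-wide, for the same reason the chronology slide requires consistent time units.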
Recovery options by length of unavailability

Unavailability: Tier 1 (0 to 72 hours) | Tier 2 (3 to 30 days) | Tier 3 (>30 days)

Workspace
  Tier 1: Virtual / Command Centre; Remote / teleworking; Relocation to <alternate location>
  Tier 2: Virtual / Command Centre; Remote / teleworking; Relocation to <alternate location>
  Tier 3: Lease / own an alternate location; Relocation to <alternate location>

Equipment
  Tier 1: Travel-kit (pre-configured devices); Stockpiling
  Tier 2: Travel-kit (pre-configured devices); Emergency procurement; Stockpiling; Equipment call-off agreements
  Tier 3: Emergency procurement; Equipment call-off agreements

Human Resource (all tiers)
  Designate deputy for executives and backups for key personnel / cross-training; Succession planning

Technology (all tiers)
  IT Disaster Recovery (ITDR); 3G / 4G routers; SLA with technology vendor for third party applications; Travel-kit (pre-configured device) with satellite voice / data

Third Parties (all tiers)
  SLA & contractual obligations (such as a right-to-audit clause); Reach out to alternate vendors; Call-off agreements with alternate vendors; Joint BCM exercising

Vital Records
  Tiers 1-2: Storage in fire resistant safes at primary and alternate location; Digitization of hard copy documents & storage of confidential data in the Red Network; Storage of documents at bank safe
  Tier 3: Restore from backup
Example: options for call centre

Each option is listed with its Recovery Time Objective, advantages,
disadvantages and comments.

Less than 4 hours – Dedicated Backup Site
  Advantages: immediate or near immediate recovery (Call Centre, ICT etc).
  Disadvantages: the equipment is dedicated to recovery only and is therefore an expensive option.
  Comments: this option is designed for a function that requires "continuous availability". If Call Centres are to be continuously available then this is what is required.

Less than 1 day – Redundant Facility (remote internal)
  Advantages: greatest reliability; most control; time to recover and integrity.
  Disadvantages: most expensive: the organization must assume the total cost of the equipment and services; long-term commitment.
  Comments: another internal business facility. The site can be used for other corporate functions.

Less than 1 day – Commercial Hot Site
  Advantages: testability; availability of skilled personnel.
  Disadvantages: regional incident risk; requires a contractual obligation for a number of years.
  Comments: subscribe with a vendor who will provide designated space and equipment at the time of the outage. The equipment could be shared with other users.

1-4 days – Shippable or Transportable Equipment
  Advantages: useful for client/server computing.
  Disadvantages: logistical difficulties in regional incident recovery.
  Comments: subscribe with a hardware vendor to ship designated equipment to your preferred location(s) at the time of the outage.

1-6 weeks – Cold Site
  Advantages: testability; cost effective.
  Disadvantages: detailed plans are difficult to maintain; time to recover; long term maintenance costs.
  Comments: can use commercial backup office space. A cold site is an empty space equipped with the Call Centre environment ready to accept equipment. Contains power, raised flooring, a/c. Can be shared with other users.

2-5 months – Repair or rebuild at time of incident
  Advantages: least cost; little resources.
  Disadvantages: time to recover, reliability, and ability to rehearse.
  Comments: rent space, as a cold site, and have replacement equipment available.
Business Continuity Dashboard

BC Critical Functions: 9 – 11 critical functions across the organization out of a total of 48
Critical Processes: 14 – time-critical processes
Critical Products: 4
Operational Facilities: 2 – Location A, Location B; Plant A, Plant B

IT Recovery Sites: 2
Critical IT Dependencies: 25 – total number of applications needed to support the recovery of the time-critical processes
Users: 125 – time-critical employees out of a total of 350
External: 6 – including subsidiaries, vendors / suppliers, and governmental departments
Vital Record Types: electronic documents and hard-copy documents, with varying levels of confidentiality
Final thought

History teaches us to expect the unexpected. Be prepared to ask the
unthinkable. What if....

Events can and do take place which cannot be anticipated precisely.
Emergency response arrangements therefore need to be flexible in order to
adapt to circumstances at the time while applying good practice.
