CBCI Follow Up - Extra Slides
Date: 31/07/2019
Email: james.royds@gmail.com
Acknowledgements
• James Royds thanks the Institute of Risk Management (IRM), the Business Continuity Institute (BCI), the British Standards Institute (BSI), the Emergency Planning College and the International Organization for Standardization (ISO) for providing source material for this presentation.
• James Royds is an Honorary Fellow of the BCI and one of its approved trainers. He served on the Risk & Governance committee between 2012-2015. He was Chairman of the Institute between 2010-2012. He is also a trained Lead Auditor for ISO 22301:2012.
• Materials draw on good practice and international standards, including:
  • GPG 2013-18 – the Business Continuity Institute’s Good Practice Guidelines 2013-18
  • ISO 22316:2017 – the ISO guidance on Organizational Resilience
  • BS 31100:2011 – Risk Management – Code of practice and guidance for the implementation of BS ISO 31000
  • BS 11200:2014 – the British Standard’s Guidance for Crisis Management
  • ISO 22301:2012 – the International Standard for Business Continuity Management
References
• The key references include:
1. ISO 22316:2017 – Security & Resilience – Principles and attributes.
2. BS 31100:2011 – Risk management – Code of practice and guidance for the implementation of BS ISO 31000.
3. BS 11200:2014 – Crisis Management – Guidance and good practice.
4. BS ISO 27031:2011 – Information technology – Security techniques – Guidelines for information and communications technology readiness for business continuity.
5. ISO/IEC 24762:2008 – Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services.
6. ISO 22301:2012 – Societal security – Business continuity management systems – Requirements.
7. ISO 22313:2012 – Societal security – Business continuity management systems – Guidance for establishing ISO 22301:2012.
8. PD ISO/TS 22317:2015 – Societal security – Business continuity management systems – Guidelines for business impact analysis.
9. ISO 22320:2011 – Societal security – Emergency management – Requirements for incident response.
10. BS 25999-1:2006 – The British Standard Code of Practice for Business Continuity Management.
11. BS 25999-2:2007 – The Specification for a BCM system (being replaced by ISO 22301).
12. The Business Continuity Institute’s Good Practice Guidelines (2010-2013).
13. PD 25111:2010 – Business continuity management – Guidance on human aspects of business continuity.
14. ISO 22398:2013 – Societal security – Guidance on exercising.
How we learn and remember
It is said that we remember:
• 10% of what we read (passive)
• 20% of what we hear (passive)
• 30% of what we see and hear (passive)
• 70% of what we say and write (active)
• 90% of what we say as we do (active)
Strategic thinking
The structures of modern life
What can we do to make our organizations more resilient? How do we mitigate what could go wrong? How do we respond?
Resilience in organizations
Diagram: the components of resilience in organizations (Source: BS 65000:2014).
Let’s look briefly at organizations
The context in which organizations function
The EXTERNAL context is the external environment in which an organization seeks to achieve its objectives:
• Interested parties
• Legal and regulatory requirements
• Market drivers and trends
• Social, cultural, political, financial, technological, economic, natural and competitive environment (national, international, regional, local)

Diagram centre: Purpose, Culture, Interested Parties, Leadership, Conscious organization.

The INTERNAL context is the internal environment in which an organization seeks to achieve its objectives:
• Any factor which influences the way risk is managed
• Aligned with strategy, objectives, culture
• Projects, processes, activities, critical activities
• KPIs etc.
The fabric of organizations
Diagram: the fabric of an organization, with "Being Resilient" at the centre of four lines:
• STRUCTURE – Policies & Procedures, Systems & Processes, Technology, Capabilities
• STRATEGY – Mission/Vision, Objectives, Initiatives, Plans
• CULTURE – Values, Ethics, Attitudes, Behaviours
• PERFORMANCE – Systems & Processes, Technology, Capabilities
Relationships and dependencies between these lines will impact how resilient you are. Risks emerge, and your readiness to respond is a key factor in determining how your organization will be impacted.
Management structures
• CMT – Crisis Management Team
• BCT – Business Continuity Team
• BST – Business Support Team
• IMT – Incident Management Team
The building blocks of effective resilience
Diagram elements (grouping as laid out on the slide is not recoverable):
• Governance and accountability – Transparency; Authority and responsibility; Participation
• Leadership and culture – Embedded values; Innovation, improvisation; Agility; Influence; Standards and behaviours
• Common vision and purpose
• Decision-making
• Performance
The functional components of resilience
Risk Management (ISO 31000): the “systematic application of management policies, procedures and practices for communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” in your organization.

Crisis Management (BS 11200): the capability of an organization to respond to an “inherently abnormal, unstable and complex situation that represents a threat to its strategic objectives, reputation or existence” and manage the consequences so disruption is kept to a minimum.

Business Continuity (ISO 22301): the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
What is Risk Management
• Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
• “Coordinated activities to direct and control an organization with regard to risk”. ISO 31000:2009.

The problem is that traditional risk management tends to focus on threats, or negatives, AND RARELY CONSIDERS opportunities.
Risk management
• It is best managed by people following a defined process:
Diagram labels (relationship diagram): Owners; Value; Impose Controls; Minimise; Reduce; Manage; May Possess; Identify; Vulnerabilities.
What is Enterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ... (www).
What is Crisis Management
• Processes, procedures, plans and systems to manage an abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization
The aim of crisis management
• To ensure that at the strategic, tactical and … your response capabilities … objectives. (Parts of this sentence were not captured on the slide.)

Diagram:
• Executive Management (CEO, CIO, CFO etc) – Roles/Responsibilities: Policy; Direction; Wider Contacts
• Crisis Management Teams – Roles/Responsibilities: C4: Command, Control …; Response and Recovery; etc
What is resilience?
What is organizational resilience?
Your business / organization
Resilient organizations do all these things and much more...
• Asset / Risk Management
• Stakeholder & Collaboration Management
• Reputation Management
• Horizon scanning
• Risk, Emergency Response, Crisis and Business Continuity Management
• Change Management
• Health & Safety
• ICT continuity
• Information, Cyber & physical Security
• Environmental and Quality Management
• Financial / Fraud Control
• Facilities Management
• Supply Chain
• Human Resource planning
Traditional Business Continuity
New direction, new purpose for BCM
• A strategic management tool / business process offering:
  • Protection of value and reputation in a crisis
Risk & Continuity
Table: Comparison of Risk Management and Business Continuity Management (Source: The Business Continuity Institute (2005), Good Practice Guidelines – A Framework for Business Continuity Management, UK). The table itself was not captured.
Consequences
Protection of value / intellectual capital
Company | Market Cap | Tangible Value | Tangible Relevance % | Intangible Relevance %
Your company | 10bn | 1bn | 10.0 | 90.0
Source: Based on an idea by IT Governance UK Ltd
Financial consequences
Recoverers verses non-recoverers
Knight, Rory F.; Pretty, Deborah (1996). The Impact of Catastrophes on Shareholder Value (Report).
Former BP chief Tony Hayward: oil spill contingency plans were 'inadequate'
http://www.bbc.co.uk/news/business-11709027

BP executive Tony Hayward said that the media response to the oil spill was a "feeding frenzy". Mr Hayward said that the company was "not prepared" to deal with "the intensity of the media scrutiny".
Source: BBC News
Why
The structure of incidents: the complexity of crises
Sudden: relatively easy to invoke a response and mobilise (at least in the immediate term) the resources needed to manage the consequences.
Level 1-4 impacts
Level 1 – Localised Impact (three columns; column headings were not captured):
• Localised damage in part of office area; Localised technology or power failure; Operator error
• Move people to another area in same building; Spare processing capacity; Training for staff
• All locations are mapped to a recovery location; Assets, resources and technology are enabled in recovery location; Minimum of 15% capacity recovered for support of prioritised activities

Level 2 – Building Impact:
• Facility damage – whole building; Building-wide technology or power failure
• Move people to another building in same city

Levels 3 and 4 were not captured on this slide.
Risk management controls
Rating 1 – Very effective
• Design: Controls are designed and operating in excess of basic design requirements
• Application: Controls are applied and operating in excess of basic requirements
• Overall: Controls are well-designed and are being applied effectively

Rating 2 – Effective
• Design: Controls are properly designed
• Application: Controls are properly applied as intended
• Overall: Some improvement is needed in the application of controls

Rating 3 – Limited improvement needed
• Design: Controls are properly designed
• Application: Controls are properly applied as intended
• Overall: Minor improvement is needed in the application of controls

Rating 4 – Significant improvement needed
• Design: There are significant opportunities for the improvement of design
• Application: Key controls in place, but there are significant opportunities for further improvement
• Overall: Significant but not major improvement is needed in the design and application of controls

Rating 5 – Ineffective
• Design: Design of controls is not fit for purpose, will require new design
• Application: Controls are non-existent or have major deficiencies: they do not operate as intended
• Overall: The design and application of controls is highly ineffective: needs a major redesign and application

Source: COSO Technical Guide
It is NOT a crisis when…
Phases of crisis management – high level view
Business as usual
Emergency Response, Crisis, Continuity and Recovery
Overall Objective: Back-to-Normal as soon as possible. Or go in search of a New normal?

Timeline (Normal → Incident → Normal):
• Risk Management – Anticipate events: Horizon Scan; Assess likelihood & impact; Run risk register
• Incident Response / Crisis Management
• Business Continuity – Within minutes to days: Contact staff, customers, suppliers etc.; Recover critical processes; Rebuild lost work-in-progress
The Incident Command System
ICS – command management
Incident Commander: Leadership; Command, control & management; Objectives / priorities; Direct liaison with Tactical
Command staff around the Incident Commander: Legal; Comms / External Affairs; HR; Emergency Coordinator
Liaise with external agencies; Visitors, VIPs etc.; briefing cell
Status Boards – Situation Unit: Incident Control; Incident Current Status; Issues Outstanding

CMT Personalities
• Command Staff: IC / Deputy; Legal Adviser; Communications & External Affairs; BCM Adviser; HR Adviser; H&S Adviser
• General Staff: Planning; Operations; Logistics; Finance
• Business Continuity Team: Facilities Adviser; Business Ops; IT Adviser; Etc as required
These functions could be combined or performed by less than four people depending on the nature and scale of the incident.

Links to BCTs: Property; Environ; People; Landlines and Mobiles; IT; Business Operations; Sourcing, Shared etc
Key: BCT – Continuity / Recovery; GS – General staff; CS – Command staff; CST – Comms
Communications protocols
• Who talks to whom and how?
• About what?
• When?
Diagram: External | Internal
ERC status boards
Problems – What Has Happened | Solutions – What We Are Doing About It
Emergency Response | Business Continuity
SITUATION
Situation Unit responsible for maintaining these Status Boards, supported by:
Note: Sophisticated resources not needed – flip-chart sheets stuck on a wall are very effective!
Exercise frequency – an example
Team | Notification exercise | Tabletop exercise | Limited exercise | Full scale exercise
Departments / BCTs / BCPs | 6 months | Annually | Every 1 year | Every 2-3 years
Joint CMT / Board / Group | Annually | Every 18 months | Every 2 years | Every 2-3 years
Social media... never forgets!
“The Deepwater Horizon response was the first (crisis of its kind) to encounter the
combination of multiple, highly competitive cable news outlets with the broadband
Internet and web of specialized websites, blogs and other social media”
What makes a good CM leader?
Leadership in a crisis
Leadership decisions
Diagram axes: Use of authority by the Leader; Area of freedom for subordinates.
1. Leader makes decisions and issues orders
2. Leader sells decision
3. Leader presents decision & explains it, allowing questions
4. Leader presents tentative decision subject to change, considering team views
5. Leader presents problem, gets ideas, makes decision
6. Leader defines limits and team makes decisions
7. Leader permits team to decide within wide limits
Source: Tannenbaum & Schmidt Continuum
Good leadership
• Every crisis requires strong leadership but: “you do not lead by hitting people over the head – that’s assault not leadership” (Source: Dwight Eisenhower)
Diagram: Task Needs; Team Needs; Individual Needs.
Leadership skills in a crisis
Task-orientated: Identifying key issues and priorities; Accepting the new reality quickly; Strategic thinking
Speed of response
Diagram: “Normal” Business Operations | Crisis Management Operations
Early effect – Theory
The ability to react quickly to incidents within a pre-planned crisis management framework, together with rehearsed decision points, is the essence of what “early effect” is all about.

Graph: Effect of Impact (LOW to HIGH) against Time, starting at the Trigger. Labels: Cost of impact; Opportunity to influence situation; Initiative lost – situation “set”.
What is Business Continuity
• Business Continuity is often described as ‘just common sense’.
Disruption defined
Why organizations don’t plan
• “It will never happen to us”
• “IT do the business continuity”
• “There are more important things we need to do”
• “Everyone would know what to do”
• “We do have a plan somewhere”
• “We don’t have the time or resources”
The key issue
• Q: What is the difference between Business Continuity, BC Management, a BC Plan and a BC Management System?
• A: Specifically, a BC plan is an output of the implementation process, while a BCMS provides the framework for the design, development, implementation, validation and continuous improvement of a management system.
• A BCMS will differentiate between:
  • BC – Business Continuity (your competencies and capabilities)
  • BCM – Business Continuity Management (your Process and Procedures for managing continuity)
  • BCMS – Business Continuity Management System (your System)
  • BCP – a Business Continuity Plan (process for continuity of a product, service, process etc)
Diagram labels: Competence & Capability; Process & Procedures; Systems.
Demonstrating capability, process, system
Enterprise Risk Management: is the “systematic application of management policies, procedures and practices for communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” in your organization.
Demonstrating capability, process, system
A Business Continuity Management System (or a crisis and continuity management system) is a part of an overall system of governance that establishes, implements, operates, monitors, reviews, maintains and improves business continuity and business resilience.

Crisis Management: is the capability of your organization to respond to an “inherently abnormal, unstable and complex situation that represents a threat to its strategic objectives, reputation or existence” and manage the consequences so disruption is kept to a minimum.

A Crisis and / or Business Continuity Plan: is a set of documented processes and procedures that guides your organization to respond, recover, resume and restore critical activities to a pre-defined level following disruption. Typically this covers resources, services and activities required to ensure the continuity of critical business activities / functions.

A Business Continuity Program: is your on-going management and governance process supported by Top Management (and appropriately resourced) to implement and maintain business continuity management. This is achieved through the running of a compliant BCMS.
Plan-do-check-act
Action | Comments
Do (implement and operate the BCMS) | Implement and operate the BCMS: policy, controls, processes and procedures. Document and maintain.
(Only the “Do” row of the table was captured.)
Key output: management system and plans
Diagram elements: Scope of management system; Establish and implement BC procedures; Communications; Documented information; Exercising and testing; BCMS.
Resilience Programme Management
Diagram columns: Risk Management | Emergency Response & Crisis Management | Business & IT Continuity & Recovery | Continual Improvement and Performance Measurement

Diagram boxes (numbered as on the slide):
• 1 – Mitigate Risks: Threats and Likelihoods; Risk Opportunities; Consequences and Management
• Reduce Critical Risk Impacted Processes and / or Prepare; Ensure Readiness to …
• 3 – Crisis & Continuity Management: CMPs, BCP, BRM
• Risk Materializes
• 4 – Emergency Response and Crisis Incident Management: Respond
• Business Continuity: Recovery and Restoration: Recover, Restore
• Lessons Learned and Corrective Actions
• Operational Plans; Functional Plans
The chronology of terms
Definitions placed along the timeline:
• Point to which information used by an activity must be restored to enable the activity to operate on resumption (the recovery point objective, RPO).
• Minimum level of service / product that is acceptable to the org. to achieve its business objectives during disruption (the minimum business continuity objective, MBCO).
• Period of time following an incident within which: product / service must be resumed; activity must be resumed; resources must be recovered (the recovery time objective, RTO).
• Time it would take for adverse impacts, which might arise as a result of not providing a product / service or performing an activity, to become unacceptable (the maximum tolerable period of disruption, MTPD).

Time: -1 | 0 | +1 | +2 | +3 | +4

You decide the intervals of time. They could be: seconds, minutes, hours, days, weeks, months, even years (!) depending on your business rhythms.
Measurements of time must be consistent across the whole organization. That way specific priorities can be set, managed and coordinated relative to all priorities. This ensures consistency of approach.
Product and Service
• The product – strategic
  • An insurance policy
Process
• The process – tactical
  1. Provide quotation
  2. Issue Policy
Activity
1. Activities – to undertake Provide Quotation (Operational)
   a) Answer the telephone / email
   b) Obtain details from the client
   c) Provide a verbal / email quotation
   d) Confirm verbal quotation with letter / email
2. Activities – to undertake Issue Policy (Operational)
   a) Receive payment from the client
   b) Produce policy documents
   c) Send policy documents to the client
Business Impact Analysis – Example
Product (Strategic):
• Insurance Policies
Processes – to deliver Insurance Policies:
• 1. Provide Quotation
• 2. Issue Policy
(Diagram label: Products and Services – Strategic)

MTPDs – Question: estimate the Recovery Time Objectives?
PRODUCT / PROCESS / ACTIVITY | MTPD | REASON
Receive payment from the client | 3 days | Cash flow will suffer
MTPDs and Recovery Time Objectives
PRODUCT / PROCESS / ACTIVITY | RTO | MTPD | REASON
Confirm verbal quote with letter/email | <3 days | 3 days | To meet Quality standards
Issue Policy | <5 days | 5 days | To deliver Insurance Policies
Receive payment from the client | <3 days | 3 days | Cash flow will suffer
Send policy documents to the client | <5 days | 5 days | To deliver Insurance Policies
MTPDs and Recovery Time Objectives
PRODUCT / PROCESS / ACTIVITY | RTO | MTPD | REASON
Confirm verbal quote with letter/email | 2 days | 3 days | To meet Quality standards
Issue Policy | 4 days | 5 days | To deliver Insurance Policies
Receive payment from the client | 2 days | 3 days | Cash flow will suffer
Send policy documents to the client | days | 5 days | To deliver Insurance Policies
RPO
Maximum Tolerable Period of Disruption
Department / Function / Process / Product / Activity | Maximum Tolerable Period of Disruption: <4 hours | 1 day | 2-3 days | 4-5 days | 1-2 weeks | 2-4 weeks | > 4 weeks

Bottom row (recovery options across the timescale): Repair or rebuild at time of incident – Least cost, Little resources | Time to recover, reliability, and ability to rehearse | Rent space, as a cold-site, and have replacement equipment available – 2-5 months
Business Continuity Dashboard
Dashboard tiles (figures shown on the slide: 9, 14, 4, 2; 2, 25, 125, 6; the mapping of figures to tiles was not captured):
• Time-Critical processes – 11 critical functions across organization out of total 48
• Locations – Location A, Location B; Plant A, Plant B
• IT Recovery Sites
• Critical IT Users
• External Dependencies – including subsidiaries, vendors / suppliers, and governmental departs
• Vital Record Types – Electronic Documents, Hard-copy Documents; varying levels of confidentiality
• Applications – total number of applications needed to support the recovery of the time-critical processes
• Time-Critical Employees – out of total 350
Final thought