Title Intro to BCM

Audience CBCI delegates

Date of Delivery 22 July 2019

Presenter(s) James C Royds (Hon) FBCI FCMI MBA DMS

Email 1

Email 2 james.royds@gmail.com
Document control
Version Name Title Date

0.1 J C Royds (Hon) FBCI Intro to BCM July 2019

23/07/2019 CBCI - Intro to BCM 1

 – James Royds FBCI thanks the Institute of Risk Management
(IRM), the Business Continuity Institute (BCI), the British Acknowledgements
Standards Institute (BSI), the Emergency Planning College
and the International organization for Standardisation (ISO)
for providing source material for this presentation.
– James Royds is an Honorary Fellow of the BCI and one of its
accredited trainers. He was Chairman of the BCI between
2010-2012. He is also a trained Lead Auditor for ISO
22301:2012.

Acknowledgemen
– Materials draw on good practice and international standards
include:
ts – ISO 22316:2017 – Security & Resilience – Principles and
Attributes
– BS 31100:2011 – Risk Management – Code of practice
and guidance for the implementation of BS ISO 31000
– BS 11200: 2014 – the British Standard’s Guidance for
Crisis Management
– ISO 22301:2012 – the International Standard for
Business Continuity Management BSI Standards Publication
– GPG 2018 – the Business Continuity Institute’s Good
Practice Guidelines 2018
23/07/2019 CBCI - Intro to BCM 2
 Ladies and Gentlemen please take your seats…
the show is about to begin!

Business Continuity Management

CBCI

Safety Curtain

23/07/2019 CBCI - Intro to BCM 3

 Date: 22 July 2019
Time: 09:00am
Venue: etc Venues
Location: Hatton, London
CBCI
Business Continuity Management

23/07/2019 CBCI - Intro to BCM 4

Business Continuity
Management

23/07/2019 CBCI - Intro to BCM 5

 “I cannot conceive of any vital disaster
happening to this vessel. Modern shipbuilding
has gone beyond that.” Captain Edward Smith

Was the crew any good at managing the crisis?

What capabilities did they not have?
Was the ship, were the crew / the passengers resilient?
Did the Company have any business continuity plans?
What could they have done differently?
Could it happen again?
23/07/2019 CBCI - Intro to BCM 6
 – Play Video

The Time is Now

https://www.youtube.com/watch?v=3IXEYVxTy4E

23/07/2019 CBCI - Intro to BCM 7

 Introduction to Business Continuity

Business Continuity Management (BCM) Lifecycle

Building organizational Resilience - What, Why and How
23/07/2019 CBCI - Intro to BCM 8
Introducing: James Royds FBCI
1996 – 2019 23 years in the industry
Chairman of the BCI 2010-2012
Honorary Fellow of the BCI
Fellow of the Chartered Management Institute 1999 - 2018
Sectors: Oil & Gas, Petrochemicals, Banking etc.
Independent adviser, trainer, facilitator, mentor, course writer
Lead auditor for ISO 22301:2012, Conference speaker
Working knowledge of BCM in GCC, Asia, UK, Europe
Author of the BCI's course on Organizational Resilience

CBCI - Intro to BCM

 BCM Qualifications
CBCI 2013-18
2013 – Pass with Merit
2018 – Pass with Merit

23/07/2019 Introduction to BCM 10

 Clients 2010 - 2019

23/07/2019 11
 Housekeeping, Health and Safety
- Fire alarms: None planned today
- Emergency exits: Follow signs
- Comfort breaks: Ladies / Gents Floors
- Mobile phones: Silent please!
Housekeeping, - Start: 09:00. Finish: 17:00 approx
Health & Safety - Timings breaks: 10:45, 12:45, 15:00
- Lunch: 12:45
- Handouts / templates: Electronic copies
- Air-conditioning: You have control!
- Attendance and Feedback forms: Local process
23/07/2019 CBCI - Intro to BCM 12
 Getting though the day
• Questions
• PowerPoint
• Notes
• Exam
• Case study
• Slides
• International Standards
• Confidentiality
• Chatham House
• Fun?
• Home work
Course key points
CBCI - Intro to BCM
23/07/2019 13
 • Day 1: Monday
• Intro to BCM
• Module 1 – Policy &
Program Management
• Module 2 – Embedding
• Day 2: Tuesday
• Module 3 – Analysis
• BIA Case Study
• Day 3: Wednesday
• Module 4 – Design
• Module 5 –
Implementation
• Day 4: Thursday
• Module 6 – Validation
CBCI training agenda • Feedback for BCI
• Day 5: Friday
<22-26 July 2019> • Exam

CBCI - Intro to BCM 23/07/2019 14

Timings Hrs 22-Jul-19 23-Jul-19 24-Jul-19 25-Jul-19 26-Jul-19

Day Monday Tuesday Wedneday Thursday Friday

# Day 1 Day 2 Day 3 Day 4 Day 5

1. Policy and Programme
Theme Management
2. Embedding BCM
08:30-09:00 0.5 Arrive: start of Day 1
Course administration
Introduction to BCM / CBCI
PP1 - Policy and Programme
09:00-10:30 1.5 Management (Slides 1-27);
Practical examples, case
studies, group discussion (as
time allows)
1. Business Impact Analysis
2. Threat assessment
Arrive: start of Day 2
Revision Day 1;
Course admin.
PP3 - Analysis: Business
Impacts, Treat assessment
(Slides 1-38); Practical
examples, case studies, group
discussion (as time allows)
1. Strategy options
development
2. Plans implementation
Arrive: start of Day 3
Revision Day 2;
Course admin.
PP4 - Design (Slides 1-20);
Practical examples, case
studies, group discussion
(as time allows)
1. Validation - Exercising
2. Validation - Maintenance, Exam day.
review, audit
Arrive: start of Day 4 Arrive by: 08:45 latest
Revision Day 3;
Please bring photo ID for exam
Course admin.
PP6 - Validation (Slides 1-33); Please check exam room on
Practical examples, case studies, arrival.
group discussion (as time allows) Exam briefing will start promptly
at 09:00. Please arrive by 08:45

10:30-10:45 0.25 Coffee / tea break
PP2 - Embedding BCM (Slides
1-19);
Practical examples, case
10:45-12:45 2 studies, group discussion (as
time allows)
Coffee / tea break
PP3 - Analysis: Business
Impacts, Threat assessment
(Slides 1-38);
Practical examples, case
studies, group discussion (as
time allows)
Coffee / tea break
PP5 - Implementation
(Slides 1-38);
Practical examples, case
studies, group discussion
(as time allows)
Coffee / tea break
All modules revision. CBCI exam You are free to leave the course
question technique. after you have taken the exam and
Please complete course feedback. completed your feedback. Your
exam proctor will advise.
Please sign exam results consent
form.

12:45-13:00 Lunch / personal time Lunch / personal time Lunch / personal time Lunch / personal time
PP1 / PP2 cont. CBCI exam PP3 cont. CBCI exam question PP4 / PP5 cont. CBCI exam 15:30 onwards personal revision.
question technique technique question technique Please read the Candidate
13:00-15:00 2 Information Pack.

15:00 - 15:15 Coffee / tea break Coffee / tea break Coffee / tea break Coffee / tea break
Modules and exam
15:15 - 17:00 1.75 Modules and exam technique Modules and exam technique Modules and exam technique
23/07/2019 CBCI - Introtechnique
to BCM 15
17:00 0 Depart: End of Day 1 Depart: End of Day 2 Depart: End of Day 3 Depart: End of Day 4
Do you all know
each other?!
Take 15 minutes getting to know the person you
are sitting next to:
• Q1. Who do you work for (name of
organization)?
Delegate • Q2. What do you do (job title) and for how
long?
introductions • Q3. What do you want out of this course?
• Q4. One interesting non-work-related fact about
the person you are introducing.

CBCI - Intro to BCM

 • What is BCM?
Business • Why is it necessary?
Continuity
Management • How does it work?

But let me first

start with a
question…
23/07/2019 CBCI - Intro to BCM 17
 ….what do ALL disruptive events have in common?

Time exists: Time exists: Time exists:

BEFORE the EVENT DURING the EVENT AFTER the EVENT

The answer is time Incident

Question: If we accept this simple idea, then what are we going to do about managing time?

18
….what do ALL disruptive events have in common?

Time exists: Time exists: Time exists:

BEFORE the EVENT DURING the EVENT AFTER the EVENT

The answer is time Incident

Phase 1 - Before Phase 2 - During Phase 3 - After

Enterprise Risk Management Crisis & Emergency Response Business Continuity Management
- Identify Management (emergency BCPs - Within minutes to days:
The - Assess response within minutes to - Contact staff, customers, suppliers etc.
building - Prevent hours): - Recover critical processes; Is this
blocks of - Reduce - Account for people - Rebuild lost work-in-progress
sustainable?
resilience - Mitigate - Deal with casualties
- Be Prepared to Respond - Contain damage BCPs – within days to months
capability - Assess damage - Repair/Replace, Recover to Normal
- Invoke Business Continuity - Adapt, Reassess and Improve

19
 Emergency Response, Crisis, Continuity and Recovery
Incident
Or go in
Overall Objective:
Back-to-Normal as soon as search of a
possible New
normal?

Risk B-A-U Incident Management Timeline Timeline

Management
Anticipate events:
Horizon Scan;
Assess likelihood & impact
Run risk register
Phase 2: Within minutes to days:
Contact staff, customers, suppliers etc.
1. Emergency Response Recover critical processes;
& Crisis Management Rebuild lost work-in-progress
2. Business Continuity

Phase 1: Within minutes to

3. Recovery / Resumption
hours: Phase 3: Within weeks to months:
Account for people; Repair / replace damage;
Deal with casualties; Relocate to permanent site Based on BS25999-1:2006
Contain damage; Recover costs from insurers
23/07/2019 Assess damage; CBCI - Intro to BCM 20
Invoke Business Continuity
 Question: What do you do if you know with certainty that disruption
(in this case an extreme weather event) is heading straight towards
your business and will cause damage on Thursday?
Answer: prepare for the worst and hope for the best!

And what are

If this is Business you acceptable
pre-defined
Continuity... So what are
your key levels?
products &
services?

Business Continuity is the capability of an organization to continue delivery of its products or

services at acceptable pre-defined levels following a disruptive event. Source: ISO 22301.

23/07/2019 CBCI - Intro to BCM 21

 – Determined by Top
Management
– Impact categories:
– H&S: Breaches in H&S
– Objectives: failure to meet
objectives
What is – Reputation: damage to
reputation or confidence
unacceptable?
among interested parties
– Revenue: damage to financial
value or viability
– Regulatory: failure to fulfil
legal / statutory obligations
– Impacts all need assessing
over time
23/07/2019 CBCI - Intro to BCM 22
BUSINESS CONTINUITY
What does it mean?

The capability of an
organization to
continue delivering its
products or services at
acceptable pre-defined
levels following
disruption.
Source: ISO 22301:2012 23/07/2019
CBCI - Intro to BCM 23
 BUSINESS
CONTINUITY
MANAGEMENT
“...an holistic management
process that identifies potential
threats to an organization and the
impacts to business operations
that those threats, if realised,
might cause; and which provides
a framework for building
organizational resilience with the
capability for an effective
response that safeguards the
interests of its key stakeholders,
reputation, brand and value
creating activities”.
ISO 22301:2102

23/07/2019 24
CBCI - Intro to BCM
 Why is Business Continuity necessary?
Why do we need Business Continuity
The world is
becoming turbulent
Management (BCM)?
faster than
organizations are
becoming resilient
Because: threats
on the increase…
• Natural disasters, cyber
crime, fraud and espionage,
extreme weather,
reputational damage etc
So we need a process to manage this…
23/07/2019
Because: exposure
& dependency on
the increase…
• Premises, people, IT,
networks, communications,
technology enablers, less
central control, new entry
points for intruders,
What are the risks to
CBCI - Intro to BCM
Because:
expectations on
the increase…
• Interested parties,
managers, business
partners, auditors and
regulators all demanding
more evidence of planning
and protective measures
your objectives?
25
What does it mean to be resilient?
If the purpose of BCM is to become Organizational Resilience:
The ability to anticipate
more resilient, what does being key events from emerging
trends, constantly adapt to
resilient mean? change and to bounce
back from disruptive and
damaging incidents
Source: ISO 22301:2012

“ability of a business to
anticipate, prepare for, and
respond and adapt to
incremental change and
sudden disruptions in order
to survive and prosper.”
ISO 22316:2017

23/07/2019 CBCI - Intro to BCM 26

Play video – Organizational Resilience
• https://www.youtube.com/watch?v=6T1EDZVyHoM

23/07/2019 CBCI - Intro to BCM 27

 A: By running a Management System
Q: How does BCM
work?

• All hazards approach

• System framework
• Business Continuity
Function
• Business partner
• Risk Management
• Crisis Management
• Business Continuity Plans
• Training

CBCI - Intro to BCM

 Strategy
Strategy development
development
Governance
Governance
Governance Understanding
Understanding
Understanding thethe
the business
business
business 4.4. Design
Design Training&
Training & Exercising
Exercising Continuous Improvement
Continuous
Continuous Improvement
Improvement
1.
1. Policy
1. PolicyPolicy &
& Program
Program
& Program 3.
3. Business
Business
3. Business Impact
Impact
Impact // Threat
Threat
/ Threat 5. 5. Implementation
Implementation 6. Maintenance
6. Maintenance
Maintenance&& Review
&Review
Review
Management
Management
Management
Assessment
Assessment
Assessment
2.
2. Embedding
Embedding
2. Embedding Exec
Exec

CMT
CMT
BIA: BIA:
BIA:
RPORPO
RPO BCTs
BCTs CM
CM Plans
Plans
Commitment
Commitment
Commitment MBCO MBCO
MBCO
Statements
Statements
Statements RTO RTO
RTO Self assessment
Self assessment
assessment
MAOMAO
MAO
Internal
Internal///
Internal
BC
BC Plan
Plan External
External Audit
ExternalAudit
Audit
Individual &
Individual &
Stage
Stage 1 11
Stage Stage
Stage 3 3
Stage Recovery
Recovery
Recovery
Strategies
Strategies
Strategies Collective
Collective
Training
Training
Functional
Functional
BCMS
BCMSBCMS BAUBAU
BAU Stage
Stage 44 Stage55
Stage ororDept.
Dept. Stage 6
Stage
BC BC
BC Status
Status
Status BCBC Plans
Plans
Risk
Risk
Risk
Manual
Manual
Manual Mitigations
Mitigations
Mitigations Management
Management
Management
&
& Resources
Resources
& Resources Review
Review
Review
Crisis
Crisis
Communications
Communications
Manual
Manual

Community
Community
Community of
of Practice
Practice
of Practice RiskRisk
& &
Risk &
Th
Threat
Th reat reat
Plan exercises,
Plan exercises,
Technical
Technical
Technical Guidance
Guidance
Guidance Rehearsals,
Rehearsals,
Assessment
Assessment
Assessment
Group
Group
Group Defined
Defined
Defined Practice
Practice
Practice ITDR Tests
ITDR Tests KPI –––Performance
KPI Performance
Performance
ITIT
DRDRPlan
Plan && Evaluation
&Evaluation
Evaluation

Stage
Stage 2 22
Stage
23/07/2019 CBCI - Intro to BCM 29
 Risk Crisis Business Continuity Continual

Mitigate Risks: Reduce

Management Management Management Improvement

Consequences and
1

Management
Enterprise
Threats and

Likelihoods

Risk
Opportunities

Critical Risk
Respond to Disruptions

Impacted Processes
Ensure Readiness to

OR

Crisis & Continuity

Mission Critical

Management
2 Prepare Business
Processes Continuity Plans for high
Prepare Crisis risk and mission critical
Management processes
Plans for credible disruption
Credible scenarios
Disruption
Scenarios

Risk Management Business Continuity Management Audit Plan

CMPs, BCP Updates
Manage Risks,

Management

3
Program

Risk Register CMP Development Testing BCP Development Quality Audits and
BCM

Updates & Updates Testing & Updates Corrective Actions

Risk Materializes

Emergency Lessons
Business
Recover, Restore

Response and Crisis Learned and

Incident Management Continuity: Recovery and Corrective
4 Restoration Actions
Respond,

23/07/2019 CBCI - Intro to BCM 30

Operational Plans
“Plans are of little importance, but
planning is essential” – Winston Churchill Evidence of capability
Organizations need to demonstrate evidence of
BC Capability capability across four areas:
CAPABILITY: in Crisis Management & Business Continuity
BCMS Management Systems SYSTEMS: in Business Continuity Management System
(your Management System)
BCM Process and procedures PLANNING: in Business Continuity Management
(Planning, Process and Procedures)
BCP Plans PLANS: in Business Continuity Plans

Evidence is demonstrated by
“Plans are nothing; planning is
everything” – Dwight D. Eisenhower
trained and exercised people
and documented plans

CBCI - Intro to BCM

BCM – what are the
main outputs or
deliverables?
Outputs from the
implementation of a BCM
program:
– Documented Business
Continuity plans
– Exercise Program
– Trained people
– Evidence of due process
– Planning and Response
capabilities

23/07/2019 CBCI - Intro to BCM 32

 Shall we begin the journey?

23/07/2019 CBCI - Intro to BCM 33