Your SlideShare is downloading. ×
110430 bcm presentation v0.1 mj
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

110430 bcm presentation v0.1 mj


Published on

BBBF IT COMMS SIG Event BCM Presentation by Michael Jackson at British Club 13th June 2011

BBBF IT COMMS SIG Event BCM Presentation by Michael Jackson at British Club 13th June 2011

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Business Continuity Management
    Mike Jackson
  • 2. Agenda
    Slide 2
  • 3. What is Business Continuity Management?
    A good, although lengthy definition in BS 25999-1 is:
    "A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities“
    It is also called Business Continuity & Resiliency Planning
    In Plain language – Working out how to stay in business in the event of a significant occurrence
    Slide 3
  • 4. An interesting recent aspect of this topic is that some consultants are grouping the approaches of Risk Management and Business Continuity Management together.
    In my experience, there are benefits to be had by grouping these aspects since there is commonality in the early processes, and therefore cost savings, but the outcomes are strategically different and must must be exercised to assure the corresponding deliverables.
    For example, In the case of a glass being half full or half empty, RM will see it as probably half full and BCM will worry about the contents being hazardous or if the glass breaks how long it will take to clear up
    Slide 4
  • 5. Business continuity and disaster recovery planning is a key governance responsibility. The UK Companies Act 2006 gives statutory force to what has long been the worldwide common law duty of directors, which is to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence“  
    Principle responsibility lies with the CEO and his Executive Management team for their companies Business Continuity Management . The board of directors is accountable for ensuring that the organization has developed and tested business continuity and disaster recovery plans that deal with all the likely risks that face the organization.  
    Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions
    Slide 5
  • 6. Principle responsibility lies with the CEO and his Executive Management team for their companies Business Continuity Management
    Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions
    Slide 6
  • 7. Four Phases:
    Understanding the organisation
    Determine the Business Continuity Strategy
    Develop and implementing BCM response
    Exercising maintaining and reviewing
    Major Phases of BCM
    Slide 7
  • 8. There are 2 widely recognised standards:
    Two parts:
    • BS-25999-1 (2006) Code of Practice (Guide)
    • 9. BS-25999-2 (2007) Specification
    ISO/PAS 22399 (2007) Societal Security
    International Standards
    Slide 8
  • 10. What activities in your organisation, if stopped, cause the most impact to your business?
    Impact may be on:
    Cash Flow
    Meeting Statutory and Legal requirements
    Key Questions to ask
    Slide 9
  • 11. How are these activities delivered and what resources are used to support them?
    Resources may be:
    Plant and Machinery
    Premises and Furniture
    Computing and Telecommunications
    Data and Information
    Suppliers and Distributors
    Key Questions to ask (2)
    Slide 10
  • 12. Some other key questions are:
    Who is essential?
    What equipment, IT, Telecomms and other systems are necessary to continue to function?
    Who does the Org rely upon to carry out key activities?
    Who depends upon the Organisation?
    Are there any service levels, legal or regulatory obligations?
    Do Disaster Recovery, Business Continuity and emergency plans already exist?
    Are there any natural fluctuations of operational activity e.g. Month-end payroll or end of year for accounts
    Key Questions to ask (3)
    Slide 11
  • 13. You then need to consider:
    How long can your business manage without key activities? (This is important as this dictates what you focus on first)
    How essential is a departments work to the overall performance of the business on a day to day basis?
    Having identified key resources – consider the likelihood that these resources may be lost i.e. what are the risks to these resources?
    Key Questions to ask (4)
    Slide 12
  • 14. There are a number of things you can do before you bring in the consultant(s)
    Understand your business
    Identify what makes your business profitable
    • Map and document these processes
    • 15. Get agreement with the rest of the board team
    Conduct a high level SWOT analysis
    Determine what and where your vulnerabilities are that affect your productivity and profit
    Understand which resources are necessary for the business to continue
    Before the Consultants Arrive
    Slide 13
  • 16. Identify Possible scenarios
    • Determine how long it takes to replace
    • 17. Avoid doom and gloom – be realistic
    Establish and Understand replacement times
    Place Profit Processes in a priority order
    • You can do this in term of frequency of use or profitability or ease – whatever you decide
    • 18. Determine how long it takes to replace
    • 19. Personnel
    • 20. Resources
    • 21. Manufacturing Materials
    • 22. Suppliers
    • 23. Buildings
    • 24. Power, heating / cooling and lighting
    Before the Consultants Arrive
    Slide 14
  • 25. Develop a Risk Analysis Quadrant
    Before the Consultants Arrive
    Service Denial
    CEO Kidnapped
    Production Machine
    Slide 15
  • 26. Outline options for mitigating the identified business continuity risks
    Bring in your BCM consultants to review and document your findings and to add their own experience and value
    Before the Consultants Arrive
    They should design and develop the Business Continuity Plan and recommend how it should be initiated and maintained
    Slide 16
  • 27. You should expect the following outputs from this exercise:
    Identified Risks and associated mitigations
    Business Continuity Plan
    BCP Test scenarios and Test plans
    Outline Test schedule
    Crisis Management/Emergency Response/Incident Management procedures
    Outline DR Plans and Test scenario plans
    Slide 17
  • 28. You should test aspects of your BCP and the underlying Incident management and DR responses
    Use an external consultant where possible, as they should remain impartial and observe and report the outcome of the planned scenario
    Slide 18
  • 29. 80% of organizations with a tried and tested business continuity plan are likely to survive a major business discontinuity; only 20% of those without a business continuity plan are likely to survive.
    Over 90% of organizations that suffer a significant data loss are not in business two years later.
    The latest data indicates that many of the existing plans are not comprehensive and that maintenance (testing and updating) is generally inadequate.
    'Backup' is not the same as a business continuity plan, and terrorism should be specifically addressed.
    Public Domain Statistics
    Slide 19
  • 30. Questions
    Thank you
    Slide 20