BUSINESS CONTINUITY IN THE SPOTLIGHT . . . A look at BS 25999  and how it's implemented
Transcript of "Download PDF"

  1. BUSINESS CONTINUITY IN THE SPOTLIGHT . . . A look at BS 25999 and how it's implemented
  2. Why are you here today?
     • Defining your scope Denis Ives
     • How to define your scope LRQA
     • Why should you gain Certification?
     • The benefits of gaining certification
     • BT 21st Century Network - A BCM Case Study Tim Pinnell
     • The approach, benefits and problems encountered, plus how they were resolved BT Group
     • Summary and Questions David Evans
     • Your opportunity to ask the team about Business Continuity, certification, etc . . . LINK Associates
     • Welcome & Introduction David Evans
     • Business Continuity Management (BCM) terminology explained LINK Associates
     • An Uncertain World Momcilo Kovacevic
     • Change, uncertainty and the main business drivers for BCM LRQA
     • Why should I be bothered?
     • Case study examples, discussing lessons learned
     • Building a BCMS to BS 25999
     • Overview of BS 25999
  3. David Evans, Managing Director, Link Associates International: Welcome & Introduction
  4. Why are you here today?
     • What is Business Continuity Management?
     • How to go about implementing a system
     • Why you should certificate your system to BS 25999
     • How to define the scope of your system
     • Case study: BT 21st Century Network
  5. What is Business Continuity Management?
     • A review process to help organisations understand what is important to them
     • A method for dealing with the unexpected
     • A new name for risk assessment
  6. What is Business Continuity Management?
     “The holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities” BS 25999-2:2007
  7. An uncertain world . . . Momcilo Kovacevic, LRQA
  8. “We live in an increasingly uncertain world” Safety Recall
  9. More change and uncertainty
     • Changing nature of business
     • Increasing globalisation
     • Complex Supply Chains
     • Greater penalties for failure
     • Increasing expectations
     • Increasing legislation
  10. Business Continuity Management: PRINCIPAL DRIVERS
     Drivers: Legislation; Central Gov; Regulators; Corp Gov; Clients; Insurers
     SECTOR: Utilities - Electricity, Gas & Water; Transport & Logistics; Retail / Wholesale; Manufacturing & Production; Local Government & Emergency Services; IT & Telecommunications; Health & Social Care; Finance & Insurance; Education; Construction; Central Government; Business Services
  11. Why should I be bothered?
  12. Still not convinced about BCM?
     • 20% of UK organisations suffer disruption each year caused by lower level incidents; such as fire, sickness, loss of technology, denial of site access, loss of key suppliers . . .
     • These events may not impact on the wider community but can lead to the failure of an individual organisation through loss of customers and disruption to cash flow . . .
  13. Buncefield Oil Depot Disaster
     • No loss of life
     • Largest fire in Europe since World War Two
     • 630 businesses disrupted for 2 days
     • 16,500 people disrupted
     • 88 businesses severely impacted
     • Many buildings & content destroyed
     • No access to buildings or stock
     • Some businesses relocated
     • Employees forced to travel
     • Significant costs incurred.
  14. Critical Success Factors / Lessons Learnt by Royal & Sun Alliance
     • Planning is essential
     • Communication is critical
     • Pick the best team(s) available
     • Teamwork is critical
     • Management commitment and support essential
     • Pace your recovery to reflect your own business type and needs
     • Give employees space and time to recover
     • Ensure the right infrastructure and support are available as long as is required.
  15. Building a BCMS to BS 25999
  16. Overview of BS 25999-1:2006
     • Code of Practice
     • Recommendations and Guidance
     • You cannot achieve certification to this standard
     • BS 25999-1:2006 establishes the process, principles and terminology of Business Continuity Management
     • BS 25999-1:2006 defines a system based on Business Continuity Management good practice.
  17. Overview of BS 25999-2:2007
     • Planning
     • Business impact analysis
     • Risk assessment
     • Strategy
     • Awareness & training
     • Structure, roles & responsibilities
     • Procedures
         • Incident handling
     • Implementation & Operation
     • Business Continuity Plan development
     • Exercising plans
     • Incident handling
     • Competence & capability maintenance
     • Performance Assessment
     • Results review
     • Evaluation of compliance
     • Internal audit
     • Improvement
     • Corrective, preventive & improvement action
     [Diagram: Management System PLAN / DO / CHECK / ACT cycle with the stages Policy, Planning, Implementation & Operation, Performance Assessment, Improvement, Management Review]
  18. 10 Standards of Professional Competence (BCI)
     • Initiation and management
     • Business impact analysis
     • Risk assessment and control
     • Developing BCM strategies
     • Co-ordination with external agencies
     • Incident response and operation
     • Developing and implementing incident plans and business continuity management plans
     • Incident communication
     • Maintaining and exercising plans
     • Awareness and training programmes.
     Source: BCI Standards of Professional Competence (Aug-03)
  19. BCM benefits
     • Planning for BS 25999 actively makes you more resilient to being disrupted if faced with organisational threat
     • Successfully rehearsing BS 25999 action plans visibly proves your ability to maintain critical business services to a level and timescale you set as being appropriate for your organisation
     • Exercising will help reduce the impact of any potential disruption to working practices and service / product delivery
     • Should disruption happen a BCM system will aid effective and prompt recovery afterwards, so helping protect market share, reputation and brand.
  20. Denis Ives, UK & Ireland Manager, LRQA: Defining your scope
  21. Defining your scope
     • All management systems require a defined scope
     • Scope defines which parts of your business activities you need to control to achieve your management system objectives
     • If you don’t fully define scope, how do you know what to control?
     • Scope definition for Business Continuity is more important and complex than some other management systems.
  22. Defining your scope
     [Diagram labels: Head Office; Support Activity 1 to Support Activity 7; Product / Service 1 to Product / Service 3]
  23. Defining your scope
  24. Defining your scope
     • Spend time to define the scope of the products and services to which the BCM applies
     • Identify your critical internal supporting activities which support the scope
     • Identify all external critical supporting activities which support your scope
     • In many cases the dependence on critical supporting activities will mean the system extends further than you may initially have expected.
  25. Why should you gain Certification?
  26. Why should you gain Certification? Mandate BS 25999 certification
  27. Why should you gain Certification?
     • Supply Chain requirement:
         • Major manufacturers are increasingly dependent on extensive and complex supply chains
         • Likely to look for increased confidence in supply continuity
         • Early adoption will increase competitive advantage
         • Likely to become a prerequisite for future contracts.
  28. Why should you gain Certification?
     • Civil Contingencies Act 2004
         • Business continuity planning is mandatory for all Category 1 services
         • Public organisations will be looking to demonstrate they have met their obligations of the CCA (2004)
         • This will include critical outsourced activities
     • Financial Services Authority
         • FSA currently has its own requirements for business continuity in FSA regulations.
  29. Why should you gain Certification?
     • Establishes a goal that supports system development
     • Ensures system is maintained and improved over time
     • Provides independent feedback on system effectiveness
     • Supports continual improvement
     • Provides independent assurance to customers and other stakeholders.
  30. More information?
     • Audit Services
         • The only certification body able to offer UKAS-accredited BS 25999 certification in any industry sector in the UK
         • Gap assessments
         • UKAS-accredited certification
     • Training
         • Overview
         • Implementation
         • Performance assessment
         • Public and In-company courses.
  31. Tim Pinnell, Group Security and Continuity Policy Manager, BT Group: BT 21st Century Network - A BCM Case Study
  32. Certifying BT’s 21CN to BS25999. Tim Pinnell, Group Security and Continuity Policy Manager
  33. 21CN - our current UK network
     [Network diagram labels: IP ATM PSTN DSL KStream PSTN Leased lines PDH Fibre Copper SDH access PDH access End User ~5.5k sites ~2k sites ~300 sites ~100 sites ~15 sites MSH -SDH ~1k sites SDH VC-12 PDH access SDH VC-4]
  34. 21CN - our simplified UK network
     [Network diagram labels: IP-MPLS-WDM DSL Fibre & Copper Copper Agg Box End User ~5.5k sites ~100 sites Class 5 Call Server Content WWW ISP Multi-service access Converged core Wireless]
  35. [Diagram labels: Incident Site Disaster Recovery Network Management Incident Manager Multiple Incident Management Centres around the globe Incident Management Teams work 24/7 Disaster Recovery Team on-call 24/7 Forward Control Point Managers on call RED Team are UK-wide Forward Control]
  36. 25999
     • We like it
         • Everything you would expect
     • But
         • Not fit for multiple certifications
  37. Policy and Objectives
     • Policy
     • The purpose of this BCMS is to support the stated 21CN business continuity requirement:
         • “21C will at least equal the 20C customer experience for all equivalent products and services”
     • This is in accordance with the objective of BT’s business continuity policy:
         • “To support BT’s aspiration to be the most resilient corporation in the world”
     • Objectives
     • To demonstrate to BT’s customers through certification to BS25999 that the 21CN has sufficient and appropriate business continuity capability.
     • Operate a business continuity governance regime in accordance with the standard to ensure that:
         • There is an effective incident management capability
         • There is appropriately skilled resource available to ensure effective response to incidents
         • The 21CN continues to improve its BC capability
         • BT remains compliant with its legal and regulatory obligations
  38. Scope and the supporting activities
     [Diagram labels: 21st Century Network Supply Chain People Supply Communications Power]
  39. Supporting or CRITICAL supporting activity
     Critical activities are determined by the following criteria:
     • Impacts resulting from the disruption of one or more of the platform services yield an MCA score of >=40
     • The platform is a 21CN platform
     Non-critical activities have achieved a MCA score of <40 and are awarded a non-critical priority score in the range 2-9. The actual score awarded within this range will be based upon a number of factors including experience, geography etc, and will reflect the unique circumstances of each disruption.
     [Diagram labels: Test Facility People Provision Supply Management Suppliers Environmental Mgmt Information services Internal Voice Mobile Voice Internal Messaging Network Mgmt Incident Mgmt Upgrade Governance Broadband Continuity Transfer Engineering]
  40. CSAs – Managing conflicting requirements
     [Diagram labels: CSA 1 CSA 2 CSA 3 CSA 4 ENTERPRISE RTO = 6 days BCMS 1 RTO = 2 hours RTO = 12 hours RTO = 1 day RTO = 2 days BCMS 2 RTO = 12 hours RTO = 1 day RTO = 6 hours RTO = 12 hours BCMS 3 RTO = 1 hour RTO = 6 hours RTO = 6 hours RTO = 1 day RTO = 2 hours RTO = 12 hours RTO = 12 hours]
  41. Plans and Exercise
     • Risk driven
     • Manage conflict
     • Do it, and learn from it
  42. Also
     • Communications and awareness
     • Training
     • How to be audited
  43. Summary
     • Get senior management buy in
     • Be clear about your policy and objectives
     • Make sure you have the scope right and identify your critical supporting activities
     • Ensure that your plans are risk-based, that you exercise them and learn from them.
  44. BUSINESS CONTINUITY IN THE SPOTLIGHT . . . A look at BS 25999 and how it's implemented
     For more details please contact us: T: 0800 783 2179 F: 024 7630 2662 E: [email_address] www.lrqa.co.uk/bs25999