Business Continuity Managementchapter 1: an overviewDiane Christina

Objective of this chapterIntroduce risk management and business continuity management as part of good governance Develop the link between risk management and business continuity management as part of a risk management framework

Material referencesA risk management approach to business continuity: Aligning business continuity with corporate governance, Julia Graham & David Kaye, 2006, Chapter 1-3COSO Enterprise Risk Management Framework: 2004Standards Australia: ASNZS 4360: 2004PAS 56:2003 – Guide to BCM:BSI: March 2003Expecting the Unexpected: www.london-first.co.uk: 2003Aligning Business Continuity and Information Security: Special Project Report, 2006Dr. GohMehHeng, 1st ed. 2007, Managing & Sustaining Your Business Continuity Management ProgramDr. GohMehHeng, 1st ed. 2004, Implementing Your Business Continuity PlanAndre Hiles, 1st ed. 2002, Enterprise Risk Assessment and Business Impact Analysis

Risk Managing Today The essence of risk management is A BALANCING ACTGetting the balance right between taking and exploit risk

Risk Managing Today The challenge for management is to create an environment that facilitates the identification and tight control of the negative risks, while nurturing an environment that allows for the identification and conversion of opportunities, and to determine how much uncertainty an organization is prepared to accept (risk tolerance)

Risk Management vs Business Continuity ManagementIn managing risk,Do we have control over the outcome?Do we have control on the linkage between effect and cause of risk?Maximize Controllable AreaInsuranceOutsourceOthers Mitigation ToolsBCMMinimize Uncontrollable AreaTransfer the riskBCM as alternative mechanism for risk mitigation

Do we have control over the outcome?

Do we have control on the linkage between

Business Continuity ManagementAs potential key control to minimize the impact of disasters on the organization, its people, and assetsAs an alternative mechanism for risk mitigationAs a contributor to business resilience in organizational processes to business disruption A Strategic management process to identify potential incidents and develop effective response plans- BCM Institute -

Business Continuity ManagementA holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value creating activities- BCI PAS 56-

Business Continuity ManagementBCM is not just a response also building resilience to strengthen an organization BCM is not just about fighting firesalso developing understanding what might be at risk and developing strategies if things do go wrongBCM is not just about having plans to recover a business that are over elaboratealso about having plans that suit the nature of your businessBCM is not an add-on to businessTo be effective, it must be an embedded management process, as part of risk management and part of good business management It’s a Proactive Process that concentrates on critical resources required to continue key business process disregards the event

What is Business Continuity Planning? The main purpose of the BCP process isto ensure continuity of product / service delivery following an unplanned disruption tonormal working.“An ongoing process that helps organisations anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect.”Civil Contingencies Act 2004

BC incidents

Fully tested effective BCMABNo BCM – lucky escapeCNo BCM – usual outcomeSuccessful recovery or failure?Level of businessCritical recovery pointTime

Understand your businessWhat functions are critical?What are the ingredients of those functions?What is the impact of them being disrupted?InternallyExternallyHow long could you cope without them?

Identify Risk- What if????Fire Crime – theft / damageFloodPower disruptionIT failureStaff shortageRoad network disruption / fuel problemsSevere weatherReputation loss / customer confidence

ConsequencesLoss of premisesLoss of essential informationLoss of staffLoss of a key supplierLoss of specialist equipmentDisruption to finance flowLoss of company reputation

Risk StrategiesIdentify and evaluate risk mitigation optionsReduce likelihoodReduce impact

Risk mitigation examplesI.T procedures back up information off sitePhysical securityFire prevention, alarm and suppression systems.Flood protection (internal & external)Alternate communications

Recovery StrategiesBusiness Continuity Plans.Other disaster recovery plans & procedures.Plans kept on and off site.

Case StudyThe Auckland Power Failure Auckland, New Zealand, 1990The Manchester Bombing Manchester, UK, 1996The Ladbroke Grove Rail Disaster London, UK, 1999The Marriot and Ritz Carlton Jakarta, Indonesia, 2009Brief Description on the eventKey lesson to be learned in related to minimizing the impact of disasters on the organization, its people, and assetsMaximal 2 pages A4, 1.5 line spacing, 11 font size

Brief Description on the event

Key lesson to be learned in related to minimizing the impact of disasters on the organization, its people, and assets

Maximal 2 pages A4,

1.5 line spacing, 11 font size