2. Objective of this chapter: Introduce risk management and business continuity management as part of good governance; develop the link between risk management and business continuity management as part of a risk management framework
3. Material references: A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance, Julia Graham & David Kaye, 2006, Chapters 1-3; COSO Enterprise Risk Management Framework, 2004; Standards Australia, AS/NZS 4360:2004; PAS 56:2003, Guide to BCM, BSI, March 2003; Expecting the Unexpected, www.london-first.co.uk, 2003; Aligning Business Continuity and Information Security, Special Project Report, 2006; Dr. GohMehHeng, Managing & Sustaining Your Business Continuity Management Program, 1st ed., 2007; Dr. GohMehHeng, Implementing Your Business Continuity Plan, 1st ed., 2004; Andre Hiles, Enterprise Risk Assessment and Business Impact Analysis, 1st ed., 2002
4. Risk Managing Today: The essence of risk management is A BALANCING ACT: getting the balance right between taking and exploiting risk
5. Risk Managing Today: The challenge for management is to create an environment that facilitates the identification and tight control of the negative risks, while nurturing an environment that allows for the identification and conversion of opportunities, and to determine how much uncertainty an organization is prepared to accept (risk tolerance)
7. Do we have control over the linkage between effect and cause of risk? Maximize Controllable Area; Insurance; Outsource; Others; Mitigation Tools; BCM; Minimize Uncontrollable Area; Transfer the risk; BCM as alternative mechanism for risk mitigation
8. Business Continuity Management: As a potential key control to minimize the impact of disasters on the organization, its people, and assets; as an alternative mechanism for risk mitigation; as a contributor to the resilience of organizational processes against business disruption. "A Strategic management process to identify potential incidents and develop effective response plans" - BCM Institute -
9. Business Continuity Management: "A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value creating activities" - BCI PAS 56 -
10. Business Continuity Management: BCM is not just a response; it is also building resilience to strengthen an organization. BCM is not just about fighting fires; it is also about understanding what might be at risk and developing strategies if things do go wrong. BCM is not just about having over-elaborate plans to recover a business; it is also about having plans that suit the nature of your business. BCM is not an add-on to business. To be effective, it must be an embedded management process, as part of risk management and part of good business management. It's a proactive process that concentrates on the critical resources required to continue key business processes, regardless of the event.
11. What is Business Continuity Planning? The main purpose of the BCP process is to ensure continuity of product / service delivery following an unplanned disruption to normal working. "An ongoing process that helps organisations anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect." Civil Contingencies Act 2004
13. Successful recovery or failure? [Figure: level of business plotted against time, with the critical recovery point marked. Curves: A, fully tested effective BCM; B, No BCM – lucky escape; C, No BCM – usual outcome.]
14. Understand your business: What functions are critical? What are the ingredients of those functions? What is the impact of them being disrupted (internally, externally)? How long could you cope without them?
15. Identify Risk: What if? Fire; crime (theft / damage); flood; power disruption; IT failure; staff shortage; road network disruption / fuel problems; severe weather; reputation loss / customer confidence
16. Consequences: Loss of premises; loss of essential information; loss of staff; loss of a key supplier; loss of specialist equipment; disruption to finance flow; loss of company reputation
18. Risk mitigation examples: IT procedures (back up information off site); physical security; fire prevention, alarm and suppression systems; flood protection (internal & external); alternate communications
19. Recovery Strategies: Business continuity plans; other disaster recovery plans & procedures; plans kept on and off site.
21. Key lesson to be learned in relation to minimizing the impact of disasters on the organization, its people, and assets