The RM To BC Route Presentation John Agius_G31000 Conference-Paris 21-22 May 2012 V4.2

Presentation prepared for the G31000 ISO 31000 International Conference, Paris, France 21-22 May 2012



Slide 1: The RM to BC Route (How ISO 31000 benefits Business Continuity)
Presentation by: John Agius M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW
ISO 31000 Conference, Paris, France, 21 – 22 May 2012

Slide 2:
When organizations decide to implement BC, RM, together with the basic BC prerequisites, is already established through the RM process within the organization. This is not the exception but the case every time.
Slide 3: The RM to BC Route (agenda)
• ISO 31000 & 22301 standards series
• Management
• Risk (and RM)
• BC or disruption-related risk?
• We all manage risk
• Historical view of Management, RM & BC
• The Disaster Sequence Model (DSM)
• The treatment of risk
• How ISO 31000 benefits BC
• Way forward

Slide 4: ISO 31000 & 22301 series
Series standard: a researched and established model depicting how to develop, deploy and manage a practice.
ISO 31000:2009 Risk Management – Principles and guidelines
ISO 22301:2012 Societal Security – Business Continuity Management Systems – Requirements
• Many countries around the globe are, or will be, formally adopting the standards
• New framework format:
  • Integration of previously independent systems
  • Common terms and processes
  • Embedding various management systems
• Development process:
  • Broad range of experts from around the globe
  • Providing an updated framework of good practice
  • Building on the work of key national standards bodies
• Valid internationalization of standards
• Greater universal consistency
• Meeting the needs of global organizations
Slide 5: ISO 31000
ISO 31000: Risk Management – Principles and guidelines
ISO 31010: Risk Management – Risk assessment techniques
• 31000:2009 – Provides principles and generic guidelines on risk management. It can be used by any organization (public, private or community enterprise, association, group or individual) and is not specific to any industry or sector.
• 31010:2009 – A supporting standard for ISO 31000; provides guidance on the selection and application of systematic techniques for risk assessment.
• Guide 73:2009 – ISO guide providing the definitions of generic terms related to risk management.

Slide 6: ISO 22301
ISO 22301: Societal Security – Business Continuity Management Systems – Requirements
ISO 22313: Societal Security – Business Continuity Management Systems – Guidance
• 22301:2012 – Specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruption.
• 22313:2012 (expected) – Provides guidance to ISO 22301 for setting up and managing an effective BCMS.
Slide 7: Management
• We speak about management – what is management?
• The standards define:
  – Management system: set of interrelated or interacting elements to establish policies and objectives, and processes to achieve those objectives.
  – Integrated management system: a management system that merges more than one field, such as quality or environment. (ISO 22301, 3.16)

Slide 8: Management is:
The process of reaching organizational goals by working with and through people, premises, technology, information, supplies and stakeholders.
– Characteristics:
  – Continuing and related activities;
  – Objectives (achieving organizational goals);
  – Threats & opportunities;
  – Resources;
  – Stakeholders.
– Functions:
  – Define/Plan (plan)
  – Design/Organize & Influence (do)
  – Do/Control (check)
  – Deliver/Improve (act)
Slide 9: Risk & BC
• Risk: effect of uncertainty on objectives. (ISO 31000, 2.1)
• Risk management: coordinated activities to direct and control an organization with regard to risk. (ISO 31000, 2.2)
• Business continuity: strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (ISO 22313, 3.3)
• BC management: management process which provides a framework for building capability that safeguards the objectives of the organization including its obligations (to what objectives / obligations?). (ISO 22301, 3.2)

Slide 10: Risk (and RM) – a deeper look
• Risk – effect of uncertainty on objectives
  • Effect – deviation from the expected, positive or negative.
  • Objectives – different aspects at different levels.
  • Risk – characterised by reference to potential events and consequences, or a combination of these.
  • Risk – expressed in terms of a combination of the consequences of an event and the likelihood of occurrence.
  • Uncertainty – state, even partial, of deficiency of information about, or knowledge of, an event or its consequence.
– Risk arises from threats, opportunities and disruptive incidents
Slide 11: Threats, Opportunities, Disruptions
• For every threat – an opportunity
• For every threat/opportunity – a potential disruption

Threats                 | Opportunities
- Reduced turnover      | - Plan to increase turnover
- Reduced custom        | - Seek to improve custom
- Disruption to plans   | - Make new/upgrade plans
- Etc.                  | - Etc.

Disruptive events – potentially occur to both 'threats' and 'opportunities'

Slide 12: Types of risks
• Three:
  – Threat
    • Down-side risk
    • An indication or warning of potential danger
  – Opportunity
    • Up-side risk
    • Missed or would-be opportunity
  – Disruption-related
    • Disruption risk
    • Potential interruptions (to key products, services, resources, etc.)
    • "risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them". (ISO 22301:2012, 8.3.3.4 (a))
Slide 13: Risk specialisms
Overall management system (ISO 31000, 4.1):
– Holistic: general / business
– Fields/elements (ISO 22301, 3.16), e.g. quality, environment, risk, etc.
– Specialisms (M_o_R 3rd Edition), e.g. the specialisms listed below
– Integrated management system (ISO 22301, 3.16)
– Systematic, timely and structured (ISO 31000, Principles)

Specialisms (M_o_R):
– BC / DRR
– Incident Management
– Crisis Management
– H&S
– Security
– Financial
– Environmental
– Reputational
– Contract

M_o_R: Guidance for Practitioners, 3rd Edition. Author: OGC (Office of Government Commerce). Publisher: TSO (The Stationery Office, UK). Purposely updated in line with ISO 31000.

In this presentation the focus is on 'risk' and on the first specialism in the list, i.e. 'BC' / 'DRR' (disruption-related risk).

Slide 14: BC or disruption risk?
• Business continuity or disruption-related risk?
  – What is commonly termed "business continuity" is a type of disruption-related risk influencing the achievement of organizational continuity objectives, and in particular the uninterrupted delivery of key products and/or services.
  – Disruption-related risks should be treated as such and are best dealt with as part of the treatment options available within the risk management discipline.
  – Continuity plans are one of the tools that can be adopted to manage disruption-related events.
  – Manage disruption to: achieve, maintain, protect & mitigate continuity.
Slide 15: Protection through mitigation
• ISO 22301, 8.3.4.3 – For identified risks requiring treatment, the organization shall consider proactive measures that:
  – a) reduce the likelihood of disruption;
  – b) shorten the period of disruption; and
  – c) limit the impact of disruption on the organization's key products and services.
  – The organization shall choose and implement appropriate risk treatments in accordance with its level of risk acceptance.

Slide 16: We all manage risk
On global and national levels, organizations:
• Take and manage risks
  – Benefit » profit (hopefully)
  – Suffer » loss (possibly)
Slide 17: Managing risk
– Risk is not static
• Risk ownership and accountability remain with the owner(s):
  – Overseers
  – Sponsors
  – Owners
  – Managers
• Risk management role – facilitating RM expertise:
  – Practitioners
  – Professionals
• The non-static element of risk demands flexibility
• Flexibility is performed by people
• RM is a discipline practised by people
• When people err – organizations suffer/lose
• When people do well – organizations benefit/profit

Slide 18: Management (methodology)
• Like risk, management methodology:
  • The overall (general / business) management system
    – is not cast in stone;
    – it is continuously changing / evolving.
  • So are standards & systems – "ISO is no exception".
Slide 19: Management (background)
• Management (overall system):
  • Recognizes – roots (where it came from)
  • Acknowledges – status quo
  • Seeks – future direction (way forward)
– Management – Risk & Business Continuity:
  • Roots: general / business management
  • Status quo: centred / focused management – fragmented; siloed; diverse terminology; etc.
  • Future direction: integrated management

Slide 20: Management (status quo)
• Standards
  • National
  • International
  • Non-standards
• Management
  • Strategic, tactical, operational, etc.
• Risk management
  • IRM; AIRMIC; RMA; PRMIA; RIMS; PRIMA; GARP; etc.
• BC management
  • BCI; BCPA; ACP; ICOR; BCM Institute; etc.
• Disparate approaches
  • Segregation rather than integration, siloism
  • Confusing terminology, different interpretations
  • Incompatible definitions (sometimes)
  • Higher costs, inefficiency
  • Repetition, reinventing the wheel
  • One hundred and one other issues
Slide 21: Management, RM & BC – historical view
– Management (general / business)
  • Originally based on intuition and limited informed decisions
  • Sporadic/instinctive decision making and limited planning
  • Tools: SWOT (Strengths, Weaknesses, Opportunities, Threats)
  • Framework: 4D's (Define, Design, Do, Deliver)
  • Lacking focus on the management of threats
  • Thus, the emergence of RM as an independent management system
– Risk management
  • Formerly – 'threat handling (negative) within general / business management'
  • Focus – threats (opportunity is a recent addition; traditionalists still ignore it)
  • Tools: RA and other "risk assessment techniques" (see ISO 31010, Annex B)
  • 4T's (Terminate, Treat, Transfer, Take)
  • Framework: DIM-RI (Design, Implement, Monitor-Review, Improve)
  • Lacking focus on disruption/interruption-related risk
– BC management
  • Formerly – 'disaster recovery', and the failure of RM to identify the 'risk of disruption'
  • Focus – 'disruption/interruption/recovery' (of critical products & services)
  • Tools: RA & BIA and other "risk assessment techniques" (ISO 31010, Annex B)
  • PDCA (Plan, Do, Check, Act – applied to BCMS processes)
  • BCM – the result of the failure of RM & DRP to provide a plausible solution to the effects disruption-related incidents were having on organizations during the 1970s and mid-1980s.

Slide 22: Management – Integrated Management System
[Figure: integrated management system diagram. Centre: SMART objectives with the Define, Design, Do, Deliver cycle. Inputs: internal and external stakeholders, requirements for preparedness and continuity, organization environment. Outputs: organization, managed preparedness and continuity management.]
Slide 23: Risk Management – Integrated Management System
[Figure: the ISO 31000 framework mapped onto the integrated management system. Mandate and commitment; SMART objectives. Principles: value; org. process; decisions; uncertainty; information; tailored; HR & culture; transparent; inclusive; dynamic; iterative; responsive; facilitate. Framework: design of framework for managing risk; implementing risk management; monitoring and review of the framework; continual improvement of the framework. Process: establish context; assess risk (identify, analyze, evaluate); treat risk; communicate & consult; monitor and review. BC disruption risk and various assessment techniques feed the process. Inputs: stakeholders, requirements for preparedness and continuity. Outputs: organization, managed preparedness and continuity management.]

Slide 24: Business Continuity Management
[Figure: PDCA cycle for the BCMS with continual improvement of the preparedness and continuity management system. Establish (Plan); Implement and Operate (Do); Monitor and review (Check); Maintain and Improve (Act). Inputs: risk assessment, business impact analysis, other assessment techniques; stakeholders; requirements for preparedness and continuity. Outputs: organization; managed preparedness and continuity management.]
Slide 25: Management (present-day)
[Figure: integrated management system diagram as on slide 22. SMART objectives; Define, Design, Do, Deliver cycle; internal and external stakeholders; requirements for preparedness and continuity; organization environment; organization; managed preparedness and continuity management.]

Slide 26: Integrated Management (to be)
[Figure: integrated management system with the Plan, Do, Check, Act cycle at its centre, fed by Principles, Process and Other Techniques. Inputs: internal/external stakeholders, requirements for preparedness and continuity, organization environment. Outputs: organization, managed preparedness and continuity management.]
Slide 27: RM & BC Management Model
[Figure: integrated management system (focus: risk & business continuity), SMART objectives. Governance roles around the PDCA cycle: BoD (Board Audit Committee) – Design and Plan; Sponsors – Monitor/Improve (Act); RMSC (Risk Management Steering Committee) – implementing BC disruption risk (Do); Process owners; Business managers; Internal Audit Committee – monitoring and review (Check). Inputs: stakeholders, risks, requirements for preparedness and continuity. Outputs: organization, managed preparedness and continuity management.]

Slide 28: Disaster Sequence Model (DSM)
• Natural, man-made or systems failures do not happen instantly
• Latent defects build up unnoticed
• Overlooked latent defects can lead to disasters
• DSM consists of 3 separate but interrelated parts:
  • Incubation period
  • Triggering event
  • Learning process
• The DSM model is easily applicable to understanding and managing business activity, threats, opportunities and disruptive events effectively
Slide 29: Turner's DSM Model – six stages (Toft & Reynolds, 1997: 22)
• Stage I – notionally normal starting point: (a) initially culturally accepted beliefs about the world and its hazards; (b) associated precautionary norms set out in laws, codes of practice, mores and folkways.
• Stage II – the incubation period: the accumulation of an unnoticed set of events which are at odds with the accepted beliefs about hazards and the norms for their avoidance.
• Stage III – precipitating event: forces itself to attention and transforms the general perception of Stage II.
• Stage IV – onset: the immediate consequence of the collapse of cultural precautions becomes apparent.
• Stage V – rescue and salvage, first-stage adjustment: the immediate post-collapse situation is recognised in ad hoc adjustments which permit the work of rescue and salvage to be started.
• Stage VI – full cultural readjustment: an inquiry or assessment is carried out and beliefs and precautionary norms are adjusted to fit the newly gained understanding of the world, where the knowledge gained is absorbed into the culture of organisations/society.

Slide 30: Disaster Sequence
[Figure: risk level plotted against time through the phases Normality, Incubation, Precipitation, Onset, Recovery and Learning (P-D-C-A applied to threat, opportunity and disruption). Timeline: normal operation; early warning period (start of threat, triggering incident); disruption event (collapse); extended disruption, with RTO and MTPD marked on the timeline.]
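Slide 30 places two objectives on the extended-disruption part of the timeline, RTO and MTPD, and slide 12 reminds us that a prioritized activity depends on the processes, systems, people and outsource partners that support it. The check below is an added example, not code from the presentation or from ISO 31000/22301: it takes a small BIA register (constructed for illustration, hours as the unit) and computes the recovery time an activity can actually achieve, which is its own RTO on top of the slowest chain of RTOs beneath it, then flags every activity whose achievable recovery falls past its MTPD. The activity names, figures and dependency links are all assumptions made for the example.

```python
"""Added example: validate BIA recovery objectives against dependency chains.

An activity's stated RTO is only meaningful if the resources it relies on are
back first. Achievable recovery = own RTO + max(achievable recovery of each
dependency). Anything beyond MTPD is a plan that cannot meet its objective and
therefore needs a treatment that shortens the period of disruption.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_h: float                        # maximum tolerable period of disruption
    rto_h: float                         # own recovery time once dependencies are up
    depends_on: list = field(default_factory=list)


def achievable_recovery(register, name, _stack=()):
    """Hours after the triggering incident at which `name` can really be running.

    Recurses through dependencies; a cycle in the register is a data error
    (no activity can recover before itself) and is reported rather than looping.
    """
    if name in _stack:
        raise ValueError("circular dependency: " + " -> ".join(_stack + (name,)))
    act = register[name]
    deps = [achievable_recovery(register, d, _stack + (name,)) for d in act.depends_on]
    return act.rto_h + (max(deps) if deps else 0.0)


def bia_violations(register):
    """Return {activity: (achievable_h, mtpd_h)} for every activity whose
    achievable recovery exceeds its MTPD."""
    out = {}
    for name, act in register.items():
        achievable = achievable_recovery(register, name)
        if achievable > act.mtpd_h:
            out[name] = (achievable, act.mtpd_h)
    return out


def sample_register():
    """Constructed BIA register (hypothetical figures, not from any real BIA)."""
    acts = [
        Activity("datacentre_power", mtpd_h=48, rto_h=1),
        Activity("network", mtpd_h=24, rto_h=1, depends_on=["datacentre_power"]),
        Activity("core_banking_db", mtpd_h=12, rto_h=6, depends_on=["datacentre_power"]),
        # Stated RTO of 2 h looks fine in isolation, but the database beneath it
        # needs 7 h, so the achievable recovery is 9 h against an MTPD of 8 h.
        Activity("payments", mtpd_h=8, rto_h=2, depends_on=["core_banking_db", "network"]),
        Activity("customer_portal", mtpd_h=24, rto_h=4, depends_on=["payments"]),
    ]
    return {a.name: a for a in acts}


if __name__ == "__main__":
    reg = sample_register()
    for name in reg:
        print(f"{name:18s} achievable {achievable_recovery(reg, name):5.1f} h "
              f"/ MTPD {reg[name].mtpd_h:5.1f} h")
    for name, (got, limit) in bia_violations(reg).items():
        print(f"VIOLATION {name}: {got} h achievable > {limit} h tolerable "
              f"(shortfall {got - limit} h)")
```

The shortfall figure is what slide 15's treatment options have to close: either shorten a period (cut an RTO somewhere in the chain, for example a warm standby for the database), limit the impact (raise the MTPD by providing a manual workaround for payments), or remove the dependency. The point the check makes is that reading each activity's RTO against its own MTPD in isolation hides exactly this class of failure.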
Slide 31: Treatment of risk (ISO 31000, 2.25, 5.5.1)
• Avoiding the risk:
  – by terminating it altogether;
  – by deciding not to start or continue with the activity that gives rise to the risk, whether the risk is the result of a 'threat', an 'opportunity' or a 'disruptive incident'.
• Taking or increasing the risk:
  – to pursue opportunities;
  – to take full advantage and maximize the benefit;
  – to decide whether a 'disruptive incident' to key products and/or services needs intervention to reduce the likelihood of occurrence, shorten the period of disruption and/or limit the impact of disruption.
• Removing the source:
  – and making sure that the threat, opportunity and/or disruptive incident does not negatively affect the organization.

Slide 32: Treatment of risk (cont.)
• Changing the likelihood and/or consequence:
  – by intervening to change the probabilities;
  – by modifying the potential impact;
  – by modifying the probability and impact levels of potential disruptive incidents.
• Sharing it with others:
  – by passing it on to insurance;
  – by contracts and risk financing;
  – by seeking new partnerships to share the threat and/or maximise the opportunity;
  – by subcontracting to specialist organizations and sharing the threats/benefits;
  – by equally applying the above to situations emerging from disruptive incidents.
• Retaining the risk:
  – by informed decision;
  – by doing nothing about it;
  – by being ready to intervene should the threat, opportunity and/or disruptive incident arise.
Slide 33: Treatment of risk (cont.)
• Invoking continuity procedures:
  – to reduce the likelihood of disruption (ISO 22301, 8.3.4.3 (a));
  – to shorten the period of disruption (ISO 22301, 8.3.4.3 (b));
  – to limit the impact of disruption on the organization's key products and services (ISO 22301, 8.3.4.3 (c));
  – "preparing and implementing risk treatment plans identifying resource requirements including contingencies" (ISO 31000, 5.5.3), reliance, dependence, etc.;
  – "establish, implement and maintain a formal and documented process for business impact analysis (BIA), risk assessment (RA) and other assessment techniques that establishes the context of assessment, defines the criteria and evaluates the potential impact" with regard to "disruption related risks" (ISO 22301, 8.3.3.4 (c));
  – "establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives" (ISO 22301, 5.4.5).

Slide 34: Benefits of ISO 31000 to Business Continuity
• Principles – risk management:
  – creates value for the organization;
  – is an integral part of the organizational processes;
  – aids the decision-making process;
  – explicitly addresses the uncertainty resulting from the effect of disruptive events;
  – is systematic, structured and timely;
  – is based on the best available disruption management information;
  – is tailored to the organization;
  – takes human and cultural factors into account;
  – is transparent and inclusive;
  – is dynamic, iterative and responsive to change; and
  – facilitates continual improvement and enhancement of the organization in terms of improving the overall integrated management system.
Slide 35: Benefits of ISO 31000 (cont.)
• Framework:
  – The ISO 31000 framework aids the Plan-Do-Check-Act (PDCA) cycle
  – Provides the necessary mandate, commitment, support and funding by top management and the board of directors towards establishing a BCMS
• The required elements for managing the risk of disruption effectively and in line with other organisational:
  – risks,
  – context,
  – RM and BC policies,
  – accountability,
  – roles and responsibilities,
  – organizational process integration,
  – functional activities,
  – resources required to implement the BC plan,
  – critical and alternate staff,
  – awareness and training programmes,

Slide 36: Benefits of ISO 31000 (cont.)
• Framework (cont.):
  – internal and external communication and reporting mechanisms, most essential for the successful implementation of a BCMS, incorporating the identification of:
    • organizational vulnerabilities;
    • continuity and recovery team members;
    • scope, purpose and value to the organization; as well as
    • the necessary lines of defence (BoD: Board of Directors, RMSC: Risk Management Steering Committee and IAC: Internal Audit Committee) for the necessary sponsorship, direction and audit of the RM and BCMS implementation mechanisms.
Slide 37: Benefits of ISO 31000 (cont.)
• Framework (cont.):
  • The development of a strategy to implement the organizational RM framework and processes to facilitate the risk assessment (RA) and business impact analysis (BIA) of the BC plan, and the identification of variances that can be translated into potential opportunities;
  • Framework monitoring and review – having established processes in place helps to build a well-managed organization: regular departmental/unit status reports on BC progress; internal and/or external audits to sustain the BCMS implementation; regular RM and BC audits with a view to validating performance against controls;
  • Top management support for, and involvement in, the continual improvement of the framework, encouraging departments/units to establish the culture and attitude that RM and BC are not static and that nearly everything the organization does can be improved and ought to be reviewed to enable the identification of new opportunities.

Slide 38: Benefits of ISO 31000 (cont.)
• Process(es):
  – An established, globally agreed and supported RM process directly affecting the BCMS;
  – The use of enterprise-wide risk management (EWRM) processes and guidelines;
  – In-depth awareness and understanding of the organization and its context;
  – An established risk assessment process providing a well-founded risk identification, analysis and evaluation methodology;
  – A systematic and logical approach to the management of all types of risk, incorporating the effective handling of threats, opportunity considerations and disruption-related risks that can be modified through one or more treatment options;
  – An established communication and consultation structure with customers, stakeholders and management;
  – Effective monitoring and review of all aspects of organizational risks and disruptive eventualities.
Slide 39: Benefits of ISO 31000 (cont.)
• General:
  – Increased competitive advantage supported by a globally designed and agreed RM standard;
  – Greater understanding of the effects of disruptive events in relation to the other organizational risks;
  – Enhanced customer confidence;
  – Improved stakeholder trust and support.

Slide 40: Conclusions
• The objective of this presentation: to trigger discussion on the importance of integrating a holistic management system incorporating Management, RM and BCM.
• Integration is:
  • More efficient
  • Less expensive
  • Improves the overall management system
Slide 41: Way forward / how
• Integrated risk management system – one holistic management approach: general management; risk management; business continuity; incident, crisis and disaster management
• Merge, not fragment – RM & BC are "not stand-alone activities" but an essential/integral part of the 'overall management system'; avoid reinventing the wheel (ISO 31000, 3(b) Principles)
• Gap analysis – urgently needed to help merge the different activities (currently in silos); amalgamation of the ISO 31000 & 22301 series
• ISO 31000 is doing a great job: getting the activities together – terminology, definitions, approaches, methodologies, principles, frameworks, processes, etc.
• BC cannot exist without an RM function
• An RM function is not complete without a BC programme

Slide 42: Thank you