Business Continuity Management Peter Case-Upton School of Business Information [email_address]

Background to BCM Risk Analysis The BCM Process Business Continuity Management The Plan

Business Continuity Management Business continuity - what is it? Planning for potential disasters which could effect the normal operation of the business Why Bother? Minimising the cost impact Reducing regulatory/statutory effects Preserving image/credibility Demonstrate leadership

Business continuity - what is it?

Planning for potential disasters which could effect the normal operation of the business

Why Bother?

Minimising the cost impact

Reducing regulatory/statutory effects

Preserving image/credibility

Demonstrate leadership

The Origins BCM came from an IT systems background Typical exponents of BCM were:- IBM, DEC, HP, ICL, etc Banks, commercial, industrial, etc Found to rely on business processes Companies have learned the hard way via their own disasters

BCM came from an IT systems background

Typical exponents of BCM were:-

IBM, DEC, HP, ICL, etc

Banks, commercial, industrial, etc

Found to rely on business processes

Companies have learned the hard way via their own disasters

Types of Risk and Threat Denial of access Chemical spillages Fire, bombs, terrorist attacks Sickness/epidemic Natural disasters Threats from the skies (Accident/Intentional)

Denial of access

Chemical spillages

Fire, bombs, terrorist attacks

Sickness/epidemic

Natural disasters

Threats from the skies (Accident/Intentional)

Examples World Trade Centre Sept 11 & 1992 Manchester Bomb Docklands Etc

World Trade Centre Sept 11 & 1992

Manchester Bomb

Docklands

Etc

The Manchester Bomb 1000 kg Lorry bomb 200 people injured

Some Facts - Business Disasters 80% of UK businesses have no plan The ‘It won’t happen to me syndrome!’ 68% of businesses who experience a disaster and don’t have a plan - go out of business within 2 years One in five organisations will suffer a major IT disaster in five years

80% of UK businesses have no plan

The ‘It won’t happen to me syndrome!’

68% of businesses who experience a disaster and don’t have a plan - go out of business within 2 years

One in five organisations will suffer a major IT disaster in five years

Disaster Recovery Supply Chain Management Quality Management Heath and Safety Knowledge Management IT & Security Emergency Management Business Continuity Management A Wide Ranging Subject Area Risk Management Crisis Management and PR Facilities Management

Business Continuity Life Cycle Understand the Business Develop and Implement a BCM Response Develop Business Continuity Strategies Build and Embed a BCM Culture Exercise, Maintenance and Audit Programme Management 1 5 2 3 4 6 BCM

The Major Events in BCM Risk Analysis Review and Business Impact Analysis Disaster Management Fallback Provision Recovery Management Salvage Provision Test the plan

Implementation Involvement - must have corporate commitment at board level Use a structured approach Set up a steering group Arrange working groups Provide awareness training for groups Include budget for BCM Add contingency item to budget (5%?)

Involvement - must have corporate commitment at board level

Use a structured approach

Set up a steering group

Arrange working groups

Provide awareness training for groups

Include budget for BCM

Add contingency item to budget (5%?)

Typical Company Structure

Typical Company Structure Steering Group

Typical Company Structure Working Group 2

Risk Assessment Risk Identification What is the risk? Risk Assessment What level of risk exists? Risk Management What are the priorities of all risks? Risk Reduction How can the risks be reduced?

Risk Identification

What is the risk?

Risk Assessment

What level of risk exists?

Risk Management

What are the priorities of all risks?

Risk Reduction

How can the risks be reduced?

Risk The Zaphod Beeblebrox Approach “ Zaphod put on the glasses. They were a double pair of Joo Janta 200 Superchromatic Peril-Sensitive Sunglasses , which had been specifically designed to help people develop a relaxed attitude to danger. At the first hint of trouble they turn totally black and thus prevent you from seeing anything that might harm you” From Adams ‘The Restaurant at the end of the universe’

How Can Risk be Measured Using probability (range of 0.0 to 1.0) Once in every x years, e.g. 1 in 20 year storm Odds (2/1, 10/1) Occurrence (event per ‘000 people) Percentage (10%, 50%) High/ Medium/Low Risk Rating

Using probability (range of 0.0 to 1.0)

Once in every x years, e.g. 1 in 20 year storm

Odds (2/1, 10/1)

Occurrence (event per ‘000 people)

Percentage (10%, 50%)

High/ Medium/Low Risk Rating

High, Medium and Low Risk Items Consequence Likelihood

Risk Control Techniques Risk Avoidance - To eliminate uncertainty Transfer - Move ownership Reduction - Down grade risk level Absorption - Accept responsibility

Risk Avoidance - To eliminate uncertainty

Transfer - Move ownership

Reduction - Down grade risk level

Absorption - Accept responsibility

Business Impact Overview A departmental specific document which defines:- The Risk Analysis Organisational structures/numbers IT requirements Business Procedures Rationale for criticality Effect of disasters How could levels of service be maintained

A departmental specific document which defines:-

The Risk Analysis

Organisational structures/numbers

IT requirements

Business Procedures

Rationale for criticality

Effect of disasters

How could levels of service be maintained

The Disaster Phase - Day One Assess the type and extent of disaster Invoke multi-level disaster management teams and initiate plans Communicate with - staff, media, other sites Mobilise contingency resource Inform salvage/insurance people Don't change the method of working

Assess the type and extent of disaster

Invoke multi-level disaster management teams and initiate plans

Communicate with - staff, media, other sites

Mobilise contingency resource

Inform salvage/insurance people

Don't change the method of working

The Fallback Phase - Day 1+ Try and use the plans Move to alternative locations Prioritise high criticality processes first Communicate with others Use replacement IT systems + data backups Alternative communications provision Prepare for recovery

Try and use the plans

Move to alternative locations

Prioritise high criticality processes first

Communicate with others

Use replacement IT systems + data backups

Alternative communications provision

Prepare for recovery

Recovery Management Getting back to normal operation Phased return to the provision of full service Consider environmental aspects re-establish communications links Communicate with others Counselling Test the plan - learn from experience

Getting back to normal operation

Phased return to the provision of full service

Consider environmental aspects

re-establish communications links

Communicate with others

Counselling

Test the plan - learn from experience

Background to BCM Risk Analysis The BCM Process Business Continuity Management Summary