Business Continuity Management for Libraries, by Dr. บรรจง หะรังษี
BCM Topics: BCM programme management; Understanding the organization; Determining business continuity strategy; Developing and implementing a BCM response; BCM exercising, maintaining and reviewing BCM arrangements; Embedding BCM in the organization’s culture. Workshops: Estimate resource requirements for Library Loan Service; Determine business continuity strategy for Library Loan Service.
Business Continuity: Business continuity is the strategic and tactical (translating strategy into practice) capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
Business Continuity Management: Business Continuity Management (BCM) is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
Activity = process/a set of processes to produce/support one or more product/service
BCM programme management: Programme management enables the business continuity capability to be both established and maintained in a manner appropriate to the size and complexity of the organization.
Understanding the organization: The activities associated with "Understanding the organization" provide information that enables prioritization of an organization’s products and services and the urgency to deliver them. (This sets the requirements for selection of appropriate BCM/BC strategies.)
Determining business continuity strategy: Determining business continuity strategy enables a range of strategies to be evaluated. This allows an appropriate response to be chosen for each product or service, such that the organization can continue to deliver those products and services: at an acceptable level of operation; and within an acceptable timeframe during and following a disruption. The choice made will take account of the resilience and countermeasure options already present within the organization.
Developing and implementing a BCM response: Developing and implementing a BCM response results in the creation of a management framework and a structure of incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
BCM exercising, maintaining and reviewing BCM arrangements: BCM exercising, maintenance, review and audit leads to the organization being able to: demonstrate the extent to which its strategies and plans are complete, current and accurate; and identify opportunities for improvement.
Embedding BCM in the organization’s culture: Embedding BCM in the organization’s culture enables BCM to become part of the organization’s core values and instils confidence in all stakeholders in the ability of the organization to cope with disruptions.
BCM programme management: The BCM programme (management) of an organisation provides the framework around which the BCM capability is designed and built.
Benefits of a BCM Programme (Management): The organization: is able to proactively identify the impacts of an operational disruption; has in place an effective response to disruptions which minimizes the impact on the organization; maintains an ability to manage uninsurable risks; encourages cross-team working; is able to demonstrate a credible response through a process of exercising; could enhance its reputation; and might gain a competitive advantage, conferred by the demonstrated ability to maintain delivery.
REFLECTING ORGANISATIONAL CONTEXT: This is to understand the direction and focus of the business before embarking on other stages (business impact analysis or risk assessment). Need to study and understand the business plan for growth/downsize, restructure, etc., in the short, medium or long term. This type of information may not be visible to the person charged with business continuity activity. Knowledge of business plans will also be required. Need to set the geographic scale for the clear choice of continuity strategies.
Organisational Strategy: Aspects of the organisation’s strategy likely to affect the BCM Programme are: Expansion (or contraction) strategy; Development of new products or services; Key business change or restructuring; Relocation or location consolidation.
Regulatory Requirements: e.g., Regulatory/Statutory requirements; Health and safety regulations.
Scale: Decide on the maximum geographic extent that the organisation wants to, or needs to, plan to survive. This could be determined by: Geographical extent (or market/customer area); Products, market sectors or specific customer requirements.
BCM POLICY CONTENTS: The BCM Policy is the key document which sets out the scope and governance of the BCM programme.
BCM PROGRAMME SCOPE & DETERMINING CHOICES: From the Business Strategy studied and understood: Set the scope to ensure clarity of what areas of the organisation are included within the BCM programme. The scope can be defined by identifying which products and services fall within it. Conduct a Business Impact Analysis to ascertain the effects of a loss of product and services. Consider the strategy options for each product and service. Provide executive management with the evaluation report to choose the options, which they can determine. Ensure the agreed option is ‘signed-off’ by the executive management including the financial and resource provisions.
Activity = process/a set of processes to produce/support one or more product/service
What Areas to Include/Exclude: Decisions on which products, services or locations to include within the scope may be determined by one or more of the following factors: A customer requirement; A regulatory/statutory requirement; Perceived high-risk location due to proximity to other industrial premises or physical threats such as flooding; Product being an overwhelming proportion of organisational income. Reasons why product, service or location may be excluded from the scope: Product/service nearing end of life (would be terminated if supply interrupted); Product/service with low margins (termination or outsourced); A perceived low-risk location.
‘Do nothing’ Strategy: A ‘do nothing’ strategy may be acceptable for the least urgent activities identified in the BIA result. Where the organisation has identified that an activity has an RTO greater than a few months, this gives enough time for buildings to be found and utilities to be installed post-incident with minimal planning and preparation. Another case for ‘do nothing’ is that if the cost of BCM is judged to be too high or the risk is deemed low (because disruption is felt to be unlikely or would have a low impact), then accept the risk.
Business Continuity: If Business Continuity is the chosen strategy then it requires that suitable measures (BCM arrangements) are put in place to ensure that the various activities supporting their delivery can be continued or recovered within the required timescales.
Acceptance: If the cost of BCM is judged to be too high or the risk is deemed low (because disruption is felt to be unlikely or would have a low impact) then the risk can be ‘accepted’. In this event the organisation may choose to do nothing about it or put in place measures to deal with it if the risk occurs. Such measures may include: An Incident Management capability; Measures to protect against specific high-probability threats such as fire.
Transfer: A risk may be transferable to a third party who may be more able to manage it. Such measures include: Outsourcing. More and more organisations are outsourcing business critical processes and activities to create virtual organisations. It is important to remember that the risk to the organisation’s reputation and brand image cannot be shifted to outsourced providers; the risk and responsibility always remain with the business.
Transfer: Off-shoring, using in-house resource or outsource providers away from the centre of the business (usually in a far country), may introduce other concerns to be considered, such as security, political and environmental risks, etc. Insurance - transferring some of the financial costs of an incident (e.g. fire, bomb attack) to an insurance company. However, in a major incident this can only provide money to support business resumption to a small degree and is not sufficient as a solution on its own.
Change, suspend or terminate: Change, suspend or terminate the product/service if possible.
OUTSOURCED ACTIVITIES: If part or all of a product or service delivery is outsourced, the ultimate responsibility for its continuity remains with the organisation and cannot be transferred to the outsourcing company. Customers will expect the organisation to have made an informed choice about their partners and taken appropriate measures to assure delivery. The purpose is to ensure that the organisation’s delivery of products and services is not disrupted by a failure of a third-party supplier of goods or services which are provided either to the organisation or direct to the customer on the organisation’s behalf.
Important Issues in Outsourcing: Have a specification for BCM requirements in contract terms; Have an agreement on realistic Service Levels for use during incidents; Involve outsourcing companies in BCM training, awareness and exercising; Have documentation for results of exercises.
PROGRAMME MANAGEMENT: Key steps in BCM Programme Management are: Assigning responsibilities; Implementing BCM in the organisation; Project Management; Ongoing management; BCM documentation; Incident readiness and response.
ASSIGNING RESPONSIBILITIES: The key to a successful BCM programme is the early identification of clearly defined roles, responsibilities and authorities to manage the BCM programme and process throughout the organisation. The purpose of assigning roles and responsibilities is to ensure that the tasks required to implement and maintain the programme are allocated to specific and competent individuals whose performance can be monitored.
ASSIGNING RESPONSIBILITIES: A member of the Executive should be given overall accountability for the organisation’s BCM capability and its effectiveness. This ensures that a BCM programme is given the correct level of importance within the organisation and a greater chance of effective implementation. An individual should be appointed to manage the BCM programme. This person may be known as the BC Manager.
BCM Programme Board and Team: BCM Programme Board (BCM Committee) – a management group to give advice, guidance and management oversight; Incident Management Team – a team comprising representatives of all teams involved in incident response to coordinate, manage and resolve incidents (hopefully until closure); BCM Team (BCM operational team) – a series of business and service recovery teams representing critical business processes and their supporting services, e.g., IT services.
IMPLEMENTING BCM IN THE ORGANISATION: The purpose of this step is to ensure that a sustainable BCM programme is implemented in the organisation. The documented and repeatable process for BCM should be created and adopted throughout the organization.
PROJECT MANAGEMENT: Project management disciplines should be adopted and used, such as GRACE, PMBoK, …. This is to help manage projects to implement the BCM programme, mainly to complete projects within the required time, cost and efforts. Typical project stages in a BCM programme include: Awareness raising; Defining programme scope (Write Policy); Business impact analysis; Risk Analysis; Continuity option selection; Developing and implementing the BC plan; Developing and managing a desktop exercise to test the BC plan.
ONGOING BC MANAGEMENT: The Executive of the organisation should: Appoint a person or team to manage the BCM programme; Define the scope of the BCM programme; Approve the continuity budget; Monitor the performance of the BCM programme.
ONGOING BC MANAGEMENT: The appointed BCM team should (in consultation with the Executive): Develop and approve a BCM process and programme; Undertake or manage the BCM activities; Promote BCM across the organisation and externally where appropriate; Manage the continuity budget; Maintain the BCM documentation; Report on the current state of readiness to the Executive on a regular basis, highlighting where there are gaps to be corrected; Train BCM members.
DOCUMENTATION: A set of BCM documentation includes: BCM Policy including scope and principles; BCM roles, responsibilities and resources; Training and competency records for BCM personnel; Business Impact Analysis; Risk analysis; BCM Strategies including papers supporting the choice of the strategies adopted; Incident Response structure; Incident Management Plans; Business Continuity Plans;
DOCUMENTATION: Departmental Business Resumption Plans; Exercise Schedule and reports; Awareness and training programme; Service Level Agreements with customers and suppliers; Contracts for third party recovery services such as workspace and salvage; Maintenance and review (audit) programme, reports and corrective actions.
INCIDENT READINESS & RESPONSE: A process/plan to handle incidents until returning to a normal situation needs to be defined, such as: Receive notification of an incident. Assess situation then: either manage response through appropriate prepared plans or escalate to Incident management team. Contain - Is there anything that can be done immediately to stop the problem getting worse? Look at the Incident Management Plan - is there a pre-planned response that fits this incident? Follow the documented response procedure.
INCIDENT READINESS & RESPONSE: Predict the likely outcome and adapt the BC Plan to provide a response strategy. Implement the response strategy. Evaluate the progress of the response. If the situation is OK, stand down the response. Review the effectiveness of the response.