The RM To BC Route Presentation Notes John Agius 21052012

Accompanying notes (paper) to the presentation with the same title prepared for the G31000 International Conference on ISO 31000 Standard, Paris - France 21-22 May 2012

The RM to BC route – how ISO 31000 benefits Business Continuity
John Agius – May 2012

Accompanying notes (paper) for the presentation with the same title prepared for the G31000 ISO 31000 Conference 2012, Paris, France, 21 – 22 May 2012

Abstract

What is commonly termed "business continuity" is a type of disruption-related risk influencing the achievement of organizational continuity objectives and in particular the uninterrupted delivery of key products and/or services. Disruption-related risks should be treated as such and are best dealt with as part of the treatment options available within the risk management discipline. Continuity plans are one of the tools that can be adopted to manage disruption-related events.

Moreover, experience dictates that organizations that decide to implement BC have RM, together with the basic BC prerequisites, already established through the RM process within the organization. Thus, taking the RM to BC route is not only the right way but the most efficient and most effective approach.

Introduction

Consciously or not, organizations deal with risk. In handling risks effectively and efficiently an organization is able to ensure continuity of its operations and the delivery of its key products and services. In other words, the management of risk makes it possible for an organization to achieve its objectives. And objectives do not always materialize as expected. As a result, organizations operate in a continuum of uncertainty. This effect of uncertainty, arising from the handling of probable threats, missed or would-be opportunities and/or potential disruptive incidents, on set objectives is termed 'risk' (ISO 31000, 2.1).

"Many organizations have a well-established RM function, maintain a corporate risk-register (RR) and have risk-assessment (RA) embedded in the organization in as much as all managers are expected to assess risks as part of their normal practices and procedures. Threat assessments, therefore, may already be available for the organization's activities. However the presence of a risk management function is not a prerequisite for an effective BCM programme" (BCI-GPG, 2010: 53).

ISO 31000 Conference, Paris, France, 21 – 22 May 2012 © J. Agius
The first part of the BCI statement is true whereby 'all', and not simply 'many', organizations that decide to implement BC have RM established within the organization. Hindsight indicates that this is the case every time. The statement that "the presence of a RM function is not a prerequisite for an effective BCM programme", i.e. the handling and treatment of disruption-related risks, is only true if such a function is implemented independently of or in total absence of a BC programme. However, BC or the handling of disruption-related risks cannot exist without an RM function, and an RM function would not be complete without a BC programme.

"RM and BC only exist as a consequence of risk awareness. Every company … accurately or otherwise, has risk management nearer the board and above business continuity" (Power, 2010). This in no way implies that RM is above BC or vice versa, since both specialisms are an equal and integral part of the same concept of management. In this regard, it must be stated that there is also a historical perspective on how RM emerged from traditional management and how the failures of RM led to the establishment of BC as we know it today, with the three philosophies (management, RM & BC) running in silos. However, modern management thinking is currently exploring avenues on how to reintegrate the different management systems into an "overall integrated management system".

This new thinking may well consider incorporating established scientific research to help substantiate the scientific value of modern management development. One example is Turner's "Disaster Sequence Model" (DSM), which established how disaster events resulting in disruption-related incidents do not occur instantly. Turner's research, ably developed by Toft and Reynolds, indicates that there is always an incubation process that triggers an incident and leads it into a disaster.

The DSM model by Turner (1978) indicates the sequence of events that starts from a series of unnoticed events leading to the onset of an incident, then into a crisis, followed by a process of rescue and salvage (recovery) attempts and possibly a disaster, if things do not turn right.

The following sections look at:
  1. A concise historical view of Management, RM and BC phases
  2. The Disaster Sequence Model - DSM
  3. The treatment of risk
  4. How ISO 31000 can benefit BC
  5. Conclusions

1. A concise historical view of Management, RM and BC phases:

Management:

Management (general) was traditionally based on intuition and limited informed decision-making on day-to-day management issues. Management tools have been developed over time, e.g. SWOT (Strengths, Weaknesses, Opportunities and Threats), the 4D's (Define, Design, Do, and Deliver) and other useful tools. These management tools streamlined management into a quasi-scientific model. Yet, general management (as it was initially labelled) was broad and lacking focus on specific management issues, amongst them 'threats' and the effect these had on management objectives.
Eventually, when the effects of threats started to get complicated and serious, focus on threat management was needed. As a result RM emerged and later evolved as an independent management system.

Risk Management:

The handling of threats and the effects these had on organizations was initially perceived as the management of risk (nowadays it is referred to as the down-side of risk). The first RM concepts were based on tools specifically developed to manage risk emerging from the effects that threats were having on organisations. One of the tools to manage threats was the 4T's. This was based on measures to terminate, treat, transfer or take the risk, with a view to ensuring that organizations continue to move forward in achieving their objectives.

What the 4T's and other RM tools failed to take into consideration were risks arising as a result of missed and would-be opportunities and those emerging from the effects unexpected disruption-related events had on the objectives set by organizations.

Through the introduction of sophisticated technological systems and processes and high market demands, the effects of disruptive incidents began to leave their mark on organizations set to deliver critical products and services. Since RM lacked the capacity to manage disruptive situations and disruption was no longer limited to MIS or computer-installation systems, organizations had an urgent need to identify methods to handle the effects from disruptive events.

Initially, DRP (disaster recovery planning) in the US attempted to provide the solution. This "inevitably created the demand for third party consultancy … initially aimed entirely at Data Processing or MIS (as IT/ITC was then generally called) and was technical in nature" (BCI GPG 2010, 9). However, the problems emerging as a result of the 'risk from business disruption' were beyond data processing and MIS. Consequently, rather than entrenching the BC principles within existing general or business management systems or within the risk specialism, a new discipline was developed as a totally separate management philosophy. This philosophy was to be named business continuity management (BCM).

It is noteworthy that the strong focus in the search for solutions to disruption-related risks led to the total neglect of the difficulties related to the up-side of risk. As a result, issues related to missed and would-be opportunities have been totally ignored. Some risk practitioners still argue against the up-side element in risk and continue to consider the management of opportunity as a separate issue outside of risk management.

Business Continuity:

According to the BCI-GPG-2010 (p. 9), the first signs of BCM evolved out of disaster recovery planning (DRP). The first known use of the term "Business Continuity" is said to have been made by Ron Ginn (later to become the inaugural BCI Chairman) back in 1986, after he had researched the subject in the United States and interviewed many leading practitioners. Ginn wrote a book entitled "Continuity Planning" which postulated an application of the DRP skill-set to a much wider range of business risks and potential operational interruptions. In 1988 a UK organization by the name of "Survive" created a forum in which DR people could share their experiences and knowledge. Eventually, in 1991 "Survive" dropped the references to DRP and re-branded itself "The Business Continuity User Group". This step had a significant impact in changing the external perception of the subject. Concurrently, two of the largest US-owned DR companies also changed their position, seeing "Continuity" as a more upbeat message than "Recovery".

It can therefore be said that the appearance of BCM is the result of the failure of RM and DRP to provide a plausible solution to the effects disruption-related incidents were having on organizations during the late 1970's and the mid-1980's.

2. The Disaster Sequence Model - DSM:

Natural, man-made or systems failures do not happen instantly. These are caused through latent defects that build up within the natural environment, systems and processes. Badly managed and/or not managed at all, latent defects can lead to disasters. In his DSM model Turner describes the sequence of events associated with the developments leading to disasters (Toft & Reynolds, 1997). At the most general level the model consists of three separate but interrelated parts:
  • the incubation period of actions and events prior to a disastrous situation;
  • the event triggering the incident/disaster and the immediate aftermath of recovery; and
  • the learning process through investigation, analysis, reports and recommendations.

The DSM model can be easily adopted to better understand how to effectively manage risks from disruption-related events. The different stages of Turner's DSM model are as follows (Toft & Reynolds, 1997: 22):
  1. Stage I – notionally normal starting point: (a) initially culturally accepted beliefs about the world and its hazards; (b) associated precautionary norms set out in laws, codes of practice, *mores and **folkways.
  2. Stage II – the incubation period: the accumulation of an unnoticed set of events which are at odds with the accepted beliefs about hazards and the norms for their avoidance.
  3. Stage III – precipitating event: forces itself to the attention and transforms the general perception of Stage II.
  4. Stage IV – onset: the immediate consequence of the collapse of cultural precautions becomes apparent.
  5. Stage V – rescue and salvage: first stage adjustment – the immediate post-collapse situation is recognised in ad hoc adjustments which permit the work of rescue and salvage to be started.
  6. Stage VI – full cultural readjustment: an inquiry or assessment is carried out and beliefs and precautionary norms are adjusted to fit the newly gained understanding of the world, where knowledge gained is absorbed into the culture of organisations/society.

*Mores: customs, conventions, practices.
**Folkways: the unconscious group ways of doing things (living, thinking & acting) serving as compelling guides of conduct.
Figure: Disaster Sequence phases relevant to the understanding of disruption-related risk & disaster events

Turner's DSM model can be easily applied to the effective understanding and management of day-to-day business activity, risk situations and disruption events, as well as to aid the continued advancement of management. The incorporation of advanced management tools and models like Turner's DSM provides for a systematic and structured approach to the assessment and treatment of disruption-related risk events.

3. The treatment of Risk:

Good risk management (RM) entails effective treatment of the "internal and external factors and influences that make it uncertain whether and when organizations will achieve their objectives" (ISO 31000: Introduction).

Generally, risk treatment for the first two types of risk:
  • 'threats' and
  • 'opportunities'
is dependent on "the way in which consequence and likelihood are expressed and the way in which they are combined to determine a level of risk" (ISO 31000, 5.4.3).

In the case of the third type of risk:
  • 'disruption-related'
the 'time' factor is added to the 'consequence' and 'likelihood' factors associated with the other types of risk. This is so because time may drastically affect the level of consequential impact of a disruptive incident.
Risk treatment can involve (ISO 31000, 2.25, 5.5.1):
  • avoiding the risk,
      o by terminating it altogether;
      o by deciding not to start or continue with the activity that gives rise to the risk, whether the risk is the result of a 'threat', an 'opportunity' or a 'disruptive incident'.
  • taking or increasing the risk,
      o to pursue opportunities;
      o to take full advantage and maximize the benefit;
      o to decide whether a 'disruptive incident' to key products and/or services needs intervention to reduce the likelihood of occurrence, shorten the period of disruption and/or limit the impact from disruption.
  • removing the source,
      o and making sure that the threat, opportunity and/or disruptive incident does not negatively affect the organization.
  • changing the likelihood and/or consequence,
      o by intervening to change the probabilities;
      o by modifying the potential impact;
      o by modifying the probability and impact levels of potential disruptive incidents.
  • sharing it with others,
      o by passing it on to insurance;
      o by contracts and risk financing;
      o by seeking new partnerships to share the threat and/or maximise opportunity;
      o by subcontracting to specialist organizations and sharing the threats/benefits;
      o by equally applying the above to situations emerging from disruptive incidents.
  • retaining the risk,
      o by informed decision;
      o by doing nothing about it;
      o by being ready to intervene should the threat, opportunity and/or disruptive incident arise.
  • invoking continuity procedures,
      o to reduce the likelihood of disruption (ISO 22301, 8.3.4.3 (a));
      o to shorten the period of disruption (ISO 22301, 8.3.4.3 (b));
      o to limit the impact of disruption on the organization's key products and services (ISO 22301, 8.3.4.3 (c));
      o "preparing and implementing risk treatment plans identifying resource requirements including contingencies" (ISO 31000, 5.5.3), reliance, dependence, etc.;
      o "establish, implement and maintain a formal and documented process for business impact analysis (BIA), risk assessment (RA) and other assessment techniques that establishes the context of assessment, defines the criteria and evaluates the potential impact" with regard to "disruption related risks" (ISO 22301, 8.3.3.4 (c));
      o "establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives" (ISO 22301, 5.4.5).
4. How ISO 31000 benefits BC:

The benefits of using the ISO 31000 route to BC rather than managing the two approaches in silos are many. With a frame of mind focused on disruption-related risks, the following is a list of benefits within the ISO 31000 standard documentation applicable to the development of a BCMS:

Principles:
  • creates value for the organization;
  • is an integral part of the organizational processes;
  • aids the decision-making process;
  • explicitly addresses the principle of uncertainty resulting from the effect of disruptive events;
  • is systematic, structured and timely;
  • is based on the best available disruption management information;
  • is tailored to the organization;
  • takes human and cultural factors into account;
  • is transparent and inclusive;
  • is dynamic, iterative and responsive to change; and
  • facilitates continual improvement and enhancement of the organization in terms of improving the overall integrated management system.

Framework:
  • Makes use of the Plan-Do-Check-Act (PDCA) cycle, amply aided by the ISO 31000 framework model of Design, Implement, Monitor & Review and Continual Improvement;
  • Provides the necessary mandate, commitment, support and funding by top management and the Board of Directors, much needed for the successful implementation of an effective BCMS activity;
  • Provides the required elements for managing the risk of disruption effectively and in line with other organisational:
      o risks,
      o context,
      o RM and BC policies,
      o accountability,
      o roles and responsibilities,
      o organizational processes integration,
      o functional activities,
      o resources required to implement the BC plan,
      o critical and alternate staff,
      o awareness and training programs,
      o internal and external communication and reporting mechanisms
    most essential for the successful implementation of a BCMS, incorporating the identification of: organizational vulnerabilities; continuity and recovery team members; scope, purpose and value to the organization; as well as the necessary lines of defence (BoD: Board of Directors, RMSC: Risk Management Steering Committee & IAC: Internal Audit Committee) for the necessary sponsorship, direction and audit of the RM and BCMS implementation mechanisms.
  • The development of a strategy to implement the organizational RM framework and processes to facilitate the risk assessment (RA) and business impact analysis (BIA) of the BC plan and the identification of variances that can be translated into potential opportunities;
  • The framework monitoring and review: having established processes in place helps to establish a well-managed organization; regular departmental/unit status reports of BC progress; internal and/or external audits to sustain the BCMS implementation; regular RM and BC audits with a view to validating performance against controls;
  • Top management support and involvement towards the concept of continual improvement of the framework, encouraging departments/units to establish the culture and attitude that RM and BC are not static and that nearly everything the organization does can be improved and ought to be reviewed to enable the identification of new opportunities.

Process/es:
  • An established, globally agreed and supported RM process directly affecting the BCMS;
  • The use of enterprise-wide risk management (EWRM) processes and guidelines;
  • In-depth awareness and understanding of the organization and its context;
  • An established risk assessment process providing a well-founded risk identification, analysis and evaluation methodology;
  • A systematic and logical approach to the management of all types of risk, incorporating the effective handling of threats, opportunity considerations and disruption-related risks that can be modified through one or more treatment options;
  • An established communication and consultation structure with customers, stakeholders and management;
  • Effective monitoring and review of all aspects of organizational risks and disruptive eventualities.

Others:
  • Increased competitive advantage supported by a globally designed and agreed RM standard;
  • Greater understanding of the effects of disruptive events in relation to the other organizational risks;
  • Enhanced customer confidence;
  • Improved stakeholder trust and support.
5. Conclusions:

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. As stated earlier, the effect this uncertainty has on an organization's objectives is "risk" (ISO 31000, 2.1). Risks can be of three different types, namely:
  • Threat
  • Opportunity
  • Disruption-related

In acknowledging that organizations operate in an 'uncertain' environment, ISO 31000 illustrates that objectives can have different aspects within different fields/specialisms of management. Being the organizational efforts and/or actions to obtain or accomplish a goal, organizational objectives are not always achieved as planned. The route from designing and setting objectives to their launch, implementation and materialization passes through a complicated environment of 'uncertainty', thus 'risk'. Risk, RM and BC are part of an overall integrated management system and are best treated utilizing established and well-researched RM tools.

Figure: RM & BC architecture within an overall Integrated Management System

Thus, the integration of RM and BC is not only beneficial, it is also more efficient and less costly. The launch of the "risk management" standard (ISO 31000: 2009 series) and of the "business continuity" standard (ISO 22301: 2012 series), as well as of other standards, "will further increase the use of international best practice" (CMI, 2012) in management. These are not perfect and will require continuous updating in line with new thinking. This development will continue to further reduce the gap between the different management concepts towards the promotion and the integration, rather than the fragmentation, of modern management thinking and practice.
Bibliography

G31000 (2012) "ISO 31000 International Conference 2012, Paris, France – 21 – 22 May 2012", at http://www.g31000conference2012.org/

----------<>----------

BCI, GPG (2010) Good Practice Guidelines 2010, Global Edition, Berkshire: BCI
CMI (2012) "Planning for the worst, The 2012 BCM Survey", reproduced at http://www.managers.org.uk/sites/default/files/u28/4354BCMreport2012v3.pdf
ISO 22301 (exp.) Societal security – Business continuity management – Requirements, Secretariat: SIS, ISO/TC 223
ISO 22313 (exp.) Societal security – Business continuity management systems – Guidelines, Secretariat: SIS, ISO/TC 223
ISO 31000 (2009) Risk management – Principles and guidelines, Geneva: ISO
ISO 31000 (2009) Risk management – Risk assessment techniques, Geneva: ISO/IEC
Power, Peter (2010) "Risk and Continuity: Convergence is in the air…", reproduced at Continuity Central, http://www.continuitycentral.com/feature0765.html, April 2012
Toft, B. and Reynolds, S. (1997) Learning from Disasters: a management approach, Leicester: Perpetuity Press, p. 22.
Turner, B. A. (1978) Man-Made Disasters, Wykeham, London

----------<>----------

John Agius M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW

The RM to BC Route - How ISO 31000 benefits Business Continuity

Risk and Business Continuity Management have been developed as a result of the effects of uncertainty that organizations face in achieving their objectives. The likelihood of deviations from set objectives, whether negative and/or positive, compels organizations to be proactive and prepared to intervene in good time to manage adverse effects and pursue opportunities. In the event of business disruptions organizations are obliged to provide for resiliency and to ensure that alternative arrangements are in place for business to continue to operate whatever the circumstances. John's presentation tackles the role RM plays in establishing an effective and efficient BCMS and how ISO 31000 benefits this process.

About the Author:

John is a Risk and Business Continuity manager with strong industry and academic experience in the profession and the associated resilience disciplines. Originating from electronics and computing, John moved from DRP in Data Processing and MIS back in the 1970's to RM and BC as known today. Coupled with his 30+ years of professional experience in Management, the Police, Law, Security, planning & environmental enforcement and Telecommunications, his knowledge is backed by an MSc in Risk, Crisis & Disaster Management from the University of Leicester in England and various other prestigious certifications. He is a part-time visiting lecturer at the University of Malta and other tertiary and further education institutions, lecturing in Risk Management and Assessment.

LinkedIn profile - http://mt.linkedin.com/in/johnagius
