Business Continuity Management
Presenter: Mike Jackson
Slide 2: Agenda
Slide 3: Definition
What is Business Continuity Management?
A good, although lengthy, definition in BS 25999-1 is: "A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities."
It is also called Business Continuity & Resiliency Planning.
In plain language – working out how to stay in business in the event of a significant occurrence.
Slide 4: Definition
An interesting recent aspect of this topic is that some consultants are grouping the approaches of Risk Management and Business Continuity Management together. In my experience, there are benefits to be had by grouping these aspects since there is commonality in the early processes, and therefore cost savings, but the outcomes are strategically different and must be exercised to assure the corresponding deliverables.
For example, in the case of a glass being half full or half empty, RM will see it as probably half full, and BCM will worry about the contents being hazardous or, if the glass breaks, how long it will take to clear up.
Slide 5: Responsibility
Business continuity and disaster recovery planning is a key governance responsibility. The UK Companies Act 2006 gives statutory force to what has long been the worldwide common law duty of directors, which is to exercise due care in relation to their companies. Specifically, directors must "exercise reasonable care, skill and diligence".
Principal responsibility lies with the CEO and his Executive Management team for their company's Business Continuity Management. The board of directors is accountable for ensuring that the organization has developed and tested business continuity and disaster recovery plans that deal with all the likely risks that face the organization.
Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions.
Slide 6: Responsibility
• Principal responsibility lies with the CEO and his Executive Management team for their company's Business Continuity Management.
• Senior Management is responsible for providing BCM strategies that are necessary for the continuation of Business Critical functions.
Slide 7: Major Phases of BCM
Four phases:
• Understanding the organisation
• Determining the Business Continuity Strategy
• Developing and implementing the BCM response
• Exercising, maintaining and reviewing
Slide 8: International Standards
There are 2 widely recognised standards:
• BS25999, in two parts:
  • BS-25999-1 (2006) Code of Practice (Guide)
  • BS-25999-2 (2007) Specification
• ISO/PAS 22399 (2007) Societal Security
Slide 9: Key Questions to Ask
What activities in your organisation, if stopped, cause the most impact to your business?
Impact may be on:
• Cash flow
• Reputation
• Meeting statutory and legal requirements
Slide 10: Key Questions to Ask (2)
How are these activities delivered and what resources are used to support them?
Resources may be:
• People
• Plant and machinery
• Premises and furniture
• Computing and telecommunications
• Data and information
• Suppliers and distributors
Slide 11: Key Questions to Ask (3)
Some other key questions are:
• Who is essential?
• What equipment, IT, telecoms and other systems are necessary to continue to function?
• Who does the organisation rely upon to carry out key activities?
• Who depends upon the organisation?
• Are there any service levels, legal or regulatory obligations?
• Do Disaster Recovery, Business Continuity and emergency plans already exist?
• Are there any natural fluctuations of operational activity, e.g. month-end payroll or end of year for accounts?
Slide 12: Key Questions to Ask (4)
You then need to consider:
• How long can your business manage without key activities? (This is important as this dictates what you focus on first.)
• How essential is a department's work to the overall performance of the business on a day-to-day basis?
• Having identified key resources, consider the likelihood that these resources may be lost, i.e. what are the risks to these resources?
Slide 13: Before the Consultants Arrive
There are a number of things you can do before you bring in the consultant(s):
• Understand your business
• Identify what makes your business profitable
• Map and document these processes
• Get agreement with the rest of the board team
• Conduct a high-level SWOT analysis
• Determine what and where your vulnerabilities are that affect your productivity and profit
• Understand which resources are necessary for the business to continue
• Identify possible scenarios
• Determine how long it takes to replace
• Avoid doom and gloom – be realistic
• Establish and understand replacement times
• Place profit processes in a priority order. You can do this in terms of frequency of use or profitability or ease – whatever you decide
• Determine how long it takes to replace:
  • Personnel
  • Resources

110430 bcm presentation v0.1 mj
