Issue 1 © Intertek QATAR www.intertek.com
1
Welcome to the Seminar on
Business Continuity
Management System
ISO 22301:2012
AN ORIENTATION
2
Business Continuity issues are of two types:
• Incidents disrupting business for a period;
• Incidents disrupting business for a long time period and having a very big impact – catastrophes (natural disasters): earthquakes, fire, volcano eruptions, etc.
3
Learning Objectives
Upon completion of this presentation, one can:
• Understand what BCMS is;
• Understand why BCMS;
• Understand the benefits of BCMS;
• Understand the focus of top management for ISO 22301 preparation.
November 2015 - QATAR Ver. 1
4
SOME BUSINESS DISRUPTIONS AND THEIR IMPACTS – indicating the need for BCMS - Videos
1. BLACKBERRY INCIDENT
2. GLOBAL CASES
3. AT&T
5
Business Continuity issues are of two Categories
6
WHAT IS NOW NEEDED? CHALLENGE FOR RECOVERY IN REALITY?
7
Resumption of Activities
[Figure: performance vs. time around an incident. Labels: Normal activity; Incident; Minimum performance level; Objective to resume activity; Time to resume activity; Time to resume normal levels of operation; Time after which irrevocable damage is done to the organization.]
8
What is Business Continuity?
Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)
9
BUSINESS CONTINUITY MANAGEMENT SYSTEM & Business Continuity Plan (BCP)
The business continuity management system can be defined as a management process that provides a framework for building the capability that safeguards the objectives of the organization, including its obligations.
• Anticipate the probable risk of a business continuity incident (Business Impact Analysis – the process of analyzing activities and the effect that a business disruption might have upon them).
• Depending upon the length and severity of the interruption, recovery depends on management's ability to re-establish the organization's functions to a minimum acceptable level and then to normalcy.
• Business continuity planning (BCP) continually confronts the likelihood or otherwise of an incident. (Risk – effect of uncertainty on objectives)
• BCP is the only solution to such unexpected business interruption – a proactive, management-led incident management program driven by management requirements (Business Continuity Strategy).
10
BUSINESS CONTINUITY PLAN (BCP) OBJECTIVES
• Ensure continuity and survival of the business;
• Provide protection to corporate assets;
• Provide management control of risks and exposures;
• Provide preventative measures where appropriate;
• Take proactive management control of any business interruption.
BCP provides a balance between acceptable potential losses and acceptable one-time and annual costs.
Risk assessment identifies key sources of vulnerabilities having different impacts, and drives the pro-active steps taken to avoid such incidents.
TESTING OF BCP IS MANDATORY else RECOVERY WOULD BE
(Sample testing is not enough)
NEED FOR BCP - Video
11
ISO 22301:2012
12
Process Approach and PDCA
[Figure: the Plan-Do-Check-Act cycle (PLAN → DO → CHECK → ACT) wrapped around "Your Processes", driving Continual Improvement.]
The Plan-Do-Check-Act (PDCA) methodology applies to all processes:
• PLAN – Activities, Controls, Documentation, Resources, Objectives
• DO – Deploy & conform with plan
• CHECK – Measure & monitor for conformity & effectiveness
• ACT – Analyze/review, Decide/change, Improve effectiveness
13
14
BIRD’S EYE VIEW OF BUSINESS CONTINUITY MANAGEMENT SYSTEM – KEY ELEMENTS
15
Process Approach Introduction
• Process – set of interrelated or interacting activities that uses
resources to transform inputs into outputs
• Process Approach – systematically identifies and manages the
linkage, combination, and interaction of a system of processes
within an organization
• ISO 22301 – based on processes needed and their interactions
16
Process Approach Emphasis
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance and effectiveness
• Use of objective measurements to improve processes
17
Fundamentals of an ISO 22301 BCMS
• ISO 22301 – BCMS REQUIREMENT STANDARD
– Description, rationale, benefits, application, PDCA
– Emphasis on planning
• ISO 22313 – BCM GUIDANCE STANDARD
– In line with ISO 31000
• Business Continuity Institute – good practice guidelines
18
Purpose of ISO 22301
• Applies to any type or size of organization in any industry or sector
• Tried and tested framework for a systematic approach
• Provides a framework to meet customer, internal and statutory
and regulatory requirements
• Sets standardized requirements for business continuity
• Model for consistently meeting business needs despite
disruptions
• Basis for certification that specified requirements are met
19
An ISO 22301 BCMS in Practice
• Requires internal audits
• Verifies effective management
• Ensures the organization is fully in control of its activities
• Fosters customer confidence
• Allows engaging a certification body to obtain a certificate of conformity
• Provides, via certification, the credibility of an independent assessment
• Provides a system that adds value
ISO 22301 states what must be done; a properly documented BCMS describes how the required processes are to be done.
20
Key Business Continuity Terms
• Business Impact Analysis
• Risk Appetite
• Risk Assessment
• BCM program & plan
• BCM response
• Activity
• Critical activities
• Exercise & Testing
• Incident management plan
• BCP Invocation
• Recovery Time Objective (RTO)
• Maximum Allowable Time of Disruption (MAO)
21
22
Impact Analysis
Impact can be quantitative or qualitative:
• Loss of key personnel
• Loss of physical assets
• Loss of information
• Disruption of service
• Violation of law, penalties
• Brand image, reputation, credibility
• Financial/revenue
• Customers, suppliers, partners (external interested parties)
• Environmental/H&S
23
RISK APPETITE – Further Explanations
24
RESILIENT – Further Explanation
25
RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM TIME OF DISRUPTION FROM ZERO LEVEL
[Figure: RTO and MAO marked on the recovery timeline, starting from zero level.]
26
RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM TIME OF DISRUPTION FROM REDUNDANCY LEVEL
[Figure: RTO and MAO marked on the recovery timeline, starting from the redundancy level.]
27
Interested Parties – ISO 22313:2010
28
[Figure: interested parties map – INTERNAL INTERESTED PARTIES in the centre, surrounded by EXTERNAL INTERESTED PARTIES (placeholders A–R / 1–18).]
Step 1 > Identifying interested parties as per the scope of the BCMS
29
BUSINESS IMPACT ANALYSIS - Samples

Sample 1
Interested party: DESIGN COMPANY AS A VENDOR
Business relationship: OUTSOURCING OF DESIGN OF BUSINESS APPLICATION AS PER PREDEFINED SCOPE
RTO: 4 days | MAO = 30 DAYS | Risk appetite (time / $ loss): MAX. 15 DAYS OR < USD 50,000
Business impact w.r.t. loss of $ in the time frame, if the process is not available:
KEY PROCESS / ACTIVITY | < 5 DAYS | 5 – 15 DAYS | 15 DAYS – 30 DAYS
1. DESIGN & DEVELOPMENT | NO ISSUE | NOT ACCEPTABLE (Activate Redundancy) | NOT ACCEPTABLE (Activate BCP)
2. VERIFICATION AND VALIDATION | NOT ACCEPTABLE (Activate Redundancy) [only this cell recovered]
3. DESIGN CHANGE | …

Sample 2
Interested party: NETWORK VENDOR
Business relationship: PROVIDING NETWORK FOR THE ONLINE SHOPPING SITE COMPANY
RTO: 15 minutes | MAO = 1 hour | Risk appetite (time / $ loss): MAX. 15 DAYS OR < USD 5,000
Business impact w.r.t. loss of $ in the time frame, if the process is not available:
KEY PROCESS / ACTIVITY | < 30 MINUTES | 30 MINUTES TO 1 HOUR | > 1 HOUR
1. POWER SUPPLY FOR TELECOM EQUIPMENT ON TOWERS | NO ISSUE (Activate Redundancy) | NOT ACCEPTABLE (Activate BCP) | NOT ACCEPTABLE (Activate BCP)
2. NETWORK CAPACITY | NOT ACCEPTABLE (Activate Redundancy) [only this cell recovered]
3. NETWORK SECURITY ASPECT (SOC) | …

THIS SHALL HELP IN PRIORITISING THE RISKS BASED ON THE SEVERITY OF THE IMPACT ON BUSINESS, BASED ON THE KEY ASPECT, SAY $ OR TIME.
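To make the RTO/MAO timeline of the resumption figure and the BIA sample table concrete, here is a small Python model added for this orientation; it is not Intertek's material nor anything taken from ISO 22301. The hour-based units, the row layout and the helper names (`Activity`, `check_activity`, `response_for`, `assess`, `prioritise`) are assumptions constructed to mirror the deck's two samples, plus one deliberately inconsistent row to show what the consistency check catches.

```python
"""Toy model of the BIA sample table: RTO, MAO and time-banded impact responses.

Constructed example for this orientation deck, not Intertek's or ISO's material.
All durations are in hours; the two sample activities mirror the deck's own
figures (design vendor: RTO 4 days, MAO 30 days; network vendor: RTO 15 min,
MAO 1 hour).
"""
from dataclasses import dataclass
from typing import List, Tuple

HOUR, DAY = 1.0, 24.0


@dataclass(frozen=True)
class Activity:
    name: str
    rto: float                 # Recovery Time Objective: time to resume activity
    mao: float                 # Maximum Acceptable Outage: irrevocable damage beyond this
    loss_appetite_usd: float   # risk appetite expressed as tolerable $ loss
    # Impact bands from the BIA table: (upper bound of outage in hours, response).
    # Bands are ascending and the last one ends at the MAO.
    bands: Tuple[Tuple[float, str], ...]
    beyond_mao: str = "NOT ACCEPTABLE (Activate BCP)"


def check_activity(a: Activity) -> List[str]:
    """Consistency findings a BIA reviewer would raise before approving the row."""
    findings = []
    if a.rto > a.mao:
        findings.append(f"{a.name}: RTO {a.rto}h exceeds MAO {a.mao}h "
                        "(recovery planned after irrevocable damage)")
    uppers = [u for u, _ in a.bands]
    if uppers != sorted(uppers):
        findings.append(f"{a.name}: impact bands are not in ascending order")
    if uppers and uppers[-1] != a.mao:
        findings.append(f"{a.name}: last band ends at {uppers[-1]}h but MAO is {a.mao}h")
    return findings


def response_for(a: Activity, outage_hours: float) -> str:
    """Look up the table's response for an outage of the given length."""
    for upper, response in a.bands:
        if outage_hours < upper:
            return response
    return a.beyond_mao          # past the last band, i.e. past the MAO


def assess(a: Activity, outage_hours: float) -> dict:
    """Place an outage on the resumption timeline: within RTO, within MAO, or past both."""
    return {
        "activity": a.name,
        "response": response_for(a, outage_hours),
        "within_rto": outage_hours <= a.rto,
        "within_mao": outage_hours <= a.mao,
    }


def prioritise(activities: List[Activity], key: str = "time") -> List[str]:
    """Rank by severity: shortest MAO first ('time') or lowest $ appetite first ('$')."""
    if key == "time":
        ranked = sorted(activities, key=lambda x: x.mao)
    elif key == "$":
        ranked = sorted(activities, key=lambda x: x.loss_appetite_usd)
    else:
        raise ValueError("key must be 'time' or '$'")
    return [x.name for x in ranked]


# Constructed rows mirroring the deck's two BIA samples.
DESIGN_VENDOR = Activity(
    name="Design & Development (design vendor)",
    rto=4 * DAY, mao=30 * DAY, loss_appetite_usd=50_000,
    bands=((5 * DAY, "NO ISSUE"),
           (15 * DAY, "NOT ACCEPTABLE (Activate Redundancy)"),
           (30 * DAY, "NOT ACCEPTABLE (Activate BCP)")),
)
NETWORK_VENDOR = Activity(
    name="Power supply for telecom equipment (network vendor)",
    rto=0.25 * HOUR, mao=1 * HOUR, loss_appetite_usd=5_000,
    bands=((0.5 * HOUR, "NO ISSUE (Activate Redundancy)"),
           (1 * HOUR, "NOT ACCEPTABLE (Activate BCP)")),
)
# Deliberately inconsistent constructed row: RTO later than MAO.
BAD_ROW = Activity(name="Inconsistent row", rto=2 * DAY, mao=1 * DAY,
                   loss_appetite_usd=1_000, bands=((1 * DAY, "NO ISSUE"),))

if __name__ == "__main__":
    for a in (DESIGN_VENDOR, NETWORK_VENDOR, BAD_ROW):
        print(check_activity(a) or f"{a.name}: consistent")
    print(assess(DESIGN_VENDOR, 10 * DAY))
    print(assess(NETWORK_VENDOR, 45 / 60))
    print(prioritise([DESIGN_VENDOR, NETWORK_VENDOR], key="time"))
```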
30
Approaches to Business Impact Analysis (BIA)
• There is no single “right” way to conduct a BIA
• Any method that satisfies clause 8.2 is acceptable
• The BIA method may offer either
– One BIA technique for universal use
– A selection of techniques together with guidance on selecting one
appropriate to the needs of specific activities (e.g. a BIA technique
suited to HR activities may not be equally suitable for IT or H&S)
• Following slides illustrate a variety of BIA techniques
31
BIA Report – Example Headings
• Executive Summary
• BIA Method Summary
• BIA by Department / Process
– Operations
– R&D
– Finance
– Sales & Marketing
– HR
– Vendor Management
– Compliance and Risk
• Summary of Critical Activities and Impacts
Analyses impact of disruption of critical activities
that support key products and services which,
themselves, are of course cross-functional
32
Identify Risks and Opportunities
• Implementation of a BCMS assists in providing controls to
mitigate risks
• Ensure review of risks and opportunities when assessing your
current system and performing a gap analysis
• Determine appropriate risk and opportunity treatments
You may find these useful:
• ISO 31000:2009, Risk management – Principles and guidelines
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques
33
RISK MITIGATION (Risk Reduction)
[Figure: RISK LEVEL scale – High: 71 - 100; Medium: 41 - 70; Low: 1 - 40]
Risk Mitigation – Implementing Controls for Risk Reduction
No matter which controls are implemented, the following are the facts:
1. They shall definitely bring down the risk to C, I & A – but only for as long as the control is effective;
2. Whatever the control, risk cannot be brought to ZERO – it can only be reduced;
3. In IT, controls can reduce the "PROBABILITY" only;
4. Residual risks shall always be there – one must remember this 24x7.
34
BUSINESS CONTINUITY PLAN - VIDEO
BUSINESS CONTINUITY PLANS – as per anticipated risks
Take away > Redundancy is the SECRET OF SUCCESS OF BUSINESS CONTINUITY PLANS
35
BIRD’S EYE VIEW OF BCMS
36
Critical BC Focus Aspects of Organization
(anticipate maximum disruptions)
• All single points of failure [no redundancies]
• Residual risks identified in risk assessments [after considering all the controls]
• Unknown causes of redundancy failures
• No actions taken on BC testing failures
• Unknown / ignored risks
37
Realization of the Need to Implement BCMS (ISO 22301:2012) and get Certified
1. Realization for the need to implement BCMS
2. Think and understand and realise the need of BCMS
3. Accept the need for BCMS
4. Attempt to learn how to do BCMS
5. Learn the BCMS Concept and Start BCMS
6. Create Base line of BCMS
7. Implement & Test BCMS – understand Residual Risk
8. Perform Internal Audits & Management Reviews
9. Implement Corrective Actions
10. Get Audited and get Certified towards ISO 22301:2012
38
A CURRENT FACT
FINANCIAL COMPANY IN NEW YORK BENEFITED FROM BUSINESS CONTINUITY
CORE SITE IN NEW YORK CONTROLLED THE DEVASTATING INCIDENT
39
Thank You!
Any Questions?

Business continuity management system overview


Editor's Notes

  • #8 Note: self-running animation. The real issue for organizations is meeting the minimum level of service. If this is met before the 'Objective to resume activity', then fine, and the irrevocable damage is irrelevant. The problems start when the organization does not meet the 'Objective to resume activity'. Provided they reach the minimum level of service before they reach the irrevocable damage time, that is acceptable. What is disastrous is when they – in theory – meet neither the 'Objective to resume activity' nor the irrevocable time. This basically means they are dead in the water, so to speak. ISO 22301 Clause 8.2.2.c specifically asks for both of these times to be considered. Note that while this diagram demonstrates a sudden disruption, it is also possible for gradual disruptions to occur (e.g. an outbreak of flu that gradually reduces workforces, slowly increasing regional flooding, reduction in availability/price of fuel oils/gasoline). Also note that this is an idealized graphical representation, and where on a timeline and at what level acceptable production/service is positioned depends on the organization's own BIA.
  • #13 The process approach also emphasizes the importance of: understanding and meeting requirements; looking at processes in terms of added value; obtaining results of process performance; continual improvement of processes. Walk participants through an example most appropriate for the culture (making beer, making tea, making coffee – something everyone can relate to and all will know the steps to complete the process).
  • #16 Note: animation.
  • #21 As a follow-up to the exercise on definitions, you may have participants provide definitions for the terms on this slide, or just point out to them that these are some key terms and perhaps discuss some of them.
  • #28 The Organization includes: Management; Top Management; Those accountable for BCM policy and its implementation; Those who implement and maintain the BCMS; Those who maintain BC procedures; Owners of BC procedures; Incident Response Staff; Those with responsibility to invoke; Assigned Spokespeople; Response Teams; Other Staff; Contractors.
  • #33 One of the main drivers for the introduction of a management system should be to provide controls that will help to mitigate the risks that all organizations have to deal with on a day-to-day basis. These risks can have both a positive and a negative effect on an organization, so it is worth finding out where those risks are, and then deciding what controls are required and reducing the risks as much as is financially appropriate, i.e. there is no point spending large amounts on a risk if the impact of that risk is small. Likewise, a competitor going out of business could be an opportunity but could also be a risk if the organization's own customers suffer due to the increased pressure placed on the organization by more customers! ISO 9001 does not make reference to a specific Risk Management standard. If an organization does not already practice a standard form of Risk Management or Risk Assessment, the following might be of use: ISO 31000:2009, Risk management – Principles and guidelines; ISO/IEC 31010:2009, Risk management – Risk assessment techniques; ISO Guide 73:2009, Risk management – Vocabulary.