
Business Continuity.Bs25999


Published in: Business, Technology

  1. 1. Business Continuity BS 25999 by Robert Whitcher, Global Marketing BSI Management Systems
  2. 2. Scope of Presentation • The Standards process • Business Continuity Management (BCM) Overview • Benefits of BCM • Drivers for BCM • Where we are with BCM and where we are going • PAS 56 • BS 25999 • Conclusions
  3. 3. How Standards can help What is a Standard? • A full consensus of all interested parties, so not imposed (includes government, business, trade associations, NGOs and consumers in the discussions) • Updated on a regular cycle • Best practice not general practice, therefore aspirational • Certification or audit is available, if required
  4. 4. Standards Pyramid [Figure: pyramid of standard types, from top to bottom: ISO • European Standard • National Standard • Publicly Available Specification • Private Standard • Company Codes of Practice. Side labels: Marketing Potential, Consumer Awareness, Risk Management, Credibility; Consensus; Control]
  5. 5. The Standards process • Starts with formation of a Technical Committee (TC) after recognition of business ‘need’ • All interested stakeholders invited to join the TC • Work programme agreed with input from the National or International standards body • TC can operate purely for National Standards or can ‘mirror’ European and ISO committees • Draft standards go for public consultation • Emphasis is on building consensus amongst key stakeholders about what is best practice
  6. 6. Drivers for BS 25999 and BCM • More business continuity awareness • Civil Contingencies / Homeland Security • Corporate Governance & Compliance • Protection of Corporate Value and Reputation • Supply Chain & Outsourcing • Commitments to customers • Duty of care • Protect the interests of shareholders
  7. 7. Interest in a BCM Standard • Poll: Do you support the development of a formal BSI standard for BCM? Yes: 790 (94.84%); No: 15 (1.80%); Undecided: 28 (3.36%); Voters: 833. • Poll: Should there be a Validation scheme as part of the Standard? Yes, there should be a BCM plan Validation scheme: 606 (80.26%); No, the standard will be enough. Companies can check plans out if they need to: 37 (4.90%); Undecided: 112 (14.83%); Voters: 755. Source: Date: 18 October 2006
  8. 8. Where we are in BCM? • Growing consensus on what is best practice, at least for larger organizations • Better understanding of business benefits amongst increasing numbers of organizations • BCM seen as part of overall Risk Management profile • Recognition that it can help reduce business interruptions
  9. 9. Where BCM is going • No longer just fashionable, but an integral part of managing the business • Broader based agreement on what is best practice in the form of a new standard, BS 25999 • Integrated across all business functions; no longer seen as an IT specialty • Progress towards auditable processes
  10. 10. PAS 56 • An Informal Standard produced from the consensus of a limited number of experts • A good start to the business continuity debate • Offered a view of what a future full National or European Standard might look like • Provided evidence that BCM is a business discipline • Offered a consistent approach across sectors • Helped business continuity to be taken more seriously
  11. 11. PAS 56 to BS 25999 • Consultation took place to evaluate the future for PAS 56 • New technical (or BCM standards) committee formed in 2005 which responded to feedback on PAS 56 by developing a new standard - BS 25999 • Part 1 of the standard was published in November 2006 • PAS 56 was withdrawn
  12. 12. BS 25999 • Will be published in two parts: 1. Code of practice 2. Specification
  13. 13. Early interest in BS 25999-1 • Draft for public comment (DPC) • Available throughout August 2006 • Over 5,000 copies were downloaded (other ‘similar’ standards: less than 250) • Over 70 sets of comments • About 300 pages of comments
  14. 14. BS 25999-1:2006 • Code of practice for business continuity management • Will establish the BCM processes, principles and terminology. • Provide a basis for understanding, developing and implementing business continuity within any size of organization. • Provide a comprehensive set of controls based on BCM best practice and the whole BCM lifecycle.
  15. 15. What is Business Continuity Management? “Business continuity management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities” Source: BS 25999-1
  16. 16. The Benefits of BCM Source: BS 25999-1
  17. 17. Business Continuity Lifecycle
  18. 18. BS 25999 Code of practice contents 1 Scope and applicability 2 Terms and definitions 3 Overview of business continuity management (BCM) 4 The Business Continuity Management policy 5 BCM Programme Management 6 Understanding the organization 7 Determining business continuity strategy 8 Developing and implementing a BCM response 9 Exercising, maintaining and reviewing BCM arrangements 10 Embedding BCM in the organization's culture
  19. 19. BS 25999 Code of practice contents 1 Scope and applicability 2 Terms and definitions 3 Overview of business continuity management (BCM) 4 The Business Continuity Management policy 5 BCM Programme Management 6 Understanding the organization 7 Determining business continuity strategy 8 Developing and implementing a BCM response 9 Exercising, maintaining and reviewing BCM arrangements 10 Embedding BCM in the organization's culture
  20. 20. The BCM policy • The purposes of establishing a business continuity policy are to: ensure that all BCM activities are conducted and implemented in an agreed and controlled manner; achieve a business continuity capability that meets changing business needs and is appropriate to the size, complexity and nature of the organization; and put in place a clearly defined framework for the ongoing BCM capability.
  21. 21. BCM Programme Management • At the heart of the BCM process Effective programme management establishes the organization’s approach to, and ongoing management of, business continuity Achieve the objectives defined in the policy BCM programme management involves three steps: • assigning responsibilities (governance); • implementing business continuity in the organization; • the ongoing management of business continuity
  22. 22. Understanding the organization • Business Impact Analysis • Identification of critical activities • Determining continuity requirements • Evaluating threats to critical activities Undertake a risk assessment • Determine Choices • Approvals
  23. 23. Understanding the organization • It is important that the organization understands: a) the interdependencies of its activities, and b) any reliance it has on external organizations, and any reliance placed upon it by others.
  24. 24. Determining business continuity strategy • Strategy options will depend on a range of factors: the maximum tolerable period of disruption of the critical activity; the costs of implementing a strategy or strategies; and the consequences of inaction.
  25. 25. Determining business continuity strategy • Strategies might be required for the following organizational resources: people; premises; technology; information; supplies; stakeholders; civil emergencies
  26. 26. Developing and implementing a response • Development and implementation of appropriate plans and arrangements to ensure continuity of critical activities, and the management of an incident. • Incident response structure Incident timelines
  27. 27. Incident timeline [Figure: timeline starting at "Incident!". Overall recovery objective: Back-to-normal as quickly as possible] • Incident response, within minutes to hours: Staff and visitors accounted for, casualties dealt with, damage containment / limitation, damage assessment, Invocation of BCP • Business Continuity, within minutes to days: Contact staff, customers, suppliers, etc.; Recovery of critical business processes; Rebuild lost work-in-progress • Recovery / resumption – back-to-normal, within weeks to months: Damage repair / replacement; Relocation to permanent place of work; Recovery of costs from insurers
  28. 28. Developing and implementing a response • Content of plans Introduction Purpose and scope Roles and responsibilities Plan invocation Document owner and maintainer Contact details • The incident management plan (IMP) To allow an organization to manage the initial (acute) phase of an incident
  29. 29. Developing and implementing a response • Content of the IMP General Task and action lists Emergency contacts People activities Media response Stakeholder management Incident management location Annexes
  30. 30. Developing and implementing a response • The Business continuity plan(s) – BCP(s) to enable an organization to recover or maintain its activities in the event of a disruption to normal business operations. • Contents of the BCP • General • Action plans / task lists • Resource requirements • Responsible person(s) • Forms and annexes
  31. 31. Exercising, maintaining and reviewing BCM arrangements • To ensure an organization’s BCM arrangements are validated by exercise and review, and are kept up-to-date. Exercises provide demonstrable evidence of a business continuity and incident management competence and capability. Time and resources spent proving BCM strategies by exercising BCPs will lead to a fit-for-purpose capability. No matter how well designed and thought-out a BCM strategy or BCP appears to be, a series of robust and realistic exercises will identify areas that require amendment.
  32. 32. Embedding BCM in the organization’s culture • To be successful: must be a part of the way an organization is managed, regardless of size or sector. At each stage of the BCM process, opportunities exist to introduce and enhance an organization’s BCM culture. • Awareness • Skills training
  33. 33. BS 25999-2 Specification aims • Will specify the requirements for: establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented BCM system within the context of an organization’s overall business risks; the implementation of business continuity controls customized to the needs of individual organizations.
  34. 34. BS 25999-2 Development Timeline (Estimated) Note: PAS 56 will be withdrawn when BS 25999-1 is published
  35. 35. Conclusion • Business continuity is higher up the organization’s agenda Top management have more corporate governance responsibilities Increased focus on Business Risk, therefore a British Standard for Business Continuity • BS 25999-1 will help to: Establish, manage and improve a Business Continuity Management System Implement Business Continuity into an organization’s culture
  36. 36. Conclusion • BS 25999-1 is only the beginning • BS 25999-2 will provide a management system for managing Business Continuity within an organization • Set a minimum requirement for third-party auditing or certification • Allow organizations to determine how well they are performing against the standard • Demonstrate to others that they are treating Business Continuity seriously
  37. 37. Contact Us Name: Robert Whitcher, Global Product Manager, Global Marketing Title: Manager Address: BSI Management Systems 389 Chiswick High Road London W4 4AL Telephone: 0208 996 7962 Fax: Email: Robert Links:
  38. 38. End of Presentation