Title: Business Continuity Management
Slide 1: Business Continuity Management and the IT Professional
Michael Gallagher, March 14th 2006

Slide 2: Business Continuity Management and the IT Professional
- What is Business Continuity Management?
- Risk Management
- What are the drivers?
- Achieving effective BCM
- IT implications
- Flu Pandemic risks
- Getting Business Continuity right
- What is the status of BCM in your Organisation?

Slide 3: Business Continuity Management
"The act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner" - Business Continuity Institute
- Not just about producing plan(s)
- Risk Management - identification, evaluation, reduction
- Creating awareness / culture
- Communication
- Exercising / testing and keeping plans up to date
- Computers - A major risk?

Slide 4
"BCM is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities." - BCI Good Practice Guidelines, Nov 2002; PAS 56, Mar 2003
"BCM is an holistic management process that identifies, in advance, the potential impacts of a wide variety of disruptions to the organization's ability to function, allowing that organization to survive the loss of part or all of its operational capability." - Draft BS 25999, Jan 2006

Slide 10
"Two out of five enterprises that experience a disaster will go out of business within five years. Enterprises can improve these odds but only if they take the necessary measures before and after the disaster." - Aftermath Disaster Recovery, Gartner, September 2001

Slide 11
- Survey of 500 UK businesses: 53% - no plan; 57% - tested plans (Chartered Management Institute - Survey 2004)
- Large organisations in Ireland: 90% - have plan; 80% - have tested plans (Renaissance - Survey 2004)

Slide 12: Disaster tonight
- How confident?
- Are you comfortable?

Slide 13: Usual excuses
- It will never happen to us!
- I'm sure we could cope
- You can't plan for the unforeseen
- If we don't have a disaster we've wasted money
- Isn't this why we have insurance?
- We are used to things going wrong

Slide 14: Evolution of BCM
- 1970
  - IT-DRP
  - Responsibility of DP Manager
  - More tolerant of downtime
  - Banks had own arrangements
- 1980
  - Commercial Recovery Sites
  - Portable Computer Rooms
  - Emphasis on response and recovery
- 1990
  - Less tolerant of downtime
  - Technology changes
  - Increasing dependence on communications
  - Becomes BCP - include the business processes
  - Emphasis on prevention
  - Y2K

Slide 15: Evolution of BCM
- 2000
  - Becomes BCM
  - Responsibility of Business
  - Holistic - All disciplines working together
  - Closely aligned with Risk Management - Danger of separate departments thinking that some threats and responsibilities are handled by someone else
  - 9/11 etc.

Slide 16: Emerging Standards
- BCI BCM Good Practice Guidelines - Nov 2002; Update - Feb 2005
- BSI / BCI PAS 56 Guide to BCM - March 2003
- Soon - standard - BS 25999

Slide 17: The BCM Life Cycle
[Diagram: the BCM life cycle - source BCI]

Slide 18: Phases in BCM
- Project Initiation
- Risk Identification
- Business Impact Analysis
- Develop Business Continuity Strategies
- Plan Development
- Plan Testing
- Plan Maintenance

Slide 19: User Expectations and Assumptions
- Context - major building hit
- Staff can move to new location
- Have access to systems quickly
- Maximum data loss - current day's transactions
- Always possible to recover from previous night
- Backups done and stored in alternate locations
- Servers secure and dispersed
- LAN resilience
- Technology aware of priorities
- Work will have been done to ease transition
Customer Expectations and Assumptions
- Service continues uninterrupted

Slide 20
In essence - BCM is about ensuring that if your organisation experiences a disaster or other serious incident you have already considered that possibility. You will have taken steps to reduce the risk of this happening and to minimise the impact if it does happen. You will have a plan in place with which all key managers are familiar, which has been tested, and which will enable your organisation to continue to function as close to normal as possible with the least disruption possible.
- Relevant to every type and size of organisation
- "What If" instead of "If Only"

Slide 21: The Risk Management Cycle
- Identification
- Analysis
- Monitoring
- Control

Slide 22: Types of Risk - A Classification
- Strategic
- Operational
- External
- Internal
- Distribution
- Customers

Slide 23: Risk Matrix
Response by probability (rows) and impact (columns):

| Probability \ Impact | LOW impact | HIGH impact |
|---|---|---|
| HIGH probability | Control | Prevent |
| LOW probability | Accept | Plan |

Slide 24: Natural hazards
- Storms
- Flood
- Earthquake / Subsidence / building collapse
- Frost / Snow-bound
- Electrical storms
Man-made hazards - Deliberate
- Computer fraud, viruses, hacking, denial of service ...
- Fraud
- Break-in / Arson / Malicious damage
- Industrial dispute - employee morale
- Riot / civil unrest
- Terrorist attack - bomb damage - biological ...
- Bomb scare
- Product tampering

Slide 25: Man-made hazards - Accidental / Operational
- Computer malfunction - hardware, software, infrastructure
- Operator error - computer / automation, machine, vehicle ...
- Loss of records
- Explosion
- Chemical spillage
- Fire
- Transportation disruptions
- JIT delivery malfunctions
Indirect
- Power failure
- Telecoms failure
- Cordon
- Smoke damage
- Water damage / leaks

Slide 26: Others
- Supply chain
- Succession planning - loss of key personnel
- Kidnap
- Espionage
- Medical emergencies / Pandemic
- Sick building syndrome
- Workplace addictions
- Violence in the workplace
- Fraud - white-collar crime
- Multi-tenant sites

Slide 27: Why is BCM Essential?
- Regulatory Requirements
- Turnbull - Corporate Governance
- Data Protection
- Confidence of suppliers and customers
- Reputation
- Business environment
- Insurance

Slide 28: Turnbull
- "The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets"
- "The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management"
- Management: Accountable to Board for monitoring and reporting on internal controls
- Employees: Accountable for applying the controls; Should have necessary knowledge and expertise to do so

Slide 29
"The Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business based on an assessment and control of their significant risks. For many companies business continuity management will address some of these key risks and help them to achieve compliance." - Nigel Turnbull, Chairman, ICAEW Committee on the Guidance for Directors on Internal Controls

Slide 30
- Higgs Report - January 2003 - Review of the role and effectiveness of non-executive directors
- Basel II
- Cromme Code - Germany
- Bouton Report - France
- Smith Report - July 2003 - Company Audit Committees
- Sarbanes-Oxley Act 2002 - USA

Slide 31
- FCPA - Foreign Corrupt Practices Act (1977)
- NASD Proposals - National Association of Securities Dealers (2002)
- FSA - Financial Services Authority
- UK - Civil Contingencies Act (2005)
- HIPAA - Health Insurance Portability and Accountability Act
- Privacy
- GLB - Gramm-Leach-Bliley Act (2001)
- California SB 1386 - July 1 2003
- Data Protection 1988 and 2003 Acts
- Responsibilities Linked to IT Policies / Procedures

Slide 32: Data Protection Act 1988
- 2(1)(d): "Appropriate security measures shall be taken against unauthorised access to, alteration, disclosure or destruction of, the data and against their accidental loss or destruction"
- Section 4 of the 2003 Act states that security measures should take account of the following factors:
  - State of technological development
  - Cost of implementing the measures
  - Harm that might result from unlawful processing
  - Nature of the data concerned

Slide 33: Reputation
- Confidence of suppliers and customers
- "Trust and reputation can vanish overnight" - Alan Greenspan, Chairman, US Federal Reserve
- Perrier - benzene
- Ratners
- Ford / Firestone - Explorer SUV - 100 deaths - Bns
- AIB - Rusnak
- Heineken - glass shards
- Johnson & Johnson - Tylenol, cyanide, 7 deaths
- Speed, Openness, Commitment - Commercial Union
- "Reputational risk is single biggest risk for financial institutions" - PwC / EIU Survey, July 2003

Slide 34: Insurance
- Risk management and business continuity management are now embedded in the insurance purchase process. Insurers are now demanding good BCM practices. Now a major driver.
- Only a part
- Provide finance
- Will not keep customers supplied
- Will not protect reputation / image
- Cover for loss of profits?

Slide 35
2003 - The Business Continuity Institute

Slide 36
Source: Contingency Planning Research Inc. - 5,320 Incidents

Slide 39: Features of Good BCM
- Simple
- Quality not Quantity
- Relevant and current
- Not necessarily expensive

Slide 40: Simple
- Commonsense process
- Realistic evaluation / management of risks
- Understanding what the business consequences are if key facilities, processes or people are lost
- Appropriate strategy to limit damage and recover as well as possible

Slide 41: Risk Severity / Probability
[Chart: severity axis - Catastrophic, Serious, Minor, Insignificant; probability axis - Certain / Very Likely, Quite Probable, Very Unlikely, Improbable. Plotted examples, highest severity first: Factory hit by aircraft; Major fire; Product recall; SAP down for 2 days; HR system down for 1 day; Employee accident; Theft]

Slide 42
[Chart: Costs against Investment, showing total costs, incident costs and prevention costs]

Slide 43: Relevant and current
- An irrelevant or out-of-date plan is worse than no plan
- Not token plan
- Ownership - responsibility
Not necessarily expensive
- Time
- Consider at planning stage
- SMEs at risk

Slide 44: Essential elements
- Plan invocation
- Crisis management team
- Contact details
- Business processes to be recovered - Priorities, How, Where, Timescales
- Recovery steps
- Communications - media, staff, business partners
- Don't forget non-computer records

Slide 45: IT Security
- Policies and Standards
- Protection mechanisms / strategies
- Commitment to proper information security policies / procedures
- Commitment, Mindset, Enforced, Updated

Slide 48: Business environment
- On-line 24 X 7 X 365
- JIT
- Supply chain pressure
- Systems integration - ERP
- More single points of failure - greater impact
- Fewer workarounds
- Knowledge

Slide 49: ERP Systems
- Major advantages
- Corporate and IT challenges
- Major project
- Expensive - budgetary restraints
- Impact on resilience / recovery spend
- All eggs
- Single point of failure
- Implications of downtime
- No workarounds
- Phased recovery?
- Knowledge of system?
- BCM and resilience considerations from start

Slide 50: Pandemic
- Avian Flu
- Influenza Pandemic
- Separate but could be related
- Communication critical
- CONTINUITY
- Balance - Awareness, Planning, Panic

Slide 51
"A global pandemic is the single most important threat to the global economy" - US National Intelligence Council, Mapping the Global Future
"If ever there was a time when the risk of a pandemic was higher than usual it is now" - Dr Julie Gerberding, Director, Centers for Disease Control & Prevention, US

Slide 52
"The most serious known health threat the world is facing today. This is a grave danger for all people in all countries" - Dr Lee Jong-wook, Director General, WHO
"A new pandemic would claim between 5m and 150m people" - Dr David Nabarro, WHO

Slide 53
"The world's third largest bank says that up to half of its staff could fall ill or be absent from work at the peak of the next flu pandemic" - Financial Times, January 2006

Slide 54: IMPACT
- Spanish Flu 1918 - 1919
- Deadliest disease in history
- 50 - 100 million died
- Most in 15 - 35 age group
- Three waves over 18 months
- Traced to avian flu virus - H1N1
- Today's avian flu - 50% mortality rate

Slide 55: Influenza Pandemic Comparisons

| Time | Worldwide Deaths (Ms) | Population (Bs) |
|---|---|---|
| 1918 - 19 | 50 - 100 | 1.8 |
| 1957 - 58 | 2 | 2.8 |
| 1968 - 69 | 1 | 3.6 |
| 2006 Est | 7.5 - 350 | 6.5 |

Slide 56: Business Pandemic Influenza Planning Checklist
- Centers for Disease Control & Prevention
- www.cdc.gov/business
- 6 Sections
- Tick status:
  - Completed
  - In Progress
  - Not Started

Slide 57
It is not finished when the Plan is produced.
- Updating
- Exercising
- Training
- Audit / Review

Slide 58: The hard part of BCM is not creating the plan - it is keeping it up to date
- Reorganisations and reshaping
- Transformation and rationalisation
- Mergers and acquisitions
- Rate of technological change
- Increased sophistication of ICT
- JIT
- Outsourcing
- Working practices
- Staff turnover, redundancies
- Hot-desking / virtual office
- Be clear on ownership
- Part of annual appraisal process

Slide 59: Exercising
- Even a failed disaster recovery test is useful
- Types: Walk-through; Component or Rolling; Full BCP test
- Involve key business partners - suppliers? Observe their exercises?

Slide 60: BCM Audit
- Internal or external
- Be practical
- Objectives:
  - Assess status
  - Assess currency
  - Confirm ownership / responsibilities
  - Confirm all know roles
  - Review documentation
  - Encourage training / exercising
  - Support infrastructure

Slide 61: Common Weaknesses
- Inadequate management support
- Insufficient financial support
- Narrow view
- Responsibilities unclear
- Inappropriate ownership
- Not everyone involved
- Plan stops at site gate
- Poor risk analysis / BIA
- Inadequate training / awareness
- Inadequate testing
- Balance overview / detail not right
- Not up to date
- Not accessible or relevant when required

Slide 62: What is the Status of BCM in your Organisation?

Slide 63: BCM Self Assessment Questionnaire
1. Is there an active BCM programme in place in your organisation? Is BCM a comprehensive activity, which is closely linked to risk management, IT security, physical security, insurance, internal audit, etc?
2. Is there a person appointed with overall responsibility and authority for managing the programme? Is there a sponsor at board level? Does a Planning / Steering committee, or a BCM Working Group exist? Is this group representative of all main functions / departments?
3. Has a risk management / BCM culture been established? Are both senior and middle management aware of the issues? Is BCM regarded as part of a manager's job specification and does it rank as a KPI in the annual performance evaluation and appraisal process?

Slide 64: BCM Self Assessment Questionnaire
4. Is business continuity something which must be taken into consideration in preparing proposals for new projects or in seeking approval for capital expenditure? Does the approval process insist on this?
5. Has a risk analysis or business impact analysis been done and has management endorsed the priorities which that process has defined? Have controls and safeguards been identified and implemented to minimise loss?
6. Are regular reports on business continuity status, targets and achievements made to executive management and to the board?
7. Are there documented business continuity plans? Have key executives got a copy of the plan(s) at a location, at home for example, where it would be quickly accessible in the event of an incident? Are the plans in a format which is usable in the event of a crisis?

Slide 65: BCM Self Assessment Questionnaire
8. Is there an Emergency / Crisis Management Team? Are key executives aware of the plan and of their roles in a crisis? Has a location for a crisis command and control centre been identified? Are arrangements in place to move to alternative sites if required?
9. Are business continuity plans exercised regularly - has an exercise taken place within the past six months? Are these exercises realistic? Are the results of such exercises / tests documented and used to influence the work programme?
10. Does the plan deal with how to handle the media? Are managers aware of the procedures to be followed for both internal and external communications?

Slide 66: BCM Self Assessment Questionnaire
11. Does the plan deal with people issues - relocation arrangements, communication with next of kin and provision for trauma counselling where necessary?
12. Are arrangements for IT resilience and contingency adequate? Do these include built-in redundancy, multiple nodes, clustering, mirroring, multiple locations, hot-sites, etc. as appropriate?
13. Have user departments been involved in creating the IT Disaster Recovery Plan and have they been involved in testing the plan? Are user department processes taken into account in plan testing, or is testing confined to recovery of computer hardware and software?
14. Are backup and recovery procedures reviewed and tested regularly? Are backup power arrangements in place and tested regularly?

Slide 67: BCM Self Assessment Questionnaire
15. Are the backup and resilience features of the voice and data communications infrastructure adequate? If these facilities are critical to the business, have the alternative arrangements been tested within the past six months?
16. Are documented IT security policies and procedures in place? Are all computer users fully aware of e-mail and internet usage policies?
17. Is computer anti-virus software kept up-to-date? Are computer error and exception logs adequately monitored? Is there an IT Incident Response Plan and are all relevant personnel familiar with it?
18. Has the role of, and relationship with, public authorities been considered? Is there an awareness concerning risks of environmental pollution? Have health and safety issues been considered? Has a good working relationship been established with the local emergency services?

Slide 68: BCM Self Assessment Questionnaire
19. Do contracts with key suppliers require that these organisations have a BCP? Is BCM included in the contracts for all outsourced business functions? Have these plans been reviewed by your organisation within the past year? Have tests / exercises been observed or reviewed?
20. Are business continuity plans updated regularly? Are contact details up to date and do plans reflect the current organisation structure and responsibilities? Have the plans and processes been audited / appraised by an independent internal source or by external experts?

Slide 69: Significance of Score!
- Over 80: Likely that effective BCM programme in place
- 65 - 80: If regulatory BCM requirements apply - unlikely that they are being met
- 50 - 65: Room for improvement; Non-compliance with good governance requirements?
- Less than 50: Work to be done

Slide 70: Intel
"Each business unit and manufacturing organization is actively incorporating its own risk assessments and business continuity objectives into its culture and strategic planning, and communicating its plans to all employees. Business continuity is now something that every one of our organizations has to be cognizant of, and we will continue to incorporate the whole issue of business continuity capability or business continuity planning into the Intel Quality Award Program. Incorporating it into our everyday life." - Craig R Barrett, Intel CEO

Slide 71: Sources of information
- Business Continuity Management - How to Protect your Company from Danger, Financial Times / Prentice Hall, www.briefingzone.com
- Michael Gallagher, gallagml_at_iol.ie

Slide 72: Sources of information
- Business Continuity Institute - www.thebci.org.uk
- Emergency Planning Society - www.emergplansoc.org.uk
- Continuity Central - www.continuitycentral.com
- Global Continuity - www.globalcontinuity.com
- PAS56 - www.bsi-global.com
- ERP Systems and Business Continuity Management
- The Role of the Emergency Services in BCM

Slide 73: Thanks

Slide 74
- Achieving Business Continuity via Dual Data Centre Architecture for critical applications - Greg Rogers, Technical Architect, IT Solutions, ESB - Tuesday April 4
- IT Continuity Planning - Claire Bradley, Resiliency Risk Management, JPMorgan Chase - Tuesday May 9