Abstract
An enterprise is exposed to risks, such as acts of terrorism, natural disasters and utility failure, which may disrupt
operations, disaffect customers and compromise business credibility and revenue streams. Risk can also be introduced to
an enterprise through changes, such as automation, down-sizing, process re-engineering or outsourcing of processes and
services, each of which may also bring changes in the type of risk. This paper proposes a framework for the design,
implementation and monitoring of a business continuity management programme within the context of an information
strategy.
© 2005 Elsevier Ltd. All rights reserved.
1. Introduction
As discussed in an earlier paper (Gibb, Buchanan, & Shah, 2006), processes and associated services lie at the
heart of delivering an enterprise's strategy. Processes consist of sets of activities which are designed to deliver
value to customers. These processes are dependent upon human resources to initiate, enact and control specific
activities, and on infrastructure, material, financial and information resources to provide the context and
inputs from which value can be created (Vancoppenolle, 2001). Processes cross traditional functional and
organisational boundaries and must be effectively integrated, monitored and protected if breakdowns at
handover points and interfaces are to be avoided. Processes are also highly dependent on information and
technology, and failures of underlying systems can be both costly and embarrassing:
- Hi-tech companies in Silicon Valley lost systems and data when they were hit by a series of electricity
failures in January 2001 which cost in excess of $100 m (Faragher, 2001).
- The Woolwich was unable to cope with a sudden growth in its lending activity, a situation which was
exacerbated by underlying systems problems with direct debits, which affected thousands of its mortgage
customers (Steiner, 2002).
- WorldPay, a credit card transaction processing service, was subject to a denial of service attack involving
millions of e-mails generated by gangs in the Ukraine (Computer Crime Research Center, 2003).
- The Halifax suspended its share dealing service ShareXpress when it was discovered that customers could
access other customers' accounts following a failed attempt to repair a software bug (MacIver, 2003).
- Online betting companies in the UK have been threatened with denial of service attacks and the sending of
pornographic e-mails in their names unless they paid a ransom (Pesola, 2004).
Corresponding author: F. Gibb. E-mail address: forbes.gibb@cis.strath.ac.uk
0268-4012/$ - see front matter © 2005 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ijinfomgt.2005.11.008
ARTICLE IN PRESS
F. Gibb, S. Buchanan / International Journal of Information Management 26 (2006) 128–141
Business continuity management (BCM) is a tool that can be employed to provide greater confidence that
the outputs of processes and services can be delivered in the face of risks. It is concerned with identifying and
managing the risks which threaten to disrupt essential processes and associated services, mitigating the effects
of these risks, and ensuring that recovery of a process or service is achievable without significant disruption to
the enterprise. The following sections describe a step-by-step approach to the design, implementation and
monitoring of BCM within the context of an information strategy.
Various authors have proposed different development cycles for BCM, each of which places emphasis on
particular aspects of BCM (CCTA, 1995; Barnes, 2001; Hiles & Barnes, 2001; Starr, Newfrock, & Delurey,
2002; Smith, 2002). The framework described here draws on these approaches and experience in the field. Each
phase is illustrated in terms of a standard template which highlights the key activities that must be undertaken,
and the associated inputs and outputs. The phases (some of which will overlap) are:
1. Programme initiation.
2. Project initiation.
3. Risk analysis.
4. Selecting risk mitigation strategies.
5. Monitoring and control.
6. Implementation.
7. Testing.
8. Education and training.
9. Review.
[Fig. 2, programme initiation template (figure not reproduced). Inputs: business strategy, information strategy, financial plans, business expectations, business priorities, customer and stakeholder maps, project leaders, project sponsors. Activities: collect stakeholder input; collect, merge and assess business priorities; scope programme plan. Outputs: terms of reference for initiatives, programme charter, cost-estimates, timetable, dependency matrix, documentation templates and standards, communication plan.]
responsibility will need to be supported by clear handover and succession procedures. Reporting mechanisms
and audit trails will have to be established to ensure that compliance can be demonstrated, particularly to any
external body which forms part of the regulatory regime.
The charter should establish budgeting principles and define how potential overruns should be reported and
handled. The enterprise will also need to ensure that authority to spend is explicit in terms of individuals, the
ceilings to which they can spend, and the mechanisms needed in the event that conventional procurement
processes are disrupted. Services will change in line with market requirements, new regulatory demands,
improved technologies, etc. Review cycles for specific BCM plans will therefore need to be specified in order to
ensure that the components of the BCM programme are credible, relevant and cost-effective.
and should facilitate access to both internal and external stakeholders. An initial estimate of the costs of each
initiative will need to be made for budget planning purposes in consultation with the project sponsors. Howe
(2001) suggests that a 5–15% buffer should be built into the estimates, which should include lines for
development, implementation, training, testing, management and maintenance. Simon, Hillson and Newland
(1997) suggest that risk management should represent 15% of total project costs where BCM is being carried
out prospectively rather than just retrospectively.
Business continuity will introduce changes to working practices, and the workforce and selected customers
should be kept aware of when and how projects will be initiated. Acceptance of, and commitment to, business
continuity procedures by employees will be important to avert suspicion and to encourage co-operation.
Customers should be pleased to hear about increased service levels but may also need to be re-assured about
existing provision and upgrades, and that their opinions are considered to be both relevant and important.
2.2. Project initiation
Once the programme has been defined, the prioritised projects can be initiated following standard project
management methodologies. As with the programme charter a significant amount of background data and
information will need to be gathered in order to initiate each project plan (see Fig. 3). Background data about
the process or service, and the resources needed to deliver it, will need to be collected. The development of a
portal which consolidates this information should be considered to facilitate access to information at the
desktop and when the BCM team is in the field.
The goals of the project will define the expected outcomes of the project and should reflect the expectations
of the key stakeholders in the process or service. The associated objectives should be specific, measurable,
attainable, relevant and time-based (i.e. SMART) targets which can be used to measure the degree to which
the project plan is realising its goals. It will be essential to build teams which contain a wide range of skills as
BCM is a multi-disciplinary activity. Skills which may be required include those relating to human resource
management, legal and contractual issues, financing, IT, procurement, estates, communications and
presentation, interviewing and elicitation, and actuarial and statistical methods. As more detailed information
is gathered, more accurate figures should be generated regarding development, implementation, training,
testing, management and maintenance costs.
2.3. Risk analysis
Risk analysis can be broken down into three distinct phases: risk identification, risk evaluation and business
impact analysis (BIA). This requires the team to identify events, the causes of these events and calculate the
consequences of these events (see Fig. 4).
[Fig. 3, project initiation template (figure not reproduced). Inputs: business strategy, information strategy, programme charter, programme definition, existing plans and procedures, vendors and service providers, staff lists, organisational chart and locations, insurance coverage and policies, annual reports, regulators' codes of practice, stakeholder expectations, off-site facilities, key customers, infrastructure descriptions (architectures, configurations, floor-plans, inventory, etc.), maps, events list (actions and impact), contracts (suppliers and customers), vital records schedule. Activities: develop survey instruments; gather background data and information; create knowledge base; identify business needs and benefits; evaluate existing plans; develop project plan. Outputs: process/service knowledge, project scope, goals and objectives, team, budget and resource allocation, survey instruments, workpackage descriptions, timetable and milestones, deliverables.]
[Fig. 4, risk analysis template (only partly recoverable). Inputs include: programme charter, programme definition, statistics on risk, interviews.]
be responsible for over 80% of IT downtime and power outages are increasing. Meanwhile the demand for
power is rising: large server farms consume the power equivalent of a town of 100,000 people. However,
wholesale prices for power have fallen by up to 40% in the UK in recent years. As a result, the margin of
excess capacity over peak demand has shrunk from 25% to 18% and generating capacity has been mothballed
to save costs (similar changes have taken place in the US). Fluctuations in prices, government policy, global
unrest, diminishing resources and climate change will all need to be regularly reviewed.
The calculation of estimates can also be based on simulations or on informed opinion from relevant
stakeholders. Simon et al. (1997) recommend the use of the Delphi technique for establishing group-based
consensus on the likelihood and impact of risks. Alternative approaches include the use of scenario planning
and internal and futures markets.
The next step is to establish the effects and impacts of a risk event. The effects of a risk are the damage or
loss that may occur to a process or service, while the impacts of a risk are the business consequences. In many
cases the impact may be simply a temporary failure to achieve service levels which has no long-term
consequences. However any sustained loss of continuity is likely to result in one or more of the following:
- financial loss: e.g., the loss of orders for a period of time, additional costs to recover service, loss of market
share, etc.
- reputational damage: e.g., loss of goodwill or credibility, political or corporate embarrassment,
compromised health and safety, etc.
- legal action: e.g., contractual breaches, personal details being made public and infringing data protection
legislation, etc.
These impacts may also have to be contextualised to reflect different supplier and customer perspectives.
For instance, the loss of automated teller machines (ATMs) for a clearing bank in the UK will result in the
bank incurring costs of 30p per transaction when customers use competitor ATMs. However, independent
providers of ATMs would lose the surcharge of £1.00–1.50 per transaction that they impose on customers.
The inability to deal with the impact of a risk may lead to a ripple or escalation effect. If a process or service
is not recovered within a short space of time other processes and services may become compromised. It will be
important to establish whether there is a point of no return at which it will be impossible to reverse the damage
being caused by the disruption as the effects escalate. Processes and services which are particularly vulnerable
will be those where there are single points of failure or major dependencies on third party service providers.
Finally, the analysis will have to consider the impact of combinations of risk. This will require calculations for
both independent (i.e. the risks do not influence the likelihood of each other) and dependent (i.e. the
occurrence of one risk affects the likelihood of another) risks (see Fig. 5). A risk model can then be built to
calculate the enterprise's exposure to risk.
Once estimates for the likelihood of risks and their impacts have been established, it will be possible to scale
and group these risks in order to identify priorities for investment. There are several methods available
(Beatty, 2001; Charters, 2001; Humpidge, 2001; Institution of Civil Engineers and the Faculty and Institute of
Actuaries, 1998; Simon et al., 1997), the most popular approach being to use a matrix. Simon et al. (1997) use
a five-point scale for the probability of the occurrence and severity of the impacts of risk. A score for each risk
can then be calculated by multiplying the probability by each impact using a weighting for each point on the
scale. They recommend a linear scale for probability and a logarithmic one for impact as shown in Table 1. It
should be emphasised that the scores which are achieved have no absolute meaning; they are simply a method
of indicating the relative seriousness of individual risks.
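The scoring described in the preceding paragraph, together with the independent/dependent combination rules of the paragraph before it, as an added example (not code from the paper). The five-point weights are illustrative assumptions chosen to be linear for probability and logarithmic for impact; they are not the PRAM values of Table 1, and the risk register, the "worst impact dimension" rule for the overall score and the banding thresholds are all constructed for illustration:

```python
"""Relative risk scoring on a probability/impact (PI) matrix, plus the two ways of
combining risks described in the text. Added example: the weights below are assumed,
illustrative values (linear for probability, powers of ten for impact); they are
not the PRAM (Simon, Hillson & Newland, 1997) table."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Five-point scales, point 1 = lowest, point 5 = highest (assumed weights).
PROBABILITY_WEIGHTS = {1: 0.1, 2: 0.3, 3: 0.5, 4: 0.7, 5: 0.9}   # linear
IMPACT_WEIGHTS = {1: 1, 2: 10, 3: 100, 4: 1_000, 5: 10_000}        # logarithmic


@dataclass
class Risk:
    name: str
    probability: int            # point on the probability scale
    impacts: Dict[str, int]     # impact dimension -> point on the impact scale

    def scores(self) -> Dict[str, float]:
        """Probability weight x impact weight, one score per impact dimension."""
        p = PROBABILITY_WEIGHTS[self.probability]
        return {dim: p * IMPACT_WEIGHTS[pt] for dim, pt in self.impacts.items()}

    def score(self) -> float:
        """Overall relative score: the worst impact dimension (an assumption;
        the scores have no absolute meaning, only their ordering matters)."""
        return max(self.scores().values())


def band(score: float, high: float = 100.0, medium: float = 10.0) -> str:
    """Group a score into an investment-priority band (thresholds assumed)."""
    if score >= high:
        return "high"
    return "medium" if score >= medium else "low"


def rank(risks: Iterable[Risk]) -> List[Risk]:
    """Order the register by relative score, highest first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def any_of_independent(probabilities: Iterable[float]) -> float:
    """P(at least one event) for risks that do not influence each other:
    1 - product of (1 - p_i)."""
    p_none = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        p_none *= 1.0 - p
    return 1.0 - p_none


def both_dependent(p_a: float, p_b_given_a: float) -> float:
    """P(A and B) when B's likelihood changes once A has occurred: P(A) * P(B|A)."""
    for p in (p_a, p_b_given_a):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return p_a * p_b_given_a


# Constructed sample register (hypothetical risks and ratings).
SAMPLE_REGISTER = [
    Risk("Power outage at primary data centre", 4, {"financial": 3, "reputational": 2}),
    Risk("DoS extortion against online service", 2, {"financial": 4, "reputational": 4, "legal": 2}),
    Risk("Loss of key personnel", 3, {"financial": 2, "reputational": 1}),
    Risk("Flooding of records store", 1, {"financial": 5, "legal": 3}),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score():>8.1f}  {band(r.score()):<6}  {r.name}  {r.scores()}")
    # Two independent risks: either (or both) occurring.
    print("P(outage or DoS) =", round(any_of_independent([0.7, 0.3]), 3))
    # A dependent pair: a second failure made more likely by the first.
    print("P(outage and then loss of data) =", both_dependent(0.7, 0.6))
```

Because impact is logarithmic, a low-probability event with a catastrophic impact (the flooding entry) ranks above a frequent but cheap one; that is the ordering the matrix is meant to surface, and the bands only make sense relative to the other entries in the same register.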
2.4. Selecting risk mitigation strategies
This phase deals with identifying and evaluating the options for dealing with the risks identified in the
previous phase (see Fig. 6). These approaches can be divided into two classes: those which proactively deal
with risk by transferring, minimising, absorbing or pooling it (see Fig. 7), and those which react to risk events
through disaster recovery plans. For each risk there may be one or more solutions for mitigation. Option
appraisal will have to be undertaken to assess the impact of the solution and the value that it will generate in
cost savings or protected revenues. It will be essential to look at the effect that the solution will have on the
level of risk and the consequences of the risk. Solutions may also introduce their own risks and will have to be
evaluated using the procedures applied in the risk analysis phase. For instance some technologies may be
scarcer in the marketplace or may require specialist and/or scarce skills to implement. The costs of each
solution will have to be considered and compared with the financial savings expected from reducing or
eliminating the risk.
[Table 1. PI score matrix (Simon, Hillson, & Newland, 1997): table body not reproduced; only the "Probability" axis label survives.]
[Fig. 6, risk mitigation strategy template (figure not reproduced). Inputs: programme charter, programme definition, project specification, information strategy, technology architecture, application architecture, process map, building plans, maps of localities, prioritised risks, incident reports. Activities: option identification; option appraisal. Outputs: risk mitigation strategies, disaster recovery plans, emergency response teams, command and control structure.]
[Fig. 7, mitigation of risk (figure not reproduced): insurance; outsourcing; pool risk; allocate contingency funds; redundancy; improved IT and information security; improved facility management procedures; improved system procedures.]
meshing to ensure that there are alternative transmission paths in the event of congestion or link failure.
Multiple points of entry to critical facilities should also be considered as well as back-up communications such
as dial-up and voice over IP. The loss of a third-party telecommunications service provider may be addressed
by having dual or multiple contracts.
Around 43% of data loss is caused by problems with power and IBM estimates that a typical computer
experiences more than 120 power problems a month (Coult, 2001). There are minor to major variations in
power supply in the form of spikes, blackouts, brownouts and surges. Although many of the major
manufacturers build in a degree of tolerance, protectors should be considered for key devices. Uninterruptible
power supplies (UPS) will be essential for servers and other critical devices while back-up generators will be
needed to deal with longer power outages.
2.5. Monitoring and control
The BCM strategy will require an effective communication, command and control structure to be in place to
ensure that the requirements of the plan are translated into action (see Fig. 8). The monitoring and control
phase is concerned with assuring that:
- existing staff have been appropriately trained and that new staff are inducted into the relevant BCM
procedures (see Section 2.8),
- testing is undertaken to the agreed levels and cycles (see Section 2.7),
- risk reduction measures are put in place (see Section 2.6),
- procurement of technologies and services takes place in line with the requirements of the risk mitigation
strategies (see Section 2.6),
- effective incident reporting is in place (see Section 2.9) including both successful and unsuccessful risk
management.
[Fig. 8, monitoring and control template (figure not reproduced). Inputs: programme charter, programme definition, project specification, information strategy, risk mitigation strategies, disaster recovery plans. Activities: ensure governance of BCM; assure BCM requirements are met. Outputs: education and training programme, testing regime, incident reports, review regime.]
2.6. Implementation
This phase is concerned with putting in place any improvements to operating procedures, infrastructure,
security, etc., which can help to transfer, minimise or absorb the risks of processes and services being
compromised (see Fig. 9). The plan will require ratification by the risk manager, process owner and
programme manager and may involve secondary project management to specify, select, procure and monitor
implementation of additional technologies and services. Procurement of the necessary technologies and
services to achieve the plan will pass through the standard request for proposal (RFP), request for tender
(RFT) or invitation to tender (ITT) cycle. This phase should ensure that BCM is integrated with the systems
development life cycle where new projects are being initiated (Witty, 2001). This phase is also concerned with
ongoing testing of any recovery plans once they have been made fully operational. Other activities include
arranging insurance cover and ensuring that documentation about the BCM plan is up-to-date and accessible.
2.7. Testing
Testing of risk mitigation strategies and disaster recovery plans should be carried out both regularly and
comprehensively to see whether the plans are still relevant and deliverable (see Fig. 10). As a minimum, plans
should be tested within 3 months of implementation and thereafter on an agreed cycle of not more than 1 year.
Testing can be desk-based, technology oriented, and process or service oriented. In all cases a report should be
generated which evaluates the effectiveness of the tested components of plans and highlights areas that need to
be addressed with recommendations for action.
In desk-based testing the accuracy of the plans can be established by carrying out a walk-through of
procedures, and checking contact details, call trees, familiarity with the plan and its components, clarity of
instructions, times to initiate and respond, etc. This can be a low-cost exercise with low stress and minimal
involvement of staff. In the UK the Financial Services Authority undertakes a sector-wide desk-based exercise
on an annual basis to test the preparedness of the key nancial services companies in the event of a major
disruption.
[Fig. 10, testing template (only partly recoverable). Activities include: establish business expectations; debrief staff.]
Technology-oriented testing is concerned with ensuring that all hardware elements are operating and that
they still have appropriate capabilities. For instance back-up devices should be tested to see that they request,
receive and store data, and that the data is recoverable. Similarly, back-up power supplies should be tested to
see that the generators run, that fuel is clean and available in sufficient volume, and that they have been
regularly maintained. Technology testing is a higher cost exercise but can be undertaken without involving
staff outside the technical functions.
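The back-up check in the paragraph above, "request, receive and store data, and that the data is recoverable", made concrete as an added example (not the paper's own procedure). It takes a backup of a constructed sample tree, restores it to a clean location and compares a hash manifest recorded at backup time against the restored files, so that a missing or silently truncated file fails the test rather than going unnoticed until a real recovery. The sample files, directory names and the tar.gz format are assumptions for the illustration:

```python
"""Technology-oriented test of a backup device or service: take a backup, restore
it to a clean location, and prove every file came back byte-for-byte. Added
example with constructed sample data; not the paper's own procedure."""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of `source` and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into `target`, refusing member names that would escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe member in archive: {member.name}")
        # Python 3.12 (and patched 3.8+) also provides tarfile's 'data' filter.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored: Path) -> dict:
    """Compare the restored tree with the manifest taken at backup time."""
    actual = manifest(restored)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or unexpected or corrupted),
            "missing": missing, "unexpected": unexpected, "corrupted": corrupted}


def run_backup_test(tamper: bool = False) -> dict:
    """End to end: build constructed sample data, back it up, restore, verify.
    tamper=True truncates one restored file to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restored = base / "live", base / "backup.tar.gz", base / "restored"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "transactions.csv").write_text("id,amount\n1,30.00\n2,12.50\n")
        (source / "config.ini").write_text("[dr]\nrto_hours=4\n")
        (source / "blob.bin").write_bytes(os.urandom(200_000))  # spans several read chunks
        expected = take_backup(source, archive)
        restore_backup(archive, restored)
        if tamper:
            victim = restored / "ledger" / "transactions.csv"
            victim.write_bytes(victim.read_bytes()[:-1])  # simulated silent truncation
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore:", run_backup_test())
    print("tampered restore:", run_backup_test(tamper=True))
```

The report returned by verify_restore is the kind of evidence the testing paragraph asks for: it names the files that did not come back intact rather than only saying that the backup job "ran". Restoring into a separate directory, never over the live data, and checking archive member names before extraction are the two habits worth keeping when the same check is run against a real backup product.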
Process- or service-oriented testing will involve testing the ability of staff to respond to selected threats or
events and to recover from the effects of these threats, and their familiarity with the plan. It should be accepted
that such tests will not be able to reconstruct the stressful conditions under which staff will have to operate,
and the way in which they will respond, in the event of a real crisis. However they will indicate the general
effectiveness of the plans and the minimum time that it will take to put them into operation.
2.8. Education and training
This phase is concerned with ensuring that the benefits and objectives of the BCM strategy have been
communicated to the workforce and that education and training ensures that the objectives can and are being
achieved (see Fig. 11). Communication is vital as all stakeholders need to be aware of their roles and
responsibilities. In addition to educating staff about the purpose of, nature of, and their involvement in BCM,
there will be a requirement to provide training for specific staff in relation to particular processes and services.
New staff should have BCM training as part of their induction and existing staff should have re-orientation
training every 6–12 months, and when new procedures and systems have been implemented. For critical
processes self-assessment and/or certification procedures should be considered.
2.9. Review
This phase is concerned with ensuring that the BCM strategy is responsive to changes in business
requirements. New processes, applications, technologies and personnel all bring new risks and requirements,
and it is essential that the enterprise does not become complacent and fails to update its BCM procedures. The
review should be informed by operational data such as incident reports and should identify best practice and
successes as well as failures (see Fig. 12). It should also be kept informed about changes in the business
environment, business priorities and new projects. Some of the questions which the programme manager
should ask are:
The review phase should feed back to the programme and project managers as well as managers responsible
for the day-to-day running of services.
3. Conclusions
Business continuity management (BCM) is key to ensuring that an enterprise can protect itself against the
risks which are inherent in its environment. Enterprises are increasingly reliant on the availability of
information in order to provide services to customers. Effective information management requires developing
an environment within which information can be provided to any authorised person, anywhere and at any
time. The common thread between BCM and information management is that they are both concerned with
being able to deal with uncertainty. The CIO therefore has a key role to play in both promoting the philosophy
of BCM and ensuring that information management incorporates effective plans, procedures and policies to
protect an enterprise's key information assets. These assets include IT infrastructure, the applications that run
across this infrastructure, content (digital and non-digital), and information personnel. It is important to
emphasise that contingency plans must be in place for the loss of assets other than technology-based ones. The
flooding of an academic library, for instance, will require plans for the salvage, drying and restoration of rare
books and documents with a clear set of priorities for targeting material before exposure to water and
contaminants makes them non-recoverable.
The temporary or permanent loss of information personnel must also be considered as many parts of an
enterprise are reliant on scarce skills and experience. Some businesses have planned for the potential impact of
avian flu on both their staff and on their customers (Jack, 2005). For instance, restrictions on travel may mean
an increased reliance on online services and changes in work patterns and system loading. In the event of a
disaster, employees will be operating under stressful and unfamiliar conditions and may have to cope with the
loss of personal possessions and, in extremis, colleagues. Assistance with accommodation, transportation,
sustenance and counselling should all be factored into a disaster recovery plan. The location and deliberate
dispersal of staff is another issue, as whole disaster recovery teams were lost during the attack on the World
Trade Center.
In summary, a lack of investment in BCM can result in loss of revenue at best and cessation of business
activities at worst. The enterprise will need to consider:
The CIO must therefore ensure that plans are in place to protect information assets, and that rapid and
effective recovery of core business systems can be accomplished. The framework described above should assist
in this planning.
References
Charters, I. (2001). Risk evaluation and control: II. Practical guidelines for risk assessment. In A. Hiles, & P. Barnes (Eds.), The definitive
handbook of business continuity management (pp. 131–138). Chichester: Wiley.
Computer Crime Research Center. (2003). Hackers in attack on RBS credit card firm. Available from: http://www.crime-research.org/
news/2003/11/Mess0802.html, last accessed 23 December 2004.
Coult, C. (2001). Disaster recovery. Managing Information, 8(8), 36–39.
Gascoigne, C. (2000). Safeguard the indispensable. Financial Times, 25 October, 12.
Hiles, A., & Barnes, P. (2001). The definitive handbook of business continuity management. Chichester: Wiley.
Howe, J. (2001). Project initiation and management. In A. Hiles, & P. Barnes (Eds.), The definitive handbook of business continuity
management (pp. 107–122). Chichester: Wiley.
Humpidge, P. (2001). Why have a disaster if you don't have to? In A. Hiles, & P. Barnes (Eds.), The definitive handbook of business
continuity management (pp. 75–89). Chichester: Wiley.
Institution of Civil Engineers and the Faculty and Institute of Actuaries. (1998). Risk analysis and management for projects. London:
Thomas Telford.
Jack, A. (2005). Avian flu danger highlights continuity planning. Financial Times, 3 October, 10.
MacIver, K. (2003). The UK's ten worst web application failures. Information Age, May, 36–40.
O'Hehir, M. (2001). Effective risk management and BCP drivers. In A. Hiles, & P. Barnes (Eds.), The definitive handbook of business
continuity management (pp. 25–42). Chichester: Wiley.
Pesola, M. (2004). Child porn blackmail threat to website. Financial Times, 27 October, 1.
Simon, P., Hillson, D., & Newland, K. (1997). PRAM: Project risk analysis and management guide. Norwich: APM Group.
Smith, D. J. (Ed.). (2002). Business continuity management: Good practice guidelines. Caversham: Business Continuity Institute.
Starr, R., Newfrock, J., & Delurey, M. (2002). Enterprise resilience: managing risk in the networked economy. Strategy and Business, 30,
73–79.
Steiner, R. (2002). Woolwich growing pains hit customers. Sunday Times Business, 27 October, 1, 13.
Vancoppenolle, G. (2001). What are we planning for? In A. Hiles, & P. Barnes (Eds.), The definitive handbook of business continuity
management (pp. 3–24). Chichester: Wiley.
Witty, R. (2001). Integrating BCP into the IT project life cycle. Gartner. Available from http://www4.gartner.com/DisplayDocument?
doc_cd=98830.
Forbes Gibb is a Professor of Information Science in the Graduate School of Informatics at the University of Strathclyde. He has been
involved in several major EU-funded research projects (SIMPR, STAMP, AUTOSOFT, MIND) and teaches in the areas of information
strategy, service management, and content management. He is currently Director for the M.Sc. in Strategic Information Systems, a course
which was designed for, and delivered exclusively to, the Royal Bank of Scotland.
Steven Buchanan is an Information Systems Lecturer in the Graduate School of Informatics, University of Strathclyde. He has carried out
consultancy work and research in the areas of information strategy, information systems development, and information audits. He has
worked across Europe and throughout Australasia for a number of public and private sector organisations, spanning telecommunications,
finance, education, local government, and microelectronics. He has previously held executive positions within two global ICT consultancy
and professional services organisations (SMS Management & Technology and Ericsson Edgecom Australia).