
Business Continuity Management
02.10.2013
Introducing ISO 22301, the new global standard for Business Continuity Management
Who is BSI? 10 fast facts
- Founded in 1901
- Standards, assessment, testing, certification, training, software
- No owners/shareholders: all profit is reinvested into the business
- Global independent business services organization
- >2,500 staff, >50% non-UK
- #1 certification body in the UK and USA
- National Standards Body in the UK
- 244.9m revenue in 2011
- 64,000 clients in 147 countries
- 53 offices located around the world
What is ISO 22301?
Source: IS&BCA, 2013
Standards
British standards (Business Continuity Institute (BCI), British Standards Institution (BSI)):
- PAS 56, Publicly Available Specification: Guide to Business Continuity Management
- BS 25999-1:2006, Business continuity management - Code of practice
- BS 25999-2:2007, Business continuity management - Specification
International standards:
- ISO 22301:2012, Societal security - Business continuity management systems - Requirements
- ISO 22313, Societal security - Business continuity management systems - Guidance
- ISO 22398, Societal security - Guidelines for exercises and testing
- ISO 31000, Risk management - Principles and guidelines
02-okt-13, 4. qualityaustria Forum, Beograd
Business Continuity Management definition
- Holistic management process
- Framework for resilience and response capability
- Safeguards the interests of key stakeholders
- Identifies potential risks, threats and impacts
Business Continuity aims to safeguard the interests of an organisation and its key stakeholders by protecting its critical business functions against predetermined disruptions (ISO 22301:2012).
Principal drivers (by sector, with percentage)
- Local Government (92%): Corporate governance; Regulation/legislation; Central Government
- Central Government (85%): Central Government; Corporate governance; Public sector procurement
- Finance/Insurance (85%): Corporate governance; Regulation/legislation; Auditors
- Utilities (81%): Regulation/legislation; Corporate governance; Customers
- Health and Social Care (74%): Corporate governance; Regulation/legislation; Public sector procurement
- Transport and Logistics (69%): Corporate governance; Regulation/legislation; Customers
- Manufacturing and Production (58%): Customers; Insurers; Corporate governance
- Education (52%): Corporate governance; Customers; Regulation/legislation
- Business Services (40%): Customers; Corporate governance; Regulation/legislation and Investors/shareholders
- Construction (31%): Customers; Corporate governance; Insurers
Major crisis for mobile-phone giants
Background
- Booming mobile phone industry
- Philips semiconductor plant in Albuquerque (USA) produced mobile phone chips, crucial components
- 40% of output went to Nokia (Finland) and Ericsson (Sweden)
The incident
- Furnace fire caused by a lightning bolt
- Brought under control in minutes
- Smoke and water damage
The impact
- Flow of chips suddenly stopped
- Weeks to get the plant back up to capacity
Nokia
- Monitored its supply chain
- Took immediate action to secure supply
- Reconfigured manufacturing to accommodate a different specification
Ericsson
- Took the supplier's word that it was not a major problem
- Delayed taking remedial action (2 weeks)
Source: Logistics Europe, February 2004
Key risk areas (business impact)
- People
- Information and data
- Buildings, work environment and associated utilities
- Facilities, equipment and consumables
- ICT systems
- Transportation
- Finance
- Partners and suppliers
What to plan for?
Major causes of organizational disruption in 2012
Source: CMI, BCM Survey 2013
- Winter weather: 77%
- Loss of people due to illness: 42%
- Loss of IT: 40%
- Loss of telecommunications: 27%
Value of crisis management
It reduces the negative impact and speeds recovery from all kinds of corporate crises.
[Chart: negative impact over time following a crisis event, comparing "without crisis management" and "with crisis management". Impact areas shown: damage to financial results, reputation and key relationships; lost time/productivity.]
BCM compatibility: PDCA
[Figure: risk treatment options (Share; Avoid/Remove/Change; Increase/Retain), residual risk and Business Continuity.]
BCM checklist
- Scope and objective
- Gain an understanding of your business
- Assess the risk
- Evaluate potential continuity arrangements
- Define your strategy
- Develop your continuity plans
- Maintain, train and exercise continuity plans
Organization and its context
BCM objectives
- Clearly stated;
- Consistent with the policy (SMART);
- Take account of applicable needs and requirements;
- Enable opportunities to maintain or improve performance;
- Monitored and updated as appropriate.
In order to ensure that these objectives will be achieved, the organization should determine:
- Who will be responsible;
- What will be done and when it will be completed; and
- How the results will be evaluated.
Components of BCM arrangements
Source: CMI, BCM Survey 2013 (chart values)
- IT backup arrangements: 84
- Arrangements for remote working: 79
- Site emergency plan: 70
- Moving staff to alternative site: 62
- Contact cascade: 58
- Media response to continuity issues: 49
- Access to alternative utility services (backup generator): 45
- Alternative suppliers: 34
Be prepared
Business continuity plan phases: Emergency Response, Crisis Management, Disaster Recovery, Business Recovery.
Emergency Response
- Initial control of the emergency situation
- Safeguarding human life, protecting physical assets, minimizing damage/business impact, avoiding environmental contamination
- Stabilizing, security, damage assessment
Crisis Management
- Strategic direction/policy issues
- Crisis communications, internal and external (media)
- Outward-facing liaison: stakeholders, users etc.
- Co-ordination of service recovery efforts
Disaster Recovery and Business Recovery
- Phased recovery of business-critical processes
- Recovery of infrastructure and services
- Returning to business as normal
Benefits of BCM
Source: CMI, BCM Survey 2013
- Improves business resilience (86%)
- Helps protect their reputation (74%)
- Meets customer requirements (72%)
- Helped their organization to recover from disruption more quickly than would otherwise have been the case (85%)
Structure of ISO 22301:2012
Clause | PDCA phase | Description
4.0 | Plan | Introduces the requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements and scope.
5.0 | Plan | Summarises the requirements specific to top management's role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
6.0 | Plan | Describes the requirements for establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.
7.0 | Plan | Supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.
8.0 | Do | Defines BC requirements, determines how to address them and develops the procedures to manage a disruptive incident.
9.0 | Check | Summarises the requirements necessary to measure BCM performance, BCMS compliance with the International Standard and management's expectations, and seeks feedback from management regarding expectations.
10.0 | Act | Identifies and acts on BCMS non-conformance through corrective action.
Clause 4: Context of the organization
Copyright 2012 BSI. All rights reserved.
- Clause 4 relates to the context of the organization, which requires the organization to determine its external and internal issues
- There is now a clear requirement to consider interested parties
- This will determine its business continuity policy and objectives, and how it will consider risk and the effect of risk on its business
- There is also a requirement for a procedure to manage legal and regulatory requirements
Concept of interested parties
- ISO 22301 replaces the term "stakeholders" with "interested parties"
- The ISO requires broader consideration of interested parties than BS 25999-2
- Closer alignment with organizational objectives for corporate social responsibility
Clause 5: Leadership
- Clause 5 of the standard summarizes the requirements specific to top management's role in the BCMS
- Top management is given clearer BCM responsibilities
- The ISO outlines specific ways in which management must demonstrate its commitment to the system
Clause 6: Planning
- New section relating to the establishment of strategic objectives and guiding principles for the BCMS as a whole
- When planning the BCM, the context of the organization should be taken into account through consideration of the risks and opportunities
- The organization's business continuity objectives must be clearly defined, with plans in place to achieve them
Clause 7: Support
Clause 7 details the support required to establish, implement and maintain an effective BCMS, including:
- Resource requirements
- Competence of people involved
- Awareness of and communication with interested parties
- Requirements for document management
Clause 8: Operation
ISO 22301 requires that organizations plan and control the operation of their BCM requirements. Most importantly this will include:
- A methodology and documented process for conducting a business impact analysis (BIA)
- A systematic methodology and documented process for conducting risk assessments
- A methodology for selecting business continuity strategies which will protect the most important activities of the business and ensure their resumption in the event of disruption
Clause 8: Operation (continued)
- ISO 22301 places greater emphasis on the procedure required to detect an incident, early communication thereof and the need to regularly monitor the incident
- There is also a requirement to consider how the organization will recover its activities from a temporary state back to normal (if appropriate)
- Exercises and tests to demonstrate the effectiveness of BCM arrangements
Clause 9: Performance evaluation
- As with all management system standards, there is a need to look back at what has been achieved
- ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organization
- Greater emphasis on the setting of objectives, monitoring performance and metrics
- Most organizations will already produce metrics which can be tailored to BCMS performance
Clause 9: Performance evaluation (continued)
Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.
Clause 10: Improvement
- Nonconformities of the BCMS have to be dealt with, together with corrective actions to ensure they don't happen again
- As with all management system standards, continual improvement is a core requirement of the standard
ISO 22301: an implementation checklist
1. Obtain management support
2. Treat it as a project
3. BCM policy: define objectives and scope
4. Define roles and responsibilities
5. Implement mandatory procedures
6. Perform BIA and risk assessment
7. Determine the business continuity strategy
8. Develop incident management plans and business continuity plans
9. Training and awareness
10. Exercising
11. Maintaining and reviewing the BCMS
12. Internal audit
13. Management review
14. Preventative and corrective actions
Evaluating BCM against established standards
- Legislation (e.g. statutory requirements)
- Regulations (e.g. industry-specific requirements)
- ISO 22301, ISO 27001, ITIL/ISO 20000
- BCI's Good Practice Guidelines
- BS 25999
- Other organizations
Summary
- Start with an understanding of your business, not with the threat: business impact analysis takes precedence over risk assessment
- Review and test BCM regularly
- Keep informed
- Do not neglect the supply chain
- Be clear about management roles and responsibilities
- SMEs in particular should consider how they can use BCM in a proportionate way to improve their resilience