Page 1: Business Continuity Management

ADFINGO Professional Development Centre. Copyright © 2005 by Veitch Moir Ltd, all rights reserved; no portion of these materials may be used, nor reproduced, without the written permission of Veitch Moir Ltd.

Dewar Donnithorne-Tait, Adfingo

Within a government context

AFCEA Europe TechNet 2006, Sofia, Bulgaria

Thursday 19th October 2006

Page 2: Background

• Formerly:
 – Defence Systems
 – Sun Microsystems lead on UK Government BCM panel (Office of Government Commerce) right after 9/11

• Latterly:
 – eGovernment Minister’s personal strategic adviser, FEDICT, Belgium (this presentation is mainly based on this experience)

• Business Continuity Institute

Page 3: BCM

Business Continuity Management (BCM) is a process which embraces all aspects of the organization, which identifies threats and contingencies and which provides a framework to provide capabilities and responses to assure continuous business operation and to protect the interests of stakeholders.

Page 4: IA

Information Assurance (IA) is a comprehensive approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.

Comment. IAAC describes IA to board directors as ‘the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’

Definition proposed by the Information Assurance Advisory Council (IAAC), UK.

Page 5: Disaster Recovery

Disaster Recovery is the process for bringing systems, processes and data back to the original position which prevailed before an accident/calamity/catastrophe/disaster occurred.

Comment. It is reactive to an event occurring, although procedures should be tested and rehearsed frequently.

Page 6: Security

Security is the protection, guard or defence against threat.

Comment. It can be active or passive. In organizational terms the threat is measured in terms of potential damage to the organization. The security classifications afforded relate to the potential damage to the organization if security is breached; the level of protection increases with the degree of classification. Government security generally conforms very closely to this model. The term personal security is traditionally taken to mean protection from physical attack, but with the advent of increased ICT use, viruses and other electronic attacks, the use of personal firewalls and back-ups brings personal electronic security more into line with the organizational definition. In government, security is generally regarded as an organizational issue, and this is how the term is used in this presentation.

Page 7: Privacy

• Privacy – two relevant definitions:
 – Absence or avoidance of publicity or display, being withdrawn from public interest, seclusion
 – Private or personal matters or relations

Comment. The key feature is that privacy is about the choice of the individual, social group and occasionally organization to keep things from the knowledge of others; this may be for reasons unrelated to preventing damage, which is the sense in which security is used. In some states, certain levels of privacy have been established as rights (individual, and sometimes also organizational, depending on the state). For BCM, several sorts of private information may be involved, such as client/customer records.

Page 8: A Governance Model

(Diagram: a cascade of layers, each layer deriving from the one above it.)

Purpose and Core Values
 → Long-Term Goal(s)
  → Short-Term Goals (three shown)
   → Objectives (three shown)
    → Strategies (three shown)
     → Capabilities (three shown)
      → Resources (three shown)

Activities: People, Processes, Systems, Policies

Page 9: Implementing BCM

Adapted from ‘Business Continuity Management: Good Practice Guidelines’, The Business Continuity Institute, 2002

Page 10: Stage 1: Understanding the Business

• Organizational Purpose, Core Values, Strategy, Objectives, Capabilities, Resources
• Critical Business Factors (eg people, processes, systems)
• Business Outputs and Deliverables
• Business Impact Analysis
• Risk Assessment and Control

Page 11: Stage 2: Business Continuity Management Strategies

• Organisation (Corporate) BCM Strategy
• Process Level BCM Strategy
• Resource Recovery BCM Strategy (including people)

Page 12: Stage 3: Develop and Implement a BCM Capability

• Plans and Planning
• External Bodies and Organisations
• Crisis and/or BC event/incident Management
• Sourcing (intra-organisation and/or outsourcing providers)
• Emergency Response, Recovery Solutions and Operations
• Communications
• Public Relations and the Media

Page 13: Stage 4: Building and Embedding a BCM Culture

An on-going programme of:
• Awareness
• Education and Culture Building
• Training

Page 14: Stage 5: Exercising, Maintenance and Audit

• Exercising of BCM plans
• Rehearsal of staff and BCM teams
• Testing of technology and BCM systems
• BCM Maintenance
• BCM Audit

Page 15: Stage 6: BCM Programme Management, Policy, Assurance

• Senior Commitment and proactive participation
• Organisation (Corporate) BCM Strategy
• BCM Policies
• BCM Framework
• Roles, Accountability, Responsibility and Authority
• Finance
• Resources
• Assurance
• Audit
• Management Information System: Metrics/Benchmark
• Compliance: Legal/Regulatory issues
• Change Management

Page 16: RESPONSIBILITIES

• Ever-increasing trend to reliance on knowledge, automation, mass-customisation
• Technical burden tends to fall on ICT staffs
• But BCM is a pan-organisation activity, which needs to be led from the highest levels
• In government, this is typically ‘Prime Minister’s Office’ or ‘Ministry of Interior’
• Other government departments, including ICT functions, play their part within the overall approach

Page 17: PRINCIPLES OF GOVERNMENT BCM

(Adapted from Business Continuity Management: Good Practice Guidelines, The Business Continuity Institute, 2002)

• Business Continuity Management (BCM) and Crisis Management are an integral part of government Corporate Governance.

• BCM activities must match, focus upon and directly support government goals and business strategy.

• BCM must provide organisational resilience to optimise government product and service availability and as a value-based management process, BCM must optimise resource efficiencies.

• BCM is a business management process that must add value.

• The component parts of government own their business risk and their management of business risk should be based on risk levels appropriate for all government stakeholders.

Page 18: PRINCIPLES 2

• The government must recognise and acknowledge that reputation, brand image, stakeholder value and risk cannot be transferred or removed by intra-governmental sourcing and/or outsourcing.

• All BCM strategies, plans and solutions must be government main-line business owned and driven. They should not be viewed as a specialised, separate category.

• BCM must be considered at all stages of the development of new government business operations, products, services and internal infrastructure projects.

• BCM must be considered as an essential part of the business change management process.

• The relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a government BCM programme.

Page 19: PRINCIPLES 3

• There must be agreed, published and distributed organisation policy, strategy, framework and exercising guidelines for government BCM and Crisis Management.

• All BCM strategies, plans and solutions must be based upon: the identified government business Mission Critical Activities (MCA); their dependencies; the single points of failure identified by a Business Impact Analysis (BIA).

• The competency of government BCM practitioners should be based on and benchmarked against standards, such as the ten professional competency standards of the Business Continuity Institute.

• The government and its component parts must implement and maintain a robust exercising, rehearsal and testing programme to ensure its BCM and Crisis Management capabilities are effective, efficient and economic.

Page 20: PRINCIPLES 4

• All third parties, including joint venture companies and service providers, upon which the government is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability.

• The government's BCM and Crisis Management capabilities should reflect these good practice guidelines.

• All BIA must be conducted in respect of government products and services in an end-to-end context.

• The government and its component parts are accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability.

Page 21: BCM & IA

• ‘IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’

• The Turnbull Report in the UK advocates and provides a basis for a risk-based approach to corporate governance, which has to be interpreted to cater for levels of risk acceptable to government functions. However, the continually increasing dependence on ever more complex information systems means that more emphasis needs to be given to the information risk management element of government corporate governance. (The Turnbull Report on Corporate Governance – Internal Control: Guidance for Directors on the Combined Code, 1999, London)

• IA can be viewed as a major subset of BCM

Page 22: IAAC Deliberations

• An IAAC discussion paper recommended:
 – The incorporation of IA into guidelines for corporate governance
 – The development of further metrics and IA maturity models to assist in the creation of appropriate risk management tools
 – Compliance with a management standard, with the minimum standard being ISO 17799
 – Development of theory and tools for the measuring and monitoring of dependency risks
 – Development of the insurance markets to provide more efficient tailored services
 – Senior management awareness, communicated in business language, of the risks and dependencies faced by organisations

Page 23: Some Metrics

Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000

Organisations in possession of a BCM plan

Sector                  Yes   No   No Comment
Finance                  32   56   12
Computing, Technology    31   60    9
Telecom                  31   65    4
Public Sector            26   44   30
Manufacturing            23   48   19
Retail                   16   70   10
Entertainment, Media     16   76    8
Transport, Logistics     12   64   24

Page 24: Some More Metrics 1

Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000

• 38% of those interviewed couldn’t distinguish between Business Continuity Management and Disaster Relief
• 88% suffered serious events not covered by plans
• Up to 90% reduction in total loss can be achieved by having good, tested plans
• 94% do not seek managerial approval of plans prior to implementation
• 92% upgrade BCM capability significantly after a disaster
• 70% do not view DR/BCM as an integral part of biz planning
• 22% consider integrated company-wide planning important
• 20% do not consider protection of data & systems important

Page 25: Some More Metrics 2

Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000

• 88% of e-business is not included in organizational Business Continuity Management and Disaster Relief plans
• 57% of disasters are IT-related
• 61% do not publish BCM plans to all employees
• Only 11% of organisations had active board-level involvement in BCM
• 92% fail to update BCM plans after new system introduction
• 84% do not identify risks in Supply Chain Management (SCM)
• 10% of disasters are in SCM
• 29% of those involved had no formal training
• 38% are confident in their skills

Page 26: Discussion

Dewar Donnithorne-Tait MA MBA FIoD
www.adfingo.net
m: +44-7703-105006
e: [email protected]