Issue 1 © Intertek QATAR www.intertek.com

Welcome to the Seminar on Business Continuity Management System
ISO 22301:2012 (An Orientation)
Business Continuity issues are of two types:
1. Incidents disrupting business for a period;
2. Incidents disrupting business for a long period and having a very big impact: catastrophes (natural disasters) such as earthquakes, fire, volcanic eruptions, etc.
Learning Objectives
Upon completion of this presentation, one can:
• Understand what a BCMS is;
• Understand why a BCMS is needed;
• Understand the benefits of a BCMS;
• Focus Top Management on ISO 22301 preparation.
November 2015 - QATAR Ver. 1
SOME BUSINESS DISRUPTIONS AND THEIR IMPACTS, indicating the need for BCMS (videos):
1. BlackBerry incident
2. Global cases
3. AT&T
Business Continuity issues are of two Categories
WHAT IS NOW NEEDED? THE CHALLENGE FOR RECOVERY IN REALITY?
Resumption of Activities
(Figure: performance plotted against time. Normal activity runs until the incident, when performance drops. The objective is to resume activity above the minimum performance level within the time to resume activity, and in any case before the time after which irrevocable damage is done to the organization; the time to resume normal levels of operation then brings performance back to normal activity.)
What is Business Continuity?
Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)
BUSINESS CONTINUITY MANAGEMENT SYSTEM & BUSINESS CONTINUITY PLAN (BCP)
A business continuity management system can be defined as a management process that provides a framework for building the capability that safeguards the objectives of the organization, including its obligations.
Anticipate the probable risk of a business continuity incident (Business Impact Analysis: the process of analysing activities and the effect that a business disruption might have upon them).
Depending on the length and severity of the interruption, recovery depends on management's ability to re-establish the organization's functions, first to the minimum acceptable level and then to normalcy.
Business continuity planning (BCP) continually confronts the likelihood, or otherwise, of an incident (risk: the effect of uncertainty on objectives).
BCP is the structured answer to such unexpected business interruption: a proactive, management-led incident management program driven by management requirements (the Business Continuity Strategy).
BUSINESS CONTINUITY PLAN (BCP) OBJECTIVES
• Ensure continuity and survival of the business;
• Provide protection to corporate assets;
• Provide management control of risks and exposures;
• Provide preventative measures where appropriate;
• Take proactive management control of any business interruption.
A BCP provides a balance between acceptable potential losses and acceptable one-time and annual costs. Risk assessment identifies the key sources of vulnerabilities, each with a different impact, so that proactive steps can be taken to avoid such incidents.
TESTING OF THE BCP IS MANDATORY (sample testing is not enough).
NEED FOR BCP - Video
ISO 22301:2012
Process Approach and PDCA
(Figure: the PDCA cycle around Your Processes, driving Continual Improvement)
PLAN: activities, controls, documentation, resources, objectives
DO: deploy & conform with the plan
CHECK: measure & monitor for conformity & effectiveness
ACT: analyze/review, decide/change, improve effectiveness
The Plan-Do-Check-Act (PDCA) methodology applies to all processes.
BIRD’S EYE VIEW OF BUSINESS CONTINUITY MANAGEMENT SYSTEM – KEY ELEMENTS
Process Approach Introduction
• Process – set of interrelated or interacting activities that uses resources to transform inputs into outputs
• Process Approach – systematically identifies and manages the linkage, combination, and interaction of a system of processes within an organization
• ISO 22301 – based on processes needed and their interactions
Process Approach Emphasis
The process approach emphasizes the importance of:
• Understanding and meeting requirements
• Looking at processes in terms of added value
• Obtaining results of process performance and effectiveness
• Use of objective measurements to improve processes
Fundamentals of an ISO 22301 BCMS
• ISO 22301: the BCMS requirements standard (description, rationale, benefits, application, PDCA; emphasis on planning)
• ISO 22313: the BCM guidance standard, in line with ISO 31000
• Business Continuity Institute: Good Practice Guidelines
Purpose of ISO 22301
• Applies to any type or size of organization in any industry or sector
• Tried and tested framework for a systematic approach
• Provides a framework to meet customer, internal, and statutory and regulatory requirements
• Sets standardized requirements for business continuity
• Model for consistently meeting business needs despite disruptions
• Basis for certification that specified requirements are met
An ISO 22301 BCMS in Practice
• Requires internal audits
• Verifies effective management
• Ensures the organization is fully in control of its activities
• Fosters customer confidence
• Allows engaging a certification body to obtain a certificate of conformity
• Provides, via certification, the credibility of an independent assessment
• Provides a system that adds value
ISO 22301 states what must be done; a properly documented BCMS describes how the required processes are to be done.
Key Business Continuity Terms
• Business Impact Analysis
• Risk Appetite
• Risk Assessment
• BCM program & plan
• BCM response
• Activity
• Critical activities
• Exercise & Testing
• Incident management plan
• BCP Invocation
• Recovery Time Objective (RTO)
• Maximum Acceptable Outage (MAO)
Impact Analysis
Impact can be quantitative or qualitative:
• Loss of key personnel
• Loss of physical assets
• Loss of information
• Disruption of service
• Violation of law, penalties
• Brand image, reputation, credibility
• Financial/revenue
• Customers, suppliers, partners (external interested parties)
• Environmental/H&S
RISK APPETITE – Further Explanation
RESILIENCE – Further Explanation
RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM ACCEPTABLE OUTAGE (MAO): DISRUPTION FROM ZERO LEVEL
(Figure: RTO and MAO marked on the time axis; with no redundancy, performance falls to zero at the incident.)
RECOVERY TIME OBJECTIVE (RTO) & MAXIMUM ACCEPTABLE OUTAGE (MAO): DISRUPTION FROM REDUNDANCY LEVEL
(Figure: RTO and MAO marked on the time axis; with redundancy in place, performance falls only to the level the redundant capacity sustains.)
Interested Parties – ISO 22313:2012
Step 1 > Identifying interested parties as per the scope of the BCMS
(Figure: internal interested parties at the centre, external interested parties around them; the positions are labelled A–R and 1–18 as placeholders to be filled in for the organization in scope.)
BUSINESS IMPACT ANALYSIS - Samples

Sample 1
Interested party: Design company, as a vendor
Business relationship: Outsourcing of the design of a business application as per a predefined scope
Key processes / activity: 1. Design & development; 2. Verification and validation; 3. Design change
Business impact w.r.t. loss of $ in the time frame, if the process is not available:
  < 5 days: No issue
  5 - 15 days: Not acceptable (activate redundancy)
  15 - 30 days: Not acceptable (activate BCP)
  MAO = 30 days
Risk appetite (time / $ loss): Max. 15 days or < USD 50,000
RTO: 4 days

Sample 2
Interested party: Network vendor
Business relationship: Providing the network for the online shopping site company
Key processes / activity: 1. Power supply for telecom equipment on towers; 2. Network capacity; 3. Network security aspect (SOC)
Business impact w.r.t. loss of $ in the time frame, if the process is not available:
  < 30 minutes: No issue (activate redundancy)
  30 minutes to 1 hour: Not acceptable (activate BCP)
  > 1 hour: Not acceptable (activate BCP)
  MAO = 1 hour
Risk appetite (time / $ loss): Max. 15 days or < USD 5,000
RTO: 15 minutes

These samples help in prioritising the risks based on the severity of their impact on the business, measured against the key aspect chosen, say $ loss or time.
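As an added example, not part of the Intertek slides, the following Python models the two sample BIA rows above and runs the consistency checks a reviewer would apply to each row: the RTO must sit inside the band the business still tolerates and be shorter than the MAO, and the impact bands must cover the whole period up to the MAO. It also classifies an actual outage duration into the slide's response (no issue, activate redundancy, activate BCP, or MAO exceeded) and orders activities by how soon damage becomes irrevocable. The class and field names, the "Continue" label for the "no issue" action, and the payroll counter-example are assumptions made for illustration.

```python
"""Worked BIA register check (added example; not from the Intertek slides).

Each BiaEntry mirrors one row of the sample tables: impact bands by outage
duration, the Maximum Acceptable Outage (MAO) and the Recovery Time Objective
(RTO).  Outages past the MAO are the "irrevocable damage" region of the
resumption-of-activities curve.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Sequence

MAO_EXCEEDED = "MAO exceeded: irrevocable damage to the organization"


@dataclass(frozen=True)
class ImpactBand:
    """Tolerance of an outage shorter than `upper`; bands are listed in ascending order."""
    upper: timedelta
    tolerance: str  # "NO ISSUE" or "NOT ACCEPTABLE", as worded on the slide
    action: str     # "Continue" (assumed label), "Activate Redundancy" or "Activate BCP"


@dataclass(frozen=True)
class BiaEntry:
    interested_party: str
    activity: str
    rto: timedelta
    mao: timedelta
    bands: Sequence[ImpactBand]

    def band_for(self, outage: timedelta) -> ImpactBand:
        """Band an outage of this length falls in (the last band if beyond every upper bound)."""
        for band in self.bands:
            if outage < band.upper:
                return band
        return self.bands[-1]

    def action_for(self, outage: timedelta) -> str:
        """Response the plan calls for after `outage` of downtime."""
        if outage > self.mao:
            return MAO_EXCEEDED
        return self.band_for(outage).action

    def validate(self) -> List[str]:
        """Consistency findings on one BIA row; an empty list means the row is coherent."""
        findings = []
        if self.rto >= self.mao:
            findings.append("RTO is not shorter than MAO: no margin for recovery slippage")
        if self.band_for(self.rto).tolerance != "NO ISSUE":
            findings.append("RTO falls in a band the business already rates NOT ACCEPTABLE")
        uppers = [b.upper for b in self.bands]
        if uppers != sorted(uppers) or len(set(uppers)) != len(uppers):
            findings.append("impact bands are not in strictly ascending order")
        if uppers and uppers[-1] < self.mao:
            findings.append("impact bands end before the MAO: the tail is unassessed")
        return findings


def prioritise(entries: Sequence[BiaEntry]) -> List[BiaEntry]:
    """Shortest MAO first, then shortest RTO: the activities that become irrecoverable soonest."""
    return sorted(entries, key=lambda e: (e.mao, e.rto))


# Sample 1 from the slide: design vendor, MAO 30 days, RTO 4 days.
DESIGN_VENDOR = BiaEntry(
    interested_party="Design company, as a vendor",
    activity="Design & development of the business application",
    rto=timedelta(days=4),
    mao=timedelta(days=30),
    bands=(
        ImpactBand(timedelta(days=5), "NO ISSUE", "Continue"),
        ImpactBand(timedelta(days=15), "NOT ACCEPTABLE", "Activate Redundancy"),
        ImpactBand(timedelta(days=30), "NOT ACCEPTABLE", "Activate BCP"),
    ),
)

# Sample 2 from the slide: network vendor, MAO 1 hour, RTO 15 minutes.
NETWORK_VENDOR = BiaEntry(
    interested_party="Network vendor for the online shopping site",
    activity="Power supply for telecom equipment on towers",
    rto=timedelta(minutes=15),
    mao=timedelta(hours=1),
    bands=(
        ImpactBand(timedelta(minutes=30), "NO ISSUE", "Activate Redundancy"),
        ImpactBand(timedelta(hours=1), "NOT ACCEPTABLE", "Activate BCP"),
        ImpactBand(timedelta.max, "NOT ACCEPTABLE", "Activate BCP"),  # "> 1 hour" on the slide
    ),
)

# Constructed counter-example (not on the slide): an RTO set equal to the MAO.
BAD_ENTRY = BiaEntry(
    interested_party="Constructed example",
    activity="Payroll run",
    rto=timedelta(days=30),
    mao=timedelta(days=30),
    bands=DESIGN_VENDOR.bands,
)

if __name__ == "__main__":
    for entry in prioritise([DESIGN_VENDOR, NETWORK_VENDOR, BAD_ENTRY]):
        print(f"{entry.activity}: MAO={entry.mao}, RTO={entry.rto}")
        for probe in (entry.rto, entry.mao, entry.mao * 2):
            print(f"  outage {probe}: {entry.action_for(probe)}")
        for finding in entry.validate():
            print(f"  FINDING: {finding}")
```

Running the module lists the activities with the shortest MAO first and flags the constructed payroll row twice: its RTO equals the MAO, and a 30-day recovery lands in a band the business has already marked not acceptable. The two rows taken from the slide pass cleanly, which is the property a BIA review is trying to establish before the plan is exercised.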
Approaches to Business Impact Analysis (BIA)
• There is no single "right" way to conduct a BIA
• Any method that satisfies clause 8.2 is acceptable
• The BIA method may offer either
  – one BIA technique for universal use, or
  – a selection of techniques together with guidance on selecting one appropriate to the needs of specific activities (e.g. a BIA technique suited to HR activities may not be equally suitable for IT or H&S)
• The following slides illustrate a variety of BIA techniques
BIA Report – Example Headings
• Executive Summary
• BIA Method Summary
• BIA by Department / Process
  – Operations
  – R&D
  – Finance
  – Sales & Marketing
  – HR
  – Vendor Management
  – Compliance and Risk
• Summary of Critical Activities and Impacts
The BIA analyses the impact of disruption of the critical activities that support key products and services, which are themselves, of course, cross-functional.
Identify Risks and Opportunities
• Implementation of a BCMS assists in providing controls to mitigate risks
• Ensure review of risks and opportunities when assessing your current system and performing a gap analysis
• Determine appropriate risk and opportunity treatments
You may find these useful:
• ISO 31000:2009, Risk management – Principles and guidelines
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques
RISK MITIGATION (Risk Reduction)
Risk level bands:
  High: 71 - 100
  Medium: 41 - 70
  Low: 1 - 40
Risk Mitigation: Implementing Controls for Risk Reduction
Whichever controls are implemented, the following are the facts:
1. They bring down the risk to confidentiality, integrity and availability (C, I & A) only for as long as the control remains effective;
2. Whatever the control, risk cannot be brought to zero; it can only be reduced;
3. In IT, most controls reduce only the probability of an incident, not its impact once it occurs;
4. Residual risk will always remain; one must remember this 24x7.
BUSINESS CONTINUITY PLAN - VIDEO
BUSINESS CONTINUITY PLANS, as per anticipated risks
Take away > Redundancy is the SECRET OF SUCCESS OF BUSINESS CONTINUITY PLANS
BIRD’S EYE VIEW OF BCMS
Critical BC Focus Aspects of the Organization (anticipate maximum disruptions)
• All single points of failure [no redundancies]
• Residual risks identified in risk assessments [after considering all the controls]
• Unknown causes of redundancy failures
• No actions taken on BC testing failures
• Unknown / ignored risks
Realization of the Need to Implement BCMS (ISO 22301:2012) and Get Certified
1. Realization of the need to implement a BCMS
2. Think about, understand and realise the need for a BCMS
3. Accept the need for a BCMS
4. Attempt to learn how to do BCMS
5. Learn the BCMS concept and start the BCMS
6. Create a baseline of the BCMS
7. Implement & test the BCMS; understand the residual risk
8. Perform internal audits & management reviews
9. Implement corrective actions
10. Get audited and get certified to ISO 22301:2012
A CURRENT FACT
A FINANCIAL COMPANY IN NEW YORK BENEFITTED FROM BUSINESS CONTINUITY: ITS CORE SITE IN NEW YORK CONTROLLED THE DEVASTATING INCIDENT
Thank You!
Any Questions?