Dustbustinʼ (using a management system) Clive Lunn FBCI, CRM

Dustbustin - EPICC Seminar 2010/BC Hydro... · national / international standards ... documentation standards ... (current) corporate objectives? Aligned to leading practices

Apr 22, 2018

Page 1

Dustbustinʼ (using a management system)

Clive Lunn FBCI, CRM

Page 2

  “The problem”

  The Business Continuity Management lifecycle

  Getting executive attention

  The missing link(s)

  “Dustbustin”

  Summary

  Q & A

Page 3

  BC Manager – “must” implement best practice or national / international standards

  Department Managers – must do their “day job”

  Conflicting priorities
    BCM not in KPI
    BCM not in job description
    Risk management “how much is enough”?

Must do a BIA, BCP, Exercises, etc

You want me to do WHAT?

BCM manager Dept. manager

Page 4

 BCM Practitioners typically focus on the “Doing” components – BIA, Strategy, Plans, Exercises, Education

Pivotal to success

Page 5

They will usually only endorse BCM efforts if:
  1. There is a damned good BIA available or;
  2. There is a “burning platform”
  Option 1 is best, 2 leads to panic and pressure

  Recommended approach must show how they will increase the likelihood of attaining corporate objectives by decreasing risk

  To attain objectives you must:
    Ensure continuity of critical processes
    Protect resources
    Secure supply
    Recover if necessary

Bovine risk management 101

Need exec support PS can also get “dusty”

Page 6

Help!

Plans are only one element

Page 7

  Programme management is the single point of failure
  It is the “hub” around which all other activities rotate

The “Dustbuster”

Page 8

Program Management*

Plan
  Approve Policy
  Approve Standards & Practices
  Define Roles & Responsibilities
  Define Program Scope
  Agree Annual Goals

Do
  Maintain Framework
  Develop Action Plan
  Execute Planning Life Cycle
  Coordinate implementation
  Input to BG Planning Audit

Check
  Track & Report Outcomes
  Aligned to changing Goals
  Aligned to leading practices
  Mitigates regulatory risks
  Support BCMS Audit

Act
  Review & Amend Policy
  Amend Standards & Practices
  Amend Roles & Resp.
  Amend Scope & Goals
  Approve BCM Strategies

*Your PDCA activities may be distributed differently

Page 9

Plan: “What do we want to achieve”

  Policy
    Executive endorsement, high level objectives
    Target “maturity level”
    Risk tolerance (difficult)
    Risk escalation criteria (possibly based on risk matrix)

  Standards & Practices – e.g.:
    BS25999, CSA Z-1600, ASIS SPC 1-2009
    Risk evaluation criteria, documentation standards

  Roles & Responsibilities (RACI)
    Who does what – planning cycle & response
    Includes executive responsibilities e.g. steering committee

  Program Scope
    What’s in and out? – operations, locations, subsidiaries, suppliers…

  Annual Goals
    Rolling targets & this year’s deliverables

Page 10

Do: “Create deliverables”

  Maintain Framework
    The PDCA management system
    Tools and templates, training and education materials

  Develop Action Plan
    Project plan to achieve goals set in planning phase

  Execute Planning Life Cycle*
    BIA, RA, Strategy, Plans, Exercises, Training, Maintenance

  Coordinate implementation, e.g.:
    ITDR strategy should address business’ needs
    Multi-stakeholder collaboration – “peacekeeper / arbitrator”
    Overall prioritisation (with agreement from steering committee)

  Input to BG Planning Audit
    Ideally Internal Audit checks the business against agreed standards and:
    The BC manager “helps” the business comply with the standards

Page 11

Check: “Are we achieving our objectives & doing this in the most appropriate way”

  Track & Report Outcomes
    Are business groups up to date & aligned with Policy, Standards, Annual Goals?

  Aligned to changing corporate goals
    An organization’s priorities usually change over time; does the BCM program still address risks to (current) corporate objectives?

  Aligned to leading practices
    Are leading practices changing, are newer & better ways emerging, do we need to adopt these?

  Mitigates regulatory risks
    What new regulations apply to us and does the BCM program effectively mitigate these, or do we need to change anything?

  Support BCMS Audit
    Occasionally the program should be audited to ensure it is appropriate given the risk profile of the organization

Page 12

Monitoring tool sample

Page 13

Act: “Continuous improvement”

  Review & Amend Policy
    To reflect changing risk appetite or circumstances

  Amend Standards & Practices
    Implement newer practices if deemed appropriate

  Amend Roles & Resp.
    To reflect changes to company structure, size, authority levels or BCM program

  Amend Scope & Goals
    As BCM program matures (able to do more), changing regulations or practices

  Approve BCM Strategies
    Large capital expenditures needed
    Overall prioritisation
    Where response strategy may negatively impact another part of the business

Page 14

  BC Manager – must implement agreed BCM activities

  Aligned priorities
    “day job” takes priority
    BCM in KPI and job description
    Risk management / BCM maturity agreed – we know “how much is enough”

BCM effort as directed by policy (I’m here to help!)

Sure, it is number 4 on my priority list

BCM manager Dept. manager

Page 15

  BCM is a program, not a project

  BCM is a risk management discipline – requires trade-offs

  BCM is not “just about the plan”

  Governance process is critical to ensure success

  A plan-do-check-act management system will assist to:
    Ensure the executive team are engaged
    Ensure everyone is on the same page regarding “how much is enough”
    Ensure roles and responsibilities are properly defined
    Ensure deliverables and scope are properly defined
    Ensure planning and risk mitigation efforts are aligned
    Ensure consistent understanding of business interruption risks
    Provide a mechanism for the program manager to “Steer the ship”

Page 16

  Questions?

According to the WHO: H1N1 is dead, H3N2 is coming & H5N1 is still waiting in the wings