Business Continuity Management
Dewar Donnithorne-Tait, Adfingo
Within a government context
AFCEA Europe TechNet 2006, Sofia, Bulgaria, Thursday 19th October 2006
Background
• Formerly:
  • Defence Systems
  • Sun Microsystems: lead on the UK Government BCM panel (Office of Government Commerce) right after 9/11
• Latterly:
  • eGovernment Minister's personal strategic adviser, FEDICT, Belgium (this presentation is mainly based on this experience)
  • Business Continuity Institute
BCM Business Continuity Management (BCM) is a process which embraces all aspects of the organization, which identifies threats and contingencies and which provides a framework to provide capabilities and responses to assure continuous business operation and to protect the interests of stakeholders.
IA
Information Assurance (IA) is a comprehensive approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
Comment. IAAC describes IA to board directors as 'the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.'
Definition proposed by the Information Assurance Advisory Council (IAAC), UK.
Disaster Recovery
Disaster Recovery is the process for bringing systems, processes and data back to the position which prevailed before an accident/calamity/catastrophe/disaster occurred.
Comment. It is reactive to an event occurring, although the procedures should be tested and rehearsed frequently.
Security
Security is the protection, guard or defence against threat.
Comment. It can be active or passive. In organizational terms the threat is measured in terms of potential damage to the organization. The security classifications afforded relate to the potential damage to the organization if security is breached; the level of protection increases with the degree of classification. Government security generally conforms very closely to this model. The term personal security is traditionally taken to mean protection from physical attack, but with increased ICT use, viruses and other electronic attacks, the use of personal firewalls and back-ups brings personal electronic security more into line with the organizational definition. In government, security is generally regarded as an organizational issue, and that is how the term is used in this presentation.
Privacy
Privacy - two relevant definitions:
• Absence or avoidance of publicity or display; being withdrawn from public interest; seclusion
• Private or personal matters or relations
Comment. The key feature is that privacy is about the choice of the individual, social group and occasionally organization to keep things from the knowledge of others; the reasons need not involve preventing damage, as they do in the sense of security. In some states, certain levels of privacy have been made legal rights (individual and sometimes also organizational, depending on the state). For BCM, several sorts of private information may be involved, such as client/customer records.
A Governance Model
(Diagram: a hierarchy in which each layer is derived from the one above it)
Purpose → Core Values → Long-Term Goal(s) → Short-Term Goals → Objectives → Strategies → Capabilities → Activities (People, Processes, Systems, Policies) → Resources
The diagram shows several Short-Term Goals, Objectives, Strategies, Capabilities and Resources side by side beneath the single Purpose.
Implementing BCM Adapted from ‘Business Continuity Management: Good Practice Guidelines’, The Business Continuity Institute, 2002
Stage 1: Understanding the Business
• Organizational Purpose, Core Values, Strategy, Objectives, Capabilities, Resources
• Critical Business Factors (e.g. people, processes, systems)
• Business Outputs and Deliverables
• Business Impact Analysis
• Risk Assessment and Control
Stage 2: Business Continuity Management Strategies
• Organisation (Corporate) BCM Strategy
• Process Level BCM Strategy
• Resource Recovery BCM Strategy (including people)
Stage 3: Develop and Implement a BCM Capability
• Plans and Planning
• External Bodies and Organisations
• Crisis and/or BC event/incident Management
• Sourcing (intra-organisation and/or outsourcing providers)
• Emergency Response, Recovery Solutions and Operations
• Communications
• Public Relations and the Media
Stage 4: Building and Embedding a BCM Culture
• An on-going programme of:
  • Awareness
  • Education and Culture Building
  • Training
Stage 5: Exercising, Maintenance and Audit
• Exercising of BCM plans
• Rehearsal of staff and BCM teams
• Testing of technology and BCM systems
• BCM Maintenance
• BCM Audit
Stage 6: BCM Programme Management, Policy, Assurance
• Senior Commitment and proactive participation
• Organisation (Corporate) BCM Strategy
• BCM Policies
• BCM Framework
• Roles, Accountability, Responsibility and Authority
• Finance
• Resources
• Assurance
• Audit
• Management Information System: Metrics/Benchmark
• Compliance: Legal/Regulatory issues
• Change Management
RESPONSIBILITIES
• Ever-increasing trend to reliance on knowledge, automation, mass-customisation
• Technical burden tends to fall on ICT staffs
• But BCM is a pan-organisation activity, which needs to be led from the highest levels
• In government, this is typically the 'Prime Minister's Office' or 'Ministry of Interior'
• Other government departments, including ICT functions, play their part within the overall approach
PRINCIPLES OF GOVERNMENT BCM
(Adapted from Business Continuity Management: Good Practice Guidelines, The Business Continuity Institute, 2002)
• Business Continuity Management (BCM) and Crisis Management are an integral part of government Corporate Governance.
• BCM activities must match, focus upon and directly support government goals and business strategy.
• BCM must provide organisational resilience to optimise government product and service availability and, as a value-based management process, BCM must optimise resource efficiencies.
• BCM is a business management process that must add value.
• The component parts of government own their business risk, and their management of business risk should be based on risk levels appropriate for all government stakeholders.
PRINCIPLES 2
• The government must recognise and acknowledge that reputation, brand image, stakeholder value and risk cannot be transferred or removed by intra-governmental sourcing and/or outsourcing.
• All BCM strategies, plans and solutions must be government main-line business owned and driven. They should not be viewed as a specialised, separate category.
• BCM must be considered at all stages of the development of new government business operations, products, services and internal infrastructure projects.
• BCM must be considered as an essential part of the business change management process.
• The relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a government BCM programme.
PRINCIPLES 3
• There must be agreed, published and distributed organisation policy, strategy, framework and exercising guidelines for government BCM and Crisis Management.
• All BCM strategies, plans and solutions must be based upon: the identified government business Mission Critical Activities (MCA); their dependencies; the single points of failure identified by a Business Impact Analysis (BIA).
• The competency of government BCM practitioners should be based on and benchmarked against standards, such as the ten professional competency standards of the Business Continuity Institute.
• The government and its component parts must implement and maintain a robust exercising, rehearsal and testing programme to ensure its BCM and Crisis Management capabilities are effective, efficient and economic.
PRINCIPLES 4
• All third parties, including joint venture companies and service providers, upon which the government is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability.
• The government's BCM and Crisis Management capabilities should reflect these good practice guidelines.
• All BIAs must be conducted in respect of government products and services in an end-to-end context.
• The government and its component parts are accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability.
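The Stage 1 Business Impact Analysis and the principle above that plans must rest on the Mission Critical Activities, their dependencies and the single points of failure a BIA identifies are the one analytic step in the deck that can be shown mechanically. The following is an added example, not code from the presentation or from the Business Continuity Institute: it models each activity and resource as a node with requirement groups (a group is satisfied by any one of its alternatives, which is how redundancy is expressed), then finds every node whose single failure takes an MCA down, the pairs of non-SPOF nodes that do so together, and the nodes shared across MCAs ranked by the tightest Recovery Time Objective. All service, resource, telco and RTO names are constructed for illustration.

```python
"""Single-point-of-failure analysis over a dependency model, as a worked BIA step.

Added example (not from the presentation). Every service, resource and RTO
below is constructed for illustration only.
"""
from itertools import combinations

# node -> list of requirement groups. A group is a set of alternatives, any ONE
# of which satisfies the requirement. A node is available only if it has not
# failed itself and every one of its groups still has an available alternative.
DEPENDENCIES = {
    "Citizen tax portal": [{"Web tier"}, {"Identity service"}, {"Tax database"}],
    "Benefit payments":   [{"Payments engine"}, {"Identity service"},
                           {"Bank link A", "Bank link B"}],
    "Web tier":           [{"Data centre 1", "Data centre 2"}],   # active/active
    "Identity service":   [{"Data centre 1"}],                    # single site
    "Tax database":       [{"Data centre 1", "Data centre 2"}],   # replicated
    "Payments engine":    [{"Data centre 2"}],                    # single site
    "Bank link A":        [{"Telco X"}],
    "Bank link B":        [{"Telco Y"}],
    "Data centre 1":      [{"Power grid"}],
    "Data centre 2":      [{"Power grid"}],                       # shared dependency
    "Power grid": [], "Telco X": [], "Telco Y": [],
}

# Mission Critical Activities -> Recovery Time Objective in hours (constructed).
MCAS = {"Citizen tax portal": 4, "Benefit payments": 24}


def available(node, failed, deps=DEPENDENCIES, _stack=()):
    """True if `node` still works given the set of `failed` nodes."""
    if node in failed or node in _stack:   # a cycle in the model counts as unavailable
        return False
    for group in deps.get(node, []):
        if not any(available(alt, failed, deps, _stack + (node,)) for alt in group):
            return False
    return True


def single_points_of_failure(mca, deps=DEPENDENCIES):
    """Nodes whose failure alone makes `mca` unavailable."""
    return {n for n in deps if n != mca and not available(mca, {n}, deps)}


def dual_failures(mca, deps=DEPENDENCIES):
    """Pairs of nodes, neither a SPOF by itself, that together take `mca` down."""
    spofs = single_points_of_failure(mca, deps)
    others = [n for n in deps if n != mca and n not in spofs]
    return {frozenset(p) for p in combinations(others, 2)
            if not available(mca, set(p), deps)}


def shared_spof_report(mcas=MCAS, deps=DEPENDENCIES):
    """Rank nodes by how many MCAs each can take down alone, tightest RTO first.

    Returns a list of (node, [(rto_hours, mca), ...]) tuples.
    """
    hits = {}
    for mca, rto in mcas.items():
        for n in single_points_of_failure(mca, deps):
            hits.setdefault(n, []).append((rto, mca))
    return sorted(((n, sorted(v)) for n, v in hits.items()),
                  key=lambda item: (-len(item[1]), item[1][0][0], item[0]))


if __name__ == "__main__":
    for mca, rto in MCAS.items():
        print(f"{mca} (RTO {rto}h): SPOFs = {sorted(single_points_of_failure(mca))}")
        pairs = sorted(dual_failures(mca), key=sorted)
        print(f"  dual failures = {[sorted(p) for p in pairs]}")
    for node, hits in shared_spof_report():
        print(f"{node}: takes down {[m for _, m in hits]}")
```

The value of the pairwise pass is that it surfaces the redundancy that is only apparent: the two bank links look resilient until the analysis shows that each sits on its own single telco, so a simultaneous loss of Telco X and Bank link B still stops payments. In a real BIA the model would be populated from the end-to-end service inventory the principles call for, and re-run as part of change management whenever a dependency is added.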
BCM & IA
• 'IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.'
• The Turnbull Report in the UK advocates and provides a basis for a risk-based approach to corporate governance, which has to be interpreted to cater for the levels of risk acceptable to government functions. However, the continually increasing dependence on ever more complex information systems means that more emphasis needs to be given to the information risk management element of government corporate governance. (The Turnbull Report on Corporate Governance - Internal Control: Guidance for Directors on the Combined Code, 1999, London)
• IA can be viewed as a major subset of BCM
IAAC Deliberations
An IAAC discussion paper recommended:
• The incorporation of IA into guidelines for corporate governance
• The development of further metrics and IA maturity models to assist in the creation of appropriate risk management tools
• Compliance with a management standard, with the minimum standard being ISO 17799 (the code of practice since renumbered as ISO/IEC 27002)
• Development of theory and tools for the measuring and monitoring of dependency risks
• Development of the insurance markets to provide more efficient tailored services
• Senior management awareness, communicated in business language, of the risks and dependencies faced by organisations
Some Metrics
Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000
Organisations in possession of a BCM plan (figures appear to be percentages of respondents; the Manufacturing and Retail rows do not sum to 100 in the original)

Sector                  Yes   No   No comment
Finance                  32   56       12
Computing, Technology    31   60        9
Telecom                  31   65        4
Public Sector            26   44       30
Manufacturing            23   48       19
Retail                   16   70       10
Entertainment, Media     16   76        8
Transport, Logistics     12   64       24
Some More Metrics 1
Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000
• 38% of those interviewed couldn't distinguish between Business Continuity Management and Disaster Relief
• 88% suffered serious events not covered by plans
• Up to 90% reduction in total loss can be achieved by having good, tested plans
• 94% do not seek managerial approval of plans prior to implementation
• 92% upgrade BCM capability significantly after a disaster
• 70% do not view DR/BCM as an integral part of business planning
• 22% consider integrated company-wide planning important
• 20% do not consider protection of data and systems important
Some More Metrics 2
Source: Performance Concepts, quoted in Business Continuity, Director Publications Ltd, London, 2000
• 88% of e-business is not included in organizational Business Continuity Management and Disaster Relief plans
• 57% of disasters are IT-related
• 61% do not publish BCM plans to all employees
• Only 11% of organisations had active board-level involvement in BCM
• 92% fail to update BCM plans after new system introduction
• 84% do not identify risks in Supply Chain Management (SCM)
• 10% of disasters are in SCM
• 29% of those involved had no formal training
• 38% are confident in their skills
Discussion
Dewar Donnithorne-Tait MA MBA FIoD
www.adfingo.net
m: +44-7703-105006
e: dewardt@aol.com