ANZUIAG CONFERENCE 2002: Business Continuity Management. Colin Maslen, MBCI
Characteristics of today’s world • Complexity • Coupling • Scope and size • Speed • Visibility
‘For the first time, human-caused crises can now rival natural disasters in scope and magnitude’ (Mitroff, 2001)
Examples … • Challenger Explosion • AT&T Network Breakdown • Exxon Valdez • Lockerbie • Union Carbide and Bhopal • Piper Alpha • Barings • Enron • September 11
‘Never before had the ability of business to recover been played out in the full glare of the worldwide media’ (Honour, 2002)
Business Continuity & the NY World Trade Centre • Comdisco had history of 421 DRP invocations before 11 Sept, then 74 invocations in 48 hours • IBM emergency operations centre already on full alert for a tropical storm in Gulf of Mexico
Business Continuity & the NY World Trade Centre (cont’d) • Deutsche Bank successfully switched operating system to back-up facility • Lehman Brothers used mirrored site in New Jersey - able to trade equities when New York Stock Exchange reopened on September 17
Crises/Disasters: Some Australian Examples • Hoddle Street massacre • Victorian power crisis • Longford gas plant explosion • Mobil jet fuel contamination • Product tampering in the pharmaceutical industry • Bankstown Civic Centre fire • Knox City Council fire • Auckland CBD power crisis • Childers backpacker hotel fire
Risk management - components • Risk Control (Proactive - minimises risk exposure and reduces likelihood, e.g. Security) • Risk Transfer (Insurance & Contracts - Manages Cost of Risk) • Business Continuity & Contingency Planning (Reactive - Minimises impact or consequences)
Business Continuity Management • Business Continuity Planning: to maintain continuity of critical processes & functions, e.g. customer service, administration, billing • IT (Disaster) Recovery Planning: Recovery of critical systems and applications • Crisis Management: Organisation & ability to manage any crisis or disaster
In context - BCM, BCP and DRP • Business continuity management: overall approach to business continuity • Business continuity plans: address continuity of processes • IT disaster recovery plan: one specific type of plan
Crisis management … the organisational capacity to manage a ‘crisis’ or ‘disaster’ through to recovery
Getting Started • BCM Team • Incident/Crisis Management Organisation • BCM Project/Program • Risk identification, assessment & treatment • Identify key business processes • Business Impact Analysis • Division/Faculty BCPs
The Risk Management Process (AS/NZS 4360:99) [diagram; stage label: Assessment] • Establish context • Identify risks • Analyse risks • Evaluate and prioritise risks • Treat risks • Consultation and Communication • Monitor and Review
Identifying / Prioritizing Key Business Processes • Vital: Not easily transferred or replaced; low tolerance, high cost of interruption; data may be permanently damaged/lost • Important: Can be partially transferred for limited period; moderate tolerance; potentially high cost of interruption • Deferrable: Can be interrupted for extended period; minor inconvenience
Critical Business Processes: Examples • Student administration: enrolments, fees, student records, examinations, graduations; accommodation • Faculties: Budgeting; programming the academic year; resource allocation • Finance: payroll; accounts; tax • Human resources: HR records, remuneration; superannuation, worker’s compensation • On-line teaching
Business Impact Analysis (BIA) • Examines dependency of Vital & Important processes on Key Resources • Determines Maximum Tolerable Outage (MTO), i.e. the restoration timeframe, for each resource
BCP Components • Objectives, scope, possible scenarios • Organisation, responsibilities & communications • Incident impact assessment, escalation & plan invocation • Procedures & checklists for phases: Respond; Restore (Vital & Important Processes); Recover • Emergency contact lists • Document control & maintenance
Planning considerations • Emergency Services’ priorities • Staff • Communications: primary & back-up • Public relations • Continuity of Customer Service • Information Technology & Services • Salvage & restoration of documents (e.g. licences), records and artifacts
The big picture ... [flowchart; node labels] • Incident • Incident reporting & escalation • Is it an IT ‘disaster’? (Yes/No) • Is it a ‘crisis’? (Yes/No) • Resume normal IT operations • Resume business as usual • Invoke DRP: Convene DMT to coordinate • Convene CCT • Implement BCPs for Business processes • Manage Salvage & Repair • Manage HR & PR Issues • Restore Hardware & Communications • Applications & Data Recovery • Off-site back-up • Process restoration & data catch-up • Business resumption & Cost recovery • Business as usual
Incident/Crisis Management • Respond: Identify, report & assess Incident/Crisis; Emergency procedures; Escalate, activate CMT; Isolate/contain damage • Restore: Stabilise - CMT coordinate company-wide response; Damage control; Short term restoration of operations & customer service; Work-arounds & BCPs; Manage indirect consequences, e.g. media coverage • Recover: Assess impact (cost); Repair damage; Recover image & market share; Cost recovery, e.g. insurance
BCM - The Essential Ingredients • Commitment • Organisation • Communication • Testing & training • Plan maintenance & review
Sources of Information • Business Continuity Institute • BCI’s Business Guide to Continuity Management • ANAO’s Best Practice Guide: Business Continuity Management - Keeping the wheels in motion • Standards Australia: OB/7 Working Group Draft Business Continuity Management Guideline
Bombing at Hebrew University • 31 July 2002 • Bomb planted in university cafeteria • Killed 7 and wounded more than 80