
Everything you want to know about Business Continuity
Ebook, 287 pages, 4 hours


About this ebook

Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.

Language: English
Publisher: IT Governance Publishing
Release date: Mar 15, 2012
ISBN: 9781849282024
Author

Tony Drewitt

Tony Drewitt is a professional member of the Business Continuity Institute (BCI). He has been a practising consultant in the field of operational risk management and business continuity management (BCM) since 2001, working with a wide range of small, medium and large organisations, to develop BCM policies, strategies and plans. Tony started his career as a mechanical engineer in industry, and has held a range of posts in sales and marketing, general management and management consulting. He was one of the first practitioners to achieve certification under BS25999 (predecessor to ISO22301) for a client in 2008. Tony is the author of the already successful ITGP publications ISO 22301: A Pocket Guide, A Manager’s Guide to ISO 22301 and Everything You Want to Know about Business Continuity.


    Book preview

    Everything you want to know about Business Continuity - Tony Drewitt

    Everything You Want to Know About Business Continuity

    TONY DREWITT

    IT Governance Publishing

    Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are always at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

    Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

    IT Governance Publishing

    IT Governance Limited

    Unit 3, Clive Court

    Bartholomew’s Walk

    Cambridgeshire Business Park

    Ely

    Cambridgeshire

    CB7 4EH

    United Kingdom

    www.itgovernance.co.uk

    © Tony Drewitt 2012

    The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

    First published in the United Kingdom in 2012

    by IT Governance Publishing.

    ISBN 978-1-84928-202-4

    PREFACE

    Business continuity (BC) is a fairly new concept in many organisations, with the probable exception of banks and some other financial institutions that have traditionally been much more reliant on computer systems than many others and so have had ‘disaster recovery’ arrangements in place for quite some years.

    As attitudes to what is acceptable in business, government and even the voluntary sector change, there is simply more pressure on more of us to do something about business continuity. Many people feel that they are already doing the majority of what business continuity comprises. Whilst they are probably doing some of it, it is unlikely that they are doing most of it.

    Business continuity is still effectively a voluntary activity for most organisations, and it is left to the rather general diligence requirements of the Companies Act (in the UK) and the relevant state incorporation laws in the USA, as well as the requirements for listed corporations to provide statements of internal control and risk management. However, there is growing pressure and expectation upon organisations of all types to formalise their operational resilience by way of business continuity arrangements, though for many the term ‘resilience’ is arguably more appropriate, as we shall see later.

    Of course, the ultimate in resilience would include spare everything! People, workplaces, information and communication systems, processing facilities and so on; all running and fully maintained, just waiting for you to ‘invoke’ should the need arise. Even the very few companies that could afford this don’t have it; it simply doesn’t make any economic sense.

    At the other end of the spectrum are the many organisations that have given no real thought to what might happen if there were some significant interruption to their daily activities; as the world changes their negligence of these risks will continue to become more and more unacceptable.

    On the day I started writing this book, Japan suffered one of the most severe earthquakes in its history and the resulting tsunami wrought devastation upon Sendai and surrounding areas, dominating world news for some time. Like the World Trade Center attack in 2001 and others since then, this latest disaster will have more and more people thinking about whether they should finally do something about business continuity, or perhaps review what they already have in place.

    But whatever the reason for addressing business continuity now, readers of this book will want to know that there isn’t anything else out there; that they haven’t missed something important to do with business continuity that isn’t covered in this book.

    Business continuity isn’t like, for example, financial accounting. There are no statutory, or even standard, methods for doing it. And whilst there are guidelines and now even a few national standards, it is still largely up to each organisation to decide how it is going to implement its resilience arrangements. So there are a number of approaches to the various parts of a ‘reasonable’ business continuity programme; there is the intuitive approach and the analytical approach, both of which are covered. But there are few very fundamental differences between any of the approaches that I have ever come across, so I am confident that there isn’t anything else out there, of real value, that this book doesn’t cover. I have been to numerous conferences and presentations from people who call themselves ‘thought leaders’, and have not come across any thinking, ideas or philosophy regarding business continuity that is fundamentally at odds with what is covered in this book.

    If you act on everything in this book and get the Board’s cognisant approval for those actions, your organisation should have an entirely reasonable and fit-for-purpose set of BC arrangements that sit well with today’s corporate governance and corporate social responsibility requirements, codes and expectations.

    ABOUT THE AUTHOR

    Tony Drewitt is a business continuity practitioner and a professional member of the Business Continuity Institute (BCI). He has been a practising consultant, trainer and technical expert in the field of operational risk management and business continuity management (BCM) since 2001, working with a diverse range of organisations of all sizes to put in place effective and sustainable business resilience arrangements and crisis management capabilities.

    Tony started his career as a mechanical engineer in manufacturing industry and has since held a range of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2, and delivers a range of business continuity foundation courses and masterclasses for a wide variety of organisations throughout the UK.

    Tony is the author of the already successful ITG publications BS25999: A Pocket Guide and A Manager’s Guide to BS25999.

    ACKNOWLEDGEMENTS

    My thanks to Lita Cuen of LCRisq, San Diego, California for helping me with the US corporate governance aspects of this book.

    We would like to thank John Kyriazoglou, CICA, M.S., B.A. (Honours), International IT and Management Consultant, for his helpful feedback when reviewing the manuscript.

    CONTENTS

    Introduction

    Does it really matter?

    Corporate governance and CSR

    DR, BC, BCP or BCM?

    Chapter 1: The Operational Risk Landscape for Business and Other Organisations

    Weather

    Energy

    Operational risk management

    The risk management process

    Chapter 2: What Does BCM Actually Achieve?

    Tangible benefits

    Chapter 3: An Incredibly Short History: Early DR to 2011 BCM

    Continuity and resilience

    Chapter 4: The Role of Standards and Independent Validation

    Business continuity standards

    Other standards

    Compliance

    Supply chain

    Corporate governance

    Chapter 5: The Management System Approach versus a Simple BC Plan

    Chapter 6: Planning the BCMS

    What is a BCMS?

    Chapter 7: Identifying the Organisation’s Requirements

    Risk assessment

    Business impact analysis

    Chapter 8: Strategy and Options

    Contingencies

    Physical infrastructure

    Information

    People

    Seasonality

    Incident level

    Output

    Chapter 9: Incident and Crisis Response

    Incidents, crises and disasters

    The response organisation

    The response team

    Competencies

    Response plans

    Communications

    Full recovery

    Insurance

    Chapter 10: The Assurance Process

    Exercise programme

    Maintenance programme

    Audit programme

    Management review programme

    Continual improvement

    Summary

    Chapter 11: BCM as a Competitiveness/Assurance Tool

    The insurance argument

    Cost-effectiveness

    Peace of mind

    Chapter 12: Tools and Software

    The BC software market

    What to look for in BC software

    Chapter 13: The New World of Sustainability

    BIA

    Business as usual

    Incident response

    Chapter 14: How to Do It

    Visible programme

    Awareness

    Certification

    Summary

    Appendix 1: Acronyms

    Appendix 2: Business Continuity Policy

    Policy statement

    Appendix 3: A Simple Risk Register

    Appendix 4: Incident Response Plan

    Use of this plan

    The crisis management team (CMT)

    Recovery time objectives

    Response and recovery activities

    Ending the business continuity phase

    Appendix 5: Scenario Plan

    Appendix 6: Activity Recovery Plan

    Appendix 7: Document Review and Control Procedure

    General

    Version control

    Retrieval and distribution

    Appendix 8: Corrective and Preventive Actions Form

    Appendix 9: Exercise Methodology/Procedure

    Desktop exercise

    Full exercise

    IT DR exercise

    Continuous improvement

    Reporting requirements

    Exercise programme

    Appendix 10: BCM Software Vendors

    Appendix 11: Suggested Software Enquiry Form

    Appendix 12: BCM Audit Programme and Procedure

    Appendix 13: IT Disaster Recovery Plan/Procedure

    Recovery time objectives

    ITG Resources

    INTRODUCTION

    Business continuity (BC) is a relatively new discipline, although people running organisations have been doing increasing amounts of the things that make up BC since the Industrial Revolution. The risks haven’t changed that much, but the way that we, as a society, think about risks has.

    There are some newer risks, of course, particularly those to do with computers and information technology systems, but those have really grown at the same pace as the technologies themselves; it is simply that we are now more aware of many of the risks, and our attitude to how acceptable they are has changed.

    This book is aimed at people involved in the running of all types of organisation; whether a private sector ‘for profit’ company, public service or voluntary sector organisation, or even the defence forces, all organisations exist to fulfil a purpose, even if that purpose is not the generation of financial wealth and its distribution to owners, stakeholders or anyone else.

    Actually, all organisations work more or less the same as a company, or corporation; they have people and other resources with which they do, or make, things for customers, or people that they call something else. The organisation’s income doesn’t always come directly from those customers, but it does come from somewhere and if the organisation doesn’t do what it is supposed to be doing, then the time will come when its income reduces, or even stops altogether.

    So the principles of risk management should be the same for any organisation, and while some may measure their risks in different ways, it is ultimately the supply, or availability, of resources and money that enables any organisation to meet the corporate governance requirements of the modern world.

    Ultimately, most of us need three things: our health, other people and money. Money enables us to acquire everything else that we need apart from our health and other people.

    And so whilst many organisations, particularly in the public and voluntary sectors, may state that their primary purpose is something other than ‘the bottom line’, ultimately it is money that enables them to be the best, or biggest, or the ‘brand leader’, or to serve their community, or anything else that they wish to do.

    Business continuity is a way, the most comprehensive way, of ensuring that any organisation can protect the interest of its customers and owners by ensuring that everything reasonable is done to make it resilient to unexpected, or unforeseen, situations that prejudice its ability to do what it does.

    But this is selective; it is for each organisation to decide whether, for example, it wants to see the loss of a major contract as a BC scenario. If a major customer stops buying, and paying for, the organisation’s products or services, does it matter why? If they stop buying because their factory or offices have been burned down, is that really any different from them doing so because they have found another supplier?

    It is ultimately a matter of policy that each organisation decides whether loss of business is a scenario that should be included within its BC arrangements, as well as similar scenarios, such as loss of a key supplier.

    Although risk is interwoven in everything an organisation does, this book looks in depth at one of the three fundamental types of risk: what we are calling operational risk.

    The three types of risk are:

    1  that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;

    2  that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;

    3  that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.

    Most organisations base their BC arrangements only on the third category, most often referred to as operational risk, and this is the approach that the rest of this book is based upon.

    Does it really matter?

    Many people think that BC isn’t worth the effort and expenditure. But that is usually based on intuition, although in some cases it may also be true. Most organisations have some ingredients in place anyway, such as insurance, stocks of raw materials, spare equipment and locks on the doors, but to write down some sort of plan as to how they would respond in the event of an interruption might seem too much effort, or even a ‘waste of time’. However, for the great majority it will almost certainly be worthwhile looking at the organisation to assess its true resilience to the unknown and putting in place a plan that enables relevant people to make the best decisions in the event that something does go wrong.

    Corporate governance and CSR

    The way that the world now thinks about risks is very different from how it was in the middle of the last century. In those days, people in charge were assumed to know what they were doing, and if things went wrong it was still assumed that they had
