
Business Continuity Management: Choosing to Survive
Ebook, 402 pages, 3 hours


About this ebook

Business Continuity Management: Choosing to survive shows you how to systematically prepare your business, not only for the unthinkable, but also for smaller incidents which, if left unattended, could well lead to major disasters. A business continuity management (BCM) program is critical for every business today, and this book will enable you to develop and implement yours to maximum effect.

Language: English
Publisher: itgovernance
Release date: Jul 31, 2012
ISBN: 9781849283007
Author: Abdullah Al Hour


Business Continuity Management

Choosing to survive

ABDULLAH AL HOUR, MBCI

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader's own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk

© Abdullah Al Hour 2012

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2012 by IT Governance Publishing.

ISBN 978-1-84928-300-7

PREFACE

The last few years have not been an easy time for the world. Major events have been shocking everywhere, causing severe impacts and consequences. The H1N1 outbreak, the earthquakes in Chile and Haiti, and BP’s oil spill in the Gulf of Mexico are living proof of the damage that nature and humans can do. Risks and threats to our societies, businesses, and people have also been increasing, in both quantity and quality. Threats to cyber security, supply chain interruptions, and extreme climatic changes are examples of these.

The effects of these major events and disasters derive partly from our faulty mindset towards understanding and dealing with them. Hoping that nothing bad will happen because it has not happened before is the first thing we need to change. Looking at the world around us, is it the same as it was one year, or even six months, ago? Being in reactive mode and telling ourselves that we can survive by fire-fighting a disaster when it happens is definitely a losing gamble. We can make it through disasters and major events by proactively addressing the risks and being in a ready state. Being proactive should not be done in an ad hoc manner. It should follow a systematic and comprehensive approach, covering all the details in the big picture.

Business continuity management (BCM) provides organizations with the effective methods needed to protect them from the impacts and consequences of major incidents or disasters through structured and controlled programs. Proper and effective BCM programs can put organizations in the driving seat and let them control their courses of action by proactively detecting and managing the risks and threats that can lead to disasters. Equally, they keep the organization in a ready state to react to disasters and mitigate their impacts and losses.

BCM is not rocket science. It is a scientific, logical, and practical methodology that can be customized and enhanced. Now, with the existence of globally accepted standards, BCM programs enjoy common sets of specifications that can be translated into practical implementations and tangible results. Adopting BCM is not an option; it is a survival decision and the right step towards protecting an organization.

This book aims to provide a clear, yet strong, introduction to the world of BCM. It builds on internationally recognized standards and best practices such as ISO22301 societal security and ISO27031 ICT readiness for business continuity (IRBC). What we will see within this book is the result of an extensive journey with BCM that has not come to an end. Its two noticeable features are comprehensiveness without overkilling the subject and practicality without underestimating it.

ABOUT THE AUTHOR

During eight years of deep and daily involvement and practical experience, the author has been responsible for designing, starting, implementing, and maintaining BCM programs in financial and telecom sectors across different geographical regions. Such experience has been actively supported with comprehensive skills and knowledge in risk management, strategy setting and implementation, and project management. Having been in ITDR and BCM leadership positions in IT and risk management areas, the author genuinely understands the complications and dynamics of the interaction of technical and non-technical in BCM. The author is the business continuity manager at a leading financial group. He is a Member of the Business Continuity Institute (MBCI) and was a speaker at the BCM World 2011 and 2012 conferences.

ACKNOWLEDGEMENTS

I find myself very thankful and grateful to my wife, Raeda, for believing in me and for being extremely patient, appreciative, and supportive during the journey of writing this book.

I also would like to thank all of those who have accompanied me in my professional life and still inspire me every day with their knowledge, wisdom, and insight.

Thanks are extended to the following for their helpful reviews of the manuscript: ir. HL (Maarten) Souw RE, IT auditor, UWV; John Kyriazoglou CICA, MS, BA, International IT and Management Consultant; and Howard Pierpont MBCI, CBM and CBCP, Chairman of the Board of Directors of the Disaster Preparedness and Emergency Response Association, www.disasters.org.

Permission to reproduce extracts from the ISO27031 Standard is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, e-mail: cservices@bsigroup.com.

CONTENTS

Chapter 1: Introduction
What is business continuity management?
Benefits of effective BCM programs
Emerging risk and threat topologies
BCM and risk management
BCM and compliance
BCM and insurance

Chapter 2: Setting up the BCM Program
Gathering key success factors
Establishing the governance model
Establishing the BCM organizational unit
Organizations with a regional or international presence

Chapter 3: Running the BCM Life Cycle
Running the BCM life cycle for the first time
Business impact analysis
Risk and threat assessment
Strategies and risk treatment plans
Planning and implementation
Awareness and training
Testing
Rerunning the cycle

Chapter 4: BCM Standards
ISO22301 societal security – preparedness and continuity management systems – requirements
ASIS SPC.1-2009 organizational resilience: security, preparedness, and continuity management systems requirements with guidance for use

Chapter 5: Technology Continuity
IT disaster recovery and readiness for business continuity (ITDR and IRBC)
Technology continuity sites
Technology continuity outside IT

Chapter 6: Technology Continuity Standards
ISO/IEC 27031 information technology – security techniques – guidelines for information and communication technology readiness for business continuity (IRBC)
ISO/IEC 24762:2008 information technology – security techniques – guidelines for information and communications technology disaster recovery sites

Chapter 7: Facilities Management and Physical Security
Facilities management
Physical security preparations
Environmental setups and preparations

Chapter 8: Evacuation Plans
Features of an effective evacuation plan
Evacuation plan development
Communicating the plans
Training and testing

Chapter 9: People and BCM
The importance of people
Succession planning

Chapter 10: BCM Software
The need for BCM software
Role of BCM software within the BCM life cycle
Features of effective BCM software
Deploying BCM software

Appendix 1: BCM Policy
Objective
Policy statement
Policy ownership and maintenance
Disaster definition
Policy guidelines

Appendix 2: BIA Questionnaire
Purpose
Questionnaire contacts
Terminology
Understanding your processes – general process information
Understanding your processes – internal and external dependencies
Understanding your processes – impacts and criticality
Identifying RTO, season, and RPO
Understanding your processes – IT and resource requirements
Succession planning – identification of human resources
Assets required during disaster – identification of recovery resources

Appendix 3: BIA Report
Executive summary
Abbreviations and acronyms
Introduction
Scope
Approach
Assumptions
Consolidated results
Observations
Recommendations

Appendix 4: Risk Assessment Questionnaire

Appendix 5: Risk Assessment Report
Introduction
Objectives
Approach
Summary of results
Detailed risk information
Risk treatment plan

Appendix 6: BCM Strategy Report
Executive summary
Introduction
Key inputs for developing the business continuity strategy
Objectives of the business continuity strategy
Methodology
Overview of the preferred/recommended business continuity strategy for the organization
Business continuity strategy – crisis management
Business continuity strategy – processes
Business continuity strategy – technology
Business continuity strategy – data and information
Business continuity strategy – supplies
Business continuity strategy – people
Business continuity strategy – facilities and premises
Business continuity strategy – business continuity management
Implementation and ownership

Appendix 7: BCM Plan
Scope
Objective
Team leader contact details and responsibilities
Team member details
Activities to be performed immediately after a disaster
Activities to be performed during disaster recovery
Relevant locations
Processes to be performed if IT systems are available
Processes to be performed if IT systems are not available
Resource requirements
List of documents/manuals to be stored off site
Contact list
Vendor list
Sample press release
Handling a media interview

Appendix 8: ITDR Plan
Scope
Objective
Team structure
Activities to be performed immediately after a disaster
Activities to be performed during disaster recovery
Relevant locations
Disaster declaration matrix
Recovery procedures
List of documents/manuals to be stored off site
Contact list
Vendor list

Appendix 9: Evacuation Plan
Description of building
Map containing building and assembly point(s)
Floor layouts
Handling fire emergencies
Roles and responsibilities
Important emergency numbers
Employees’ emergency contact information

Appendix 10: Test Plans and Forms
Scope
Objectives
Test frequency
Test types
The test process and mechanism
Tests calendar
Detailed test plan
Test preparation form
Test assessment form

ITG Resources

CHAPTER 1: INTRODUCTION

What is business continuity management?

The world is now witnessing continuous advancement and progress in all aspects of life. The formation of the global economy and the global supply chain are among the characteristics of this era and part of our modern lives. For such advancement and progress to continue and bear fruit, the world needs adequate stability and careful planning to achieve prosperity.

Unfortunately, things do not always go as smoothly as we expect. Being inherent in people’s presence and activities, failures, incidents, risks, disasters, and crises are taking place more and more across the world. With the close interconnection between economies and people, the results of disasters and crises quickly cross borders, creating an almost global impact. Other people’s problems are no longer just their problems; they could also be ours.

In the last few years, disasters have dramatically increased in frequency, impact, and complexity. In a shocking and saddening news release, the United Nations described 2010 as one of the deadliest years in two decades.¹ During 2010, 273 natural disasters caused a death toll of almost 300,000 people. In addition, these disasters affected the lives of almost 200 million people, and the financial impact reached US$110 billion. Two of the worst were the earthquakes that hit Chile and Haiti, the latter being the worst, with a death toll of almost 200,000 and financial losses of US$8 billion.²

The UN numbers cover natural disasters, over which people have little or no control. Other disasters result from human activities, or from failures in them. In 2010, a failure at a British Petroleum (BP) petroleum facility in the Gulf of Mexico caused millions of barrels of oil to spill, with severe environmental, economic, and humanitarian impacts. The incident, caused by human and process failures, cost BP almost US$7.1 billion in claims submitted by affected parties, governmental and private, in relation to the disaster.³

What makes us extra sensitive to disasters is the financial crisis we have been living through in these years, with budgets shrinking and revenues decreasing. Disasters at such bad times hit harder and have more fundamental effects on many levels. They also take considerably longer to recover from than in easier times.

One ever-challenging aspect of disasters is the continuous change in their causes, triggers, and impacts. While this has always been the case, they now change faster and more dramatically. What was considered extreme a few years ago is now looked on as a normal baseline for measurement. In addition to natural disasters, wars, acts of terror, and technology failures, organizations are also threatened by new risks related to public health and pandemics, supply chain interruptions, and reputational risks arising from the new social media and the citizen-journalist concept. As everyone can see and feel, our world is not becoming any safer, and organizations need protection schemes that provide proper protection from existing and new threats, together with effective measures to manage them.

What should we do? There is no way to eliminate risks and disasters, and there never will be. But there is something we can do about them: we may not be able to eliminate them, but we are definitely capable of mitigating them.

The core of the mitigation process is to understand the threats and risks and how they affect the organization and its assets. These threats and risks come from many sources, internal and external. The organization’s capability to perform this process follows a learning curve: the more often it is done properly, the better it gets. The more the organization understands its risks and threats, the more effective and sufficient its mitigation and protection become.

Once the risks and threats are understood, proactive procedures and measures should be put in place to mitigate them. The idea behind proactive measures is to keep the probability of the threats and risks occurring as low as possible and, even if they do occur, to lower their impacts to minimal levels that do not reach the level of a disaster. If disasters do occur, there should be proper responses – plans and arrangements – to handle the events effectively and control their results for minimal impact and effect.

Business continuity management provides an organization with the frameworks and implementations needed to define risks and threats to its assets and operations and to devise strategies and plans to manage them in acceptable ways. The ISO22301 Standard defines BCM as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Figure 1: BCM evolution

We will now shed some light on the history of BCM. What started as a practice within the information technology (IT) field, to manage the implications of systems’ failures, became an evolving practice within organizations across the globe to manage the implications of failures affecting all aspects of the organization, including IT. Through continuous evolution, BCM has moved from reacting to disasters to being proactively involved in the strategic and operational management of threats and their consequences for the organization. Today, BCM does not only give an organization the capability to recover from failures; it creates enhanced levels of resilience to smaller incidents that could develop into disasters. BCM has also moved from being considered an isolated project to being counted as an ongoing program that serves the organization as long as it exists.

Figure 2: Main features of BCM

Throughout this book we will highlight the various components of BCM programs. BCM programs are unique to an organization, yet one can identify shared or common components that exist in almost all BCM programs, regardless of geographical region or industry. We will discover how to set up a BCM program and how to go through the BCM life cycle. There will
