Business Continuity Management: Choosing to Survive
About this ebook
Business Continuity Management: Choosing to survive shows you how to systematically prepare your business, not only for the unthinkable, but also for smaller incidents which, if left unattended, could well lead to major disasters. A business continuity management (BCM) program is critical for every business today, and this book will enable you to develop and implement yours to maximum effect.
Business Continuity Management
Choosing to survive
ABDULLAH AL HOUR, MBCI
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader's own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Abdullah Al Hour 2012
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2012
by IT Governance Publishing.
ISBN 978-1-84928-300-7
PREFACE
The last few years have not been an easy time for the world. Major events have been shocking everywhere, causing severe impacts and consequences. The H1N1 outbreak, earthquakes in Chile and Haiti, and BP’s oil spill in the Gulf of Mexico are living proof of the damage that nature and humans can do. Risks and threats to our societies, businesses, and people have also been increasing, in both quantity and quality. Threats to cyber security, supply chain interruptions, and extreme climatic changes are examples of these.
The effects of these major events and disasters derive partly from our faulty mindset towards understanding and dealing with them. Hoping that nothing bad will happen because it has not happened before is the first thing we need to change. Looking at the world around us, is it the same as it was one year, or even six months, ago? Being in reactive mode and telling ourselves that we can survive by fire-fighting a disaster when it happens is definitely a losing gamble. We can make it through disasters and major events by proactively addressing the risks and being in a ready state. Being proactive should not be done in an ad-hoc manner. It should follow a systematic and comprehensive approach, covering all the details within the big picture.
Business continuity management (BCM) provides organizations with the effective methods needed to protect them from the impacts and consequences of major incidents or disasters through structured and controlled programs. Proper and effective BCM programs can put organizations in the driving seat and let them control their courses of action by proactively detecting and managing the risks and threats that can lead to disasters. Equally, they keep the organization in a ready state to react to disasters and mitigate their impacts and losses.
BCM is not rocket science. It’s a scientific, logical, and practical methodology that can be customized and enhanced. Now, with the existence of globally accepted standards, BCM programs enjoy common sets of specifications that can be translated into practical implementations and tangible results. Adopting BCM is not an option; it’s a survival decision and is the right step towards protecting an organization.
This book aims to provide a clear, yet strong, introduction to the world of BCM. It builds on internationally recognized standards and best practices such as ISO22301 (societal security) and ISO27031 (ICT readiness for business continuity, IRBC). What we will see within this book is the result of an extensive journey with BCM that has not come to an end. The two main features that are noticeable here are comprehensiveness without overloading the subject, and practicality without underestimating it.
ABOUT THE AUTHOR
During eight years of deep and daily involvement and practical experience, the author has been responsible for designing, starting, implementing, and maintaining BCM programs in the financial and telecom sectors across different geographical regions. Such experience has been actively supported by comprehensive skills and knowledge in risk management, strategy setting and implementation, and project management. Having held ITDR and BCM leadership positions in IT and risk management areas, the author genuinely understands the complications and dynamics of the interaction between the technical and non-technical sides of BCM. The author is the business continuity manager at a leading financial group. He is a Member of the Business Continuity Institute (MBCI) and was a speaker at the BCM World 2011 and 2012 conferences.
ACKNOWLEDGEMENTS
I find myself very thankful and grateful to my wife, Raeda, for believing in me and for being extremely patient, appreciative, and supportive during the journey of writing this book.
I also would like to thank all of those who have accompanied me in my professional life and still inspire me every day with their knowledge, wisdom, and insight.
Thanks are extended to the following for their helpful reviews of the manuscript: ir. HL (Maarten) Souw RE, IT auditor, UWV; John Kyriazoglou CICA, MS, BA, International IT and Management Consultant, and Howard Pierpont MBCI, CBM and CBCP, Chairman of the Board of Directors of the Disaster Preparedness and Emergency Response Association www.disasters.org.
Permission to reproduce extracts from the ISO27031 Standard is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, e-mail: cservices@bsigroup.com.
CONTENTS
Chapter 1: Introduction
What is business continuity management?
Benefits of effective BCM programs
Emerging risk and threat topologies
BCM and risk management
BCM and compliance
BCM and insurance
Chapter 2: Setting up the BCM Program
Gathering key success factors
Establishing the governance model
Establishing the BCM organizational unit
Organizations with a regional or international presence
Chapter 3: Running the BCM Life Cycle
Running the BCM life cycle for the first time
Business impact analysis
Risk and threat assessment
Strategies and risk treatment plans
Planning and implementation
Awareness and training
Testing
Rerunning the cycle
Chapter 4: BCM Standards
ISO22301 societal security – preparedness and continuity management systems – requirements
ASIS SPC.1-2009 organizational resilience: security, preparedness, and continuity management systems requirements with guidance for use
Chapter 5: Technology Continuity
IT disaster recovery and readiness for business continuity (ITDR and IRBC)
Technology continuity sites
Technology continuity outside IT
Chapter 6: Technology Continuity Standards
ISO/IEC 27031 information technology – security techniques – guidelines for information and communication technology readiness for business continuity (IRBC)
ISO/IEC 24762:2008 information technology – security techniques – guidelines for information and communications technology disaster recovery sites
Chapter 7: Facilities Management and Physical Security
Facilities management
Physical security preparations
Environmental setups and preparations
Chapter 8: Evacuation Plans
Features of an effective evacuation plan
Evacuation plan development
Communicating the plans
Training and testing
Chapter 9: People and BCM
The importance of people
Succession planning
Chapter 10: BCM Software
The need for BCM software
Role of BCM software within the BCM life cycle
Features of effective BCM software
Deploying BCM software
Appendix 1: BCM Policy
Objective
Policy statement
Policy ownership and maintenance
Disaster definition
Policy guidelines
Appendix 2: BIA Questionnaire
Purpose
Questionnaire contacts
Terminology
Understanding your processes – general process information
Understanding your processes – internal and external dependencies
Understanding your processes – impacts and criticality
Identifying RTO, season, and RPO
Understanding your processes – IT and resource requirements
Succession planning – identification of human resources
Assets required during disaster – identification of recovery resources
Appendix 3: BIA Report
Executive summary
Abbreviations and acronyms
Introduction
Scope
Approach
Assumptions
Consolidated results
Observations
Recommendations
Appendix 4: Risk Assessment Questionnaire
Appendix 5: Risk Assessment Report
Introduction
Objectives
Approach
Summary of results
Detailed risk information
Risk treatment plan
Appendix 6: BCM Strategy Report
Executive summary
Introduction
Key inputs for developing the business continuity strategy
Objectives of the business continuity strategy
Methodology
Overview of the preferred/recommended business continuity strategy for the organization
Business continuity strategy – crisis management
Business continuity strategy – processes
Business continuity strategy – technology
Business continuity strategy – data and information
Business continuity strategy – supplies
Business continuity strategy – people
Business continuity strategy – facilities and premises
Business continuity strategy – business continuity management
Implementation and ownership
Appendix 7: BCM Plan
Scope
Objective
Team leader contact details and responsibilities
Team member details
Activities to be performed immediately after a disaster
Activities to be performed during disaster recovery
Relevant locations
Processes to be performed if IT systems are available
Processes to be performed if IT systems are not available
Resource requirements
List of documents/manuals to be stored off site
Contact list
Vendor list
Sample press release
Handling a media interview
Appendix 8: ITDR Plan
Scope
Objective
Team structure
Activities to be performed immediately after a disaster
Activities to be performed during disaster recovery
Relevant locations
Disaster declaration matrix
Recovery procedures
List of documents/manuals to be stored off site
Contact list
Vendor list
Appendix 9: Evacuation Plan
Description of building
Map containing building and assembly point(s)
Floor layouts
Handling fire emergencies
Roles and responsibilities
Important emergency numbers
Employees’ emergency contact information
Appendix 10: Test Plans and Forms
Scope
Objectives
Test frequency
Test types
The test process and mechanism
Tests calendar
Detailed test plan
Test preparation form
Test assessment form
ITG Resources
CHAPTER 1: INTRODUCTION
What is business continuity management?
The world is now witnessing continuous advancement and progress in all aspects of life. The formation of the global economy and the global supply chain is among the characteristics of this era as well as part of our modern lives. In order for such advancement and progress to continue and be fruitful, the world needs to provide adequate stability as well as careful planning to achieve prosperity.
Unfortunately, things do not always go as smoothly as we expect them to. Failures, incidents, risks, disasters, and crises are inherent to people's presence and activities, and they are taking place more and more across the world. With the close interconnection between economies and people, the results of disasters and crises quickly cross borders, creating an almost global impact. Other people's problems are no longer just their problems. They could also be ours.
In the last few years, disasters have dramatically increased in frequency, impact, and complexity. In a shocking and saddening news release, the United Nations described 2010 as one of the deadliest years in two decades.¹ During 2010, 273 natural disasters caused a death toll of almost 300,000 people. In addition, these disasters affected the lives of almost 200 million people and the financial impact reached US$110 billion. Two of the worst were the earthquakes that hit Chile and Haiti, with the latter being the worst as its death toll reached almost 200,000, with financial losses of US$8 billion.²
The UN numbers were based on natural disasters, over which people have little or no control. Other disasters result from human activities or failures in human activities. In 2010, a failure on a petroleum facility operated by British Petroleum (BP) in the Gulf of Mexico caused millions of barrels of oil to spill out, causing severe environmental, economic, and humanitarian impacts. The incident, which was caused by human and process failures, cost BP almost US$7.1 billion in claims submitted by affected parties, governmental and private, in relation to the disaster.³
What makes us extra sensitive to disasters is the financial crisis that we have been living through during these years, with budgets shrinking and revenues decreasing. Disasters at such bad times hit harder and have more fundamental effects on many levels. They also take considerably longer to recover from than in times of easier conditions.
One ever-challenging aspect of disasters is the continuous change in their causes, triggers, and impacts. While this has always been the case, they now change faster and at a more dramatic pace. What was considered extreme a few years ago is now looked on as a normal baseline for measurement. In addition to natural disasters, wars, acts of terror, and technology failures, organizations are also threatened by new risks related to public health and pandemics, supply chain interruptions, and reputational risks resulting from the new social media and the citizen-journalist concept. As everyone can see and feel, our world is not becoming any safer, and organizations need protection schemes that provide proper protection from existing and new threats, together with effective measures to manage them.
What should we do? There is definitely no way to eliminate risks and disasters, and there never will be. But there is something that we can do about them. We may not be able to eliminate them, but we are definitely capable of mitigation.
The core of the mitigation process is to understand the threats and risks and how they affect the organization and its assets. These threats and risks come from many sources, internal and external. The capability of the organization to perform this process follows a learning curve; it improves the more often the process is done properly. The more the organization understands its risks and threats, the more effective and sufficient the mitigation and protection become.
Once the risks and threats are understood, proactive procedures and measures should be put in place to mitigate them. The idea behind proactive measures is to keep the probabilities of the threats and risks occurring as low as possible. Even if they occur, the impacts are also lowered to minimal levels that do not reach the level of a disaster. If disasters do occur, there should be proper responses, in the form of plans and arrangements, to effectively handle the events and control their results for minimal impact and effect.
Business continuity management provides an organization with the necessary frameworks and implementations that can help define risks and threats to the assets and operations of the organization and devise strategies and plans to manage them in acceptable ways. The ISO22301 Standard defines BCM as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.
Figure 1: BCM evolution
We will now shed some light on the history of BCM. What started as a practice within the information technology (IT) field to manage the implications of systems' failures became an evolving practice within organizations across the globe to manage the implications of failures affecting all aspects of the organization, including IT. Through continuous evolution, BCM has moved from reacting to disasters to being proactively involved in the strategic and operational management of threats and their consequences for the organization. Today, BCM does not only provide an organization with the capability to recover from failures; it also creates enhanced levels of resilience to smaller incidents that could develop into disasters. BCM has also moved from being considered an isolated project to being counted as an ongoing program that serves the organization for as long as it exists.
Figure 2: Main features of BCM
Throughout this book we will be highlighting the various components of BCM programs. BCM programs are unique to an organization, yet one can identify shared or common components that exist in almost all BCM programs, regardless of the geographical region or the industry. We will discover how to set up a BCM program and how to go through the BCM life cycle. There will