Business Continuity and Risk Management: Essentials of Organizational Resilience
About this ebook
Written by Scribd Editors
There are many career possibilities in the fields of business continuity and risk management. To prepare students for these careers, Kurt J. Engemann and Douglas M. Henderson created a comprehensive textbook called Business Continuity and Risk Management: Essentials of Organizational Resilience.
The authors of this textbook have years of experience within the field. Using clear and concise language, they explain the basic concepts and main ideas in a way that students can easily grasp and apply.
Chapters in this book include:
- Fundamentals of Business Continuity Management
- Business Continuity Management Organization
- Business Impact Analysis
- Risk Assessment
- Strategy Development
- And so much more
Business Continuity and Risk Management is a state-of-the-art textbook that includes extensive downloadable instructor resources. Enjoy development training, slides, syllabi, a test bank, discussion questions, and case studies. With this comprehensive textbook, your students have the foundation they need to pursue a wide variety of careers within the fields of business continuity and risk management.
Kurt J. Engemann
Kurt J. Engemann is the Director of the Center for Business Continuity and Risk Management and Professor of Information Systems in the Hagan School of Business at Iona College. He has consulted professionally over the past thirty years in the area of risk management decision modeling for major organizations and has been instrumental in the development and implementation of comprehensive business continuity management programs. Dr. Engemann is a Certified Business Continuity Professional (CBCP) with the Disaster Recovery Institute International. Professor Engemann is the editor-in-chief of the International Journal of Business Continuity and Risk Management and the International Journal of Technology, Policy and Management. He teaches courses in the areas of Business Continuity and Risk Management, Systems Analysis and Design, Operations Management, Statistics and Decision Analysis. He has a PhD in Operations Research from New York University and has published extensively in the area of risk management and decision modeling. Professionals from a number of Wall Street banking firms and Fortune 500 companies attend his graduate courses in business continuity and risk management.
Book preview
Business Continuity and Risk Management:
Essentials of Organizational Resilience
By
Kurt J. Engemann, PhD, CBCP
Douglas M. Henderson, FSA, CBCP
ISBN 9781931332545 (Softback)
ISBN 9781931332736 (PDF)
ISBN 9781931332897 (EPUB)
Rothstein Associates Inc., Publisher
Brookfield, Connecticut USA
www.rothstein.com
Business Survival™ Weblog: Business Continuity for Key Decision-Makers from Rothstein Associates at www.rothstein.com/blog
Copyright © 2012, by Kurt J. Engemann and Douglas M. Henderson
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.
No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.
Library of Congress Control Number (LCCN) 2011933801
PUBLISHER:
Philip Jan Rothstein, FBCI
Rothstein Associates Inc.
The Rothstein Catalog on Disaster Recovery
4 Arapaho Rd.
Brookfield, Connecticut 06804-3104 USA
203.740.7444
203.740.7401 fax
info@rothstein.com
www.rothstein.com
Foreword
As a business continuity professional serving New York’s Wall Street firms, I have been an active part of how the profession has evolved. Not that long ago, business continuity was viewed as an afterthought by many organizations - a form to complete and a box to check off. The defining moment, however, for me and many senior managers now leading business resiliency and risk programs in major corporations - as well as our firms’ senior leaders - was the crucible of the World Trade Center disaster – September 11th. This unimagined tragedy of unimaginable proportions taught us that no threat is impossible. Planning and preparation for both the possible and impossible, we learned, are essential for any organization.
Many of us learned business continuity and risk management by doing it, strengthened along the way by a growing international body of experience and knowledge drawn from practitioners and academicians. Kurt Engemann and Douglas Henderson have made a fundamental contribution with their focus on resiliency issues. In an open source format, they have assembled a core curriculum spanning a discipline that traditionally took major portions of a career to experience and understand. A blend of theory, common sense, best practice and cases, this versatile textbook provides a structured learning tool and encyclopedic reference guide for business continuity and risk management students, teachers, practitioners, and executives.
One of my favorite chapters focuses on awareness and exercises. In March 2001, at the Wall Street firm where I headed Business Continuity at the time, we completed a major disaster recovery exercise for a scenario covering the complete loss of our primary data center near the World Trade Center. This scenario and much worse was realized six months later. On that day our preparation and exercises rewarded us with the restoration of key information processing capabilities at a backup location in just over two hours. Through resilient operations and people, these efforts played a key role in helping restore basic functionality to the markets and the financial services industry affected by 9-11.
No one can foresee the future. But I believe that this can be no excuse for lack of preparation, management support or exercises that improve awareness and continuously sharpen our organizational and technical response to adversity. We repeatedly experience the unimaginable - whether Mumbai terror attacks, tornado clusters, earthquakes or tsunamis. Crises will continue to arise, as will our need to understand and practice the essentials of organizational resilience.
Roseann McSorley
Managing Director
Global Business Resiliency Head
JPMorgan Chase & Co.
New York City
Note: The writer is not necessarily representing the views or opinions of JPMorgan Chase & Co.
Foreword
Business Continuity Management has been around for the best part of 30 years through its antecedents in Disaster Recovery and Emergency Preparedness. Arguably Risk Management has an even longer pedigree given its evolution from insurance and loss control. Together they form the backbone of how a business or public body protects itself from threats and hazards of all types.
Given their importance in an increasingly risky world and their relative maturity as business disciplines, it is strange that little has been done to structure the subject in a way that is accessible to students and the wider academic community. Most relevant books and professional journals are targeted at either the professional practitioner or those with general interest in the topic. What has been missing is a college core textbook that covers the basic body of knowledge for aspiring students wishing to gain academic qualifications en route to a professional career in Business Continuity or Risk Management.
This new book by Kurt Engemann and Douglas Henderson does much to redress this deficiency in our arsenal of published literature. Written at a level which is very comprehensive but still easily readable it provides a route-map through the terminologies, methodologies and philosophies of the subject. It is impossible to define the subject matter as precisely as many would like; there are many sources of good practice and national standards circulating globally and many competing views about what constitutes best practice. There are even many debates about the intrinsic nature of BCM and Risk. Are they really about Regulation and Compliance or are they about the improvement of Organizational Resilience? Some might argue they are about both.
Given these still unanswered questions, Engemann and Henderson have given us a fair picture of the state of the art and one in which most subject matter experts could feel reasonably comfortable. They have combined the formal coverage of traditional topics like Business Impact Analysis and Strategy Development with some strong content particularly suitable to those set on a career in Risk Management. Their treatment of Risk Modeling as a specialized area in the book is challenging and interesting. Although not all will want to delve too deeply into the theoretical basis for such techniques, the Chapter on Probability and Statistics makes enlightening reading for those who do.
Alternatively, for those of a more practical bent, the range of case studies included is informative and provides ample evidence of the value and importance of the topics covered and their application. As Technical Director at the Business Continuity Institute, one of my specific duties is to encourage the inclusion of BCM as a serious topic in graduate and masters business programs. I believe this book will form a cornerstone of many such programs and I look forward to it facilitating the discussions I plan to have with many academic bodies in the coming months and years. The Business Continuity Institute welcomes this book and wishes the authors well in their efforts to engage with both the business and academic communities in a language that both will understand.
Lyndon Bird, FBCI
Technical Director and Board Member
The Business Continuity Institute
Foreword
Businesses can be interrupted and destroyed by a number of threats – manmade and natural. Engemann and Henderson have done something about it with this book. For years, Business Continuity Planning Professionals have passionately attempted to address these issues, often working with knowledge gained from years of experience, trials, failures and limited resources.
Kurt Engemann and Doug Henderson decided to actively recruit talented learners into the field through their research, experience with real clients, writing and the graduate certificate program at Iona College. In this book, they provide the facts and examples on which decisions should be made, not knee-jerk reactions to crises, but researched, professional practices that produce informed decisions prior to, during and following a business interruption or crisis. The book cements the notion that BCP professionals will achieve greater success if they collaborate with external resources.
The integration of NIMS and ICS into the private sector has been the hallmark of my professional practice, and Engemann and Henderson endorse this practice.
This is a book that will inform the novice, support the expert and enhance every business continuity planner’s efforts to create a resilient organization. The book is well organized as an instructional tool, a reference guide, and as a toolkit for practitioners. The outlines provided in the Appendices are worth the price of the book. Students at both the undergraduate and graduate levels will find what they need to build a strong foundation for business resiliency, regardless of the nature of the business career they seek.
Adult learners, and those already BCP practitioners, will find solid support and proven practices to enhance and improve their work. Most of all, an executive, a student, or a practitioner who absorbs the content of this book will be better prepared to function in a field where preparedness is absolutely essential. This book will serve you well in your education and practice.
Dr. Thomas D. Phelan
Program Director
Emergency and Disaster Management and Fire Science
American Public University System
Brief Contents
Copyright
Forewords
Preface
About the Authors
Chapter I: Fundamentals of Business Continuity Management
Chapter II: Business Continuity Management Organization
Chapter III: Business Impact Analysis
Chapter IV: Risk Assessment
Chapter V: Strategy Development
Chapter VI: Disaster Recovery for Information Technology
Chapter VII: Information Systems Security
Chapter VIII: Emergency Response
Chapter IX: Enhancing Coordination with External Agencies
Chapter X: Business Continuity Plan
Chapter XI: Crisis Communication
Chapter XII: Crisis Information Management Systems
Chapter XIII: Sustaining Organizational Resilience
Chapter XIV: Fundamentals of Probability and Statistics
Chapter XV: Statistical Applications in Risk Management
Chapter XVI: Simulation Modeling and Supply Chain Risk
Chapter XVII: Risk and Decision Modeling
Case Study A: Alpha Investment Services
Case Study B: Beta Widget Makers
Case Study C: Supply Chain Analysis
Case Study D: Sample Risk Assessment
Case Study E: Phased Pre-Positioning of Employees
Case Study F: Tabletop Exercise
Glossary
Appendices
Index
Table of Contents
Copyright
Forewords
Preface
About the Authors
Section I: Development
Chapter I: Fundamentals of Business Continuity Management
Objectives
Business Continuity and Risk Management
BCM Responsibility
BCM Development Process
Project Management
Professional Standards
Professional Terminology
Information Technology and Business Continuity
Green BCM
Review Topics
Case Studies
Bibliography
Chapter II: Business Continuity Management Organization
Objectives
Overview of BCM Organization
Key BCM Individuals and Groups
Review Topics
Case Studies
Bibliography
Chapter III: Business Impact Analysis
Objectives
Organization Objectives and Business Impact Analysis
Recovery Time Objective
Recovery Point Objective
Operations
Interdependencies
Single-Point-of-Failure
Support Infrastructure and Physical Environment Requirements
BIA Provides Direction for BCM
Review Topics
Case Studies
Bibliography
Chapter IV: Risk Assessment
Objectives
Risk
Threat Identification
Controls Identification and Evaluation
Event Probability Estimation
Impact Estimation
Risk Measure Evaluation and Risk Prioritization
Risk Treatment
Review Topics
Case Studies
Bibliography
Chapter V: Strategy Development
Objectives
Developing Strategies
Selecting Strategies
Specific Strategies
Implementing Strategies
Review Topics
Case Studies
Bibliography
Chapter VI: Disaster Recovery for Information Technology
Objectives
Overview of Disaster Recovery Planning
IT Alternate Site
IT Alternate Site Provider
IT Alternate Site Location
Data Center Controls
Data Center Recovery
Information Management
Information Security
Review Topics
Case Studies
Bibliography
Chapter VII: Information Systems Security
Objectives
The Control Environment
Information Systems Auditing Considerations
Information Technology and Security Considerations
Conclusion
Review Topics
Bibliography
Section II: Implementation
Chapter VIII: Emergency Response
Objectives
Emergency Response Overview
Pre-Crisis Activities
Actions during the Pre-Strike Phase
Actions during the Strike Phase
Interfacing with Civil Authorities
Review Topics
Case Studies
Bibliography
Chapter IX: Enhancing Coordination with External Agencies
Objectives
External Relations Overview
External Relations throughout the Four Phases: Overview
Opportunities to Develop Relationships in the Mitigation and Preparedness Phases
External Relations throughout the Four Phases
State and Local Government Agencies
Non-Government Organizations (NGOs)
Review Topics
Bibliography
Chapter X: Business Continuity Plan
Objectives
Business Continuity Plan Overview
BCP Objectives
Organization
Requirements
Strategies
Activation
Actions
Communication
Maintenance
Review Topics
Case Studies
Bibliography
Chapter XI: Crisis Communication
Objectives
Crisis Communication Overview
Crisis Communication Team
Media Communication
Systems and Equipment – Key Features
Systems and Equipment – Evaluation
Crisis Communication Procedures and Protocols
Review Topics
Case Studies
Bibliography
Chapter XII: Crisis Information Management Systems
Objectives
Systems for Crisis Information Management
Information Management during Crisis
How Information Technology is Used
Social Media In Crisis Communications
Institutional Initiatives
Review Topics
Bibliography
Section III: Maintenance
Chapter XIII: Sustaining Organizational Resilience
Objectives
Making BCM Effective
Awareness and Training
Testing and Exercising
Maintaining and Updating
Review Topics
Case Studies
Bibliography
Section IV: Risk Modeling
Chapter XIV: Fundamentals of Probability and Statistics
Objectives
Fundamentals of Probability and Statistics
Graphical Presentation of Data
Stem and Leaf Plot
Frequency Distributions
Measures of Central Tendency
Measures of Dispersion
Basic Probability Concepts
Discrete Probability Distributions
Continuous Probability Distributions
Review Topics
Bibliography
Chapter XV: Statistical Applications in Risk Management
Objectives
Forecasting Techniques
Regression Analysis
Maintenance Modeling
Reliability Modeling
Review Topics
Bibliography
Chapter XVI: Simulation Modeling and Supply Chain Risk
Objectives
Introduction
Case 1: Supply Chain Analysis
Case 2: A Three Tier Supply Chain
Conclusions
Review Topics
Bibliography
Chapter XVII: Risk and Decision Modeling
Objectives
Introduction
Decision Making Environments
Decision Making under Certainty
Decision Making under Risk
Decision Making under Uncertainty
Other Decision Making Models under Uncertainty
Recent Approaches
Other Decision Making Models
Dealing with Imprecise Information
Decision Making under Uncertainty and Imprecise Information
Review Topics
Bibliography
Section V: Case Studies
Case Study A: Alpha Investment Services
Operations
Resource Requirements
Information Technology
Revised Recovery Time Objectives
Crisis Communication
Case Study B: Beta Widget Makers
Operations
Resource Requirements
Information Technology
Revised Recovery Time Objectives
Crisis Communication
Case Study C: Supply Chain Analysis
Supply Chain Analysis
Case Study Questions
Bibliography
Case Study D: Sample Risk Assessment
Introduction
Risk Analysis
Risk Assessment Illustration
Probability
Expected Disruption
Impact
Risk Evaluation
Review Topics
Bibliography
Case Study E: Phased Pre-Positioning of Employees
Objectives
Employee Release Groups
Plan of Action
Review Topics
Bibliography
Case Study F: Tabletop Exercise
Tabletop Exercise Overview
Alpha Investment Services Tabletop Exercise
Beta Widget Makers Tabletop Exercise
Section VI: Additional Information
Glossary
Appendices
Appendix A: Organizational Functions
Appendix B: Disaster Assistance Plan
Appendix C: Building Fortification
Appendix D: Pandemic Outbreak Planning and Response
Appendix E: Emergency Operations Center (EOC)
Appendix F: Evacuation Procedures
Appendix G: Shelter-in-Place Procedures
Appendix H: Hurricane Preparation Steps
Appendix I: Tornado Preparation Steps
Appendix J: Severe Winter Storm Preparation Steps
Appendix K: DHS Advisory Code System
Appendix L: Assigning Actions by Department
Appendix M: National Weather Service Terms
Appendix N: Seismic Terms
Index
Preface
Objective
The viability of an organization can be seriously challenged by a disaster. Numerous recent events have focused attention on the need to be prepared for such events. The objective of this text is to provide a comprehensive study of the critical field of business continuity and risk management with particular emphasis on decision making using a holistic approach. The coverage of the book is derived from the growing body of knowledge of practical methods, experiences and research to lead an organization in the process of systematic decisions to protect people, the environment, assets and operations from disastrous events.
Because business continuity and risk management often deals with events that are improbable, analyzing these risks is challenging. Risks come in many varieties, and there is a growing concern and associated effort for organizations to respond to the challenge. Organizational resiliency can be accomplished through an effective program in business continuity and risk management based on an understanding of risk methodologies and technologies.
This book can serve as a primary text in an undergraduate or graduate level course that focuses on business continuity and risk management or as a supplemental text in a closely related field. Business students majoring in any concentration, including operations, information systems, management science, finance, accounting, marketing, human resources, management and international business will find the material both interesting and useful. In addition, emergency management students and management engineering students will also find this book very valuable.
A wide range of educational and training needs are addressed by the book. In addition to being a text for college courses, this book is also intended for use in professional training programs and as a self-study manual.
Contents
The main portion of the book is divided into the sections entitled: Development, Implementation, Maintenance, and Risk Modeling.
Section I: Development
Chapter I: Fundamentals of Business Continuity Management overviews the essential components of business continuity and risk management.
Chapter II: Business Continuity Management Organization analyzes the organizational structure that needs to be in place to effectively prepare for, respond to and recover from a crisis event.
Chapter III: Business Impact Analysis determines the importance of the organization’s activities by assessing the impact over time of their interruption and establishes continuity and recovery objectives.
Chapter IV: Risk Assessment examines threats and prioritizes planning by assessing the likelihood of events and their potential impact on critical functions.
Chapter V: Strategy Development examines strategy identification, selection and implementation necessary for an organization to effectively respond to a crisis event.
Chapter VI: Disaster Recovery for Information Technology examines alternate site selection, data center controls, information management procedures and information technology principles to provide continuation and recovery of the systems and communication capabilities of an organization.
Chapter VII: Information Systems Security reviews security controls and auditing considerations and applies these concepts to various information technology applications.
Section II: Implementation
Chapter VIII: Emergency Response defines the immediate actions taken during a crisis event with the prioritized objectives of life-safety, environmental protection and asset protection.
Chapter IX: Enhancing Coordination with External Agencies examines how an organization should interface with external agencies during disaster mitigation, preparation, response and recovery phases.
Chapter X: Business Continuity Plan discusses the central plan documentation that defines continuity and recovery procedures for crisis events.
Chapter XI: Crisis Communication investigates the importance of emergency communication, media communication plus the devices and systems used to conduct crisis communication.
Chapter XII: Crisis Information Management Systems reviews the role that information systems play in the process of managing emergency information before, during and after an event.
Section III: Maintenance
Chapter XIII: Sustaining Organizational Resilience discusses the importance of awareness and training, testing and exercising, and maintaining and updating to ensure that plans remain operable and current.
Section IV: Risk Modeling
Chapter XIV: Fundamentals of Probability and Statistics develops a foundation in probability and statistics that is very useful in business continuity and risk management.
Chapter XV: Statistical Applications in Risk Management explores forecasting techniques, regression analysis and reliability modeling.
Chapter XVI: Simulation Modeling and Supply Chain Risk examines simulation modeling in business continuity and risk management with application to supply chain analysis.
Chapter XVII: Risk and Decision Modeling examines decision making techniques under risk and uncertainty.
Case Studies and Discussion Topics
Several case studies are incorporated in the book to provide a practical application of the material. The case studies are designed to enhance the connection between business continuity and risk management concepts and practical applications. Two of these case studies are examined throughout the book, providing a comprehensive view of business continuity management.
In addition to the case studies, review topics are presented at the end of each chapter. These review topics examine the primary subjects covered in the chapter. There are also discussions embedded within the text of several chapters that relate business continuity principles to practical application.
Application
This book is designed to be used in a variety of courses and its modular design allows for the inclusion of topics based upon the objective of each course.
Sections I, II and III comprise the core material for an introductory course focusing on the basics of business continuity management. The inclusion of Chapters VII and XII in a course is dependent on the extent to which the foundational material is to be enhanced with a more comprehensive coverage of information systems. Likewise, Chapter IX extends coverage of emergency management beyond the basic level.
Section IV may be included in a course if a more comprehensive approach that includes risk modeling is the intent.
Supplementary Materials
Instructor Resources are available including: PowerPoint presentations, discussion - suggested solutions, review topics - suggested solutions, case studies - suggested solutions and a test bank. Contact the Publisher at info@rothstein.com for details.
Contributing Authors
Shoshana S. Altschuller, PhD
Daniel P. Iradi, JD
José M. Merigó, PhD
Holmes E. Miller, PhD
Donald R. Moscato, PhD, CDP
Ore A. Soluade, PhD.
Conclusion
We hope that our text provides a solid foundation for and appreciation of the importance of business continuity and risk management.
Kurt J. Engemann, PhD, CBCP
Douglas M. Henderson, FSA, CBCP
September, 2011
About the Authors
Kurt J. Engemann is the Director of the Center for Business Continuity and Risk Management and Professor of Information Systems in the Hagan School of Business at Iona College. He has consulted professionally over the past thirty years in the area of risk management decision modeling for major organizations and has been instrumental in the development and implementation of comprehensive business continuity management programs.
Dr. Engemann is a Certified Business Continuity Professional (CBCP) with the Disaster Recovery Institute International. Professor Engemann is the editor-in-chief of the International Journal of Business Continuity and Risk Management and the International Journal of Technology, Policy and Management. He teaches courses in the areas of Business Continuity and Risk Management, Systems Analysis and Design, Operations Management, Statistics and Decision Analysis. He has a PhD in Operations Research from New York University and has published extensively in the area of risk management and decision modeling.
Douglas M. Henderson, President of Disaster Management, Inc., has 20 years of experience in management with major consulting firms. In August of 1992, Doug was the key associate of the Emergency Response Team for a consulting firm located in South Miami-Dade County. Inspired by the real-life business experience with Hurricane Andrew and concerned about the lack of preparation within the business community, Mr. Henderson founded Disaster Management, Inc. in 1993.
Mr. Henderson’s clients include Bombardier Capital Group, CP Ships, Discovery Channel Latin America, Intek Plastics, Kemper-NATLSCO, Professional Golfers’ Association (PGA), University of Miami, United Educators Insurance Company and numerous other organizations of all sizes. The activities he has undertaken on behalf of these organizations include conducting site inspections, writing Risk Assessment reports, Business Impact Analysis reports, Business Continuity Plans and Emergency Response Plans, and facilitating tabletop exercises.
Mr. Henderson has a Degree in Mathematics from the University of Arizona. His professional credentials include FSA – Fellow, Society of Actuaries, and CBCP – Certified Business Continuity Professional. He is the author of the book Is Your Business Ready for the Next Disaster? and is the author of the Comprehensive Business Continuity Management Program, the Continuity of Operations Plan for Colleges and Universities, the Hurricane and Flood Plan, and several other planning templates.
SECTION I: DEVELOPMENT
Development begins with senior management’s commitment to a Business Continuity Management program and commitment to improve organizational resiliency. The main components of development begin with the program initiation and the allocation of resources and assignment of responsibilities. Development includes the identification and analysis of the organization’s operations, the assessment of natural and man-made threats to the organization, and the selection of the strategies needed to meet the established response, continuity and recovery objectives. Development also includes an analysis of information technology and other organization controls and exposures to manage risks.
CHAPTER 1
Fundamentals of Business Continuity Management
Objectives
» Define Business Continuity Management (BCM)
» Define the relationship between BCM and risk management
» Review BCM responsibilities
» Identify BCM benefits, costs and the commitment required
» Examine the BCM development process
» Review the use of a project management approach within BCM
» Review the data collection process for BCM
» Present an overview of professional standards and terminology
» Review the relationship between information technology and business continuity
» Define Green BCM.
Business Continuity and Risk Management
Planning for disasters may take a backseat to more immediate concerns, especially for a manager who considers such events as improbable and who has not thought through the potential impact of being unprepared. However, a prudent manager will develop contingency plans to provide for the continuation of essential operations. Senior managers should review the criticality of the organization’s products and services to determine priorities and when operations must resume in order to avoid significant losses.
Operations will be disrupted if one or several required resources are unavailable. The loss of a resource can result from any one of several potential disasters. Identifying these possible events requires a review of all internal and external resources required to deliver an organization’s products and services.
Planning must focus on those events that can result in significant losses. Such events are identified by comparing the expected recovery time associated with the event to the length of time operations can be interrupted before incurring significant losses.
Alternative strategies can reduce the risk of an event. The selection of the set of alternatives to be used will depend on their respective costs and benefits. In certain cases the decision is obvious. When the selection is not obvious, a cost-benefit analysis may be required.
Business continuity refers to the actions taken to sustain and/or resume operations impacted by crisis events. Frequently the term business continuity by itself also implies recovery. Business Continuity Management (BCM) is a holistic management program that identifies potential events that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, the environment, reputation, brand and value creating activities. Resilience is the ability of an organization to withstand the impact of a crisis event.
Risk management consists of the processes of risk assessment, risk communication and risk treatment. Risk management and BCM are sometimes mistakenly seen as competing fields. However, risk management and BCM are strongly tied together, and viewing the fields separately is unhelpful. Risk management tends to be preventative, whereas BCM tends to deal more with consequences. Risk management processes provide important inputs for BCM and also deal with controls for risks. On the other hand, BCM goes beyond risk management to plan for the inevitable disaster. Utilizing business continuity and risk management in an integrated fashion is coherent and productive.
There are multiple purposes for BCM. BCM is used to prevent serious disruptions, if possible, and to mitigate the impact of occurring disruptions. BCM is designed to provide safety for people and the environment, minimize the interruption of operations, mitigate damages, maintain customer service standards, maintain quality controls, reduce legal exposures and comply with regulations.
Risk management is the foundation of comprehensive BCM and provides an analytic basis and an economic justification for decision making regarding the allocation of resources. Risk management is a continual process of decisions resulting in how risks are treated, whether accepted, avoided, reduced or transferred.
Conceptually, risk management decisions are extremely difficult. The difficulty arises because these decisions must come to grips with uncertainties surrounding highly unlikely events with major potential adverse impact upon the operation of an organization. The use of risk management for contingency planning can provide an organization with considerable savings through effective use of insurance and implementation of cost-effective loss reduction strategies.
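The screening rule above (compare an event's expected recovery time with the interruption the affected resource can tolerate) and the cost-benefit comparison of treatment alternatives (accept, avoid, reduce or transfer) can be carried through numerically. The following is an added example, not code from the textbook or its authors: every resource, event, loss rate, probability and treatment cost is constructed, and the loss model it assumes (loss accrues only for recovery time beyond the tolerable interruption, at a fixed hourly rate) is a simplification chosen for illustration.

```python
"""Screening crisis events and comparing risk treatments.

Added example, not from the textbook: all resource names, events, loss
rates, probabilities and costs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Resource:
    """An internal or external resource required to deliver products or services."""
    name: str
    max_tolerable_hours: float  # how long operations can be interrupted before significant losses
    loss_per_hour: float        # constructed estimate of loss once that tolerance is exceeded


@dataclass(frozen=True)
class Event:
    """A potential disaster that makes one resource unavailable."""
    name: str
    resource: str
    expected_recovery_hours: float
    annual_probability: float


@dataclass(frozen=True)
class Treatment:
    """One way of treating a risk: accept, avoid, reduce or transfer."""
    name: str
    event: str
    kind: str                                      # "accept", "avoid", "reduce" or "transfer"
    annual_cost: float
    recovery_hours_after: Optional[float] = None   # None: recovery time unchanged
    probability_after: Optional[float] = None      # None: probability unchanged
    retained_fraction: float = 1.0                 # share of the loss still borne (transfer lowers it)


def is_significant(event: Event, resources: Dict[str, Resource]) -> bool:
    """Screening rule from the chapter: the event matters when its expected
    recovery time exceeds the interruption the resource's operations can tolerate."""
    return event.expected_recovery_hours > resources[event.resource].max_tolerable_hours


def significant_events(events: List[Event], resources: Dict[str, Resource]) -> List[Event]:
    return [e for e in events if is_significant(e, resources)]


def expected_annual_loss(event: Event, resources: Dict[str, Resource],
                         recovery_hours: Optional[float] = None,
                         probability: Optional[float] = None,
                         retained_fraction: float = 1.0) -> float:
    """Annual probability times the loss accrued beyond the tolerable interruption
    (assumed loss model). The optional arguments let a treatment be evaluated
    without mutating the event."""
    res = resources[event.resource]
    recovery = event.expected_recovery_hours if recovery_hours is None else recovery_hours
    prob = event.annual_probability if probability is None else probability
    excess_hours = max(0.0, recovery - res.max_tolerable_hours)
    return prob * res.loss_per_hour * excess_hours * retained_fraction


def net_benefit(t: Treatment, events: Dict[str, Event], resources: Dict[str, Resource]) -> float:
    """Cost-benefit figure for one alternative: expected loss avoided minus its annual cost."""
    event = events[t.event]
    before = expected_annual_loss(event, resources)
    after = expected_annual_loss(event, resources, t.recovery_hours_after,
                                 t.probability_after, t.retained_fraction)
    return (before - after) - t.annual_cost


def best_treatment_per_event(treatments: List[Treatment], events: Dict[str, Event],
                             resources: Dict[str, Resource]) -> Dict[str, str]:
    """For each event, the alternative with the highest net benefit. Accepting the
    risk (no cost, no change) is always an implicit option."""
    best: Dict[str, str] = {}
    for name in events:
        options = [("accept the risk", 0.0)] + [
            (t.name, net_benefit(t, events, resources)) for t in treatments if t.event == name]
        best[name] = max(options, key=lambda o: o[1])[0]
    return best


# Constructed sample data (hypothetical names and figures).
RESOURCES = {r.name: r for r in [
    Resource("data center", max_tolerable_hours=8, loss_per_hour=5000.0),
    Resource("warehouse", max_tolerable_hours=72, loss_per_hour=1000.0),
]}
EVENTS = [
    Event("regional power outage", "data center", expected_recovery_hours=24, annual_probability=0.2),
    Event("warehouse flood", "warehouse", expected_recovery_hours=240, annual_probability=0.05),
    Event("brief network fault", "data center", expected_recovery_hours=2, annual_probability=0.5),
]
EVENTS_BY_NAME = {e.name: e for e in EVENTS}
TREATMENTS = [
    Treatment("standby generator", "regional power outage", "reduce", annual_cost=6000.0, recovery_hours_after=4),
    Treatment("flood insurance", "warehouse flood", "transfer", annual_cost=9000.0, retained_fraction=0.2),
    Treatment("relocate stock out of flood zone", "warehouse flood", "avoid", annual_cost=5000.0, probability_after=0.0),
]

if __name__ == "__main__":
    for e in significant_events(EVENTS, RESOURCES):
        print(f"{e.name}: expected annual loss {expected_annual_loss(e, RESOURCES):,.0f}")
    for t in TREATMENTS:
        print(f"{t.name} ({t.kind}): net benefit {net_benefit(t, EVENTS_BY_NAME, RESOURCES):,.0f}")
    print(best_treatment_per_event(TREATMENTS, EVENTS_BY_NAME, RESOURCES))
```

With the constructed figures, the brief network fault is screened out because it recovers within the data center's tolerable interruption, the generator pays for itself against the power outage, and for the flood the avoidance option beats the insurance transfer, whose premium exceeds the loss it removes. The point the numbers make is the chapter's: the same event can be treated in several ways, and which one is chosen follows from comparing costs and benefits rather than from the treatment's type.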
BCM Responsibility
There are many challenges facing organizations regarding BCM. Communication of the benefits of BCM and similarly communication of the risk of not having a BCM program are foremost among these challenges. BCM should be partnered strategically with the organization to be most beneficial and the effectiveness of the program should be thoroughly evaluated. There is a need for regulations to ensure compliance, and likewise, there is a need for industry standards to promote widespread implementation of BCM.
The Board of Directors is an organization’s highest management authority and has ultimate responsibility for the organization's performance. The Board of Directors must establish policies and objectives to ensure the organization’s survival and fulfillment of its mission. Law imposes strict duties on directors because they exercise control and management over the organization. Internal control is the direct responsibility of the directors and these duties apply to each director separately.
Senior management holds specific powers conferred by the authority of the Board of Directors and has the responsibility of managing the organization. Senior management is responsible to initiate and oversee BCM to ensure the organization’s preparedness and resiliency for a broad spectrum of critical events. It is the responsibility of all employees of an organization to understand their role in BCM and to actively participate as directed.
When money or property is managed among two or more parties, a fiduciary responsibility is created. Although fiduciary responsibilities vary somewhat between different countries, a fiduciary is required to perform duties to the highest standards and to avoid any conflicts of interest.
BCM Benefits
Communication is a critical factor in obtaining support for BCM. Senior management should be made aware of the dangers of not having BCM. Examples of disasters in relevant industries are useful in establishing the necessity of BCM and obtaining support. Highlighting actual incidents that could have been disasters is also most useful.
An organization gains many benefits from comprehensive BCM. Effective BCM decreases exposure, reduces downtime, secures assets and improves security. The process of developing BCM improves employee understanding and provides cross-functional training. Also, BCM protects markets, provides legal compliance and helps avoid liability.
A presentation to senior management should relate BCM to the organization’s mission, explain the risks to which the organization is vulnerable, explain management’s accountability and liability and provide a foundation to develop BCM policy.
BCM Costs
The cost-justification of BCM is similar to the cost-justification of a good insurance policy: there is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis. Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term perspective. BCM is not a vehicle that will likely produce a short-term return on investment. However, as with any other venture, BCM must ultimately be cost effective to remain funded. Many of the important benefits of BCM (for example, employee goodwill and customer satisfaction) are clearly important but are difficult to measure. All of these factors contribute to the challenge of securing a financial commitment from senior management for BCM.
The cost of establishing and maintaining BCM includes both initial and ongoing expenses related to various activities and assets, including:
Developing BCM analysis and documentation.
Backup facilities and equipment.
Organization assets dedicated to emergency response.
Physical improvements designed to mitigate damages.
Training programs for employees.
Exercising the BCM program.
Maintaining BCM documentation.
Insurance.
BCM Commitment
Before any program can commence and be successful, a commitment must be secured from the highest levels of the organization. Significant senior management-level participation at the corporate level is needed to oversee the program. Sufficient authority and resources have to be allocated to the BCM program for it to be successful.
A senior executive should act as sponsor and champion of the BCM program. Management is typically aware of the need for business continuity planning but may need assistance in many aspects of project initiation and management.
Senior management should ensure that prudent precautions are in place to prevent or mitigate a crisis, with the primary emphasis being on having the organization prepared to respond to safeguard people. Fundamentally, senior management is responsible for protecting the organization.
Senior management needs to develop and implement a business continuity policy tailored to its needs. The organization should define a BCM policy so that all operational components have documented and exercised plans for the full range of resources required. A generic example of such a statement is: ‘We are committed to providing continuous operations for our entire organization under normal circumstances and rapid recovery from disruptive events.’
BCM is not a short-term project that comes to completion, but rather it is an ongoing, continuous program. BCM should be comprehensive across the entire organization and prioritized by operational needs. To be effective, BCM should always be current and properly tested to ensure that the proper measures are taken in the event of a situation requiring BCM activation. It is necessary to develop an approach with a budget and a timeframe. Key decisions are needed to resolve several questions as follows:
Do we have the internal expertise to complete the program? Do we want to use the services of a consultant? The consultant may shorten the time necessary to develop the BCM program and also add much value to it.
Which software should be utilized for the BCM program? Word processing templates come in