Everything you want to know about Business Continuity


TONY DREWITT
Copyright Date: 2012
Published by: IT Governance Publishing
Pages: 260
https://www.jstor.org/stable/j.ctt5hh5c3
    Book Description:

    The book will guide you through domestic and international standards relating to business continuity, with particular reference to ISO22301. Companies achieving certification under the Standard will communicate to their stakeholders their commitment to uninterrupted supply. This practical guide will show you how business continuity management can help your organisation to: carry out realistic risk identification and assessment; put in place a cost-effective, ‘fit-for-purpose’ business continuity plan; be more competitive; enjoy greater customer loyalty; conform to the legal requirements in terms of accountability, compliance, risk awareness; return to ‘business as usual’ as quickly as possible after an unforeseen incident.

    eISBN: 978-1-84928-201-7
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-7)
  3. ABOUT THE AUTHOR
    (pp. 8-8)
  4. ACKNOWLEDGEMENTS
    (pp. 9-9)
  5. Table of Contents
    (pp. 10-13)
  6. INTRODUCTION
    (pp. 14-18)

    Business continuity (BC) is a relatively new discipline, although people running organisations have been doing increasing amounts of the things that make up BC since the Industrial Revolution. The risks haven’t changed that much, but the way that we, as a society, think about risks has.

    There are some newer risks, of course, particularly those to do with computers and information technology systems, but those have really grown at the same pace as the technologies themselves; it is simply that we are now more aware of many of the risks, and our attitude to how acceptable they are

    This book...

  7. CHAPTER 1: THE OPERATIONAL RISK LANDSCAPE FOR BUSINESS AND OTHER ORGANISATIONS
    (pp. 19-27)

    Most people in management and senior jobs have a good understanding of risks: what they are, how they are managed and even how to measure them. But there remains in many organisations a blurring of definition about types of risk and who is responsible for them, as well as all sorts of risk that haven’t even been identified.

    Like not having insurance, this is usually only a problem if something actually goes wrong, and in the minds of most people that is really rather unlikely. The majority of people tend to be concerned about things that have gone wrong before...

  8. CHAPTER 2: WHAT DOES BCM ACTUALLY ACHIEVE?
    (pp. 28-36)

    The recent economic downturn has taught many in the business continuity world that BCM is treated as a ‘discretionary’ activity by many people running organisations of all types.

    Do we now wear seat belts in cars because:

    They are there?

    It is a requirement of the law?

    We value our safety and our lives, and we know that road traffic accidents do happen?

    Those of us who can remember the introduction of seat belt laws will also probably recall that we either wore them anyway, or started wearing them if we thought we were going to get caught. Despite the...

  9. CHAPTER 3: AN INCREDIBLY SHORT HISTORY: EARLY DR TO 2011 BCM
    (pp. 37-40)

    In truth, the existence of business continuity as a management discipline, or activity, is simply the result of recognition by people running organisations that something could go wrong. And, whilst this has always been the case, as the world has become more sophisticated and technologically complex, there is more to go wrong, more malevolence, and we just happen to be entering a time when natural hazards appear to be more prevalent and more severe. But the distinct management activity of addressing the risks of things going wrong really began when mainframe and minicomputers started to be used by increasing numbers...

  10. CHAPTER 4: THE ROLE OF STANDARDS AND INDEPENDENT VALIDATION
    (pp. 41-48)

    The concept of an organisation’s capability being assured by some independent body is certainly not new. Since the days of the guilds of craftsmen, suppliers of products and services have sought to improve their standing with their customers by having the quality, reliability or value of what they do vouched for by a respected accreditation body.

    The British Standards Institute was established in the early 1900s, and today there is a bewildering array of national, regional and international standards covering all manner of activities, products and systems and management arrangements.

    The concept of management systems dates back to the late...

  11. CHAPTER 5: THE MANAGEMENT SYSTEM APPROACH VERSUS A SIMPLE BC PLAN
    (pp. 49-52)

    Many organisations have had a go at developing a BCP and many of those have succeeded. Some of these plans have even been tested by way of an exercise, but a probable majority have simply been a plan that works in the mind of its author(s) and have resulted in a ‘box being ticked’; the management can move on to the next, and usually more pressing, matter.

    I recall starting a consultancy assignment for a large public-sector organisation some years ago. During the initial discovery meetings I was told, with some pride, that the pandemic plans had been completed. My...

  12. CHAPTER 6: PLANNING THE BCMS
    (pp. 53-57)

    A business continuity management system (BCMS) is essentially a collection of data, analyses, documents, contingencies and similar arrangements which are documented roles, responsibilities and capabilities that together enable the organisation to respond to an unforeseen incident in the best possible way; that is, to execute, as intended, its business continuity, or incident management, plan.

    An underlying principle is that of ‘Gestalt’: the whole is greater than the sum of the parts. The constituent parts of a BCMS can be, and often are, developed separately, although quite often some are missing or incomplete and do not integrate with the others. The...

  13. CHAPTER 7: IDENTIFYING THE ORGANISATION’S REQUIREMENTS
    (pp. 58-99)

    In BS25999 parlance, risk and impact assessment is what is referred to as ‘understanding the organisation’. Now, most people running organisations already understand them, but what this part of the system is about is analysing the risks of disruption and the sensitivity, or vulnerability, of the organisation’s activities to those disruptions and interruptions.

    On one hand, if the organisation develops plans and spends money on contingencies for risks, or scenarios, that are actually less likely and would give rise to less impact than others, and on the other ignores risks that are more likely or give rise to greater impact,...

  14. CHAPTER 8: STRATEGY AND OPTIONS
    (pp. 100-110)

    In business continuity terms, a strategy is a considered approach to how the continuity of each product or service will, or will not, be maintained, and to what level in the hours, days, weeks and even months following an interruption.

    A premise for this entire subject is that the organisation wants to resume the provision of its products or services, almost regardless of how bad the incident or disruption is and how long it takes to recover.

    There is something of a circular relationship between BIA and strategy, principally because until you know how critical an activity (which supports a...

  15. CHAPTER 9: INCIDENT AND CRISIS RESPONSE
    (pp. 111-139)

    With a well-understood set of activity recovery requirements and known contingency resource availability, or other strategic options, such as product/service replacement, all that is required is a well rehearsed response capability based upon concise, relevant and up-to-date plans and capable people to execute those plans.

    To a large extent, incidents, crises and disasters are all the same thing, but it should be remembered that some situations can unfold more slowly than others, some begin with a ‘bang’ and others, such as IT system failures, don’t involve evacuation or issues of personal safety and welfare.

    There is no shortage of people...

  16. CHAPTER 10: THE ASSURANCE PROCESS
    (pp. 140-156)

    The BCMS should also include a mechanism, or process, for assurance – keeping everything current, relevant and tested, and capable of communicating this level of preparedness to all stakeholders and particularly the Board, who have a legal responsibility to know what is being done about the management of these types of operational risk. So the real value of business continuity arrangements is delivered if:

    1 the response plans, mechanisms and contingency resources are up to date, meet specification and have been tested;

    2 all stakeholders, especially customers, know how well prepared and resilient the organisation is; and

    3 the Board,...

  17. CHAPTER 11: BCM AS A COMPETITIVENESS/ASSURANCE TOOL
    (pp. 157-159)

    There are plenty of arguments about whether business continuity is really necessary as a visible discipline, and about the things that make it important.

    The balance between competitiveness and assurance will always depend on the individual organisation and its risk appetite, but nobody really knows when some new requirement to demonstrate organisational resilience, for which business continuity arrangements are really the only control, will arrive: whether from customers, regulators, legislators, investors, or perhaps an expectation amongst people who can influence the organisation’s existence; the public, perhaps.

    Many organisations are already doing some of what is needed, but cannot demonstrate their...

  18. CHAPTER 12: TOOLS AND SOFTWARE
    (pp. 160-173)

    It would be astonishing to discover that there isn’t a wide variety of software-based tools to help BC Managers to achieve their objectives with a few mouse clicks, and if there are two words of advice on this subject, they must be:

    caveat emptor!

    Naturally, tools of various sorts are essential in keeping pace with the modern organisation, but it really is important to spend some time understanding what these offerings can actually do that cannot be done more easily with existing tools, or in other ways.

    It’s an easy trap to fall into: if BC isn’t your full-time job...

  19. CHAPTER 13: THE NEW WORLD OF SUSTAINABILITY
    (pp. 174-177)

    Sustainability is now a key theme in corporate social responsibility, something that also drives business resilience. So it would be counterintuitive if business continuity arrangements, for all their positive qualities in maximising the organisation’s operational resilience, were to drive a coach and horses through accepted sustainability principles.

    Many would argue, not unreasonably, that in the very unlikely event that the organisation is required to operate in an unsustainable way for, say, three weeks in 10 years, then so be it. If that is what it takes to minimise impact, then it is an acceptable price to pay.

    But in this...

  20. CHAPTER 14: HOW TO DO IT
    (pp. 178-191)

    Once again, many organisations have had a go at implementing some sort of business continuity plan, often in response to an enquiry from a customer, or as a tendering requirement, only to see the plan gather dust and gradually fade into obscurity. A not uncommon scenario is that the plan is developed rather in isolation from the ‘heart’ of the business and as few people as possible have anything to do with it: a most unsatisfactory situation that leaves a ‘bad taste’ about business continuity.

    Success in developing really effective BC arrangements starts with ‘hearts and minds’. If the...

  21. APPENDIX 1: ACRONYMS
    (pp. 192-192)
  22. APPENDIX 2: BUSINESS CONTINUITY POLICY
    (pp. 193-203)
  23. APPENDIX 3: A SIMPLE RISK REGISTER
    (pp. 204-208)
  24. APPENDIX 4: INCIDENT RESPONSE PLAN
    (pp. 209-215)
  25. APPENDIX 5: SCENARIO PLAN
    (pp. 216-217)
  26. APPENDIX 6: ACTIVITY RECOVERY PLAN
    (pp. 218-220)
  27. APPENDIX 7: DOCUMENT REVIEW AND CONTROL PROCEDURE
    (pp. 221-226)
  28. APPENDIX 8: CORRECTIVE AND PREVENTIVE ACTIONS FORM
    (pp. 227-228)
  29. APPENDIX 9: EXERCISE METHODOLOGY/PROCEDURE
    (pp. 229-232)
  30. APPENDIX 10: BCM SOFTWARE VENDORS
    (pp. 233-234)
  31. APPENDIX 11: SUGGESTED SOFTWARE ENQUIRY FORM
    (pp. 235-238)
  32. APPENDIX 12: BCM AUDIT PROGRAMME AND PROCEDURE
    (pp. 239-243)
  33. APPENDIX 13: IT DISASTER RECOVERY PLAN/PROCEDURE
    (pp. 244-257)
  34. ITG RESOURCES
    (pp. 258-260)