![Page 1: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/1.jpg)
Business Continuity Planning
Public Entities Risk Management Forum 5th July 2012
Presented by Mark Penberthy FBCI
![Page 2: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/2.jpg)
“Overcoming Practical Challenges”
Business Continuity Management (BCM)
AGENDA 1. What is BCM?
2. Relationship with Risk Management...
3. Where do I start?
4. Lifecycle / Process Flow
5. Critical Components (and Influences)
6. When is BCM Complete?
![Page 3: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/3.jpg)
Section 1
What is BCM?
![Page 4: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/4.jpg)
Business Continuity Definition
• ISO 22301
“Capability of the organisation to continue delivery of products or services at acceptable,
predefined levels, following a disruptive event”
![Page 5: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/5.jpg)
In Simple Terms
• Disruptive event?
• Products and Services (Mission Critical)
• Focussed on primarily disruption to • Buildings and facilities
• Skills and knowledge
• ICT
• Supplies
• How quickly do we need to restore... • Operations
• Data (How much data can we afford to lose)?
![Page 6: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/6.jpg)
Disruptive Events: Europe ‘95 –’09
![Page 7: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/7.jpg)
And 2010...
![Page 8: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/8.jpg)
Risk Definition
Risk = Impact x Probability
Probable events – Power failure
– Communications failure
– Hardware failure
• Lower likelihood – Aircraft
– Floods
– Fire
![Page 9: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/9.jpg)
Products? / Services?
• Public Sector mainly services driven, however
• Estimated 300 SOE’s
• Electricity; Transportation and Telecommunications
• Products and services through Local Government
• Information flow between Government departments
![Page 10: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/10.jpg)
Brand South Africa
• Government Departments / SOE’s providing essential services to support the National Economy
• Supply Chain Obligations
• Best Practise (ISO)
• “Brand doesn’t matter – we have a monopoly”
• “We are now extremely brand conscious”!
• Recent Treasury Bond Auction
![Page 11: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/11.jpg)
Non-performance?
• Impacts?
• No competition...
• Market share?
• Impacts upon other entities
• Impacts on Economy?
• Brand and Reputation?
– Coastal Cities
![Page 12: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/12.jpg)
Mission Critical?
• How is criticality determined?
• At what stage of the lifecycle?
– Tangible and intangible impacts
– Seasonality
– Interdependencies
– Regulatory / Legislative
– Supply Chain?
• What does the risk analysis focus on?
![Page 13: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/13.jpg)
What is BCM NOT!
BCM is NOT Disaster Recovery (DR) and the two should never be confused!
• DR is a legacy concept which addresses the recovery of technology only
•
• Whereas BCM is focused on continued delivery of services and products!
![Page 14: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/14.jpg)
Section 2
Relationship with Risk Management
![Page 15: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/15.jpg)
Primary Issues
• “BCM is complementary to a risk management... sets out to understand the risks to operations, and the consequences of those risks” (BS 25999)
• “Shall identify and document...Links between the BC policy and the organisation’s objectives, including the overall risk management strategy” (ISO 22301)
![Page 16: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/16.jpg)
BCM Focus
By focusing on the impact of disruption, BCM identifies those products and services on which the organization depends for its survival...
...or put another way, its reason for existence!
What needs to be done before an incident occurs to protect its people, premises, technology, information, supply chain, stakeholders and reputation. (BS 25999)
![Page 17: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/17.jpg)
BCM and Risk Management
BCM is a key contributor to effective corporate governance. It is often positioned under Risk Management and allows stakeholders to ask searching questions, such as:
• The company’s business and operating model • Key value creating products and services • Key dependencies – critical assets and processes • How the company will respond to a loss of or threat to any of these • What the main threats are today and on the horizon (Scanning) • Evidence that the continuity plans will work in practice
(GPG 2010)
![Page 18: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/18.jpg)
Section 3
Where do I Start?
![Page 19: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/19.jpg)
Where Do I Start? • Management Buy-In • Policy • Programme Management
– Project definition – Scope – Funding – Awareness and Skills
• Business Impact Analysis – Determine Criticality and time constraints
• Risk Analysis • BCM Strategy
![Page 20: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/20.jpg)
Large Organisations
Urgent
Important
Activities
Non Critical Activities
![Page 21: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/21.jpg)
Developing Awareness
• Corporate newsletters, bulletins, articles staff magazines • Intranet web sites • Professional BCM practitioners within the organization • Remuneration and rewards through the performance and appraisal system • Participation in other organization’s BCM exercises or real events • Inclusion of BCM related objectives through the organization’s performance and appraisal mechanisms • Induction programme • Executive briefings
![Page 22: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/22.jpg)
Section 4
Life cycle / Process Flow
![Page 23: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/23.jpg)
BCM Lifecycle
What’s missing?
POLICY
![Page 24: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/24.jpg)
Process Flow
•Awareness
•Buy-in
•Top Down
•Skills
•Ownership
•Funding
•Training
Policy
• Input
• Output
• End-to-end
Activities • Impact over time
• Services
• Urgency
• Data loss
Operations
• Critical ops
• RTO
• RPO
• Enablers
• Dependencies
MCA’s
• Risk analysis
• Reduce the threat of disruption to MCA’s
Protect
• People
• Premises
• Resources
• (IT, telecoms, power, supplies)
Strategy
![Page 25: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/25.jpg)
Initial Output
• Business Impact Analysis Report – MCA’s
– RTO / RPO
– Interdependencies
– Enablers
– Critical skills
– Critical times
– Resources • People, premises, resources etc.
• Risk Analysis Report
![Page 26: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/26.jpg)
Balance of Programme?
• Once “understanding the organisation” is complete... – Implement recovery strategy
– Alternative site configuration
– Resource configuration
– Supply chain
– Business Continuity Plans
– IT Continuity Plans
– Test, Maintain & Review
![Page 27: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/27.jpg)
Section 5
Critical Components
![Page 28: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/28.jpg)
Critical Components / Attributes
• Management buy-in
• Policy
• Budget
• Ownership and Accountability
• Awareness
• Evacuation (Protecting skills and assets)
• Crisis Management (Threats to Brand and Reputation)
![Page 29: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/29.jpg)
Influences
• Regulatory – PFMA
• Governance – King II & III – Stakeholder interests – IT Governance
• Compliance – Auditor General
• Standard – ISO 22301
![Page 30: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/30.jpg)
ISO 22301 Excerpt
• Scope – Applicable to all organisations, regardless of size, type
and nature
• Management commitment – Top management shall provide evidence of its
commitment to BCM by: – Establishing a BCM Policy – Establish BCM objectives and plans – Establish roles responsibilities and competencies – Appoint persons responsible for BCMS with
appropriate authority and competency
![Page 31: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/31.jpg)
Auditor General
• “Weakening of Pillars of Governance”
– Management of supply chains
– Service delivery
– Security of government information
– Accuracy of Government reports
Terence Nombembe
![Page 32: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/32.jpg)
Certification Training
• Global (Business Continuity Institute)
• Why Certification? (Necessary Competence)
• BCM Skills Base
– International
– Local
– Africa
![Page 33: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/33.jpg)
Section 6
When is BCM Complete?
![Page 34: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/34.jpg)
It is never complete!
• The initial aim will be to successfully complete an implementation of the BCM lifecycle, but the long term goal of BCM programme management is to improve the organization’s BCM capability, and hence its operational resilience, with successive iterations of the BCM Lifecycle
![Page 35: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/35.jpg)
Resilience?
• BCM increases an organisations resilience
• Resilience is widely defined as the ability of an organization to absorb, respond and recover from disruptions
![Page 36: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/36.jpg)
BCM Lifecycle
![Page 37: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/37.jpg)
When is BCM not required?
A hospital bed that is not occupied does not mean that it is not required!
![Page 38: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/38.jpg)
Currency
Agree a programme of ongoing exercising and maintenance of the BCM plan (solution) to ensure it remains current
• Up-to-date
• Deployable
• Resourced
• Funded
• Best practise!
![Page 39: Business Continuity Planning - National Treasury. Risk... · BCM and Risk Management BCM is a key contributor to effective corporate governance. It is often positioned under Risk](https://reader035.vdocument.in/reader035/viewer/2022062920/5f0208477e708231d4023d7b/html5/thumbnails/39.jpg)
If a country does not have a reputation for strong corporate governance practices, capital will flow elsewhere. If investors are not confident with the level of disclosure, capital will flow elsewhere. If a country opts for lax accounting and reporting standards, capital will flow elsewhere. All enterprises in that country – regardless of how steadfast a particular company’s practices may be – suffer the consequences.
Markets must now honour what they perhaps, too often, have failed to recognise.
Markets exist by the grace of investors. And it is today’s more empowered investors that will determine which companies and which markets will stand the test of time and endure the weight of greater competition.
It serves us well to remember that no market has a divine right to investors’ capital.
Arthur Levitt, former Chairperson of the United States Securities and Exchange Commission
Governance