• 05Mar
    Author: Brian Davey. Reposted from ComputerWeekly.com
    IT and information security professionals have a new best friend. That indispensable buddy is, believe it or not, a standard: business continuity management standard BS 25999 to be precise.

    Let me explain.

    BS 25999 was launched in December 2006 (part 1, code of practice) and November 2007 (part 2, specification). It outlines how to implement a business continuity management programme in an organisation and advocates use of a technique called business impact analysis.

    Among other things, business impact analysis attempts to understand an organisation’s critical activities and the resources required, including IT systems and services, to keep those activities running at an acceptable level should a serious incident, such as a malicious act causing destructive loss of premises, occur.

    A gap analysis is then conducted to determine any differences between the resources the business needs over time from the point of the incident, and the current recovery capability. In effect, the analysis identifies the recovery time objectives and recovery point objectives. The former describe how soon after an outage each system or service needs to be operational, while the latter identify the pre-incident point in time the data needs to be recovered to.

    The recovery time and point objectives define the availability requirements of the business, which is an essential element of information security management.

    Potential solutions are then explored to fill any gaps discovered. The gap analysis provides a good appreciation of how IT systems and services could be adversely affected by an incident and addresses any misconceptions the business may have regarding the IT department’s ability to recover systems and services.
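    As an added illustration that is not part of the original article, the following Python sketch shows one way to carry out the gap analysis just described. Each system carries the recovery time objective (RTO) and recovery point objective (RPO) set by the business impact analysis, together with the IT department's current restore time and backup interval, and the code reports where current capability falls short of the business requirement. It goes one step beyond the text by propagating restore times along a dependency chain (an application cannot be available before the database and directory it relies on), which is my own assumption about how an effective RTO should be calculated, not something the article or the standard specifies. The system names, timings and dependencies are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    """One IT system or service as captured during the BIA and gap analysis."""
    name: str
    rto_hours: float              # business requirement: must be usable within this time
    rpo_hours: float              # business requirement: maximum tolerable data loss
    restore_hours: float          # current IT capability: time to rebuild this system alone
    backup_interval_hours: float  # current IT capability: how often a restorable copy is taken
    depends_on: list = field(default_factory=list)


def effective_rto(systems: dict, name: str, _seen=None) -> float:
    """Worst-case time until `name` is usable again.

    Assumption (not from the article): dependencies are restored in parallel,
    and a system is only usable once its slowest dependency is back, so the
    effective RTO is its own restore time plus the longest dependency chain.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        raise ValueError(f"dependency cycle involving {name}")
    s = systems[name]
    deps = [effective_rto(systems, d, _seen | {name}) for d in s.depends_on]
    return s.restore_hours + (max(deps) if deps else 0.0)


def gap_analysis(systems: dict) -> list:
    """Return (name, objective, required, current) for every shortfall.

    RTO gap: the effective recovery time exceeds what the business needs.
    RPO gap: the worst-case data loss (an incident just before the next
    backup, i.e. one full backup interval) exceeds what the business tolerates.
    """
    gaps = []
    for s in systems.values():
        current_rto = effective_rto(systems, s.name)
        if current_rto > s.rto_hours:
            gaps.append((s.name, "RTO", s.rto_hours, current_rto))
        if s.backup_interval_hours > s.rpo_hours:
            gaps.append((s.name, "RPO", s.rpo_hours, s.backup_interval_hours))
    return gaps


# Constructed sample inventory; names and figures are hypothetical.
SAMPLE = {
    "directory": System("directory", rto_hours=4.0, rpo_hours=24.0,
                        restore_hours=3.0, backup_interval_hours=24.0),
    "orders-db": System("orders-db", rto_hours=8.0, rpo_hours=1.0,
                        restore_hours=6.0, backup_interval_hours=4.0,
                        depends_on=["directory"]),
    "web-orders": System("web-orders", rto_hours=8.0, rpo_hours=24.0,
                         restore_hours=2.0, backup_interval_hours=24.0,
                         depends_on=["orders-db"]),
}

if __name__ == "__main__":
    for name, objective, required, current in gap_analysis(SAMPLE):
        print(f"{name}: {objective} gap, business needs {required}h, "
              f"current capability {current}h")
```

    Note that the web front end has a two-hour restore time of its own yet still misses its eight-hour RTO, because it sits behind a database whose effective recovery time is nine hours. That is exactly the sort of misconception the gap analysis is meant to surface: a system's recovery capability is only as good as that of everything it depends on.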

    In my experience as a consultant, such misconceptions are common yet can have major implications for the organisation’s wellbeing. Should a serious incident occur, and the business be unable to recover its critical activities quickly enough to keep impacts within acceptable levels, the consequent loss of credibility, direct financial loss, breach of contracts, and so on, could ultimately damage the bottom line.

    The business impact analysis helps business managers gain a better understanding of the extent to which they rely on IT systems and services. The gap analysis allows the IT department to propose ways of filling any existing gaps in recovery time objectives or recovery point objectives through targeted solutions.

    Senior management can then either accept the current risk exposure where gaps exist or else provide the IT department with the necessary budget to close the gaps. Either way, senior management will understand the IT recovery capability and how it relates to business need, eliminating any misconceptions.

    BS 25999 is the fastest-selling British standard ever. When part 2 was launched, 100 companies had already pre-registered for a certification audit. If your organisation doesn’t yet have a business continuity management programme in place, then you should recommend it implements one. The benefits to be gained by the IT department - indeed, the organisation as a whole - make the standard a powerful management tool, with the business impact analysis element helping to improve information security by pinning down the availability requirements that security controls must meet.

    Embrace BS 25999. It’s your new best friend.

    Filed under: BS 25999, General
  • 04Mar

    By Charlie Maclean-Bristol, for ContinuityCentral.com

    Until relatively recently, business continuity management for most companies focused primarily on the risks associated with IT failure or the loss of a building. The increasing reliance upon outsourcing in a more global business environment, however, has pushed supply chain risks firmly onto the business continuity agenda.

    For many organisations, the supply of raw materials, manufacturing processes, and product storage are now regularly outsourced. Even those functions that were traditionally considered in-house activities, such as finance, purchasing, internal auditing, HR and occupational health are now considered outsourceable activities. In this supply chain-reliant environment, the loss of just a single critical supplier can have a devastating impact on a company.

    The nature of the supplier
    Suppliers by their very nature can be more susceptible to incidents than the organisations which they supply. Often smaller, leaner, providing ‘just in time’ services and in many cases supplying only a single product, these factors amplify the impact which a disruption can have.

    It is often the case, particularly with niche suppliers, that their services are being used by a number of different companies. As such, any disruption can have a much more pronounced ripple effect, impacting on multiple organisations. A good example of this occurred during the fuel stoppages of 2001 in the UK, when the water industry suddenly became aware of how over-reliant it was on ICI at Runcorn which produced 70 percent of the chlorine used in water treatment.

    An organisation should also be fully aware of the risk that disruption to second- or third-tier suppliers in the supply chain poses to its ability to continue operating.

    In the firing line
    The threats to the supply chain are many and varied, as can be seen in the following diagram. The risks can vary from a natural disaster to political instability, to getting caught up in a company dispute.

    BS 25999 does not deal effectively with supply chain risk. The Standard states that accountability for business continuity remains vested within the organisation, that the organisation’s dependency on suppliers should be understood, that suppliers should have effective business continuity arrangements in place, that awareness programmes may extend to suppliers, and that the suppliers’ business continuity arrangements should be audited. Part 1 section 7.7 provides some information on developing a supplier strategy, but it is limited.

    Managing the risks
    To effectively manage supply chain risks a business continuity manager needs three key pieces of information:

    1. He/she should identify the organisation’s critical activities so that critical suppliers can be ascertained;

    2. He/she should ascertain the potential impact of the loss of a supplier by conducting a BIA;

    3. He/she should undertake a full risk assessment to understand the potential risks which could affect the supplier.

    Only once this information has been gathered can the business continuity manager start to mitigate the supplier’s risks.

    A three-pronged approach
    The strategy for dealing with supply chain risks should be in three parts. Firstly, the business continuity manager must educate purchasers in how to make ‘risk aware’ purchasing decisions. To do this they must make sure that buyers are aware of which suppliers are critical to the organisation and which are not. Purchasing of non-critical services can be made on a pure commercial basis, but decisions relating to critical suppliers should be risk-based. Buyers should be aware of the consequence of the loss of a supplier so they can weigh this against the commercial element of the deal.

    A supplier strategy should then be drawn up detailing buying strategies that can be used to mitigate supplier risk. These could include: diversification (buying from more than one supplier); asking suppliers to hold buffer stock; ensuring that the supplier has spare capacity; and establishing stringent failure-to-perform clauses.

    The business continuity manager should also educate buyers in how to examine the supplier itself and not just the product being supplied. This is usually carried out as part of the tender process, but often without sufficient rigour. In reviewing the supplier, the buyer should consider: the quality of all of the supplier’s products, not just those being supplied; their incident history; key personnel dependencies (is the person who deals with the product liable to move to another organisation, for example?); financial stability; volume flexibility; and the quality of the business continuity plans that are in place.

    The business continuity manager is key to reviewing the supplier’s level of business continuity planning, as they are best placed to assess its validity and its quality. According to research conducted recently by the Business Continuity Institute: “Where organisations insist on the supplier having a business continuity management plan … 18 percent are happy to rely on no more than a statement from the supplier. 27 percent ask only to read the supplier’s business continuity plans and a further 27 percent don’t know how the supplier’s plans are verified.”

    Secondly, the business continuity manager should ensure that operational staff are fully aware of which suppliers are critical to the organisation, and the potential impact of their failure. All operational personnel should also be trained in incident management so that if there is a failure they can respond quickly and effectively.

    The business continuity manager should also encourage staff to monitor suppliers closely so that any problems are detected early. ‘Near misses’, or any drop in quality, should be investigated, as they may suggest a more serious underlying problem which can then be dealt with. The business continuity manager should also monitor the media for any negative press relating to the supplier. A key part of supply chain risk mitigation is recognising the signs early and dealing with them in the proper manner.

    Thirdly, the business continuity manager can also play a key role in helping the suppliers themselves improve their business continuity planning. As mentioned previously, suppliers are often much smaller than the organisations which they supply, and may not have a dedicated business continuity management resource or the necessary skills to implement an effective business continuity strategy. The business continuity manager should therefore work in partnership with their firm’s suppliers to help them develop their business continuity plans and should then involve them in any exercises or awareness sessions.

    Loss of a supplier is a major risk, and one which will only increase as organisations continue to extend their outsourcing networks. The business continuity manager can play a vital role in reducing this risk by educating buyers in how to adopt a risk-based approach to selecting critical suppliers, educating operational staff on the risks posed by suppliers, and helping suppliers themselves improve their business continuity strategy.

    Author: Charlie Maclean-Bristol MBCI FEPS is a director of PlanB Consulting
    www.planbconsulting.co.uk
    T: 0790 844 8555

    Note
    The author recommends the book ‘The resilient enterprise’ by Yossi Sheffi for further insights into supply chain management.

  • 31Jan

    The recent release of part two of the British Standard for Business Continuity Management (BS25999) has given planners another avenue to explore when designing their business continuity program.

    The British Standards Institution (BSI) released the second part of BS25999 in late October 2007 and it has been well received by global organizations.

    BS25999 actually includes two standards, BS25999-1 and BS25999-2. The first, a code of practice, was released in 2006 and addresses practices and policies; the second is the specification that sets out the requirements an organization’s business continuity management must meet. The standard’s intent is to provide guidelines for implementing business continuity management within an organization.

    According to BSI, BS25999 is the world’s first internationally recognized standard for Business Continuity Management (BCM). It includes requirements covering the whole BCM lifecycle, based on BCM best practices.

    The standard has garnered much attention from businesses around the world. It has become the most downloaded standard from the BSI website. In fact, thousands of companies in the United Kingdom are implementing BS25999.

    The basic intent of the standard is to provide best practices for an organization’s personnel, infrastructure and information technology in order to get back in business with minimal disruption if disaster strikes.

    While it may seem this is similar to other standards in the market, there are some notable differences.

    “BS25999 is unlike other directives, policies or standards that are prescriptive in nature,” said Bob Reilly, senior associate at Booz Allen Hamilton. “It is a management standard that audits processes and procedures to establish and maintain a continuity program.”

    Those who complete the BS25999 procedures can apply for certification through BSI. External auditors will evaluate an organization’s business continuity management process. If certification is achieved, it can provide suppliers, investors and clients assurance that rigorous methods will be used to protect the organization in the event of a disruption.

    “The standard audits continuous process improvement and compliance to corporate policies, unlike other certifications or audits that just represent a snap-shot in time,” said Reilly.

    According to the BSI website, the auditors will be looking for documented evidence that processes are in place and will bring technical experts with them to ask why particular decisions were made.

    Whether the BS25999 standard becomes a hit in North America remains to be seen. Organizations that are interested should discern the differences between this standard and others that are available on the market and decide what, if anything, works best for their organization.

    For further input and comparison on the BS25999 standard, visit the ongoing discussion at www.drj.com.