July 2007
Business Continuity Management (BCM)
The Integration of Tactical Response and Strategic Business Recovery
VICTORIAN MANAGED INSURANCE AUTHORITY

Example Only (organisation chart)
Board
Crisis Management Team: Core Team always activated, CEO, Mutual Aid, Crisis Manager, Duty Manager, Other CMTs, CFO, Support Team activated as required, Grp Mgr Corp. Affairs, Co. Secretary, Support specialists, Grp Mgr Operations, Information & Communication Coordinators, Other ERTs
Emergency Response Team: Emergency Controller, Duty Officer, Planning Officer, Operations Officer, Logistics Officer, Mutual Aid Resources, Comms Officer, Media Support, Specialist Support
Site Emergency Team: Systems Control, Media Liaison, Site Commander, Field Supervisor, Site Radio Operator, Mutual Aid Resources, Emergency Services Commander

Basic Definitions
- Incident Management Framework
- Emergency Response
- Crisis Management
- Disaster Recovery Plan
- Business Continuity Plan
- Business Continuity Management

BCP to BCM Simplified
(diagram labels: Current, Historical)

BCM – A Process Overview
Comments
General Intent
- BCM is a management process of “considered activities”. BCP is a tactical plan.
- BCM process offers a “considered management approach” to address a prescribed threat / event. It does not necessarily provide the solution, but it introduces the “test of reasonableness” into a “measurable framework”
Protection of Enterprise Value
- BCM process attempts to introduce rigour while retaining flexibility by way of application – “events simply don’t happen the way we plan”
- BCM activities overlap – they are not sequential in their development or their application – but they need to be managed in parallel across time
- BCM activities vary in their applied complexity and intensity as determined by the “dynamics” of the event.

BCM – So what is really different?
- Introduction of legislation / regulations / standards
- Existence of Royal Commissions / Investigations
- Increased litigation in the business community
- Speed of Information Transfer
- No longer enough to just “fix” the problem
- Increased Community Awareness
- Higher Expectations – All Parties
- Decreasing Levels of Tolerance
- Increasing Complexity of Business Environment
- Incremental damage caused by Perception becoming reality
- Increased awareness of “Precedent”

BCM – What should your client be trying to do?
High Level Actions
- Determine – Criticality of their Business within their operating environment
- Aim – to protect Enterprise Value
- Be seen to Act – Diligently
- Assess – Maximum Acceptable Outage for their business / location
- Derive – Business Recovery Options / Priorities / Alternatives
- Document – Structured actions for RESPONSE through RECOVERY
- Engender – a process of CONTINUOUS IMPROVEMENT

BCM Component Elements - Overview
(diagram labels: Incident Management Framework, Manage Expectations, Optimise Tactical Response, Optimise Recovery Strategy, TIME)

BCM Component Elements - Overview
Incident Management Framework
Objectives:
- a clearly defined Command and Control by Policy & Process
- allows efficient “transitioning” from Response through to Recovery incorporating Crisis Management
- provides defined notification, activation, communication, escalation and tracking criteria by Policy & Process
- is “adaptive; dynamic and assessable”
- reflects the operating culture and requirements of the business

BCM Component Elements - Overview
Incident Management Framework
Some Basic Elements
- Structure
- Control
- Notification & Activation
- Tasking
- Information Management

Example Only (response structure chart)
Minister, Board, CEO
Response Level 2 - Corporate (STRATEGIC): Crisis Manager, (As required) Communication Management, Business Team Leaders, BCP or ITDRP activation
Incident Controller
Response Level 1 - Site (TACTICAL): Evacuation, (As required) Business Support, Recovery Manager, Recovery Coordinators, Emergency Services Liaison, Site security, Initial Assessment, Functional teams Activated As required
Initial Response, Transition over Time

BCM Component Elements - Overview
Incident Management Framework - Structure
Objectives:
- Right Teams - Right Place - Right Time - To Solve Right Problem
- Must be capable of operating independently and / or AT SAME TIME of normal business structure
- Teams must be linked and capable of interacting with wider environment / community
- Highly adaptive – easy to use – reflect “cultural response” of both the organisation and its operating environment
- Structural Activation must be “idiot proof”

BCM Component Elements - Overview
Incident Management Framework - Control
Objectives:
- introduce extra / “lead” time into the mix
- maximise “speed of considered response”
- introduce “efficiencies of scale” – remove bottlenecks
- minimise “time dependent load” on system elements
- improve efficiency of decision making process

BCM Component Elements - Overview
Incident Management Framework - Notification & Activation
Objectives:
- clear EASY guidelines to “most senior executive” level - supported by POLICY
- activation criteria supported by appropriate “Delegations of Authority”
- clearly defined - Business and “After Hour” criteria for each “activation level” – defined points of confirmation with notification guidelines
- process MUST be adaptive
- activation criteria must reflect “tactical & strategic” exposure – perceived or otherwise

Incident Management Framework - Tasking
Objectives:
- clearly defined roles; responsibility and delegated authority
- defined position descriptions for all “team leaders” and “key” functional positions
- actionable checklists for “generic” activities and functional teams
- defined activation protocols - only “required” roles need to be activated – remainder stay on call
- tasking to be assigned to “most able” not necessarily “most senior” person
- to provide:
  - Redundancy through deputies
  - Resiliency through appropriate deployment of resources
  - Efficiency through changeover; monitoring and reporting

Incident Management Framework - Information Management
Observation: 3 things that make life difficult and can really “stuff you up”
1. Communications!
2. Communications!!
3. Communications!!!

Incident Management Framework - Information Management
Objectives:
- Strive to minimise corruption of data
- Establish “practical” communication protocols
- Differentiate between communication channels – manage accordingly
- Be able to “monitor” communications
- Implement an “effective” reporting / tracking regime
- Check “filter” points; remove bottlenecks
- Manage information flow & load

Incident Management Framework - Other Considerations
- effective differentiation and management of “hazard & outrage”
- sleep mode; transitioning and stand-down arrangements
- stakeholder management; prioritisation & communication
- incident tracking & reporting
- potential for “formal 3rd party” post incident inquiry
- credibility & reputation
- ROI
- optimisation of recovery

BCM – So what is really different?
Real Life Examples
- Bankstown City Council
- World Trade Centre
- Sydney Water
- Kraft Insurance Company (UK)
- Barings Bank
- Hurricane Rita (USA)
- Blood Bank (France)
No longer enough to just “fix” the problem

BCM - Some Post-Event Observations
1. Expect multiple and concurrent points of failure in critical systems
2. Consider “broader” geographical / political / economic impacts (local-regional-global)
3. Scrutinise system / process redundancies vs interdependencies
4. Consider “cross industry” impacts
5. Consider greater emphasis on “mutual aid” and shared services
6. Increase scrutiny on Supply Chain vulnerability
7. Place greater emphasis on “human capital”, its availability and associated intellectual property
8. Do not underestimate the impacts of “corporate / community” culture and “post event” behaviour
9. Scrutinise logistics / distribution channels and their interdependency on technology

SESSION 6
Ensure Continuous Improvement
Types of Training:
- Introductory awareness training – all staff
- Team Leader development training
- Specialist functional support training (eg Log keepers; Telephone Support Team; Admin Support etc)
- Web-based advisory / update training
- Scenario based training by:
  - Desktop exercise
  - Interactive role play exercise
  - Live simulation
- 3rd party integrated training (eg whole of industry response; supply chain tests etc)