Strengthening the weakest link: Business Continuity Management for SMEs
Essen, 5 October 2010
Dr. L. Marinos, ENISA

SME working assumptions
• SMEs are generated out of entrepreneurship and have a low level of resources for “non-productive” investments
• Most SMEs (esp. owners) have a low level of BC knowledge
• SMEs are not in a position to fully develop a BCP
• Even where some IT knowledge exists, availability is usually not part of it
• SMEs tend to use standard components (soft- and hardware)

What is Business Continuity?
• Business Continuity is the ability to continue the business in an (for the customer) acceptable.
• For SMEs it needs to be:
  • Low cost
  • Simple
  • Practical
  • Affordable in the long term

Business Continuity (Full version)
[Diagram: BCM lifecycle, with an interface to other operational and product processes; box labels as recovered from the slide]
• Initiate BCM Programme: Define BCM Policy; Assign BCM and Incident Responsibilities; Define BCM Framework; Design BCM Approach
• Conduct Business Impact Analysis (Adapted Risk Management Activities): Identify the Organisation; Assess Risks and Impacts; Analyze Results; Prioritize Recovery; Define Critical Resource Requirements
• Agree Recovery Strategy: Determine Recovery Options
• Design BCP / Deliver BCP: Incident Response Plan; Incident Management Plan; Business Recovery Plan; Recovery Support Plan; IT Service Continuity Plan; Business Resumption Plan; Communications and Media Plan (the diagram distinguishes short-term, middle-term and long-term plans)
• Test BCP: Determine Type of Test; Write Test Plan; Conduct Test; Deliver Debrief/Test Report; Recurrence
• Sustain BCM Programme: Train Staff; Develop Awareness; Maintain and Review BCP

Problems with BC (as with other security issues)
• Too complicated
• Not business oriented
• Too focused on technical assets
• Too much concentration on threats
• Too reliant on estimates of “probability”
• Threat and vulnerability assessments too technical
• Unrealistic targets
• No clear action plan
• TOO SLOW!
Source: Jeremy Ward

Business Continuity „Light“
• Low expertise in the area of BC
• Simply structured
• Balance between simplicity and effectiveness
• Understandable relations between the terms used
• Good basis for knowledge transfer

ENISA Approach
[Diagram: four-phase process; box labels as recovered from the slide]
• Phase 1: Select Risk Profile
• Phase 2: Critical Assets Identification
• Phase 3: Controls Selection
  • Organizational Continuity Controls (documented as Org. Control Cards)
  • Asset Based Continuity Controls (documented as Asset Control Cards)
• Phase 4: Implementation and Management
  • Controls Implementation Plan
  • Business Continuity Plan
http://www.enisa.europa.eu/act/rm/risk-management-for-smes-and-micro-enterprises

In Conclusion
• We see tendencies towards simpler approaches
• Become business oriented (not technical, threat-centric etc.)
• Promote through professional associations
• Develop corresponding certification schemes
• Promote the generation of a relevant “market”

Thank you for your attention
louis.marinos@enisa.europa.eu
ENISA Risk Management Web Pages: www.enisa.europa.eu/rmra