Everything you want to know about Business Continuity
By Tony Drewitt
About this ebook
Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.
Tony Drewitt
Tony Drewitt is a professional member of the Business Continuity Institute (BCI). He has been a practising consultant in the field of operational risk management and business continuity management (BCM) since 2001, working with a wide range of small, medium and large organisations, to develop BCM policies, strategies and plans. Tony started his career as a mechanical engineer in industry, and has held a range of posts in sales and marketing, general management and management consulting. He was one of the first practitioners to achieve certification under BS25999 (predecessor to ISO22301) for a client in 2008. Tony is the author of the already successful ITGP publications ISO 22301: A Pocket Guide, A Manager’s Guide to ISO 22301 and Everything You Want to Know about Business Continuity.
Everything You Want to Know About
Business Continuity
TONY DREWITT
IT Governance Publishing
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are always at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EH
United Kingdom
www.itgovernance.co.uk
© Tony Drewitt 2012
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2012
by IT Governance Publishing.
ISBN 978-1-84928-202-4
PREFACE
Business continuity (BC) is a fairly new concept in many organisations, with the probable exception of banks and some other financial institutions that have traditionally been much more reliant on computer systems than many others and so have had ‘disaster recovery’ arrangements in place for quite some years.
As attitudes to what is acceptable in business, government and even the voluntary sector change, there is simply more pressure on more of us to do something about business continuity. Many people feel that they are already doing the majority of what business continuity comprises; whilst they are probably doing some of it, it is unlikely that they are doing most of it.
Business continuity is still effectively a voluntary activity for most organisations and it is left to the rather general diligence requirements of the Companies Act (in the UK) and the relevant state incorporation laws in the USA, as well as the requirements for listed corporations, to provide statements of internal control and risk management. However, there is growing pressure and expectation upon organisations of all types to formalise their operational resilience by way of business continuity arrangements, though for many the term ‘resilience’ is arguably more appropriate, as we shall see later.
Of course, the ultimate in resilience would include spare everything! People, workplaces, information and communication systems, processing facilities and so on; all running and fully maintained, just waiting for you to ‘invoke’ should the need arise. Even the very few companies that could afford this don’t have it; it simply doesn’t make any economic sense.
At the other end of the spectrum are the many organisations that have given no real thought to what might happen if there were some significant interruption to their daily activities; as the world changes their negligence of these risks will continue to become more and more unacceptable.
On the day I started writing this book, Japan suffered one of the most severe earthquakes in its history and the resulting tsunami wrought devastation upon Sendai and surrounding areas, dominating world news for some time. Like the World Trade Center attack in 2001 and others since then, this latest disaster will have more and more people thinking about whether they should finally do something about business continuity, or perhaps review what they already have in place.
But whatever the reason for addressing business continuity now, readers of this book will want to know that there isn’t anything else out there; that they haven’t missed something important to do with business continuity that isn’t covered in this book.
Business continuity isn’t like, for example, financial accounting. There are no statutory, or even standard, methods for doing it. And whilst there are guidelines and now even a few national standards, it is still largely up to each organisation to decide how it is going to implement its resilience arrangements. So there are a number of approaches to the various parts of a ‘reasonable’ business continuity programme; there is the intuitive approach and the analytical approach, both of which are covered. But there are few very fundamental differences between any of the approaches that I have ever come across, so I am confident that there isn’t anything else out there, of real value, that this book doesn’t cover. I have been to numerous conferences and presentations from people who call themselves ‘thought leaders’, and have not come across any thinking, ideas or philosophy regarding business continuity that is fundamentally at odds with what is covered in this book.
If you act on everything in this book and get the Board’s cognisant approval for those actions, your organisation should have an entirely reasonable and fit-for-purpose set of BC arrangements that sit well with today’s corporate governance and corporate social responsibility requirements, codes and expectations.
ABOUT THE AUTHOR
Tony Drewitt is a business continuity practitioner and a professional member of the Business Continuity Institute (BCI). He has been a practising consultant, trainer and technical expert in the field of operational risk management and business continuity management (BCM) since 2001, working with a diverse range of organisations of all sizes to put in place effective and sustainable business resilience arrangements and crisis management capabilities.
Tony started his career as a mechanical engineer in manufacturing industry and has since held a range of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2, and delivers a range of business continuity foundation courses and masterclasses for a wide variety of organisations throughout the UK.
Tony is the author of the already successful ITG publications BS25999: A Pocket Guide and A Manager’s Guide to BS25999.
ACKNOWLEDGEMENTS
My thanks to Lita Cuen of LCRisq, San Diego, California for helping me with the US corporate governance aspects of this book.
We would like to thank John Kyriazoglou, CICA, M.S., B.A. (Honours), International IT and Management Consultant, for his helpful feedback when reviewing the manuscript.
CONTENTS
Introduction
Does it really matter?
Corporate governance and CSR
DR, BC, BCP or BCM?
Chapter 1: The Operational Risk Landscape for Business and Other Organisations
Weather
Energy
Operational risk management
The risk management process
Chapter 2: What Does BCM Actually Achieve?
Tangible benefits
Chapter 3: An Incredibly Short History: Early DR to 2011 BCM
Continuity and resilience
Chapter 4: The Role of Standards and Independent Validation
Business continuity standards
Other standards
Compliance
Supply chain
Corporate governance
Chapter 5: The Management System Approach versus a Simple BC Plan
Chapter 6: Planning the BCMS
What is a BCMS?
Chapter 7: Identifying the Organisation’s Requirements
Risk assessment
Business impact analysis
Chapter 8: Strategy and Options
Contingencies
Physical infrastructure
Information
People
Seasonality
Incident level
Output
Chapter 9: Incident and Crisis Response
Incidents, crises and disasters
The response organisation
The response team
Competencies
Response plans
Communications
Full recovery
Insurance
Chapter 10: The Assurance Process
Exercise programme
Maintenance programme
Audit programme
Management review programme
Continual improvement
Summary
Chapter 11: BCM as a Competitiveness/Assurance Tool
The insurance argument
Cost-effectiveness
Peace of mind
Chapter 12: Tools and Software
The BC software market
What to look for in BC software
Chapter 13: The New World of Sustainability
BIA
Business as usual
Incident response
Chapter 14: How to Do It
Visible programme
Awareness
Certification
Summary
Appendix 1: Acronyms
Appendix 2: Business Continuity Policy
Policy statement
Appendix 3: A Simple Risk Register
Appendix 4: Incident Response Plan
Use of this plan
The crisis management team (CMT)
Recovery time objectives
Response and recovery activities
Ending the business continuity phase
Appendix 5: Scenario Plan
Appendix 6: Activity Recovery Plan
Appendix 7: Document Review and Control Procedure
General
Version control
Retrieval and distribution
Appendix 8: Corrective and Preventive Actions Form
Appendix 9: Exercise Methodology/Procedure
Desktop exercise
Full exercise
IT DR exercise
Continuous improvement
Reporting requirements
Exercise programme
Appendix 10: BCM Software Vendors
Appendix 11: Suggested Software Enquiry Form
Appendix 12: BCM Audit Programme and Procedure
Appendix 13: IT Disaster Recovery Plan/Procedure
Recovery time objectives
ITG Resources
INTRODUCTION
Business continuity (BC) is a relatively new discipline, although people running organisations have been doing increasing amounts of the things that make up BC since the Industrial Revolution. The risks haven’t changed that much, but the way that we, as a society, think about risks has.
There are some newer risks, of course, particularly those to do with computers and information technology systems, but those have really grown at the same pace as the technologies themselves; it is simply that we are now more aware of many of the risks, and our attitude to how acceptable they are has changed.
This book is aimed at people involved in the running of all types of organisation; whether a private sector ‘for profit’ company, public service or voluntary sector organisation, or even the defence forces, all organisations exist to fulfil a purpose, even if that purpose is not the generation of financial wealth and its distribution to owners, stakeholders or anyone else.
Actually, all organisations work more or less the same as a company, or corporation; they have people and other resources with which they do, or make, things for customers, or people that they call something else. The organisation’s income doesn’t always come directly from those customers, but it does come from somewhere and if the organisation doesn’t do what it is supposed to be doing, then the time will come when its income reduces, or even stops altogether.
So the principles of risk management should be the same for any organisation, and while some may measure their risks in different ways, it is ultimately the supply, or availability, of resources and money that enables any organisation to meet the corporate governance requirements of the modern world.
Ultimately, most of us need three things: our health, other people and money. Money enables us to acquire everything else that we need apart from our health and other people.
And so whilst many organisations, particularly in the public and voluntary sectors, may state that their primary purpose is something other than ‘the bottom line’, ultimately it is money that enables them to be the best, or biggest, or the ‘brand leader’, or to serve their community, or anything else that they wish to do.
Business continuity is a way, the most comprehensive way, of ensuring that any organisation can protect the interest of its customers and owners by ensuring that everything reasonable is done to make it resilient to unexpected, or unforeseen, situations that prejudice its ability to do what it does.
But this is selective; it is for each organisation to decide whether, for example, it wants to see the loss of a major contract as a BC scenario. If a major customer stops buying, and paying for, the organisation’s products or services, does it matter why? If they stop buying because their factory or offices have been burned down, is that really any different from them doing so because they have found another supplier?
It is ultimately a matter of policy that each organisation decides whether loss of business is a scenario that should be included within its BC arrangements, as well as similar scenarios, such as loss of a key supplier.
Although risk is interwoven in everything an organisation does, this book looks in depth at one of the three fundamental types of risk: what we are calling operational risk.
The three types of risk are:
1 that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;
2 that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;
3 that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.
Most organisations base their BC arrangements only on the third category, most often referred to as operational risk, and this is the approach that the rest of this book is based upon.
Does it really matter?
Many people think that BC isn’t worth the effort and expenditure. But that is usually based on intuition, although in some cases it may also be true. Most organisations have some ingredients in place anyway, such as insurance, stocks of raw materials, spare equipment and locks on the doors, but to write down some sort of plan as to how they would respond in the event of an interruption might seem too much effort, or even a ‘waste of time’. However, for the great majority it will almost certainly be worthwhile looking at the organisation to assess its true resilience to the unknown and putting in place a plan that enables relevant people to make the best decisions in the event that something does go wrong.
Corporate governance and CSR
The way that the world now thinks about risks is very different from how it was in the middle of the last century. In those days, people in charge were assumed to know what they were doing, and if things went wrong it was still assumed that they had