ISO whitepaper, January Inspiring Business Confidence.

Transcription

1 Inspiring Business Confidence. ISO whitepaper, January 2015 Author: Graeme Parker

2 ISO is the new International Standard for Business Continuity Management released by the International Organisation for Standardisation (ISO). It is designed to help ensure organisations are suitably prepared to continue delivering to their customers in the event of an interruption. The standard is very flexible meaning it can be used by many organisations large and small to deliver numerous business benefits such as: Cost reduction gained through a greater understanding and management of risk Protection of brand and reputation Increased confidence of customers and clients Compliance with contractual and legal requirements The ability to win future business by easily meeting bid, tender and customer requirements In addition, there are a number of other benefits of using ISO as your approach to Business Continuity Management. This paper aims to explain exactly what ISO is, what Business Continuity is all about, how ISO can help and exactly what is involved in applying it. Introduction Organisations across the world face risks which could interrupt their business and ability to fulfil customer requirements or needs. Of course people always consider the rare yet dramatic incidents, fire, floods, earthquakes, terrorist attacks and so on. What about other more mundane interruptions? What happens when there is no power in your premises, staff cannot get to work because of weather conditions or transport issues, or your key IT equipment fails. And what about business risks, what happens if you are unable to secure the credit and finance you need, or a key supplier in your supply chain ceases to trade? Business Continuity is all about answering those questions and ensuring effective plans are in place to guarantee customers continue to receive the service they expect no matter what goes wrong. Without doubt some things are much more likely to occur than others and you cannot plan for everything, but some simple risk management techniques can ensure your organisation can stay in business and maintain and even enhance its reputation. ISO provides a flexible and certifiable framework which will help to address the Business Continuity issues that concern your organisation. History Some readers may already be familiar with the BS Business Continuity Standard. The new ISO standard is the next step with a move from a British to International Standard. The development of Business Continuity standards has been a gradual evolution from the use of professional standards through to the Business Continuity Institute publishing good practice guidelines in In 2006 BS was published by the British Standards Institute and in 2007 the certifiable BS was released allowing organisations to have their Business Continuity Management System (BCMS) independently reviewed and certified. 2

3 The initial draft version of ISO was developed in 2010 and progressed through a number of versions until its final release and approval in The following diagram shows a brief history of the evolution of Business Continuity standards: 1997 Professional practice standards exist in the UK and the US 1999 Uniform assessment of BCM for Y2K FSA requires Good Practice guidelines 2003 Publication of PAS 56 BCI publishes BCM Good Practice Guidelines 2006 BSI publishes BS BSI publishes BS ISO publishes final version of ISO History of the ISO standard What is Business Continuity? As already highlighted earlier Business Continuity is a business driven process to ensure your organisation can continue to fulfil legal, customer and client requirements and maintain a good reputation in the event of a business interruption. Effective Business Continuity is designed to: Help to proactively develop resiliency against disruption. Through effective risk management there are many potential problems that can be addressed before they actually interrupt the business; Provide a rehearsed, repeatable and proven method to restore key activities in the event of an interruption; Provide clear capacity to protect an organisation s reputation and brand; Ensure that organisation can manage risks which have been realised. In the world of Business Continuity many terms such as Contingency Planning, Emergency Management, Disaster Recovery, Crisis Management and others are used which could lead to confusion and unnecessary complexity. All of these elements are important and are all linked to Business Continuity Planning. The following aims to explain the terms and how they relate to each other. 3

4 Emergency Management Emergency Management is concerned with serious events which involve Emergency Procedures, for example procedures to be followed in the event of a fire or other such situation. They do not deal with how the organisation will continue to operate but are extremely important for any organisation whose number one responsibility in an emergency is the protection of life, health and safety of people. Crisis Management Crisis Management is a key part of the Business Continuity planning and is the process of handling and managing an event when it occurs. This will cover the co-ordination and management of people, organisation of workspace, equipment and facilities. In order to protect your brand and reputation this should also consider how you communicate with your customers, public and media who may well have an interest depending on the nature of the event and your organisation. Disaster Recovery Disaster Recovery is part of Business Recovery and is focused on getting business back to normal. So where as Business Continuity is all about continuing to serve your customers and clients, Disaster Recovery helps restore the normality after the interruption. Disaster Recovery is sometimes considered as an IT term with the key aim of getting IT systems back up and running. IT Disaster Recovery is of course critical to most businesses; however IT Disaster Recovery Plans should always be designed to fulfil your Business Continuity requirements and not the other way around. So, Business Continuity is more widely focused covering all of the above and many more elements as shown in the diagram below. Given the many elements that Business Continuity is concerned with, a good framework is required to ensure oversight and management of all the areas. ISO is designed to address all these elements whilst being flexible enough to allow organisations to manage Business Continuity in a way that suits them. Business Continuity Management Risk Management Emergency Management IT Disaster Management Organisational Elements Facilities Management Supply Chain Management Quality Management Environmental Management Health & Safety Knowledge Management Human Resources Security Crisis Communication & PR 4

5 Why is Business Continuity important to your organisation? By now you will have a good idea why Business Continuity is important. You may have contractual obligations to meet; an interruption may have a major impact on your organisation and the trust of your customers. There are many reasons why Business Continuity is important but here are a few statistics and examples to show this is more than just a theory: 2 out of 5 enterprises experiencing a disaster will go out of business within 5 years, Gartner estimates that 40% of all businesses which lose all their data go out of business within 5 years Gartner 30% of businesses never reopen, while 29% go out of business within 2 years Meta Insurance Disaster Report 80% of Businesses that do not have Business Continuity plans go out of business within 13 months of a major incident Business Continuity Institute Top 5 consequences of a disaster, 2006: 1. Decreased employee productivity (62%) 2. Data Loss (43%) 3. Reduction in profits (40%) 4. Damage to customer relationship (38%) 5. Reduction in Revenue (27%) Veritas Research Recovery Group These statistics clearly highlight the need for Business Continuity planning however what about some real world examples of business interruptions and impacts: Buncefield Fire The Buncefield Fire was a major incident which occurred at the Hertfordshire Oil Storage Terminal near the M1 motorway in the south of England. On the 11th December 2005 a series of explosions occurred at the site eventually overwhelming 20 large storage tanks. The event was the biggest explosion of its kind in the UK since 1974 and took two days to extinguish. The explosions caused many serious problems in the local area, 224 people required medical attention, hundreds of homes in the Hemel Hempstead area were evacuated, 227 schools along with libraries and other public buildings across Hertfordshire and Buckinghamshire were closed for three days, along with a further 78 schools closing in nearby borough of Luton on the 13th December. In addition to these issues local motorways were closed and some instances of fuel panic buying occurred along with Heathrow airport being required to adjust fuelling plans for some aircraft operating from Heathrow. A number of businesses were seriously affected by the issues at Buncefield particularly those in the Maylands industrial area. The headquarters of Fujifilm and buildings belonging to 3Com Corporation were 5

6 badly damaged. In the case of Fujifilm the building was damaged beyond repair. In all, six buildings were designated for demolition with a further 30 requiring major repair before they could be re-occupied. Northgate Information Solutions were also seriously affected leading to a number of websites and IT systems hosted by Northgate to become unavailable. The website of the Labour Party and the IT system handling admissions to the Addenbrooke Hospital in Cambridgeshire were affected for several days. Online fashion retailer ASOS were forced to close for five weeks resulting in 4million of lost sales. UK and Ireland Floods In November and December 2009, UK and Ireland were hit by severe floods across both countries with Cumbria and Dumfies and Galloway being affected in the UK and the Irish counties of Clare, Cork, Galway and Westmeath suffering. In addition to the serious human consequences with many homes being flooded, numerous businesses were disrupted, along with power supplies and road and rail transport links causing difficulties for business around both countries. Flooding is becoming an increasing problem in many areas of the world due to a combination of climate change and the pressure to build in more and more flood threatened areas. For more information see: Blackberry Outage On the 10th October 2011 Research in Motion (RIM) suffered from several technical issues with servers at the Slough offices resulting in service outages for up to 70 million customers in Europe, the Middle East and India. This outage affected personal and business users alike including those using Blackberry Enterprise Servers and lasted for three days, leaving some businesses having communication difficulties with their customers. In a press conference RIM s co-ceo Mike Lazaridis explained: On Monday, we had a hardware failure that caused a ripple effect in our system, a dual redundant high-capacity core switch designed to protect the infrastructure failed, this caused a cascade failure in our system, There was a back-up switch but the back-up did not function as intended and this led to a backlog of data in the system. The failure in Europe, in turn, overloaded systems elsewhere. When we restarted the system based in Europe the data queue processing took much longer than we had expected to restore to our standard service levels, this backlog impaired service levels According to an article in the International Business Times the estimated cost to RIM could be in the region of $350 million, however the outage resulted in many negative news reports and required senior management to make public apologies on behalf of the company. The longer term financial losses from a damaged reputation are difficult to quantify and is one of the key possible impacts of any Business Continuity incidents. Many other high profile examples where tested Business Continuity plans would be critical can be named as well as numerous day to day examples, in essence the above examples show an unexpected incident can occur at any time but the impacts can be managed by applying a proactive approach to Risk and Business Continuity Management. 6

7 Why should you use 22301? The amount of effort you need to apply to build a Business Continuity solution can appear to be overwhelming. While building your solution you need to follow a program that involves a number of clearly defined steps. Once you have selected these steps you should identify the associated costs in order to avoid unnecessary overspending. There is no business case to be made for failing to control costs. As soon as you have finished implementing all these steps you want to make sure they work and have the desired effect, so you need to be able to verify them. Even then the Business Continuity effort does not end here, once you have implemented and verified the solution, you need to maintain it and make sure it still aligned to your business strategy and objectives. All of these complicated requirements and issues can be addressed by adopting the new ISO standard. This standard is focused on the implementation and operation of a Business Continuity Management System (BCMS) that addresses all of the issues mentioned above and enables you to manage, coordinate and control your Business Continuity efforts. The ISO standard is vendor and technology neutral. This means it will fit the requirements of most organisations without creating a vendor lock-in or applying to one or two specific technology situations. Obviously, the ISO standard allows for specific solutions to be integrated into the BCMS, but it is not written with a specific technology solution in mind. The standard follows the same structure as some of the better-known ISO standards like ISO 9001 and ISO These ISO standards follow the Plan/Do/Check/Act model and demand very similar things to ISO For example requirements for Internal Audit, Management Review and Management Commitment are exactly the same across all of these standards. Because of these similarities, some of the work performed while implementing other standards can be re used, especially the risk identification and management steps from ISO This can save considerable time, resources and money when designing and implementing an ISO Business Continuity Management System. By integrating the BCMS with the management systems of other ISO standards, an organisation can make significant savings on operational costs and efforts. Instead of maintaining two or three separate management systems, only one needs to be maintained. This has the additional benefit that the different management systems can be aligned and thus enforces each other. 7

8 Because of the Plan/Do/Check/Act cycle built into the standard, it becomes almost natural to adapt the BCMS implementation to changes in the environment of the organisation. Identifying these changes and managing them through the PDCA cycle will automatically incorporate them into the BCMS. There is no need to redo the complete business continuity program all over again. As already stated the ISO standard is vendor neutral and has been written in such a way that it can be independently certified, similar to the ISO 9001 and ISO An independent certification body can verify the implementation and operation of the BCMS. Once the organisation has attained this certification, this can be used to provide assurance to customers and can be used as a very strong marketing tool. As the standard is independently verifiable, an organisation is not bound to one audit or certification firm, but can choose from any certification body that provides the best fit and value to the business. How? The steps taken to build a Business Continuity Management System according to the ISO standard follow the generic steps used in building other management systems (e.g. in building an ISMS based on ISO 27001). These steps are listed below and should help you get an idea on the benefits and impact of establishing an ISO based BCMS. Step 1 Establish external and internal context of the BCMS. In this step the organisation should determine in what context the BCMS must operate, what information systems are managed by the BCMS and what the legal and business requirements are for Business Continuity, and potentially Disaster Recovery. Performing a Business Impact Analysis will help in determining the scope and selecting the business critical information systems. 8

9 Step 2 Once the context has been established, the organisation needs to be mobilised to show commitment to the implementation and operation of the BCMS to be built. Building and operating a BCMS, like any other management system, will require financial and time commitments. The benefits and commitments needed should be communicated to the right level of management within the organisation in order to ensure that the BCMS is actively supported by all levels within the organisation. The management s support and commitment is crucial to the success of the project! This commitment takes the form of establishing and communicating a Business Continuity policy, defining roles and responsibilities in the organisation and giving the right authority to people within the organisation. Step 3 After getting the support and commitment of upper management, the goals and objectives of the BCMS need to be formulated. These should be based on the business drivers and needs for continuity. The final version of the BCMS should both effectively and efficiently support these drivers and goals. By performing a risk analysis, the organisation should determine what are the specific threats to these goals and drivers. Once these threats have been assessed, controls need to be selected which can reduce these risks to an acceptable and manageable level. Step 4 The set of controls selected after the risk assessment need to be implemented in the organisation and should be applied to people, processes and technology. Once they have been implemented, they need to be tested for both effectiveness and efficiency. Step 5 After building this initial version of the BCMS, it needs to be embedded in the organisation so it can be operated. This initial version of the BCMS will most probably not cover all aspects and systems due to limited time and resources. Like any ISO standards based management system, the BCMS follows the plan-do-check-act cycle of continuous improvement. Using the PDCA cycle, the BCMS can be expanded and improved in a controlled manner. Future benefits Implementing and maintaining a BCMS based on the ISO standard has important future benefits. Due to its vendor and technology neutral nature there is no threat of vendor or technology lock-in. The organisations stay in control of their own business continuity and can choose from a number of players in the market, both for implementation and certification. Implementing a BCMS along with a QMS (ISO 9001) and or an ISMS (ISO 27001), and integrating them will reduce costs, ease operation and makes it easier to keep the alignment to the business goals. In the long run, this will save organisations money, time, and of course protect their image, brand and reputation. Integrating these management systems into an overall business risk management strategy becomes easier and adapting to new risks and opportunities will require less effort. 9

10 Conclusion Organisations need to be in control of the various risks which they face; from information security, health and safety of its employees, investing in people, financial probity, business continuity, the impact on the environment... The list is endless! Existing clients, strategic partners, and prospective customers are all judging how fit you are for business by looking at way in which you manage these risks. Our aim is to help you control your business risks, ensuring you can take advantage of business opportunities! We aim to improve operational efficiency to allow your business to see a good return on its investment through addressing those risks, demonstrating professional practices and adhering to applicable legislation and regulations. Organisations that have taken this approach have proven that it has helped them to succeed in business along with lowering costs and we are convinced that we can help you to achieve greater success too. Parker Solutions Group uses a holistic approach to managing these risks and thus improving your business. Our consultants have helped many organisations achieve certification and compliance to recognised ISO standards as well to other recognised standards across the globe. These ISO standards can be integrated seamlessly. They share many principles, so by looking at getting your business compliant in a number of areas can provide you with outstanding value for money. We ensure your business is compliant with current legislation, certified to industry standards and fit for business! 10

11 About PARKER Solutions Parker Solutions Group was established by Managing Director Graeme Parker in response to the increasing risks and challenges that organisations across the globe are facing. We are providers of professional training, services and coaching across multiple risk disciplines. Our aim is to enable your organisation to become resilient to threats, to increase your ability to seize opportunities and to ease the effort of meeting compliance requirements. Our international multi-disciplinary team of professionals is on hand to provide solutions across key risk areas including Cyber Security, Business Continuity, IT and Technology Risk, Energy, Safety, Sustainability and Environmental risk. With our strong knowledge and experience of standards in these areas along with our innovative and proportionate approach we are ready to enable your organisation. Our mission is to ensure that Governance and Risk Management efforts are implemented efficiently as possible and become a business enabler. We firmly believe that addressing risk should not be a cost or necessary evil but should be a benefit to your organisation. With a strong team of professionals Parker Solutions Group helps organisations make Risk Management become a business enabler by increasing efficiency and reducing un-necessary cost. All our solutions are linked to the key objectives of your organisation. We are more than just a consultancy, we can make recommendations and we also have the ability to go that one step further and actually implement working solutions covering people, processes and technologies. Our professional coaching and training services are also designed to enable your organisation to become self-sufficient reducing the reliance on external consultants. Whether your organisation is a small business, large multinational or a public sector organisation you can be assured that providing a highly professional and excellent service is the core principal of Parker Solutions Group. We have professionally certified and dedicated people with proven skills in the services we offer. Our people have experience working with and assisting a wide variety of organisations around the globe. We would like to thank PECB for generously providing the graphics for this whitepaper. For further information and free no obligation discussion please contact us on: 6 George Street, Driffield, York, YO25 6RA UK enquiries@parkersolutionsgroup.co.uk +44 (0)