BUSINESS CONTINUITY MANAGEMENT


BUSINESS CONTINUITY MANAGEMENT RCG020-V1-01/2017 Page 1 2017 Royal & Sun Alliance Insurance plc

Contents

Introduction ... 3
Business Continuity Management ... 3
Getting started ... 3
Business Impact Analysis ... 4
Risk Assessment ... 4
The Planning Phase ... 6
Developing the BCP ... 6
Invocation & Communication ... 7
The Post Planning Phase ... 8
Exercising the BCP ... 8
Review & Up-date Arrangements ... 8
Further Information ... 9

Introduction

We live in an unpredictable world. No matter how effectively a business protects itself through insurance, there are some risks that cannot be anticipated, nor insured. Appropriate insurance can provide monetary protection in case of events such as fire, flood, denial of access or acts of terrorism. Typically, cover relates to the shortfall in gross profit for a specified period following the damage event. However, insurance can never provide total security against the long-term or permanent loss of:

- customers
- brand value
- share price
- markets
- quality
- key employees

The only effective protection against serious disruption of your business is Business Continuity Management. The following guidelines are designed to help you to alleviate the effects of an incident and to develop a recovery plan tailored to the needs of your organisation.

Business Continuity Management

Business Continuity Management (BCM) is about having resilience to business interruption and just-in-case recovery procedures for business-critical processes. These recovery procedures take the form of a Business Continuity Plan (BCP) that includes the key actions, personnel, contact information and services needed to manage the incident and the recovery process. The breadth and depth of planning will depend upon the size, nature and complexity of your organisation.

Getting started

You should start by asking yourself these questions:

How complex is our business? The nature of the business and its operations will be a major factor in considering recovery strategies.

What size is our business? This has a bearing on how many people you would need to involve, both in the planning and in the initial recovery process, and on how you organise them into teams.

Which processes are business-critical? Prior knowledge about which parts of your business must be given recovery priority is fundamentally important.

What resources will be required? You will need to make an early assessment of the likely costs of planning and recovery. You will then need to budget accordingly.

Who should be involved? You will need to involve people with the right skills and experience.

Business Impact Analysis

In the aftermath of a disaster there will be competing requirements for recovery. Business Impact Analysis (BIA) provides the necessary focus for prioritised recovery of business-critical processes. The purpose of BIA is to:

- identify and evaluate business-critical processes;
- prioritise reinstatement or replacement needs;
- identify the resource requirements to achieve this.

The easiest way to address BIA is to list all your processes and decide (yes or no) whether you consider them to be business-critical. Bear in mind that, whilst some processes may not be business-critical all the time, you need to plan recovery from a worst case, including the worst timing of an event or set of circumstances.

Where the answer is yes:

- Apply a scale (say 1-3, with 1 being the highest priority) to recovery priorities.
- Decide what facilities and resources would be required to achieve these recovery priorities.
- Give realistic consideration to how quickly the resources could be replaced or alternatives made available.
- Use this information as the basis for developing your recovery strategies.

Risk Assessment

Risk assessment is about understanding the business interruption risks to which your organisation is exposed, the likelihood of occurrence and the probable level of impact. The benefit of carrying out a risk assessment is the assurance that appropriate loss prevention and damage limitation arrangements are in place. The benefit of carrying out the BIA, as well as the risk assessment, is that it enables you to focus attention on the activities, processes and resources that have been identified as business-critical.

Risk assessment is a required procedure for health and safety in the workplace and the same approach should be used for BCM. The purpose is to:

- Identify and measure the risks (fire, flood etc.) and threats (loss of power, communications etc.) to your business;
- Review the controls in place to reduce risks and threats;
- Reduce the risks and threats, where necessary, by implementing further controls;
- Assess the impact on your operations should a loss happen.

The main areas that should be addressed are "hardware", meaning the physical arrangements in place, for example fire detection and suppression devices and security installations, and "software", meaning the human element, for example operating procedures, training and working practices. Risk assessment is accomplished by a combination of physical inspection and review of the procedures and practices in place. The outcome of the process will be a better understanding of your business interruption exposures and resilience, and it will provide you with the opportunity to make appropriate improvements to your risk control measures and programmes.

Listed below are the major headings for evaluation, with examples of the issues to be investigated:

The organisation: What are your key activities and processes; how immediate would be the effect of interruption?

Premises: Are they specialised or standard; what alternatives are available; does location matter; how long to re-build; is there likely to be planning opposition, special conditions, or difficulties with site access?

Key personnel: Do you have key teams or individuals; what is their loyalty and flexibility; are they readily replaceable; are they deputised; do they have unique knowledge or contacts?

Customer base: Are you a just-in-time business; how fierce is competition; what is the level of customer loyalty; are there seasonal/periodic peaks to your business?

Utilities: What is your reliance upon electricity, gas, water; what is the resilience of supply; what are your fallback arrangements?

Plant & Equipment: Are there production or process bottlenecks; are there long lead times for key items; what is the history of breakdown; are strategic spares kept; where are these located?

Product: What are the lowest quantities and highest demand levels for raw materials, components, finished goods and consumables; how long to replace; is direct supply to customers possible?

Technology: How important are IT and telecommunications; is there adequate physical protection; how long for system hardware and software replacement; what service level is contractually provided; do you have stand-by power?

Data: Do you have vital paper-based or electronic data; are confidentiality, integrity and availability adequate; are back-up arrangements for data and software appropriate?

Suppliers and sub-contractors: Are these vital to your operations; what is their resilience to supply interruption; are there alternatives?

The Planning Phase

Developing the BCP

The prime requirement is to document or otherwise record the BCP to ensure its availability in the event of disaster. The plan should include:

- brief overview of objectives and strategy;
- team membership;
- roles, responsibilities and procedures;
- supporting database information.

Objectives & Strategy

The BIA process provides the base-line information on which to set the objectives and build the strategy, which should identify recovery requirements and timeframes and alternative strategies for recovery. Examples of possible strategies include contracted assistance, alternative premises, alternative suppliers, direct supply and standby facilities.

Teams

Large organisations will require separate teams to plan and manage recovery; these may include:

- Crisis Management Team
- Emergency Response Team
- Facilities Recovery Team
- Technology Recovery Team
- Business Recovery Team(s)

Smaller businesses may require fewer teams and very small organisations may require only a single team. Consider, however, the potential for trauma and stress and the workload that is likely to fall upon key individuals in the event of a major incident. Typical roles and responsibilities are set out below:

Crisis Management Team: Plan invocation, command and control; media relations; content of internal and external communications.

Emergency Response Team: Evacuation and employee and public safety; damage evaluation; post-incident security; emergency services liaison.

Facilities & Technology Recovery Team(s): Provision of accommodation, furniture, plant, equipment, consumables, systems and data recovery.

Business Recovery Teams: Recovery of business-critical processes, as pre-established.

These roles and responsibilities must be clearly defined but sufficiently flexible to respond to unanticipated incidents and circumstances. There should be deputies to cover for absences.

Invocation & Communication

Pre-define the circumstances for plan invocation; give particular consideration to business-closed periods. Pre-define responsibilities within the plan. Use a cascade or communication chain system when dealing with a large number of people.

It is essential that controlled communication be made with all potentially interested parties, as soon as possible. The BCP should include contact details and should assign responsibility for ensuring that communication takes place and that the right message is given. Those with whom early contact is essential are likely to include management and recovery teams, employees, shareholders, business partners, insurers, suppliers, customers, media, public authorities and sources of assistance. Sources of assistance may include disaster recovery service suppliers, building contractors, facilities and equipment suppliers, emergency glaziers and plumbers, and utilities companies.

Awareness & Training

Training is the essential basis for assuring the ability of teams to respond effectively to a disaster. Initial training should address the need for, and the practical application of, BCM. Training will also arise as part of the plan preparation process, where it occurs through checking the assumptions underpinning the strategy and validating the viability of the plan procedures and resources.

This element of planning and training is best achieved by the use of informal talk-throughs of the procedures, adjusting and revising as required. Ongoing training should be incorporated via the Review & Maintenance regime, which should be part of ensuring the continuing applicability of the plan and the knowledge of those who have BCM responsibilities.

Security & Availability

The BCP needs to be available, no matter what the circumstances. The size of your organisation will dictate how many other people will need a copy of all or part of the BCP but, the more copies in circulation, the more complex it will be to maintain. Ideally, a full copy should be kept offsite, secured and readily available at all times and in all circumstances.

Record Keeping

Regardless of the circumstances of BCP invocation, it is imperative to keep written records. Benefits include the ability to carry out post-event checks on the efficacy of the BCP, to capture details of expenditure, to control expenditure and to validate insurance claims. Each team should record all pertinent actions, resources used and expenditure.

The Post Planning Phase

Exercising the BCP

Create a programme of periodic exercises, each designed to try out one or two components of your plan (the invocation procedures are an important example). Certain elements of Business Continuity Plans lend themselves more readily to physical testing; for example, IT recovery plans that are based upon a contractual response provide just such opportunities. Desk-top exercises using pre-prepared loss scenarios should be used to exercise the integration of the full plan. As with all training and exercising, the opportunity should be used to up-date, amend or add to the BCP, as necessary.

Review & Up-date Arrangements

BCM is a continuous process. As your business and its processes change, your BCP must reflect these changes and your teams must be able to respond positively. The BCP should include appropriate maintenance arrangements. The recovery strategy, procedures and supporting database should be reviewed at least annually. For most organisations, there will be a need for more frequent reviews, particularly where there are changes of process, product, personnel etc.

In essence, the arrangements put in place should allocate clear responsibilities for the review and up-date of risk exposures and controls, recovery priorities, strategy, recovery procedures, supporting data, training (including personnel changes) and BCP exercising and testing.

Your Business Continuity Plan could mean the difference between survival and failure. However, it will only be as useful as the last time it was reviewed and up-dated.

Further Information

Further information on Business Continuity Management is available from the Business Continuity Institute (BCI) - www.thebci.org.uk

To assist you, RSA work in partnership with the RISCAuthority, who have developed a BCM planning tool called Robust. This is available via the RISCAuthority - https://robust.riscauthority.co.uk/

The RISCAuthority also publish a BCP Template for Small Businesses, which may also be found on their website: http://www.riscauthority.co.uk/free-document-library/riscauthority-library_detail.businesscontinuity-template-for-small-businesses.html

Disclaimer

The information set out in this document constitutes a guide and should not be construed or relied upon as specialist advice. RSA does not guarantee that all hazards and exposures relating to the subject matter of this document are covered. Therefore RSA accepts no responsibility towards any person relying upon these Risk Control Guides nor accepts any liability whatsoever for the accuracy of data supplied by another party or the consequences of reliance upon it.