Dr. Wolfgang H.Mahr, M.Sc., BBA, MBCI, CISA governance & continuuuity gmbh CH-8408 Winterthur, Switzerland www.continuuuity.ch LinkedIn, XING, Twitter, BNI wolfgang.mahr@continuuuity.ch 2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page1
Small and Medium Enterprises Why Business Continuity? Benefits from Business Continuity? Survey Results What is BCM, a BC-Plan and the BCM Lifecycle? Values of a BC Planning Who takes responsibility? The BCM Lifecycle The BCM Project Critical Success Factors Conclusions Checklists
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page2
“Small and medium-sized enterprises (SMEs) are the engine of the European economy. They are an essential source of jobs, create entrepreneurial spirit and innovation in the EU and are thus crucial for fostering competitiveness and employment” Günter Verheugen, 2004 to 2010 Member of the European Commission Responsible for Enterprise and Industry
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page3
Due to the importance of SMEs, their management have a direct responsibility to ensure that their organisations are prepared for any form of internal or external disruption and · · · · · · ·
are able to identify potential threats to their business are prepared to identify and address disruptions have a risk management process have a business continuity process in place protect their employees during a disruption Protect their stakeholders interests Are able to maintain business operations during…
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page4
Why Business Continuity?
Would you, your organization, or your management and staff be prepared to recover from this? Do your clients require you to have a BCM plan?
How long would it take you and your staff to return your business back to “pre-disaster” condition?
How much revenue will you lose during recovery?
Have you protected vital business and commercial data, records, orders, invoices?
Are your employees protected?
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page5
Business Continuity benefits
Protecting company value and reputation
Safeguards the reputation and future of the company in an emergency
Increase shareholder value and demonstrates commitment by management
Assures the survival of the company in the case of a serious incident
Minimize financial losses in case of an incident or emergency
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page6
Business Continuity benefits
Competitive advantage
Demonstrates to clients that the company has a BCM process in place
Clients are more likely to select a supplier who has a BCM process
BCM shows that the company is an early adopter of strategic processes
BCM can be translated into an improved company performance
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page7
Business Continuity benefits
Proactive Management
Provides evidence of due care and attention to prevent an emergency
BCM provides management a clear overview of the risk landscape
Implementing BCM is a sign of company strength and strategic direction
BCM indicates being proactive and not reactive to events and threats
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page8
Business Continuity benefits
Continuous operations
BCM identifies the responsibilities of all parties in the event of an emergency
In the event of an incident, management and staff can continue to work
Shorter recovery time from an emergency or disruption
Provides confidence to clients that commitments will be met despite an emergency
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page9
Survey: Business Impacts
15% Organisations undertook a BIA in the last year.
53% Organisations undertook BIA more than 1 to 2 years ago
32% No BIA undertaken at all.
This result reflects those organisations [mostly SMEs] that do not have a Business Continuity. Should these organisations experience a serious disruption they may not survive.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page10
Survey: Supply Chain
48% Organisations have an (full or limited) agreement in place with suppliers. 39% Organisations do not have any agreement or have only "adhoc" (11%). Most of the organizations without an agreement in place are SMEs including those organizations that have no BCM plan and do not undertake a BIA.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page11
Business Continuity Management
Is a holistic management process that identifies potential threats to an organization
It identifies the impacts to business operations that those threats, if realized might cause
It provides a framework for building organizational resilience
Provides the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and valuecreating activities
Reference: ISO 22301:2012(E), Clause 3.4
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page12
Business Continuity Plan
A Business Continuity Plan includes: Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets. Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations. Policies, strategies, plans, procedures and standards for ensuring that specified operations can be maintained or recovered in a timely manner in the event of a disruption
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page13
What is the BCM lifecycle?
Reference: The Business Continuity Institute
2013-04-23.1 Š 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page14
What is the value of BCM?
Added value” with the provision of a business continuity plan include: Improvement in overall organizational efficiency and identifying the relationship of assets and human and financial resources to critical services and deliverables.
It improves a company’s positioning in ensuring recovery from financial and operational losses, regulatory fines, and damage to assets and business reputation.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page15
What is the value of BCM?
It can eliminate or minimize losses such as: ◦ expected sales revenues, ◦ customer base (market share) due to customer service/satisfaction and competitor PR, ◦ new customer acquisition (and sales revenue) ◦ prevention of negative publicity by your competitors should you experience a disruption.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page16
What is the value of BCM?
It can be used to protect critical elements of your network.
It provides a competitive advantage that can be used as a marketing tool to secure customer confidence, leading to increased sales performance and revenue. It reduces exposure to liability and enables a company to achieve expense control. It facilitates compliance with government regulations (compliance)
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page17
The Lifecycle Process
Stage 1 A Business Impact Analysis should provide data from which an appropriate continuity strategy can be developed as part of the next phase of the Business Continuity Management cycle.
What are the objectives of the organization?
How are the business objectives achieved?
What are the products / services of the organization?
Who is involved (both internally & externally)
What are the time imperatives on the delivery of products or services
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page18
The Lifecycle Process
Stage 2 After a Business Impact Analysis (in Stage 1) it is important to assess the risks to those most critical aspects of your business identified. The resulting BCM Strategies cover ◦ Alternative operating methods to maintain the organization’s business critical processes ◦ Their dependencies as determined in the Business Impact Analysis. ◦ Vulnerabilities and single points of failure
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page19
The Lifecycle Process
Stage 3 It is important to develop a response to challenges identified in the earlier stages of the cycle. Crisis Management Plan – effective and timely management of a crisis is significant factor Business Continuity Plan – brings together the response of the whole organization to a disruptive incident and directs the resumption of business units according to agreed priorities Business Resumption Plan – provides the operational response to an incident of each department of the organisation.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page20
The Lifecycle Process
Stage 4 Once you have developed your plan it will become a key asset to your organization. However just having a plan that sits on a shelf will not be sufficient to ensure your organizations survive an incident
people need to be aware of o its contents o their roles and responsibilities and are taught how to use it.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page21
The Lifecycle Process
Stage 5
Key considerations:
Develop an Exercise Programme –structured exercises Develop a Maintenance Programme – this ensures your organization remains ready to handle incidents despite constant changes Audit your Business Continuity Plans – This will enable an impartial review
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page22
The BCM Project
Step 1: Recognize that Business Continuity is not only for large, international and global companies Step 2: Every company management should adopt forwardlooking business continuity and risk management process and support its implementation at all levels. Step 3: Identify every conceivable, realistic risk that the organization might be faced with and establish approaches to solving the problems. Step 4: Develop your organizations business continuity plan either yourself or by a certified business continuity specialist, adopt the Critical Success Factors, see next page. Step 5: Have your business continuity plan audited by a certified business continuity auditor to ensure it meets requirements.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page23
Critical Success Factors
Senior management buy-in and commitment to Business Continuity is ESSENTIAL. Without this commitment the plan will almost certainly FAIL. For the Business Continuity Plan to be effective, it MUST support the business critical functions. The organization’s Strategic Business Planning MUST be fully integrated with the Business Continuity Planning processes It is essential that Business Continuity is adequately budgeted for and funded. The creation of a culture in your organization that recognizes the purpose and importance of BCP is key. ISO 22301 BCMS Lead Implementer and ISO 22301Lead Auditor Training Courses, with optional exam and certification 2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page24
Critical Success Factors
Business Continuity Plans must be up to date, and tested regularly to remain relevant to the organization. Testing of any Off-Site Disaster Recovery Facility is essential to address peripheral issues i.e. logistics, transport, stock keeping etc. Regularly audit Business Continuity plans In a disaster scenario staff will be under significant pressure and availability of accurate and up-to-date plans and supporting information (numbers, papers, proformas, maps, directions, etc.) will be essential to ensure the organization recovers as quickly as possible.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page25
Conclusions
Business Continuity Management is a continuing process that helps an organization anticipate, prepare for, prevent, respond to and recover from disruptions, whatever the source or affect to the business. Research has illustrated that organizations can suffer devastating results from even minor interruptions. The key to recovery and survival is time and planning. You owe it to yourself and your customers to be an organization that is confident of being ‘back in business’ in the quickest possible time. Make sure that you are not one of those organizations that were
not prepared to survive.
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page26
Checklist for Small Businesses
1) Develop a business continuity / disaster recovery plan. 2) Alternative operational locations Determine which alternative offices are available in advance. 3) Equip your backup operations site with critical equipment, data files and supplies. 4) Safeguard your property Review if your property is able to survive a flood or other disaster and any risks. 5) Contact information Do you have contact information for clients, suppliers and employees? 6) Communications Review reliable methods of communicating with your employees 7) Employee preparation Make sure your employees know the emergency plans and what they should and should not do 8) Customer and supplier preparation Make sure your key customers and suppliers know where you can be contacted and how you will advise them during a crisis 9) Evacuation order When a mandatory evacuation is issued, be prepared to leave immediately. Ensure that critical office records and equipment are protected before any incident. 10) Cash management Be prepared to meet emergency cash-flow needs. 11) Post-disaster recovery procedures Consider now how your post-disaster business may differ. Review and audit your business continuity plan and learn from the disaster. 2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page27
Thank you
2013-04-23.1 © 2013
Kuwait Business Continuity Conference 22 – 23 April 2013
Page28