Had You Come to the Last Event 

By Eric Stern, ASQ CQA, Publicity co-chair (for ASQ Montreal Section 401 Newsletter, January 2010, Volume 60, Issue 1)

On November 18, Georges Cowan and Christian Dragnef presented “Business Continuity and Risk Management”.

Their overview showed that organizations want to demonstrate to their clients that they, as a supplier, will remain available even in troublesome times. Clients ask organizations to confirm their capability of making it out of troubled waters.

Business Continuity (BCP) and Information and Communication Technologies (DRP) standards ensure that organizations can withstand major interruptions to their buildings, systems, and human presence in the face of ice storms, pandemics or other disasters. The speakers presented how these relate to other standards, why risk management is important to continuity, how to use the Plan-Do-Check-Act methodology, and the rising importance of Risk Management.

Information threats can affect the bottom line. It is important to choose the right places to spend on information security; Information Risk Management can help.

Use of the standards discussed helps build resilience, protects the interests of key decision makers and the reputation of the organization, and develops new opportunities. Just to mention a few: BS25999 deals with Information and Communications Technology. BS25777 focuses on ICT Continuity Management and discusses ICT Continuity Management Timescales, Risk Management, and Plan – Do – Check – Act (PDCA). ISO 27005 brings a Risk Management perspective and reviews the Information Security Risk Management Process. BS31100 deals with the Risk Management Framework. Private and public UK companies developed BS 25999 together.

It provides organizations of any type, size and location with a common framework, based on internationally accepted best practices, for implementing and managing business continuity. It provides a framework for improving operational effectiveness, allows for the proactive management of business risks and their impact, helps demonstrate that applicable laws, regulations and contractual requirements are being observed, and brings a common understanding to the marketplace.

Benefits include a growing consensus on what constitutes best practice and a better understanding of the business benefits among an increasing number of organizations. Attitudes are changing as companies realize that the risk management and business continuity disciplines should be working together. Recognition that it can help reduce business interruptions adds value to the business by identifying opportunities for improvement. A business continuity management system ensures that the system, once implemented, is maintained and continually improved.

BS 25999-1:2006 is a business-driven code of practice for business continuity management. It establishes the BCM processes, principles and terminology. It provides a basis for understanding, developing and implementing business continuity within organizations. It provides a comprehensive methodology and is structured along the Plan-Do-Check-Act philosophy.

It ensures that, within minutes to hours, staff and visitors are accounted for, casualties are dealt with, damage is contained and limited, damage is assessed, and the BCP is invoked.

ICT Continuity Management – BS25777

ICT continuity management focuses not only on the likelihood and impact of disruptive incidents, but also on the ability of the organization to detect and respond to the occurrences of such incidents.

Organizations ensure that they are resilient and recoverable at the appropriate level; that any unexpected event within a service is detected, addressed and investigated in a timely manner; that the dependencies between ICT services and external factors are known and used in assessing risk; and that dependencies on the technical components are known and used in assessing risk and the impact of change.

The time scale for action is a function of the location of the product, service or activity.

Risk management ISO 27005

Risk Management Role 

Information assets are categorized by systems, categories and components. So are the threats and their impacts. Categories include: operational, hazard, strategic and financial.

ISO 27001 and 27005 are being developed internationally along these lines.

Assets are valued; ISO 27002 deals with the management system documentation.

Examples were given of how specifically the details of risks are analyzed and documented.

Risk Management: BS 31100, BS ISO 31000.

Starting with the principles of managing risk, these standards cover the framework for managing risk, the implementation of risk management, and the process for managing risk.

Categories covered include Categories of Risks; Brand and image; Environment, Health & Safety; Infrastructure; Threats (internal resources); Threats (external resources); Strategic (intellectual property) and changes; Legal risks; Financial risks; Operational risks (processes).

Risk Management starts with Top Management. It has to take a series of steps that include: related risk assessments and litigation plans; factors that may impact the organization included as inputs into the management review; loss prevention and litigation plans for identified risks as an output of the management review process; mandatory metrics and dashboards; and acceptance that whistleblowers may and will help Management and the board. As a result, business continuity is higher up the organization’s agenda and top management has more corporate governance responsibilities. BCM is less about the plan itself and more about ensuring that the requirements are built into every facet of the business; attitudes are changing as companies realize that the risk management and business continuity disciplines should be working together.

These standards will help organizations enhance their resilience and establish, manage and improve Business Continuity and Information Security Management Systems. Business Continuity and Risk Management will penetrate the organization’s culture when it implements these standards.


Eric Stern, CQA, ericst@iseffective.com
For networking with local quality professionals explore these groups: http://tech.groups.yahoo.com/group/Quality_Montreal/ http://www.linkedin.com/groups?gid=90170