November 18: Georges Cowan and Christian Dragnef presented “Business Continuity and Risk Management”.
Their overview showed that organizations want to assure their clients
that they, as a supplier, will remain available even in troublesome
times. Clients ask organizations to confirm their capability of
making it out of troubled waters.
Business Continuity (BCP) and Information and Communication
Technologies (DRP) standards ensure that organizations can withstand
major interruptions to their buildings, systems, and staff presence in
the face of ice storms, pandemics or other disasters. The speakers
presented how these standards relate to other standards, why risk
management is important to continuity, how to use the Plan-Do-Check-Act
methodology, and the rising importance of Risk Management.
Information threats can affect the bottom line, so it is important to
choose the right places to spend on information security. Information
Risk Management can help with that choice.
Use of the standards discussed helps build resilience, protects the
interests of key decision makers and the reputation of the organization,
and develops new opportunities. To mention a few: BS25999 deals
with Information and Communications Technology. BS25777 focuses
on ICT Continuity Management and discusses ICT Continuity Management
Timescales, Risk Management, and Plan-Do-Check-Act (PDCA). ISO 27005
brings a Risk Management perspective and reviews the Information
Security Risk Management Process. BS31100 deals with the Risk
Management Framework.
Private and public UK companies developed BS 25999 together.
It provides organizations of any type, size and location with a common
framework, based on internationally accepted best practices, for
implementing and managing business continuity. It provides a framework
for improving operational effectiveness, allows for the proactive
management of business risks and their impact, helps demonstrate that
applicable laws, regulations and contractual requirements are being
observed, and brings a common understanding to the marketplace.
Benefits include a growing consensus on what constitutes best practice
and a better understanding of the business benefits among an increasing
number of organizations. Attitudes are changing as companies realize
that the risk management and business continuity disciplines should be
working together. There is recognition that it can help reduce business
interruptions and adds value to the business by identifying
opportunities for improvement. A business continuity management system
ensures that the system, once implemented, is maintained and continually
improved.
BS 25999-1:2006
This is a business-driven code of practice for business continuity
management. It establishes the BCM processes, principles and
terminology, and provides a basis for understanding, developing and
implementing business continuity within organizations. It provides a
comprehensive methodology, structured along the Plan-Do-Check-Act
philosophy.
Within minutes to hours it ensures that staff and visitors are
accounted for, casualties are dealt with, damage is contained and
limited, damage is assessed, and the BCP is invoked.
ICT Continuity Management – BS25777
ICT continuity management focuses not only on the likelihood and impact
of disruptive incidents, but also on the ability of the organization to
detect and respond to the occurrences of such incidents.
Organizations ensure that they are resilient and recoverable at the
appropriate level; that any unexpected event within a service is
detected, addressed and investigated in a timely manner; that the
dependencies between ICT services and external factors are known and
used in assessing risk; and that dependencies on technical components
are known and used in assessing risk and the impact of change.
The time scale for action is a function of the location of the product,
service or activity.
Risk Management – ISO 27005
Risk Management Role
Information assets are categorized by systems, categories and
components, and so are the threats and their impacts. Categories
include: operational, hazard, strategic and financial.
ISO 27001 and 27005 are being developed internationally along these
lines. Assets are valued; ISO 27002 deals with the management system
documentation. Examples were given of how specifically the details of
risks are analyzed and documented.
Risk Management – BS 31100, BS ISO 31000
Starting with the principles of managing risk, the standards cover the
framework for managing risk, the implementation of risk management, and
the process for managing risk.
The categories of risk covered include brand and image; environment,
health and safety; infrastructure; threats to internal resources;
threats to external resources; strategic risks (intellectual property)
and changes; legal risks; financial risks; and operational risks
(processes).
Risk Management starts with top management, which has to take a series
of steps. These include related risk assessments and litigation plans;
factors that may impact the organization being included as inputs into
the management review; loss prevention and litigation plans for
identified risks being produced as an output of the management review
process; mandatory metrics and dashboards; and acceptance that whistle
blowers may and will help management and the board. As a result,
business continuity is higher up the organization’s agenda and top
management has more corporate governance responsibilities. BCM is less
about the plan itself and more about ensuring that the requirements are
built into every facet of the business; attitudes are changing as
companies realize that the risk management and business continuity
disciplines should be working together.
Standards help organizations enhance their resilience and establish,
manage and improve Business Continuity and Information Security
Management Systems. Business Continuity and Risk Management will
penetrate the organization’s culture once these standards are
implemented.