The RM To BC Route Presentation John Agius_G31000 Conference-Paris 21-22 May 2012 V4.2
1. 21/05/2012
The RM to BC Route
(How ISO 31000 benefits Business Continuity)
Presentation by: John Agius
M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW
ISO 31000 Conference
Paris, France 21 – 22 May 2012 Slide: 1
When organizations decide to implement BC, RM, together with the basic BC prerequisites, is already established through the RM process within the organization.
This is not the exception but the case every time.
Slide: 2
The RM to BC Route
• ISO 31000 & 22301 Standards Series
• Management
• Risk (and RM)
• BC or Disruption Related Risk?
• We all manage risk
• Historical view of Management, RM & BC
• The Disaster Sequence Model (DSM)
• The treatment of risk
• How ISO 31000 benefits BC
• Way forward
Slide: 3
ISO 31000 & 22301 Series
Standard: a researched and established model depicting how to develop, deploy and manage a practice.
ISO 31000: 2009 Risk Management – Principles and guidelines
ISO 22301: 2012
Societal Security-Business Continuity management Systems – Requirements
• Many countries around the globe are, or will be, formally adopting the standards
• New framework format:
• Integration of previously independent systems
• Common terms and processes
• Embedding various management systems
• Development process:
• Broad range of experts from around the globe
• Providing an updated framework of good practice
• Building on the work of key National Standards Bodies
• Valid internationalization of standards
• Greater universal consistency
• Meeting the needs of global organizations
Slide: 4
ISO 31000
ISO 31000: Risk Management – Principles and guidelines
ISO 31010: Risk Management – Risk assessment techniques
• 31000:2009
– Provides principles and generic guidelines on risk management. It can
be used by any organization, (public, private or community enterprise,
association, group or individual) and it is not specific to any industry or
sector.
• 31010:2009
– A supporting standard for ISO 31000 and provides guidance on
selection and application of systematic techniques for risk assessment
• ISO Guide 73:2009
– ISO Guide providing the definitions of generic terms related to
risk management.
Slide: 5
ISO 22301
ISO 22301: Societal Security – Business Continuity Management Systems – Requirements
ISO 22313: Societal Security – Business Continuity Management Systems – Guidance
• 22301:2012
– Specifies the requirements to plan, establish, implement,
operate, monitor, review, maintain and continually improve a
documented management system to prepare for, respond to
and recover from disruption.
• 22313:2012 (expected)
– Provides guidance to ISO 22301 for setting up and managing an
effective BCMS
Slide: 6
Management
• We speak about management - what is management?
• The standards define it as:
• Management system:
– Set of interrelated or interacting elements to establish policies
and objectives, and processes to achieve those objectives.
• Integrated Management Systems:
– A management system that merges more than one field, such as
quality or environment. ISO 22301, 3.16
Slide: 7
Management is:
The process of reaching organizational goals by working
with and through People, Premises, Technology,
Information, Supplies & Stakeholders.
– Characteristics:
– Continuing and related activities;
– Objectives (Achieving organizational goals)
– Threats & opportunities;
– Resources
– Stakeholders.
– Functions:
– Define/Plan (plan)
– Design/Organize & Influence (do)
– Do/Control (check)
– Deliver/Improve (act)
Slide: 8
Risk & BC
• Risk:
– Effect of uncertainty on objectives. ISO 31000, 2.1
• Risk Management:
– Coordinated activities to direct and control an organization with
regard to risk. ISO 31000, 2.2
• Business Continuity:
– Strategic and tactical capability of the organization to plan for
and respond to incidents and business disruptions in order to
continue business operations at an acceptable predefined level.
ISO 22313, 3.3
• BC Management:
– Management process which provides a framework for building
capability that safeguards the objectives of the organization
including its obligations. (to what objectives / obligations)
ISO 22301, 3.2
Slide: 9
Risk (and RM) – a deeper look
• Risk
– Effect of uncertainty on objectives
• Effect - deviation from the expected - +ve or –ve.
• Objectives - different aspects at different levels
• Risk - characterised by reference to potential events and
consequences, or a combination of these.
• Risk - expressed in terms of a combination of consequences of an
event & likelihood of occurrence.
• Uncertainty – state, even partial, of deficiency of info about the
event, consequence or knowledge.
– Risk – from threats, opportunities & disruptive-incidents
Slide: 10
Threats, Opportunities, Disruptions
• For every Threat – an Opportunity
• For every threat/opportunity – a potential disruption
Threats                     Opportunities
- Reduced Turnover          - Plan to increase Turnover
- Reduced Custom            - Seek to improve Custom
- Disruption to plans       - Make new/upgrade Plans
- Etc…                      - Etc…
Disruptive-events
- Potentially occur to both ‘Threats’ and ‘Opportunities’
Slide: 11
Types of risks
• Three
– Threat
• Down-side risk
• An indication or warning of potential danger
– Opportunity
• Up-side risk
• Missed or would-be opportunity
– Disruption-related
• Disruption risk
• Potential interruptions (to key products, services, resources, etc.)
• “risks of disruption to the organization’s prioritized activities and the processes,
systems, information, people, assets, outsource partners and other resources that
support them”.
ISO 22301:2012, 8.3.3.4 (a)
Slide: 12
Risk Specialisms
– BC / DRR
– Incident Management
– Crisis Management
– H&S
– Security
– Financial
– Environmental
– Reputational
– Contract
Overall management system (ISO 31000, 4.1): Holistic: General / Business
– fields/elements (ISO 22301, 3.16): e.g. quality, environment, risk, etc…
– specialisms (M_o_R 3rd Edition): e.g. the specialisms listed above
Integrated management system (ISO 22301, 3.16): Systematic, timely and structured (ISO 31000, Principles)
M_o_R: Guidance for Practitioners, 3rd Edition. Author: OGC (Office of Government Commerce). Publisher: TSO (The Stationery Office, UK)
<Purposely updated in line with ISO 31000>
In this presentation the focus is on ‘risk’ and on the first specialism in the list, i.e. ‘BC’ / ‘DRR’ (Disruption-related risk)
Slide: 13
BC or Disruption risk?
• Business Continuity or Disruption-related risk?
– What is commonly termed as “business continuity” is a type of
disruption-related risk influencing the achievement of organizational
continuity objectives and in particular the uninterrupted delivery of
key products and/or services.
– Disruption-related risks should be treated as such and are best dealt
with as part of the treatment options available within the risk
management discipline.
– Continuity plans - are one of the tools that can be adopted to manage
disruption-related events.
– Manage disruption to:
• achieve, maintain, protect & mitigate - continuity
Slide: 14
Protection through mitigation
• ISO 22301 - 8.3.4.3
– For identified risks requiring treatment, the organization shall
consider proactive measures that:
– a) reduce the likelihood of disruption;
– b) shorten the period of disruption; and
– c) limit the impact of disruption on the organization’s key
products and services.
– The organization shall choose and implement appropriate risk
treatments in accordance with its level of risk acceptance.
Slide: 15
We all Manage risk
On Global & National levels organizations:
• Take and manage risks
–Benefit
»profit (hopefully)
–Suffer
»loss (possibly)
Slide: 16
Managing Risk
– RISK: is not static
• Overseers
– Sponsors
– Owners
– Managers
– Practitioners
– Professionals
Risk ownership and Accountability: remains with the Owner/s
Risk Management Role: facilitating RM expertise
• The non-static element of risk demands flexibility
• Flexibility is performed by people
• RM is a discipline practiced by people
• When people err – Organizations suffer/lose
• When people do well – Organizations benefit/profit
Slide: 17
Management (Methodology)
• Like Risk;
• Management Methodology:
• Overall (general / business) management system
– Is not cast-in-stone
– It is continuously changing / evolving
• So are:
– Standards & Systems
– “ISO is no exception”
Slide: 18
Management (Background)
• Management (overall system):
• Recognizes - roots (where it came from)
• Acknowledges – status quo
• Seeks – future direction (way forward)
– Management - Risk & Business Continuity:
• Roots: General / Business management
• Status quo: centred / focused management
• Fragmented; siloed; diverse terminology; etc…
• Future direction: Integrated management
Slide: 19
Management (Status quo)
• Standards
• National
• International
• Non Standards
• Management
• Strategic, Tactical, Operational, etc.
• Risk Management
• IRM; AIRMIC; RMA; PRIMIA; RIMS; PRIMA; GARP;
• Etc. …
• BC Management
• BCI; BCPA; ACP; ICOR; BCM Institute;
• Etc. …
• Disparate approaches
• Segregation rather than Integration, Siloism,
• Confusing Terminology, Different Interpretations
• Incompatible definitions (sometimes)
• Higher costs, inefficiency
• Repetition, Reinventing the wheel
• One hundred and one other issues
Slide: 20
Management, RM & BC: Historical view
– Management (general / business)
• Originally based on intuition & limited informed decisions
• Sporadic/instinctive decision making & Limited planning
• Tools: SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Framework: 4D’s (Define, Design, DO, Deliver)
• Lacking focus on the management of threats
• Thus, the emergence of RM as an independent management system
– Risk management
• Formerly – ‘Threat handling (-ve) within general / business management’
• Focus – threats (opportunity is a recent addition - traditionalists still ignore)
• Tools: RA and other “Risk Assessment Techniques” (see: ISO 31010 – Annex B)
• 4T’s (Terminate, Treat, Transfer, Take)
• Framework: DIM-RI (Design, Implement, Monitor-Review, Improve)
• Lacking focus on - Disruption/Interruption-related Risk
– BC management
• Formerly – ‘Disaster Recovery’ & the failure of RM identifying the ‘Risk of Disruption’
• Focus - ‘Disruption/Interruption/Recovery’ (of critical products & services)
• Tools: RA & BIA and other “Risk Assessment Techniques” (ISO 31010 – Annex B)
• PDCA (Plan, Do, Check, Act – applied to BCMS processes)
• BCM – the result of the failure of RM & DRP to provide a plausible solution to the effects
disruption-related incidents were having on organizations during the 70’s & mid-80’s.
Slide: 21
Management
Integrated Management System
[Figure: Integrated Management System with SMART Objectives. Internal and External Stakeholders; Define – Design – DO – Deliver cycle; Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management; Organization and Environment.]
Slide: 22
Risk Management
Integrated Management System
[Figure: ISO 31000 Principles, Framework and Process within the Integrated Management System, with Mandate and commitment and SMART Objectives. Principles: Value; Org. Process; Decisions; Uncertainty; Information; Tailored; HR & Culture; Transparent; Inclusive; Dynamic; Iterative; Responsive; Facilitate. Framework: Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework. Process: Establish Context; Assess Risk (Identify, Analyze, Evaluate); Treat; Communicate & consult; Monitor and review. BC Disruption Risks and Various Assessment Techniques feed the process. Stakeholders; Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management.]
Slide: 23
Business Continuity Mgmt.
Continual improvement of preparedness and continuity management system
[Figure: PDCA cycle of the BCMS with SMART Objectives and Stakeholders. Establish (Plan); Implement and Operate (Do); Monitor and review (Check); Maintain and Improve (Act). Inputs: Risk Assessment, Business Impact Analysis, Other Assessment Techniques. Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management.]
Slide: 24
Management (Present-day)
Integrated Management System
[Figure: Integrated Management System with SMART Objectives. Internal and External Stakeholders; Define – Design – DO – Deliver cycle; Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management; Organization and Environment.]
Slide: 25
Integrated Management (To Be)
Integrated Management System
[Figure: Integrated Management System with SMART Objectives. Int./Ext. Stakeholders; Plan – Do – Check – Act cycle around Principles, Process and Other Techniques; Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management; Organization and Environment.]
Slide: 26
RM & BC Management Model
Integrated Management System
SMART-Objectives (Focus: Risk & Business Continuity)
[Figure: Design and Plan (Plan) – Implementing (Do) – Monitoring and review (Check) – Improve (Act) cycle around Risks, BC and Disruption, with Stakeholders. Governance roles: BoD (Board Audit Committee); Sponsors; RMSC (Risk Mgmt. Steering Committee); Process Owners; Business Managers; Internal Audit Committee. Requirements for preparedness and continuity → Organization → Managed preparedness and continuity management.]
Slide: 27
Disaster Sequence Model (DSM)
• Natural, man-made or systems failures do not happen
instantly
• Latent defects build up unnoticed
• Overlooked latent defects can lead to disasters
• DSM consists of 3 separate but interrelated parts:
• Incubation period
• Triggering event
• Learning process
• DSM model – easily applicable to understand & manage
business activity, threats, opportunities & disruptive-events
effectively
Slide: 28
Turner’s DSM Model: Six Stages (Toft & Reynolds, 1997: 22)
• Stage I:
– notionally normal starting point:
(a) Initially culturally accepted beliefs about the world and its hazards;
(b) Associated precautionary norms set out in laws, codes of practice, mores and folkways.
• Stage II:
– the incubation period: the accumulation of an unnoticed set of events which are at odds with
the accepted beliefs about hazards and the norms for their avoidance.
• Stage III:
– precipitating event: forces itself to the attention and transforms the general perception of
Stage II.
• Stage IV:
– onset: the immediate consequence of the collapse of cultural precautions becomes apparent.
• Stage V:
– rescue and salvage: first stage adjustment – the immediate post-collapse situation is
recognised in ad hoc adjustments which permit the work of rescue and salvage to be started.
• Stage VI:
– full cultural readjustment: an inquiry or assessment is carried out and beliefs and
precautionary norms are adjusted to fit the newly gained understanding of the world where
knowledge gained is absorbed into the culture of organisations/society.
Slide: 29
Disaster Sequence
[Figure: Risk level plotted against Timeline. Stages: Normality – Incubation – Precipitation – Onset – Recovery – Learning. P-D-C-A applied to Threat, Opportunity and Disruption. Periods: Normal operation – Early warning period – Disruption event – Extended disruption. Markers: Activity start; Triggering threat; Incident; RTO; MTPD; Collapse.]
Slide: 30
Treatment of risk (ISO 31000, 2.25, 5.5.1)
• avoiding the risk,
– by terminating it altogether;
– by deciding not to start or continue with the activity that gives rise to the risk
whether the risk is the result of a ‘threat’, an ‘opportunity’ or a ‘disruptive
incident’.
• taking or increasing the risk,
– to pursue opportunities;
– to take full advantage and maximize the benefit;
– to decide whether a ‘disruptive incident’ to key products and/or services
needs intervention to reduce the likelihood of occurrence, the shortening of
the period of disruption and/or limiting the impact from disruption.
• removing the source,
– and make sure that the threat, opportunity and/or disruptive incident do not
negatively affect the organization.
Slide: 31
Treatment of risk Cont…
• changing the likelihood and/or consequence,
– by intervening to change the probabilities;
– by modifying the potential impact;
– by modifying the probability and impact levels of potential disruptive incidents.
• sharing it with others,
– by passing it on to insurance;
– by contracts and risk financing
– by seeking new partnerships to share the threat and/or maximise opportunity;
– by subcontracting to specialist organizations and share the threats/benefits;
– by equally applying the above to situations emerging from disruptive incidents.
• retaining the risk,
– by informed decision;
– by doing nothing about it;
– by being ready to intervene should the threat, opportunity and/or disruptive incident
arise.
Slide: 32
Treatment of risk Cont…
• invoking continuity procedure
– to reduce the likelihood of disruption (ISO 22301, 8.3.4.3. (a))
– to shorten the period of disruption (ISO 22301, 8.3.4.3. (b))
– to limit the impact of disruption on the organization’s key products and services
(ISO 22301, 8.3.4.3. (c))
– “preparing and implementing risk treatment plans identifying resource
requirements including contingencies” (ISO 31000, 5.5.3), reliance, dependence,
etc;
– “establish, implement and maintain a formal and documented process for business
impact analysis (BIA), risk assessment (RA) and other assessment techniques that
establishes the context of assessment, defines the criteria and evaluates the
potential impact” with regards to “disruption related risks” (ISO 22301, 8.3.3.4 (c));
– “establish documented plans that detail how the organization will manage a
disruptive event and how it will recover or maintain its activities to a
predetermined level, based on management-approved recovery objectives” (ISO
22301, 5.4.5).
Slide: 33
Benefits of ISO 31000 to Business Continuity
• Principles:
– creates value to the organization;
– is an integral part of the organizational processes;
– aids the decision making process;
– explicitly addresses the principle of uncertainty resulting from the effect of
disruptive events;
– it is systematic, structured and timely;
– is based on the best available disruption management information;
– is tailored to the organization;
– takes human and cultural factors into account;
– it is transparent and inclusive;
– it is dynamic, iterative and responsive to change, and
– facilitates continual improvement and enhancement of the organization in terms of
improving the overall integrated management system.
Slide: 34
Benefits of ISO 31000 Cont…
• Framework:
– ISO 31000 framework aids the: Plan-Do-Check-Act (PDCA) cycle
– Provides the necessary mandate, commitment, support and funding by top
management and the Board of directors towards establishing a BCMS
• The required elements for managing the risk of disruption effectively and in line
with other organisational:
– Risks,
– context,
– RM and BC policies,
– accountability,
– roles and responsibilities,
– organizational processes integration,
– functional activities,
– resources required to implement the BC plan,
– critical and alternate staff,
– awareness and training programs,
Slide: 35
Benefits of ISO 31000 Cont…
• Framework cont…:
– internal and external communication and reporting mechanisms most essential for the
successful implementation of a BCMS incorporating the identification of:
• organizational vulnerabilities;
• continuity and recovery team members;
• scope, purpose and value to the organization, as well as,
• the necessary lines of defence (BoD: Board of Directors, RMSC: Risk
Management Steering Committee & IAC: Internal Audit Committee) for the
necessary sponsorship, direction and audit of the RM and BCMS
implementation mechanisms.
Slide: 36
Benefits of ISO 31000 Cont…
• Framework cont…:
• The development of a strategy to implement the organizational RM framework
and processes to facilitate the risk assessment (RA) and business impact analysis
(BIA) of the BC plan and the identification of variances that can be translated into
potential opportunities;
• The framework monitoring and review - having established processes in place help
to establish a well-managed organization; regular departmental/unit status reports
of BC progress; internal and/or external audits to sustain the BCMS
implementation; regular RM and BC audits with a view to validate performance
against controls;
• Top management support and involvement towards the concept of continual
improvement of the framework encouraging departments/units to establish the
culture and attitude that RM and BC are not static and nearly everything the
organization does can be improved and ought to be reviewed to enable the
identification of new opportunities.
Slide: 37
Benefits of ISO 31000 Cont…
• Process/es:
– An established, globally agreed to and supported RM process/es directly affecting
BCMS;
– The use of enterprise-wide risk management (EWRM) processes and guidelines;
– In-depth awareness and understanding of the organization and its context;
– An established risk assessment process providing a well-founded risk identification,
analysis and evaluation methodology;
– A systematic and logical approach to the management of all types of risk
incorporating the effective handling of threats, opportunity considerations and
disruption related risks that can be modified through one or more treatment
options;
– Established communication and consultation structure with customers,
stakeholders and management;
– Effective monitoring and review of all aspects of organizational risks and disruptive
eventualities
Slide: 38
Benefits of ISO 31000 Cont…
• General:
– Increased competitive advantage supported by a globally designed and agreed
to RM standard;
– Greater understanding of the effects of disruptive events in relation to the
other organizational risks;
– Enhanced customer confidence;
– Improved stakeholder trust and support;
Slide: 39
Conclusions
• The objective of this presentation:
– To trigger discussion on the importance of the integration of a holistic
management system incorporating Management, RM, BCM.
• Integration is:
• More efficient
• Less expensive
• Improves the overall management system
Slide: 40
Way Forward / How
• Integrated Risk Management System
One holistic management approach
General Management
Risk Management,
Business Continuity,
Incident, Crisis and Disaster Management
• Merge not fragment
RM & BC are “not stand-alone activities” but an essential/integral part of the ‘Overall
Management System’ – avoid reinventing the wheel (ISO 31000, 3(b) Principles)
• Gap analysis
Urgently needed to help merge the different activities (currently in silo)
Amalgamation of ISO 31000 & 22301 series
• ISO 31000 is doing a great job:
Getting the activities together – Terminology, definitions, approaches, methodologies,
principles, frameworks, processes, etc…
• BC cannot exist without an RM function
• An RM function is not complete without a BC programme
Slide: 41
Thank you
Slide: 42