Friday, October 24, 2008

Implementation of Business Continuity Management

Business Continuity Management (BCM) is becoming more and more significant because of the financial crisis. BSI (HK) Ltd. (www.bsigroup.hk) has provided BCM introduction and implementation training to promote the new standard entitled “BS 25999 Business Continuity Management – Part 1: Code of Practice and Part 2: Specification”. I would like to share what I learnt from this course on 16-17 Oct 2008.
Firstly, the business continuity lifecycle was introduced in Fig. 1.

There were 6 elements:
1) Business Continuity Program Management is a framework for this lifecycle
2) Understanding the Organization (including Business Impact Analysis (BIA), Risk Assessment (RA) and Determine choices)
3) Determining Business Continuity Strategy (Organization is in a position to choose the appropriate continuity strategies to enable it to meet its objectives.)
4) Determining and Implementing a BCM Response (including Incident Management Plan (IMP) and Business Continuity Plan (BCP))
5) Exercising, Maintaining, and Reviewing BCM Arrangements
6) Embedding BCM in the Organization’s Culture (BCM becomes part of the core values and effective management of the organization)

The training course employed action study to clarify the logical flow so as to understand an organization as follows: (See Fig. 2 & 3)


1) Scope, policy stakeholders, regulatory requirements
2) Define method for determining impact of disruption
3) Identify key products and services
4) Identify activities that support key products and services
5) Identify impacts from disruption to activities
6) Establish maximum tolerable period of disruption (MTPD) for each activity
7) Determine critical activities
8) Identify dependencies relevant to critical activities
9) Determine BC arrangements for external parties
10) Set recovery time objectives (RTO) for critical activities
11) Estimate resources required to recover each critical activity
12) Define and document method for risk assessment
13) Identify impact of threat to critical activities
14) Determine choices


MTPD and RTO are two of the most important concepts for BCM.
(Photo source from http://www.calamityprevention.com/blog/images/BNM%20MTD.jpg)

The following figure showed the sequence of events of an Incident.

The Incident Management Plan (IMP) starts responding to an incident as soon as it happens. It includes:
· Task and action lists;
· Emergency contacts;
· People activities;
· Media response, etc.
For example, a rumor of BEA:
The prosecution alleged the 18-year-old man posted an online message claiming that BEA was facing closure on September 25, a day after the bank experienced a bank run.
BEA’s IMP was executed quickly and effectively. The chairman (David LI Kwok-po) declared that night that it was a rumor and said he would buy more shares of the bank. During the bank run, some actions were taken: 1) extended the service time; 2) returned deposits without limit; 3) registered customers who could not be served on that day. After the chairman's and the government's declarations, there seemed to be no need to start the BCP.

The Business Continuity Plan (BCP) includes:
· Action plans;
· Resource requirements;
· Responsible person(s);
· Incident log / decision record, etc.

Keys to Success:
1) Defined business continuity system (Say it)
2) Selective documentation (Write it)
3) Conforming implementation (Do it)
4) Effective results (Do it well)
5) Records as evidence (Prove it)
6) Internal audits (Check it)

It is a very good course, and I recommend it to you.
