
Saturday, February 23, 2019

Business Continuity Plan as a Part of Risk Management

The aim of this thesis is to present the role and significance of a Business Continuity Plan in the overall process of risk management in a company, and to present exemplary contents of such a Plan. The first chapter contains a general introduction to the subject of risk management. It presents the definition of risk in the sense in which it is understood in this thesis. In addition, it contains a description of the manifold threats associated with a company's functioning, as well as a list of the methods used to measure risk and a description of exemplary attitudes adopted towards threats. The second chapter presents the concept of Business Continuity Management. It characterizes the evolution of this concept and explains why the Business Continuity Plan is a document of enormous importance for the company and its stakeholders. In addition, this chapter discusses certain widespread myths concerning Business Continuity Management. This part of the thesis ends with a description of Business Impact Analysis as the main tool used by this type of management. The third chapter presents the results of the author's analysis of various Business Continuity Plans and their templates. This study was the basis for presenting an exemplary structure of the Plan and a description of the errors most frequently found in it. The last chapter also contains a characterization of the phases of implementing and testing the Plan, which are as important as the stage of its preparation. Modern companies cannot afford a reactive stance towards real threats, since the events capable of disrupting their functioning are numerous and may arise both in the internal and in the external environment of the company. A professionally prepared and scrupulously updated Business Continuity Plan characterizes a proactive stance. It is not only enormously helpful in overcoming difficulties, but for the company's stakeholders it is also proof of its credibility. It can therefore be expected that more and more companies will try to acquire this invaluable asset.

ABSTRACT

The aim of this thesis is to present the role and significance of a Business Continuity Plan (BCP) in the holistic process of a company's risk management, and to provide a characterization of exemplary BCP contents. The first chapter contains a general introduction into risk management. It delivers the definition of risk as it is understood in the context of the present thesis. Moreover, there is a description of multiple threats which are relevant to a company's activity, as well as a list of the risk measurement methods and an account of exemplary attitudes towards threats. The second chapter presents the concept of Business Continuity Management (BCM). It characterizes the evolution of this concept and explains the reasons why the BCP is a document of utmost importance to the company and its stakeholders. What is more, certain wide-spread myths concerning BCM are also disputed in that section. This part of the thesis ends with a description of Business Impact Analysis as the main tool of Business Continuity Management. The third chapter provides the results of the author's analysis of various Business Continuity Plans and their templates. That study has been the basis for the presentation of an exemplary structure of a Business Continuity Plan, as well as for the description of the most frequent mistakes which occur in BCPs. The last chapter also contains a characterization of implementation and testing phases which are as significant as the preparation of a Business Continuity Plan.

Modern companies cannot afford a reactive stance towards possible threats as the dangers which may disrupt their functioning are multiple and come both from the internal and external environment. A professionally prepared and carefully updated Business Continuity Plan characterizes a proactive attitude. Not only does it significantly help to overcome difficulties, but it is also a convincing proof of the firm's reliability to all its stakeholders. Therefore, it may be expected that more and more companies will attempt to acquire this invaluable asset.

INTRODUCTION

The present thesis is the result of the author's interest in various aspects of risk management, especially in the procedures which are applied by companies in case their functioning is faced with a serious threat. The most effective method used by business units is called Business Continuity Management (BCM) and focuses on the preparation and implementation of a Business Continuity Plan (BCP). The aim of this thesis is to present the role and significance of a Business Continuity Plan in the holistic process of a company's risk management, and to characterize the contents of an exemplary Plan. The first chapter contains a general introduction into risk management and includes, inter alia, a description of multiple threats which are relevant to the company's activity and a list of risk measurement methods. The second chapter discusses the concept of Business Continuity Management, explains the importance of Business Continuity Plan and characterizes the steps which lead to the development and implementation of this document.
In the third chapter, there is a description of the contents which should be included in a Business Continuity Plan. That presentation is based on the author's analysis of various BCPs and their templates. The exemplary materials enclosed in appendices have been provided by Punk, Ziegel & Company, Business Link, London Borough and Wallsal Council. All the translations which are enclosed in the present thesis have been made by the author. The references have been edited in accordance with the traditional Footnote/Endnote System.

CHAPTER 1 RISK MANAGEMENT

This chapter contains an introduction into the nature and types of risk, as well as a description of the methods by which risk is assessed and managed. All these issues are inseparably connected with the concept of Business Continuity Plan, which aims at making provision for the whole spectrum of present and future threats that may put a company's proper activity into danger. When a company decides to prepare and implement such a plan, it has to carry out a thorough and accurate analysis of all the factors which may influence its operation, so that even the least expected dangers are taken into consideration. The first phase of drafting a BCP involves the recognition of existing and prospective risks, evaluation of their possible impacts and assumption of particular attitudes towards them. These vital steps are covered by Risk Management, which helps to organize the findings and solutions in a logical way. The proactive nature and principles of this general process will be presented and explained in the following chapter.

1.1. The Definition of Risk

Risk and uncertainty are inseparable parts of every aspect of life. As Jan Mikolaj writes, risk is connected with human activity, while uncertainty applies to the environment. [1] When these terms are used in the scientific context, they must be precisely defined. Some of the authors of economic and financial literature do not stress the difference between them. For example, Allan Willet states that risk is objective uncertainty of the occurrence of an undesirable event. [2] In his opinion, risk changes in accordance with uncertainty, not with probability level. [3] Similarly, Joseph Sinkey defines risk as uncertainty connected with some occurrence or profit in the future. [4] Frank Reilly thinks that risk is the uncertainty that the investment may not bring the expected return. [5]

However, the prevailing trend in modern professional literature is to differentiate between them. According to the dictionary of Economic and Financial Terminology by Bernard and Colli, risk is the probability of incurring losses by a business unit as a consequence of making a certain economic decision by this unit. The probability results from the uncertainty of the future. [6] The same source states further that the concept of uncertainty is used in the situation when calculus of probability cannot be applied, whereas the term risk concerns recurrent events whose possibility of occurrence can be calculated using the calculus of possibility. [7] Similar classification is introduced by Frank Knight. In his opinion, risk is a measured uncertainty, [8] while immeasurable uncertainty [9] is uncertainty sensu stricto. According to Irving Pfeffer, risk is the combination of hazard and is measurable by probability mathematics, whereas uncertainty is measured by the level of confidence. Risk is a state of the world while uncertainty is a state of mind. [10]

To summarize, risk means a condition in which there exists a possibility of deviation from an outcome that is expected or hoped for. [11] Risk can be expressed as a probability, ranging from 0 to 100 percent. [12] What is important, although not often mentioned in professional literature, there is not only the negative aspect of risk, but also the positive one. Thus, it is a possibility of loss as well as gain.

[1] Jan Mikolaj, Risk Management, (RVS FSI ZU, Zilina 2001), p. 17.
[2] Allan Willet, The Economic Theory of Risk Insurance, (Philadelphia 1951), p. .
[3] ibid.
[4] Joseph Sinkey, Commercial Bank Financial Management, (New York Macmillan Publishing Co. 1992), p. 391.
[5] Frank Reilly, Investments, The Dryden Press, (London International Edition, Collins, 1988), p. 463.
[6] Bernard and Colli, Slownik ekonomiczny i finansowy, (Wydawnictwo Ksiaznica, 1995), p. 156.
[7] ibid., p. 157.
[8] Frank Knight, Risk, Uncertainty and Profit, (Boston University of Boston Press, 1921), p. 233.
[9] ibid.
[10] Irving Pfeffer, Insurance and Economic Theory, (Illinois Irvin Inc. Homewood, 1956), p. 42.
[11] Reto Gallati, Risk Management and Capital Adequacy, (New York Mc Graw Hill, 2003), p. 7.
[12] ibid., p. 8.

1.2. Risk in Business Activity

The amount and diversity of risk obviously depend on a company's type and branch of economy, but risk as such is a phenomenon which accompanies in its various forms any kind and field of business activity. It may come from the external environment of a company as well as from the internal one. For some entrepreneurs, risk is a necessary evil, whereas for others it is an additional motivation, if not the main one. Whatever the point of view is, if a given business activity is to succeed, it is essential to recognize what are the kinds of possible risk, assess their possible impact and acknowledge ways of reacting towards them. Such identification will substantially help in taking a suitable attitude, which allows minimizing a potential loss and maximizing a gain.

1.2.1. Types of Risk

Types of risk which endanger a company's activity are complex and numerous.
Classifications of risk provided by professional literature differ with regard to the assumed criteria. The following comprehensive categorization is based mainly on the division presented in the book Risk Management in Emerging Markets. How to Survive and Prosper by Carl Olsson: [13]

- business risk (also called strategic risk) concerns potential results of inappropriate strategies, inadequate allocation of resources and changes in economic or competitive environment
- market risk is associated with potential results of changes in market prices. It can be divided into interest rate risk, foreign exchange risk, commodity price risk, share price risk
- credit risk means that a debtor may not pay in due time
- industry risk regards operating in a particular industry
- liquidity risk applies to inability to pay debts because of the lack of available finances
- operational risk means potential results of actions by people, processes, and infrastructure
- accounting risk concerns a possibility of financial accounts not being in accordance with the reality
- reputation risk regards the results of changes in a company's reputation
- country risk is associated with effects which the mother country's and foreign countries' economic policies may have over the company
- sovereign risk applies to loaning funds to the government or a party guaranteed by the government
- political risk means results of changes in political environment
- legal/regulatory risk is associated with the consequences of non-compliance with legal or regulatory requirements
- environmental/ecological risk applies to the changes in natural environment which affect a company
- systemic risk concerns small events which may produce much larger results than expected
- technological risk is associated with the consequences of bringing new technology products to the market and introducing new IT systems
- natural risk concerns natural and space disasters.

All these risks usually appear simultaneously and their effects are synergic. Therefore, none of them should be ignored when considering the company's situation. After realizing the large number and complex nature of various types of risk involved in all aspects of business activity, a logical step is to try to estimate their potential impact and results.

1.2.2. Methods of Risk Evaluation

An assessment of a particular risk, both internally- and externally-driven, allows taking an appropriate attitude towards it. As Andrzej Stanislaw Barczak writes, such a measurement involves both subjective and objective components. [14] The subjective component consists in assuming a priori particular conditions of a given evaluation method, as well as interpreting obtained results in a specific way. The objective component derives from the common agreement of the business circle on the methods widely applied to the assessment of risk. Two main types of risk measurement methods are quantitative risk assessment and qualitative risk assessment.

1.2.2.1. Quantitative Risk Assessment

The main idea of quantitative risk assessment is to determine the cost of a given unwelcome occurrence, i.e. to calculate how big the loss would be if an ominous event happened. As it is pointed out in The Security Risk Management Guide, it is important to measure the real possibility of a risk and how much damage, in monetary terms, the threat may cause in order to be able to know how much can be spent to protect against the potential consequence of the threat. [15] This method involves:

- evaluation of assets (determining the overall value of a company's assets, the immediate financial impact of losing the asset and the indirect value of losing the asset)
- measurement of the Single Loss Expectancy (SLE), which means the total amount of revenue that is lost from a single occurrence of the risk. [16] It is calculated by multiplying the asset value by the exposure factor (EF). The exposure factor represents the percentage of loss that a realized threat could have on a certain asset. [17]
- assessment of the Annual Rate of Occurrence (ARO), which is the number of times that one can reasonably expect the risk to occur during one year. [18] This step is very difficult; it is based on historical information and previous experiences, and requires consultation with experts.
- calculation of the Annual Loss Expectancy (ALE), which stands for the total amount of money that an organization will lose in one year if nothing is done to mitigate the risk. [19] This figure is established by multiplying the SLE and the ARO.
- valuation of the Cost of Controls (ROSI), i.e. establishing accurate estimates on how much acquiring, testing, deploying, operating, and maintaining each control would cost. [20] It is estimated by using the following equation:

(ALE before control) - (ALE after control) - (annual cost of control) = ROSI

Although quantitative risk analysis provides clearly defined goals and results, all of the involved calculations are based on subjective estimates, which may prove inaccurate. Moreover, the whole process can be long and costly.

[13] Carl Olsson, Risk Management in Emerging Markets. How to Survive and Prosper, (London, Pearson Education United, 2002), pp. 35-36.
[14] Andrzej Stanislaw Barczak, Ryzyko kategoria obiektywna czy subiektywna?, (Poznan WSB, 2000), p. 30.
[15] Microsoft, The Security Risk Management Guide, (Microsoft Corporation, 2004), p. 19.
[16] ibid., p. 18.
[17] ibid., p. 19.
[18] ibid., p. 19.
[19] ibid., p. 19.
[20] ibid., p. 19.
[21] ibid., p. 20.

1.2.2.2. Qualitative Risk Assessment

In opposition to the quantitative method, qualitative risk assessment does not assign hard financial values to assets, expected losses, and cost of controls [21] but instead calculates relative values. [22] It involves distribution of questionnaires among people in the company who have relevant skills and knowledge, and workshops.
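For contrast with the relative values used by the qualitative method, the quantitative chain of section 1.2.2.1 (SLE, ARO, ALE, ROSI) can be carried through in Python; this is an added example, not part of the thesis or of the Microsoft guide it cites. It goes one step beyond the text by stating each subjective estimate as a low/high range, so that the effect of inaccurate estimates on ROSI becomes visible; the asset, the controls, every figure, the modelling of a control as the fraction of EF and ARO it leaves in place, and the names `Range`, `Risk`, `Control`, `rosi_range` and `verdict` are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Range:
    """A subjective estimate stated as low/high bounds instead of one number."""
    low: float
    high: float

    def corners(self):
        return (self.low, self.high)


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float   # monetary value of the asset
    ef: Range            # exposure factor: fraction of the asset lost per event
    aro: Range           # annual rate of occurrence: events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # acquiring, testing, deploying, operating, maintaining
    ef_left: Range       # assumption: fraction of EF remaining with the control
    aro_left: Range      # assumption: fraction of ARO remaining with the control


def sle(asset_value, ef):
    """Single Loss Expectancy = asset value x exposure factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def ale(asset_value, ef, aro):
    """Annual Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, ef) * aro


def rosi(ale_before, ale_after, annual_cost):
    """ROSI = (ALE before control) - (ALE after control) - (annual cost)."""
    return ale_before - ale_after - annual_cost


def rosi_range(risk, control):
    """Worst and best ROSI over every combination of the estimate bounds.

    ROSI is linear in each input taken separately, so its extremes over the
    ranges are reached at the corners that are enumerated here.
    """
    results = []
    for ef, aro, ef_left, aro_left in product(
        risk.ef.corners(), risk.aro.corners(),
        control.ef_left.corners(), control.aro_left.corners(),
    ):
        before = ale(risk.asset_value, ef, aro)
        after = ale(risk.asset_value, ef * ef_left, aro * aro_left)
        results.append(rosi(before, after, control.annual_cost))
    return min(results), max(results)


def verdict(risk, control):
    """Classify a control by whether its ROSI sign survives the uncertainty."""
    worst, best = rosi_range(risk, control)
    if worst > 0:
        return "pays off across the whole estimate range"
    if best <= 0:
        return "does not pay off under any estimate"
    return "depends on which estimate is right"


# Constructed sample data (not taken from the thesis).
RISK = Risk("customer database outage", 200_000,
            ef=Range(0.25, 0.5), aro=Range(0.5, 1.0))
CONTROLS = [
    Control("offsite backups", 8_000, Range(0.25, 0.5), Range(1.0, 1.0)),
    Control("standby recovery site", 60_000, Range(1.0, 1.0), Range(0.125, 0.25)),
    Control("duplicate data centre", 120_000, Range(0.5, 0.5), Range(1.0, 1.0)),
]

if __name__ == "__main__":
    for control in CONTROLS:
        worst, best = rosi_range(RISK, control)
        print(f"{control.name:24} ROSI {worst:>10,.0f} .. {best:>10,.0f}  "
              f"{verdict(RISK, control)}")
```

A control whose worst-case and best-case ROSI have different signs is exactly the case the thesis warns about: the decision rests on a subjective estimate rather than on the calculation.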
The questionnaires are designed to discover what assets and controls are already deployed, and the information gathered can be very helpful during the workshops that follow. In the workshops participants identify assets and estimate their relative values. Next they try to figure out what threats each asset may be facing, and then they try to imagine what types of vulnerabilities those threats might exploit in the future. The information security experts and the system administrators typically come up with controls to mitigate the risks for the group to consider and the approximate cost of each control. Finally, the results are presented to management for consideration during a cost-benefit analysis. [23]

This method does not require a lot of time and it is not a big burden for the people involved. What is more, the results of the implemented solutions are quickly visible. However, the estimated figures are often perceived as too vague.

These two presented approaches are often used together in order to obtain the most comprehensive information about a potential threat. Although scientific methods of risk assessment are helpful in estimating the possible impact which particular occurrences may have on the company's activity, it is essential to remember that none of the methods can be perceived as 100% trustworthy and absolutely infallible. However, even if it is impossible to predict all threats and provide for all undesirable events, the significance of risk evaluation methods combined with human knowledge, experience, imagination and intuition cannot be questioned.

1.3. Risk Management in Business Activity

The fact that the phenomenon called risk is measurable and its occurrence may be predicted means that it is also possible to take preventive measures and a proactive attitude towards it. As Reto Gallati stresses, the term Risk Management is a recent creation, but the actual practice of risk management is as old as civilization itself. [24] In general life, people face risk in a varying degree all the time and they manage it in a natural way so as to minimize undesired impact and yield possible profits. Certain individuals even enjoy plunging into extraordinarily dangerous situations in order to check how they will cope in difficult moments. However, Andrew Holmes notices that at the individual level, if a person takes a risk and fails to manage it properly, the damage is limited to him, and maybe his close relatives, [25] while the management of risk for organizations is not as simple. [26]

As it was presented in the part 1.2.1, the company is a subject to various and multiple threats. Holmes stresses that ultimately, all risks have a financial impact. [27] The complexity of the required actions aimed at coping with the risk means that within the modern corporation, risk management must encapsulate managing strategic, business, operational, and technical risks, rather than those associated with pure finance such as credit, interest rate, and currency risk. [28] Nowadays, Risk Management is not an extra feature added to a company's basic activity, but an essential skill of all modern corporations. [29] All business units should realize its great importance, because it is essential not only for their success but simply survival.

According to Holmes, a company's attitude towards the risk depends on its risk sophistication, which can be divided into five stages: [30]

- At the lowest level of sophistication (reactive stance), risks are dealt with only when they turn into live issues or when crisis strikes. There is no effort to recognize and measure possible risks in advance.
- At a slightly more sophisticated stage, a company understands the importance of risk management and takes the trouble to identify and manage threats more actively. It tends to seek out the best practice and views adverse events in a wide context.
- At the next level, there are organizations which acknowledge the need to manage risks throughout the organization and usually develop some form of risk management framework to ensure consistency of approach.
- At the following stage, a company understands the link between risk and reward. It is aware that for each risk there is an associated opportunity which can be exploited. Such a business unit is often a market leader and is willing to take risks to achieve its strategic objectives.
- At the ultimate level of risk sophistication, there are organizations which integrate risk management with the goal of enhancing shareholder value. Thus, they shift the responsibility for risk management away from the traditional areas of audit and compliance to everyone within the organization.

Of course, the active process of Risk Management requires commitment and focus as it means following a deliberate set of actions which are designed to differentiate, quantify, manage and then monitor the events or actions that could lead to financial loss. Often, there is too little information about a given risk, and therefore, this kind of management may involve a large degree of judgment and assumptions concerning the future. [31] Yet, all the effort is worthwhile as successful organizations tend to be excellent risk managers, not only because they understand the risks they face, but also because of how they manage them. Conversely, those organizations that are poor at risk management spend no time scanning the risk horizon, instead leaving their futures to fate. This invariably means shocks, falling market share, takeovers and missed opportunities. [32] As Holmes reflects, risk management is both an art and a science, and being successful depends on how well the two are kept in balance. [33]

1.3.1. Methods of Risk Management

John Holliwell, the managing director of Smith Williamson Consultancy, once stated, "There is nothing wrong with risk. It is the lifeblood of business and the test of entrepreneurs and managers. What matters is how you handle risk and the culture in which you operate." [34] A similar thought is expressed by Clifford Tijok: "Entrepreneurial behaviour demonstrated in real life entails, i.a., the ability to enter into calculated risk, so that return-driven opportunities can be pursued and the ability to identify the relevant risks associated with these opportunities and the decision on appropriate behaviour to address these risks." [35] When a company decides on its risk management techniques, it usually analyses the following features:

Table 1. Factors influencing the type of risk management framework required by the organization [36]

FACTORS INFLUENCING RISK MANAGEMENT REQUIREMENT | DIMENSIONS TO CONSIDER
Strategy | aggressive or conservative
risk appetite of owners/risk managers | risk taking or risk averse
industry | sunrise or sunset industry; primary, manufacturing, service sector
geographical coverage | local, national, regional or global
critical success factors | is the company critically dependent on one or two factors which require close management?
volatility | is the environment likely to change significantly or unpredictably?
position in industry | monopoly, few or limited number of players, or free market with many players and no barriers to entry
regulatory environment | is the area of operations highly controlled by legislation and/or regulatory bodies? are regulators intrusive or hands off? is deregulation occurring or the level of regulation increasing?
management style | centralized or decentralized
resources | adequate or inadequate people and technology resources
financial position | adequate funds available, highly or lowly geared
status/ownership | public or privately owned
organizational culture | is the culture strong or weak?
nature of risks faced | are they simple and predictable or complex/unpredictable? is the size of risks manageable or is catastrophic risk a cause for concern?

Such an analysis leads to adopting one of the main risk management techniques, as presented by Cliff Tijok: [37]

- risk limitation: a company establishes its range of tolerance towards a given risk and continuously monitors whether the limits are not breached
- risk avoidance: a company chooses the least risky option or none of them
- risk transfer: a company reduces or completely transfers specific risks by hedging against a risk (i.e., obtaining insurance) or diversification.

Whatever the approach is, managing risks takes a degree of courage and requires the organization to take responsibility for its actions. [38] It is a continuous process, which is based on a distinct philosophy and follows a well-defined sequence of steps. [39]

After the application of the methods and rules provided by risk management, the obtained information is organized in a clear and logical way. This is the basis which allows the company to go one level up and prepare action schedules that will be used in case a recognized danger occurs. An essential part of such planning is encompassed by Business Continuity Management and will be discussed in the next chapter.

[22] ibid., p. 20.
[23] ibid., p. 20.
[24] Reto Gallati, Risk Management and Capital Adequacy, (New York McGraw Hill, 2003), p. 11.
[25] Andrew Holmes, Risk Management (Oxford Capstone Publishing, 2002), p. 2.
[26] ibid.
[27] ibid.
[28] ibid.
[29] ibid.
[30] ibid., p. 8.
[31] ibid.
[32] ibid.
[33] ibid.
[34] ibid., p. 2.
[35] Clifford Tijok, Risk Management in Finance, (Lehrveranstaltung, 2005), p. 8.
[36] Carl Olsson, Risk Management in Emerging Markets pp. 110-111.
[37] Cliff Tijok, Risk Management pp. 12-13.
[38] Andrew Holmes, Risk Management p. 2.
[39] Reto Gallati, Risk Management p. 11.
19 CHAPTER 2 BUSINESS persistence MANAGEMENT This chapter provides information on what is Business Continuity Management, when it come forwarded in the history of management, what purposes it serves and how it should be make and introduced into a companys activity. Moreover, it contains a description of the steps which lead to the preparation of a Business Continuity Plan and of the implementation process that follows. Business Continuity Management forms an integral part of Risk Management. It me t with particularly cryptic interest in the 1990s as the result of the frenzy which come to the year 2000.At that time, there were many anticipated business perseverance problems, implicated by the date change in computer systems. Business Continuity Management became even a bigger focus of attention in 2001, after the terrorist attack in New York. As Michael Gallagher observes, that huge happening increased alive(predicate)ness of business interruption issues, resulted in a break in understanding(a) of critical processes and vulnerabilities and improved co-operation and collaboration between public and private sectors on indispensability management questions. 40 Lyndon Bird adds that business now has far more economic interdependency between regions than ever before. There are often global consequences when risk becomes reality. 41 Yet, at the same time there is a growing awareness of what business perseveration really is about and why it is so important to both businesse s and individuals. 42 8 2. 1. The Concept of Business Continuity Management Business Continuity Management (also called BCM) is defined by the Business Continuity Institute as a holistic management process which identifies potential Michael Gallagher, Business Continuity Management, (Edinburgh Pearson Education Limited, 2003), p. 7 41 Lyndon Byrd, Business Continuity Management in a shrinking world, Business Continuity & Risk Management (a addendum distributed in The Times), July 26 2006, p. 
2 40 20 mpacts that threaten an organization and provides a framework for building resilience and the capability for an effective chemical reaction that defenses the interests of its key stakeholders, reputation, sword and value creating activities. Its main purpose is to enable the companys regular functioning, even though everyday operations are disrupted. As Lorraine pathway observes, organizations must be capable of withstanding the shocks that can so easily distract management from th eir primary purpose of meeting and drubbing their normal operational goals. 43 BCM appears as the solution that is exactly necessitate to guarantee such stability to the business. Obviously, BCM looks different in various companies as each organization is a unique system of multiple factors and interdependencies.Dr David Smith explains that because of its all-embracing nature, the way BCM is carried out will inevitably be dependent upon, and must reflect, the nature, scale and complexity of an organizations risk profile, risk appetite and the environment in which it operates. 44 Gallagher supports this view by stating that the plan must fit comfortably with the culture and management style of the organization. For example, the type of plan that suits a financial institution would be totally wrong in a radio or television broadcasting organization. 45 It is also very important to acknowledge that the companys BCM must be continuously revised and tested, in order to stay binding a nd fulfill its tasks. As Dr Smith emphasizes, BCM is, by necessity, a dynamic, proactive and current process. It must be kept up-to-date and fit-for-purpose to be effective. 46 Maintaining the daring of proper plans and policies is actually more difficult than establishing them, but this is what constitutes the point of developing BCM by a business. On the following page, there is an approximate structure of steps involved in Business Continuity Management, which is focused on planning. 42 43 ibid. 
Corporate resilience the new regime, Business Continuity & Risk Management,, p. 11 44 David Smith, Business persistency and crisis management, Management Quarterly, July 2003, p. 27 45 Michael Gallagher, Business Continuity Management,, p. 43 46 ibid. 21 Scheme 2. 1. Procedures involved in Business Continuity Management47 INPUTS 1. 2. 3. 4. 5. 6. mountain range definition desired objectives policies and standards inventory information, technology, people management commitment finance ANALYSIS plus ASSESSMENT BUSINESS IMPACT ANALYSIS TECHNICAL REQUIREMENTS 1. analyze BIA and addition Assessment 2. list technical strategies based on the analysis of each asset and business process in scope 3. document drawbacks and advantages of each listed dodge 1. identify and quantify asset needs 2. document ownership 3. assign weight based on importance 4. assess exposure 5. identify gravel control and other preventive measures 1. rate processes based on criticality 2. identify dependencies 3. identify custodian 4. identify threats and consequences 5. identify safeguards needed/possible 6. list critical resource requirement 7. quantify delightful owntime and and losses DEVELOPMENT 1. 2. 3. define continuity goals and chosen strategy in the form of a plan acquire resources needed for preparing and implementing the continuity plan test the plan RESULTS 1. 2. 3. 4. preventive control Business Continuity Plan continuity team training plan for team 47 Padmavathy Ramesh, Business Continuity Planning, (Tata Consultancy go, 2002), p. 28 22 2. 1. 1 The Evolution of BCM As Halls observes, Business Continuity Management is a relatively modern idea. Its first mentions can be found in the 1980s, although it was only in the very late 1990s that it became a more widespread as a business discipline. 
48 In fact, Business Continuity Management is the outcome of a process that started in the early 1970s as computer Disaster Recovery Planning (DRP) and then moved through an era where the emphasis was on business continuity planning rather than on management.49 In that time, computer managers were responsible for DRP. Soon, they realized that the concentration of systems and data in itself created new risks. Computer operations management introduced formal procedures governing issues such as backup and retrieval, access restrictions, physical security, resilience measures such as alternative power supply, and change control.50

In the 1970s, if a big problem appeared, the tolerated downtime was not measured in hours, but days. Therefore, the cost of back-up computers sitting idle in an alternative location waiting for a disaster to happen was prohibitive. However, for some companies, data safety was a priority no matter at what cost it would be obtained. As Gallagher points out, organizations such as banks were in a more vulnerable position and invested enormous resources in installing and testing computers at alternative sites. Back-up tapes or disks were progressively stored at protected locations well away from the computer centre.51

Later, in the 1980s, commercial recovery sites offering services started to appear, often on a shared basis. This was the start of the sophisticated recovery centers that operate today,52 notes Gallagher. However, they all concerned mainly IT. The disaster recovery plans documented the actions required to safeguard and restore computer operations. These covered computer processing, computer applications, telecommunications services and data after a disruptive event. The objectives were to prevent or at least minimize the impact that such an event would have on the business.

48 Michael Halls, What is Business Continuity Management?
49 Michael Gallagher, Business Continuity Management, p. 6
50 ibid.
51 ibid.
52 ibid.
53 Such plans were far from being perfect as they were more concerned with, for example, restoring a company's financial systems to an operational state than with worrying about whether there would be accommodation available to allow the staff of the finance department actually to use the systems.54 Not much attention was paid to implementing BCL into every aspect of the company's activity.

In the 1990s, a significant change in the IT environment took place and the movement from DRP to Business Continuity Planning became considerably quicker. Gallagher confirms that throughout this decade, and into the 2000s, there were significant changes in the IT approach to DRP/BCP and in what constituted acceptable downtime. The emphasis moved from being mainly on IT to an approach that considered all aspects of an organization's business and relationships.55 It is only then that BCP has become BCM with the focus on management not just planning. This encompasses the emphasis on risk management and the measures to be taken to reduce risk. BCM is no longer regarded as a project; it is now a program, emphasizing that it is a continuous process rather than a task with a defined end date.56

The next step is to make managers of all companies aware of the importance of BCM as the increased recognition of BCM means that a greater budget allocation may be available to it. More significantly, the message preached by business continuity practitioners for years that business continuity principles should be an integrated part of the business planning process may be heard.57

53 ibid.
54 ibid.
55 ibid.
56 ibid.
57 ibid.

2.1.2 The Significance of BCM

Thanks to proper Business Continuity Management, a company has a professional plan which allows acting as quickly and efficiently as possible in case a dangerous event happens, because BCM not only aims to provide continuity in customer service at a minimum acceptable level, it also aims to limit the impact on the financial position of an organization by ensuring that its critical functions continue to operate during a crisis and that the remainder are recovered in a controlled manner.58 Therefore, when a BCP is applied, there are no chaotic, haphazard attempts to minimize the losses as clear and logical procedures have been devised earlier and communicated to the staff. As Mel Gosling notices, decisions made in the first few hours of an event that causes serious disruption to an organization's operations are critical, and actions undertaken in the first few days will have a significant financial impact59 and a company that has an effective and well-tested Business Continuity Plan is more likely to take the right decisions in the first few hours and to subsequently undertake the best actions to limit the impact on its financial position. It has a better chance of incurring significantly less additional expenditure at the time of a disruption.60

Moreover, one of the benefits that implementing business continuity management brings to a firm, which is not immediately apparent, is an understanding of what the business does and what is important to it.61 In this way, a company can analyze its allocation of resources and improve it, as well as find out what is critical and of value, and what can be outsourced or left undone.62

Besides, certain companies, e.g., financial institutions, are legally obliged to develop BCM and maintain an effective business continuity plan. It is also becoming increasingly common that businesses require their suppliers to present their BCM plans. This facilitates the process of assessing the suppliers' infallibility and constitutes an element of developing a sound business relationship.

58 Mel Gosling, Why invest in business continuity, 1 February 2007
59 ibid.
60 ibid.
61 ibid.
62 ibid.

The investment into Business Continuity Management is beneficial not only in the matter of a business being prepared for multiple diverse crises. It also adds significantly to the company's reputation and brand image by demonstrating effective and efficient governance to the media, markets and stakeholders.63 Moreover, it enhances the competitive advantage of the business, because to some investors and customers it may be a vital factor in deciding to which company they should entrust their capital. Osborne explains it as follows, To a firm's shareholders it's part of investor relations: you are showing your commitment to keeping their investment safe. To a firm's staff it is repulse relations: you are showing your willingness to protect the livelihood of your staff.64 Furthermore, he stresses that it's customer relations too: you're demonstrating your commitment to providing a service for them even in the most extreme of circumstances.65

Last but not least, devising professional plans and keeping them updated increases the company's credibility in the eyes of insurers and auditors because they are becoming increasingly aware of the importance of BCM. As Osborne observes, Five years ago, auditors simply would have said to their clients, do you have a plan in place? A couple of years ago, they would have wanted to inspect it, to see if every contingency was covered and how practical it appeared to be. Nowadays, they will ask how it worked in practice. When it was last tested and what were the results?66 What is more, insurers like to see evidence that all reasonable steps have been taken to understand the past accident record and that actions have been put in place to prevent them from happening again.
67 This is confirmed by Gosling, who states that insurance companies themselves are now starting to realize the opportunities that business continuity provides for loss reduction, and it is becoming increasingly common for a condition of insurance cover to be the existence of a business continuity plan.68 All in all, devising and implementing an effective BCM plan brings versatile advantages to a company, while the failure to do so means taking an unnecessary risk with an organization's future and profitability.69

63 David Smith, Business continuity and crisis management, p. 27
64 Ask the panel of business continuity experts,
65 ibid.
66 ibid.
67 Pro-active Risk Management Avoiding catastrophe. Business Continuity & Risk Management, p. 14

2.1.4 Continuity Culture in a Company

A vital step in forming Business Continuity Management in a company is to instill a proper attitude in the staff. Michael Gallagher believes that it is about creating a continuity culture in the organization. This can be at least as important as producing the actual plans.70 He also states that for BCM to work, it must be driven from the top.71 Therefore, senior managers must understand that BCM is not just another expense but also a significant resource,72 as Mike Osborne assures. However, the amount of data that has to be taken into consideration while developing preventive measures is overwhelming. Lane points out that while responsibility for corporate resilience sits firmly with the executive director board, the skills and experience required to combat the growing list of disruptive threats exists throughout the organization.73 Thus, in large companies, it is a wise move to appoint a full-time Business Continuity Manager, whose tasks are to accumulate the relevant knowledge from all departments and co-ordinate proper procedures, as well as devise professional plans and keep them updated. Smaller businesses may use the services offered by consulting companies.
The staff's awareness of specific procedures ready to be applied in case of any foreseeable disaster enhances their ability and identification with the company. Instructing them in the specific plans encourages them to pay greater attention to safety issues, which significantly contributes to the BCM process. Gallagher explains that if the business continuity culture is sufficiently developed, the continuity considerations will be a natural part of the development of the plans.74

68 Mel Gosling, Why invest in business continuity
69 ibid.
70 Michael Gallagher, Business Continuity Management, p. XI
71 ibid.
72 Ask the panel of business continuity experts, Business Continuity & Risk Management, p. 12
73 David Smith, Business continuity and crisis management, p. 27

2.2 BCM and the Company's Size

For the definite majority of large corporations, BCM is a regular part of their activity but, as Gallagher states, there is a feeling that it is not a matter of concern to the smaller business.75 This happens because a lot of the emphasis in the business continuity press, and in business continuity material generally, relates to large organizations and to the financial services industry.76 While for the largest corporations and those with enormous sums of money at stake, the complexity of planning is breathtaking,77 small and medium-sized enterprises tend to get ignored when talking about business continuity planning. The planning is more prosaic. The challenges are fewer. And most importantly, their budgets are smaller.78 Another problem is the fact that smaller companies are typically less aware of the correct procedures than big firms where systems have been developed.
79 The managers of small and medium-sized businesses simply tend to think that their company's size is a kind of safeguard against a disaster, or that potential recovery will be quick and simple, so the process of developing a plan is perceived as too complicated, involving excessive costs and management time.80 However, Mike Osborne emphasizes that the issue for small to medium sized businesses is that they often do not have the inherent resilience that say, a UK multinational has.81 He warns the managers against an illusory feeling of safety, as smaller firms often trade from a single location and do not benefit from vast armies of support staff and specialists who can react to and recover from an incident. If they are hit by a disaster, the impact is greater than it would be the case in a big organization.82

This view is supported by Gallagher, who states, Small businesses should remember that their biggest threats do not come from high profile incidents such as earthquakes or terrorist bombs. It is the dozens of relatively peasant issues such as prolonged power outages or computer network failures that may cause the problems. The vast majority of problems are caused by people or process failures.83 He points out that this is where the effort and investment should be concentrated. Because of size, the process is simpler and the cost will be proportionally less than for larger organizations. The consequences of not having a plan are, however, likely to be disastrous.

74 Michael Gallagher, Business Continuity Management, p. 88
75 Michael Gallagher, Business Continuity Management, p. 28
76 ibid.
77 Michael Halls, What is Business Continuity Management? Business Continuity & Risk Management, p. 3
78 Michael Halls, Small is still beautiful (but riskier too), Business Continuity & Risk Management, p. 10
79 ibid.
80 It's never too late to plan for the future, Business Continuity & Risk Management, p. 15
84 Therefore, as Michael Halls stresses, Business Continuity Management is a must for companies of all sizes. A small firm that loses its data will go out of business just as surely as a larger one.85

2.3 BCM in Relation to Insurance

Some managers wonder why they should engage in Business Continuity Management while their company is insured. To them, devising a BCM plan seems to be an unnecessary waste of time and money, because they think that risks are looked after by the insurers and thus, there is no need to worry. But these are absolutely false conclusions. As Mark Baylis emphasizes, insuring the risk is not the answer, because it is better for the business that the problem does not happen at all.86 This view is supported by Gallagher, who states that insurance is simply a necessary part of the total business protection and recovery plan but it is only a part.87

Although it is true that insurance provides financial aid in case a disaster strikes, the money may arrive after quite a long time. Moreover, insurance for loss of profits, or for increased cost of working, will cover only a defined period which in practice may prove to be inadequate.88 Besides, proving loss of profits can be very difficult. The outcome may be based on historical performance and may not take account of recent market developments.89 It is also very important to notice that insurance will not keep customers supplied or guarantee that market share will be recovered,90 nor will it protect the organization's reputation and image.

81 ibid.
82 ibid.
83 Michael Gallagher, Business Continuity Management, p. 28
84 ibid.
85 Michael Halls, Small is still beautiful (but riskier too),
86 Mark Baylis, Weak links in the supply chain, Business Continuity & Risk Management, p. 11
87 Michael Gallagher, Business Continuity Management, p. 33
91 Last but not least, as was mentioned in the previous paragraph, there may be a situation when the insurer refuses to provide a cover unless the company devises a BCM, because nowadays businesses are required to act more actively in protecting themselves from various possible risks. Therefore, it is vital for a firm to have efficient Business Continuity Management in order to obtain insurance on favourable terms. To sum up, managers must remember that insurance is reactive; while it has its place, the whole protection process must be more proactive and BCM is the key.92

2.4 Business Impact Analysis

Business Impact Analysis (also known as BIA) is the most important tool of Business Continuity Management. Gallagher defines it as a management-level analysis that identifies the impacts of losing company resources. It measures the effect of resource loss and escalating losses over time in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.93 The BIA process identifies and ranks the business processes, criticalities and dependencies.94 It is closely related to risk analysis, which was discussed in the previous chapter; therefore, it may be based on the materials that have already been gathered during the general Risk Management process in the company. The method by which BIA is carried out depends on the nature of the organization: size, structure, local or international, and so forth.95

88 ibid., p. 34
89 ibid.
90 ibid.
91 ibid.
92 ibid.
93 ibid., p. 146

Generally, in order to maximize the efficiency of the BIA process, standardized questionnaires should be used. They should contain questions which are formed in such a way as to provide information that concerns the following issues:
- the nature of given problems
- the impact of the problems, which should be presented from different perspectives, e.g. the company's reputation, costs involved, loss of future business, etc.
- the influence that may be caused by the problems at different times of the day, week, month and year
- the kind of resilience that may be currently provided in a quick and easy way
- the recovery from the addressed problems (time needed for recovery, priorities for resumption, duration of backlog, additional costs, insurance cover)
- the available workarounds and the way they operate
- the continuity and recovery requirements, e.g., accommodation, computer systems, etc.96

After the questionnaires have been filled in, the Business Continuity Manager prepares a comprehensive report which presents the company's Business Impact Analysis. The report is made up of the following parts:
1. Introduction
2. Executive Summary
3. Background to rent
4. Current State Assessment
5. Threats and Vulnerabilities
6. Critical Business Functions/Operations
7. Business Impacts Operational and Financial
8. Potential Strategies
9. Recommendations
10. Conclusion
11. Appendices97

94 ibid., p. 47
95 ibid.
96 cf. Michael Gallagher, Business Continuity Management, p. 57

Thanks to the logical and substantial structure, the report fully represents the current standing of the company, clearly indicates its weak points and realistically describes possible procedures.

Business Continuity Management is an extremely important process, which not only enables the assumption of proper attitudes towards multiple threats that endanger a firm's functioning, but also significantly deepens the understanding of the business and improves the staff's morale. Proper implementation of BCM in a company leads to the creation of a Business Continuity Plan, which will be discussed in detail in the following chapter.

CHAPTER 3
BUSINESS CONTINUITY PLAN

In the previous chapters, the importance of Business Continuity Management was explained and it was stated that devising a Business Continuity Plan is one of the main tasks of this type of management.
This chapter provides information on how to construct, implement and test a Business Continuity Plan. Moreover, it contains a description of the most frequent mistakes that appear while drafting a BCP and advises how to avoid them. The exemplary plans and templates on which the analysis is based are attached as Appendices B, C, D, E and F at the end of the present thesis.

3.1 The Structure of an Exemplary Business Continuity Plan

Business Continuity Plans vary in length and are divided into different parts, which mostly depends on the size and type of a company. However, certain sections are vital and thus common for all the plans. They should be organized in such a way as to enable quick access to the required information. These crucial parts will be successively discussed herein.

3.1.1 Front Page and Introduction

On the front page of a Business Continuity Plan, there should be written the name of the company, the issue date and a distinct lettering stating BUSINESS CONTINUITY PLAN. Moreover, if the Plan is confidential, it should be indicated on the front page as well. Optional elements inserted here may include contact details for feedback, references, the revision date, etc. These components are followed by an introduction, which consists of a distribution list (copy number, name and location) and a table of contents.

97 cf. Michael Gallagher, Business Continuity Management, p. 57

3.1.2 Aim

This section should contain the description of the purpose for which the Plan has been created. It usually gives examples of possible disasters and explains the objectives which the plan is intended to meet in case of a calamity. What is more, a company which wishes to convey an especially powerful message concerning its reliability may include in this part a summary of the extensive works and professional research which have been involved in the development of the Plan.

3.1.3 Critical Functions Checklist

Critical Functions are those activities without which the company would not be able to perform. In order to prepare a Critical Functions Checklist, the following steps should be completed:
- the identification of Critical Functions, e.g., sales and distribution
- the description of the Functions in terms of the impact which may be caused by their interruption in the first 24 h, 48 h, one week and two weeks
- the prioritization of the Functions
- the ascription of a reasonable timeframe within which the recovery is possible
- the determination of resources which will be necessary in the recovery process, such as
  a) the staff: the required number of people, their knowledge and skills
  b) alternative location: e.g. the staff working at home or provisional premises together with necessary equipment like computers, cars
  c) data: information and documents, e.g., insurance certificate, service, customers and suppliers details
  d) communications: all ways in which customers, suppliers, the staff and media can be contacted in case of disaster.

Such a Checklist allows ensuring that critical tasks are completed on time and according to a pre-agreed priority schedule. It may also be used to provide a handover document between different shifts in the recovery process.98

3.1.4 Risk Analysis Table

This part should contain a table comprising a list of dangers which may interrupt and threaten the activity of the company. The matrix presented below may be used to assign values to the particular risks with regard to the likelihood of their occurrence and their potential impact.

Table 3.1.4 Risk Matrix

| IMPACT \ LIKELIHOOD | NEGLIGIBLE | antiquated | UNLIKELY | POSSIBLE | PROBABLE |
|---|---|---|---|---|---|
| CATASTROPHIC | M | H | VH | VH | VH |
| SIGNIFICANT | M | H | VH | VH | VH |
| MODERATE | M | M | H | H | H |
| MINOR | L | L | M | M | M |
| INSIGNIFICANT | L | L | L | L | L |

Legend: L - low, M - medium, H - high, VH - very high

Moreover, there may be also attached a list of possible losses, endangered people and equipment, as well as the actions which have to be taken in case a particular risk occurs.

98 Appendix D, p. 77.

3.1.4 Emergency Response Checklist

Such a Checklist greatly facilitates the performance of people involved in fighting a potential adverse event. It also acts as a concise register of actions that were taken after the disaster happened. It should be later analyzed, developed and improved. It is preferable that tasks to be completed are organized in the form of a table, together with a column in which the date of termination will be written down. The actions may be listed as follows:

during the first 24 h
a) to establish the Actions and Expenses Log, which is a more detailed and comprehensive version of the Emergency Response Checklist
b) to contact emergency services
c) to identify and approximately assess the damage which has been incurred by the staff, equipment, buildings, data, etc.
d) to determine the critical functions which have been interrupted
e) to decide on the steps that need to be taken within the recovery process, which is based on the Critical Function Checklist
f) to contact the staff, customers, suppliers, insurers, relevant authorities and other stakeholders in order to assure them that the situation is under control
g) to issue a special PR statement to the media.
daily within the recovery period
a) to update the Actions and Expenses Log
b) to provide valid information to the staff, customers, suppliers, insurers, relevant authorities and other stakeholders, as well as the media

after the recovery period
a) to interview the staff with respect to their welfare needs
b) to analyze the Emergency Response Checklist and Actions and Expenses Log in order to introduce possible improvements into the Business Continuity Plan.

As can be seen, the response to the crisis should focus on its effects, not on the causes. The reasons for the adverse event should be identified as quickly as possible, but a comprehensive analysis of them must not be performed before the main steps of the recovery process have been taken.

3.1.5 Roles and Responsibilities

This section should contain information and contact details regarding the people who are responsible for the shape and content of the Business Continuity Plan (e.g., Business Continuity Manager, the BCM Team). Moreover, there may be included a list of duties which are ascribed to the particular staff members in case an adverse event happens. Last but not least, it is necessary to indicate the names and contact details of the co-ordinators of the recovery process, help-line numbers (possibly, with pre-recorded messages) and location of meeting rooms and the Business Recovery Command Centre, together with maps.

3.1.6 Contact List

In this part, there should be listed the following contact details:
- staff members (divided in respect to the departments) and their next of kin: a) name, b) address, c) work telephone number, d) home telephone number, e) mobile telephone number, f) e-mail address
- key suppliers: a) name, b) provided goods, c) address, d) telephone/fax number, e) e-mail address
- key customers: a) name, b) service/good used, c) address, d) telephone/fax number, e) e-mail address
- emergency services (ambulance, fire service, flood line, hospitals, police): a) address, b) telephone number
- utilities (water, telecommunication, gas and electricity companies): a) name, b) telephone number, c) e-mail address
- insurers and banks: a) name, b) address, c) telephone/fax number, d) e-mail address
- authorities: a) name, b) address, c) telephone/fax number
- media: a) name, b
