The RM to BC route – how ISO 31000 benefits Business Continuity
John Agius – May 2012
Accompanying notes (paper) for the presentation of the same title, prepared for the G31000 ISO
31000 Conference 2012, Paris, France, 21 – 22 May 2012
Abstract
What is commonly termed “business continuity” concerns a type of disruption-related risk influencing the
achievement of organizational continuity objectives and in particular the uninterrupted delivery of
key products and/or services. Disruption-related risks should be treated as such and are best dealt
with as part of the treatment options available within the risk management discipline. Continuity
plans are one of the tools that can be adopted to manage disruption-related events.
Moreover, experience shows that organizations that decide to implement BC already have RM, together
with the basic BC prerequisites, established through the RM process within the organization.
Thus, taking the RM to BC route is not only the right way but also the most efficient and most effective
approach.
Introduction
Consciously or not, organizations deal with risk. By handling risks effectively and efficiently an
organization is able to ensure the continuity of its operations and the delivery of its key products and
services. In other words, the management of risk makes it possible for an organization to achieve its
objectives. Yet objectives do not always materialize as expected. As a result organizations operate
in a continuum of uncertainty. The effect of this uncertainty, arising from probable threats, missed
or would-be opportunities and/or potential disruptive incidents, on set objectives is termed ‘risk’
(ISO 31000, 2.1).
“Many organizations have a well-established RM function, maintain a corporate risk-register (RR)
and have risk-assessment (RA) embedded in the organization in as much as all managers are
expected to assess risks as part of their normal practices and procedures. Threat assessments,
therefore, may already be available for the organization’s activities. However the presence of a risk
management function is not a prerequisite for an effective BCM programme” (BCI-GPG, 2010: 53).
ISO 31000 Conference
Paris, France 21 – 22 May 2012 1
© J. Agius
The first part of the BCI statement is true, except that ‘all’, and not simply ‘many’, organizations that
decide to implement BC have RM established within the organization. Hindsight indicates that this is
the case every time. The statement that “the presence of a RM function is not a prerequisite for an
effective BCM programme”, i.e. for the handling and treatment of disruption-related risks, is only true if
such a function is implemented independently of, or in total absence of, a BC programme. However,
BC, i.e. the handling of disruption-related risks, cannot exist without an RM function, and an RM
function would not be complete without a BC programme.
“RM and BC only exist as a consequence of risk awareness. Every company … accurately or
otherwise, has risk management nearer the board and above business continuity” (Power,
2010). This in no way implies that RM is above BC or vice versa, since both specialisms are an equal
and integral part of the same concept of management. In this regard, it must be stated that there is
also a historical perspective on how RM emerged from traditional management and how the failures
of RM led to the establishment of BC as we know it today, with the three philosophies (management,
RM and BC) running in silos. However, modern management thinking is currently exploring avenues on
how to reintegrate the different management systems into an “overall integrated management
system”.
This new thinking may well consider incorporating established scientific research to help
substantiate the scientific value of modern management development. One example is Turner’s
“Disaster Sequence Model” (DSM), which established that disaster events resulting in disruption-
related incidents do not occur instantly. Turner’s research, further developed by Toft and Reynolds,
indicates that there is always an incubation process preceding the trigger of an incident and its
escalation into a disaster.
Turner’s DSM (1978) describes the sequence of events that begins with an unnoticed set of
events leading to the onset of an incident, then into a crisis, followed by a process
of rescue and salvage (recovery), and possibly a disaster if things do not go right.
The following sections look at:
1. A concise historical view of Management, RM and BC phases
2. The Disaster Sequence Model - DSM
3. The treatment of risk
4. How ISO 31000 can benefit BC
5. Conclusions
1. A concise historical view of Management, RM and BC phases:
Management:
Management (general) was traditionally based on intuition and limited informed decision-making on
day-to-day management issues. Management tools have been developed over time, e.g. SWOT
(Strengths, Weaknesses, Opportunities and Threats) and the 4D’s (Define, Design, Do, and Deliver),
among other useful tools. These management tools streamlined management into a quasi-scientific
model. Yet general management (as it was initially labelled) was broad and lacked focus on specific
management issues, among them ‘threats’ and the effect these had on management objectives.
Eventually, when the effects of threats started to get complicated and serious, focus on threat
management was needed. As a result RM emerged and later evolved as an independent
management system.
Risk Management:
The handling of threats and the effects these had on organizations was initially perceived as the
management of risk (nowadays it is referred to as the down-side of risk). The first RM concepts
were based on tools specifically developed to manage risk emerging from the effects that threats
were having on organisations. One of the tools to manage threats was the 4T’s. This was based on
measures to terminate, treat, transfer or take the risk with a view to ensuring that organizations
continue to move forward in achieving their objectives.
What the 4T’s and other RM tools failed to take into consideration were risks arising as a result of
missed and would-be opportunities and those emerging from the effects unexpected disruption-
related events had on the objectives set by organizations.
Through the introduction of sophisticated technological systems and processes and high market
demands, the effects of disruptive incidents began to leave their mark on organizations set to deliver
critical products and services. Since RM lacked the capacity to manage disruptive situations and
disruption was no longer limited to MIS or computer-installation systems, organizations had an
urgent need to identify methods to handle the effects from disruptive events.
Initially, DRP (disaster recovery planning) in the US attempted to provide the solution. This
“inevitably created the demand for third party consultancy … initially aimed entirely at Data
Processing or MIS (as IT/ITC was then generally called) and was technical in nature” (BCI GPG 2010,
9). However, the problems emerging as a result of the ‘risk from business disruption’ were beyond
data processing and MIS. Consequently, rather than entrenching the BC principles within existing
general or business management systems or within the risk specialism, a new discipline was
developed as a totally separate management philosophy. This philosophy was to be named business
continuity management (BCM).
It is noteworthy that the strong focus on the search for solutions to disruption-related risks
led to the total neglect of the difficulties related to the up-side of risk. As a
result, issues related to missed and would-be opportunities have been totally ignored. Some risk
practitioners still argue against the up-side element in risk and continue to consider the
management of opportunity as a separate issue outside of risk management.
Business Continuity:
According to the BCI-GPG-2010 (p. 9), the first signs of BCM evolved out of disaster recovery
planning (DRP). The first known use of the term “Business Continuity” is said to have been made by
Ron Ginn (later to become the inaugural BCI Chairman) back in 1986, after he had researched the
subject in the United States and interviewed many leading practitioners. Ginn wrote a book entitled
“Continuity Planning” which postulated an application of the DRP skill-set to a much wider range of
business risks and potential operational interruptions. In 1988 a UK organization by the name of
“Survive” created a forum in which DR people could share their experiences and knowledge.
Eventually, in 1991 “Survive” dropped the references to DRP and re-branded itself “The Business
Continuity User Group”. This step had a significant impact in changing the external perception of the
subject. Concurrently, two of the largest US-owned DR companies also changed their position,
seeing “Continuity” as a more upbeat message than “Recovery”.
It can therefore be said that the appearance of BCM is the result of the failure of RM and DRP to
provide a plausible solution to the effects that disruption-related incidents were having on
organizations during the late 1970s and the mid-1980s.
2. The Disaster Sequence Model - DSM:
Natural, man-made or systems failures do not happen instantly. They are caused by latent
defects that build up within the natural environment, systems and processes. Badly managed,
or not managed at all, latent defects can lead to disasters. In his DSM Turner describes
the sequence of events associated with the developments leading to disasters (Toft & Reynolds,
1997). At the most general level the model consists of three separate but interrelated parts:
• the incubation period of actions and events prior to a disastrous situation;
• the event triggering the incident/disaster and the immediate aftermath of recovery; and
• the learning process through investigation, analysis, reports and recommendations.
The DSM can be easily adopted to better understand how to effectively manage risks from
disruption-related events. The different stages of Turner’s DSM are as follows (Toft &
Reynolds, 1997: 22):
1. Stage I – notionally normal starting point:
(a) Initially culturally accepted beliefs about the world and its hazards;
(b) Associated precautionary norms set out in laws, codes of practice, mores* and
folkways**.
2. Stage II – the incubation period: the accumulation of an unnoticed set of events
which are at odds with the accepted beliefs about hazards and the norms for their
avoidance.
3. Stage III – precipitating event: forces itself to the attention and transforms the
general perception of Stage II.
4. Stage IV – onset: the immediate consequence of the collapse of cultural precautions
becomes apparent.
5. Stage V – rescue and salvage: first stage adjustment – the immediate post-collapse
situation is recognised in ad hoc adjustments which permit the work of rescue and salvage
to be started.
6. Stage VI – full cultural readjustment: an inquiry or assessment is carried out and
beliefs and precautionary norms are adjusted to fit the newly gained understanding of the
world where knowledge gained is absorbed into the culture of organisations/society.
*Mores: customs, conventions, practices.
**Folkways: the unconscious group ways of doing things (living, thinking & acting) serving as
compelling guides of conduct.
Disaster Sequence phases relevant to the understanding of disruption-related risk & disaster events
Turner’s DSM can be easily applied to the effective understanding and management of day-to-
day business activity, risk situations and disruption events, as well as to aid the continued
advancement of management. The incorporation of advanced management tools and models like
Turner’s DSM provides a systematic and structured approach to the assessment and treatment of
disruption-related risk events.
3. The treatment of Risk:
Good risk management (RM) entails effective treatment of the “internal and external factors and
influences that make it uncertain whether and when organizations will achieve their objectives” (ISO
31000: Introduction).
Generally, risk treatment of the first two types of risk:
• ‘threats’ and
• ‘opportunities’
is dependent on “the way in which consequence and likelihood are expressed and the way in which
they are combined to determine a level of risk” (ISO 31000, 5.4.3).
In the case of the third type of risk:
• ‘disruption-related’
the ‘time’ factor is added to the ‘consequence’ and ‘likelihood’ factors associated with the other types
of risk. This is so because time may drastically affect the level of consequential impact of a
disruptive incident.
Risk treatment can involve (ISO 31000, 2.25, 5.5.1):
• avoiding the risk,
o by terminating it altogether;
o by deciding not to start or continue with the activity that gives rise to the risk
whether the risk is the result of a ‘threat’, an ‘opportunity’ or a ‘disruptive incident’.
• taking or increasing the risk,
o to pursue opportunities;
o to take full advantage and maximize the benefit;
o to decide whether a ‘disruptive incident’ to key products and/or services needs
intervention to reduce the likelihood of occurrence, the shortening of the period of
disruption and/or limiting the impact from disruption.
• removing the source,
o and making sure that the threat, opportunity and/or disruptive incident do not
negatively affect the organization.
• changing the likelihood and/or consequence;
o by intervening to change the probabilities;
o by modifying the potential impact;
o by modifying the probability and impact levels of potential disruptive incidents.
• sharing it with others,
o by passing it on to insurance;
o by contracts and risk financing;
o by seeking new partnerships to share the threat and/or maximise the opportunity;
o by subcontracting to specialist organizations and sharing the threats/benefits;
o by equally applying the above to situations emerging from disruptive incidents.
• retaining the risk
o by informed decision;
o by doing nothing about it;
o by being ready to intervene should the threat, opportunity and/or disruptive
incident arise.
• invoking continuity procedures
o to reduce the likelihood of disruption (ISO 22301, 8.3.4.3. (a))
o to shorten the period of disruption (ISO 22301, 8.3.4.3. (b))
o to limit the impact of disruption on the organization’s key products and services (ISO
22301, 8.3.4.3. (c))
o “preparing and implementing risk treatment plans identifying resource
requirements including contingencies” (ISO 31000, 5.5.3), reliance, dependence, etc;
o “establish, implement and maintain a formal and documented process for business
impact analysis (BIA), risk assessment (RA) and other assessment techniques that
establishes the context of assessment, defines the criteria and evaluates the
potential impact” with regards to “disruption related risks” (ISO 22301, 8.3.3.4 (c));
o “establish documented plans that detail how the organization will manage a
disruptive event and how it will recover or maintain its activities to a predetermined
level, based on management-approved recovery objectives” (ISO 22301, 5.4.5).
4. How ISO 31000 benefits BC:
The benefits of using the ISO 31000 route to BC rather than managing the two approaches in silos are
many. With a frame of mind focused on disruption-related risks, the following is a list of benefits
within the ISO 31000 standard documentation applicable to the development of a BCMS:
Principles:
• creates value for the organization;
• is an integral part of the organizational processes;
• aids the decision-making process;
• explicitly addresses the principle of uncertainty resulting from the effect of disruptive
events;
• is systematic, structured and timely;
• is based on the best available disruption management information;
• is tailored to the organization;
• takes human and cultural factors into account;
• is transparent and inclusive;
• is dynamic, iterative and responsive to change; and
• facilitates continual improvement and enhancement of the organization in terms of
improving the overall integrated management system.
Framework:
• Makes use of the Plan-Do-Check-Act (PDCA) cycle amply aided by the ISO 31000 framework
of Design, Implement, Monitor & Review and Continual Improvement model;
• Provides the necessary mandate, commitment, support and funding by top management
and the Board of directors much needed for the successful implementation of an effective
BCMS activity;
• The required elements for managing the risk of disruption effectively and in line with other
organisational risks:
o context,
o RM and BC policies,
o accountability,
o roles and responsibilities,
o organizational processes integration,
o functional activities,
o resources required to implement the BC plan,
o critical and alternate staff,
o awareness and training programs,
o internal and external communication and reporting mechanisms most essential for
the successful implementation of a BCMS, incorporating the identification of:
 organizational vulnerabilities;
 continuity and recovery team members;
 scope, purpose and value to the organization; as well as
 the necessary lines of defence (BoD: Board of Directors, RMSC: Risk
Management Steering Committee & IAC: Internal Audit Committee) for the
necessary sponsorship, direction and audit of the RM and BCMS
implementation mechanisms.
• The development of a strategy to implement the organizational, RM framework and
processes to facilitate the risk assessment (RA) and business impact analysis (BIA) of the BC
plan and the identification of variances that can be translated into potential opportunities;
• Framework monitoring and review - having established processes in place helps to
establish a well-managed organization: regular departmental/unit status reports of BC
progress; internal and/or external audits to sustain the BCMS implementation; regular RM
and BC audits with a view to validating performance against controls;
• Top management support and involvement towards the concept of continual improvement
of the framework encouraging departments/units to establish the culture and attitude that
RM and BC are not static and nearly everything the organization does can be improved and
ought to be reviewed to enable the identification of new opportunities.
Processes:
• Established, globally agreed and supported RM processes directly affecting the BCMS;
• The use of enterprise-wide risk management (EWRM) processes and guidelines;
• In-depth awareness and understanding of the organization and its context;
• An established risk assessment process providing a well-founded risk identification, analysis and
evaluation methodology;
• A systematic and logical approach to the management of all types of risk, incorporating the
effective handling of threats, opportunity considerations and disruption-related risks that
can be modified through one or more treatment options;
• An established communication and consultation structure with customers, stakeholders and
management;
• Effective monitoring and review of all aspects of organizational risks and disruptive
eventualities.
Others:
• Increased competitive advantage supported by a globally designed and agreed RM
standard;
• Greater understanding of the effects of disruptive events in relation to the other
organizational risks;
• Enhanced customer confidence;
• Improved stakeholder trust and support;
5. Conclusions:
Organizations of all types and sizes face internal and external factors and influences that make it
uncertain whether and when they will achieve their objectives. As stated earlier, the effect this
uncertainty has on an organization’s objectives is “risk” (ISO 31000, 2.1). Risks can be of three
different types, namely:
• Threat
• Opportunity
• Disruption-related
In acknowledging that organizations operate in an ‘uncertain’ environment, ISO 31000 illustrates
that objectives can have different aspects within different fields/specialisms of management.
Organizational objectives, being the organizational efforts and/or actions to obtain or accomplish a goal,
are not always achieved as planned. The route from designing and setting objectives to
their launch, implementation and materialization passes through a complicated environment of
‘uncertainty’, and thus of ‘risk’. Risk, RM and BC are part of an overall integrated management system and
are best handled using established and well-researched RM tools.
RM & BC architecture within an overall Integrated Management System
Thus, the integration of RM and BC is not only beneficial but also more efficient and less costly. The
launch of the “risk management” standard (ISO 31000: 2009 series) and of the “business continuity” standard (ISO
22301: 2012 series), as well as of other standards, “will further increase the use of international best
practice” (CMI, 2012) in management. These are not perfect and will require continuous updating in
line with new thinking. This development will continue to reduce the gap between the
different management concepts, promoting the integration rather than the
fragmentation of modern management thinking and practice.
Bibliography
G31000 (2012) “ISO 31000 International Conference 2012, Paris, France – 21 – 22 May 2012”, at
http://www.g31000conference2012.org/
----------<>----------
BCI (2010) Good Practice Guidelines 2010, Global Edition, Berkshire: BCI
CMI (2012) “Planning for the worst, The 2012 BCM Survey”, reproduced at
http://www.managers.org.uk/sites/default/files/u28/4354BCMreport2012v3.pdf
ISO 22301 (exp.) Societal security – Business continuity management – Requirements, Secretariat:
SIS, ISO/TC 223
ISO 22313 (exp.) Societal security – Business continuity management systems – Guidelines,
Secretariat: SIS, ISO/TC 223
ISO 31000 (2009) Risk management – Principles and guidelines, Geneva: ISO
ISO 31000 (2009) Risk management – Risk assessment techniques, Geneva: ISO/IEC
Power, P. (2010) “Risk and Continuity: Convergence is in the air…”, reproduced at Continuity
Central, http://www.continuitycentral.com/feature0765.html, April 2012
Toft, B. and Reynolds, S. (1997) Learning from Disasters: a management approach, Leicester:
Perpetuity Press, p. 22
Turner, B. A. (1978) Man-Made Disasters, London: Wykeham
----------<>----------
John Agius M.Sc. (Leic.) RCDM, MIAP, Dip. Law & Admin., Dip. J&PW
The RM to BC Route - How ISO 31000 benefits Business Continuity
Risk and Business Continuity Management have been developed as a result of the effects of uncertainty that organizations face in achieving their
objectives. The likelihood of deviations from set objectives, whether negative and/or positive, compels organizations to be proactive and
prepared to intervene in good time to manage adverse effects and pursue opportunities. In the event of business disruptions organizations are
obliged to provide for resiliency and to ensure that alternative arrangements are in place for business to continue to operate whatever the
circumstances. John’s presentation tackles the role RM plays in establishing an effective and efficient BCMS and how ISO 31000 benefits this
process.
About the Author:
John is a Risk-and-Business-Continuity manager with strong industry and academic experience in the profession and the associated resilience
disciplines. Originating in electronics and computing, John moved from DRP in Data Processing and MIS back in the 1970s to RM and BC
as known today. Coupled with his 30+ years of professional experience in Management, the Police, Law, Security, planning & environmental
enforcement and Telecommunications, his knowledge is backed by an MSc in Risk, Crisis & Disaster Management from the University of Leicester
in England and various other prestigious certifications. He is a part-time visiting lecturer at the University of Malta and other tertiary and
further education institutions, lecturing in Risk Management and Assessment.
LinkedIn profile - http://mt.linkedin.com/in/johnagius