Using the GPGs to Solve Business Continuity Problems
Presented by: Brian Zawada FBCI
US Chapter Board President
What is the BCI?
• Founded in 1994, a Member-Owned, Not-for-Profit
Professional Association of Business Continuity Professionals
• A global membership and certifying organization for business
continuity professionals
• Over 8,000 members in more than 120 countries working in
an estimated 3,000 organizations in the public and private
sectors
• We stand for excellence in the business continuity profession
• Our certified grades provide unequivocal assurance of
• Provide fundamental business continuity skills and specialized business continuity training to develop individual knowledge, skills, and capabilities.
• Provide members with access to peer-based networking opportunities, enabling them to share experiences and knowledge.
It is the BCI’s goal to be ESSENTIAL to a member’s success in the business continuity and resilience profession.
What are the BCI’s Objectives?
What is the BCI?
• Professionals seeking international
recognition of their professional and
technical competency in the BC discipline
• Individuals currently working in BC related
functions who are seeking to improve
their knowledge and understanding of the
BC discipline
• Individuals who are looking to benefit
from being part of a global network of
like-minded professionals to share good
practice in BC and related disciplines
• Newcomers to the discipline who are
considering a career in BC or a related
profession
A Global Membership
BCI Chapters: • USA • Australasia • Canada • Swiss • SADC • Nordic • Asia • Belgium / Netherlands • Japan
• The USA arm of the BCI
• Founded: 2008 in Daytona Beach, FL
• 1000+ members and growing rapidly
• Our strategic goal is to make BCI
membership to business continuity
professionals in the United States
USA Chapter Board Members:
• Rich Bogle • Ted Brown • John Jackson • Alice Kaltenmark • Paul Kirvan • Brian Mackay • Heather Merchan • Margaret Millett • Sean Murphy • Belinda Wilson • Brian Zawada
1. Internationally Respected Certification
2. Professional Growth
3. Networking
4. Content
5. “Much More”
• A global certification brand aligned to industry best practices
• Benefits to you and your organization:
o Credibility (recognition of competency)
o Opportunity
o Compensation
o Approach aligned to best practice
1. Review the GPG
2. Take the Exam
3. Complete the Application
• Membership Level Based on Experience
• Summarize Your Experience
• References
Or…
Approach to Membership
The Alternate Route to Membership
The Alternative Route to Membership
was set up for holders of third party
business continuity certifications to
provide an alternative route to BCI
Membership that did not require
applicants to sit for the Certificate of
the BCI (CBCI) examination but instead,
recognize third party certifications as
equivalent qualifications
The Alternate Route to Membership
The following qualifications and credentials
have been identified as at least equivalent to
the CBCI:
• ABCP
• CBCP
• MBCP
• Training and Education
o Instructor-Led Training
o Custom Training
o E-Learning
o CBCI Exam Online
• Mentoring Program
• Based on global good practice
• Delivered by a global network of BCI licensed
training partners
• Instructors with years of practical experience
to share
• Certification
CBCI
• Introductory and Awareness training
• Specialist skills classes (Crisis and Incident
Management, Writing Plans, Exercising etc.)
• Master classes (BIA, Developing the Plan, etc.)
• The Good Practice Guidelines Training Course (3 or 5-Day)
• The BCI BCM Audit Course
• The BCI BIA Training Course (2-day)
• The BCI Supply Chain Continuity Management Course
• The BCI Crisis & Incident Management Course
• The BCI Writing Business Continuity Plans Course
• The BCI Diploma
Course Catalog (sample)
• Mentors actively work in Business Continuity or related Professions
• All Mentors are qualified and experienced Business Continuity
professionals and hold either an FBCI, AFBCI or MBCI
• Mentors and Mentees are carefully matched by the BCI based on learning
and development needs
• Share knowledge and expertise
• Contribute to the growth of Business Continuity as a recognized discipline
in industry
• Support the and personal development of new and ‘young’ professionals
Mentoring
Largest Global Network of BCM
Professionals
• Organized as..
• Chapters: Asia, Australia, Belgium / Netherlands, Canada, Japan, Nordic, South Africa, Switzerland and United States
• Forums: UK and Europe, Africa, Canada, Asia, Middle East, South America
• Global Conference
• USA Conferences and Association Participation
• BCAW
BCI
Chapters
Forums
• The BCI Good Practice Guidelines
• Continuity Magazine
• The BCI eNewsletter
• BCI Benchmark
• Special Reports (topical and lessons learned)
• C-Suite Toolkit
• Surveys, benchmarking and white papers
• The most comprehensive and independent
view of current thinking in Business Continuity
• Provides not just the ‘what to do’, but answers the ‘why’, ‘how’ and ‘when’ of good BC practice
• Written by BC professionals for BC
professionals
• Used in training and examining individuals and
organizations (our body of knowledge)
• Aligned to ISO 22301
A Guide to Global Good Practice in Business Continuity
How can I get a copy of the BCI’s
Good Practice Guidelines (2013)?
BCI members can download a free pdf version from the
Members’ Area
Non-members can purchase a pdf version from the BCI
website
www.thebci.org
• Discounts
• Job listings and postings
• Advocacy (government and academia)
• Continuing Professional Development (CPD) System
Why BCI: #5 – “Much More”
The capability of the organization to continue
delivery of products or services at acceptable
predefined levels following a disruptive incident.
Source: ISO 22301:2012
• Responsibilities of Top Management
• Setting strategic objectives
• Resources for business continuity
• The importance of the BIA and a stronger link to the organization’s approach to risks and threats
• Resource requirements, skills and
competence of people involved
• Training, awareness and communications
• Document management
• Exercising and testing
• Monitoring performance and measuring
value of business continuity
ISO 22301 | BCI GPG’s (2013)
4.1 Understanding of the organization and its context | PP1 – Policy & Program Management
4.2 Understand the needs and expectations of interested parties | PP1 – Policy & Program Management
4.3 Determining the scope of the business continuity management system | PP1 – Policy & Program Management
5.1 Leadership and commitment | PP1 – Policy & Program Management
5.2 Management commitment | PP1 – Policy & Program Management
5.3 Policy | PP1 – Policy & Program Management
5.4 Organizational roles,
6.1 Actions to address risks and opportunities | PP1 – Policy & Program Management
6.2 Business continuity objectives and plans to achieve them | PP1 – Policy & Program Management
7.1 Resources | PP1 – Policy & Program Management
7.2 Competence | PP2 – Embedding Business Continuity
7.3 Awareness | PP2 – Embedding Business Continuity
7.4 Communication | PP2 – Embedding Business Continuity
8.1 Operational planning and control | PP1 – Policy & Program Management
8.2 Business impact analysis and risk assessment | PP3 – Analysis
8.3 Business continuity strategy | PP4 – Design
8.4 Establish and implement business continuity procedures | PP5 – Implementation
8.5 Exercising and testing | PP6 – Validation
9.1 Monitoring, measurement, analysis and evaluation | PP6 – Validation
9.2 Internal audit | PP6 – Validation
9.3 Management review | PP2 – Embedding Business Continuity; PP6 – Validation
10. Nonconformity and corrective action | PP6 – Validation
10.2 Continual Improvement | PP6 – Validation
PP1 – Policy and Program Management
Defines an organization’s policy relating to BC, how it will
be implemented, controlled and validated through a BCM
program
• Setting BC Policy and determining the scope of the BCM program
• Defining governance and assigning roles and responsibilities
• Implementing a BCM program, managing documentation using
program and project management techniques
The BCM program operates at three levels:
• Strategic: Decisions are made and policy is determined
• Tactical: Operations are coordinated and managed
• Operational: Activities are undertaken
PP2 – Embedding Business Continuity
The Management Professional Practice that continually
seeks to integrate BC into day-to-day business activities and
organizational culture
• Organizational Culture
• Skills and Competence
• Managing a Training Program
PP3 – Analysis
Reviews and assesses an organization in terms of what its
objectives are, how it functions and the constraints of the
environment in which it operates.
• Business Impact Analysis (BIA)
PP4 – Design
Identifies and selects appropriate strategies and tactics
• Continuity and Recovery Strategies and Tactics
• Threat (Risk) Mitigation Measures
PP5 – Implementation
Executes the agreed-upon strategies and tactics through
the process of developing plan documentation
• Business continuity plans
• Developing and managing plans at a strategic, tactical
and operational level
PP6 – Validation
Confirms the BCM program meets objectives set in the BC
Policy and that plans are fit for purpose
• Developing an exercise program
• Developing and running exercises
• Maintenance of the BCM program
• Review of the BCM program
GPG | Problem | Description
PP1 – Policy and Program Management | Management Engagement | “My steering committee isn’t coming to meetings anymore or they’ve delegated their role.”
PP2 – Embedding Business Continuity | Participation | “The VP from Department X assigned his administrative assistant as his group’s planner.”
PP3 – Analysis | Focus | “We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”
PP4 – Design | Proactive vs Reactive (and scope) | “We seemed to be laser focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?”
PP5 – Implementation | Templates vs Plans | “No one seems to use the plans we’ve documented. And why would they all read the same, almost as if they’re templates!”
“We have 1000 plans, all updated in the last 12 months… but
“My steering committee isn’t coming to meetings anymore or
they’ve delegated their role.”
• Root Cause: The program is focused on planning activities rather than what it’s protecting and the performance of response/recovery strategies.
• Solution: Speak their language in terms of scope (product/services) and program objectives.
“The VP from Department X assigned his administrative assistant
as his group’s planner.”
• Root Cause: Role-specific competencies aren’t defined.
• Solution: For each role, define the skills and experiences
necessary to be successful, and then measure the assignment
process; drive competency improvement.
“We have 1000 plans in our software tool… but we’re not sure
we’re recovering what truly matters.”
• Root Cause: Management has not defined priorities in terms
of products and services, and because of that, the program
focuses on every box on the organizational chart.
• Solution: Perform strategic, tactical and operational level
business impact analyses in order to bring focus to the
program.
“We seemed to be laser-focused on reacting to events. Shouldn’t we be
equally focused on preventing disruption in the first place? Also, when it
comes to being reactive, is it strange we seem to be predominantly
focused on IT?”
• Root Cause: The organization isn’t focused on controls to mitigate risk;
rather, it’s all about focusing on reacting to risk, with too much of a
focus on one specific resource – IT.
• Solution: Use the risk assessment to identify and implement control
enhancement; and identify strategies to address a loss of all resources –
facilities, people, equipment, IT and suppliers/service providers.
“No one seems to use the plans we’ve documented. And why do
they all read the same, almost as if they’re templates?”
• Root Cause: Procedures fail to support the response and
recovery decision-making process.
• Solution: Ensure procedures answer the key questions – what,
who, where, when and how.
“We have 1000 plans, all updated in the last 12 months… but we’re
not sure if we’re actually ready for a disaster”
• Root Cause: The business continuity program is measuring
success based on the execution of activities rather than the
performance of strategies.
• Solution: Determine if you can recover products and services
consistent with management expectations – and report on that!
• ISO 22301 and the GPG’s help improve performance
– ISO 22301 is written for the organization, the GPG’s are
written for the business continuity professional tasked
with implementing best practice
• Both documents leverage the equivalent of centuries
of experience to focus on the best practices
necessary to ensure organizations proactively
mitigate continuity-related risk and
respond/recover appropriately
• New training programs (in-person and webinar-based)
• Complementary webinars and print content to introduce emerging practices and member experiences
• Research and other publications to add value to your career and employer
• A renewed mentoring program that matches BCI members based on geography, industry, expertise and need
• An Executive Forum for senior business continuity practitioners in the US to
collaborate and share ideas, modeled after the successful approach used by the BCI in Europe
• A new membership level aimed at the experienced practitioner, the AFBCI
• Continued, strong partnerships with DRJ and Continuity Insights
These and other US-focused services are in addition to the
To find out more about BCI Certification, Membership,
Training & Education, or Partnership, visit us in the
Join us or connect with us today
www.thebci.org
http://www.thebci.org/index.php/home/us-chapter-home
Twitter: @BCI_US_Chapter
LinkedIn: BCI USA – The Business Continuity Institute US Chapter
Abby Horan – 703.637.4407