The Definitive Handbook of Business Continuity Management (eBook)

ANDREW HILES was founder and Chairman of the first international user group for business continuity and disaster recovery planning; founding Director and first Chairman and Fellow of the Business Continuity Institute; and a founder of the World Food Safety Organisation. He is an acclaimed international presenter on crisis, risk and business continuity management and author of five other books on these topics - this book and others are required reading at many universities around the world. As a Director of Kingswell International, Andrew delivers consultancy, workshops and seminars across Russia, Europe, the Pacific Rim and Australasia, North and South America, the Middle East, India, China and Africa and has presented on radio and television. In 1997 he was presented with the Western Press Award for services to business; in 1999 was nominated for lifetime achievement at the Business Continuity Institute / Corporate Insurance and Risk Awards in London; and in 2004 he was inducted to the BC Hall of Fame by CPM magazine in Washington DC. Andrew recently contributed the BC section to Qatar Finance - The Ultimate Resource and continues to serve his blue chip clients internationally.

The Definitive Handbook of Business Continuity Management 3
About the Editor 4
Contents 9
Contributors 15
Foreword 19
Preface 21
Introduction to the 3rd Edition 23
Introduction 23
Disasters 2008 24
Disasters 2009 and 2010 26
Natural disasters 26
Flood 28
Terrorism 29
Fire and explosion 29
Business Continuity 31
Disaster Recovery 31
Resilience Engineering 33
Summary 34
How to Use this Book 35
Section One Achieving and Maintaining Business Continuity: an executive overview 37
1 Enterprise Risk Management 39
Background 39
Events, Risks and Opportunities 40
Expanding on Risk Management 41
Business Objectives 41
Components of the COSO ERM Framework 42
Helping Organizations to Reduce their Exposure to Risk 44
Benefits of Implementing COSO’s ERM Framework 44
Effectiveness 45
Risk Categories 45
Limitations 46
ERM Organization 46
COSO Sources 47
Other Frameworks and Relevant Standards 47
How do Organizations Implement ERM? 48
Take-up of ERM 49
The Chief Risk Officer 53
The CRO role: job description 53
Relations in Risk Management 55
Conclusion 56
2 Developing a BCM Strategy in Line with Business Strategy 59
Introduction 59
Earnings per share (EPS) 60
EBITDA 60
Return on investment (ROI) 60
The Balanced Scorecard 61
Understanding the Organization and its Environment 63
Step 1 – Using what is already a vailable 63
Step 2 – Asking questions 64
Step 3 – Building the BCM strategy 64
Step 4 – Writing the strategy: what the strategy looks like 65
Conclusion 66
3 The Importance of Business Strategy in Business Continuity Planning 67
What is Business Continuity? 67
The Historic Context for Business Continuity Planning 68
Business Continuity Planning within a Business Strategic Context 68
Weighing business opportunity and accounting for the opportunity cost of capital and management 69
Stakeholders involved in the decision making need to have a clear understanding of the business 70
Evaluate strategic risk mitigation and Business Continuity strategies not only from a controls perspective but also from a strategic viewpoint 70
Identify areas for investment/disinvestment 70
Conclusion 71
4 Multilateral Continuity Planning 73
The Case for Multilateral Continuity Planning 73
MCP Approach 76
Project Success Factors 81
Benefits of Multilateral Continuity Planning 83
Conclusion 84
5 Marketing Protection: a Justification for Funding of Total Asset Protection Programmes? 87
Total Asset Protection: The Concepts 87
Marketing Protection 88
Brand Value 89
Advertising Campaigns and the Return on Them 93
Impact of Disaster 97
Delivery versus Expectation 98
Third Party Impact 99
Conclusions 100
6 Operational Risk Management 101
6-1 Operational Risk Management: a Primer 102
What is Operational Risk Management (ORM)? 102
What is the Scope of Operational Risk Management? 102
What is the Value of Operational Risk Management? 103
How Can We Manage Operational Risk? 103
The Operational Risk Model 105
The ORM Lifecycle and Process 108
6-2 Operational Risk Management: Risk and Consequences 110
The Global Financial Meltdown: Why Did it Happen? 110
The Objective of Operational Risk Management 111
Conclusion 132
7 Crisis Management, Emergency Management, BCM, DR: What’s the Difference and How do They Fit Together? 133
Overview 133
Starting from the Top 133
Common Terms in BCM Practice 134
Crisis Management 134
Emergency Management 135
Contingency Planning 136
Disaster Recovery 137
Inter-relationships Between Terms 138
The Ten Areas of Professional Practice of BCM 139
Summary 141
8 Business Continuity and Ethics 143
Business Continuity Ethics 143
A Moral Justification of Business Continuity 144
Two types of moral arguments 145
The Duty to Business Continuity 146
Codes of Ethics 147
Duties to Employees 148
Social Engineering as Penetration Testing 149
Shareholders and the Community 151
Duties to the Profession 152
Section Two Planning for Business Continuity: a ‘how-to’ guide 155
9 Business Continuity Management Methodology 157
Introduction 157
What is Business Continuity Management? 157
A Structured Management System 159
The Business Continuity Management Lifecycle 159
BCM programme management 160
Understanding the organization 161
Determining Business Continuity strategy 161
Developing and implementing a BCM response 162
BCM exercising, maintaining and reviewing BCM arrangements 162
Embedding BCM in the organization’s culture 162
Coordination and Management of the Process 162
A Practical Approach 163
Programme initiation 164
Awareness workshop 165
Business impact analysis 165
Risk assessment 167
Strategy development 168
Plan writing 168
Plan walk-through 169
BCM programme completion 169
Plan exercising 169
Plan maintenance 170
Auditing 171
Summary 171
10 Project Initiation and Control 173
Project Initiation 173
Project Costs – Start-up and Ongoing 174
Projected Rebuild Costs 175
Projected Potential Savings 175
Project Management 176
Phase One – information gathering 177
Phase Two – plan development 179
Phase Three – Business Continuity process 181
Continuing Visible Support 183
Corporate recovery teams 183
On-going support from upper management 189
Employee BCP a wareness 189
11 Risk Evaluation and Control: Practical Guidelines for Risk Assessment 191
Introduction 191
Operational Risk and BCM 192
Objective of Risk Evaluation and Control 192
Threats and Vulnerabilities 192
Assessing the Risk 193
Why Undertake Risk Analysis? 193
Risk Evaluation 194
Asset and threat identification 195
Quantification of potential losses 195
Assessment of vulnerabilities 195
Evaluation of solutions 196
Is Risk Control Worth Doing? 197
An Alternative Approach to Assessing Threats within a BCM Programme 198
To Finish … Some Ideas to Make it Work 199
12 Business Impact Assessment 201
12-1 Business Impact Analysis 202
Introduction 202
Fundamentals – When to Undertake the BIA for the First Time 203
Fundamentals – Understanding the Purpose and Goals of the BIA 204
A Walk Through a Comprehensive BIA 205
When to Review or Update the BIA 216
Conclusion 217
12-2 Business Impact Analysis: Building a Better Mousetrap 219
Another Way? 219
True Cost of Disaster 223
Societal Impact of Disaster: Social Value 231
BIA: Snapshot or Movie? 236
Conclusion 237
13 BC Strategies for Information and Communications Technology 245
13-1 Strategies for Continuity and Availability for Information and Communications Technology (ICT) 246
Introduction 246
Assessing Information Availability Needs 248
Understanding the Business Information Flow 251
Protecting Critical Information 252
Business Analysis 253
Development of Programme 263
Interactive (Managed IT Solutions) 267
External-facing Applications 268
Networking and Communications 273
Embedding the Culture 279
Other Issues 280
Further Reading 281
13-2 Business Continuity for Telecommunications 283
Introduction 283
Business Continuity Strategies 285
Conclusion 293
13-3 Planning to Recover Your Data: More Options 295
Current State of IT DR Preparedness 295
Understanding Downtime 296
Budget 297
Availability 299
On-site Data Protection and Recovery Options 301
Off-site Data Protection and Recovery Options 309
Summary 315
13-4 Business Continuity Strategies for the Business or Work Areas 316
Introduction 316
Business/Work Area Recovery 318
Types of Contingencies 320
Organization, Administration and Support Issues 324
Vital Records and Paper Documentation Issues 325
Restoration 325
Salvage Considerations 326
14 Strategies for Different Market Sectors 329
14-1 Business Continuity Strategies for the Financial Sector 330
Introducing the Financial Sector 330
The Impetus for Business Continuity: Regulators and Regulation 330
The Banking, Finance Services and Insurance Environment 334
What About the People? 339
Insurance 340
Conclusion 340
14-2 Business Continuity Strategies for Manufacturing and Logistics 342
Introduction 342
Developing Strategies 344
Conclusions 349
14-3 Business Continuity and the Supply Chain 350
Definitions and Fundamentals 350
The Supply Chain Risk Management Landscape 351
What Are the Supply Chain Risks? 352
Building the Framework for Managing Supply Chain Risks 353
Purchasing Critical Products and Services 356
Monitoring 361
Contingency Planning 361
Further Reading 362
14-4 Case Study: Implementing Business Continuity in the Upstream and Midstream Energy Sector (Petrochemicals and Refineries) 364
Background 364
Case Study Introduction 364
Business Continuity Plan Development 365
Learning Experiences 366
Recommendations for Future Implementations of PU BCPs 367
14-5 From an Island to a Continent: Business Continuity in a Telecommunication Company 368
Introduction 368
Orange Dominicana ID 369
Orange Dominicana’s BCM Programme 370
Conclusion 386
14-6 BC Strategies in the Retail Sector 388
Introduction 388
14-7 Strategies for Funding Recovery 398
Funding Strategies 398
Parallels 399
Approach to Risk 399
What Is Usually Covered? 401
The Policy 402
The Pre-loss Review 402
Thinking Wider 403
Retained Insurance – Captive or Accepted Risk? 405
Insurance has an Essential Role 405
Delivery of the Promise 406
Added Value of a Disaster Manager 407
Conclusion 408
15 Developing and Implementing the Written Plan 409
Developing the Plan: Scoping 409
Where do you start? 409
Business Continuity strategy: options 410
Outsourcing Business Continuity Planning: plan management and maintenance 414
Lateral thinking 414
Insurance 415
Options and strategy recommendations 415
Option evaluation 416
How the Plan Builds Up 416
Service contracts 418
Business Continuity organization and roles 418
The Plan 420
Authorization to invoke 420
Plan documentation 420
Plan format 421
The End – or The Beginning? 423
16 Awareness and Training 447
Introduction 447
Awareness: Benefits of Business Continuity Planning 448
Establish BC Policy 449
Establishing Objectives and Components of the Programme 450
Functional Awareness and Training Requirements for ‘The Players’ 450
Developing the Training Methodology 451
Acquiring or Developing Training Aids 451
Identifying External Training Opportunities 452
Corporate Awareness 452
Awareness through Maintenance, Review, Audit and Exercising 453
Summary 454
17 BC Plan Testing 455
17-1 BC Plan Testing 456
Introduction 456
Overview 457
Testing 460
Maintenance 475
The Future 477
Conclusion 479
17-2 Testing vs. Exercising: What’s the Difference? 480
Testing versus Exercising 480
When Should You Start Your Exercise Programme? 481
Scenario Testing: A Novel Approach 482
Surprise Testing 482
18 BCM Audit 485
Introduction 485
Audit Objective 486
Determining the Maturity Level of the Organization 488
Individual Audit Approach 490
Defining the Audit Programme 491
Audit Planning 493
Audit Deployment 495
Fieldwork 495
Analysis 498
Reporting 500
Management presentations 503
BCM Audit Areas 504
Understanding the organization 504
Determining BCM options and strategy 506
Developing and implementing a BCM response 508
Exercising, maintaining and reviewing 508
Embedding the BCM culture 511
BCM programme management 513
Annex 18.1 Overview of BCM Audit Requirements for Selected Countries 513
Appendix 1 Case Studies 517
AN INTRODUCTION TO THE CASE STUDY SECTION 518
Statistics 518
Case Studies: Introduction 519
A1 A STORM, EARTHQUAKE, EXPLOSION: A GENERAL OVERVIEW 524
Hurricanes and Storm Damage 524
Earthquakes 526
Explosion 528
Conclusion 530
A1 B LIVING NIGHTMARES 531
Generators that Don’t 531
Litigation and Near Misses 531
I Told You So … 531
Oops! 532
A Miss is as Good as a Mile 532
Solid Investment 533
A1 C WORLD TRADE CENTER EXPLOSION – FEBRUARY 26, 1993 534
Background 534
Problems 534
The Explosion 534
Outcome 535
Considerations 535
Client Reactions 536
Lessons 536
A1 D HURRICANE ANDREW, MIAMI – AUGUST 24, 1992 537
Background 537
Preparation 537
Lessons 538
Hurricane Andrew’s Toll 538
A1 E CHICAGO FLOODS – APRIL 13, 1992 540
Background 540
Impact 540
Events 540
What Went Right? 541
What Went Wrong? 541
Reflections 541
A1 F THIRTY SECONDS OF TERROR! THE CALIFORNIA EARTHQUAKE 542
Background 542
A Personal View 542
Situation Status 544
Summary 544
Key Issues Learnt 544
A1 G AFTER THE FIRE: FIRST INTERSTATE BANK, LOS ANGELES 546
Background 546
Solutions 546
A1 H ONE MERIDIAN PLAZA, PHILADELPHIA 548
Background 548
The Fire 548
The Ultimate Decision 550
The Conclusions 551
Significant Factors 551
The Lessons 552
A1 I THE MERCANTILE FIRE 553
Background 553
Major Problems 553
Actions 554
Some Advice 554
Positive Factors 555
Assistance from Vendors 556
Vendor Relationships 556
What Went Well? 557
Lessons Learnt 557
Summary 558
A1 J HOW FLOODS CAN RUIN YOUR DAY: LONDON COLLEGE OF PRINTING 559
Background 559
Lessons 560
A1 K FLOOD HIGHLIGHTS 561
A1 L A CAUTIONARY TALE 564
Lightning Can Strike Twice 564
Lessons 566
A1 M IT HAPPENED TO THEM 567
Background 567
Lessons 568
A1 N FIRE HIGHLIGHTS 570
A1 O WESSEX REGIONAL HEALTH AUTHORITY 573
Picking up the Pieces 573
The Response 574
Lessons 575
A1 P THE BISHOPSGATE BOMB – APRIL 25, 1993 576
Explosions – Do they Really Happen? 576
The Impact of the Bishopsgate Bomb 576
Some Case Studies from Bishopsgate 577
Lessons 578
Food for Thought 578
A1 Q CITY BOMB BLAST, ST MARY AXE – APRIL 10, 1992 579
Background 579
Mocatta’s Experience 579
A1 R EXPLOSION ROUNDUP 581
A1 S STOP THIEF! 584
The Growth and Impact of Computer and Component Theft 584
Precautions 585
Conclusion 586
A1 T MISCELLANEOUS HIGHLIGHTS 588
A1 U LESSONS IN RISK MANAGEMENT FROM THE AUCKLAND POWER CRISIS 590
Introduction 590
How Long Did it Take to Get Started? 590
What Strategies were Used to Continue Business? 591
Difficulties Encountered 592
How Bad Was the Crisis? 594
Financial Impacts 595
Operational Impacts 595
Intangible Impacts 595
Status of Business Continuity Plans 596
The Pitfalls of Generators 598
Risk Management and Business Continuity Planning 598
A1 V FOOT AND MOUTH: A PREVENTABLE DISASTER 601
The Beginning: A Disease Concealed 601
FMD Takes a Grip 601
The Disease 603
Impact 603
Lessons Not Learnt 607
The Lessons 608
A1 W THE MADRID RAIL BOMBINGS – MARCH 11, 2004 610
Background 610
Lessons 611
A1 X ISTANBUL BOMBINGS – NOVEMBER 2003 612
Background 612
Impact 612
A1 Y LONDON BOMBINGS – JULY 7, 2005 (7/7) 613
Background 613
Impact 613
Lessons 614
A1 Z BUNCEFIELD (UK) OIL TERMINAL DISASTER – DECEMBER 11, 2005 616
Background 616
General Impact 616
Impact on Businesses 616
Summary 619
Emergency Response 619
The Cost 620
Lessons 620
And Finally … 621
A1 AA INTELLECTUAL PROPERTY THEFT ANDBUSINESS CONTINUITY 622
How to Deal with the Traitors 624
What to Do with the ‘Mole’ 625
How to Manage the Crisis so as to Limit the Damage 626
How to Keep the Matter Quiet 626
A1 AB EUROCLEAR BANK USES BCM FRAMEWORK TO MANAGE THE IMPACT OF THE COLLAPSE OF LEHMAN BROTHERS 628
The BCI Partnership 628
Executive Summary 628
The Euroclear Group 628
The Extension of the Business Continuity Management Framework 629
The Exercise 630
The Real Crisis 630
Key Lessons from the Crisis 630
The BCI View 631
A1 AC THE TOYOTA RECALLS, 2009–2010 633
Toyota: The Company 633
Direct Impact on Toyota 635
Total Impact on Toyota 641
Knock-On Costs 641
Lessons 645
Slogans and Irony 645
After the Storm 645
A1 AD THE ICELANDIC VOLCANIC ASH PLUME – APRIL 2010 647
Background 647
The Eruption – Impact 647
Passenger Compensation 650
The Winners 650
The Losers 651
Is it All Over? 652
A1 AE THE 2010 BP OIL SPILL – GULF OF MEXICO 655
Chronology of Events 655
The Cost 659
By End June, 2010 660
July 2010: Where Next? 661
July 2010: Clean-up Options 661
July 12, 2010: The Breakthrough 662
What BP Got Right 662
What Minerals Management Service and BP Got Wrong – What We Can Learn 662
Oh, Well … 664
Appendix 2 Guidance Notes 667
A2 A PANDEMIC PLANNING 668
Background and Considerations 668
Specific Issues to be Addressed 669
A2 B SELECTING THE TOOLS TO SUPPORT THE PROCESS 677
Introduction 677
What are BCM Tools? 678
A Brief History 679
Business Continuity Planning Development Software 681
Business Impact Analysis Tools 684
Automated Callout and Notification 686
Incident Management and Simulation Testing Tools 687
Conclusion 689
A2 C THE ROLE OF INSURANCE 691
Is it Safe to Rely on Insurance? 691
Beware the Small Print 691
Self-insurance 693
Insured Value 693
Uninsured Losses 694
It’s Not All Bad News 696
Lessons 696
A2 D FIVE NINES: CHASING THE CHIMERA? 697
A2 E CONSULTANCY WITHOUT TEARS 704
Annex A2 E.1 Pre-Engagement Questionnaire 707
A2 F COPING WITH PEOPLE IN RECOVERY 710
Objectives 710
Qualification 710
The Catalysts 711
Proximity to an Incident Influences Reaction 711
How do People Deal with Difficult Events that Change their Lives? 712
Psychological Reactions to an Incident 715
Why Does Management Need to Respond to the Human Side of Traumatic Incidents? 717
What’s the Benefit to My Company? 717
Do you Honestly Think a Critical Incident is Likely to Happen to My Business? 717
Why Should I Invest Money in This? 718
If Such an Event did Happen, Wouldn’t Our HR Department be Able to Handle It? 718
What if I Already Have a Business Continuity Planin Place? 718
If I Have an Employee Assistance Programme (EAP), Surely This Will Help? 719
Is a Trauma Care Programme Different to Counselling? 719
How to Respond? 719
Policy 720
Widespread Incidents 721
The Significance of Personal Territory 721
Soft and Hard Incidents 722
Post Traumatic Stress Disorder (PTSD) 722
Pastoral Issues 723
Leadership 724
Coping Without People 726
Research Results 727
Conclusion 727
A2 G BENCHMARKING AND BUSINESS CONTINUITY: EXPLORING AND USING BENCHMARKING TO ASSESS AND DEVELOP YOUR BUSINESS CONTINUITY MANAGEMENT PROGRAMME 728
Introduction 728
Best Practice Benchmarking 730
Summary 738
A2 H CHANGING ATTITUDES TO BUSINESS CONTINUITY IN PRIVATE AND PUBLIC SECTORS 740
Introduction 740
The Origins and Evolution of Business Continuity Management 741
Guidelines, Principles, Practices and Standards 744
People, Perceptions and Attitudes 746
Appendix 3 Professional Associations, Certification Standards and Resources for BCM Practitioners 751
Professional Associations 752
Emergency Preparedness, Business Continuity and Disaster Recovery Information Exchange Associations 767
Resources 767
Organizations 768
Appendix 4 International Perspectives 771
A4 A INTERNATIONAL STANDARDS AND LEGISLATION IN BUSINESS CONTINUITY 772
Introduction 772
Value of Standards 772
Business Continuity Standards 772
How IT Managers can Effectively Utilize BC Standards 773
Business Continuity Legislation 774
Making Standards Relevant to Your Organization 775
A4 B BUSINESS CONTINUITY MANAGEMENT: INTERNATIONAL PERSPECTIVES IN 2010 782
Introduction 782
The Different Drivers for BCM 783
What has Changed since 2000? 785
BCM in a Global Context 785
Cultural BCM Differences 786
A4 C BUSINESS CONTINUITY PLANNING IN THE MIDDLE EAST AND THE INDIAN SUBCONTINENT 789
Objectives 789
Middle East 789
India 792
India BCM Survey – by the BCM Institute 798
Sri Lanka 800
Pakistan 800
Bangladesh 800
A4 D BUSINESS CONTINUITY MANAGEMENT IN AFRICA 801
Background to Business Continuity Management in Africa 801
Future Growth of Business Continuity Management in Africa 802
Constraints in Africa 804
A4 E BUSINESS CONTINUITY IN CHINA 807
Glossary of General Business Continuity Terms 809
Index 813
EULA 835