Business Continuity Management for Libraries
By Dr. บรรจง หะรังษี
BCM Topics
• BCM programme management
• Understanding the organization
• Determining business continuity strategy
• Developing and implementing a BCM response
• BCM exercising, maintaining and reviewing BCM arrangements
• Embedding BCM in the organization’s culture
• Workshops:
  - Estimate resource requirements for Library Loan Service
  - Determine business continuity strategy for Library Loan Service
Business Continuity
• Business continuity is the strategic and tactical (translating strategy into practice) capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
Business Continuity Management
• Business Continuity Management (BCM) is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
BCM Process in BCI
[Figure: BCM process diagram, elements numbered 1 to 6]
Activity = process/a set of processes to produce/support one or more product/service
BCM programme management
• Programme management enables the business continuity capability to be both established and maintained in a manner appropriate to the size and complexity of the organization.
Understanding the organization
• The activities associated with "Understanding the organization" provide information that
  - enables prioritization of an organization’s products and services and the urgency to deliver them.
(This sets the requirements for selection of appropriate BCM/BC strategies.)
Determining business continuity strategy
• Determining business continuity strategy enables a range of strategies to be evaluated.
• This allows an appropriate response to be chosen for each product or service, such that the organization can continue to deliver those products and services:
  - at an acceptable level of operation; and
  - within an acceptable timeframe
  during and following a disruption.
• The choice made will take account of the resilience and countermeasure options already present within the organization.
Developing and implementing a BCM response
• Developing and implementing a BCM response results in the creation of a management framework and a structure of incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
BCM exercising, maintaining and reviewing BCM arrangements
• BCM exercising, maintenance, review and audit leads to the organization being able to:
  - demonstrate the extent to which its strategies and plans are complete, current and accurate; and
  - identify opportunities for improvement
Embedding BCM in the organization’s culture
• Embedding BCM in the organization’s culture enables BCM to become part of the organization’s core values and instils confidence in all stakeholders in the ability of the organization to cope with disruptions.
1 BCM programme management
BCM programme management
• The BCM programme (management) of an organisation provides the framework around which the BCM capability is designed and built.
Benefits of a BCM Programme (Management)
The organization:
• is able to proactively identify the impacts of an operational disruption;
• has in place an effective response to disruptions which minimizes the impact on the organization;
• maintains an ability to manage uninsurable risks;
• encourages cross-team working;
• is able to demonstrate a credible response through a process of exercising;
• could enhance its reputation; and
• might gain a competitive advantage, conferred by the demonstrated ability to maintain delivery.
1 BCM programme management
1a. THE BUSINESS CONTINUITY MANAGEMENT POLICY
• 1a.1 REFLECTING ORGANISATIONAL CONTEXT
• 1a.2 BCM POLICY CONTENTS
• 1a.3 BCM PROGRAMME SCOPE & DETERMINING CHOICES
• 1a.4 OUTSOURCED ACTIVITIES
1b. PROGRAMME MANAGEMENT
• 1b.1 ASSIGNING RESPONSIBILITIES
• 1b.2 IMPLEMENTING BCM IN THE ORGANISATION
• 1b.3 PROJECT MANAGEMENT
• 1b.4 ONGOING BC MANAGEMENT
• 1b.5 DOCUMENTATION
• 1b.6 INCIDENT READINESS & RESPONSE
REFLECTING ORGANISATIONAL CONTEXT
• This is to understand the direction and focus of the business before embarking on other stages (business impact analysis or risk assessment)
• Need to study and understand the business plan for growth/downsize, restructure, etc., in the short, medium or long term.
  - This type of information may not be visible to the person charged with business continuity activity.
• Knowledge of business plans will also be required.
• Need to set the geographic scale for the clear choice of continuity strategies.
Organisational Strategy
• Aspects of the organisation’s strategy likely to affect the BCM Programme are:
  - Expansion (or contraction) strategy
  - Development of new products or services
  - Key business change or restructuring
  - Relocation or location consolidation
Regulatory Requirements
e.g.,
• Regulatory/Statutory requirements
• Health and safety regulations
Scale
• Decide on the maximum geographic extent that the organisation wants to, or needs to, plan to survive. This could be determined by:
  - Geographical extent (or market/customer area)
  - Products, market sectors or specific customer requirements
BCM POLICY CONTENTS
• The BCM Policy is the key document which sets out the scope and governance of the BCM programme.
BCM PROGRAMME SCOPE & DETERMINING CHOICES
From the Business Strategy studied and understood,
• Set the scope to ensure clarity of what areas of the organisation are included within the BCM programme.
  - The scope can be defined by identifying which products and services fall within it.
• Conduct a Business Impact Analysis to ascertain the effects of a loss of product and services.
• Consider the strategy options for each product and service.
• Provide executive management with the evaluation report to choose the options, which they can determine.
• Ensure the agreed option is ‘signed-off’ by the executive management including the financial and resource provisions.
Activity = process/a set of processes to produce/support one or more product/service
What Areas to Include/Exclude
• Decisions on which products, services or locations to include within the scope may be determined by one or more of the following factors:
  - A customer requirement
  - A regulatory/statutory requirement
  - Perceived high-risk location due to proximity to other industrial premises or physical threats such as flooding
  - Product being an overwhelming proportion of organisational income
• Reasons why product, service or location may be excluded from the scope:
  - Product/service nearing end of life (would be terminated if supply interrupted)
  - Product/service with low margins (termination or outsourced)
  - A perceived low-risk location
‘Do nothing’ Strategy
• A ‘do nothing’ strategy may be acceptable for the least urgent activities identified in the BIA result.
  - Where the organisation has identified that an activity has a RTO greater than a few months, this gives enough time for buildings to be found and utilities to be installed post-incident with minimal planning and preparation.
• Another case for ‘do nothing’ is that
  - if the cost of BCM is judged to be too high or
  - the risk is deemed low (because disruption is felt to be unlikely or would have a low impact), then
  accept the risk.
Strategy Options
‘Do nothing’ Strategy
Premises
Business Continuity
• If Business Continuity is the chosen strategy then it requires that suitable measures (BCM arrangements) are put in place to ensure that the various activities supporting their delivery can be continued or recovered within the required timescales.
Acceptance
• If the cost of BCM is judged to be too high or the risk is deemed low (because disruption is felt to be unlikely or would have a low impact) then the risk can be ‘accepted’.
• In this event the organisation may choose to do nothing about it or put in place measures to deal with it if the risk occurs. Such measures may include:
  - An Incident Management capability
  - Measures to protect against specific high-probability threats such as fire
Transfer
• A risk may be transferable to a third party who may be more able to manage it. Such measures include:
• Outsourcing. More and more organisations are outsourcing business critical processes and activities to create virtual organisations. It is important to remember that the risk to the organisation’s reputation and brand image cannot be shifted to outsourced providers; the risk and responsibility always remain with the business.
Transfer
• Off-shoring, using in-house resource or outsource providers away from the centre of the business (usually in a far country), may introduce other concerns to be considered, such as security, political and environmental risks, etc.
• Insurance - transferring some of the financial costs of an incident (e.g. fire, bomb attack) to an insurance company.
• However in a major incident this can only provide money to support business resumption to a small degree and is not sufficient as a solution on its own.
Change, suspend or terminate
• Change, suspend or terminate the product/service if possible.
OUTSOURCED ACTIVITIES
• If part or all of a product or service delivery is outsourced, the ultimate responsibility for its continuity remains with the organisation and cannot be transferred to the outsourcing company.
• Customers will expect the organisation to have made an informed choice about their partners and taken appropriate measures to assure delivery.
• The purpose is to ensure that the organisation’s delivery of products and services is not disrupted by a failure of a third party supplier of goods or services which are provided either to the organisation or direct to the customer on the organisation’s behalf.
Important Issues in Outsourcing
• Have a specification for BCM requirements in contract terms
• Have an agreement on realistic Service Levels for use during incidents
• Involve outsourcing companies in BCM training, awareness and exercising
• Have documentation for results of exercises
PROGRAMME MANAGEMENT
• Key steps in BCM Programme Management are:
  - Assigning responsibilities
  - Implementing BCM in the organisation
  - Project Management
  - Ongoing management
  - BCM documentation
  - Incident readiness and response
ASSIGNING RESPONSIBILITIES
• The key to a successful BCM programme is the early identification of clearly defined roles, responsibilities and authorities to manage the BCM programme and process throughout the organisation.
• The purpose of assigning roles and responsibilities is to ensure that the tasks required to implement and maintain the programme are allocated to specific and competent individuals whose performance can be monitored.
ASSIGNING RESPONSIBILITIES
• A member of the Executive should be given overall accountability for the organisation’s BCM capability and its effectiveness.
• This ensures that a BCM programme is given the correct level of importance within the organisation and a greater chance of effective implementation.
• An individual should be appointed to manage the BCM programme. This person may be known as the BC Manager.
BCM Programme Board and Team
• BCM Programme Board (BCM Committee) – a management group to give advice, guidance and management oversight
• Incident Management Team – a team comprising representatives of all teams involved in incident response to coordinate, manage and resolve incidents (hopefully until closure)
• BCM Team (BCM operational team) – a series of business and service recovery teams representing critical business processes and their supporting services, e.g., IT services
IMPLEMENTING BCM IN THE ORGANISATION
• The purpose of this step is to ensure that a sustainable BCM programme is implemented in the organisation.
• The documented and repeatable process for BCM should be created and adopted throughout the organization.
PROJECT MANAGEMENT
• Project management disciplines should be adopted and used, such as GRACE, PMBoK, ….
• This is to help manage projects to implement the BCM programme, mainly to complete projects within the required time, cost and efforts.
• Typical project stages in a BCM programme include:
  - Awareness raising
  - Defining programme scope (Write Policy)
  - Business impact analysis
  - Risk Analysis
  - Continuity option selection
  - Developing and implementing the BC plan
  - Developing and managing a desktop exercise to test the BC plan
ONGOING BC MANAGEMENT
• The Executive of the organisation should:
  - Appoint a person or team to manage the BCM programme
  - Define the scope of the BCM programme
  - Approve the continuity budget
  - Monitor the performance of the BCM programme
ONGOING BC MANAGEMENT
• The appointed BCM team should (in consultation with the Executive):
  - Develop and approve a BCM process and programme.
  - Undertake or manage the BCM activities
  - Promote BCM across the organisation and externally where appropriate
  - Manage the continuity budget
  - Maintain the BCM documentation
  - Report on the current state of readiness to the Executive on a regular basis highlighting where there are gaps to be corrected
  - Train BCM members
DOCUMENTATION
• A set of BCM documentation includes:
  - BCM Policy including scope and principles
  - BCM roles, responsibilities and resources
  - Training and competency records for BCM personnel
  - Business Impact Analysis
  - Risk analysis
  - BCM Strategies including papers supporting the choice of the strategies adopted
  - Incident Response structure
  - Incident Management Plans
  - Business Continuity Plans
DOCUMENTATION
  - Departmental Business Resumption Plans
  - Exercise Schedule and reports
  - Awareness and training programme
  - Service Level Agreements with customers and suppliers
  - Contracts for third party recovery services such as workspace and salvage
  - Maintenance and review (audit) programme, reports and corrective actions
INCIDENT READINESS & RESPONSE
A process/plan to handle incidents until returning to a normal situation needs to be defined, for example:
• Receive notification of an incident.
• Assess situation then:
  - either manage response through appropriate prepared plans
  - or escalate to Incident management team
• Contain - Is there anything that can be done immediately to stop the problem getting worse?
• Look at the Incident Management Plan - is there a pre-planned response that fits this incident?
• Follow the documented response procedure
INCIDENT READINESS & RESPONSE
• Predict the likely outcome and adapt the BC Plan to provide a response strategy
• Implement the response strategy
• Evaluate the progress of the response
• If the situation is OK, stand down the response
• Review the effectiveness of the response
Example: Incident Response/Management Plan
Example: BC Plan (when using Strategy Option 1)
Example: BC Plan (when using Strategy Option 2/3/4)
• Workshops:
  - Estimate resource requirements for Library Loan Service
  - Determine business continuity strategy for Library Loan Service