This document provides an overview and summary of the Business Continuity Institute (BCI), its Good Practice Guidelines, and its Horizon Scan report. It describes the BCI as a global organization for business continuity professionals with over 8,000 members. It outlines the BCI's Good Practice Guidelines, which set out good practice for business continuity, and summarizes the Horizon Scan report, which identifies the top threats to organizations and the trends in business continuity reported by survey respondents. It discusses how threats such as cyber attacks, data breaches and terrorism affect business continuity professionals and their role in organizational resilience and risk mitigation.
BCI Guidelines & Horizon Scan 2016
1. The BCI, Good Practice Guidelines, and Horizon Scan
BCI US Chapter
Christopher Rivera, MBCI
2. Agenda
• Business Continuity Institute background
• Overview of BCI’s Good Practice Guidelines
• Overview of Horizon Scan
11/28/2016 www.thebci.org 2
4. What is the BCI?
• Founded in 1994, a member-owned, not-for-profit professional association of business continuity professionals
• A global membership and certifying organization for business continuity professionals
• Over 8,000 members in more than 120 countries working in an estimated 3,000 organizations in the public and private sectors
• We stand for excellence in the business continuity profession
• Our certified grades provide unequivocal assurance of technical and professional competency
5. Who can be a member of the BCI?
• Professionals seeking international recognition of their professional and technical competency in the BC discipline
• Individuals currently working in BC related functions who are seeking to improve their knowledge and understanding of the BC discipline
• Individuals who are looking to benefit from being part of a global network of like-minded professionals to share good practice in BC and related disciplines
• Newcomers to the discipline who are considering a career in BC or a related profession
6. BCI Chapters – A global membership

Chapters: Asia, Australasia, Belgium / Netherlands, Canada, Japan, Nordic, SADC, Swiss, USA

Membership by Region:
• Africa (5%)
• Central America & West Indies (1%)
• North America (15%)
• Asia (9%)
• Europe (12%)
• South America (5%)
• Australia (7%)
• Middle East (4%)
• United Kingdom (42%)
9. The BCI Good Practice Guidelines – A Guide to Global Good Practice in Business Continuity
• The most comprehensive and independent view of current thinking in Business Continuity
• Provides the what, why, how and when of good BC practice
• Written by BC professionals for BC professionals
• Used in training and examining individuals and organizations (our body of knowledge)
• Aligned to ISO 22301
• Reference material for academic institutions
10. How can I get a copy of the GPG?
• BCI members can download a free PDF version from the Members’ Area of the BCI website
• Non-members can purchase a PDF version from the BCI website at https://shop.thebci.org/shop/shop.php?sid=144
12. The BCI’s Definition of Business Continuity
The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Source: ISO 22301:2012
13. GPG Alignment to ISO 22301
• Responsibilities of top management
• Setting strategic objectives
• Resources for business continuity
• The importance of the BIA and a stronger link to the organization’s approach to risks and threats
• Resource requirements, skills and competence of people involved
• Training, awareness and communications
• Document management
• Exercising and testing
• Monitoring performance and measuring the value of business continuity
14. PP1 – Policy and Program Management
Defines an organization’s policy relating to BC, and how it will be implemented, controlled and validated through a BCM program
• Setting BC policy and determining the scope of the BCM program
• Defining governance and assigning roles and responsibilities
• Implementing a BCM program, managing documentation using program and project management techniques
• Managing outsourced activities and supply chain continuity
15. PP1 – Policy and Program Management
The BCM program operates at three levels
• Strategic – decisions are made and policy is determined
• Tactical – operations are coordinated and managed
• Operational – activities are undertaken
16. PP2 – Embedding Business Continuity
The Management Professional Practice that continually seeks to integrate BC into day-to-day business activities and organizational culture
• Organizational culture
• Skills and competence
• Managing a training program
• Managing an awareness campaign
17. PP3 – Analysis
Reviews and assesses an organization in terms of what its objectives are, how it functions and the constraints of the environment in which it operates
• Business Impact Analysis (BIA)
• Threat analysis (includes risk assessment)
18. PP4 – Design
Identifies and selects appropriate strategies and tactics
• Continuity and recovery strategies and tactics
• Threat (risk) mitigation measures
• Incident response structure
19. PP5 – Implementation
Executes the agreed-upon strategies and tactics through the process of developing plan documentation
• Business continuity plans
• Developing and managing plans at a strategic, tactical and operational level
20. PP6 – Validation
Confirms the BCM program meets the objectives set in the BC policy and that plans are fit for purpose
• Developing an exercise program
• Developing and running exercises
• Maintenance of the BCM program
• Review of the BCM program
21. How does the GPG work in the real world?

Problem: Management engagement
Description: “My steering committee isn’t coming to meetings anymore or they’ve delegated their role.”
Solution (GPG): PP1 – Policy and Program Management

Problem: Participation
Description: “The VP from Department X assigned his administrative assistant as his group’s planner.”
Solution (GPG): PP2 – Embedding Business Continuity

Problem: Focus
Description: “We have 1000 plans in our software tool… but we’re not sure we’re recovering what truly matters.”
Solution (GPG): PP3 – Analysis

Problem: Proactive vs Reactive (and scope)
Description: “We seemed to be laser focused on reacting to events. Shouldn’t we be equally focused on preventing disruption in the first place? Also, when it comes to being reactive, is it strange we seem to be predominantly focused on IT?”
Solution (GPG): PP4 – Design

Problem: Templates vs plans
Description: “No one seems to use the plans we’ve documented. And why would they all read the same, almost as if they’re templates!”
Solution (GPG): PP5 – Implementation

Problem: Measurement
Description: “We have 1000 plans, all updated in the last 12 months… but we’re not sure if we’re actually ready for a disaster.”
Solution (GPG): PP6 – Validation
23. BCI Horizon Scan
• The goal of the BCI has been to promote a more resilient world
• When the Institute celebrated its 20th anniversary in 2014, the focus was not on our past achievements but on our vision of the future
• From that vision emerged the BCI 20/20 Think Tank, a worldwide group of thought leaders with a passion to drive the profession forward
24. BCI 20/20 – two focal points
Advisory
• Help in shaping the profession
• Developing career opportunities for those who have chosen to pursue this
field
Advocacy
• Raise the profile and value of business continuity and resilience
• Build the value of resilience into organizational strategies
• As professionals learn more and more about the threats and translate
those threats into business risks – which includes how to work with senior
executives to manage these risks – the real and perceived value of our
efforts will only increase
25. Issues concerning the BCI in 2016
Excerpt from BCI Horizon Scan Report 2016
26. Business risks mirror BC concerns
A 2016 study of threats and business risks by insurer Allianz confirms that management’s view of business risk is in line with the evolving threats that we, as business continuity professionals, are facing, which is good news for executive sponsorship.
Excerpt from Allianz Risk Barometer Top Business Risks 2016
27. Introduction to Horizon Scanning
As a key protective discipline, business continuity ensures organizational resilience by building an effective response to disruptive events.

Horizon scanning is a useful tool that can provide an objective perspective on threats and uncertainties that may lead to business disruption.

These conclusions inform, or even confirm, strategies undertaken by organizations to prepare for disruption.
28. Horizon Scan Report 2016 headlines
• Cyber attacks (85%), data breach (80%) and unplanned IT outages (77%) remain the top three threats facing organizations, with data breaches moving into second place in 2016
• The use of the Internet for malicious attacks (83%), the growing influence of social media (63%) and the loss of a key employee (56%) are the top three trends
• Investment levels for BC are up for more organizations (23%, from 18%), with more businesses using ISO 22301 as a framework for BCM implementation (52%, from 44%)
29. Top 10 threats worldwide
Excerpt from BCI Horizon Scan Report 2016
30. Investment trends in business continuity
Excerpt from BCI Horizon Scan Report 2016
31. Top 10 based on level of concern
Excerpt from BCI Horizon Scan Report 2016
32. Top 5 trends and uncertainties
Excerpt from BCI Horizon Scan Report 2016
33. Tracking threats – #1 Cyber Threats
Ranked 1st were cyber attacks in both 2016 and 2015; they were ranked third in 2013 and second in 2014 (not surprising given all the incidents we hear about almost daily).

Most DRJ attendees agreed this was and is a major concern and acknowledged the close association with data breach, terrorism and security, increasing the relevance of this threat.

How does this affect us as BC Professionals?
• Recognition that this threat has IT availability and even business continuity implications
• Leverage crisis management and crisis communications processes in response
34. Tracking threats – #2 Data Breaches
Ranked 2nd were data breaches, which ranked third in 2015.

DRJ discussion surrounded the fact that data breaches come in many forms, both cyber / Internet related as well as the old-fashioned stealing of reports and copying of files to a flash drive.

Data breach related exercises are a key focus of attendees, as is differentiating IT related response plans from incorporating breach response into crisis management plans.

How does this affect us as BC Professionals?
• Leverage crisis management and crisis communications processes in response
• Facilitate adoption of strategies related to data privacy and protection
35. Tracking threats – #3 Unplanned IT outages
Ranked 3rd were unplanned IT outages, which ranked second in 2015.

Still a top 10 issue and an area of key focus in most IT DR and BC programs.

While most respondents see emerging threats such as cyber attacks and data breaches as more impactful, IT outages are still a major focus.

Discussion among the DRJ attendees focused on the changing face of IT, as software as a service, cloud computing and outsourced IT change the landscape and require differing strategies, often outside of the organization’s direct control.

How does this affect us as BC Professionals?
• The evolution of IT services to external providers moves control outside our direct ability to manage
• Coordination of recoveries becomes more challenging across providers
36. Tracking threats – #4 Terrorism
Moving from 10th in 2015 to 4th in 2016, terrorism has re-emerged as a concern for resilience and continuity professionals.

This increase may be attributed to the recent terrorist attacks which occurred during the survey period.

Most participants acknowledged the threat, and felt it was driving attention to incident response and crisis management plans, plus a focus on tracking.

How does this affect us as BC Professionals?
• Indirectly, recent events are creating protectionist measures impacting global operations and trade (Brexit)
• The local or regional nature of events creates access and credentialing issues
37. Tracking threats – #5 Security Incident
Ranked 5th in the 2016 scan, up from 6th in 2015.

Adding to the puzzle we mentioned earlier, along with cyber attacks and data breaches, security is clearly an area of concern for organizations.

Part of the senior level discussions at DRJ had to do with organizational issues and the placement of security vs continuity and recovery in organizations.

How does this affect us as BC Professionals?
• Security events impact travel and facility availability
• No issue with placing BC in Security as long as there is recognition that BC is more than response; business-aligned strategies are still necessary
38. The changing risk landscape
During a discussion at DRJ Spring in Orlando, the review of the Horizon Scan report drove numerous discussions regarding how different threats or scenarios could lead to a disruption, including:
• Treat the business risk rather than focus on the case… but there are exceptions
• The business environment can lead to business risk, not just traditional threats such as natural and man-made disasters
39. Risk mitigation ownership
The Horizon Scan session at DRJ also led to discussion regarding owning versus contributing to risk mitigation.
– For example, does/should the BC professional “own” data breach-related mitigation?
– Alternatively, is there a role the BC professional can/should play when it comes to data breach mitigation – and response?

Specific to many of the threats highlighted in the Horizon Scan report, and based on the contributions made by the DRJ Spring senior professionals, “ownership” is often based on the threat or risk.
– But beyond ownership, the BC professional can also serve as a cross-functional facilitator, with the objective of bringing diverse skill sets together to mitigate risk to a level consistent with the organization’s risk appetite

The discussion regarding ownership also led to a discussion on competencies, and what the BC professional needs to know to get involved in broader resiliency initiatives.
– Rather than being an expert in all risk disciplines, the BC professional needs a familiarity with different types of risks and where to go to seek assistance.
– More broadly, to be successful in managing or contributing to risk management, the BC professional needs a broad understanding of the business (products/services, customers, processes and resources), as well as skills specific to communications (oral/written), sales, and facilitation.
40. BCI’s statement on resilience
Resilience – adaptive capacity of an organization in a complex and changing environment (ISO 22316)
• Business continuity is not the same as organizational resilience.
• The effective enhancement of organizational resilience will require a collaborative effort between many management disciplines.
• No single management discipline can credibly claim ‘ownership’ of organizational resilience, and organizational resilience cannot be described as a subset of another management discipline or standard.
• Business continuity principles and practices are an essential contribution for an organization seeking to develop and enhance effective resilience capabilities.
• The wide range of activities required to develop and enhance organizational resilience capabilities provides an opportunity for business continuity practitioners to broaden their skills and knowledge, building on the foundation of their business continuity experience and credentials.
41. The role of the BC Professional?
In the context of an ever-increasing focus on resilience and the engagement of multiple disciplines, what’s the business continuity professional’s role?
Owner / Facilitator / Participant – it depends on the risk or threat
44. A proposed job description – Responsibilities
• Increases the organization’s preparedness for disruptive incidents by implementing capabilities to enable the continuation of product and service delivery at acceptable predefined levels
• Collaborates with other disciplines to create a more resilient organization, taking ownership of assigned risks and participating as a team member in mitigating other risks
45. A proposed job description – Duties
• Engages management to establish appropriate business continuity requirements
• Enables the selection of effective capabilities to respond to and recover from disruptive incidents
• Leads the evaluation of response and recovery capabilities, as well as the development of the competencies necessary to plan and respond effectively
• Implements the processes necessary to drive continual improvement and manage the effects of organizational change
46. A proposed job description – Skills and enablers
Roles: Business Continuity Analyst, Business Continuity Leader, Resilience Professional

Skills
• Oral and written communications
• Inquiry
• Project management
• Sales (including relationship building)
• Strategic and tactical thinking
• Management (in general)
• Facilitation techniques

Enablers
• Knowledge of the organization and its resources
• Knowledge of the organization’s products and services and customer usage
• Knowledge of other management and risk disciplines
47. Summary
• Threats are real and expanding, leading to increased business risk
• These changes are leading to changes in our profession: Business Continuity Analyst, Business Continuity Leader, Resilience Professional
• Our success will be based on our knowledge of the organization and its business environment, including customers and their expectations
48. Join or connect with us today
@BCI_US_Chapter
BCI USA – The Business Continuity Institute US Chapter
www.thebci.org
membership@thebci.org