Business Continuity Management - Chartered Institute of ...

1 MANAGEMENTSTRATEGYMEASUREMENTB usiness ContinuityManagementByEric KrellPublished by: Management ACCOUNTING GUIDELINENOTICE TO READERSThe material contained in the Management Accounting Guideline Business Continuity Managementis designed to provideillustrative information with respect to the subject matter covered. It does not establish standards or preferred material has not been considered or acted upon by any senior technical committees or the board of directors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinion or position of either the AICPA or the Society of Management Accountants of ContinuityManagementByEric KrellMANAGEMENT ACCOUNTING GUIDELINEP ublished by The Society of Management Accountants of Canadaand The American Institute of Certified Public AccountantsCopyright 2006 by the Society of Management Accountants of Canada (CMA-Canada).All rights by arrangement with information about the procedure for requesting permission to make copies of any part of this work, please Permissions Request Form for e-mailing requests and information on fees are available there by clicking on thecopyright notice at the foot of the AICPA 2 3 4 5 6 7 8 9 0 PP 0 9 8 7 6 ISBN 0-87051-622-1 INTRODUCTIONTen months elapsed between theconception of this Management Accounting Guideline(MAG) and itscompletion.

2 During that time, the crucialimportance of Business continuitymanagement (BCM) capabilities has beendriven home, repeatedly and painfully, ona global scaleThe terrorist attacks of Sept. 11, 2001,served as a gruesome wakeup call toNorth American corporate managersresponsible for preparing theirorganizations to respond to 2004 Indian Ocean tsunami,the July 7, 2005, terrorist attacks on London s subway system and HurricaneKatrina s and Hurricane Rita s disastrouseffects on large swaths of the GulfCoast in August and September 2005offer proof that both public and privateBCM capabilities have a long way to frequency of man-made and naturaldisasters has increased in recent nature of disasters has also changed:who could have imagined five years agothat civilian passenger airplanes would beused as a weapon of war? Moreimportant, the impacts of disasters oncompanies have greatly increased andintensified thanks to technologicalBUSINESS CONTINUITYMANAGEMENTCONTENTS EXECUTIVE SUMMARYIn the 21st Century, organizations that fail to define and implement effectiveresponses to disasters will be defined by their ineffective responses to leading companies, an IT-centricapproach to disaster recovery is giving way to Business Continuity Management (BCM).

3 BCM capabilities enableorganizations to restore their businessesto normal operations following businessinterruptions, which range from a simplepower outage to a Category 4 finance and accounting managers along with the senior-level executives,functional and operational managers andcorporate directors who read thisguideline will learn how to define BCM and its essentials and processes; identifythe BCM-related roles of corporatemanagers and directors; work through aBCM framework for developing andmaintaining effective Business continuitymanagement processes; and see examplesof leading BCM capabilities in 5 DEFINITION AND SCOPE OF Business Continuity Management (BCM) 6 DRIVERS OF Business Continuity MANAGEMENT8 ROLES AND RESPONSIBILITIES 11 DEVELOPING EFFECTIVE BCM CAPABILITIES13 ADDITIONAL INSIGHTS TO HELP READERS TAILOR BCM TO THEIR ORGANIZATIONS16 SOFTWARE APPLICATIONS CAN HELP SUPPORT BCM PROCESSES21 BCM IN ACTION: EXAMPLES OF GOOD PRACTICES21 CONCLUSION23 BIBLIOGRAPHY25 SUGGESTED READING26 APPENDIX 1: BCM-RELATED REGULATIONS AND GUIDELINES27 APPENDIX 2: IT - HIGHLY DETAILED DATA CLASSIFICATION29 APPENDIX 3: BCM SOFTWARE USAGE SURVEY29 APPENDIX 4: RESPONDING TO A BLACKOUT30 PageSTRATEGY56 MANAGEMENTSTRATEGYMEASUREMENT advances, progressing globalization and theextension of the supply chain.

4 Companies of allsizes are connected to their suppliers andcustomers to a much greater degree today thanever a disaster occurs, its effectsquickly ripple up and down the supply a result, Management teams and corporateboards face much more pressure to make theirorganizations more resilient when disasters,ranging from simple power outages to Category 4hurricanes to synchronized suicide bombings, date, however, the corporate BCMcapabilities necessary to establish that resiliencygenerally have ranged from absent to deficiency has a high cost: a University ofMinnesota study finds that 93 percent ofcompanies that lose critical systems for morethan 10 days quickly file for bankruptcy; anotherstudy finds that 90 percent of organizations thatexperience a catastrophic loss of data andequipment without a Business Continuity plan inplace go out of Business within 24 months of theloss (Kahan, 2005).The 9/11 Commission s exhaustive investigativeresearch concludes that the Sept.

5 11, 2001,terrorist attacks revealed failures in imagination,policy, capabilities and purposeof this guideline is to help organizations addressand prevent those failures while providing financeand accounting managers with a foundation onwhich to further develop their BCM thinking,strategy and purpose of this Management AccountingGuideline is not to fear monger (a tactic practicedby some BCM service providers that should berecognized and disregarded), but to help financeand accounting professionals enable theirorganizations to make the most effective andcost-efficient investment in the BCM capabilitiesthat best meet the needs of the specific objectivesof this guideline are asfollows: To define Business Continuity Management as acorporate capability and to identify its essentialcomponents and processes; To identify the drivers that make BCM a vitalcorporate and Management competency in the21st Century; To establish and define the roles andresponsibilities that corporate managers andboards fulfill in developing effective BCM practices; To present a step-by-step framework fordeveloping and maintaining effective businesscontinuity Management processes; To provide an overview of the softwareapplications available to support BCM planningand execution processes; To present examples of sound businesscontinuity Management capabilities in thetarget audienceof the guideline is finance and accounting managers, all senior-level executives, functional and operationalmanagers and corporate directors will benefitfrom its AND SCOPE OF Business Continuity Management (BCM) Establishing and maintaining Business continuitymanagement processes begins with three steps:1.

6 Defining Business Continuity Management ;2. identifying and defining the key components ofa viable BCM framework; and3. Placing BCM in the context of organizationalrisk managementBCM DefinedThis guideline agrees with the BCM definitionput forth by the Business ContinuityInstitute (BCI): Business ContinuityManagement (BCM) is a holistic managementprocess that identifies potential impacts thatthreaten an organization, and provides aframework for building resilience and thecapability for an effective response thatsafeguards the interests of its key stakeholders,reputation, brand and value-creating activities. This guideline defines stakeholders asemployees, customers, suppliers, investors, andthe community or communities in which anorganization Continuity planning is the processthrough which organizations establish thecapabilities necessary to protect their assets and continue key Business processes after adisaster an unexpected Business interruptioncaused by natural or man-made events following framework (see Exhibit 1)illustrates the components of Business Continuity planning: Business Continuity MANAGEMENT7 Although the discipline still has a long way to go,organizational Business Continuity managementhas evolved significantly over the past twodecades.

7 In the past, disaster recovery wasusually centered in data processing or informationtechnology (IT) early effortsprimarily focused on getting hardware, softwareand data up and running again after a days, it is generally recognized that businesscontinuity planning efforts require a cross-company perspective and therefore should not belimited to the IT said, manyeffective Continuity tactics have emerged fromdisaster recovery efforts that arose in the ITfunction during the past decade. For example,many of the same principles that apply to data andsystems backup also apply to facilitiesmanagement and recently, disaster recovery has expandedinto Business Continuity planning, a phrase thatwas primarily used to emphasize the need tomove Continuity efforts beyond the IT departmentand weave them throughout the recently, the use of terms like businesscontinuity Management and Business resiliency have increased, emphasizing the proactive natureof current Continuity efforts.

8 A Business continuityplan, as the chart above illustrates, begins withexecutive-level assessments of an organization scontinuity assessment is followedby the identification of the organization s mostimportant Business , financemanagers and other Business managers analyze thecritical components of those processes: people,facilities, technology systems and the data thesystems analysis should also considerhow an unexpected Business interruption mightaffect suppliers and ensuing response processes ensure that all ofthe components that enable a critical businessprocess are restored within a prudent amount oftime. Defining what is prudent demands input fromthe finance and accounting function because itrequires a comprehensive understanding of (a) eachprocess value to the Business ; and (b) the cost ofrestoring the process within a given amount of resulting plan should then be monitored,tested and, when necessary, adjusted or improved. Value to Business Cost to Sustain Monitoring, Testing Improving Continuity Response Approaches: Preparation and Crisis Management Business Impact Analysis Critical Process Identification Customers People Facilities Technology Data 3rd Party Providers Assessment and Objective Setting Exhibit 1: Business Continuity Planning 8 MANAGEMENTSTRATEGYMEASUREMENTBCM and Organizational Risk ManagementBusiness Continuity Management is a subset ofcompanywide or enterprise risk Management (atopic addressed in the Management AccountingGuideline identifying , Measuring, and ManagingOrganizational Risks for Improved Performance.)

9 BCM s rising importance and IT-based history havecaused internal debates about who owns theBCM function and how BCM relates to acompany s existing risk Management , Business Continuity Management is a subset of a larger risk Management most significant difference between riskmanagement and Business Continuity managementrelates to the output of each process. Riskmanagement strategies (either risk avoidance, riskacceptance, or risk mitigation through riskreduction, risk sharing or transfer of the risk) are pre-event responses to perceived risks. MostBCM strategies and tactics focus on the processesthat need to take place after an event or disasteroccurs; the objectives of those processes are torestore the Business to normal operations asefficiently and effectively as Business Continuity Institute s Good PracticeGuidelines (2005) present a partial, but useful,comparison of the two disciplines; a portion ofthis comparison follows (see Exhibit 2).DRIVERS OF Business Continuity MANAGEMENTThe need for Business Continuity managementcapabilities continues to increase due to thefollowing drivers:1.

10 A rise in the number of natural and man-madebusiness interruptions;2. The growing impact of Business interruptionson organizations due to rising businessinterconnectivity;3. The essential obligation to protect, preserveand build value; regulations and guidelines pertaining to BCM;5. The Business benefits of effective businesscontinuity Management ; and6. The generally insufficient quality of existingcorporate BCM 1: A Rise in Business InterruptionsThe number of terrorist incidents worldwide hasescalated since the Sept. 11, 2001 attacks usheredin a new age of man-made disasters. Bombings inAfrica, the Middle East, East Asia, London andMadrid have killed were 651 significant terrorist attacks worldwide in 2004,according to the State is three times the number of attacks thatoccurred in 2003 (Danner, 2005).Driver 2:The Growing Impact of BusinessInterruptionsMost companies now operate in a moreconnected Business climate. Numerousorganizations of all sizes are virtually tethered to agrowing number of customers, suppliers anddistributors through an extended web oftechnology systems and exacerbates the negative impact of aprolonged Business interruption.