=======================
Australian Risk Policy Institute
Winter Seminar – July 2008
Risk Policy in Business Continuity
Miles Pearson
=======================
Description

Business Continuity is about managing interruptions in the availability of key enabling resources to ensure critical outputs and deliverables continue to be delivered.
=======================
Risk Policy Considerations: National

Critical infrastructure that sustains Australian communities must be identified and business continuity planning completed.
In practice this would be a business impact analysis of “Business Australia”.
Where the relationship between key deliverables and infrastructure is identified as critical, alternative infrastructure must be established to maintain the functioning of society should such failure occur.
=======================
Risk Policy Considerations: State & Local

Similar to the National approach, the business of running a community will benefit from completing a business impact analysis for that “business”.
Both State and/or Federal Governments should require such activity for areas they are responsible for.
=======================
Risk Policy Considerations: Organisational

A business continuity policy that articulates expectations of managers and staff in applying business continuity should be developed, promulgated and supported.
This policy can be the mechanism by which the recommended control practices are implemented.
=======================
Stakeholders

Australian Governments – Commonwealth, State & Local – and associated departments, agencies and entities
Listed (ASX) and non-listed companies and their owners (including employees and shareholders)
Small Business
Consumers
Providers of critical social and economic infrastructure
Australian community
=======================
Context

The environment and dependencies of modern businesses continue to change and become more complex. This complexity often revolves around relationships.

Product Line Level
  Product Line Strategy
    Competition
    Segment
    Packaging
    Delivery
    Pricing
  Release Planning
  Development
    Requirements
    Design
    Implementation
    Test
  Production
    Manufacturing
    Control
  Sales & Marketing
    Supply Chain
  Support
    CRM
    Maintenance
=======================
Consequences of Ineffective Control

Deliverables and outputs unable to be met
Loss of consumer confidence and market share
Reduction in overall value
Contractual breach
Organisational collapse
=======================
Consequences of Effective Control

Improved understanding of the processes that enable outputs and deliverables
Recovery priorities established and based on the priority of outputs and deliverables
Opportunities to diversify can become more apparent
Demonstrable assurance regarding control
=======================
Consequences of Time

The timing of a business continuity event (resource availability interruption) plays a significant part in the magnitude of impact.
It does not, however, influence the planning and preparation of contingencies, because the event must be taken to have occurred at the worst possible time in order to be effectively controlled.
=======================
Cause/s

Fail to establish priority of business outputs and deliverables
Fail to understand critical processes
Fail to identify key enabling resources
Fail to understand the relationship between processes and resources
Fail to develop workable contingencies
Fail to test and exercise business continuity contingencies
=======================
Control Approach

Mandating this risk to business units within an entity or organisation, and providing a framework for analysis and contingency development, is the recommended approach to controlling the risk of business continuity.
=======================
Control Practice

Establish Governance and oversight
Create a business continuity function
List organisational outputs or business deliverables
Conduct process analysis – relationships
Determine alternative processes or resources
Agree recovery priorities
Test and exercise contingencies