Friday, June 5, 2009

ISO 38500: IT Governance

go here



ISO/IEC 38500

From Wikipedia, the free encyclopedia


The ISO/IEC 38500:2008,[1] Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.

ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. The standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. It is organized into three prime sections: Scope, Framework and Guidance.[2]

The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:

  • Responsibility;
  • Strategy;
  • Acquisition;
  • Performance;
  • Conformance;
  • Human behaviour.

It also provides guidance to those advising, informing, or assisting directors.

References

  1. ^ "2008 June - New ISO standard for Corporate Governance of Information Technology - World". Qualified Audit Partners. Retrieved on 2008-06-27.
  2. ^ "The ISO 38500 IT Governance Standard".

Business Continuity Planning

SS 540



Staying on track

14 Feb 2007
Topics: Business continuity, BS 25999

Like other disciplines such as quality and environmental management, the progress of business continuity management (BCM) from theory to corporate currency has not been without trial. Attempts at improving business robustness in the event of crises have tended to concentrate either on large organizations or too heavily on disaster recovery rather than the day to day business of managing disruptive incidents.

With the publication in November 2006 of Part 1 of BS 25999, the new British Standard for BCM is set to redress this imbalance. Conceived as a development of PAS 56, the previous BCM standard published by BSI in 2003, BS 25999 is a code of good practice concerned with highlighting what organizations need to do in order to ensure their BCM systems are running effectively on a day to day basis.

The Part 1 code of practice will be followed in the summer of 2007 by Part 2, which will provide a set of criteria and guidelines that are measurable and against which BCM strategies can be assessed, audited and for the first time certified by third party certification bodies such as BSI Management Systems.

"There were two broad challenges associated with the drafting of BS 25999," explains David Lloyd, technical adviser to Survive, a business continuity specialist organization, who sat on the drafting committee of the standard. "First, PAS 56 had been criticised for being too orientated towards large organizations so the BS 25999 committee had to make sure the new national standard met the needs of the whole business spectrum, across different sizes and different risk profiles.

"The other specific issue was to simplify the language and terminology so it was readable and not impenetrable technical jargon. As a result, the new standard makes sense, is easy to follow through and is practical."

John Sharp, policy & development director at the Continuity Forum, who participated in drafting both BS 25999 and PAS 56, agrees that the new standard is a timely enjoinder to the business continuity movement.

"As a set of guidelines, PAS 56 was extremely challenging for smaller organizations, whereas BS 25999 is a more comprehensible document and more applicable to a broader range of organizations," he says.

"For example, PAS 56 required organizations to operate one week every six months out of a recovery centre: this would have made compliance impossible for SMEs that couldn't afford one."

A timely response

The growing awareness of and interest in making sure organizations are ready to face the increasing uncertainties around them suggests BS 25999 will become a vital business tool. It not only addresses strong demand caused by current concerns over potential major disruptions - flu pandemic or terror strikes are certainly topical at the moment - but it also provides a coherent set of principles and guidelines that are applicable at any time.

"One of the lessons we learned in 2001 when we drew up PAS 56 was that companies were asking suppliers for details of their business continuity plans, but everybody was asking for a different perspective and suppliers needed a uniform approach that worked not just for big business but for the whole supply chain. There were lots of questionnaires lying around and SMEs, for the most part, came to see BCM as a cost, a grudge purchase, rather than a part of the overall value chain," says Sharp.

With BSI Management Systems and other third parties already working on self-assessment tools for the standard, and the launch of BS 25999 Part 2 (the Specification) scheduled for 2007, there will be for the first time a spectrum of compliance solutions that should fit the needs of any organization, large or small.

For example, to answer a request from the board about a company's business continuity preparedness, a relatively straightforward self-assessment should suffice.

For more in-depth investigations, the Specification (Part 2) will detail requirements for a Business Continuity Management System and will provide organizations with a mechanism to ensure that their partners and suppliers also have the correct BCM procedures in place. Currently, it is difficult to determine whether organizations are adequately prepared for disruptions, but the Specification will allow for an audit process and certification - meaning that organizations will be able to clearly demonstrate to others that they are meeting the standard and therefore BCM best practice.

This ability to structure levels of compliance according to the level of need within an organization makes the process more cost effective as well as more practical. For example, one comment from a major high street bank at BSI's recent conference to launch BS 25999 was that it would push for full accreditation for mission critical functions on which its customers and stakeholders depended while for individual branches, a lighter compliance level, most likely self assessment, would be deemed to suffice.

Where now for BS 25999?

A large number of varied organizations in a wide range of sectors are taking up the opportunities of BS 25999 to ensure strong business continuity.

Local authorities, for example, are required by the UK's Civil Contingencies Act, which came into force in 2004, not only to ensure BCM is employed in category 1 and category 2 emergency services but also to promote the concept to the wider business community.

Likewise, various industry regulators, most notably the FSA, are taking a proactive approach to getting the standard adopted in their jurisdictions while pressure from those at the top of the corporate food chain is helping drive adoption in the SME community.

The standard's developers are confident that BS 25999 Part 1 (the Code of Practice) and Part 2 (the Specification, due to be published in the middle of 2007), will encourage greater take up.

"Being a formal British Standard now means that for those for whom BCM is their discipline, it raises their professional standing. This means more status and more ability to get things done," says Lloyd.

"We want to see business continuity become part of general management training in the same way finance, HR and project management is, and now is the time for us to take the standard to the MBA schools and get them to build the code into their courses: this will help us raise critical awareness in the investment community.

"The issue is not about promoting BS 25999, which is just something you can hang your hat on: what we're trying to do is build a more resilient business community."

Julian Thrussell, BSI Management Systems UK's product manager for BS 25999 agrees.

"This standard is an important step towards helping organizations prepare for the unknown and to gain confidence from suppliers that they are prepared for disruptions," he says.

"Above all, BS 25999 will help organizations survive. This is an exciting first step and in the future, third party certification by an independent certification body, such as BSI Management Systems, will provide the assurance that organizations meet BCM best practice."

CASE STUDY: Challenges of implementing a BCM strategy

According to Sally Edwards, a principal advisor in the IT Advisory - Business Continuity Management team at KPMG who was involved in the drafting of BS 25999, the biggest challenge facing the BCM movement is giving the new standard time to establish itself: "We've been helped by regulatory developments and the prevalence of BCM issues in the media but, like many other British standards, it's going to take a while to bed in: it's not a tick-the-box style audit and it's not a common skill. It's going to take time for people to get to know it properly." BSI is helping to fill these gaps with further conferences and training on BS 25999 in the pipeline for 2007.

And while it may take time to become embedded in the UK, BS 25999 is proving a hit internationally: "BS 25999 is going to count as a good benchmark for the rest of Europe. It's already aiding dialogue between other governments who want to pitch in ideas of their own, but it really is ahead of the game."

CASE STUDY: Buy-in throughout the organization

Getting the resources to implement a BCM strategy can be a challenge, but a new generation of boardroom BCM champions is emerging.

"These days, this board-level buy-in is the general rule rather than the exception," says KPMG's Sally Edwards.

Speaking at the recent BS 25999 launch conference organized by BSI British Standards, Gordon Irving, director of Group Security at Scottish Power, said that by getting emergency managers and risk managers to work together against a common point of reference, effective BCM programme management can be put in place: "The implementation of the standard allows us to build on our expertise within emergency management and move to a holistic management system covering all areas of business continuity practice within integrated risk management."

In the public sector, the Continuity Forum's John Sharp reports that BS 25999 and other measures are having a positive effect: "Responsibility for BCM can be carried out by various functions depending on the organization but in the public sector, where the role is usually carried out by emergency planners, the signs are that BCM is beginning to be seen as more than just drawing up a plan. Local authorities are now beginning to recruit BCM managers and provide training for staff."

For more information on the standard, visit:
www.bsi-global.com/feb07bs25999

For more information on certification, visit:
www.bsi-global.com/feb07BCMcert

For more information on future BCM-related conferences and training, visit:
www.bsi-global.com/feb07BCMseminars


Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.

SOURCE

Sunday, May 31, 2009

ensure SUPPLY CHAIN Continuity


 

SECTOR SPECIFIC INFORMATION :
RETAILING

LATEST NEWS HEADLINES

Unresponsive data centres can lead to supply chain chaos
Study highlights the need for retailers to ensure that IT supports business continuity policies.
Date: 19th May 2009 • Region: UK/World • Type: Article • Topic: IT continuity

HP launches business continuity solution for SAP
Helps ensure supply chain continuity.
Date: 12th May 2009 • Region: World • Type: Article • Topic: BC general

Huge rise in UK product recalls
Many companies unprepared for the related business risks.
Date: 7th May 2008 • Region: UK • Type: Article • Topic: Retail BC

New ISO standard project will facilitate recall of unsafe products
Committee starts work on ISO/PC 240, Product Recall.
Date: 31st March 2008 • Region: World • Type: Article • Topic: Retail BC

Geographic information systems as a supply chain risk management tool
Andrew Dailey highlights the business continuity and risk management benefits that GIS can bring.
Date: 21st December 2007 • Region: US/World • Type: Article • Topic: BC general

Major risk factors for managing the quality of goods sourced from China
While being aware of the risks, many companies do not actively manage and monitor their Chinese suppliers, and most lack the ability to fully trace faulty imported goods or replace their suppliers in a crisis.
Date: 28th Sept 2007 • Region: World • Type: Article • Topic: Retailing BC

The time to act is always now
With Cadbury again in the news over its 2006 food safety failures, Jonathan Hemus looks at how to handle product recalls and the associated crisis communications.
Date: 19th June 2007 • Region: UK/World • Type: Article • Topic: Crisis comms

Business continuity in the UK food and drink industry
Growing acceptance of BCM but still a long way to go, says Chris Woodcock.
Date: 4th May 2007 • Region: UK • Type: Article • Topic: Retail BC

NIST issues RFID security guidelines
As RFID devices are deployed in more sophisticated applications, concerns have been raised about protecting such systems against eavesdropping and unauthorized uses.
Date: 27th April 2007 • Region: US/World • Type: Article • Topic: ISM

UK businesses warned to act as 





SOURCE

Monday, January 5, 2009

Preparing for the worst

January 5, 2009


Risk planning should be priority for entrepreneurs
Daryl-Lynn Carlson, Financial Post Published: Monday, January 05, 2009


Risk is always a factor in launching a business, although not all entrepreneurs recognize the potential for peril that could bring operations to a grinding halt.
Extreme weather, a mass power grid failure or even an incident of gunfire unleashed amid an urban centre can paralyze a small business for days, or even longer.


Such risks coupled with the increased dependency on technology render up-to-date contingency planning and emergency preparedness an integral New Year's resolution for business sustainability.


Jonathan Davids didn't have to endure a bona fide disaster to realize he needed a far more specialized service to ensure his Internet-based media business, Soko Company, would survive an emergency.


With clients that include Unilever, Ford and Johnson & Johnson along with three well-patronized sites of his own, Mr. Davids switched within two years of his launch to a mainframe server provider based in Texas that has ample back-up locations.



"Any Web site needs to have 100% 'up' time," Mr. Davids says, explaining that an initial server provider he'd retained near his home base in Toronto failed to accommodate the volume of traffic his sites began drawing, never mind the prospect of a catastrophe.



"The public has very little tolerance for a Web site that's gone down. I want the peace of mind that my Web sites are safe." So well-equipped is his new Texas provider that during a series of weather-related power outages across North America in 2006, Soko's Web sites remained up and running on a continual basis. "In the last three years, we've had zero downtime," he says.



Under the Soko banner, Mr. Davids operates three flagship Web sites: Soko.com, a lifestyle resource with information ranging from health to relationships; LiveDress.com, which connects shoppers with retailers; and DriverSense.com, which is filled with automotive information. Each site is updated regularly with articles by contributing writers. Besides searching for service stability, Mr. Davids also recently purchased various insurance policies to cover any liabilities that may arise connected with content published on his sites. "It was just in the last year that we looked into different kinds of insurance," he says.


"Even though we publish disclaimers, what happens if someone decides to sue us? A lawsuit could drain our business."


He acknowledges that many younger entrepreneurs may not consider insurance or contingency planning a priority at the outset of a business launch.
"But I would say that insurance and ensuring that your company, whatever it is, is available to consumers when you say it will be and having a contingency plan so you are reliable is important," he says.



Ann Wyganowski is an emergency preparedness and contingency planning expert who runs a Toronto-based consulting firm, HZX Business Continuity Planning, and serves as president of the Toronto Disaster Recovery Information Exchange.


She acknowledges that specialty insurance and contingency planning are not always a high priority for smaller business operators.
"Everybody thinks it won't happen to them," she says of the potential for a catastrophic incident. "That's human nature."



Ms. Wyganowski suggests that entrepreneurs could be better informed of how certain incidents could affect them and what types of planning measures are required.
"What I see is a lot of confusion between business continuity and emergency preparedness," she says.


Emergency preparedness is the immediate response to take care of personnel and assets at the premises in the event of a disastrous incident - a plan that could even save lives.


"In the event of a shooting near your business, do your employees know what to do?" she asks, while not mentioning that such an incident occurred in downtown Toronto three years ago. "Are they going to run and take a look? That could endanger their lives." Ms. Wyganowski helps businesses to assess risk based on geographic location and operations, and to develop a response that will be executed properly.



Business continuity "is about protecting your business after people and assets are safe and taking steps to make sure business will run and recover," she says.
Governments are increasingly requiring their suppliers to have contingency plans that comply with guidelines set out by the Canadian Standards Association, Ms. Wyganowski says. "If you are a smaller company and want to work with government clients, they will want to know if you're CSA Z1600 compliant," she says, citing the document that sets out the guidelines for federal contingency planning standards.



While a contingency expert can recommend measures or factors to consider, plans should be developed by entrepreneurs themselves and rehearsed to ensure they are practical in application. "I have never done two business continuity plans that were alike; every business is different," Ms. Wyganowski says.
To get started, she recommends entrepreneurs peruse information available through the Web sites run by Emergency Management Ontario, the Canadian Centre for Emergency Preparedness and Public Safety Canada.



The Insurance Bureau of Canada also has resources for risk management and preparedness as well as means for entrepreneurs to ascertain whether they purchased the appropriate coverage, says James Geuzebroek, IBC's media relations manager.



"In a world fraught with risk, it's important for business owners to have the right insurance coverage in place," Mr. Geuzebroek says. "It's not just about property loss. Liability coverage, for instance, provides important protection at a time when society is increasingly looking to the court system to settle conflicts.
"Also, business owners should consider the costs of not being able to operate their business for a period of time. For this, there is business interruption coverage."



The IBC includes a commercial insurance section on its Web site, and Canadian entrepreneurs with questions can find their regional IBC office under Contact Us.
smallbusiness@nationalpost.com
Posted by Vistabilities at 1:42 PM




Tuesday, May 6, 2008

Is your company risk-intelligent?

Sanjay Krishnan in Mumbai May 10, 2005
Is your organisation risk-intelligent? That is the question Indian companies are increasingly asking themselves.
Faced with newer types of risk profiles across their enterprises, the concept of the chief risk officer -- or the CRO -- may soon mark its presence in India.
Whilst the concept of enterprise risk management has been around since the early 1990s, the spectacular collapse of mega corporates like Enron and Arthur Andersen in the recent past has brought risk management into focus like never before.


In India too, with the banking sector slated to embrace Basel II norms, it is very likely that a holistic approach to risk management will soon be teed off in the financial institutions in the country.


Basel II is a set of binding rules set by central bankers from around the world, under the auspices of the International Bank of Settlements in Basel, Switzerland, and is aimed at producing uniformity in the way banks and banking regulators approach risk management across national borders.


So while risk management, as a practice, is enforced across business divisions today, there is no one who is holistically looking at it.
For example, the IT infrastructure in a bank may be taken care of by the IT department that will not only monitor usage but also restrict access from within. At the same time the credit risk portfolio will be handled by the individual business division, while the investment risk would be handled by yet another division.


Points out Deb Ghosh, chief architect at the $417-million, Nasdaq-listed TIBCO, an enabler of real-time business and one of the world's largest independent business integration software companies: "Today enterprise-wide risks are dispersed in silos. While each business division head may be looking at risk associated with their business there is no enterprise-wide risk assessment."


According to Ghosh, whose company competes with the likes of International Business Machines and BEA Systems, historically operational risk across an enterprise has been managed in an ad-hoc manner, with different departments implementing different policies and procedures.
To compound the maze, factors related to risk have been managed with auditing procedures, wherein potential or future risk factors are almost always not identified, leaving no scope for it to be averted -- a perfect recipe for a disaster to happen.


Indian IT industry watchers point out that organisations have so far been able to do with the position of chief security officers (CSOs) who handle risk factors but these are only IT-related. The CSO in a bank will neither be able to comprehend nor understand the way credit risk is assigned or measured.


Enter the CRO.
The CRO oversees the enterprise risk management process of managing financial and non-financial risk for the entire company. There are four main categories of risk: strategic, financial, operational, and compliance. The CRO must be able to comprehend, evaluate and avert risks in all four, which means that the person concerned needs multi-functional domain expertise.


According to estimates put out by analysts at Forrester Research, close to 75 per cent of the largest companies in the world will create a position of a chief risk officer by 2007.
Future CROs, though, have one man to thank: James Lam, an independent consultant and president of James Lam & Associates, who was once vice chairman of New York-based risk management consultancy ERisk.


Lam defined and developed the CRO role when GE Capital hired him in 1993 to set up a new capital markets business. Later, he joined Fidelity Investments in the same capacity.
The position of a CRO has come about partly because of the pressure regulators and shareholders have put on companies to properly divulge the business risk. CROs in a financial institution will have to integrate credit risk, market risk, operational risk, economic capital and risk transfer.


At the end of the day whether the concept of enterprise risk management works or not will largely depend on how the business process is managed in an enterprise. And according to TIBCO's Ghosh, business process management would probably be the first step to managing risk holistically also.


"A good business process management system will orchestrate information from one process system to another and make it seamless and intelligent." And TIBCO is eyeing India's BFSI (banking, financial services and insurance), telecom and discrete manufacturing sectors to offer such solutions.


No surprise then that more than 40 per cent of the CROs are found in the insurance/banking/financial services sector and 50 per cent are found in energy or utilities companies, which are the most risk prone businesses.


In the Indian context, some recent judicial decisions may end up forcing companies to look at creating CRO positions. The Supreme Court has only days back taken away the immunity of companies from prosecution in cases of financial irregularities.


The apex court has ruled that corporate bodies can always be prosecuted in financial irregularity cases and courts can impose fine on them.
A five-judge constitution Bench headed by Justice N Santosh Hegde gave the ruling while setting aside an earlier ruling of the court that companies cannot be prosecuted in economic offences as they were not a natural person and could not be imprisoned if found guilty.


Why adopt ERM

There are multiple forces that mandate the adoption of ERM.

Regulatory:
  • Corporate Governance and Internal Controls -- made famous (or infamous, depending on how you look at it) by the Sarbanes-Oxley Act;
  • Basel II Accord.

Part of the larger initiative of an 'outside-in' approach to a total customer process platform:
  • The risk in the business is passed on to the business -- directly (customer business continuity may be adversely affected) or indirectly (reputational risk).

Innovation in products/services:
  • Modern exotic products in particular often cut across traditional lines, making integrated risk treatment mandatory.

Benefits of ERM

Whatever the case that has made you think about ERM, keep in mind that it's not a slap on the wrist by a big brother.
Prudent risk management is just plain simple 'better business.' Period.


Today 15 per cent of financial companies measure the integrated effects of risks across the entire organisation. In three years this proportion is expected to rise to 43 per cent.


A couple of surveys
"Ninety per cent of companies with an ERM programme report that they are 'very confident' in managing their risks, compared with only 45 per cent of those without such a programme." -- Tillinghast survey
Eighty-four per cent of the companies in a recent Oliver Wyman survey believe that ERM has the potential to improve their price/earnings ratio and cost of capital.


Strategic benefits of ERM

1. Enhancing shareholder and policyholder value through:
  • Systematic assessment of all relevant types of risk, using qualitative and quantitative methods;
  • Improving capital efficiency and cost savings through more effective management of internal resources and capital;
  • Providing an objective basis for allocating resources;
  • Reducing expenditures on immaterial risks;
  • Exploiting natural hedges and portfolio effects;
  • Protection against earnings-related surprises; and
  • The selection of financial and operational strategies for maximising the optimal balance of value to both policyholders and shareholders.

2. Transactional benefits of ERM:
  • Risk-based pricing (pricing, particularly of services, is a hot topic amongst Indian bankers; risk-adjusted pricing models can greatly benefit the business model of banks);
  • Customer profitability and portfolio management;
  • Reduced insurance premiums; and
  • Reduced unprofitable dealings with clients.

3. Other benefits of ERM:
  • Supporting informed decision-making;
  • Uncovering areas of high potential adverse impact on drivers of share value;
  • Identifying and exploiting areas of 'risk-based advantage';
  • Ability to aggregate business unit risks across an enterprise, enabling better understanding of risk across functions and business units;
  • Building investor confidence;
  • Establishing a process to stabilise results by protecting them from disturbances; and
  • Demonstrating proactive risk stewardship.


Monday, May 5, 2008

PAS 56 has now been withdrawn and replaced by BS 25999-1:2006. The NEW standard for Business Continuity Management.

go here

Friday, April 11, 2008

Learn about Business Continuity Management System

The Confederation of Indian Industry (CII), in partnership with the British Standards Institute, is organizing one-day Seminars in the major business centres, i.e. New Delhi, Mumbai and Bangalore, on 14th, 15th and 17th April 2008 respectively, with the aim of spreading awareness among businesses in India of the unsuspected risks they face to their business and of equipping them with the know-how for dealing with these in the most effective manner.

The theme of the Seminars would be centered on the core concepts enunciated in the BS 25999 series of Standards and how these have helped businesses worldwide to improve their inherent resilience to withstand anticipated or unanticipated business disruption, such as due to communication failure, pandemic, disasters and many other business risks. The event is jointly supported by National Disaster Management Authority (NDMA), BCM Institute and Secure Matrix and the organisations associated with the Launch events are IBM, Satyam, Citigroup and Accenture.

Through a series of presentations and a workshop-style session you will have the opportunity to:
  • Learn about Business Continuity Management Systems and how they can benefit your business by enhancing your resilience while identifying business improvement opportunities.
  • Learn how effective Business Continuity Management contributes to good financial performance.

I am enclosing the BCM invite pdf and the necessary link to review the event. Please follow the following links: http://www.bsigroup.co.in/en-in/Assessment-and-certification-services/Management-systems/Standards-and-schemes/BS-25999/Event/ or else http://cii-iq.org/banners/banner_3/banner_3.html

Please inform me at sandhyakhamesra@bsigroup.com if you are interested so that I can ensure your participation.

Best Regards,

Sandhya Khamesra

Thursday, March 13, 2008

Implementing a Business Continuity Plan


When business is heavily dependent on IT infrastructure, all risks and threats need to be considered. A well-documented Business Continuity Plan ensures that your data and infrastructure are covered.

by Brian Pereira

Next month marks the first anniversary of the September 11 terrorist attacks on key sites in the US. While those events shook the world and threw security forces into a state of high alert, they also impacted the corporate world. IT managers (even CEOs) are now dead serious about securing their prized assets: data and infrastructure. While concepts like Disaster Recovery (DR) aren't new, the issue of Business Continuity (BC) has suddenly gained importance.
Business Continuity is the ability of a business to continue its operations with minimal disruption or downtime in the event of natural or intentional disasters. BC begins with a plan that addresses all risks and secures the systems that are vital to business operations.
It's imperative for companies that are heavily dependent on IT infrastructure to design and implement a Business Continuity Plan (BCP). So how prepared are Indian enterprises to counter disasters?
The Information Risk Management (IRM) practice of KPMG-India recently conducted a survey to check the preparedness of Indian industry. The results of the survey were shocking:
79 percent of the respondents do not have a documented and tested BCM (Business Continuity Management) plan.
Among the respondents highly dependent on IT, 64 percent do not have a corporate-wide BCM plan in place to address business disruption risks.
The survey covers more than 100 private and public sector organizations spread across various industry segments. (See box on page 26 for a snapshot of the survey results).
According to the META Group, 80 percent of Global 2000 organizations have some form of disaster recovery or business continuity plan in place, but only 60 percent of these plans are reasonably complete and actionable, i.e., they adequately address sufficient coverage of resources and can be successfully executed by the owning organizations.
A Gartner Research report titled 'What is Crisis Management' indicates something similar. Gartner says 85 percent of Global 2000 enterprises have established a disaster recovery plan for core technology and infrastructure, but only 15 percent have a full-fledged business continuity plan. In another report Gartner projects that by 2005 more than 70 percent of large enterprises will have invested in business continuity planning compared to fewer than 25 percent today.
The need for a Plan
While everyone stresses the importance of BCP and DRP, few Indian organizations actually get down to documenting, implementing and testing it.
"India is a fairly risk-prone country. We've had natural disasters but we've always recovered from these. This attitude has been the same in the corporate world. In the past there has been minimal interest in Business Continuity," says Sanjay Dhawan, Executive Director-IRM practice, KPMG.
Dhawan says it is now imperative for Indian businesses to have business continuity plans. "Global businesses are not interested in getting into a relationship (with Indian businesses) unless these service providers are prepared for recovering from a disaster. Also, global businesses fear that a war (or a war like situation) could break out in India, and therefore they need increasing assurance on the continuity and availability of its business associations in India."
Many organizations are heavily dependent on IT infrastructure. So if disaster strikes and these organizations cannot recover quickly enough, the consequences could affect business along the entire value chain. Business revenue drops, brand equity takes a beating; there's loss of customers (who choose alternatives) and permanent loss of shareholder value.
Disasters, both natural and intentional, are unpredictable. Natural disasters could be earthquakes, floods, hurricanes, or fire. Intentional disasters are caused by disgruntled humans and range from virus/hacker attacks to nuclear attacks. Then there are other causes for business disruption like hardware and communications failure.
A business continuity plan is insurance against such disasters and ensures that key (if not all) business functions continue.
Designing the plan
A BCP necessitates the provisioning for redundancies at all levels. That includes not just servers, storage, networking equipment and connectivity links, but also other infrastructure like air-conditioning and power supplies. The plan should cover all risks that could possibly affect your business.
According to KPMG, a BCP must factor in all the risks, and should ensure continued availability, reliability, and recoverability of resources. It should balance the costs of risk management with the opportunity cost of not taking appropriate action.
"A business continuity plan should provide an enterprise-wide risk-based approach, covering People, Processes, Technology and Extended Enterprise to ensure continuing availability of business support systems and minimize disruption risks," says Dhawan.
Most corporates today outsource support functions and rely on third-party support for non-core business operations (like logistics). So the plan should also extend to external entities like customers, partners and suppliers. BCP must also address business risks like:
Customer end risks
Supplier end risks
IT hardware and software risks
Business core process risks
Business partner risks
Snapshots of the KPMG survey on Business Continuity Management
79 percent of the respondents do not have a documented and tested Business Continuity Management plan.
Among the respondents highly dependent on IT, 64 percent do not have a corporate -wide BCM plan in place to address business disruption risks.
21 percent of the organizations surveyed store entire data backups at onsite locations only.
Among the respondents taking backups, 32 percent did not test the backups for reliability.
44 percent of the respondents have faced some form of a disaster in the past two years. Though 75 percent claimed that they were able to recover within the maximum permissible downtime during these disasters, 91 percent of these had not actually estimated the maximum permissible downtime for various processes.
While 35 percent of respondents have a corporate-wide BCM plan in place, 28 percent of these do not have a formal mechanism to declare disaster.
64 percent of the organizations surveyed have not envisaged any kind of alternative facility to ensure continuity of business in case of a major disaster.
Of the respondents having a BCM plan, 65 percent have never tested it.
Courtesy: KPMG-India
BCP considerations for Business Continuity
1. Asset Identification & classification
It is very important for the organization to identify and value its assets. Not all the assets are critical to business operations. In the event of a disaster, the available resources should be directed towards ensuring the safety of assets that are most valuable.
2. Risk Analysis and Management
All the potential risks along with their impact on the business need to be analyzed. There must be a mitigation strategy that identifies the potential threats and puts appropriate controls in place to reduce the vulnerabilities. The organization needs to define the "acceptable risk" it is prepared to take.
3. Emergency Response Mechanism
There must be a plan and detailed procedures in place to respond in cases of emergencies. Responsibilities, resources and process must be defined in detail and communicated. Pre and post disaster activities must be clearly identified and addressed.
4. Communication & Review
The business continuity plans have to be shared with all the stakeholders, including employees and partners, to be effective. There must also be periodic reviews to align the plans with changing business needs and objectives.
Courtesy: Infosys
Implementation scenario
According to KPMG the highest level of seriousness for business continuity is reflected in the banking and finance sector. The manufacturing sector is also serious about it, followed by the infocom and entertainment sectors (see charts). Companies, particularly in the IT services sector, are increasingly working towards business continuity management in order to meet the security requirements of their global clients. An example is Infosys Technologies.
Infosys is putting together a disaster recovery plan to ensure that its large global customers continue to get round-the-clock support, even if the subcontinent goes to war. It will set up disaster recovery sites in Singapore and Canada. The plan is to move employees to these sites and resume operations in the event of an emergency.
Incidentally, Infosys' Bhubaneshwar facility was affected by the cyclone that hit Orissa in October 1999. But it was able to restore facilities within 60 hours because it had a well-defined BCP and procedures.
Other large corporations that have successfully implemented full-scale business continuity plans are now leveraging on their experience to offer consulting services to other companies. NSE for instance has a division called NSE.IT, which offers consulting services for business continuity to companies like BPCL and Clearing Corporation of India. Incidentally, NSE shifted its recovery site from Pune to Chennai because Chennai is in another state and another seismic zone. According to Satish Naralkar, CEO, NSE.IT, if the National Stock Exchange Building in Mumbai is hit by a disaster, business will resume within 24 hours at the recovery site in Chennai.
Datacenters like Cyquator Technologies and Global Telesystems Ltd (GTL) offer shared infrastructure for enterprises who want to set up hot sites. These datacenters have provided redundancy at all levels, replicating everything from servers and switches to power supplies. Some are also setting up disaster recovery sites in other cities.
Barriers
When implementing BCP an IT manager is confronted with all types of obstacles, the primary one being investment.
But industry analysts advise companies to identify key risks first and give priority to systems that are most critical to business. Of course, the ultimate objective is to create redundancies for almost all systems and set up a hot site at another location.
While the cost of setting up a hot site may be exorbitant for smaller companies, there are other innovative alternatives. For instance, organizations with similar infrastructure could have reciprocal arrangements to act as backup/recovery sites for each other. One could also outsource this to Network Operations Centers or datacenters.
The other impediment is attitude. Disaster Recovery has traditionally been considered a technical issue, and the purview of the IT department. But analysts say this is more than a technical issue and it concerns even the highest levels of management.
"I don't think BCP is just a CIO's problem; it's a business issue," says Sameer Kapoor, Executive Director, PricewaterhouseCoopers. "Whatever decisions are going to be taken, have to be taken with the business interest in mind. I think the decision making at times goes wrong because people look at only the short-term benefits: the immediate profitability or impact on business. They do not look at the larger issue of sustainability or survivability of the organization in a competitive environment."
Naralkar of NSE.IT compares this to the Y2K situation. He says the main barrier now is convincing top management. "Chairmen of various companies were aware about the implications of Y2K and had given a mandate that preparatory steps must be taken. Once a mandate like this comes from that office, they also monitor it."
Naralkar says an IT Head (CIO/CTO) has to sell to top management, what impact a disaster will have on business in the absence of a BCP.
Once management is convinced, the investment and commitment will follow. Then the challenge is to design a plan and implement it in phases.
Brian Pereira can be reached at brianp@networkmagazineindia.com
Business Risk Services

Areas of Focus
Ernst & Young's Business Risk Services offer strategic and operational services that help companies around the world evaluate and enhance their risk and control functions.
Ernst & Young can help you in these areas:
Enterprise Risk Assessment
The key to effectively protecting and growing returns for an organization's shareholders is to identify and manage the risks that could prevent the organization from achieving its business objectives. When key risks are clearly identified, risk management efforts can focus on the risks that could have the most significant impact on the organization. Our Enterprise Risk Assessment is a highly effective and practical approach that provides insight on inherent risks and then links them to the organization's objectives, initiatives, and business processes to help that organization define, improve, and monitor opportunities.
For more information, download the Enterprise Risk Assessment brochure (pdf, 617kb), or contact Global Leader Mike Kaiser +1 312 879 5964
Risk and Control Framework Assessment
In most organizations, risk management and internal control activities are numerous and fragmented. This lack of alignment and coordination can result in overlaps or gaps in risk coverage. Through our Risk and Control Framework Assessment, we help companies identify and understand the misalignments, challenges, and improvement opportunities in their risk and control frameworks. This assessment provides a clear definition of focus areas and efforts that can help management drive incremental improvements that will mitigate risk and enhance overall performance.
For more information, contact Global Leader Mike Kaiser +1 312 879 5964
Internal Audit
Maintaining a strong internal control structure has never been more important to executives, audit committees, and board members. It is imperative that internal audit departments have access to the global resources, knowledge, and tools to address the highest priority risks faced by the organization. Our internal audit professionals have valuable experience gained from providing internal audit services to both public and private companies across all industries, locally and globally.
For more information, download the Internal Audit Functional Performance Assessment brochure (pdf, 498 kb), or contact Global Leader Bob Trombley +1 216 583 3990
Internal Controls
Boards, audit committees, and senior executives are being challenged to develop and maintain an internal control environment that meets the governance expectations of stakeholders and anticipates future regulatory requirements. At the same time, they also must demonstrate that the approach provides benefits to the business to justify the investment. Our deep internal controls experience helps you develop a tailored and tangible approach to internal controls that is focused on your business and its environment.
For more information, download the Internal Control Services brochure (pdf, 440kb), or contact Global Leader Inge Boets +32 03 270 1223
Risk Remediation
Our risk remediation service is an approach focused on risk mitigation through improving the effectiveness and efficiency of the related processes and controls. Process and control reviews have tremendous potential to provide added business insight. By uncovering deficiencies, these reviews help identify performance and control improvement opportunities. More and more companies are taking the next step to start improvement efforts to remediate deficiencies.
For more information, download the Risk Remediation brochure (pdf, 1mb), or contact Global Leader John Stalla +1 216 583 4012
Program Advisory Services
Mounting regulatory requirements for disclosure and transparency, coupled with the complexity inherent to large programs, have placed sponsors and managers under increased pressure to demonstrate their programs and projects will deliver to expectations. Similarly, stakeholders are interested that their programs and projects will be successful, benefits will be realized, and changes to the organization will be sustainable.
For more information, download the Program Advisory Services brochure (pdf, 1.1mb) or contact Global Leader Teresa Pierce +1 216 583 896
Contract Risk Services
We assist clients with all aspects of the contract life cycle, including risk assessment, internal and external monitoring, process improvements, Sarbanes-Oxley Section 404 compliance, and internal audit support. Our extensive experience with contract life cycles, risks, and controls provides a foundation to assess a company's risk profile and potential exposure surrounding business partner contracts. We analyze compliance with stated contract terms, which can lead to revenue recovery, improved business partner relations, and compliance.
For more information, download the Contract Risk Services brochure (pdf, 647kb), or contact Global Leader Neil Aaron +1 212 773 8101

Risk Assessment (process of risk analysis and risk evaluation) can only be completed after you choose the Risk Assessment Approach.
So the order would be
1) Choose Risk Assessment approach
2) Risk Analysis (identify sources of Risk and estimate the Risk)
3) Risk Evaluation (compare the estimated risk against given risk criteria to determine the significance of the risk)
4) Risk Acceptance (for those which are within Risk criteria or by Management directive)
5) Risk treatment (for those that can be treated)
With regards
Madhukar
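The five-step ordering above (choose the approach, analyse, evaluate against criteria, accept, treat), together with the "acceptable risk" and maximum permissible downtime points from the BCP article earlier on this page, worked through as an added Python example. It is not code from either post or from any standard: the rating scale, the risk sources, the per-process downtime limits and the management directive are all constructed sample values chosen to show one risk that is accepted by rating but still needs treatment because its estimated outage exceeds the process's maximum permissible downtime.

```python
"""Risk assessment in the order: choose approach, analyse, evaluate, accept or treat."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    TREAT = "treat"


@dataclass(frozen=True)
class Risk:
    """One source of risk against one business process (constructed sample data)."""
    source: str
    process: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (catastrophic)
    outage_hours: float    # estimated outage if the event occurs


@dataclass
class RiskCriteria:
    """Step 1, the chosen approach: a rating scale plus per-process downtime limits."""
    acceptable_rating: int                        # ratings at or below this may be accepted
    max_permissible_downtime: dict[str, float]    # hours per process, from the business impact analysis
    management_accepted: set[str] = field(default_factory=set)  # sources accepted by directive


def analyse(risk: Risk) -> int:
    """Step 2: estimate the risk as a likelihood x impact rating (1..25)."""
    return risk.likelihood * risk.impact


def evaluate(risk: Risk, criteria: RiskCriteria) -> bool:
    """Step 3: compare the estimate against the criteria. True means the risk is significant.

    A risk is significant if its rating exceeds the acceptable rating OR the estimated
    outage exceeds the maximum permissible downtime of the process it affects. The
    second test is what catches low-likelihood, long-outage events such as a site flood.
    """
    limit = criteria.max_permissible_downtime[risk.process]
    exceeds_rating = analyse(risk) > criteria.acceptable_rating
    exceeds_downtime = risk.outage_hours > limit
    return exceeds_rating or exceeds_downtime


def decide(risk: Risk, criteria: RiskCriteria) -> Decision:
    """Steps 4 and 5: accept (within criteria, or by management directive), otherwise treat."""
    if risk.source in criteria.management_accepted:
        return Decision.ACCEPT
    return Decision.TREAT if evaluate(risk, criteria) else Decision.ACCEPT


def assess(risks: list[Risk], criteria: RiskCriteria) -> dict[Decision, list[Risk]]:
    """Run the whole sequence; risks are returned highest-rated first within each decision."""
    result: dict[Decision, list[Risk]] = {Decision.ACCEPT: [], Decision.TREAT: []}
    for risk in sorted(risks, key=analyse, reverse=True):
        result[decide(risk, criteria)].append(risk)
    return result


# Constructed sample criteria: order processing may be down at most 4 hours, payroll 72 hours.
SAMPLE_CRITERIA = RiskCriteria(
    acceptable_rating=6,
    max_permissible_downtime={"order processing": 4.0, "payroll": 72.0},
    management_accepted={"currency fluctuation"},   # hypothetical management directive
)

# Constructed sample risk register (sources taken from the disruption causes named on this page).
SAMPLE_RISKS = [
    Risk("ISP failure", "order processing", likelihood=4, impact=3, outage_hours=6.0),
    Risk("server hardware failure", "payroll", likelihood=3, impact=2, outage_hours=24.0),
    Risk("flood at main site", "order processing", likelihood=1, impact=5, outage_hours=120.0),
    Risk("currency fluctuation", "payroll", likelihood=3, impact=4, outage_hours=0.0),
]

if __name__ == "__main__":
    for decision, items in assess(SAMPLE_RISKS, SAMPLE_CRITERIA).items():
        for r in items:
            print(f"{decision.value:6} rating={analyse(r):2} outage={r.outage_hours:5.1f}h  {r.source} / {r.process}")
```

The flood case is the one to notice: with a rating of 5 it sits inside the acceptable band, yet it is routed to treatment because an estimated 120-hour outage exceeds the 4-hour limit for order processing. That is exactly the gap the KPMG survey figure points at: without an estimated maximum permissible downtime per process, step 3 has nothing to compare against and such a risk would be accepted on rating alone.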

Monday, March 3, 2008

Fire, Flood and Fraud


Dr David Smith to Present at WCC
Tuesday, 26 February 2008

Dr David J Smith BCCE, FBCI will be presenting at the upcoming World Continuity Congress. His presentation will cover three case studies entitled "Fire, Flood and Fraud". The first concerns the largest explosion and subsequent fire in Europe since the Second World War: Buncefield, which was the London Heathrow Airport fuel farm. The second relates to the flooding in the UK during the summer of 2007. The third will provide a brief up-to-date history of rogue traders within banking. Within this context it demonstrates that business continuity is not just about fire and flood; it is also about people and their view of risk, and how historical lessons do not seem to have been learnt.

Friday, February 29, 2008

BCM Awareness presentation

go here

Thursday, February 21, 2008

Disruptions


Your business continuity is liable to the following risks:

- Fire in plant/office
- ISP Failure
- Currency fluctuations
- Loss making orders booked
- Raj Kumar dies: India's IT capital comes to a halt
- Shiv Sena wing attacks North Indians: UP work force leaves en masse in Nashik and Ambad
- Tsunami
- Mumbai floods
- US spy satellite plummets to earth
- ENRON
- Arthur Andersen
- ICICI Cash crunch
- 9/11
- Avian Flu
- Leo Mattel toys recall
- Mad cow disease
- Surat Plague
- Fault lines in the Mumbai region
- Nuclear attack threat from Pakistan
- Poaching of your key persons by competitors
- death of your key person
- Suing by employees and customers

Business Continuity Management minimizing disruptions




The story begins as "Don" Vito Corleone, the head of a New York Mafia "family", oversees his daughter's wedding. His beloved son Michael has just come home from the war, but does not intend to become part of his father's business. Through Michael's life the nature of the family business becomes clear. The business of the family is just like the head of the family, kind and benevolent to those who give respect, but given to ruthless violence whenever anything stands against the good of the family. Don Vito lives his life in the way of the old country, but times are changing and some don't want to follow the old ways and look out for community and "family".


An up-and-coming rival of the Corleone family wants to start selling drugs in New York, and needs the Don's influence to further his plan. The clash of the Don's fading old world values and the new ways will demand a terrible price, especially from Michael, all for the sake of the family.

This post was made by me after the input I got from attending Shri Pankaj Rai's presentation on BCM at the BSI Consultants meet in Mumbai.
Many thanks Pankaj ji
SXD
TQMC

Wednesday, February 20, 2008

Continuity and risk



ISO/PAS 22399 provides international best practice for preparedness and continuity management


Natural disasters, acts of terror, technology mishaps and environmental accidents have clearly demonstrated that no one is immune to intentional or unintentional crises.


ISO/PAS 22399:2007 has been developed to address the global awareness that both the public and private sector must proactively prepare for unexpected, disruptive incidents.

Applying ISO management system standards to enterprise risk management

ISO management system standards can be important tools in a company-wide risk management programme.


The first step is to understand what is meant by a generic risk management system. Next, the organization needs to look at how a standards-based system can be implemented.


Sunday, February 17, 2008

Product Liability Insurance




Liability insurance

Liability insurance is a part of the general insurance system of risk transference. Originally, individuals or companies that faced a common peril, formed a group and created a self-help fund out of which to pay compensation should any member incur loss. The modern system relies on dedicated carriers to offer protection against specified perils in consideration of a premium. Liability insurance is designed to offer specific protection against third party claims, i.e., payment is not typically made to the insured, but rather to someone suffering loss who is not a party to the insurance contract. In general, damage caused intentionally and contractual liability are not covered under liability insurance policies. When a claim is made, the insurance carrier has the right to defend the insured. The legal costs of a defense are not affected by any policy limits, which is useful because they can be significant where long trials are held to determine either fault or the amount of damages.
Product liability insurance
In product liability insurance (PLI) terms, a product is any physical item that is sold or given away.
Products must be "fit for purpose". Under the Consumer Protection Act 1987, you're legally responsible for any damage or injury that a product you supply may cause.
Your responsibilities
If you supply a faulty product, claimants may try to claim from you first, even if you did not manufacture it. You'll be liable for compensation claims if:
your business' name is on the product - ie the manufacturer made it for your brand
your business repairs, refurbishes or changes it
you imported it from outside the European Union
you cannot clearly identify the manufacturer
the manufacturer has gone out of business
Otherwise, the manufacturer is liable - or the processor, where the product involves parts from multiple manufacturers.
However, you must also:
show that the products were faulty when supplied to you
show that you gave consumers adequate safety instructions and warnings about misuse
show that you included terms for return of faulty goods to the manufacturer or processor in any sales contract you issued to the consumer
make sure that your supply contract with the manufacturer or processor covers product safety, quality control and product returns
have good quality control and record-keeping systems
The nature of risk, ie the viability of a claim and the premium, is affected by:
who the product is sold to
how and where it is used
any warnings or labels provided
What is covered
PLI covers you against compensation awarded as a result of damage to property or personal injury caused by your product. Bear in mind that if someone is awarded personal injury compensation, the NHS can claim to recover the costs of hospital treatment (including ambulance costs). This applies to incidents that occur either on or after 29 January 2007.
Read about the Injury Costs Recovery Scheme on the Department of Health (DoH) website.
PLI may not cover you against financial losses to a business or person caused by a faulty product which you manufactured, serviced or supplied. Download a guide to the Consumer Protection Act 1987 from the Department for Business, Enterprise and Regulatory Reform (BERR) website (PDF).
PLI also covers you against unforeseen circumstances, such as product faults your quality control system couldn't trace. However, if you simply make an inferior product, you may be unable to make a claim, or even get insurance. Bad workmanship is not covered either.
Before issuing a policy your insurer will want to know that your:
manufacturing or services are conducted according to industry best practice
staff are adequately trained
equipment and systems are appropriate, up to date and well maintained
How much cover to take out
Most businesses have cover of between £1 million and £5 million. The norm is £2 million.
To reduce your premiums, implement quality control measures. This ensures lower premiums, reduces the risk of compensation claims and helps protect your reputation in the marketplace.
Types of Small Business Insurance
Professional Liability Insurance (Errors and Omissions, E&O)
Professional Liability insurance, also referred to as Errors and Omissions insurance or E&O, is insurance to protect you and your company in the event a client alleges they have suffered a financial loss as a result of an error or an omission committed by you in the delivery of your professional services. This coverage is separate from a General Liability (GL) policy which would cover you mainly for bodily injury or property damage liability.




Workers' Compensation Insurance



Workers Compensation insurance provides medical and disability coverage for your company employees in the event of a work related illness or injury. The employers' liability portion of most Workers' Compensation policies protects your company in the event that an employee files suit claiming that your company's negligence was the cause of the work related illness or injury. Workers' Compensation insurance is required in many states.




Business Liability Insurance Package Policy



Often referred to as a Business Owners Policy (BOP), a General Liability package policy protects your company in the event that a client is injured on your premises or if you or one of your employees injures someone or damages property at a client's location. The General Liability coverage on a business liability insurance policy also meets your landlord's requirement that you carry business premises liability insurance.




Umbrella Liability Insurance



An Umbrella Liability (more accurately Excess Liability) provides coverage for claims that exceed the amount of coverage on your General Liability policy and may also add coverage to your Commercial Auto coverage as well as the Employers' Liability coverage on your Workers' Compensation policy. Coverage is triggered when claims are in excess (thus the name) of the underlying insurance.
For more information on Workers' Compensation insurance, Professional Liability insurance (E&O insurance), General Liability insurance, and Umbrella Liability insurance see our Coverage Review pages.
Product liability insurance

A small Chicago manufacturer of camping tents had his product liability insurance cancelled recently; the premium had been $2,700 annually. The new insurer — who was found after some difficulty — charged a premium of $27,000 for less coverage. That figure exceeded the earnings for six of the nine years that this struggling firm has been in business. The manufacturer employs about 100 persons in the inner city, and their jobs are clearly threatened by this huge new cost.
In Moline, a company which makes emergency and fire alarm signal equipment and employs 35 persons saw its product liability premium jump from $300 in 1974 to $15,000 in 1976. The company reported, "Some cities are requiring a certificate of insurance ... in order to bid on jobs. Big conglomerates have [this], but we cannot provide [it]." The company has had no claims against its product since 1928.
A manufacturer of electronic printed circuit boards with a work force of 15 and a sales volume of $181,000 does not carry product liability insurance. The reason: "If we had to purchase this type of insurance above and beyond our present insurance, such as Workmen's Comp, health, fire and theft, we would not be able to compete with foreign competition; in fact we would lock up the plant and quit."
These cases, taken from the files of the Illinois Manufacturers' Association, illustrate the growing problem of product liability insurance costs. Testimony by the association before the Illinois Insurance Laws Study Commission in February 1977 revealed that manufacturers in the state are worried about the impact of these costs on profits and prices. Dozens of industrial concerns, particularly small companies, are threatened with extinction because of soaring insurance costs or lack of adequate insurance. The problem is so serious that some firms are operating without product liability insurance because the premiums are too high or they cannot get the coverage at any price.
Product liability relates to the legal responsibility of one who makes or sells a product to compensate a user, consumer or others who suffer injury or damage as a result of the use of the product. Generally, small and medium-size businesses purchase product liability insurance as part of their general liability coverage. Large firms are self-insurers for small product claims and may buy insurance as part of an umbrella policy to provide for catastrophic loss.
The problem
How big is the product liability problem? According to a November 1977 report by the federal Interagency Task Force on Product Liability, the problem has not yet reached the crisis proportions of the medical malpractice issue a few years ago. Product liability insurance costs have risen sharply since 1974, but most manufacturers can still get insurance. However, the higher rates have hit small businesses hard, particularly makers of products in which there is a risk of personal injury. The Illinois Manufacturers' Association reports that manufacturers of machine tools and other kinds of capital equipment are having trouble, as well as makers of pharmaceuticals, hard tools and sporting goods. Even those who make simple products with no moving parts, such as hammers and ladders, have been much affected.
While giants like General Motors can devote millions of dollars to safe product manufacture and design and have the capacity to self-insure all but the most catastrophic risks, a smaller firm may not be able to spend such large sums. It must rely heavily on product liability insurance to protect its assets. Since firms with less than 20 employees make up the majority of the more than 300,000 manufacturing establishments operating in the U.S., their product liability problems can have considerable economic impact.
In addition, the federal task force found that while the average cost of product liability insurance is less than 1 per cent of sales in most of the industries studied, it was as high as 10 per cent in some. And the consumer at the end of the line may be paying more than 1 per cent because retailers and distributors must also purchase product liability insurance and pass the costs along.
Product liability costs cannot be blamed as "the sole and direct" cause of numerous business failures, the task force said. But it did find these costs to be one of several reasons why small businesses in high risk lines go under. And firms that are now doing without insurance may not be able to withstand a large product liability judgment in the future.
PHILLIP M. ROWELL: Legislative analyst for the Illinois House Democratic staff, he has done extensive research on product liability.
6/July 1978/Illinois Issues
One of the causes of this budding crisis is a sharp increase in the number of product liability claims filed. Not too long ago, product liability coverage was a profitable, though small line of business for insurance companies. The courts, by and large, acted within the constraints of readily definable causes of action such as negligence and breach of warranty. However, in the 1960's new attitudes and values began to emerge which gave rise to a wave of demands for greater consumer protection. These demands, championed by a number of consumer activists, gained wide support in the news media, the courts, the legislatures and enforcement agencies. The attention given to consumer protection heightened the public's awareness of the possibility of recovering for damages. The result was a new breed of claim-conscious consumers.
Consumerism
The impact of consumerism is evidenced in today's federal consumer protection legislation. In 1967, the National Commission on Product Safety was established and resulted in the Consumer Product Safety Act of 1972 which covers products for use in households, schools, recreation or for personal use or consumption. Also in 1972, the Occupational Safety and Health Act was enacted. It is concerned with safety of premises, tools and equipment for the protection of employees.
Another cause of burgeoning product liability suits is the nation's rapidly expanding economy. New products enter the stream of commerce each year, many of them complex and technologically sophisticated. Consumers have high expectations for the performance of these products as well as those already in use.
And, it cannot be denied that there is a safety problem. Many injuries at home and at work are related to faulty products. National Safety Council statistics show that in 1975 there were 21.4 million product-related injuries in the home including 110,000 permanent disabilities and 25,000 deaths. The estimated loss to the U.S. economy was $6 billion. In America's work places, the council estimates that there were 8.7 million product-related injuries in 1975 with 2,200 disabling injuries and 12,600 deaths for a total economic loss, both at home and at work, of $16 billion.
The new wave of consumer awareness and legislation has helped to focus the attention of manufacturers on the need for increased safety in design, improvements in quality control and inspection, and proper instructions and warnings to potential users. The insurance industry has stressed that manufacturers must do everything they can to produce the safest possible products. However, because of interpretations of the law, the insurance industry feels that efforts to improve product safety could even backfire against a manufacturer. For instance, modifications to improve the safety of a product have been used as evidence in court that the product was not originally as safe as it could have been. The result is a growing conflict between the insurance industry and the judicial system.
In Illinois, the law of product liability has been expanding at a rapid rate since 1965 when the Illinois Supreme Court handed down the landmark decision Suvada v. White Motor Co. The Suvada decision was the culmination of a trend toward a broader definition of tort liability for faulty products. "Tort" is a wrongful act, not involving a crime or a breach of contract, for which one can be held responsible for civil damages. (For details on the Suvada decision, see box, p. .)
The causes of the product liability problem are unsafe products, uncertainties with personal injury litigation and industry ratemaking practices
Since Suvada, producers of consumer products have found themselves in court as defendants to claims based on legal theories unknown to them. And, consumers who are injured by defective products are finding that they no longer have to bear the burden of rising medical expenses and loss of income. Not surprisingly, they are filing more lawsuits against the producers of defective products.
With the litigation system wide open, it isn't just the producers who are getting sued. Illinois wholesalers and distributors have also been involved in an increasing number of product liability claims and have found their insurance premiums going up or — in extreme cases — disappearing altogether with the termination of coverage. Although these firms have nothing to do with the design, manufacture or maintenance of the products they sell, they have been held liable for injuries to workers using those products. Even if the suits are dismissed, there is still the expense of preparing a legal case.

Product Liability Insurance in India

Basics of Legal Liability

Liability arises from a civil wrong or breach of personal duty imposed by law on a person and owed to his/her fellow citizens. In some countries legal rights and duties are framed in a Civil Code. In others they are not codified but drawn from the precedent of decisions handed down in the courts over the centuries; this is known as "Common Law".

Products Liability

Products Liability insurance indemnifies the seller or supplier (including manufacturer, wholesaler, etc.) of goods in respect of liabilities that may arise from the product after it has left their immediate control. Some common general exceptions under these policies are:
- Liability to employees
- Liability assumed by the insured under agreement
- Liability for personal injury/bodily injury/property loss due to gradual seepage, pollution or contamination, and the cost of removing seeping, polluting or contaminating substances (accidental pollution, however, can be covered)
- Fines or penalties, exemplary or punitive damages
- Damage directly or indirectly caused by or arising out of the use of asbestos
Other Policies of Interest

Workmen Compensation

This policy provides cover to employees who sustain personal injury by accident or disease in the course of employment in the business.


The PLI premium for a company (if ISO 9001 certified) is only 0.5% of your annual sales turnover for claims in India. The maximum claim settlement is Rs 1 crore.

The insurance premium is 2.5% if you want coverage in Germany.

Saturday, February 16, 2008

Need for BCM
The Asia-Pacific region experiences nearly 60 per cent of the world's natural disasters. India, on account of its geographical position, climate and geological setting, is the worst-affected. The country is regularly faced with drought, floods, earthquakes, cyclones and more recently, the tsunami.
The tsunami which struck the Indian sub-continent in December 2004 caused damage to assets estimated at about $575 million and productivity losses of about $450 million. Overall rehabilitation and reconstruction needs in the four mainland tsunami-affected states and territories of India are to the tune of US$1.2 billion, according to a Damage and Needs Assessment Report prepared jointly by the World Bank, Asian Development Bank and United Nations at the request of the Government of India.
The earthquake that struck western and central Gujarat on January 26, 2001 caused enormous loss of life and near total destruction of physical assets, affecting around 20 million people. The state was totally unprepared for the disaster.

What is the worst thing that can happen to your organization? How will you deal with it? If there is even a slight chance that it could happen, assume that it will. What are you going to do about it? How prepared are you to handle a large scale emergency? These are some of the questions you need to address.

BS 25999-2:2007 "Specification for business continuity management".

BS 25999-2:2007 is the companion standard to BS 25999-1:2006, the code of practice for business continuity management. BS 25999-2 specifies requirements for establishing, implementing, operating, monitoring, reviewing, exercising and improving a business continuity management system and, if required, for achieving certification that the business continuity capability is appropriate for the size and complexity of the organisation. The requirements specified are generic and intended to be applicable to all organisations. The specification can be used by internal and external parties to assess an organisation's ability to meet its stakeholders' business continuity needs.

7799.com offers a range of services to organisations implementing a business continuity management system, including training, development and implementation of a BCM system, and risk based auditing. Our Risk Assessment and Risk Treatment software exceeds the requirements for risk assessment required by BS 25999-2.

Wednesday, December 26, 2007

Banks and BCM

go here

BS 25999

go here

Draft version of BS 25999-1 now available for download
The British Standards Institution has published the draft version of BS 25999-1, Code of Practice for Business Continuity Management, on its website.
BSI is now seeking comments from business continuity professionals on the proposed new standard and the deadline for submissions is 31st August 2006.


Visit http://www.bsi-global.com/Risk/BusinessContinuity/bs25999.xalter to download a free draft-for-comment version of BS 25999-1 and to find out how to send your comments to BSI.


BS25999 and other standards
Various standards and legislation relate to business continuity management; this page gives an overview of the main ones.

BS 25999-1:2006 replaces PAS 56, which has now been withdrawn

BS 25999

BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a Publicly Available Specification published in 2003 on the same subject.



Making sense of BS 25999
What are the key features of the new British Standard for business continuity management and why should organisations consider adopting it? Ron Miller investigates.

Of all of the disciplines for maintaining information availability - security, infrastructure, managed IT and the like - perhaps the best known, but least understood, is business continuity management (BCM).

This is partly because actually putting your finger on what BCM involves has historically been a very subjective business. A BCM process could include anything from disaster recovery tactics to more proactive planning and response. There are also many different views on the importance of technology planning versus employee considerations and physical workspace. The need to create a recognisable benchmark for BCM, providing peace of mind for customers, partners and suppliers alike, for organisations of every size, was the driving force behind the first ever British Standard for BCM, BS 25999.

For the first time, the standard lays down a hard and fast definition and describes each of the elements that constitute it. Despite the growing focus on BC due to high profile incidents such as Buncefield and July 7, the standard marks a historic change in the way that British firms need to plan and operate.

Finalised by BSI at the end of October 2006, part one of BS 25999 (part two is due in 2007) defines BC as follows: 'A strategic and tactical capability of the organisation to plan for and respond to incidents and business interruptions in order to continue business operations at an acceptable pre-defined level.'

Elsewhere the standard makes it clear that a BCM programme must be 'supported by top management'. The definition - and indeed the stipulations of the standard itself - do not break much new ground, but the fact that it will eventually enable organisations to apply for BSI 'kitemarks' to demonstrate compliance, does.

The parts in italics are of particular interest. BCM practitioners must show they have buy-in from the highest levels of management, and prove that their plans are consistently in line with business operations.

A new BC standard for all

Whilst BS 25999's predecessor, PAS 56, was criticised for being too 'corporate' in its approach and not having sufficient relevance to small businesses or the public sector, the new standard has much greater 'scalability'.

This is an important difference, since small businesses make up 99 per cent of all businesses in the UK, yet according to industry studies less than half of them have a plan in place should a disaster strike. In addition, no two businesses are the same, so every individual company must assess every element of its business to identify risks and weaknesses. Only then can tailored BCM processes be developed. What classifies as a disaster for one company can be very different for another. If a small accountancy firm fails to back up its data, and has no plans for keeping that data secure in the event of a fire, it could be taken to court for failure to comply with one of the plethora of data storage regulations affecting financial organisations.

If a fashion website crashes because of an IT failure, it will lose not only the custom it would normally receive for that time period, but also new potential customers, and its reputation with existing customers. Recent research from the CBI shows that, despite the fact that 60 per cent of medium-sized firms currently use the internet in their supply chains, less than half have security to cope with online attacks or have backup plans in place. Disasters can and will happen - SunGard Availability Services responds to an average of three invocations (disasters) every two weeks helping our customers avoid unnecessary or prolonged downtime.

BS 25999 applies the BC lifecycle laid down in PAS 56 as the bedrock for BCM in every organisation. To be compliant, organisations will need to demonstrate they have analysed their operations in line with the lifecycle - even if they don't actually adopt the relevant measures. However, small businesses shouldn't look upon BCM as a compliance headache or 'yet another red tape exercise', but rather take the opportunity to review workflow and productivity, alongside departmental and organisational efficiency to help gain competitive advantage in the ever-increasing competitive business landscape.

Companies that get their BCM and information availability strategies right will have much to gain - SunGard recently found that one in three customers would simply go elsewhere to find products and services that aren't immediately available, whilst only seven per cent of shoppers would wait for products to be restocked. As many companies find out the hard way, solid planning can be the difference between loss of profits, operations, customers or growing a business in the face of adversity. BS 25999 can make this success happen.

Is your company the weakest link in the supply chain? BS 25999 looks set to spur on great advances for the continuity of supply chains. The rapid growth of e-business and increased automation through all business processes, whether it's order processing or communication chains, has placed an enormous burden on IT systems. Companies need to understand that it's not only their own BCM systems that are under the microscope, but also the BC plan of every company in their broader supply and service chain.

A good illustration is the retail sector, where any glitch in a supply chain can mean severe consequences for a retailer as just-in-time deliveries and low in-store stock levels have become the norm. For example, in 2004 a major UK retailer experienced problems with its warehousing and delivery operations. A raft of new automated warehouses - built as part of a £multi-billion investment programme in the retailer's supply chain, IT systems and infrastructure - failed to function properly.

This led to huge disruption to the supply chain and, subsequently, the business itself. The supply chain became clogged and goods were delivered to stores at the wrong time. Staff were deployed in the wrong places at the wrong times, meaning that stock languished in the storeroom or delivery yard rather than on the shelves. Managers were ordering stock 48 hours in advance, fearful that the automated warehouses would not deliver what they wanted on time. The effects of this mess went all the way to the board. Senior figures were forced to resign as their previous promises to shareholders to transform the business went up in flames.

In that year, the company wrote off £260m against ineffective supply chain equipment and ineffective IT systems. However, even worse than the financial loss was the damage the episode caused to the company's reputation and brand, which it is still fighting to recover from to this day.

Getting 'the board' on board

The BCM lifecycle of BS 25999 is intended to 'embed BCM in the organisation's culture' as an ongoing process that happens in association with all other phases. In addition, section 4.3 of BS 25999 stipulates that 'The BCM policy should be owned at a high level, e.g. a board director or elected representative'.

Thus, compliance will only be achieved when the entire organisation becomes involved - and most importantly is driven from the boardroom. The most successful BCM begins with the board helping to define scope, and making provisions for regular testing - at least once every year - in order to be certain the process can be implemented in a crisis. Despite the rising number of risks organisations face, many still don't test their plans and processes regularly, if at all. If your employees have to scramble to find the continuity plan in the face of adversity, it's already too late, and the time and effort spent planning will be wasted. Once plans are in place and tested they must be regularly reviewed and updated.

BS 25999 introduces the requirement for planners to understand and reflect business operations, and raises the issue of keeping plans up-to-date. The BCM lifecycle (see Figure 1) helps organisations embed a continuous culture of BCM to ensure that processes, policies and procedures accurately reflect the always changing risk environment.

Figure 1: BS 25999 Business Continuity Management Lifecycle

Keep it simple

Finally, a word about complexity - or avoiding it. It's no accident that the entire text of BS 25999 runs to less than 50 pages: the Standards Committee went to great lengths to keep the document concise, relevant and practical.

The same could be said of any BC plan: 250 pages of elaborate analysis will be useless if your IT systems have failed and you have hundreds of frustrated end-users beating a path to your door! As it was developed in close collaboration with industry - from businesses, to BC experts, to policymakers - BS 25999 is by any measure the definitive guide to BCM. The processes behind it, and the resulting documentation, require careful consideration and detailed analysis to make it a practical business success.

The author: Ron Miller is a managing consultant with SunGard Availability Services.


References
1. Henley Management College Report, Out-of-Business As Usual?, for AXA (September 2005).
2. YouGov, on behalf of SunGard Availability Services, carried out the survey during November 2005, with respondents drawn from a cross section of demographic groups and ages. 2,342 people were interviewed through an online omnibus survey.
(ITadviser, Issue 48, March/April 2007)

BUSINESS CONTINUITY CONFERENCE

20th September 2007, Manchester
The National Computing Centre has put together a one-day conference to look at business continuity: something that hopefully, as a business, you will never have to encounter, but what if the worst does happen? Are you confident that your business can handle any disaster that comes your way?


This conference will cover the issues associated with Business Continuity through case study approaches and will provide best practice advice from practitioners and professionals within the field.

Wednesday, October 24, 2007

Business continuity guides

Download the following PDFs, each of which gives an overview of a variety of guides to business continuity management.
Australia Japan UK USA
LINKS: After years of departmental collaboration and development, the Government of Saskatchewan Business Continuity Guide has been approved for release.
Guidelines for BCM implementation in the banking sector: Association of Italian Banks

Sunday, September 30, 2007

Terrorism

There is no getting away from it: one way or another all our businesses are vulnerable to risk, whether from an act of terrorism, unusual weather conditions, unreliable service providers or thoughtless or careless employees. Our work can be brought to a standstill, our clients disappointed and at worst we lose income and reputation. Forget the headline events. As has been pointed out before, it is the simple things that tend to go wrong: 90% of all catastrophes are “quiet catastrophes”, for example failures in heating causing staff to walk out, or air conditioning faults leading to computer crashes.

the whole picture
go here

FAQ's

go here


Emergency Planning

go here

the salient points

go here

Introduction

BS 25999 Business Continuity Management
Risk and business continuity management is, without doubt, due diligence. Planning for crisis or disaster is an aspect of management that can only be short-changed at your peril. However, it is a complex science, and not a five minute job.

There are of course a range of tools to assist and to help create process. However, until relatively recently, there has been little effort to create a generally accepted framework.
PAS 56

The BCI, in conjunction with the BSI, originally published a guide which established the process, principles and terminology of BCM. Specifically, PAS 56 described the activities in and 'outcomes' of establishing a business continuity management process, and provided a series of recommendations for good practice.

It provided a generic management framework for incident anticipation and response, as well as describing evaluation techniques and criteria. It was produced through the British Standards Institution. The sponsors were the BCI and Insight Consulting, although a number of other organizations were consulted during the development, including Sainsbury's, EDS, The Post Office and the OGC.

The Emergence of BS25999
In November 2006 an official standard was published to replace PAS 56. This was BS 25999-1. It was produced through the British Standards Institution (Subcommittee BCM/1/-/2), which comprised representatives from a number of organizations and industry bodies. Others were additionally consulted during the development.

Is It A Standard?
Yes. In fact BS 25999 will actually embrace two standards: BS 25999-1 and BS 25999-2. The former is a code of practice (which is the document based upon PAS 56, as described above) and the latter is a specification, which is yet to be published.

It is also important to understand that a standard does not purport to include all the necessary provisions of a contract.

So What Is It For?
It is intended to provide assistance to the person responsible for implementing business continuity management within an organization. It describes a framework and process for the Business Continuity Manager to use and offers a range of good practice recommendations.
WHAT NEXT?

Hopefully this website can offer some instruction and background. Please feel free to browse the pages above. A copy of BS 25999 itself can be obtained from SD's: BS25999 Download Site. Alternatively, it is included in the BS25999 Starter Kit.
