Business Continuity Management - CIMA


MANAGEMENT ACCOUNTING GUIDELINE
STRATEGY | MEASUREMENT | MANAGEMENT

Business Continuity Management
By Eric Krell
Published by:

NOTICE TO READERS

The material contained in the Management Accounting Guideline Business Continuity Management is designed to provide illustrative information with respect to the subject matter covered. It does not establish standards or preferred practices. This material has not been considered or acted upon by any senior technical committees or the board of directors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinion or position of either the AICPA or the Society of Management Accountants of Canada.

Business Continuity Management
By Eric Krell
Published by The Society of Management Accountants of Canada and The American Institute of Certified Public Accountants

Copyright 2006 by the Society of Management Accountants of Canada (CMA-Canada). All rights reserved. Reproduced by arrangement with CMA-Canada. For information about the procedure for requesting permission to make copies of any part of this work, please Permissions Request Form for e-mailing requests and information on fees are available there by clicking on the copyright notice at the foot of the AICPA homepage.

1 2 3 4 5 6 7 8 9 0 PP 0 9 8 7 6
ISBN 0-87051-622-1

CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
DEFINITION AND SCOPE OF BUSINESS CONTINUITY MANAGEMENT (BCM)
DRIVERS OF BUSINESS CONTINUITY MANAGEMENT
ROLES AND RESPONSIBILITIES
DEVELOPING EFFECTIVE BCM CAPABILITIES
ADDITIONAL INSIGHTS TO HELP READERS TAILOR BCM TO THEIR ORGANIZATIONS
SOFTWARE APPLICATIONS CAN HELP SUPPORT BCM PROCESSES
BCM IN ACTION: EXAMPLES OF “GOOD” PRACTICES
CONCLUSION
BIBLIOGRAPHY
SUGGESTED READING
APPENDIX 1: BCM-RELATED REGULATIONS AND GUIDELINES
APPENDIX 2: IT - HIGHLY DETAILED DATA CLASSIFICATION
APPENDIX 3: BCM SOFTWARE USAGE SURVEY
APPENDIX 4: RESPONDING TO A BLACKOUT

EXECUTIVE SUMMARY

In the 21st Century, organizations that fail to define and implement effective responses to disasters will be defined by their ineffective responses to disasters. Among leading companies, an IT-centric approach to disaster recovery is giving way to business continuity management (BCM). BCM capabilities enable organizations to restore their businesses to normal operations following business interruptions, which range from a simple power outage to a Category 4 hurricane. The finance and accounting managers — along with the senior-level executives, functional and operational managers and corporate directors — who read this guideline will learn how to define BCM and its essentials and processes; identify the BCM-related roles of corporate managers and directors; work through a BCM framework for developing and maintaining effective business continuity management processes; and see examples of leading BCM capabilities in practice.

INTRODUCTION

Ten months elapsed between the conception of this Management Accounting Guideline (MAG) and its completion. During that time, the crucial importance of business continuity management (BCM) capabilities has been driven home, repeatedly and painfully, on a global scale. The terrorist attacks of Sept. 11, 2001, served as a gruesome wakeup call to North American corporate managers responsible for preparing their organizations to respond to disasters. The December 2004 Indian Ocean tsunami, the July 7, 2005, terrorist attacks on London’s subway system and Hurricane Katrina’s and Hurricane Rita’s disastrous effects on large swaths of the U.S. Gulf Coast in August and September 2005 offer proof that both public and private BCM capabilities have a long way to go.

The frequency of man-made and natural disasters has increased in recent years. The nature of disasters has also changed: who could have imagined five years ago that civilian passenger airplanes would be used as a weapon of war? More important, the impacts of disasters on companies have greatly increased and intensified thanks to technological advances, progressing globalization and the extension of the supply chain. Companies of all sizes are “connected” to their suppliers and customers to a much greater degree today than ever before. When a disaster occurs, its effects quickly ripple up and down the supply chain.

As a result, management teams and corporate boards face much more pressure to make their organizations more resilient when disasters, ranging from simple power outages to Category 4 hurricanes to synchronized suicide bombings, strike. To date, however, the corporate BCM capabilities necessary to establish that resiliency generally have ranged from absent to insufficient. This deficiency has a high cost: a University of Minnesota study finds that 93 percent of companies that lose critical systems for more than 10 days quickly file for bankruptcy; another study finds that 90 percent of organizations that experience a “catastrophic loss of data and equipment” without a business continuity plan in place go out of business within 24 months of the loss (Kahan, 2005).

The 9/11 Commission’s exhaustive investigative research concludes that the Sept. 11, 2001, terrorist attacks revealed failures in imagination, policy, capabilities and management. The purpose of this guideline is to help organizations address and prevent those failures while providing finance and accounting managers with a foundation on which to further develop their BCM thinking, strategy and processes.

The purpose of this Management Accounting Guideline is not to fear monger (a tactic practiced by some BCM service providers that should be recognized and disregarded), but to help finance and accounting professionals enable their organizations to make the most effective and cost-efficient investment in the BCM capabilities that best meet the needs of the business.

The specific objectives of this guideline are as follows:

• To define business continuity management as a corporate capability and to identify its essential components and processes;
• To identify the drivers that make BCM a vital corporate and management competency in the 21st Century;
• To establish and define the roles and responsibilities that corporate managers and boards fulfill in developing effective BCM practices;
• To present a step-by-step framework for developing and maintaining effective business continuity management processes;
• To provide an overview of the software applications available to support BCM planning and execution processes;
• To present examples of sound business continuity management capabilities in practice.

While the target audience of the guideline is finance and accounting managers, all senior-level executives, functional and operational managers and corporate directors will benefit from its content.

DEFINITION AND SCOPE OF BUSINESS CONTINUITY MANAGEMENT (BCM)

Establishing and maintaining business continuity management processes begins with three steps:

1. Defining business continuity management;
2. Identifying and defining the key components of a viable BCM framework; and
3. Placing BCM in the context of organizational risk management.

BCM Defined

This guideline agrees with the BCM definition put forth by the U.K.-based Business Continuity Institute (BCI): “Business Continuity Management (BCM) is a holistic management process that identifies potential impacts that threaten an organization, and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.” This guideline defines stakeholders as employees, customers, suppliers, investors, and the community or communities in which an organization operates.

Business continuity planning is the process through which organizations establish the capabilities necessary to protect their assets and continue key business processes after a disaster — an unexpected business interruption caused by natural or man-made events — occurs. The following framework (see Exhibit 1) illustrates the components of business continuity planning:

Exhibit 1: Business Continuity Planning (figure; the labels below are the components recovered from the diagram)

• Assessment and Objective Setting
• Critical Process Identification
• Business Impact Analysis: 3rd Party Providers, People, Facilities, Technology, Data
• Continuity Response Approaches: Preparation and Crisis Management (weighed against Value to Business, Customers, Cost to Sustain)
• Monitoring, Testing, Improving

Although the discipline still has a long way to go, organizational business continuity management has evolved significantly over the past two decades. In the past, “disaster recovery” was usually centered in data processing or information technology (IT) departments. These early efforts primarily focused on getting hardware, software and data up and running again after a disruption. These days, it is generally recognized that business continuity planning efforts require a cross-company perspective and therefore should not be limited to the IT department. That said, many effective continuity tactics have emerged from disaster recovery efforts that arose in the IT function during the past decade. For example, many of the same principles that apply to data and systems backup also apply to facilities management and backup.

More recently, disaster recovery has expanded into “business continuity planning,” a phrase that was primarily used to emphasize the need to move continuity efforts beyond the IT department and weave them throughout the organization. Most recently, the use of terms like “business continuity management” and “business resiliency” have increased, emphasizing the proactive nature of current continuity efforts.

A business continuity plan, as the chart above illustrates, begins with executive-level assessments of an organization’s continuity objectives. That assessment is followed by the identification of the organization’s most important business processes. Then, finance managers and other business managers analyze the critical components of those processes: people, facilities, technology systems and the data the systems contain. The analysis should also consider how an unexpected business interruption might affect suppliers and customers.

The ensuing response processes ensure that all of the components that enable a critical business process are restored within a prudent amount of time. Defining what is prudent demands input from the finance and accounting function because it requires a comprehensive understanding of (a) each process’ value to the business; and (b) the cost of restoring the process within a given amount of time. The resulting plan should then be monitored, tested and, when necessary, adjusted or improved.

BCM and Organizational Risk Management

Key Terms

Business Continuity Management (BCM): Management’s capability to identify potential impacts that threaten an organization and to provide a framework for building resilience and an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Stakeholders include employees, customers, suppliers, investors, and the community or communities in which an organization operates.

Business Continuity Planning (BCP): The process through which an organization establishes and maintains business continuity management capabilities. This process includes assessments and objective setting, critical process identification, business impact analysis, and continuity response strategies, as well as monitoring, testing and improving these areas.

Disaster Recovery Planning: Often used as a synonym for BCP, but also a term associated more with IT-related responses to business interruptions.

Business Impact Analysis: The process of identifying how a specific business process, or set of business processes, would likely be affected by an unexpected interruption.

Crisis Management: A term that refers to the processes enacted after a business interruption has occurred to limit the negative effects of the interruption while returning the business to normal operating mode as effectively and efficiently as possible.

(continued)

Business continuity management is a subset of companywide or enterprise risk management (a topic addressed in the Management Accounting Guideline “Identifying, Measuring, and Managing Organizational Risks for Improved Performance.”) BCM’s rising importance and IT-based history have caused internal debates about who owns the BCM function and how BCM relates to a company’s existing risk management efforts. Again, business continuity management is a subset of a larger risk management strategy.

The most significant difference between risk management and business continuity management relates to the output of each process. Risk management strategies (either risk avoidance, risk acceptance, or risk mitigation — through risk reduction, risk sharing or transfer of the risk) are “pre-event” responses to perceived risks. Most BCM strategies and tactics focus on the processes that need to take place after an event or disaster occurs; the objectives of those processes are to restore the business to normal operations as efficiently and effectively as possible.

The Business Continuity Institute’s “Good Practice Guidelines (2005)” present a partial, but useful, comparison of the two disciplines; a portion of this comparison follows (see Exhibit 2).

EXHIBIT 2: GOOD PRACTICE GUIDELINES

                    RISK MANAGEMENT                          BUSINESS CONTINUITY MANAGEMENT
Key Method          Risk Analysis                            Business Impact Analysis
Key Parameters      Impact and Probability                   Impact and Time
Type of Incident    All types of events, usually segmented   Events causing significant business interruption

DRIVERS OF BUSINESS CONTINUITY MANAGEMENT

The need for business continuity management capabilities continues to increase due to the following drivers:

1. A rise in the number of natural and man-made business interruptions;
2. The growing impact of business interruptions on organizations due to rising business interconnectivity;
3. The essential obligation to protect, preserve and build value;
4. New regulations and guidelines pertaining to BCM;
5. The business benefits of effective business continuity management; and
6. The generally insufficient quality of existing corporate BCM capabilities.

Driver 1: A Rise in Business Interruptions

The number of terrorist incidents worldwide has escalated since the Sept. 11, 2001 attacks ushered in a new age of man-made disasters. Bombings in Africa, the Middle East, East Asia, London and Madrid have killed thousands. There were 651 “significant terrorist attacks” worldwide in 2004, according to the U.S. State Department. That figure is three times the number of attacks that occurred in 2003 (Danner, 2005).

Driver 2: The Growing Impact of Business Interruptions

Most companies now operate in a more connected business climate. Numerous organizations of all sizes are virtually tethered to a growing number of customers, suppliers and distributors through an extended web of technology systems and processes. That connectivity exacerbates the negative impact of a prolonged business interruption. Not only did large automobile companies lose millions of dollars to production delays when the U.S.-Canadian border was closed and just-in-time inventories dried up in the wake of the Sept. 11, 2001 terrorist attacks, their suppliers and their suppliers’ suppliers also suffered financial setbacks.

Even “normal” disasters, such as hurricanes, power outages, earthquakes and climate change, now inflict abnormal consequences due to the ever-increasing interconnectedness of the global economy. Those consequences are virtually guaranteed to continue. “Earth, by its very nature, is a prolific architect of mayhem and purveyor of calamity,” a recent Popular Science cover story reports. “The only thing we can do to protect ourselves is strive to learn where and when such massive natural disasters will happen — because, rest assured, they will happen” (Behar, 2005).

The Swiss Reinsurance Company publishes an annual report detailing the human and financial tolls of natural catastrophes and man-made disasters, and 2004 was a costly year on both counts, extending what the report describes as a “discernable upward trend.” The catastrophes recorded by Swiss RE caused more than 300,000 deaths worldwide and directly attributable financial losses of more than 123 billion. Property insurers covered 49 billion of that amount.

Driver 3: The Essential Obligation to Protect, Preserve and Build Value

Put simply, ensuring business continuity is one of the top priorities of any company’s senior executive team. Senior management is charged with the duty of building corporate value. To do so, that value must be protected and preserved during periods of uncertainty. Effective business continuity management capabilities allow a company to return to the status quo as quickly and as cost-effectively as possible.

Driver 4: New Rules and Regulations

The fact that insurance covered only 40 percent of catastrophe and disaster costs reflects another compelling driver of business continuity management, which is why the growing number of new industry guidelines, organizational rules and government regulations on business continuity management represents, in most cases, a positive development.

On April 7, 2004, the U.S. Securities and Exchange Commission (SEC) approved New York Stock Exchange (NYSE) Rule 446, “Business Continuity and Contingency Plans.” The new rule illustrates the degree to which new laws, rules and guidelines are driving the need for stronger business continuity management capabilities at a growing number of North American companies.

NYSE Rule 446 requires NYSE members and member organizations to establish and maintain business continuity plans. Those plans must “be reasonably designed to enable [the member organization] to meet its existing obligations to customers, and address the existing relationships with other broker-dealers.” The plans must be reviewed at least annually and “updated whenever there is a material change in a firm’s operation, structure, business, or location that affects the information set forth in the BCP.”

The adjective “material” calls to mind the Sarbanes-Oxley Act of 2002, the sweeping law that affects all companies that are publicly listed on exchanges in the United States. Although the Sarbanes-Oxley Act does not mandate public companies to establish and maintain business continuity plans, many of the law’s principal objectives point to the need for effective business continuity management capabilities.

Indeed, some external auditors are reviewing their clients’ business continuity processes in the post-Sarbanes era. These requests make sense, according to a leading risk management firm: “for SOA compliance, it is prudent to consider business continuity issues as well. An important aspect of managing a company’s overall risk, including its continuation as a going concern, is its ability to effectively address business continuity and disaster recovery, particularly with respect to those business processes that are critical to the successful achievement of the company’s business objectives. A company’s processes, systems, and controls must make available all material information needed for fair presentation and disclosure in its SEC reports, including the update of accounting estimates with current and reliable information. On a more strategic scale, an organization’s business continuity methodology and approach must be agreed to by management as the foundation for mitigating financial and reputation risk posed by business interruption.” (Benvenuto and Zawada, 2004).

In the United Kingdom, Publicly Available Specification (PAS) 56 provides a guide to “Business Continuity Management.” The specification is sponsored by the Business Continuity Institute, which offers the discipline’s most widely respected certification, the Fellow of Business Continuity Institute or FBCI. PAS 56 will form the basis of a “British Standard for Business Continuity Management.” Some experts note that PAS 56 could eventua
