Business Continuity from Preparedness to Recovery
A Standards-Based Approach
Copyright
Acquiring Editor: Sara Scott
Editorial Project Manager: Marisa LaFleur
Project Manager: Punithavathy Govindaradjane
Designer: Mark Rogers
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
Copyright © 2015 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
ISBN: 978-0-12-420063-0
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalogue record for this book is available from the Library of Congress
For information on all Butterworth-Heinemann publications visit our website at http://store.elsevier.com/
Preface
I remember as a child in Kindergarten climbing up the stairs to the slide in the playground when a 3.75 magnitude earthquake struck very close to the area of my school in Daly City, CA. Daly City was the closest town to the epicenter of the 1906 San Francisco earthquake. The teachers in the playground were yelling "What was that, what was that?" I do not know why at that age I knew it was an earthquake, but thought the teachers were pretty dumb for not recognizing the cause of the ground moving beneath their feet. An earthquake of that size, depending on the type and soil conditions, is noticeable, especially if close to the epicenter, but not enough to start pulling out your cache of emergency provisions.
In the days prior to the earthquake, my mother would walk with me to and from school, but on that day she started a new job and I was to make the trek solo. Just two blocks from home after Kindergarten let out for the day, the strongest earthquake to hit the Bay Area since 1906 registered 5.3 on the Richter scale. I was all alone. I could see the street turn into rolling waves coming toward me. I tried to run but remember going nowhere. I could not stand and fell down. Above the noise generated by the earth movement, my grandmother at home could hear me screaming a city block away. I was so traumatized, I did not return to school for the remainder of the term. I can honestly say that I flunked Kindergarten.
My interest in natural phenomena is likely an outgrowth of my early years. Educating and protecting people from the harm they can cause and helping organizations become resilient in the face of disasters so the economies that support the workers remain intact seems like the right thing to do.
As the former librarian for a major business continuity professional organization, I was amazed that the great majority of the books I reviewed did not give the reader a road map to put together an effective holistic business continuity program. My interests in emergency management, emergency response, data systems, and business management gave me, I believe, a unique perspective that was missed by most authors. When I was asked to write a book solely dedicated to business continuity, I struggled with the dilemma of what I could do that was different from my first book and different from the hundreds of other books on the same subject. The competing standards have value to the profession, but there are few publications on the market that adequately explain what is required in a manner that does not cause a great deal of confusion. I hope this publication cuts through the confusion and leads the Business Continuity Manager to a path that produces an effective management system that will hold up to the standards. Bear in mind that my intent is NOT to say "Here is how you get certified under the standards." If you are looking for certification, buy a copy of the standards. My intent is to show how to develop a program (management system) built under the standards that will help ensure resilience when a disaster happens.
The standards are intended to tell you what you need for an auditable program but not how to develop and manage the program. The purpose of this publication is to allow the reader to design and implement an effective Business Continuity Management System according to the ISO 22301 Societal security – Business continuity management systems standard, the ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems standard, and to the NFPA 1600:2010 and 2013 Standard on Disaster/Emergency Management and Business Continuity Programs. It draws on many of the related ISO standards that include The Risk Management Standard and the Internal Auditing Guidance. While I have included information on all three standards, I have emphasized the ISO standard. When I refer to a standard in the text without qualification (i.e., ASIS or NFPA), I am referring to ISO 22301.
For my own use, and in preparation for this publication, I have attended a number of presentations, classes, and webinars and have sifted through piles of literature on the implementation of the standards. I have seen and heard a lot of confusion and misinformation about what to do with the Plan, Do, Check, Act of the Deming Cycle. At almost every class or webinar I attend, I make it a point to ask how business continuity managers are to incorporate PDCA into their planning and into their plans. I ask this in part to gauge the presenter's knowledge of the standards. The answers I got were all over the spectrum: "It is not needed at all" to "Forget everything before Clause 4" to "The plan must be organized along the lines of PDCA and of the clauses in the standard." This reminds me of a number of years ago when the focus was on planning according to the Incident Command System (ICS). It seemed that none of the seminar presenters knew much about ICS or how to apply it to business continuity. Similarly, the presenters on the standards know a lot about business continuity (most seem to be salespeople though) but fewer understand the standards or management systems in general.