The Basics of ISO 31000 – Risk Management
January 19, 2011 by Glen Bricker
After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk management released ISO 31000:2009, Risk Management – Principles and Guidelines, in November 2009. The authors designed the standard to be applicable to any organization and any type of risk, but, unlike the familiar ISO quality standards, ISO 31000 is a guidance document and is not certifiable.
For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard. For those unfamiliar with the AS/NZS standard, or those unfamiliar with a formal, structured risk management process, the remainder of this article will discuss the structure and key elements of ISO 31000.
The Death of All Hazards Planning?
December 20, 2010 by Christopher Burton
The time has come for business continuity to evolve beyond the idea of “all hazards” planning and deal directly with the core causes of business interruptions. This article details an approach that takes everything you loved about all hazards planning and enhances it with detailed procedures focused on the resources that your organization cares about most.
BP: Ushering in a Risk Conscious World
September 30, 2010 by Ross Ladley
In the time following the Macondo (BP) well blowout, the world watched a true disaster unfold. As the days turned into weeks, then weeks into months, and even after BP finally stopped the flow of oil into the gulf, disgust remains on the minds of many because of one simple fact: the disaster appears – by most accounts – to have been totally preventable.
The Intersection of Business Continuity and Data Breach Preparedness
August 13, 2010 by Brian Zawada
The assertion that data breach prevention and preparedness is strictly an information technology security issue could not be further from the truth. Proper planning for, and response to, a data breach requires a multi-faceted approach, with participation from diverse parts of the organization. Although the IT security department may be the obvious choice to lead the development of data breach incident planning, business continuity professionals possess an array of preparedness approaches, processes, skills, information and relationships that can contribute to an appropriate level of readiness to respond to this type of crisis. Furthermore, as business continuity professionals continue to seek new areas in which they can add value, data breach planning is an excellent opportunity.
This article presents the business case as to why business continuity professionals need to learn about this unique threat and how they can add value to the planning effort.
Plan Do Check Act (PDCA) – How it Applies To Business Continuity
June 30, 2010 by Jacque Rupert
The business continuity industry has heard a lot about Plan, Do, Check, Act (PDCA) recently. Nearly every emerging standard follows this approach, from BS 25999 and NFPA 1600 (2010 edition) to the new American business continuity standard being developed by ASIS. However, there seems to be a lot of confusion about what PDCA is – and what it means for business continuity. This article breaks down the components of a PDCA approach to business continuity, with a focus on which activities will provide your organization’s program the most value.
Great Ideas: The Top Five Questions to Ask Your Critical Suppliers
April 19, 2010 by Brian Zawada
As Published in the March/April 2010 Issue of Continuity Insights Magazine
It seems as though a growing number of organizations are finally getting around to assessing their critical suppliers’ business continuity capabilities.
The most common approach used to perform this assessment is a survey. Unfortunately, surveys often go unanswered, especially long ones, and in many cases survey questions are written in a way that leaves them open to interpretation.
Considering ever-present time and resource constraints, it is essential that surveys – or even interviews – be streamlined. Here’s how to do just that.
Risk Assessment Purpose and Pitfalls
November 11, 2009 by Ryan Hutton
Fire, flood, swine flu, power loss, severe storms, workplace violence, supplier loss, and a myriad of other events threaten the very existence of organizations large and small. Risk management and business continuity professionals are challenged with addressing these threats through both mitigation and continuity planning. Today’s executive demands an equal focus on proactive risk mitigation, rather than an exclusive focus on reactive response and recovery planning. A proper, value-added risk assessment process brings structure, clarity and focus to the mitigation side of the risk management effort. This article makes the case for executing a risk assessment process and the role it plays in building the foundation of solid risk management, and describes some of the more common risk assessment pitfalls to avoid.
The Dangers Associated With A Template
April 01, 2009 by Brian Zawada
Key Takeaway – Use a template to enable decentralized planning, since it provides structure and consistency as well as an outline of the key concepts to address. However, establish the template as the minimum, and pair it with training that explains how the plan would be used during a disruptive event, so that planners develop quality, detailed content rather than simply filling in blanks.
Managing Expanding Supply Chain Risks
March 02, 2009 by Glen Bricker
As has been confirmed by the events of the last year, risks to an organization can come from any number of often unpredictable sources, and can result in an impact far more serious and long-lasting than anyone would have imagined. Relationships that up to now have been assumed to be secure, from banking relationships to the stability of a country’s financial system, have been called into question.
How Enterprise Risk Management Can Improve Your Credit Rating
October 20, 2008 by Glen Bricker
Recently, Standard & Poor’s announced that it would begin to evaluate the Enterprise Risk Management (ERM) processes of non-financial companies in the third quarter of 2008. S&P also indicated that it would begin to consider ERM program maturity and capability in determining ratings as of the fourth quarter.
Who Should Be On My Business Continuity Steering Committee?
August 05, 2008 by Susan Giffin
When designing or transforming business continuity programs, our consultants are often asked, “Who should participate on our organization’s business continuity steering committee?” While the answer may seem simple and straightforward for some, too often steering committees contain the wrong combination of participants, the wrong “level” of individuals and/or a focus on the wrong objectives.
Proactive versus Reactive – Business Continuity’s Role in Treating Risk, Not Just Reacting to It
March 10, 2008 by Glen Bricker
As our industry evolved, we moved from methodologies based on information technology-focused disaster recovery to more holistic, but still reactive, business continuity. Now, our industry’s rhetoric, and a growing number of its standards, point to more proactive practices, commonly called business resiliency. Still, all of these approaches start from the same point: something bad has happened or will happen.
FFIEC Expands Pandemic Planning Guidance for Financial Institutions
January 23, 2008 by Stacy Gardner
For financial institutions waiting for more formal guidance from the Federal Financial Institutions Examination Council (FFIEC) before planning for a pandemic, the time is here. The FFIEC, an interagency council that prescribes uniform standards for the United States financial industry, recently followed up the industry’s “Interagency Advisory on Influenza Pandemic Preparedness” and NCUA’s “Letter to Credit Unions 06-CU-06 - Influenza Pandemic Preparedness” with new guidance.
Introducing Title IX: Voluntary Certification
January 21, 2008 by The Avalution Team
The “buzz” in the business continuity industry is the enactment of the “Implementing Recommendations of the 9/11 Commission Act of 2007”. Also known as H.R. 1 and Public Law 110-53, this legislation includes a key section on Private Sector Preparedness (Title IX) that directs the development and implementation of a “Voluntary Private Sector Preparedness Accreditation and Certification Program”.
Crisis Communications: Influence How Your Organization is Viewed During an Incident
November 21, 2007 by Stacy Gardner
Confusion, speculation and fear during and after an incident often cause people to overreact. Without reassurance, the human imagination can run wild and assume the worst. As such, one of the most critical aspects of responding to a disaster situation is implementing efficient and effective crisis communications to both reassure stakeholders and minimize reputational damage.
Pandemic Webinar Q&A
October 30, 2007 by The Avalution Team
Avalution Consulting co-owners Brian Zawada and Robert Giffin recently presented a webinar, sponsored by Continuity Insights, titled "Practical Pandemic Planning For Businesses".
Many questions were submitted by the 200 participants, but due to time constraints there was not enough time to answer them all, so the questions and our answers are listed below.
Influencing Cause AND Effect
October 08, 2007 by Brian Zawada
I was recently involved in a conversation with a group of business executives that embarked on a process to develop a business continuity program. During the initial business continuity steering committee, one executive added some thoughts regarding recent “regional” events, such as 9/11, Hurricane Katrina and the 2003 Northeast Blackout. “We couldn’t have seen any of those events coming, no one could. Although we didn’t have plans at the time, how could any business continuity plan have helped? We would have had to improvise regardless.”
Are You 'Done' with Business Continuity?
September 29, 2007 by Brian Zawada
I attended DRJ in September 2007 and had one of those thought-provoking conversations with a conference attendee that stopped by the Avalution vendor exhibit on Sunday night. Actually, she was the first person to stop during the conference. Her perspective on business continuity was particularly thought provoking...
Introducing BS25999
September 07, 2007 by Lucine Ghazarian
British Standard 25999 is a business continuity standard developed by a committee of practitioners chosen by the British Standards Institution (BSI). The standard provides basic guidance and recommendations for a wide range of organizations in need of a business continuity management system (BCMS). Although BS 25999 is not yet certifiable, it is becoming more and more widespread, and is emerging as a leader among business continuity standards due to its easy-to-follow framework and actionable recommendations.
Effectively 'Selling' Business Continuity to Top Management
August 20, 2007 by Chris Stafford
Business continuity is a rapidly growing risk management discipline within most organizations, but in many cases top management does not fully support business continuity efforts, in terms of both resources and program scope. Without this support, a business continuity program cannot grow and thrive. This perspective defines the key methods for increasing management’s interest in formal business continuity processes, how to understand top management’s perspective, the role of culture in business continuity decision-making, and how to ultimately present continuity requirements to management for consideration.
Defining What to Plan For
June 06, 2007 by Susan Yardis
Determining the scope of your business continuity planning efforts, or what events you will plan to recover from, is a key activity that frames your entire business continuity program. However, some organizations hold themselves back by defining assumptions that are either too broad or too narrow. Although this activity is important, it should not be an exhaustive effort that takes time away from more critical tasks such as strategy development and implementation. So, should you plan for a worst-case scenario, or should you have scenario-specific plans? This article answers this key question – NEITHER.
Business Continuity As a Proactive Position
December 29, 2006 by Brian Zawada
There are certain job responsibilities that are common among business continuity professionals everywhere, though these are often influenced by organizational views on risk and approaches to risk management. In addition to administrative tasks such as presentations, budgeting, and human resource-related tasks, the following five responsibilities often fall under the job description of business continuity professionals:
Podcast: The Risk Assessment Executives Are Begging For!
August 13, 2006 by Brian Zawada
Listen to Avalution's Brian Zawada explore the value of a business continuity-oriented risk assessment and its relationship to enterprise-wide risk management and business impact analysis processes. The podcast concludes with an example of how to apply the proposed risk assessment methodology to an emerging threat – the Avian Flu.
The Intersection of BCM and ERM
May 19, 2006 by Brian Zawada
As Business Continuity Management (BCM) programs continue to evolve and mature, Enterprise Risk Management (ERM) processes are just beginning to take hold. The promise of competitive advantage through effective risk management has captured the attention of executive managers worldwide. And with crises capturing headlines every day, more and more executive managers are developing or maturing their business continuity programs. Can BCM jumpstart ERM? Why have both? Brian Zawada explores the drivers for both BCM and ERM, as well as how the two intersect and complement one another.