Supply Chain Security Management (SCSM) and Business ... - ecr-uvt
Supply Chain Management for Efficient Consumer Response Conference
31 May 2012
Valahia University of Targoviste, Romania
SCM 4 ECR
Supply Chain Security Management (SCSM) and Business Continuity Management (BCM)
Virgil Popa
Valahia University of Targoviste
Typical Disruption Framework
© SCM 4 ECR Conference 2013 Virgil Popa
Supply chain disruption
A supply chain disruption is an unintended, untoward situation, which leads to supply chain risk. For the affected firms, it is an exceptional and anomalous situation in comparison to every-day business. Supply chain disruption can materialize from various areas internal and external to a supply chain. Consequently, their nature can be highly divergent.
Supply chain risk
It is defined as the negative deviation from the expected value of a certain performance measure, resulting in negative consequences for the focal firm. Hence, risk is equated with the detriment of a supply chain disruption. The authors explicitly adopt the notion of risk as purely negative as the one that corresponds best to supply chain business reality. As a consequence, they consider neither ‘happy disasters’ nor the situation where managers intentionally ‘gamble’ on risk.
Supply Chain Risk examples
Potential Risks to an Organization and Its Supply Chain
External, End-to-End Risks
• Natural disasters
• Accidents
• Sabotage, terrorism, crime, war
• Political uncertainty
• Labor unavailability
• Market challenges
• Lawsuits
• Technological trends
Supplier Risks
• Physical and regulatory risks
• Production problems
• Financial losses and premiums
• Management risks
• Upstream supply risks
Distribution Risks
• Infrastructure unavailability
• Lack of capacity
• Labor unavailability
• Cargo damage or theft
• Warehouse inadequacies
• IT system inadequacies or failure
• Long, multi-party supply pipelines
Internal Enterprise Risks
• Operational
• Political uncertainty
• Demand variability
• Personnel availability
• Design uncertainty
• Planning failures
• Financial uncertainty
• Facility unavailability
• Testing unavailability
• Enterprise underperformance
• Supplier relationship management
Supply chain risk management framework
How to create a resilient supply chain
Diagram labels (centre: Resilient Supply Chains): Supply Chain Reengineering; Supply Chain understanding; Mapping & critical path analysis; Supply Chain risk register; Supply Chain design principles; Real options thinking; Efficiency vs redundancy; Supply base strategy; Sourcing decisions & criteria; Supplier development; Supply Chain Collaboration; Collaborative planning; Supply Chain intelligence; Agility; Visibility; Velocity & Acceleration; Create a Supply Chain risk management culture; Establish supply chain continuity teams; Board-level responsibility & leadership; Factor risk considerations into decision making.
Resilient company
A resilient company is better able to withstand the unpredictability of global trade, obtaining a competitive advantage by recovering more quickly than its competitors when a catastrophe hits it.
Supply chain collaboration
A high level of collaborative working across supply chains can help significantly to mitigate risk. The challenge is to create the conditions in which collaborative working becomes possible. Traditionally supply chains have been characterized by arm's-length, even adversarial, relationships between the different players. There has not been a history of sharing information either with suppliers or customers. More recently, however, there have been encouraging signs that a greater willingness to work in partnership is emerging in many supply chains. In the fast moving consumer goods (FMCG) industry there is now significant collaboration between manufacturers and retailers in the form of Collaborative Planning, Forecasting and Replenishment (CPFR) initiatives.
Supply Chain Security Management
Security of the supply chain has always been a concern of transport, logistics and manufacturing companies. Concerns about theft, damage and shipment integrity intensify as the value per pound of cargo increases. Add the threat of organized crime, piracy and terrorism, and security of the supply chain becomes critical to business survival.
Security, its demands and constraints, constitute obstacles (logical and physical barriers) in the flow of supply and distribution. These “barriers”, created by a perceived increased need for security or by political reasons, reduce the reaction capacity and the physical and economical performance of the company. Integrating the security dimension into the logistics strategy, organization and operations has become a new challenge for supply chain management.
Protecting and Securing the Supply Chain
Supply chain security is essential from two perspectives:
First, firms need to prevent loss from theft or damage.
Second, they need to prevent unauthorized intrusion into shipments that could enable insertion of contraband (drugs, weapons, bombs, human trafficking, counterfeit goods, etc.), loss of intellectual property or technology contained in the shipments, and tampering (insertion of harmful elements such as poisons or "Trojan horses" in computing goods).
Physical security. Suppliers, shippers, and logistics partners should have physical-security deterrents to prevent unauthorized access to their facilities and all cargo shipments. Such features may include perimeter fencing, controlled entry and exit points, guards or access controls, parking controls, locking devices and key controls, adequate lighting, and alarm systems and video-surveillance cameras.
Access controls. Access controls must prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect firm assets. They should include the positive identification of all employees, visitors, and vendors at all points of entry and use of badges for employees and visitors. Firms should have in place procedures to identify, challenge, and address unauthorized persons.
Personnel security. Enterprises and their partners should screen prospective employees (in ways consistent with local regulations) and verify employment application information prior to employment. This can include background checks on educational and employment background and possible criminal records, with periodic subsequent checks performed for cause or sensitivity of an employee’s position. Firms and their partners should also have procedures in place to remove badges, uniforms, and facility and IT-system access for terminated employees.
Education and training. Firms and their partners should establish and maintain a security-training program to educate and build employee awareness of proper security procedures. Best practices include training on the threat posed by criminals, terrorists, and contraband smugglers at each point in the supply chain as well as on ethical conduct and the avoidance of corruption, fraud, and exploitation.
Procedural security. As noted above, firms and their partners should establish, document, and communicate procedural security measures to employees. Such documentation may include a security manual, published policy, or an employee handbook. Documentation should include procedures for issuing access devices, identifying and challenging unauthorized or unidentified persons, removing access for terminated employees, IT security and standards, reporting of security incidents or suspicious behavior, inspection of containers before packing, and managing access and security to shipping containers. For shipping, such procedures should include security for shipment documentation, shipping and receiving, and packaging.
IT security. IT security measures should ensure automated systems are protected from unauthorized access and that information related to shipment routing and timing is protected. This should include password protection (including periodic changing of passwords) and accountability (including a system to identify any improper access or alteration).
Business-partner security. A supply-chain security program must ensure that any supply chain partner, as well as any further sub-contracted suppliers or logistics service providers, employ practices to ensure the security of all shipments. Any partner used in the manufacturing, packaging, or transportation of shipments must have documented processes for the selection of sub-contractors to ensure they can provide adequate supply-chain security. Suppliers should ensure that any parties handling shipments be knowledgeable of and able to demonstrate through written or electronic communication that they are meeting security guidelines.
Conveyance security. Transportation, particularly drayage (inland truck support), may be the most vulnerable point of the supply chain. Procedures that suppliers and shippers should follow include inspection and sealing of containers (cf. ISO 17712:2010 on sealing containers), storage of containers, and shipment routing through freight forwarders or carriers who are certified in a recognized supply-chain security program or who otherwise demonstrate compliance with a firm’s SCRM guidelines.
By SCSM, we mean enhancing and embedding the traditional security management aspects into holistic management of integrated supply chains, especially within a global context.
SCSM has roots in multiple fields: Supply Chain Management; International Trade, Logistics and Cross-border Operations Management; Supply Chain Resilience Management; Quality Management; Risk Management; Insurance Policies and Instruments; and Customs Policies, Procedures and Reforms.
Since 2001 governments, Customs administrations, international organizations, researchers, and businesses have carried out diverse actions, and delivered different types of reports and articles on the topic. The first pure SCSM paper was published at MIT (Sheffi, 2001), a few months after the infamous terrorist attacks in September 2001. Since then, researchers and industrial practitioners have organized and published SCSM conference and journal papers, primarily in the US but also in Europe and other continents.
• Most of the researchers presently contributing to building SCSM theory have mainly been active in research fields such as Transportation and Logistics (i.e. Sheffi & Rice, 2003), Supply Chain Management (i.e. Lee & Wolfe, 2003) and Supply chain risk and vulnerability (i.e. Christopher & Peck, 2004). The existing literature on SCSM is somehow adding a layer of security to each researcher’s own expertise domain. Some of the discussed principles are presented in the following paragraphs.
• Sheffi (2001) presents the need for companies to simultaneously operate under heightened security environments and the need to prepare for rapid recovery after terrorist attacks. In addition he establishes seven supply chain design trade-offs that management will face when designing secure supply chains:
i) Repeatability vs. unpredictability.
ii) The lowest bidder vs. the known supplier.
iii) Centralization vs. dispersion.
iv) Managing risk vs. delivering value.
v) Collaboration vs. secrecy.
vi) Redundancy vs. efficiency.
vii) Government cooperation vs. direct shareholder value.
Supply chain security (SCS) Good Practices
As stated by Mentzer et al. (2008), ‘Supply Chain encompasses the planning and management of all activities involved in sourcing and procurement, conversion, demand creation and fulfillment, and all logistics activities’.
The aim of security and operational management is to create and maintain systematic, coordinated, and cost-effective activities and practices in order to prevent exploitation of supply chains for criminal purposes, and to enable quick response in case of a security breach.
Crimes of interest include (among others): theft, counterfeiting, customs law violations, organized immigration crime, terrorism, and sabotage. Crimes can have intra- and/or inter-organizational impacts.
The Strategy includes two goals:
Goal 1: Promote the Secure and Efficient Movement of Goods
Goal 2: Foster a Resilient Supply Chain
The White House
Washington
January 23, 2012
“Through the National Strategy for Global Supply Chain Security, we seek to strengthen global supply chains in order to protect the welfare and interest of the American people and secure our Nation’s economic prosperity.”
Barack Obama
National Strategy for Global Supply Chain Security (the Strategy)
Through the National Strategy for Global Supply Chain Security (the Strategy), we articulate the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity. Our focus in this Strategy is the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems.
Components
This Strategy is focused on those components of the worldwide network of transportation, postal and shipping pathways, assets, and infrastructures by which goods are moved until they reach an end consumer.
This includes the points of manufacturing, assembly, consolidation, packaging, shipment, and warehousing as well as supporting communications infrastructure and systems.
ISO 28000:2007 – Specification for security management systems for the supply chain, offers a framework for providing effective physical security management through a system that identifies security threats, assesses risk, establishes objectives for implementing controls and continuously improves the physical security of the organization.
SECURITY MANAGEMENT SYSTEM ELEMENTS
There are five key elements that are critical to the development of a Security Management System (SMS):
- Security Management Policy
- Security Planning
- Implementation & Operation
- Checking & Corrective Action
- Management Review & Continual Improvement
COMPONENTS OF A SECURITY MANAGEMENT SYSTEM USING ISO 28000
SECURITY MANAGEMENT POLICY
A conformant physical security management system (SMS) requires the organization to have an overall security management policy, authorized by executive management. The SMS must also have a process for assessing the security environment in which it operates and for determining if adequate security measures are in place. This examination of the operational environment includes regulatory requirements as well as the physical, natural and human hazards and specific industry requirements. ISO 28000 articulates a strategy for assessment of risk and determining countermeasures as a core component of providing physical security for the organization.
ISO 28001
Specific guidance for implementation of a security management system for the supply chain is provided in ISO 28001:2007 – Best practices for implementing supply chain security, assessments and plans – Requirements and guidelines.
ISO 28001 is intended to assist organizations in establishing reasonable levels of security and making better risk-based decisions for protection of the supply chain. Organizations that are in compliance with the WCO SAFE Framework of standards are also in compliance with ISO 28001. In the absence of SAFE Framework compliance, ISO 27001 is an auditable standard containing requirements of a supply chain security process (General Requirements 4 – 5) and guidance for implementing a supply chain security process
Joint statement on supply-chain security – EU
The European Union and the United States face similar challenges and share a common approach to the security of the supply-chain.
The terrorist threat must not be allowed to impair international trade and economic development. Security policies should be risk based, cost-effective and should facilitate as well as secure transport operations.
We also share the view that national supply-chain security policies will be ineffective unless they are supported by enhanced international cooperation to guarantee their coherence, compatibility and cost effectiveness.
Cooperation effort should be applied in multilateral fora as well as in bilateral EU-U.S. relations. A robust response should aim to:
• Prevent the unlawful transport of dangerous and illicit material throughout the supply chain;
• Protect critical elements of the supply chain system from attacks and disruptions;
• Facilitate and expedite the smooth flow of legitimate international trade through the use of multilayered risk management tools;
• Reduce the costs of security controls by recognising the high standards of controls that each performs for cargo security;
• Build the resiliency of the supply chain.
To attain these goals, we support the work of multilateral organizations with responsibilities for components of the system such as the World Customs Organization (WCO), the International Civil Aviation Organization (ICAO), the International Maritime Organization (IMO), and the Universal Postal Union (UPU) in order to:
• Support the building of bridges and networks between these international organizations to enhance collaboration and reduce system vulnerabilities;
• Push forward the adoption of international standards, develop and adopt new security measures and controls and advance global best practices and guidelines to deliver both security and trade facilitation at all stages of the supply-chain;
• Encourage an integrated, intermodal approach to ensure that measures and standards developed within these international organizations for all modes of transport within the supply-chain - air, land, and sea - are compatible;
• Promote and support capacity building
The ‘Container Security Initiative’
The US Container Security Initiative (CSI) was among the first initiatives to be implemented. It provides for the identification of high-risk containers, a non-intrusive inspection (x-ray) of suspicious containers, as well as the introduction of so-called ‘smart containers’.
Recommendations for Government and Business
1. Improve international and interagency compatibility of resilience standards and programmes
2. More explicitly assess supply chain and transport risks as part of procurement, management and governance processes
3. Develop trusted networks of suppliers, customers, competitors and government focused on risk management
4. Improve network risk visibility, through two-way information sharing and collaborative development of standardized risk assessment and quantification tools
5. Improve pre- and post-event communication on systemic disruptions and balance security and facilitation to bring a more balanced public and private sector discussion
Business Continuity Management (BCM)
BCM is a management process with the goal of detecting serious risks that endanger the survival of an organization early and to implement safeguards against these risks. To ensure the operability, and therefore the survival, of a company or government agency, suitable preventive measures must be taken to increase the robustness and reliability of the business processes as well as to enable a quick and targeted reaction in case of an emergency or a crisis. Business continuity management consists of a planned and organized procedure for sustainably increasing the resilience of (time-)critical business processes of an organization, reacting appropriately to events resulting in damages, and enabling the resumption of business activities as quickly as possible.
BSI – Standard 100-4
Risk Management and Business Continuity Management Interface
BCM Guidelines – Western Australian Government<br />
Business continuity management systems
• Business continuity: strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level
• Business continuity management: holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
• Business continuity management system (BCMS): that part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity
Societal security – Business Continuity Management Systems – Guidance (ISO / DIS 22313)
Business Continuity Management Process
BCM Guidelines – Western Australian Government<br />
This process involves the following activities:
a. BCM programme management
This includes:
• assigning responsibilities for implementing and maintaining the BCM programme within the council
• implementing business continuity in the council – including the design, build and implementation of the programme
• the ongoing management of business continuity – including regular review and updates of business continuity arrangements and plans.
b. Understanding the organisation
The use of business impact and risk assessments (see below) to identify critical deliverables, evaluate priorities and assess risks to service delivery.
• Business Impact Analysis (BIA) – identifying the critical processes and functions and assessing the impacts on the council if these were disrupted or lost. BIA is the crucial first stage in implementing BCM, and helps measure the impact of disruptions on the organisation.
• Risk assessment – once those critical processes and functions have been identified, a risk assessment can be conducted to identify the potential threats to these processes.
c. Determining BCM Strategy
The identification of alternative strategies to mitigate loss, and assessment of their potential effectiveness in maintaining the council’s ability to deliver critical service functions.
The council’s approach to determining BCM Strategies will involve:
• implementing appropriate measures to reduce the likelihood of incidents occurring and/or reduce the potential effects of those incidents
• taking account of mitigation measures in place
• providing continuity for critical services during and following an incident
• taking account of services that have not been identified as critical.
d. Developing and implementing a BCM Response
Developing individual service responses to business continuity challenges and an overarching Business Continuity Plan to underpin this.
This Business Continuity Plan ensures that actions are considered for:
• the immediate response to the incident
• interim solutions or maintaining an emergency level of service, leading on to reinstating full services.
e. Exercising, maintaining and reviewing
Ensuring that the business continuity plan is fit for purpose, kept up to date and quality assured. An exercise programme will enable the council to:
• demonstrate the extent to which strategies and plans are complete, current and accurate and
• identify opportunities for involvement.
f. Embedding BCM in the council’s culture
The embedding of a continuity culture by raising awareness throughout the council and offering training to key staff on BCM issues.
This could also include:
• incorporating BCM in the staff induction process
• items in Governance Matters
• e-mail bulletins
• pages on TOM
• booklets and prompt cards
• staff development session.
The goal of business continuity management is to ensure that important business processes are only interrupted temporarily or not interrupted at all, even in critical situations, and to ensure the economic existence of the organisation even after incurring serious damage. A holistic approach is therefore critical in this regard. All aspects necessary for maintaining the continuity of the critical business processes when damage is incurred should be examined, not only the aspect of information technology resources. IT-service continuity management is a part of business continuity management.
Thank you for your attention!