Description
This webinar features Alastair Parr, Senior Vice President of Global Products and Delivery at Prevalent, who demonstrates how to build an enterprise resilience strategy that balances internal business continuity metrics with a vendor assessment strategy.
Webinar recap:
- Which supply chain factors need to be considered
- How standard processes should incorporate broader context and exception management
- The impact of reporting, incident management and communications
- Continuous management principles for assessing an enterprise resilience program
- The role of recovery
Watch this webinar for a deeper look at the frameworks and examples commonly used to benchmark third-party risk management programs.
Speaker
Alastair Parr
Senior Vice President of Global Products and Delivery, Prevalent
Transcript
Peter Schumacher: Welcome, everyone, to today's webinar, "Ten Steps to Comprehensive Business Resilience", presented by Alastair Parr, Senior Vice President of Global Products and Delivery at Prevalent. I'm Peter Schumacher and I'll be moderating today's session. Before we begin, a few housekeeping notes. First, a reminder that all attendees are currently muted. We still want to keep this interactive, so please submit your questions at any time through the Zoom control panel. Time permitting, we will hold a live Q&A at the end of the session. The webinar is being recorded, and the recording will be emailed to you tomorrow. I know you're not here to listen to me, so I'll hand over to Alastair now. Thank you very much, Alastair, over to you!
Alastair Parr: Yes, thank you very much, Peter. Hello everyone, and good morning or good afternoon wherever in the world you are. Sadly I don't have Peter's magnetic voice, but I hope you'll bear with me for the next hour. So, let's start with a brief introduction. I know Peter has touched on the key points, but to recap today's agenda before we get into the core content and the details, I'll introduce today's guests. We have a Q&A session, so if you have any questions, please use the question function in the Zoom window at any time. This session is an hour long. I'll spend 30 to 35 minutes on the core topics, and then we have a few guest speakers. Joining us today is Adam Kales. As a management consultant at Prevalent, Adam has long focused on developing business resilience measures for third-party client bases. Adam will spend 10 to 15 minutes sharing examples that have proven effective in his own hands-on work. These materials are published on the Prevalent website, and we'll explain how to access them at the end; all of the resources are freely available. We'll go into that in depth at the end of the session. We also have Thomas Humphrey with us today. Hello Thomas, are you there?
Thomas Humphrey: Hello. Yes.
Alastair Parr: Hello Thomas. Thank you. So Thomas is our content manager, and Thomas will be talking a bit about some of the regulations and frameworks that have either come out in recent years or are expected to emerge over the next couple of years in regards to business resilience. So to highlight today, we will generally be talking about good practice around third parties, specifically around business resilience. Okay. So to begin, I appreciate this is probably quite straightforward for a lot of people. But what is business resilience and why is it valuable? Now, as I’m sure you can see from the screen in front of you, there are multiple areas that touch on business resilience. It’s not limited to a single factor. A lot of what we tend to focus on is the supply chain resilience piece at the bottom right. And that’s something that’s very often overlooked in day-to-day management of suppliers by and large. A lot of the organizational resilience measures that we’ve seen, particularly in the advent of COVID-19, were focused internally. They were looking at incident response. They’re looking at business continuity and crisis management, human resources. Yet very, very few organizations we saw factored in third parties in their pandemic planning, those that have pandemic planning at all. So, when we’re looking at business resilience as we talk over the course of today’s session, we really see it as an amalgamation of different areas and focuses and domains which enforce that continuity of service. So, it isn’t just limited to those internal use cases, it is very much external as well. And we appreciate that communications and interactions between all of these key facets make up an effective business resilience mechanism. So what is business resilience and why is it valuable? Well, apparently in the last few months, as we’ve all seen, unfortunately, the business does need to prepare for factors which are outside of its control.
And that’s not as easy as perhaps a while back, where we had somebody sitting there changing backup tapes. Business resilience is a far more encompassing environment now, where we do have to focus on all these different capabilities and considerations. So where does supply chain factor in the entire business resilience piece? So as a concept, most organizations are considering third parties as an external function, and rightly so in some respects as to what they do, but the reality is, when you actually start looking at third-party risk, that blurred line between internal and external isn’t really there. That third party is ultimately managing systems and assets and enabling us to generate revenue in much the same way as anybody else does in the organization. But the key challenge with it is that we don’t necessarily have the visibility on what they’re doing. We don’t have ownership over how they do it, and we have that complexity around integrations. Now a lot of organizations we speak to try and manage that using three key areas. So there’s the communications aspect: how often do we communicate? SLAs: how do we track success with our third parties? And then of course incident management: how do we extrapolate the necessary data that we need from them in the event of an issue? But by and large, most organizations we speak to are still psychologically entwined with that concept of a third party as external, and don’t necessarily incorporate it into their wider governance and business resilience planning. So when we’re looking at mature environments and mature customers, what we typically tend to see now is that every single thing that they apply internally in their organization,
So the governance aspects of it, the audit and compliance remits that they mandate, the risk management and tracking, the incident management aspects, everything that I showed you a couple of slides ago, needs to be woven into the third-party estate as much as it is internally. So this concept of internal versus external is removed, and we are ultimately looking at critical assets or critical functions of the organization, and that could incorporate contractors, service providers, internal users, assets, etc. The line is certainly blurred now. Okay. So as a tip, what standard processes are typically being used broadly in business resilience? Now what we tend to see is a record, respond, recover concept. So a lot of what we’re focusing on here is ultimately looking to understand how do we manage incidents and events once we’re dealing with all of our critical assets in the business. And that starts of course with ownership. The organizations we deal with who tend to be relatively unprepared in the situation need to really start with that ownership. So who do they need to allocate responsibilities to in the business? And this is an endemic issue that we tend to see, where organizations don’t have somebody assigned to manage critical assets and provide visibility to the people who need to know it, whether that’s legal, procurement, infosec, risk, compliance, etc. Nobody really tends to understand what the context is around an asset or something critical for the business, or how it is functioning. So, starting with ownership and finding who’ll be able to give us clear answers on situations is key.
And when we start looking at incident management on the whole, we appreciate that we need to do things such as start recording, obviously, key processes, understand what they’re doing, analyze how they function, build up alternatives wherever we can, understand what is truly revenue generating and therefore mandatory, and what’s based on regulation is mandatory as well. So, do we need to process data in a particular way? We can’t, say, transfer all the personal processing to a different third party without suitable due diligence or analysis. There’s a lot of complexity involved in identifying and recording what it is that we actually intend to do with that data and that entire data set. Now, in the face of COVID-19, a lot of the organizations we dealt with are really starting this whole record process from scratch. They will have business resilience in the form of data outages and shortages, but aren’t necessarily looking at the critical assets and functions of what they do. For example, when we start looking at sectors such as retail, where they don’t entirely have the distribution networks available to do, say, on-premise deliveries in the same sense that they rely on bricks-and-mortar stores, organizations we’re speaking to are (a) having issues with supply chains, understanding how they can source the goods that they need, and then (b) in turn focusing on distribution or redistribution, as it may be. Now in retail, the organizations we’ve spoken to who’ve had the most success have of course considered that from the outset. So they’ve got distribution partners for downstream. They’ve been able to scale, say, with food deliveries for the food retailers, for example; they have those mechanisms in place, and that is very much reliant on third parties supporting them. It wasn’t a case of bringing in teams and teams of contractors in the short term, while that may help in some bricks-and-mortar stores.
It was about understanding how they can work around the issue that they have been presented with. So if a supplier is unable to provide, or they’re unable to open, say, certain sites and facilities, can they think outside the box and find other alternative ways of conducting business in order to drive that revenue? So it’s not just a case here of recording the exact same capability that we would be trying to address. So it’s not a direct mirror. And then finally, when we start looking at respond and recover, really what we are touching on here is some of the resilience planning for incident response. So once an event has happened, how do we communicate effectively? And in the face of COVID-19, most of the organizations we speak to are really starting to touch now on some of the post-event improvement aspects. Some normality is of course returning to some states in the US, and we appreciate now that with that normality comes the ability to start looking at how they can address it, say, in the face of a COVID resurgence, if they have to return back to a lockdown situation. How can that be managed effectively without having the same outages that they’ve experienced in the first place? So that ties into recovering, reducing downtime and of course improving, you know, the customer confidence and being demonstrated as agile and resilient. So, it’s generally a long path, but the key takeaway I’d really share here is that record piece. We need to make sure that we have clear, concise ownership, and we’re aware of what it is we’re actually trying to maintain, and we focus on critical assets in order to do that. So, what do I actually need in order to make this function and be effective? We need lots of collaboration, clearly work, and certainly luck.
I think it’s fair to say most organizations we’ve dealt with in the face of COVID-19, for example, have been either extremely lucky or have in turn had to deal with some of the repercussions from a lack of resilient planning around business resilience, particularly around their third-party supply chains and downstream deliverables to customers. So as a brief bit of insight, there is a resilience gap study that was conducted with 4,000 stakeholders who were responsible for and ultimately owned the resilience processes in organizations, and these ranged from small mom-and-pop style shops up to large multinationals with hundreds of thousands of employees. But universally, it seems, or at least 34% of them, blamed complexity as the biggest barrier. So if we look back at our previous process slide here, it’s about the complexity of the working environment. How do we understand what it is we’re actually doing? And I think that’s shared beyond business resilience; it is again a factor in risk management, compliance, audit and so on. 20% of them blamed siloed business units, so a lack of communication internally within the organizations, and 24% again blamed poor visibility here. So fundamentally, complexity and a lack of internal communication is key. So what we generally are recommending here to people is to look inside the organization before you start looking outside at third-party resilience. So if we’re looking internally at the business, what types of context ultimately are we looking to consolidate? Now, much like data discovery on a whole, it’s the who, the what, the where, the why, the how. So who or what parts of the business have critical information? What is that critical information, or services or processes, and how do they function? Where is it being stored and how is it being stored? And then why? So does it genuinely need to be there?
To touch on the point again from earlier on, one of the biggest challenges we see when we look at business resilience planning is people try to mirror what they already have, and that’s not necessarily the case. We’ve seen situations in COVID-19 with customers, surprisingly, where they’ve enforced some robust resilience plans and they’ve realized that they’ve been able to function in a less standardized state, and they’ve been able to actually maintain some of their resilience plans moving forward. So not actually reverted back. They’ve saved money. There are some operational expenses saved because they’ve been forced into realizing that there are alternatives to how they currently function. A good example of that would be the remote working capabilities, where we suddenly see reams and reams of previously office-based workers now suitably working remotely, and teams realizing the resulting savings by not filling up office space the whole time. So the who, the what, the where, the why and the how. So look at it almost as a data mapping exercise, where we want to understand what is critical to the business, what is revenue generating, and much like when we start looking at data mapping again, we can start building up visual maps to understand what’s actually happening in the business and letting us prioritize what we need to. The reality is we won’t need to ring-fence business resilience around all third parties or around the entire organization. We simply need to be able to classify the type of process, identify where it is, how often we actually tend to conduct that activity, whether it’s subject to any governance or oversight. It might be a regulated process for some reason. Does it touch on regulated data? Do they need physical access in order to achieve that, and so on.
All of that can ultimately be fed into a simple calculator to help you prioritize and identify what it is that is most critical and what ultimately has the highest amount of risk, in order to try and maintain it in the event of a resilience situation. And to make that effective, of course, organizations change over time. We recommend doing that internal mapping for business resilience at least quarterly if you can, certainly annually for the organizations where quarterly is too aggressive, but we would be looking for a regular and consistent review on where that data resides. It does need to touch on technology capabilities, of course, as well. So we need to understand what technologies are necessary in order to make that function happen, and then of course you can use things like e-discovery technologies internally within the business to actually identify if that is truly the case. Quite often, one of the issues that we pick up on is that the business will say, I am truly a critical process, I’m a real necessary function of this organization, as they’re naturally going to say, but the reality is, when you actually start doing things like e-discovery on what they’re actually doing, quite often we find out that reality doesn’t necessarily meet what the business is telling us. So for those who have the capabilities and resources in hand, you can certainly work with teams such as the data loss prevention teams to start actually tracking, say, key critical information, whether it’s business-sensitive data, whether it’s customer information or so on. You can usually use that to pinpoint some of your resilience focus and, of course, then raising discrepancies to owners and purging areas from your resilience planning where necessary.
So in the face of, naturally, COVID-19, I’m sure we’re all sick and tired of it, and in recent months this image probably looks like some business centers scattered across the globe, but would it have addressed exceptional circumstances based on COVID-19 and what we’ve seen? And I appreciate it’s pandemic related, but the answer is simply, well, no, not necessarily. Most organizations we’ve spoken to feel that there are things they could have done better in the face of, say, the pandemic, but certainly having that additional visibility would have given them the comfort and the insight and the knowledge to be able to react better, and that’s ultimately all that we’re trying to do here with business resilience: can we at least try and maintain critical business functions in the best way possible, and if we learn a few things along the way, we’re all the better for it. So what reporting is important now in order to be prepared for business resilience, looking at third parties and internally? Coverage, visibility, ownership and improvement are the key areas that we’ve picked up on. We’ve seen success in using maturity assessments against this. So you can use the Carnegie capability maturity model to self-assess yourself between one and five across each of these domains and then give yourself an overall rolled-up score. But from a coverage standpoint, it is again how frequently are you doing assessments in the business? Do you have comprehensive coverage of the organization? Do you have onboarding workflows for the business in order to assess the awareness of anything that’s been added or that’s new? And of course, are you including third parties in that piece? From a visibility standpoint: assessment types. Do we look at critical information? Are we focused on outsourcing activities as well? Is it limited to just data privacy or risk-based assessments? And do we cover resilience and anger, the reporting mechanisms and strength?
How do we actually report this back up to the organization, and of course assessment cadence there again, and evidence management. So how do we collect and store evidence and build those plans that enable us to work effectively? Looking at improvement factors. So what audit mechanisms, how do we feed that back to any audit teams that we have? Remediation definition. How do we define what we’re actually going to achieve and what’s viable? And we’ve seen organizations use things such as FAIR models or their own internal calculations to estimate cost versus return for business resilience. That certainly is viable. Those program road maps and the steering groups. We do recommend for resilience, much like you manage risk and you may have risk committees or steering groups or working groups, we’d recommend incorporating business resilience, particularly for third parties, in some of those sessions. The outages are of course a risk and should get fed into the standard risk models. Now, ownership. Something hopefully we’re articulating here clearly is the fact that to manage third-party business resilience and internal, there is a requirement to have internal owners within the business who have responsibilities. We won’t ever be successful in managing business resilience. If it’s a small organization, we might be okay because we can generally touch on those processes. But if it’s a large organization or it’s ever evolving, the complexities are there where we need subject matter experts in the business to feed into our resilience planning. And that feeds into our delegation of duties. The more that we can get the various asset or process owners to manage, then the more prepared we’re going to be. We get asked a lot of questions about incident management. Now, incident management is of course pretty key, and we saw many, many incident management plans come about in the face of COVID-19.
But any incident management plan really needs to consider reporting. So the communications plan needs to understand who we are going to talk to and how. Identification mechanisms: do we have simple, defined types of incident that we can react accordingly to, so we’re invoking the right people? Event planning: so tied to those cataloged events, we should be building those playbooks that are reviewed regularly. We see customers doing things like tabletop sessions to assess their suitability to react to the situations. I appreciate some parts of the business see that as a bit of fun, but the reality is it does actually psychologically start getting people used to this concept of dealing with events following playbooks, and then of course reactions. So comms need to focus on what we are doing to fix an issue, and overcommunicate. So for those of you who are involved in any cutting-edge development or technology or anything like that, appreciate that the most important thing when you’re offering a service is communicating, and overcommunicating is key in an incident. So tied to that, timely identification: we want to be able to make sure that we are able to identify an event quickly and readily. And part of that is making sure that our third parties have mechanisms to report back to us and say we’ve had an incident, whether it’s a data breach, a service outage, change of ownership, whatever it may be. There needs to be clear mechanisms internally and externally for highlighting something that’s considered an event. When we’re looking at notifications, appreciate there might be, with situations such as GDPR, requirements to notify customers within 72 hours of any breaches or issues. So be mindful of time frames, whether you have regulatory mandatory time frames or self-imposed time frames. Make sure that anything you build for your resilience plans is embedded into that press release.
Something that we’ve been inundated with again over the last few months is how do we control the talk tracks of these pieces, and something we’ve been exposed to a fair amount here is how do we communicate things well to large volumes of people. And quite often you can draw in, say, obviously the PR teams if you have them. Otherwise, the marketing teams, funnily enough, seem to be very aware of how to effectively communicate a situation. Much like you manage third-party risk assessments or dealing with third parties, you can speak to your marketing guys, because they quite often can support or provide guidance on how to manage these things. Associates. So, inform your providers and partners. Something that gets overlooked very often is that lateral communication, as well as the internal communications. So everybody focuses in an event on speaking to customers, and there’s certainly a requirement there to have clear, concise guidance for communicating to partners, associates and of course internally. The amount of damage you can see from an incident happening or an outage happening and then not communicating that through the business effectively means you lose that internal impetus in order to drive things forward. So we would definitely recommend people focus on that internal communication as well. So moving on then to continuous management. So we’ve spoken about quarterly or annual reviews, pulling data from the business as it’s ever evolving and ever changing. Something we deem very important here is the cadence on how we manage business resilience. So how do we report it? How do we escalate it? How do we consistently enhance and assess it? So a lot of organizations were dealing with the implementation phase in the last couple of months and are now starting to move towards the review and enhancement phases. So for us, successful business resilience starts with success criteria.
What are we actually trying to achieve? So, not defining too broad a scope is key. It’s got to be very, very finite and focused on what we have to do: discovering that within the business, documenting what we need to, signing off what that new resilience plan looks like, and then getting the stakeholders to self-manage each of their respective elements. And then of course ongoing testing, updates, reporting, content alignment as the business evolves, and then moving on to general, broader business efficiency. So when you look at the continuous management of business resilience on a whole, it’s very much about defining a manageable and accurate scope and then providing the capabilities for the various feeds, whether it’s the internal business users or third parties, to update that over time. If it’s a static document sitting on a SharePoint or Teams folder somewhere, then that means we’re halfway already to losing the battle there. So finally, how resilient should I be? Of course, it’s all about being proportionate. So there are resources of course out there, ISO 22301, 31000; Thomas will be talking a bit about those in a few minutes, but fundamentally it’s about being proportionate. We could certainly use risk management methodologies in order to improve our business resilience capabilities. So speaking to the business, understanding what’s happening, we could focus on being business enabling. Much like information security, it’s very easy for business resilience to start being seen as a blocker as opposed to an enabler, when really all it is is making sure that people can get the job done. A cost-benefit analysis is naturally very, very important to all of this. We need to make sure that any measures we take in order to, say, maintain a hot site that’s available 24/7 aren’t disproportionate to the actual functions that it’s supporting.
So we certainly recommend reviewing whatever you’ve built for business resilience to make sure that it’s actually financially viable or justifiable, and then of course make sure that from a governance standpoint you’re not overlooking anything key. We are hearing various conversations of people who have had to make sudden changes in the face of, say, COVID-19 and are dealing with the potential flak on that downstream, as regulators etc. start querying how people have been reacting to it. The ones we’re talking to generally have a bit of understanding of the situation, but nonetheless we are seeing situations happen where regulators are looking at organizations to see how their resilience has been in the pandemic situation, and for some it has not been looking good. And to reiterate the same point there: be proportionate. Everything that I’ve been speaking about conceptually here, and we’ll move on to some of the tactical details in a moment, but everything that we’ve been talking about here is about proportionality. If we’re dealing with third parties, if we’re dealing internally within the business, if we’re dealing with business stakeholders, etc., there are so many moving parts to this that it’s only effective if we ring-fence the very, very key and critical aspects of what we need to achieve and work there in order to make it continuous. So finally for me then, business resilience recovery is also important, and as we’ve been seeing over the last couple of months, that return to normality isn’t as simple as it may have seemed. So we’re seeing, as I said, certain functions have proven to potentially be more effective in the resilience situation. So people working remotely, for example, there seems to be some continuation of that happening as lockdown is gradually being eased across the globe.
But in certain aspects as well, we’re seeing supply chains fall apart, where entire organizations that have been providing core services to some of our customers have just simply disappeared. So there’s been strong efforts to try and find alternatives, backup plans, etc. And third-party procurement have been back in the fold again to look at alternative providers, backup providers, etc. So providing things like backup lists, etc. for organizations is certainly not a bad thing. But by and large, we’re generally seeing that as people revert back from, say, COVID-19, there have been lessons learned, things that they are taking on board and continuing, and of course black holes or situations that they need to fix. So now moving on to some insight into some recommended frameworks. We’re going to talk for about five to 10 minutes here. We’ve got Thomas speaking about some of the standards and frameworks that he’s been dealing with that could serve as a good foundation for any of your business resilience needs. Thomas, are you with us?
Thomas Humphrey: Yes. Hello. Thank you, Alastair. Can you hear me?
Alastair Parr: I can. Yes. Thank you.
Thomas Humphrey: Great. Yes, I mean, when thinking about business resilience and business continuity, one of the key points that obviously always has to be considered is: is there best practice? Are there frameworks available? Are there methodologies and models? These should not only gain recognition from customers, partners or regulators, but should also help standardize and shape the way we manage business continuity. The 22301 standard from the International Organization for Standardization (ISO) is undoubtedly one of the most widely adopted and best-known baseline practices. It replaced the British BS 25999 standard many years ago and is the most general specification for building, maintaining and improving a business continuity management system. Like most ISO standards, it achieves a degree of formal recognition through certification, and it has built up a broader family of supporting standards. Typically 22301 is the core driving standard, with the others providing more comprehensive guidance, whether for specific industry sectors or for broader operational use cases. That is also something I have been involved in developing. For example, the 22318 standard for supply chain continuity management (currently under development) is well worth a look. It is worth noting that beyond the ISO-led international standards, there are also standards in various regions that focus on local topics or interests, either drawing on ISO best practice or building more nationally specific frameworks. The BS 65000 organizational resilience standard that Alastair mentioned on the previous slide is a typical example. Singapore has long had its SS 507 standard, which focuses on disaster recovery for information and communications technology (ICT). In the US, the ASUS BCGDL standard sets out detailed requirements for emergency preparedness, crisis management and disaster recovery, and was developed in coordination with the American National Standards Institute (ANSI). So it is quite common for local standards bodies, and even government departments, to develop localized frameworks and best practices. In addition, if you think further about the ISO family itself, you often find other widely adopted frameworks and standards, such as the 27000 series of information security management system standards, which address business continuity but with a different emphasis. 27001, for example, looks at how an organization manages information security requirements when planning for business continuity and resilience. This is quite topical, especially when we look back at the early days of the pandemic, when lockdowns were imposed in many countries and businesses were forced to shut down operations at short notice. The key question is: was information security a core consideration? When businesses were forced to enable working-from-home capabilities for employees at short notice (especially employees not used to remote working), were the relevant security measures put in place? These standards aim to formalize the governance approach and establish a framework for identifying business continuity plans, recovery processes and assessment methodologies, with ongoing exercises to make sure the plans stay aligned with business needs, adapting them based on the identified impacts of a disaster and continually improving the way business continuity mechanisms are built. There are also broader key areas to watch, such as the communications piece that Alastair mentioned earlier. Is the business communicating effectively with its customers and third parties? Where critical third parties are involved (especially sole-source suppliers), how are they brought into the planning process? When the worst happens and the business continuity plan has to be invoked, how closely does the business work with those suppliers? There are many standards and frameworks out there. ISO 22301 (most recently revised in 2019) is undoubtedly the most widely adopted and best known. But it is worth noting that there are many local standards, such as Singapore's SS 507 or ANSI's ASUS BCGDL standard. Alastair,
Alastair Parr: Thank you very, very much. Okay, brilliant. That's a really insightful point. So next we'll move on to some examples, some quick-start examples. We have Adam with us today. Adam, are you there?
Adam Kales: Yes. Hello, Alastair.
Alastair Parr: Hello everyone. I'll hand the screen over to you now, and hopefully you can walk us through some of the core content on business resilience, which is exactly the area we usually want to understand.
Adam Kales: Perfect. Thank you. So, I’ll share my screen momentarily. Okay, hopefully you should be able to see my screen and the business resiliency plan. Okay, so what we wanted to do when all this started with COVID-19, we identified that there may be a number of organizations out there who hadn’t previously concentrated on business resiliency. That wasn’t one of their main focuses. And because of that, they may be considered slightly immature in terms of the documentation, the process and the procedures that they have around business resilience. So we wanted to be able to provide a suite of templates which are adaptable enough to be used by a range of organizations, both in terms of size and type of organization, in terms of the services that they deliver, and whether they are at the beginning of their business resiliency journey or if they have already got a mature resilience program in place. These documents are designed either to be used as their initial core documentation, or certainly elements of it extracted out to be incorporated into their current business resiliency program. And the idea of it is that this is provided to you as a free resource available through our portal, through our website, from which you can then cherry-pick those elements which best suit you and also provide that onward as well to your third parties, if they themselves need some assistance in improving their business resiliency processes. So what you have in front of you is one of the core documents that you’d expect to see as part of your business resilience program. So we have the business resiliency plan, and this provides those core elements. So certainly I wouldn’t consider this to be the be-all and end-all, but certainly the initial starting point, this template, from where you can take this and then start running and start the core elements of your business program. Okay.
So, it includes things like the business continuity strategy, that overarching statement of how you’re going to approach business continuity. The scope, responsibilities, plan invocation. So, when is the business resiliency plan and those incident response plans going to be put in place? Who the primary stakeholders are, and then falling out of that a number of annexes, which will include the business impact assessment, risk assessment, a RACI matrix, a critical third-party register, critical third-party gap analysis and maintenance requirements. So this is certainly one of those core documents that you would want to see in place. So moving on, we have a third-party business continuity gap analysis. So the ability to understand and identify who your critical vendors are. So a critical vendor being somebody who, without them in place, you would either, one, not be able to continue functioning, providing the services that you provide, or two, it would have such a severe impact that it would severely diminish your ability to provide your service and your products. Okay. So with that as well, as we scroll down, it has some overarching information on how you would approach conducting that gap analysis and then utilizing perhaps some form of automation to be able to deliver this at an enterprise level. Okay. Then we have the business impact analysis procedure. Okay. So this lays out in a very short and high-level way the scope, responsibilities and the procedure of what you need to follow to conduct a business impact analysis, including recovery point and time objectives. And as you can see, we have made it adaptable enough that if you wanted to, you can simply insert the relevant details to make it specific to yourselves, and then you can start using this template immediately.
What we also have, as we linked in with those annexes that we covered on the first document, that business continuity plan, we have a number of annexes here. So we have the business impact analysis. So, a tabular format where you can identify a critical system or service, the process or activity that system provides, an impact score. Now, this may be quite subjective or objective depending on the amount of data and information that you currently have available. And certainly, if you’re able to draw on existing data resources that you may have built through any form of information security or data mapping process activities, then you can certainly utilize that in determining what the impact and the likelihood of the system failing are and, if it does fail, the impact that it may have upon your organization. Establish RTO and RPO timelines and also the minimum time to return that service back to full functionality. Okay. The minimum resources needed. So essentially, for these systems and services to continue functioning, what are the minimum requirements you need, as an absolute minimum, to continue with those systems? Okay. And the priority of what it means to you as an organization. We also incorporated a risk matrix as some form of guidance as well, including a level of terminology. Moving on, we have a template for risk assessments. Okay, being able to conduct a risk assessment against a particular resource, what that risk is, the risk description and so on throughout. So in the same manner as you would have a risk register for information security risk, for instance, you can have one specifically tailored to business continuity requirements. A RACI matrix has been provided, and again these are here as suggestions of some of the more likely areas that you would want to consider, but certainly introduce your own or adapt it specifically to how your organization works.
We have the critical third-party register. So once you have identified those critical third parties, being able to record that they are a critical third party and those key contact details: who the service owner is internally, who the external supplier relationship manager is, the supplier contact and any additional comments associated with it. So once you’ve conducted a gap analysis, so for instance, if you have a critical third party, if they were to go down, what would be the fallback procedure for that? And if you identified that there is a gap, then you’d be able to annotate that in a register such as this. Moving on to maintenance requirements. So this brings to mind any resources that you would need to use as part of business continuity, business resilience. So for instance, it was mentioned earlier on about remote working. So certainly before COVID-19 there may be a number of people who were used to just going into the office, and working from the home environment was a rarity more than anything. But suddenly you needed all these additional resources, for instance laptops, and you have this resource of laptops which under normal circumstances wouldn’t be utilized. But what you need to do, for the time that you do need to literally pick them up and run with them as such, is make sure they are in an acceptable condition for you to be able to use straight away. So what does that mean? That means that we have antivirus on there, firewalls on there, that the software has been updated appropriately, simply that they’re charged, that they have been checked over recently. And all these maintenance requirements, whether it’s a laptop, some form of generator, backup locations or premises, whichever the case may be, can be stipulated down here and, importantly, an owner assigned to it, so they are aware that they have ownership over those particular maintenance requirements.
So, moving swiftly on, a third-party discovery template. So we mentioned about identifying your critical third parties and what some of the elements wrapped around that are. So for instance, we have a number of risk factors associated with it which will help you determine if a supplier is considered green, amber or red, and a number of high-level questions which you may want to consider asking to determine what may be considered a critical third party. And it could be based on the type of service being delivered, the types of data that they interact with, for instance if the supplier is the sole provider of a service, and also how they transfer data and information across, including any specifics to you as an organization and any other attributes that you want to include in that, which will then start to build up a picture of the criticality of your third parties. Okay. Now, what we have designed as well is a number of communications templates. So communication throughout all this process, even before this has started, communication is key. Communication in terms of understanding what the business resilience plan is, what it means not just to the organization but to individuals who are key stakeholders in this, who have key responsibilities in this as well. But also moving into when we have to enact those business resiliency and those incident response plans, for instance, in terms of getting the information across, directed at the right people, at the right level and at the right time. And so we have designed a number of communication templates, these being just a couple of those examples, both internal, so for instance to team members, to team leaders, to those in senior management positions, for instance, we have designed a template to fit each requirement. So for instance we have here key personnel, internal, phase one, low infection risk.
So right at the very beginning, this is something that you may want to consider sending out to the relevant people internally within the organization. Moving on, we have a third-party email template. So for instance, you want to communicate a clear, concise message directed to the right people in the right manner and in the right format. So whether that’s by email, whether it’s via social media, whether it’s internal communication, whichever the case may be, you have a template ready to rock and roll so that you can utilize it and run with it when you need to. And you’re not scrabbling around in the dark trying to pull something together very quickly. It’s already part of the business resiliency process. What we also have is activation procedures and criteria guidelines. So again, certain prerequisites which you have predetermined, so that if these situations occur then you have a clear-cut procedure to follow in terms of what is activated, who is activated, who is informed and the process to follow that. Okay, and those have been laid out in a high-level but detailed format. Then we have authorized communication methods. So it may be appropriate that actually certain communications may only be appropriate for certain levels of communication or certain types of people that you’re interacting with. And again, we have provided a template for you to be able to lay that down and record that as you move forward. So we also have escalation paths, and we’ve provided some examples here of those various escalation paths for a number of different use cases. Okay. So we have, first of all, those staff contact numbers of those relevant key stakeholders who need to be informed, for office locations, for instance, critical suppliers.
Okay, the information security team, and also things like security and technology, if it’s specifically around that, who needs to be informed, starting at the CISO, for instance, and ending with information security analysts. And actually all this can be adapted to suit your particular needs. Okay. So again, we’ve alluded a couple of times to the fact that one of the big changes that we’ve experienced is the amount of home working which has had to happen, just simply because we have not been able to go into the office locations, and that is still continuing very much now; and being able to work coherently and productively in the home environment, but also ensuring that you’re maintaining good standards. So good data hygiene, for instance, making sure that you have the controls and procedures in mind working from the home environment as you would do working in the office environment as well. And what we’ve done is we have designed a remote working training package for you to either deliver through some form of online training session or send direct to whichever relevant users, home workers, who are going to benefit from this, which presumably would be the majority of them. And covering topics such as data hygiene, going down to things like spam and malicious filing at the end there, but also covering secure working spaces, making sure that you have those good measures in place. Set up a designated workspace, day-to-day home working, okay, clear desk, clear screen policy, okay, so you can maintain those good working methods at home as you would do in the office environment. And then finally, to accompany that, a remote working policy. So wrapping up that training that you can either send or deliver with an actual remote working policy, so you have something that you can actually refer back to and you have guidelines in place for remote working. Okay.
So I believe that takes me to the end of, not all of that documentation, but certainly a good representation of what is available to you, and, as I say, as a free resource for you to be able to access through our website. So, thank you very much for your attention.
Alistair Parr: Thank you very much, Adam. Much appreciated. Okay. For the next five to ten minutes or so, we will move into an open Q&A session. Questions can be put to me or to Adam on what you have just seen, and of course to Thomas, who will answer from a standards and frameworks perspective. So, as a reminder, if you have any questions, please submit them in the Q&A panel of the Zoom meeting and we will be happy to start answering them. There is a question here for Thomas about aligning with business resilience frameworks. Do you see aligning with a framework as mandatory, in the way that meeting other regulatory requirements is, or is it more of a nice-to-have?
Thomas Humphrey: Yes, good question. In practice it can be either. Often, a business may find itself having to go down the formal certification route, such as obtaining ISO 22301 certification, either because of a contractual requirement or because a regulator mandates it. As we have seen with other standards such as ISO 27001, certain industries and industry bodies have made it a mandatory factor in winning bids and signing contracts. From a business continuity perspective, that can absolutely happen. Beyond that, although it is not mandatory, I would always strongly recommend adopting 22301: not only because it is recognized best practice, but because it helps businesses of every kind, whether domestic companies, multinationals or global multi-region organizations, to establish a formal governance framework, shape their business continuity practices, and it provides a framework for continually assessing and improving business continuity and disaster response strategies.
Alistair Parr: Thank you very much, Tom. I have a question here on the content for Adam. We have received a lot of specific questions about different verticals. Customers tell us they are in retail, or that they work in B2B rather than B2C. They want to know how much the content needs to be adapted to fit their own scenario. Adam, from deploying this across different verticals, do you have any experience, insights or findings? Is a lot of content adaptation needed between the B2B and B2C space?
Adam Kales: Yes, that is a very good question. Thank you. Essentially, this document gives you a starting point. So ideally, if you have no foundation at all, this document gives you an excellent starting point and shows you where to begin. However, as I said at the start, this is not a one-size-fits-all solution. It represents the baseline requirements you should have at a minimum. Ideally, you do need to tailor it to the vertical you operate in, to make sure the document fits the specifics of your organization precisely. Without adapting it you would still get value from it, but if you can incorporate the ways of working that are unique to your organization you will get additional value, which of course calls for a time-cost analysis. If you have the time to invest in the research and analysis to work out which organization-specific touches need to be added, then when you actually use these documents to build your business resilience plan, that customization will greatly help your work. So I think that, to get full value from the documents, adaptation is indeed needed. But as a starting point, this is certainly a viable path.
Alistair Parr: Excellent. Thank you, Adam. I have a question here: besides the onboarding process, controls and ongoing monitoring across the lifecycle for critical suppliers, do we recommend drawing up detailed contingency plans for them? I will take this one. Yes, we strongly recommend integrating contingency planning into the supplier onboarding and monitoring process rather than simply bolting it on. The successful practice we have seen is to use the PCF (the common compliance framework) or an alternative to embed resilience requirements, compliance requirements and data processing privacy requirements directly into the initial onboarding process. That way we capture all the key information up front and, during regular contract reviews with suppliers (sorry, with customers), make sure each item is checked. So, as part of onboarding, we must make sure you have contingency plans in place for critical suppliers. If there is no clear risk escalation path and process, that in itself should be flagged as a risk. We often find that older contracts limit the control you have over suppliers; for example, clauses may strip out audit rights or make it impossible to enforce strict SLAs. So we are seeing customers update their standard templates. You may not be able to impose these templates on the industry giants, who will often just shrug and hand you their own, but do make the effort to include the key items in the contract or in an addendum, such as a direct emergency contact channel with the supplier and escalation time limits for communications, as business continuity safeguards. In procurement, we see organizations forming dual-supplier arrangements: in addition to the primary supplier, a backup supplier that can be activated at short notice. You may not be able to sign terms directly with the alternative supplier, but you can at least establish the groundwork for a relationship in advance so that it can be started quickly in an emergency. Before moving to the next question, please note that Peter is about to launch a quick poll to close out this session; please feel free to take part while we handle the last question. Let’s take one last question before we wrap up. Adam, does what we have discussed today apply equally internally and externally? Do you think the way we manage suppliers differs from the way we manage internal business units?
Adam Kales: Yes, I think the way internal stakeholders and internal business units are managed differs from the way third-party suppliers are managed. That difference ultimately depends on how your organization operates, but the key point is that your company has a contract with the third party, and they deliver a service to your company. So when dealing with third parties you are in a much stronger position, particularly in requiring them to have their own arrangements in place, which is quite different from how you treat internal business units. When managing internal business units, you need to consider factors such as internal resource availability and focus on the arrangements they themselves need to put in place. So I think there is a fundamental difference between dealing with internal stakeholders and dealing with critical third parties, or third parties in general.
Alistair Parr: Excellent. Thank you very much, Adam. I am sorry we could not get to every question today, but if you have any questions, or would like to learn more about the content we are making available for free, please do get in touch. We would be very happy to support you. Special thanks to Adam for his insights today; we have learned a great deal from what you shared. Likewise, sincere thanks to Thomas for his excellent insights. Both of your perspectives have been admirable. We will send out a link with the session recording and information on the resources. Thank you all again for listening and taking part today, and enjoy the rest of your day!
©2026 Mitratech, Inc. All rights reserved.