The document discusses business continuity management and planning. It provides an overview of BCM and related concepts like business continuity planning and disaster recovery planning. It highlights the importance of having a comprehensive BCM framework that is tested. It also discusses risk management, planning considerations, the BCM planning and recovery process, and provides an assessment questionnaire to evaluate a BCM program.
5. Business Continuity Management (BCM)
Business Continuity Planning: to maintain continuity of critical processes & functions, e.g.:
• customer service
• administration
• billing
IT (Disaster) Recovery Planning: recovery of critical systems and applications
Crisis Management: organisation & ability to manage any crisis or disaster
6. Context - BCM, BCP & DRP
Business Continuity Management: overall approach to business continuity
Business Continuity Plans: address continuity of processes
IT Disaster Recovery Plans: one specific type of plan
7. BCM – Success Criteria
Commitment
Organisation
Communication
Testing & training
Plan maintenance & review
8. Example - Process Drivers
Supply Chain Network Risks
Limited Redundancy in Operations
Just in Time Operations - JIT, Lean
Low Maximum Acceptable Downtime
Single Points of Failure in Operations
Financial, Reputation, Legal, Market Risks
Reliance Upon Technology to Accomplish Job
9. Following a Crisis…Insurance won't:
Address Customer Migration
Restore damage to company image
Retain customer confidence and market share
Replace valuable employees or improve employee morale
Develop and bring new products into the marketplace
10. Goals
Integrate Operational and Business Risk Reduction with Business Continuity
Create a Risk Reduction / Disaster Resistance Mentality
Cover all aspects of the Response / Recovery process from Emergency Response through Business Recovery
Integrate all key aspects of planning - Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption
11. Incident Overview
(Flowchart, reconstructed as an outline)
Incident
Is it a business 'crisis'?
  No → Incident reporting & escalation → Resume business as usual
  Yes → Convene CCT → Implement BCPs → Manage Salvage & Repair; Manage HR & PR Issues → Process restoration & data catch-up → Business resumption & Cost recovery
Is it an IT 'disaster'?
  No → Normal IT operations → Resume as usual
  Yes → Invoke DRP: Convene DMT to coordinate DRP → BCPs for Business processes → Restore Hardware & Communications → Applications & Data Recovery (from Off-site back-up)
12. Incident Management
Respond
• Identify, report & assess Incident/Crisis
• Emergency procedures
• Escalate ⇒ activate CMT
• Isolate/contain damage
Restore
• Stabilise - CMT coordinate company wide response
• Damage control
• Short term restoration of operations & customer service
• Work-around & BCPs
• Manage indirect consequences, e.g. media coverage
Recover
• Assess impact (cost)
• Repair damage
• Recover image & market share
• Cost recovery, e.g. insurance
14. Risk Management Process (AS/NZS 4360:99)
Establish context
Assessment:
  Identify risks
  Analyse risks
  Evaluate & prioritise risks
Treat risks
Running throughout the process: Communication and Consultation; Monitor & Review
15. Risk Management Components
Risk Control (Proactive - minimises risk exposure and reduces likelihood, e.g. Security)
Risk Transfer (Insurance & Contracts - manages cost of risk)
Business Continuity & Contingency Planning (Reactive - minimises impact or consequences)
17. Set the Scene
BCM Team
Business Unit - BCPs
BCM Project / Program
Business Impact Analysis
Identify key business processes
Incident/Crisis Management Organisation
Risk identification, assessment & treatment
18. Identify / Prioritise Key Business Processes
Vital: not easily transferred or replaced; low tolerance, high cost of interruption; data may be permanently damaged/lost
Important: can be partially transferred for a limited period; moderate tolerance; potentially high cost of interruption
Deferrable: can be interrupted for an extended period; minor inconvenience
19. Business Impact Analysis
Key Resources: examines dependency of Vital & Important processes on Key Resources
MTO: determines Maximum Tolerable Outage (MTO), i.e. the restoration timeframe, for each resource
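As an added worked example (not part of the slide deck), the BIA step above in Python: processes are classed Vital / Important / Deferrable as on slide 18, each with an MTO and the key resources it depends on; the per-resource restoration timeframe is the tightest MTO among the Vital and Important processes that use it, and the example goes one step further to flag resources whose assumed current recovery capability misses that timeframe (the recovery gap the implementation checklist later asks about). Process names, hours and resource names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    criticality: str            # "Vital", "Important" or "Deferrable"
    mto_hours: int              # Maximum Tolerable Outage for this process
    depends_on: tuple[str, ...] # key resources the process needs

# BIA examines only Vital & Important processes; Deferrable ones
# do not drive resource restoration timeframes.
IN_SCOPE = {"Vital", "Important"}

def resource_mto(processes: list[Process]) -> dict[str, int]:
    """Restoration timeframe per key resource: the tightest MTO among
    the in-scope processes that depend on it."""
    mto: dict[str, int] = {}
    for p in processes:
        if p.criticality not in IN_SCOPE:
            continue
        for r in p.depends_on:
            mto[r] = min(mto.get(r, p.mto_hours), p.mto_hours)
    return mto

def recovery_gaps(needs: dict[str, int], capability: dict[str, int]) -> dict[str, tuple]:
    """Resources whose current recovery capability (hours) is unknown or
    slower than the MTO the business needs: (capability, need) per gap."""
    return {r: (capability.get(r), need) for r, need in needs.items()
            if capability.get(r) is None or capability[r] > need}

# Constructed sample data (hypothetical figures, not from the slides).
SAMPLE_PROCESSES = [
    Process("Customer service", "Vital", 4, ("Telephony", "CRM", "Office space")),
    Process("Billing", "Important", 48, ("ERP", "CRM", "Email")),
    Process("Administration", "Deferrable", 240, ("Email", "Office space", "HR system")),
]
SAMPLE_CAPABILITY = {"Telephony": 2, "CRM": 24, "Office space": 72, "ERP": 24, "Email": 8}

if __name__ == "__main__":
    needs = resource_mto(SAMPLE_PROCESSES)
    for r, h in sorted(needs.items()):
        print(f"{r}: restore within {h} h")
    for r, (have, need) in recovery_gaps(needs, SAMPLE_CAPABILITY).items():
        print(f"GAP {r}: capability {have} h vs need {need} h")
```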
20. BCP Components
Objectives, scope, possible scenarios
Organisation, responsibilities & communications
Incident impact assessment, escalation & plan invocation
Procedures & checklists for phases:
  Respond
  Restore: Vital & Important Processes
  Recover
Emergency contact lists
Document control & maintenance
21. BCP – Planning Consideration
Emergency Response Planning
Business Resumption Planning
Crisis Management and Communication
  Staff
  Public relations
Continuity of Customer Service
Information Technology & Services
Salvage & restoration of documents (e.g. licenses), records and artifacts
23. BCP – Operation Flow
Every operation is different…
The response process is similar…
Can be modelled to any operation
The flow chart that follows depicts a typical recovery sequence
Identifies the key escalation points, and plans that are activated
24. Key Factors
Each step in the process can be defined and measured
Can form a measurement grid for the process
Provides an indication of the issues to be addressed at each step in the process
25. BCP Planning & Recovery Process
Pre-Incident Planning Process:
  Step 1 - Risk Identification
  Step 2 - Risk Quantification
  Step 3 - Risk Mitigation
INCIDENT
Post-Incident Response Planning Process:
  Step 4 - Emergency Response
  Step 5 - Crisis Management
  Step 6 - Business Resumption
27. Step 2 – Risk Quantification
Physical risk controls identified and evaluated for effectiveness
Operational risk controls identified and evaluated for effectiveness
Residual risk identified and translated to outage and impact potential
Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.
Risk and impact quantification used to develop mitigation priorities
28. Step 3 – Risk Mitigation
Future mitigation priorities supported by risk ID and quantification
Physical and Operational risk reduction from mitigation quantified
Mitigation issues assigned time frame and responsibility
Review process addresses mitigation issue resolution
29. Step 4 – Emergency Response
Emergency Response Team is in place and trained
All potential hazard scenarios are considered
Evacuation and Take Cover procedures are in place and tested
Employee gathering spots are defined
Plan addresses notification and direction of police, fire, EMS, and Utilities
Restoration and Reconstruction contractors identified and engaged
Damage Assessment Team and Plan is developed
30. Step 5 – Crisis Management
Roles and Responsibilities are detailed
CMT directs both Restoration and Resumption
Disaster Declaration criteria / decision points are defined
Facility Crisis Management Team identified and complete
Crisis Communications Plan is in place for all affected / interested parties
Damage Assessment reporting is linked with CMT operations
CMT is the focal point for local recovery and Corporate liaison
31. Step 6 – Business Resumption
Restoration of Host Site is addressed
Manufacturing Contingency Plans are in place
Mitigation of customer impact is captured in the plan
Alternative Production operations are defined in detail
IT and Telecommunications recovery plan is identified
Recovery teams are identified with detailed Roles and Responsibilities
Restoration of productive capacity and capability with timeframes
32. Response - Key Elements
Emergency Response Team - Safety, Security, Medical, Line Management, Environmental
Crisis Management Team - Senior leadership, Operations Management
Damage Assessment Team - Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security
Crisis Communications - HR / Communication Specialists
Business Resumption - Line Management and Staff
34. Management
Do you have a clearly defined, documented and approved management process to manage the BCM program?
Does your BCM program clearly identify and comply with regulatory, legal, policy and principle requirements?
Are there professionally qualified BCM practitioners involved in the implementation of this program?
Have overall accountability and responsibilities for the management of the BCM program been clearly defined and documented?
Have you successfully demonstrated (including crisis management) competence and capability via exercising, rehearsal and testing or invocation?
Does your BCM program incorporate the allocation of dedicated resources and finance as a part of the annual budget development and management process?
Does your program provide assurance that suppliers (internal and/or outsourced providers) have an effective, up-to-date and fit-for-purpose BCM capability?
Do you have a Management Information System (MIS) to monitor and provide regular reports concerning the status of BCM?
35. Policy
Do you have a clearly defined, documented and approved BCM policy?
Does your BCM policy enable corporate governance, the discharge of its responsibilities and satisfaction of its legal and regulatory obligations?
Does the policy provide a clearly defined, documented and approved set of BCM guidelines and minimum standards?
Does your policy provide a clearly defined, documented and approved independent audit process, including frequency and triggers, of your BCM capability?
36. Assurance
Do you have a clearly defined, documented and approved BCM assurance management process and frequency?
Do you have clearly defined, documented and approved KPIs (objectives, targets and standards) for BCM?
Do you have a clearly defined and documented monitoring, evaluation and review process for your BCM KPIs?
Does the assurance process provide clearly defined, documented and approved management information assurance reports?
Does your assurance process provide clearly defined, approved, prioritised and documented remedial action plan(s) to implement the agreed recommendations?
37. Business Impact Analysis
Have you adopted a clearly defined and documented standard BIA process (insourcing and outsourcing)?
Was the current BIA completed within the last 12 months?
Does your BIA identify resource recovery requirements?
Do you have a process to ensure that a BIA is carried out as a part of all project and change management, including new developments of (and major changes to) IT systems, services and their sourcing?
38. Risk Assessment
Do you have a clearly defined, documented and approved risk management strategy?
Do you have an approved standard process to carry out an operational risk assessment?
Do you have a clearly defined and documented process to ensure the approved risk methodology, tools, techniques and criteria are consistently applied?
Do you have a clearly defined, documented and approved organisation risk appetite benchmark, including the acceptance of residual risk?
Has a risk assessment been completed within the last 12 months?
Have you identified areas of high risk concentration and introduced risk management controls (an action plan) to eliminate, mitigate, reduce or transfer the effects of identified key threats, vulnerabilities, exposures or liabilities?
39. Organisation Process Strategy
Is your BCM strategy clearly aligned / linked to the overall strategic aims and business strategies?
Do you have a clearly defined, documented and approved BCM framework?
Have you identified key roles, responsibilities and authorities for the BCM strategy?
Has the selected process level BCM strategy(ies) been fully evaluated to ensure it is fit-for-purpose and capable of working within the required timescales?
40. Resource Recovery
Do you have a clearly defined, documented and approved resource recovery strategy?
Does the resource recovery strategy incorporate the resource recovery requirement from the BIA?
Have the key roles, accountabilities, responsibilities and authorities within the resource recovery BCM strategy been clearly defined and documented?
Have both technical (e.g. IT, telecommunications) and non-technical issues been considered within the resource recovery strategy?
Has the insourcing and outsourcing of your products and services been included within the resource recovery?
41. BCM Implementation
Human Resources
Do you have mandatory instructions, advice, process, procedure or guidelines concerning
• casualties and fatalities
• confidential staff counseling and staff welfare?
Communication
Do you have instructions, advice, process, procedure or guidelines concerning internal and external communications?
42. Implementation (Contd.)
Information Technology & Communication (ITC)
Do you have ITC resumption and recovery strategies? Have these been clearly documented?
Have you identified a technical recovery site which is not to be affected by the same incident?
Have your business owners, technical and/or specialist third party service providers successfully tested the resumption and/or recovery of the IT systems and software?
Is there an inventory of all IT systems software and a process for its restoration, including licensing arrangements?
Are there arrangements in place for specialist software in escrow?
Are there SLAs in place, and have they been tested in case of disaster?
43. Implementation (Contd.)
Security
Have you tested the appropriate physical security and environmental controls?
Insurance
Are insurance policies and their coverage limits reviewed regularly for adequacy and cost benefit?
Checklist / Forms
Is there an up-to-date task list that clearly identifies both mandatory and discretionary tasks together with the individuals accountable or responsible for their completion within an allocated timeframe?
Do you provide an auditable process for tracking and recording the completion of the BCP task list after the plan has been invoked and any additional on-going tasks?
Are there up-to-date (internal and external) contact lists of all stakeholders, including key service providers / contractors?
Does the BCP provide a situation management and decision log template?
44. Implementation (Contd.)
Data
Are there clearly defined backup procedures for all applications, hardware and data (both electronic and paper, e.g. records, unique records or documents) and clearly defined recovery and restoration processes and procedures in place?
Can vital records (both electronic and paper) and their dependencies be recovered simultaneously at more than one disaster site if required?
Business Process
Do you have a process for recovering work in progress and work backlog processing?
Do you have a process for the provision of manual operations and fallback solutions and related activities wherever gaps exist between IT resumption and/or recovery capabilities and BCM needs?
Do you have a clearly defined change control process to ensure BCM requirements and selected BCM solutions are maintained in an up-to-date and fit-for-purpose status?
Emergency Procedures
Do you have documented emergency evacuation procedures, and when were they last tested?
45. Training & Culture
Do you have a clearly defined, published and approved BCM vision and policy statement?
Are there training / cultural programs in place to achieve the outcomes?
Have your BCM policy, principles and program been communicated?
Does your executive or senior and middle management proactively demonstrate its support and strong commitment to the BCM vision, policy and program?
Are the implementation and maintenance of the BCM policy and principles strictly monitored and evaluated?
Are BCM roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organisation?
Is your BCM integrated with the reward, recognition, performance management and appraisal system?
Do you have clearly defined and documented KPIs for BCM?
Is there a formal BCM awareness or induction training program for all new and existing managers and staff?