Business Continuity Management

      Is your BCM Framework
     comprehensive & tested?


       Anand Subramaniam
“People with opinions just go around
       bothering one another.”

                              - The Buddha




                                         2
Highlights
   BCP Overview
   Risk Management - AS/NZS 4360:99
   Planning Consideration
   BCP Planning & Recovery Process
   Assessment / Questionnaire




                                       3
BCM Overview
Business Continuity Management (BCM)

Business Continuity Planning: to maintain continuity of critical processes &
functions, e.g.:
• customer service
• administration
• billing

IT (Disaster) Recovery Planning: Recovery of critical systems and applications

Crisis Management: Organisation & ability to manage any crisis or disaster


                                                                     5
Context - BCM, BCP & DRP

Business Continuity Management: Overall Approach to Business Continuity
Business Continuity Plans: Address Continuity of Processes
IT Disaster Recovery Plans: One Specific Type of Plan

                                        6
BCM – Success Criteria
   Commitment
   Organisation
   Communication
   Testing & training
   Plan maintenance & review




                                   7
Example - Process Drivers
   Supply Chain Network Risks
   Limited Redundancy in Operations
   Just in Time Operations - JIT, Lean
   Low Maximum Acceptable Downtime
   Single Points of Failure in Operations
   Financial, Reputation, Legal, Market Risks
   Reliance Upon Technology to Accomplish Job
                                              8
Following a Crisis…Insurance won’t
 Address Customer Migration
 Restore damage to company image
 Retain customer confidence and market
  share
 Replace valuable employees or improve
  employee morale
 Develop and bring new products into the
  marketplace
                                            9
Goals
 Integrate Operational and Business Risk
  Reduction with Business Continuity
 Create a Risk Reduction / Disaster Resistance
  Mentality
 Cover all aspects of the Response / Recovery
  process from Emergency Response through
  Business Recovery
 Integrate all key aspects of planning- Security,
  Crisis Management, Crisis Communications,
  Damage Assessment and Restoration, Business
  Resumption
                                                 10
Incident Overview
                                        Incident


Resume                               Incident                                Resume
            No     Is it a                              Is it an IT    No    Business
business                           reporting &                              normal IT
                  ‘crisis’?                             ‘disaster’?           as usual
as usual                            escalation                              operations
                        Yes                                    Yes
                 Convene                           Invoke DRP: Convene
                  CCT                 BCPs           DMT to coordinate



                                    Implement             DRP
 Manage          Manage HR
 Salvage             &               BCPs for
 & Repair         PR Issues          Business
                                     processes      Restore Hardware
                                                    & Communications
                                      Process
                                   restoration &      Applications               Off-site
                                   data catch-up     & Data Recovery             back-up

             Business resumption
              & Cost recovery


                                                                                     11
Incident Management
Respond
•   Identify, report & assess Incident/Crisis
•   Emergency procedures
•   Escalate ⇒ activate CMT
•   Isolate/contain damage

               Restore
               •   Stabilise - CMT coordinate company wide response
               •   Damage control
               •   Short term restoration of operations & customer service
               •   Work-around & BCPs
               •   Manage indirect consequences, e.g. media coverage
                                                  Recover
                                                  •   Assess impact (cost)
                                                  •   Repair damage
                                                  •   Recover image & market share
                                                  •   Cost recovery, e.g. insurance


                                                                                      12
Risk Management - AS/NZS 4360:99
Risk Management Process (AS/NZS 4360:99)

Establish context
Assessment:
•   Identify risks
•   Analyse risks
•   Evaluate & prioritise risks
Treat risks

Alongside all steps: Consultation and Communication; Monitor & Review


                                                                            14
Risk Management Components

Risk Control: Proactive - minimises risk exposure and reduces likelihood, e.g. Security
Risk Transfer: Insurance & Contracts - Manages Cost of Risk
Business Continuity & Contingency Planning: Reactive - Minimises impact or consequences
                                                        15
Planning Consideration
Set the Scene
   BCM Team
   Business Unit - BCPs
   BCM Project / Program
   Business Impact Analysis
   Identify key business processes
   Incident/Crisis Management Organisation
   Risk identification, assessment &
    treatment
                                              17
Identify / Prioritise Key Business Processes


Vital: Not easily transferred or replaced; low tolerance, high cost of
interruption; data may be permanently damaged/lost

Important: Can be partially transferred for limited period; moderate
tolerance; potentially high cost of interruption

Deferrable: Can be interrupted for extended period; minor inconvenience



                                                         18
Business Impact Analysis

Key Resources: Examines dependency of Vital & Important processes on Key
Resources

MTO: Determines Maximum Tolerable Outage (MTO); i.e. the restoration
timeframe, for each resource



                                            19
BCP Components
 Objectives, scope, possible scenarios
 Organisation, responsibilities & communications
 Incident impact assessment, escalation & plan
  invocation
 Procedures & checklists for phases:
    Respond
    Restore: Vital & Important Processes
    Recover
 Emergency contact lists
 Document control & maintenance
                                                20
BCP – Planning Consideration
 Emergency Response Planning
 Business Resumption Planning
 Crisis Management and Communication
     Staff
     Public relations
     Continuity of Customer Service
     Information Technology & Services
     Salvage & restoration of documents (e.g.
      licenses), records and artifacts

                                                 21
BCP Planning & Recovery Process
BCP – Operation Flow
 Every operation is different…
 The response process is similar…
 Can be modeled to any operation
 Flow chart that follows depicts a typical
  recovery sequence
 Identifies the key escalation points, and
  plans that are activated


                                              23
Key Factors
 Each step in process can be defined and
  measured
 Can form measurement grid for process
 Provide an indication of the issues to be
  addressed at each step in the process




                                              24
BCP Planning & Recovery Process
Pre-Incident Planning Process
•   Step 1: Risk Identification
•   Step 2: Risk Quantification
•   Step 3: Risk Mitigation

INCIDENT

Post-Incident Response Planning Process
•   Step 4: Emergency Response
•   Step 5: Crisis Management
•   Step 6: Business Resumption

                                                                   25
Step 1 - Risk Identification
 Physical risks identified
 Operational risks identified
 Critical single source suppliers identified
 Revenue impact potential identified
 Contractual/Regulatory exposures
  identified
 Process flow mapped

                                                26
Step 2 – Risk Quantification
 Physical risk controls identified and evaluated for
  effectiveness
 Operational risk controls identified and evaluated for
  effectiveness
 Residual risk identified and translated to outage and
  impact potential
 Outage potential translated to revenue impact, regulatory
  impact, long term migration potential, etc.
 Risk and impact quantification used to develop mitigation
  priorities


                                                         27
Step 3 – Risk Mitigation
 Future mitigation priorities supported by
  risk ID, and quantification
 Physical and Operational risk reduction
  from mitigation quantified
 Mitigation issues assigned time frame and
  responsibility
 Review process addresses mitigation
  issue resolution

                                          28
Step 4 – Emergency Response
 Emergency Response Team is in place and trained
 All potential hazard scenarios are considered
 Evacuation and Take Cover procedures are in place and
  tested
 Employee gathering spots are defined
 Plan addresses notification and direction of police, fire,
  EMS, and Utilities
 Restoration and Reconstruction contractors identified
  and engaged
 Damage Assessment Team and Plan is developed



                                                           29
Step 5 – Crisis Management
 Roles and Responsibilities are detailed
 CMT directs both Restoration and Resumption
 Disaster Declaration criteria / decision points are defined
 Facility Crisis Management Team identified and
  complete
 Crisis Communications Plan is in place for all affected /
  interested parties
 Damage Assessment reporting is linked with CMT
  operations
 CMT is the focal point for local recovery and Corporate
  liaison


                                                            30
Step 6 – Business Resumption
 Restoration of Host Site is addressed
 Manufacturing Contingency Plans are in place
 Mitigation of customer impact is captured in the plan
 Alternative Production operations are defined in detail
 IT and Telecommunications recovery plan is identified
 Recovery teams are identified with detailed Roles and
  Responsibilities
 Restoration of productive capacity and capability with
  timeframes




                                                            31
Response - Key Elements
 Emergency Response Team- Safety, Security, Medical,
  Line Management, Environmental

 Crisis Management Team- Senior leadership, Operations
  Management

 Damage Assessment Team- Facility and Utilities
  Engineering, Process Maintenance, Purchasing,
  Logistics, Security

 Crisis Communications- HR / Communication Specialists

 Business Resumption- Line Management and Staff

                                                        32
Assessment / Questionnaire
Management
   Do you have a clearly defined, documented and approved management
    process to manage the BCM program?
   Does your BCM program clearly identify and comply with regulatory, legal,
    policy and principle requirements?
   Are there professionally qualified BCM practitioners involved in the
    implementation of this program?
   Have overall accountability and responsibilities for the management of the
     BCM program been clearly defined and documented?
   Have you successfully demonstrated (including crisis management)
    competence and capability via exercising, rehearsal and testing or
    invocation?
   Does your BCM program incorporate the allocation of dedicated resources
    and finance as a part of the annual budget development and management
    process?
   Does your program provide assurance that suppliers (internal and/or
    outsourced providers) have an effective, up-to-date and fit-for-purpose BCM
    capability?
   Do you have a Management Information System (MIS) to monitor and
    provide regular reports concerning the status of BCM?

                                                                                34
Policy
 Do you have a clearly defined, documented and
  approved BCM policy?
 Does your BCM policy enable corporate governance, the
  discharge of its responsibilities and satisfaction of its
  legal and regulatory obligations?
 Does the policy provide a clearly defined, documented
  and approved set of BCM guidelines and minimum
  standards?
 Does your policy provide a clearly defined, documented
  and approved independent audit process including
  frequency and triggers of your BCM capability?


                                                         35
Assurance
 Do you have a clearly defined, documented and
  approved BCM assurance management process and
  frequency?
 Do you have clearly defined, documented and approved
  KPIs (objectives, targets and standards) for BCM?
 Do you have a clearly defined and documented
  monitoring, evaluation and review process for your BCM
  KPIs?
 Does the assurance process provide clearly defined,
  documented and approved management information
  assurance reports?
 Does your assurance process provide clearly defined,
  approved, prioritised and documented remedial action
  plan(s) to implement the agreed recommendations?

                                                       36
Business Impact Analysis
 Have you adopted a clearly defined and
  documented standard BIA process (insourcing
  and outsourcing)?
 Was the current BIA completed within the last 12
  months?
 Does your BIA identify resource recovery
  requirements?
 Do you have a process to ensure that a BIA is
  carried out as a part of all project and change
  management including new developments of
  (and major changes to) IT systems, services and
  their sourcing?
                                                37
Risk Assessment
 Do you have a clearly defined, documented and approved risk
  management strategy?
 Do you have an approved standard process to carry out an
  operational risk assessment?
 Do you have a clearly defined and documented process to ensure
  the approved risk methodology, tools, techniques and criteria are
  consistently applied?
 Do you have a clearly defined, documented and approved
  organisation risk appetite benchmark, including the acceptance of
  residual risk?
 Has a risk assessment been completed within the last 12 months?
 Have you identified areas of high risk concentration and introduced
  risk management controls (an action plan) to eliminate, mitigate,
  reduce, transfer the effects of identified key threats, vulnerabilities,
  exposures or liabilities?



                                                                         38
Organisation Process Strategy
 Is your BCM strategy clearly aligned / linked to
  the overall strategic aims and business
  strategies?
 Do you have a clearly defined, documented and
  approved BCM framework?
 Have you identified key roles, responsibilities
  and authorities for the BCM strategy?
 Has the selected process level BCM
  strategy(ies) been fully evaluated to ensure fit-
  for-purpose and capable of working within the
  required timescales?
                                                  39
Resource Recovery
 Do you have a clearly defined, documented and
  approved resource recovery strategy?
 Does the resource recovery strategy incorporate the
  resource recovery requirement from the BIA?
 Have the key roles, accountabilities, responsibilities and
  authorities within the resource recovery BCM strategy
  been clearly defined and documented?
 Have both technical (e.g. IT, telecommunications) and
  non-technical issues been considered within the
  resource recovery strategy?
 Has the insourcing and outsourcing of your products and
  services been included within the resource recovery?

                                                           40
BCM Implementation
 Human Resources
  Do you have mandatory instructions, advice,
   process, procedure or guidelines concerning
   • casualties and fatalities
   • confidential staff counseling and staff welfare?


 Communication
  Do you have instructions, advice, process,
   procedure or guidelines concerning internal
   and external communications?
                                                        41
Implementation (Contd.)
 Information Technology & Communication
  (ITC)
   Do you have ITC resumption and recovery strategies? Has this
    been clearly documented?
   Have you identified a technical recovery site which is not to be
    affected by the same incident?
   Have your business owners, technical and/or specialist third
    party service providers successfully tested the resumption
    and/or recovery of the IT systems and software?
   Is there an inventory of all IT systems software and a process for
    its restoration, including licensing arrangements?
   Are there arrangements in place for specialist software in
    escrow?
   Are there SLAs in place and have they been tested in case of
    disaster?


                                                                    42
Implementation (Contd.)
 Security
    Have you tested the appropriate physical security and environmental
     controls?
 Insurance
    Are insurance policies and their coverage limits reviewed regularly for
     adequacy and cost benefit?
 Checklist / Forms
    Is there an up-to-date task list that clearly identifies both mandatory and
     discretionary tasks together with the individuals accountable or
     responsible for their completion within an allocated timeframe?
    Do you provide an auditable process for tracking and recording the
     completion of the BCP task list after the plan has been invoked and any
     additional on-going tasks?
    Are there up-to-date (internal and external) contact lists of all
     stakeholders including key service providers / contractors?
    Does the BCP provide a situation management and decision log
     template?

                                                                               43
Implementation (Contd.)
 Data
    Are there clearly defined backup procedures for all applications, hardware and
     data (both electronic and paper, e.g. records, unique records or documents) and
     clearly defined recovery and restoration processes and procedures in place?
    Can vital records (both electronic and paper) and their dependencies be
     recovered simultaneously at more than one disaster site if required?
 Business Process
    Do you have a process for recovering work in progress and work backlog
     processing?
    Do you have a process for the provision of manual operations and fallback
     solutions and related activities wherever gaps exist between IT resumption
     and/or recovery capabilities and BCM needs?
    Do you have a clearly defined change control process to ensure BCM
     requirements and selected BCM solutions are maintained in an up-to-date and
     fit-for-purpose status?
 Emergency Procedures.
    Do you have documented emergency evacuation procedures and when were
     they last tested?



                                                                                   44
Training & Culture
   Do you have a clearly defined, published and approved BCM vision and
    policy statement?
   Are there training / cultural programs in place to achieve the outcomes?
   Have your BCM policy, principles and program been communicated?
   Does your executive or senior and middle management proactively
    demonstrate its support and strong commitment to the BCM vision, policy
    and program?
   Are the implementation and maintenance of the BCM policy and principles
    strictly monitored and evaluated?
   Are BCM roles, accountabilities, responsibilities and authorities clearly
    defined and documented within job descriptions at all levels of the
    organisation?
   Is your BCM integrated with the reward, recognition, performance
    management and appraisal system?
   Do you have clearly defined and documented KPIs for BCM?
   Is there a formal BCM awareness or induction training program for all new
    and existing managers and staff?


                                                                                45
Current State Assessment




                           46
“Sometimes, the question is more important
             than the answer.”


                                      - Plato



                                           47
Good Luck
http://www.linkedin.com/in/anandsubramaniam




                                              48

 
Virtualisation:- Business Continuity Solution or Enabler
Virtualisation:- Business Continuity Solution or EnablerVirtualisation:- Business Continuity Solution or Enabler
Virtualisation:- Business Continuity Solution or Enablersubtitle
 
Microsoft power point risk governance-schreckenberg_swissre_idrc_2012
Microsoft power point   risk governance-schreckenberg_swissre_idrc_2012Microsoft power point   risk governance-schreckenberg_swissre_idrc_2012
Microsoft power point risk governance-schreckenberg_swissre_idrc_2012Global Risk Forum GRFDavos
 
Solvency II - Programme Assurance
Solvency II - Programme AssuranceSolvency II - Programme Assurance
Solvency II - Programme Assurancegainline
 
Be Solid & Trusted New Change Management (Ncm) En Linked In
Be Solid & Trusted New Change Management (Ncm) En Linked InBe Solid & Trusted New Change Management (Ncm) En Linked In
Be Solid & Trusted New Change Management (Ncm) En Linked Infsw13169
 
Business continuity management fundamentals update
Business continuity management fundamentals updateBusiness continuity management fundamentals update
Business continuity management fundamentals updateExo Futures
 
BCM Roadmap
BCM RoadmapBCM Roadmap
BCM Roadmapbtrmuray
 
Business continuity
Business continuityBusiness continuity
Business continuityMeenu S
 
Business Resilience
Business ResilienceBusiness Resilience
Business Resiliencerix57
 
S thomas sfield
S thomas sfieldS thomas sfield
S thomas sfieldNASAPMC
 
Business Continuity Planning Seminar
Business Continuity Planning SeminarBusiness Continuity Planning Seminar
Business Continuity Planning Seminarcmckinney
 
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk Management
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk ManagementKorean Banks Efforts To Prepare For Bcp.Effective Operational Risk Management
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk ManagementEnterprise Security Risk Management
 
Solvency II IT Impacts
Solvency II   IT ImpactsSolvency II   IT Impacts
Solvency II IT ImpactsAli BELCAID
 
Operational Risk Educational Courses to be held in Kenya
Operational Risk Educational Courses to be held in KenyaOperational Risk Educational Courses to be held in Kenya
Operational Risk Educational Courses to be held in Kenyachasecooper
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk TransferCBIZ, Inc.
 
Benefits tracking gsw
Benefits tracking gswBenefits tracking gsw
Benefits tracking gswwoznite65
 

Similaire à Assess Your Business Continuity Management Process (20)

BC Components and CM Lifecycle
BC Components and  CM LifecycleBC Components and  CM Lifecycle
BC Components and CM Lifecycle
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and Remediation
 
From technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontierFrom technology risk_to_enterprise_risk_the_new_frontier
From technology risk_to_enterprise_risk_the_new_frontier
 
Virtualisation:- Business Continuity Solution or Enabler
Virtualisation:- Business Continuity Solution or EnablerVirtualisation:- Business Continuity Solution or Enabler
Virtualisation:- Business Continuity Solution or Enabler
 
Microsoft power point risk governance-schreckenberg_swissre_idrc_2012
Microsoft power point   risk governance-schreckenberg_swissre_idrc_2012Microsoft power point   risk governance-schreckenberg_swissre_idrc_2012
Microsoft power point risk governance-schreckenberg_swissre_idrc_2012
 
Solvency II - Programme Assurance
Solvency II - Programme AssuranceSolvency II - Programme Assurance
Solvency II - Programme Assurance
 
Be Solid & Trusted New Change Management (Ncm) En Linked In
Be Solid & Trusted New Change Management (Ncm) En Linked InBe Solid & Trusted New Change Management (Ncm) En Linked In
Be Solid & Trusted New Change Management (Ncm) En Linked In
 
Business continuity management fundamentals update
Business continuity management fundamentals updateBusiness continuity management fundamentals update
Business continuity management fundamentals update
 
BCM Roadmap
BCM RoadmapBCM Roadmap
BCM Roadmap
 
Business continuity
Business continuityBusiness continuity
Business continuity
 
Business Resilience
Business ResilienceBusiness Resilience
Business Resilience
 
S thomas sfield
S thomas sfieldS thomas sfield
S thomas sfield
 
Business Continuity Planning Seminar
Business Continuity Planning SeminarBusiness Continuity Planning Seminar
Business Continuity Planning Seminar
 
Operational risks
Operational risksOperational risks
Operational risks
 
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk Management
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk ManagementKorean Banks Efforts To Prepare For Bcp.Effective Operational Risk Management
Korean Banks Efforts To Prepare For Bcp.Effective Operational Risk Management
 
Solvency II IT Impacts
Solvency II   IT ImpactsSolvency II   IT Impacts
Solvency II IT Impacts
 
Operational Risk Educational Courses to be held in Kenya
Operational Risk Educational Courses to be held in KenyaOperational Risk Educational Courses to be held in Kenya
Operational Risk Educational Courses to be held in Kenya
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
 
PD25888: Recovery Planning
PD25888: Recovery PlanningPD25888: Recovery Planning
PD25888: Recovery Planning
 
Benefits tracking gsw
Benefits tracking gswBenefits tracking gsw
Benefits tracking gsw
 

Plus de Anand Subramaniam (20)

Lean transformation
Lean transformationLean transformation
Lean transformation
 
Lean principles
Lean principlesLean principles
Lean principles
 
Lean thinking
Lean thinkingLean thinking
Lean thinking
 
Anand dossier 2
Anand dossier 2Anand dossier 2
Anand dossier 2
 
Anand short dossier
Anand short dossierAnand short dossier
Anand short dossier
 
Set up reduction
Set up reductionSet up reduction
Set up reduction
 
Waste Walk ~ Audit
Waste Walk ~ AuditWaste Walk ~ Audit
Waste Walk ~ Audit
 
Muda in service industries
Muda in service industriesMuda in service industries
Muda in service industries
 
Defects Vs. Errors
Defects Vs. ErrorsDefects Vs. Errors
Defects Vs. Errors
 
3 MU
3 MU3 MU
3 MU
 
Ninbennoaru Jidoka
Ninbennoaru JidokaNinbennoaru Jidoka
Ninbennoaru Jidoka
 
Gemba kaizen
Gemba kaizenGemba kaizen
Gemba kaizen
 
LSS Idea Generation to Project Execution
LSS Idea Generation to Project ExecutionLSS Idea Generation to Project Execution
LSS Idea Generation to Project Execution
 
LSS - 5 Year Strategy
LSS -  5 Year StrategyLSS -  5 Year Strategy
LSS - 5 Year Strategy
 
Lean Six Sigma Projects & Strategy Linkage
Lean Six Sigma Projects & Strategy LinkageLean Six Sigma Projects & Strategy Linkage
Lean Six Sigma Projects & Strategy Linkage
 
CMMI & Six Sigma Integration
CMMI & Six Sigma IntegrationCMMI & Six Sigma Integration
CMMI & Six Sigma Integration
 
CMMI Capability Maturity Model Integration
CMMI   Capability Maturity Model Integration CMMI   Capability Maturity Model Integration
CMMI Capability Maturity Model Integration
 
8 D – Problem Solving Process
8 D – Problem Solving Process8 D – Problem Solving Process
8 D – Problem Solving Process
 
Total Productive Maintenance
Total Productive MaintenanceTotal Productive Maintenance
Total Productive Maintenance
 
TPM Implementation Strategy
TPM Implementation StrategyTPM Implementation Strategy
TPM Implementation Strategy
 

Dernier

Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZKanakChauhan5
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHelene Heckrotte
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...IMARC Group
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...Khaled Al Awadi
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGlokeshwarmaha
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxWorkforce Group
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfHajeJanKamps
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 

Dernier (20)

Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZ
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentation
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 

Assess Your Business Continuity Management Process

  • 1. Business Continuity Management Is your BCM Framework comprehensive & tested? Anand Subramaniam
  • 2. “People with opinions just go around bothering one another.” - The Buddha
  • 3. Highlights
      • BCP Overview
      • Risk Management - AS/NZS 4360:99
      • Planning Consideration
      • BCP Planning & Recovery Process
      • Assessment / Questionnaire
  • 5. Business Continuity Management (BCM)
      • Business Continuity Planning: to maintain continuity of critical processes & functions, e.g.: customer service, administration, billing
      • IT (Disaster) Recovery Planning: Recovery of critical systems and applications
      • Crisis Management: Organisation & ability to manage any crisis or disaster
  • 6. Context - BCM, BCP & DRP
      • Business Continuity Management: Overall Approach to Business Continuity
      • Business Continuity Plans: Address Continuity of Processes
      • IT Disaster Recovery Plans: One Specific Type of Plan
  • 7. BCM – Success Criteria
      • Commitment
      • Organisation
      • Communication
      • Testing & training
      • Plan maintenance & review
  • 8. Example - Process Drivers
      • Supply Chain Network Risks
      • Limited Redundancy in Operations
      • Just in Time Operations - JIT, Lean
      • Low Maximum Acceptable Downtime
      • Single Points of Failure in Operations
      • Financial, Reputation, Legal, Market Risks
      • Reliance Upon Technology to Accomplish Job
  • 9. Following a Crisis… Insurance won’t
      • Address Customer Migration
      • Restore damage to company image
      • Retain customer confidence and market share
      • Replace valuable employees or improve employee morale
      • Develop and bring new products into the marketplace
  • 10. Goals
      • Integrate Operational and Business Risk Reduction with Business Continuity
      • Create a Risk Reduction / Disaster Resistance Mentality
      • Cover all aspects of the Response / Recovery process from Emergency Response through Business Recovery
      • Integrate all key aspects of planning - Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption
  • 11. Incident Overview [flowchart] Decision points: Is it a business ‘crisis’? Is it an IT ‘disaster’? Boxes include incident reporting & escalation, resume business as usual, resume normal IT operations, invoke BCPs, implement DRP, salvage & repair, process restoration & catch-up, data recovery, off-site data back-up, and business resumption & cost recovery.
  • 12. Incident Management
      • Respond
          • Identify, report & assess Incident/Crisis
          • Emergency procedures
          • Escalate ⇒ activate CMT
          • Isolate/contain damage
      • Restore
          • Stabilise - CMT coordinate company wide response
          • Damage control
          • Short term restoration of operations & customer service
          • Work-around & BCPs
          • Manage indirect consequences, e.g. media coverage
      • Recover
          • Assess impact (cost)
          • Repair damage
          • Recover image & market share
          • Cost recovery, e.g. insurance
  • 13. Risk Management - AS/NZS 4360:99
  • 14. Risk Management Process (AS/NZS 4360:99) [diagram] Steps: Establish context, Identify risks, Analyse risks, Evaluate & prioritise risks, Treat risks. Side labels: Monitor & Review; Consultation and Communication; Assessment.
  • 15. Risk Management Components
      • Risk Control (Proactive - minimises risk exposure and reduces likelihood, e.g. Security)
      • Risk Transfer (Insurance & Contracts - Manages Cost of Risk)
      • Business Continuity & Contingency Planning (Reactive - Minimises impact or consequences)
  • 17. Set the Scene
      • BCM Team
      • Business Unit - BCPs
      • BCM Project / Program
      • Business Impact Analysis
      • Identify key business processes
      • Incident/Crisis Management Organisation
      • Risk identification, assessment & treatment
  • 18. Identify / Prioritise Key Business Processes
      • Vital: Not easily transferred or replaced; low tolerance, high cost of interruption; data may be permanently damaged/lost
      • Important: Can be partially transferred for limited period; moderate tolerance; potentially high cost of interruption
      • Deferrable: Can be interrupted for extended period; minor inconvenience
  • 19. Business Impact Analysis
      • Key Resources: Examines dependency of Vital & Important processes on Key Resources
      • MTO: Determines Maximum Tolerable Outage (MTO); i.e. the restoration timeframe, for each resource
  • 20. BCP Components
      • Objectives, scope, possible scenarios
      • Organisation, responsibilities & communications
      • Incident impact assessment, escalation & plan invocation
      • Procedures & checklists for phases:
          • Respond
          • Restore: Vital & Important Processes
          • Recover
      • Emergency contact lists
      • Document control & maintenance
  • 21. BCP – Planning Consideration
      • Emergency Response Planning
      • Business Resumption Planning
      • Crisis Management and Communication
      • Staff
      • Public relations
      • Continuity of Customer Service
      • Information Technology & Services
      • Salvage & restoration of documents (e.g. licenses), records and artifacts
  • 22. BCP Planning & Recovery Process
  • 23. BCP – Operation Flow
      • Every operation is different…
      • The response process is similar…
      • Can be modeled to any operation
      • Flow chart that follows depicts a typical recovery sequence
      • Identifies the key escalation points, and plans that are activated
  • 24. Key Factors
      • Each step in process can be defined and measured
      • Can form measurement grid for process
      • Provide an indication of the issues to be addressed at each step in the process
  • 25. BCP Planning & Recovery Process
      • Pre-Incident Planning Process: Step 1 Risk Identification, Step 2 Risk Quantification, Step 3 Risk Mitigation
      • INCIDENT
      • Post-Incident Response Planning Process: Step 4 Emergency Response, Step 5 Crisis Management, Step 6 Business Resumption
  • 26. Step 1 - Risk Identification
      • Physical risks identified
      • Operational risks identified
      • Critical single source suppliers identified
      • Revenue impact potential identified
      • Contractual/Regulatory exposures identified
      • Process flow mapped
  • 27. Step 2 – Risk Quantification
      • Physical risk controls identified and evaluated for effectiveness
      • Operational risk controls identified and evaluated for effectiveness
      • Residual risk identified and translated to outage and impact potential
      • Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.
      • Risk and impact quantification used to develop mitigation priorities
  • 28. Step 3 – Risk Mitigation
      • Future mitigation priorities supported by risk ID, and quantification
      • Physical and Operational risk reduction from mitigation quantified
      • Mitigation issues assigned time frame and responsibility
      • Review process addresses mitigation issue resolution
  • 29. Step 4 – Emergency Response
      • Emergency Response Team is in place and trained
      • All potential hazard scenarios are considered
      • Evacuation and Take Cover procedures are in place and tested
      • Employee gathering spots are defined
      • Plan addresses notification and direction of police, fire, EMS, and Utilities
      • Restoration and Reconstruction contractors identified and engaged
      • Damage Assessment Team and Plan is developed
  • 30. Step 5 – Crisis Management
      • Roles and Responsibilities are detailed
      • CMT directs both Restoration and Resumption
      • Disaster Declaration criteria / decision points are defined
      • Facility Crisis Management Team identified and complete
      • Crisis Communications Plan is in place for all affected / interested parties
      • Damage Assessment reporting is linked with CMT operations
      • CMT is the focal point for local recovery and Corporate liaison
  • 31. Step 6 – Business Resumption
      • Restoration of Host Site is addressed
      • Manufacturing Contingency Plans are in place
      • Mitigation of customer impact is captured in the plan
      • Alternative Production operations are defined in detail
      • IT and Telecommunications recovery plan is identified
      • Recovery teams are identified with detailed Roles and Responsibilities
      • Restoration of productive capacity and capability with timeframes
  • 32. Response - Key Elements
      • Emergency Response Team - Safety, Security, Medical, Line Management, Environmental
      • Crisis Management Team - Senior leadership, Operations Management
      • Damage Assessment Team - Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security
      • Crisis Communications - HR / Communication Specialists
      • Business Resumption - Line Management and Staff
  • 34. Management
      • Do you have a clearly defined, documented and approved management process to manage the BCM program?
      • Does your BCM program clearly identify and comply with regulatory, legal, policy and principle requirements?
      • Are there professionally qualified BCM practitioners involved in the implementation of this program?
      • Have overall accountability and responsibilities for the management of the BCM program been clearly defined and documented?
      • Have you successfully demonstrated (including crisis management) competence and capability via exercising, rehearsal and testing or invocation?
      • Does your BCM program incorporate the allocation of dedicated resources and finance as a part of the annual budget development and management process?
      • Does your program provide assurance that suppliers (internal and/or outsourced providers) have an effective, up-to-date and fit-for-purpose BCM capability?
      • Do you have a Management Information System (MIS) to monitor and provide regular reports concerning the status of BCM?
  • 35. Policy
      • Do you have a clearly defined, documented and approved BCM policy?
      • Does your BCM policy enable corporate governance, the discharge of its responsibilities and satisfaction of its legal and regulatory obligations?
      • Does the policy provide a clearly defined, documented and approved set of BCM guidelines and minimum standards?
      • Does your policy provide a clearly defined, documented and approved independent audit process including frequency and triggers of your BCM capability?
  • 36. Assurance
      • Do you have a clearly defined, documented and approved BCM assurance management process and frequency?
      • Do you have clearly defined, documented and approved KPIs (objectives, targets and standards) for BCM?
      • Do you have a clearly defined and documented monitoring, evaluation and review process for your BCM KPIs?
      • Does the assurance process provide clearly defined, documented and approved management information assurance reports?
      • Does your assurance process provide clearly defined, approved, prioritised and documented remedial action plan(s) to implement the agreed recommendations?
  • 37. Business Impact Analysis
      • Have you adopted a clearly defined and documented standard BIA process (insourcing and outsourcing)?
      • Was the current BIA completed within the last 12 months?
      • Does your BIA identify resource recovery requirements?
      • Do you have a process to ensure that a BIA is carried out as a part of all project and change management including new developments of (and major changes to) IT systems, services and their sourcing?
  • 38. Risk Assessment
      • Do you have a clearly defined, documented and approved risk management strategy?
      • Do you have an approved standard process to carry out an operational risk assessment?
      • Do you have a clearly defined and documented process to ensure the approved risk methodology, tools, techniques and criteria are consistently applied?
      • Do you have a clearly defined, documented and approved organisation risk appetite benchmark, including the acceptance of residual risk?
      • Has a risk assessment been completed within the last 12 months?
      • Have you identified areas of high risk concentration and introduced risk management controls (an action plan) to eliminate, mitigate, reduce, transfer the effects of identified key threats, vulnerabilities, exposures or liabilities?
  • 39. Organisation Process Strategy
      • Is your BCM strategy clearly aligned / linked to the overall strategic aims and business strategies?
      • Do you have a clearly defined, documented and approved BCM framework?
      • Have you identified key roles, responsibilities and authorities for the BCM strategy?
      • Has the selected process level BCM strategy(ies) been fully evaluated to ensure fit-for-purpose and capable of working within the required timescales?
  • 40. Resource Recovery
      • Do you have a clearly defined, documented and approved resource recovery strategy?
      • Does the resource recovery strategy incorporate the resource recovery requirement from the BIA?
      • Have the key roles, accountabilities, responsibilities and authorities within the resource recovery BCM strategy been clearly defined and documented?
      • Have both technical (e.g. IT, telecommunications) and non-technical issues been considered within the resource recovery strategy?
      • Has the insourcing and outsourcing of your products and services been included within the resource recovery?
  • 41. BCM Implementation  Human Resources  Do you have mandatory instructions, advice, process, procedure or guidelines concerning • casualties and fatalities • confidential staff counseling and staff welfare?  Communication  Do you have instructions, advice, process, procedure or guidelines concerning internal and external communications? 41
  • 42. Implementation (Contd.)
      - Information Technology & Communication (ITC)
          - Do you have ITC resumption and recovery strategies? Have these been clearly documented?
          - Have you identified a technical recovery site that will not be affected by the same incident?
          - Have your business owners, technical and/or specialist third party service providers successfully tested the resumption and/or recovery of the IT systems and software?
          - Is there an inventory of all IT systems software and a process for its restoration, including licensing arrangements?
          - Are there arrangements in place for specialist software in escrow?
          - Are there SLAs in place and have they been tested in case of disaster?
  • 43. Implementation (Contd.)
      - Security
          - Have you tested the appropriate physical security and environmental controls?
      - Insurance
          - Are insurance policies and their coverage limits reviewed regularly for adequacy and cost benefit?
      - Checklist / Forms
          - Is there an up-to-date task list that clearly identifies both mandatory and discretionary tasks together with the individuals accountable or responsible for their completion within an allocated timeframe?
          - Do you provide an auditable process for tracking and recording the completion of the BCP task list after the plan has been invoked and any additional on-going tasks?
          - Are there up-to-date (internal and external) contact lists of all stakeholders including key service providers / contractors?
          - Does the BCP provide a situation management and decision log template?
  • 44. Implementation (Contd.)
      - Data
          - Are there clearly defined backup procedures for all applications, hardware and data (both electronic and paper, e.g. records, unique records or documents) and clearly defined recovery and restoration processes and procedures in place?
          - Can vital records (both electronic and paper) and their dependencies be recovered simultaneously at more than one disaster site if required?
      - Business Process
          - Do you have a process for recovering work in progress and work backlog processing?
          - Do you have a process for the provision of manual operations and fallback solutions and related activities wherever gaps exist between IT resumption and/or recovery capabilities and BCM needs?
          - Do you have a clearly defined change control process to ensure BCM requirements and selected BCM solutions are maintained in an up-to-date and fit-for-purpose status?
      - Emergency Procedures
          - Do you have documented emergency evacuation procedures and when were they last tested?
  • 45. Training & Culture
      - Do you have a clearly defined, published and approved BCM vision and policy statement?
      - Are there training / cultural programs in place to achieve the outcomes?
      - Have your BCM policy, principles and program been communicated?
      - Does your executive or senior and middle management proactively demonstrate its support and strong commitment to the BCM vision, policy and program?
      - Are the implementation and maintenance of the BCM policy and principles strictly monitored and evaluated?
      - Are BCM roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organisation?
      - Is your BCM integrated with the reward, recognition, performance management and appraisal system?
      - Do you have clearly defined and documented KPIs for BCM?
      - Is there a formal BCM awareness or induction training program for all new and existing managers and staff?
  • 47. “Sometimes, the question is more important than the answer.” - Plato