Understanding Your Organisation

1,408
-1

Published on

Presentation explains the first step to be taken in designing and defining an appropriate BCM strategy that is fit for an organisation

Published in: Business, Economy & Finance
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,408
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Understanding Your Organisation

  1. 1. UNDERSTANDING YOUR ORGANISATION - The bedrock on which a BCM policy & strategy rests Presented by: Eneni Oduwole at the 1 st Annual RIMAN/BCI BCM Workshop, Sept. 2008
  2. 2. Why? ? ? <ul><li>To understand the scope and focus of BCM plan </li></ul><ul><li>Determine key products & services to focus on </li></ul><ul><li>Determine scope of stakeholder involvement </li></ul>Eneni Oduwole, Sept. 2008
  3. 3. Considerations <ul><li>BCM is a holistic risk management process </li></ul><ul><li>BCM must align with the Organization’s objectives and obligations to all stakeholders </li></ul><ul><li>Statutory requirements of the organization </li></ul><ul><li>Impact of failure on stakeholders </li></ul>Eneni Oduwole, Sept. 2008
  4. 4. Your Organization <ul><li>Mission & vision </li></ul><ul><li>Strategic objectives </li></ul><ul><li>Business objective/goals </li></ul><ul><li>Key drivers for achieving goals </li></ul><ul><li>Critical business units </li></ul><ul><li>Critical business functions / processes </li></ul><ul><li>Critical systems </li></ul><ul><li>Critical support structures </li></ul>Eneni Oduwole, Sept. 2008
  5. 5. Components <ul><li>Business Impact Analysis </li></ul><ul><li>Estimating Continuity Recovery Requirements </li></ul><ul><li>Evaluating Threats (Risk Assessments) </li></ul>Eneni Oduwole, Sept. 2008
  6. 6. Business Impact Analysis (BIA) <ul><li>Identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business processes </li></ul><ul><li>Provides appropriate continuity strategies for different business functions </li></ul><ul><li>Identifies the timescale and extent of the impact of a disruption at several levels in an organization </li></ul>Eneni Oduwole, Sept. 2008
  7. 7. Considerations for scoping <ul><li>Impact on business of loss of ability to deliver critical services or products </li></ul><ul><li>Interruption to internal & external activities that would disrupt the delivery of key products or services </li></ul><ul><li>Disruption of a key business area’s activity </li></ul>Eneni Oduwole, Sept. 2008
  8. 8. Purpose of BIA <ul><li>Identify and prioritize impacts that would lead to loss or disruption </li></ul><ul><li>Ascertain maximum tolerable period of disruption </li></ul><ul><li>Identify external & internal dependencies </li></ul>Eneni Oduwole, Sept. 2008
  9. 9. BIA Concepts <ul><li>Maximum Tolerable Period of Disruption (MTPD) – duration after which the organization cannot continue in business whether financially or through loss of reputation </li></ul><ul><li>Seasonality – tolerable outage for periodic functions e.g. year-end activities, one-off contracts with significant penalties for breach of deadlines </li></ul>Eneni Oduwole, Sept. 2008
  10. 10. BIA Concepts <ul><li>Recovery Time/Point Objectives (RTO / RPO) - point or timeframe required for information to be restored </li></ul><ul><li>Mission critical activities – activities that are time-critical, time-sensitive and urgent for recovery </li></ul>Eneni Oduwole, Sept. 2008
  11. 11. BIA Process <ul><li>Identify critical business activities across the organization </li></ul><ul><li>Identify suitable staff that would drive the process </li></ul><ul><li>Estimate the impact of loss in the event of business disruption </li></ul><ul><li>Allocate acceptable recovery timescales to activities </li></ul><ul><li>For multiple sites, prioritize critical recovery sites </li></ul>Eneni Oduwole, Sept. 2008
  12. 12. BIA Process <ul><li>Identify critical business activities across the organization </li></ul><ul><li>Identify suitable staff that would drive the process </li></ul><ul><li>Estimate the impact of loss in the event of business disruption </li></ul><ul><li>Allocate acceptable recovery timescales to activities </li></ul><ul><li>For multiple sites, prioritize critical recovery sites </li></ul>Eneni Oduwole, Sept. 2008
  13. 13. Estimating Continuity Requirements (ECR) <ul><li>Collect information on the number of resources required to resume business </li></ul><ul><li>Resources include </li></ul><ul><ul><li>Human resource complement </li></ul></ul><ul><ul><li>IT infrastructure and availability </li></ul></ul><ul><ul><li>Physical documents & stationery </li></ul></ul><ul><ul><li>Site to resume business (DR Site) </li></ul></ul><ul><ul><li>Internal & External dependencies </li></ul></ul>Eneni Oduwole, Sept. 2008
  14. 14. Purpose of ECR <ul><li>Provide the resource information required to derive an appropriate recovery strategy </li></ul><ul><li>Identify resource requirements of internal dependencies </li></ul><ul><li>Identify resource requirements of external dependencies </li></ul>Eneni Oduwole, Sept. 2008
  15. 15. BCR Process <ul><li>Quantify continuity requirements for: </li></ul><ul><ul><li>People </li></ul></ul><ul><ul><li>Technology </li></ul></ul><ul><ul><li>Infrastructure </li></ul></ul><ul><ul><li>Consumables </li></ul></ul><ul><li>Identify and allocate minimal critical resources required to respond & resume business </li></ul><ul><li>Document phased plan for business recovery and restoration (rate at which resources would be increased during the recovery process) </li></ul>Eneni Oduwole, Sept. 2008
  16. 16. Evaluating Threats or Risk Assessments (RAS) <ul><li>Risk Assessment evaluates the probability and impact of a variety of threats that could lead to a disruption </li></ul><ul><li>Prioritization of these threats </li></ul><ul><li>Concerns: </li></ul><ul><ul><li>Not possible to identify all threats </li></ul></ul><ul><ul><li>Estimates are based on historical events or gut-feel; may not provide accurate basis </li></ul></ul><ul><ul><li>Impacts fluctuate over time and at different rates depending on business strategy and external environment </li></ul></ul><ul><ul><li>Use of numeric scales sometimes over-emphasize impact of minor events </li></ul></ul>Eneni Oduwole, Sept. 2008
  17. 17. Purpose of RAS <ul><li>Identify internal & external threats that could cause disruptions </li></ul><ul><li>Assess the probability and impacts of these threats </li></ul><ul><li>To prioritize the threats according to an agreed formula </li></ul><ul><li>To design an appropriate risk management control programme and action plan </li></ul>Eneni Oduwole, Sept. 2008
  18. 18. Assumption of RAS <ul><li>All realistic threats can be identified </li></ul><ul><li>Statistics used are accurate and applicable </li></ul><ul><li>Risk Assessment provides basis for prioritization </li></ul>Eneni Oduwole, Sept. 2008
  19. 19. RAS Process <ul><li>Impact is estimated using a scoring system </li></ul><ul><li>A scoring system is used for determining the likelihood of occurrence (probability or frequency) </li></ul><ul><li>Risk is derived by combining the scores for impact & probability of each threat </li></ul><ul><li>Prioritize risks according to derived formula and ability to control threat </li></ul><ul><li>Agree on action plan for risk treatment (accept, reduce, avoid, transfer or share risk) </li></ul><ul><li>Management sign-off </li></ul>Eneni Oduwole, Sept. 2008
  20. 20. Methods & Techniques of Data Collection <ul><li>Workshop </li></ul><ul><li>Questionnaires (paper or automated software) </li></ul><ul><li>Interviews (structured & unstructured) </li></ul>Eneni Oduwole, Sept. 2008
  21. 21. <ul><li>The first step required when developing an appropriate BCM strategy for your organization is… </li></ul><ul><li>Understanding your Organization… </li></ul>Hope you now know… Eneni Oduwole, Sept. 2008

×