Business Continuity Management (BCM)



  1. Business Continuity Management (BCM)
       • Best Practices
       • 25 August 2008
       • By Ros Yusoff
       • NUBE
  2. OVERALL IMPLEMENTATION APPROACH -confidential-
       • Building Your Team & Capabilities
           • Staff / Management Awareness & Training: Training Matrix & Master Plan; Short Training Sessions; Workshops / Awareness Sessions
           • Organizational Roles: Incorporate R&R into JD’s; Defining Roles & Responsibilities; Defining the Committees & Teams
       • Continual Improvement
           • Testing & Review: Update; Review; Testing
       • Understanding Your Business
           • Requirements & Strategy: Policies; Business Impact; Risk Assessment; Continuity Strategies
           • Initiation: Program Management; Project Statement; Timeline; Maturity Assessment
       • Preventive Measures Assurance Implementation Develop RTP Risk assessment Workshops
       • Emergency Response: Escalation & Notification; Damage Assessment; Life & Safety; Crisis Mgmt; Disaster Declaration; Data & Record Recovery
       • Plan Development: Procedure Development; Checklist Development; Contact Information
  3. Building the Team & Capabilities
       • Identify the Champion
           • Must be a person who has the overall view of all the processes involved
       • Identify the key personnel & the backup personnel for each critical process
       • Incorporate BC roles & responsibilities into JD’s
           • Make them part of KPI’s
       • Develop a skill matrix that your organization needs
           • Draft annual training plan
           • Hold lots and lots of awareness sessions
           • Focus on specific skills required for the different team members
  4. Understanding Your Business
       • Initiation stage
           • In-house vs. Outsource (make the decision)
               • In-house: Get well-trained; get the experience required
               • Outsource: Never outsource fully
           • Perform a maturity assessment (gap analysis)
               • Should be brief and simple
           • Develop the project/program based on the results of the maturity assessment
           • Do not rush to get it done. Get it done right
  5. Understanding Your Business
       • Requirements & strategy
           • Define the policies
               • The policies must be implementable during disasters
           • Perform risk assessment & BIA
               • Only high-level risk assessment to determine critical threats in relation to Availability
               • BIA - to determine the criticality of systems
           • Identify preventive measures that exist already
           • Propose recovery strategies
               • Go back to the manual way when possible
               • Minimally, should have off-site storage for critical data
           • Go back and review BIA
  6. Implementation
       • Emergency response
           • Life and safety first
           • Identify an alternate place to work at
               • Determine requirements at the alternate place (voice communication is crucial during a disaster)
           • Notification & escalation procedures must be simple
               • Ensure that contact information is accurate (requires frequent updates)
           • Determine documents & records required to recover critical business
               • War chest
  7. Implementation
       • Plan development
           • Recovery plans
               • When possible, only use checklists
               • Should be developed by the team members that would be involved in the recovery activities
               • The goal is never to recover 100% of the business, but to an acceptable level
               • Use simple, straightforward sentences
               • Incorporate information security requirements into your plans
           • Do not forget to draft the restoration plans
               • Back to the original site
           • Do not forget to develop plans for the mobilization of staff to the alternate site
               • Transportation, office supply, food, accommodation …
  8. Continual Improvement
       • Testing (exercising) & review
       Table columns: Event Phase; Situation; Crisis Management Plan; Business Management Plan
       • One (Immediate aftermath): Media management; Strategic assessment; Damage assessment; Formal invocation of BC services; Casualty management
       • Two (Damage contained): Media management; Monitoring of BC teams; Mobilizing alternate resources; Staff communications
       • Three (Resumption beginning): Stood down; Regular meetings for updates; Managing alternate resources; Resumption of critical functions
       • Four (Consolidation): Review; Resumption of further functions; Back to original site
  9. Continual Improvement
       • Compliance & Audit
           • Must have a thorough understanding of the business, individual functions, and interdependent relationships
           • Challenge management related to potential risk
           • Participate in BIA workshops
           • Challenge recovery strategies
           • Participate during testing
           • Involve the right people as Subject Matter Experts
  10. Hallmarks of a World-class BCP
       • Centralized at the enterprise level
       • Identify a Control Champion
       • Committed and visible support from management
       • Buy-in at all levels, even non-key personnel
       • Use generally accepted standards
       • Perform constant review and testing
           • MTDs are reviewed against Client Charters
       • Must be cost effective – strategies must be “lean & mean”