Assess Your Business Continuity Management Process

Review your Business Continuity Management Processes

Published in: Business, Economy & Finance

  1. Business Continuity Management: Is your BCM Framework comprehensive & tested? - Anand Subramaniam
  2. “People with opinions just go around bothering one another.” - The Buddha
  3. Highlights
     • BCP Overview
     • Risk Management - AS/NZS 4360:99
     • Planning Consideration
     • BCP Planning & Recovery Process
     • Assessment / Questionnaire
  4. BCM Overview
  5. Business Continuity Management (BCM)
     • Business Continuity Planning: to maintain continuity of critical processes & functions, e.g. customer service, administration, billing
     • IT (Disaster) Recovery Planning: recovery of critical systems and applications
     • Crisis Management: organisation & ability to manage any crisis or disaster
  6. Context - BCM, BCP & DRP
     • Business Continuity Management: overall approach to business continuity
     • Business Continuity Plans: address continuity of processes
     • IT Disaster Recovery Plans: one specific type of plan
  7. BCM - Success Criteria
     • Commitment
     • Organisation
     • Communication
     • Testing & training
     • Plan maintenance & review
  8. Example - Process Drivers
     • Supply Chain Network Risks
     • Limited Redundancy in Operations
     • Just in Time Operations - JIT, Lean
     • Low Maximum Acceptable Downtime
     • Single Points of Failure in Operations
     • Financial, Reputation, Legal, Market Risks
     • Reliance Upon Technology to Accomplish Job
  9. Following a Crisis… Insurance won’t
     • Address customer migration
     • Restore damage to company image
     • Retain customer confidence and market share
     • Replace valuable employees or improve employee morale
     • Develop and bring new products into the marketplace
  10. Goals
     • Integrate Operational and Business Risk Reduction with Business Continuity
     • Create a Risk Reduction / Disaster Resistance Mentality
     • Cover all aspects of the Response / Recovery process from Emergency Response through Business Recovery
     • Integrate all key aspects of planning - Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption
  11. Incident Overview (flowchart, two parallel paths)
     • Business path: Incident -> Is it a business ‘crisis’? No -> Resume business as usual. Yes -> Convene CCT -> Manage HR & PR issues; Manage BCPs for business processes & communications; Business resumption & cost recovery
     • IT path: Incident reporting & escalation -> Is it an IT ‘disaster’? No -> Resume normal IT operations. Yes -> Invoke DRP: Convene DMT to coordinate -> Implement DRP; Salvage & repair; Restore hardware & applications; Off-site data back-up; Data recovery; Process restoration & catch-up
  12. Incident Management
     • Respond: identify, report & assess incident/crisis; emergency procedures; escalate ⇒ activate CMT; isolate/contain damage
     • Restore: stabilise - CMT coordinates company-wide response; damage control; short-term restoration of operations & customer service; work-arounds & BCPs; manage indirect consequences, e.g. media coverage
     • Recover: assess impact (cost); repair damage; recover image & market share; cost recovery, e.g. insurance
  13. Risk Management - AS/NZS 4360:99
  14. Risk Management Process (AS/NZS 4360:99)
     • Establish context
     • Assessment: Identify risks -> Analyse risks -> Evaluate & prioritise risks
     • Treat risks
     • Throughout all steps: Communication and Consultation; Monitor & Review
  15. Risk Management Components
     • Risk Control (proactive - minimises risk exposure and reduces likelihood, e.g. Security)
     • Risk Transfer (Insurance & Contracts - manages the cost of risk)
     • Business Continuity & Contingency Planning (reactive - minimises impact or consequences)
  16. Planning Consideration
  17. Set the Scene
     • BCM Team
     • Business Unit - BCPs
     • BCM Project / Program
     • Business Impact Analysis
     • Identify key business processes
     • Incident/Crisis Management Organisation
     • Risk identification, assessment & treatment
  18. Identify / Prioritise Key Business Processes
     • Vital: not easily transferred or replaced; low tolerance, high cost of interruption; data may be permanently damaged/lost
     • Important: can be partially transferred for a limited period; moderate tolerance; potentially high cost of interruption
     • Deferrable: can be interrupted for an extended period; minor inconvenience
  19. Business Impact Analysis
     • MTO: determines the Maximum Tolerable Outage (MTO), i.e. the restoration timeframe, for each resource
     • Key Resources: examines the dependency of Vital & Important processes on Key Resources
  20. BCP Components
     • Objectives, scope, possible scenarios
     • Organisation, responsibilities & communications
     • Incident impact assessment, escalation & plan invocation
     • Procedures & checklists for phases:
       - Respond
       - Restore: Vital & Important Processes
       - Recover
     • Emergency contact lists
     • Document control & maintenance
  21. BCP - Planning Consideration
     • Emergency Response Planning
     • Business Resumption Planning
     • Crisis Management and Communication
     • Staff
     • Public relations
     • Continuity of Customer Service
     • Information Technology & Services
     • Salvage & restoration of documents (e.g. licenses), records and artifacts
  22. BCP Planning & Recovery Process
  23. BCP - Operation Flow
     • Every operation is different…
     • The response process is similar…
     • Can be modeled to any operation
     • The flow chart that follows depicts a typical recovery sequence
     • Identifies the key escalation points, and the plans that are activated
  24. Key Factors
     • Each step in the process can be defined and measured
     • Can form a measurement grid for the process
     • Provides an indication of the issues to be addressed at each step in the process
  25. BCP Planning & Recovery Process
     • Pre-Incident Planning Process: Step 1 Risk Identification -> Step 2 Risk Quantification -> Step 3 Risk Mitigation
     • INCIDENT
     • Post-Incident Response Planning Process: Step 4 Emergency Response -> Step 5 Crisis Management -> Step 6 Business Resumption
  26. Step 1 - Risk Identification
     • Physical risks identified
     • Operational risks identified
     • Critical single-source suppliers identified
     • Revenue impact potential identified
     • Contractual/Regulatory exposures identified
     • Process flow mapped
  27. Step 2 - Risk Quantification
     • Physical risk controls identified and evaluated for effectiveness
     • Operational risk controls identified and evaluated for effectiveness
     • Residual risk identified and translated to outage and impact potential
     • Outage potential translated to revenue impact, regulatory impact, long-term migration potential, etc.
     • Risk and impact quantification used to develop mitigation priorities
  28. Step 3 - Risk Mitigation
     • Future mitigation priorities supported by risk identification and quantification
     • Physical and operational risk reduction from mitigation quantified
     • Mitigation issues assigned a time frame and responsibility
     • Review process addresses mitigation issue resolution
  29. Step 4 - Emergency Response
     • Emergency Response Team is in place and trained
     • All potential hazard scenarios are considered
     • Evacuation and Take Cover procedures are in place and tested
     • Employee gathering spots are defined
     • Plan addresses notification and direction of police, fire, EMS, and utilities
     • Restoration and reconstruction contractors identified and engaged
     • Damage Assessment Team and Plan is developed
  30. Step 5 - Crisis Management
     • Roles and responsibilities are detailed
     • CMT directs both Restoration and Resumption
     • Disaster Declaration criteria / decision points are defined
     • Facility Crisis Management Team identified and complete
     • Crisis Communications Plan is in place for all affected / interested parties
     • Damage Assessment reporting is linked with CMT operations
     • CMT is the focal point for local recovery and Corporate liaison
  31. Step 6 - Business Resumption
     • Restoration of Host Site is addressed
     • Manufacturing Contingency Plans are in place
     • Mitigation of customer impact is captured in the plan
     • Alternative production operations are defined in detail
     • IT and Telecommunications recovery plan is identified
     • Recovery teams are identified with detailed roles and responsibilities
     • Restoration of productive capacity and capability with timeframes
  32. Response - Key Elements
     • Emergency Response Team - Safety, Security, Medical, Line Management, Environmental
     • Crisis Management Team - Senior leadership, Operations Management
     • Damage Assessment Team - Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security
     • Crisis Communications - HR / Communication Specialists
     • Business Resumption - Line Management and Staff
  33. Assessment / Questionnaire
  34. Management
     • Do you have a clearly defined, documented and approved management process to manage the BCM program?
     • Does your BCM program clearly identify and comply with regulatory, legal, policy and principle requirements?
     • Are there professionally qualified BCM practitioners involved in the implementation of this program?
     • Have overall accountability and responsibilities for the management of the BCM program been clearly defined and documented?
     • Have you successfully demonstrated (including crisis management) competence and capability via exercising, rehearsal and testing or invocation?
     • Does your BCM program incorporate the allocation of dedicated resources and finance as a part of the annual budget development and management process?
     • Does your program provide assurance that suppliers (internal and/or outsourced providers) have an effective, up-to-date and fit-for-purpose BCM capability?
     • Do you have a Management Information System (MIS) to monitor and provide regular reports concerning the status of BCM?
  35. Policy
     • Do you have a clearly defined, documented and approved BCM policy?
     • Does your BCM policy enable corporate governance, the discharge of its responsibilities and satisfaction of its legal and regulatory obligations?
     • Does the policy provide a clearly defined, documented and approved set of BCM guidelines and minimum standards?
     • Does your policy provide a clearly defined, documented and approved independent audit process, including the frequency and triggers, for your BCM capability?
  36. Assurance
     • Do you have a clearly defined, documented and approved BCM assurance management process and frequency?
     • Do you have clearly defined, documented and approved KPIs (objectives, targets and standards) for BCM?
     • Do you have a clearly defined and documented monitoring, evaluation and review process for your BCM KPIs?
     • Does the assurance process provide clearly defined, documented and approved management information assurance reports?
     • Does your assurance process provide clearly defined, approved, prioritised and documented remedial action plan(s) to implement the agreed recommendations?
  37. Business Impact Analysis
     • Have you adopted a clearly defined and documented standard BIA process (insourcing and outsourcing)?
     • Was the current BIA completed within the last 12 months?
     • Does your BIA identify resource recovery requirements?
     • Do you have a process to ensure that a BIA is carried out as a part of all project and change management, including new developments of (and major changes to) IT systems, services and their sourcing?
  38. Risk Assessment
     • Do you have a clearly defined, documented and approved risk management strategy?
     • Do you have an approved standard process to carry out an operational risk assessment?
     • Do you have a clearly defined and documented process to ensure the approved risk methodology, tools, techniques and criteria are consistently applied?
     • Do you have a clearly defined, documented and approved organisation risk appetite benchmark, including the acceptance of residual risk?
     • Has a risk assessment been completed within the last 12 months?
     • Have you identified areas of high risk concentration and introduced risk management controls (an action plan) to eliminate, mitigate, reduce or transfer the effects of identified key threats, vulnerabilities, exposures or liabilities?
  39. Organisation Process Strategy
     • Is your BCM strategy clearly aligned / linked to the overall strategic aims and business strategies?
     • Do you have a clearly defined, documented and approved BCM framework?
     • Have you identified key roles, responsibilities and authorities for the BCM strategy?
     • Has the selected process-level BCM strategy(ies) been fully evaluated to ensure it is fit-for-purpose and capable of working within the required timescales?
  40. Resource Recovery
     • Do you have a clearly defined, documented and approved resource recovery strategy?
     • Does the resource recovery strategy incorporate the resource recovery requirements from the BIA?
     • Have the key roles, accountabilities, responsibilities and authorities within the resource recovery BCM strategy been clearly defined and documented?
     • Have both technical (e.g. IT, telecommunications) and non-technical issues been considered within the resource recovery strategy?
     • Has the insourcing and outsourcing of your products and services been included within the resource recovery?
  41. BCM Implementation
     • Human Resources
       - Do you have mandatory instructions, advice, process, procedure or guidelines concerning casualties and fatalities, and confidential staff counseling and staff welfare?
     • Communication
       - Do you have instructions, advice, process, procedure or guidelines concerning internal and external communications?
  42. Implementation (Contd.)
     • Information Technology & Communication (ITC)
       - Do you have ITC resumption and recovery strategies? Have they been clearly documented?
       - Have you identified a technical recovery site which would not be affected by the same incident?
       - Have your business owners, technical and/or specialist third-party service providers successfully tested the resumption and/or recovery of the IT systems and software?
       - Is there an inventory of all IT systems software and a process for its restoration, including licensing arrangements?
       - Are there arrangements in place for specialist software in escrow?
       - Are there SLAs in place, and have they been tested in case of disaster?
  43. Implementation (Contd.)
     • Security
       - Have you tested the appropriate physical security and environmental controls?
     • Insurance
       - Are insurance policies and their coverage limits reviewed regularly for adequacy and cost benefit?
     • Checklist / Forms
       - Is there an up-to-date task list that clearly identifies both mandatory and discretionary tasks, together with the individuals accountable or responsible for their completion within an allocated timeframe?
       - Do you provide an auditable process for tracking and recording the completion of the BCP task list after the plan has been invoked, and of any additional on-going tasks?
       - Are there up-to-date (internal and external) contact lists of all stakeholders, including key service providers / contractors?
       - Does the BCP provide a situation management and decision log template?
  44. Implementation (Contd.)
     • Data
       - Are there clearly defined backup procedures for all applications, hardware and data (both electronic and paper, e.g. records, unique records or documents), and clearly defined recovery and restoration processes and procedures in place?
       - Can vital records (both electronic and paper) and their dependencies be recovered simultaneously at more than one disaster site if required?
     • Business Process
       - Do you have a process for recovering work in progress and work backlog processing?
       - Do you have a process for the provision of manual operations and fallback solutions and related activities wherever gaps exist between IT resumption and/or recovery capabilities and BCM needs?
       - Do you have a clearly defined change control process to ensure BCM requirements and selected BCM solutions are maintained in an up-to-date and fit-for-purpose status?
     • Emergency Procedures
       - Do you have documented emergency evacuation procedures, and when were they last tested?
  45. Training & Culture
     • Do you have a clearly defined, published and approved BCM vision and policy statement?
     • Are there training / cultural programs in place to achieve the outcomes?
     • Have your BCM policy, principles and program been communicated?
     • Does your executive or senior and middle management proactively demonstrate its support and strong commitment to the BCM vision, policy and program?
     • Are the implementation and maintenance of the BCM policy and principles strictly monitored and evaluated?
     • Are BCM roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organisation?
     • Is your BCM integrated with the reward, recognition, performance management and appraisal system?
     • Do you have clearly defined and documented KPIs for BCM?
     • Is there a formal BCM awareness or induction training program for all new and existing managers and staff?
  46. Current State Assessment
  47. “Sometimes, the question is more important than the answer.” - Plato
  48. Good Luck
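The Business Impact Analysis of slides 18 and 19 (process tiers Vital / Important / Deferrable, and a Maximum Tolerable Outage that fixes the restoration timeframe for each key resource) as a worked example. This code is added here and is not part of the deck; the process names, resource names, MTO values and current recovery times are constructed, and the rule that a resource inherits the shortest MTO of the Vital and Important processes that depend on it is the reading of slide 19 used here.

```python
"""Added worked example (not from the slide deck): deriving resource recovery
timeframes from a Business Impact Analysis.

Each business process gets a criticality tier (Vital / Important / Deferrable)
and a Maximum Tolerable Outage (MTO) in hours, and depends on key resources.
A resource must be restored within the shortest MTO of any Vital or Important
process that depends on it; Deferrable processes do not drive the requirement.
All process, resource and MTO values below are constructed sample data.
"""
from dataclasses import dataclass

TIER_ORDER = {"Vital": 0, "Important": 1, "Deferrable": 2}


@dataclass
class Process:
    name: str
    tier: str              # "Vital", "Important" or "Deferrable"
    mto_hours: int         # Maximum Tolerable Outage for this process
    resources: tuple = ()  # key resources the process depends on

    def __post_init__(self):
        if self.tier not in TIER_ORDER:
            raise ValueError(f"unknown criticality tier: {self.tier}")
        if self.mto_hours <= 0:
            raise ValueError("MTO must be a positive number of hours")


def prioritise(processes):
    """Restoration order: Vital first, then Important, then Deferrable;
    within a tier, shortest MTO first (name breaks ties)."""
    return sorted(processes, key=lambda p: (TIER_ORDER[p.tier], p.mto_hours, p.name))


def resource_recovery_requirements(processes):
    """Map each key resource to the restoration timeframe (hours) it must meet.

    The requirement is the minimum MTO over Vital and Important processes that
    depend on the resource. A resource used only by Deferrable processes is
    reported with None: no hard recovery timeframe is derived for it."""
    required = {}
    for p in processes:
        for r in p.resources:
            required.setdefault(r, None)
            if p.tier == "Deferrable":
                continue
            current = required[r]
            if current is None or p.mto_hours < current:
                required[r] = p.mto_hours
    return required


def gaps(requirements, current_recovery_hours):
    """Compare derived requirements with the recovery time each resource's
    current arrangements deliver (e.g. from SLAs); return resources that fall
    short as resource -> (needed_hours, achievable_hours_or_None)."""
    short = {}
    for r, needed in requirements.items():
        if needed is None:
            continue
        achievable = current_recovery_hours.get(r)
        if achievable is None or achievable > needed:
            short[r] = (needed, achievable)
    return short


# Constructed sample BIA data for a hypothetical organisation.
SAMPLE_PROCESSES = [
    Process("customer service", "Vital", 4, ("telephony", "crm", "office")),
    Process("billing", "Important", 48, ("erp", "crm")),
    Process("administration", "Deferrable", 168, ("office", "hr_system")),
    Process("order fulfilment", "Vital", 8, ("erp", "warehouse_site")),
]

# Constructed current recovery capability per resource, in hours.
SAMPLE_CURRENT_RECOVERY = {
    "telephony": 2, "crm": 24, "office": 72, "erp": 24, "warehouse_site": 48,
}

if __name__ == "__main__":
    for p in prioritise(SAMPLE_PROCESSES):
        print(f"{p.tier:10} {p.mto_hours:4}h  {p.name}")
    reqs = resource_recovery_requirements(SAMPLE_PROCESSES)
    for r, hours in sorted(reqs.items()):
        note = f"restore within {hours}h" if hours is not None else "no derived requirement"
        print(f"{r:15} {note}")
    for r, (needed, have) in gaps(reqs, SAMPLE_CURRENT_RECOVERY).items():
        print(f"GAP: {r} needs {needed}h, current arrangement delivers {have}")
```

With the sample data, `crm` inherits the 4-hour MTO of customer service even though billing tolerates 48 hours, and `office` ignores the Deferrable administration process entirely; the gap report then lists every resource whose current arrangement cannot meet the derived timeframe, which is the list slide 40 asks the resource recovery strategy to address.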