5. Business Continuity Management (BCM)
Business Continuity Planning: to maintain continuity of critical processes & functions, e.g.:
• customer service
IT (Disaster) Recovery Planning: recovery of critical systems and applications
Organisation & ability to manage any crisis or disaster
6. Context - BCM, BCP & DRP
Business Continuity Management: the overall approach to business continuity
BCP / DRP: one specific type of plan within that overall approach
7. BCM – Success Criteria
Testing & training
Plan maintenance & review
8. Example - Process Drivers
Supply Chain Network Risks
Limited Redundancy in Operations
Just in Time Operations - JIT, Lean
Low Maximum Acceptable Downtime
Single Points of Failure in Operations
Financial, Reputation, Legal, Market Risks
Reliance Upon Technology to Accomplish
9. Following a Crisis…Insurance won't:
• Address customer migration
• Restore damage to company image
• Retain customer confidence and market
• Replace valuable employees or improve
• Develop and bring new products into the
Integrate Operational and Business Risk
Reduction with Business Continuity
Create a Risk Reduction / Disaster Resistance
Cover all aspects of the Response / Recovery
process from Emergency Response through
Integrate all key aspects of planning - Security,
Crisis Management, Crisis Communications,
Damage Assessment and Restoration, Business
11. Incident Overview
Incident ⇒ Is it a business 'crisis'?
  No ⇒ business as usual (incident reporting & escalation)
  Yes ⇒ convene CCT; manage BCPs for business process restoration, data catch-up & cost recovery; resume business
Incident ⇒ Is it an IT 'disaster'?
  No ⇒ normal IT operations
  Yes ⇒ invoke DRP: restore hardware & applications, data recovery from off-site back-up; resume IT
Convene DMT to coordinate salvage & repair, HR and PR issues
12. Incident Management
• Identify, report & assess Incident/Crisis
• Emergency procedures
• Escalate ⇒ activate CMT
• Isolate/contain damage
• Stabilise - CMT coordinate company wide response
• Damage control
• Short term restoration of operations & customer service
• Work-around & BCPs
• Manage indirect consequences, e.g. media coverage
• Assess impact (cost)
• Repair damage
• Recover image & market share
• Cost recovery, e.g. insurance
13. Risk Management - AS/NZS 4360:99
14. Risk Management Process (AS/NZS 4360:99)
Monitor & Review (ongoing, alongside every step)
Analyse risks
Evaluate & prioritise risks
15. Risk Management Components
Risk Reduction (proactive - minimises risk exposure and reduces likelihood, e.g. Security)
Risk Transfer (Insurance & Contracts - manages cost of risk)
Business Continuity & (reactive - minimises impact)
16. Planning Consideration
17. Set the Scene
Business Unit - BCPs
BCM Project / Program
Business Impact Analysis
Identify key business processes
Incident/Crisis Management Organisation
Risk identification, assessment &
18. Identify / Prioritise Key Business Processes
Vital: not easily transferred or replaced; low tolerance, high cost of interruption; data may be
Important: can be partially transferred for a limited period; moderate tolerance; potentially high cost of interruption
Deferrable: can be interrupted for an extended period; minor inconvenience
19. Business Impact Analysis
Examines dependency of Vital & Important processes on Key
Maximum Tolerable Outage (MTO); i.e. the restoration timeframe, for each
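Worked example, added here and not part of the original slides: a small Python model of the BIA step above. Given each process's tier from slide 18 and its MTO, it derives the recovery deadline each key resource must meet (the shortest MTO among the Vital & Important processes that depend on it), the order in which processes should be restored, and which non-redundant resources are single points of failure for Vital processes (the driver named on slide 8). The processes, resources, MTO values and the `redundant` flag are all constructed assumptions for illustration, not data from the deck.

```python
# Added worked example (not from the slide deck): a small BIA model that
# turns the Vital/Important/Deferrable classification and each process's
# Maximum Tolerable Outage (MTO) into resource recovery targets, a
# restoration order, and a list of single points of failure.
# All process, resource and MTO data below is constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field

# Slide 18 tiers, in restoration priority order.
TIER_RANK = {"Vital": 0, "Important": 1, "Deferrable": 2}


@dataclass
class Process:
    name: str
    tier: str                 # "Vital", "Important" or "Deferrable"
    mto_hours: float          # Maximum Tolerable Outage from the BIA
    depends_on: list[str] = field(default_factory=list)   # key resources


@dataclass
class Resource:
    name: str
    redundant: bool = False   # assumption: True if a standby/alternate exists


# Constructed sample inventory for a hypothetical organisation.
PROCESSES = [
    Process("Customer service desk", "Vital", 4, ["telephony", "crm", "staff"]),
    Process("Order fulfilment", "Vital", 8, ["erp", "warehouse", "staff"]),
    Process("Payroll", "Important", 72, ["erp", "hr_system"]),
    Process("Marketing analytics", "Deferrable", 336, ["data_warehouse"]),
]
RESOURCES = {
    "telephony": Resource("telephony"),
    "crm": Resource("crm", redundant=True),
    "staff": Resource("staff"),
    "erp": Resource("erp", redundant=True),
    "warehouse": Resource("warehouse"),
    "hr_system": Resource("hr_system"),
    "data_warehouse": Resource("data_warehouse"),
}


def resource_recovery_targets(processes, in_scope=("Vital", "Important")):
    """Required recovery time per resource: the shortest MTO of any in-scope
    process that depends on it. A resource shared by a 4h and a 72h process
    must be back within 4h. Deferrable processes are excluded by default,
    because the BIA on slide 19 covers Vital & Important processes only."""
    targets: dict[str, float] = {}
    for proc in processes:
        if proc.tier not in in_scope:
            continue
        for res in proc.depends_on:
            targets[res] = min(targets.get(res, float("inf")), proc.mto_hours)
    return targets


def restoration_order(processes):
    """Order in which the BCP should restore processes: by tier, then by MTO,
    so the least-tolerant Vital process comes first."""
    ranked = sorted(processes, key=lambda p: (TIER_RANK[p.tier], p.mto_hours))
    return [p.name for p in ranked]


def single_points_of_failure(processes, resources, tiers=("Vital",)):
    """Non-redundant resources that at least one process in `tiers` depends
    on: the 'Single Points of Failure in Operations' driver from slide 8."""
    spof = set()
    for proc in processes:
        if proc.tier not in tiers:
            continue
        for res in proc.depends_on:
            if not resources[res].redundant:
                spof.add(res)
    return sorted(spof)


if __name__ == "__main__":
    for res, hours in sorted(resource_recovery_targets(PROCESSES).items()):
        print(f"{res:15s} must be recovered within {hours:g}h")
    print("Restore in order:", restoration_order(PROCESSES))
    print("Single points of failure:", single_points_of_failure(PROCESSES, RESOURCES))
```

Run it directly to print the three results. The point to take from it is that a resource's recovery target is set by its most demanding dependent process rather than by any average, and that the same dependency data lets you check redundancy decisions against the processes that actually rely on each resource.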
20. BCP Components
Objectives, scope, possible scenarios
Organisation, responsibilities & communications
Incident impact assessment, escalation & plan
Procedures & checklists for phases:
Restore: Vital & Important Processes
Emergency contact lists
Document control & maintenance
21. BCP – Planning Consideration
Emergency Response Planning
Business Resumption Planning
Crisis Management and Communication
Continuity of Customer Service
Information Technology & Services
Salvage & restoration of documents (e.g.
licenses), records and artifacts
22. BCP Planning & Recovery Process
23. BCP – Operation Flow
Every operation is different…
The response process is similar…
Can be modeled to any operation
The flow chart that follows depicts a typical
Identifies the key escalation points, and the plans that are activated
24. Key Factors
Each step in the process can be defined and
Can form a measurement grid for the process
Provide an indication of the issues to be addressed at each step in the process
25. BCP Planning & Recovery Process
Pre-Incident Planning Process:
Step 1 - Risk Identification; Step 2 - Risk Quantification; Step 3 - Risk Mitigation
Post-Incident Response Planning Process:
Step 4 - Emergency Response; Step 5 - Crisis Management; Step 6 - Business Resumption
27. Step 2 – Risk Quantification
Physical risk controls identified and evaluated for
Operational risk controls identified and evaluated for
Residual risk identified and translated to outage and
Outage potential translated to revenue impact, regulatory
impact, long term migration potential, etc.
Risk and impact quantification used to develop mitigation
28. Step 3 – Risk Mitigation
Future mitigation priorities supported by
risk ID, and quantification
Physical and Operational risk reduction
from mitigation quantified
Mitigation issues assigned time frame and
Review process addresses mitigation
29. Step 4 – Emergency Response
Emergency Response Team is in place and trained
All potential hazard scenarios are considered
Evacuation and Take Cover procedures are in place and
Employee gathering spots are defined
Plan addresses notification and direction of police, fire,
EMS, and Utilities
Restoration and Reconstruction contractors identified
Damage Assessment Team and Plan is developed
30. Step 5 – Crisis Management
Roles and Responsibilities are detailed
CMT directs both Restoration and Resumption
Disaster Declaration criteria / decision points are defined
Facility Crisis Management Team identified and
Crisis Communications Plan is in place for all affected /
Damage Assessment reporting is linked with CMT
CMT is the focal point for local recovery and Corporate
31. Step 6 – Business Resumption
Restoration of Host Site is addressed
Manufacturing Contingency Plans are in place
Mitigation of customer impact is captured in the plan
Alternative Production operations are defined in detail
IT and Telecommunications recovery plan is identified
Recovery teams are identified with detailed Roles and
Restoration of productive capacity and capability with
32. Response - Key Elements
Emergency Response Team- Safety, Security, Medical,
Line Management, Environmental
Crisis Management Team- Senior leadership, Operations
Damage Assessment Team- Facility and Utilities
Engineering, Process Maintenance, Purchasing,
Crisis Communications- HR / Communication Specialists
Business Resumption- Line Management and Staff
33. Assessment / Questionnaire
Do you have a clearly defined, documented and approved management
process to manage the BCM program?
Does your BCM program clearly identify and comply with regulatory, legal,
policy and principle requirements?
Are there professionally qualified BCM practitioners involved in the
implementation of this program?
Have overall accountability and responsibilities for the management of the
BCM program been clearly defined and documented?
Have you successfully demonstrated (including crisis management)
competence and capability via exercising, rehearsal and testing or
Does your BCM program incorporate the allocation of dedicated resources
and finance as a part of the annual budget development and management
Does your program provide assurance that suppliers (internal and/or
outsourced providers) have an effective, up-to-date and fit-for-purpose BCM
Do you have a Management Information System (MIS) to monitor and
provide regular reports concerning the status of BCM?
Do you have a clearly defined, documented and
approved BCM policy?
Does your BCM policy enable corporate governance, the
discharge of its responsibilities and satisfaction of its
legal and regulatory obligations?
Does the policy provide a clearly defined, documented
and approved set of BCM guidelines and minimum
Does your policy provide a clearly defined, documented
and approved independent audit process including
frequency and triggers of your BCM capability?
Do you have a clearly defined, documented and
approved BCM assurance management process and
Do you have clearly defined, documented and approved
KPIs (objectives, targets and standards) for BCM?
Do you have a clearly defined and documented
monitoring, evaluation and review process for your BCM
Does the assurance process provide clearly defined,
documented and approved management information
Does your assurance process provide clearly defined,
approved, prioritised and documented remedial action
plan(s) to implement the agreed recommendations?
37. Business Impact Analysis
Have you adopted a clearly defined and
documented standard BIA process (insourcing
Was the current BIA completed within the last 12
Does your BIA identify resource recovery
Do you have a process to ensure that a BIA is
carried out as a part of all project and change
management including new developments of
(and major changes to) IT systems, services and
38. Risk Assessment
Do you have a clearly defined, documented and approved risk
Do you have an approved standard process to carry out an
operational risk assessment?
Do you have a clearly defined and documented process to ensure
the approved risk methodology, tools, techniques and criteria are
Do you have a clearly defined, documented and approved
organisation risk appetite benchmark, including the acceptance of
Has a risk assessment been completed within the last 12 months?
Have you identified areas of high risk concentration and introduced
risk management controls (an action plan) to eliminate, mitigate,
reduce, transfer the effects of identified key threats, vulnerabilities,
exposures or liabilities?
39. Organisation Process Strategy
Is your BCM strategy clearly aligned / linked to
the overall strategic aims and business
Do you have a clearly defined, documented and
approved BCM framework?
Have you identified key roles, responsibilities
and authorities for the BCM strategy?
Has the selected process level BCM
strategy(ies) been fully evaluated to ensure fit-
for-purpose and capable of working within the
40. Resource Recovery
Do you have a clearly defined, documented and
approved resource recovery strategy?
Does the resource recovery strategy incorporate the
resource recovery requirement from the BIA?
Have the key roles, accountabilities, responsibilities and
authorities within the resource recovery BCM strategy
been clearly defined and documented?
Have both technical (e.g. IT, telecommunications) and
non-technical issues been considered within the
resource recovery strategy?
Has the insourcing and outsourcing of your products and
services been included within the resource recovery?
41. BCM Implementation
Do you have mandatory instructions, advice,
process, procedure or guidelines concerning
• casualties and fatalities
• confidential staff counseling and staff welfare?
Do you have instructions, advice, process,
procedure or guidelines concerning internal
and external communications?
42. Implementation (Contd.)
Information Technology & Communication
Do you have ITC resumption and recovery strategies? Has this
been clearly documented?
Have you identified a technical recovery site which would not be
affected by the same incident?
Have your business owners, technical and/or specialist third
party service providers successfully tested the resumption
and/or recovery of the IT systems and software?
Is there an inventory of all IT systems software and a process for
its restoration, including licensing arrangements?
Are there arrangements in place for specialist software in
Are there SLAs in place and have they been tested in case of
43. Implementation (Contd.)
Have you tested the appropriate physical security and environmental
Are insurance policies and their coverage limits reviewed regularly for
adequacy and cost benefit?
Checklist / Forms
Is there an up-to-date task list that clearly identifies both mandatory and
discretionary tasks together with the individuals accountable or
responsible for their completion within an allocated timeframe?
Do you provide an auditable process for tracking and recording the
completion of the BCP task list after the plan has been invoked and any
additional on-going tasks?
Are there up-to-date (internal and external) contact lists of all
stakeholders including key service providers / contractors?
Does the BCP provide a situation management and decision log
44. Implementation (Contd.)
Are there clearly defined backup procedures for all applications, hardware and
data (both electronic and paper, e.g. records, unique records or documents) and
clearly defined recovery and restoration processes and procedures in place?
Can vital records (both electronic and paper) and their dependencies be
recovered simultaneously at more than one disaster site if required?
Do you have a process for recovering work in progress and work backlog
Do you have a process for the provision of manual operations and fallback
solutions and related activities wherever gaps exist between IT resumption
and/or recovery capabilities and BCM needs?
Do you have clearly defined change control process to ensure BCM
requirements and selected BCM solutions are maintained in an up-to-date and
Do you have documented emergency evacuation procedures and when were
they last tested?
45. Training & Culture
Do you have a clearly defined, published and approved BCM vision and
Are there training / cultural programs in place to achieve the outcomes?
Has your BCM policy, principles and program been communicated?
Does your executive or senior and middle management proactively
demonstrate its support and strong commitment to the BCM vision, policy
Are the implementation and maintenance of the BCM policy and principles
strictly monitored and evaluated?
Are BCM roles, accountabilities, responsibilities and authorities clearly
defined and documented within job descriptions at all levels of the
Is your BCM integrated with the reward, recognition, performance
management and appraisal system?
Do you have clearly defined and documented KPIs for BCM?
Is there a formal BCM awareness or induction training program for all new
and existing managers and staff?
46. Current State Assessment
47. “Sometimes, the question is more important
than the answer.”
48. Good Luck