Bci gpg2011-kwt-111214121300-phpapp02



  1. The Business Continuity Institute – The Good Practice Guidelines: Real life Implementations
     Muhammad Ghazali, MBCI, CBCI, ISMS ISO 27001 LA, BS25999 LA
     Associate Director – Head of BCM Service, Protiviti Member firm Middle East

  2. The Good Practice Guidelines – Why Good Practice Guidelines?
     The value of the GPG:
     • Not just "what", but "why" and "how"
     • Baseline and common language
     • Used for the entry examination
     • Professional reference document
     • Stage-wise

  3. The Good Practice Guidelines – the six stages
     1. BCM Program Management
     2. Understanding the Organization
     3. Determining BCM Strategies
     4. Developing and Implementing BCM Response
     5. Exercising, Maintaining and Reviewing
     6. Embedding BCM into Organization Culture
  4. BCM Program Management
     What
     1. Develop the BCM Program
     2. Identification of owner/member and participants of the Program
     3. Development of the BCM Policy of the organization
     4. Identification of inclusion and exclusion of the BCM Program
     5. Define and approve the scope of the program
     Examples: BCM Head – that's probably you…; BCM Steering Committee – Management; BCM Roles – Strategic, Tactical and Operational; BCM Forum – selected team members
     Why
     Objectives, Mission, Vision, Key Service, Product, future strategy, acquisitions, geographical scale, competitor strategy, regulatory obligation, etc.
     How
     Involve the Top Management team. Review documents produced by the organization:
     • Business plans
     • Strategic plans
     • Annual report
     • Marketing report

  5. A "Program", Not a "Project"
     Program Scope
     • Set Objectives
     • See Obligations
     • Acceptable level of risk
     • Statutory, regulatory and contractual issues
     • Top management commitment and approval
     Organizational Policy
     • Objectives of the business continuity and scope
     • Communicated and reviewed
     • Appropriate by nature, scale, complexity, geography and criticality of business activities
     • Reflect culture, dependencies and operating environment
     • Defined roles and responsibilities
     Resources and Competence
     • Top management nominees / appointees
     • BCM competency
  6. Understanding the Organization
     What
     Know your: Process; People; Infrastructures; Environment; Suppliers; Threats to all requirements; Impact of those threats
     "If you know your enemies and know yourself, you will not be imperiled in a hundred battles" – Sun Tzu
     Why
     Your Business depends on (internal and external):
     • Operations Staff/skills
     • Records/Data Assets
     • Voice/Data Communications
     • Facilities & Infrastructure
     • Equipment
     How
     There are three main activities to "Understanding the Organization":
     • Business Impact Analysis (BIA)
     • Continuity Requirements Analysis (CRA)
     • Risk Assessment (RA)

  7. Knowing Your Organization – Impact Analysis
     Business Objectives → Key Business Areas → Critical Processes (Business Lines; Support Lines)
     Key BIA Inputs
     • Financial Impact: Lost sales revenue; Productivity loss; Permanent customer loss; Loss of interest income
     • Operational Impacts: Brand image; Competitive advantage; Customer satisfaction; Increased regulatory oversight; Employee Morale
     • Management Tolerances: Intolerable/acceptable downtime; Intolerable/acceptable data loss
     • Resource Dependencies: Operations Staff; Records/Data Assets; Voice/Data Communications; Facilities & Infrastructure; Equipment
     Recovery Requirements as Output
     • Recovery Time Objective (RTO)
     • Maximum Tolerable Period of Disruption (MTPOD)
     • Recovery Point Objective (RPO)
     • Minimum Operation Requirements

  8. Knowing Your Risks – Risk Assessment (RA)
     (Flow diagram; labels recovered from the slide)
     Business Objectives → Critical Processes → Key Risks / threats
     Interviews, Questionnaires, Workshops → BIA → BIA of Critical Processes; Dependency; Impact over time
     Risk Assessment → Risk Register: Vulnerability; Threats, Impact, Likelihood
     Business Continuity Strategy → Business Continuity Plans
  9. Determining BCM Strategies
     What
     On the basis of your Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPOD), identify strategies.
     • The faster you want it – the more it will cost!
     Separation distance:
     • How far away do you need to be?
     • Accessible yet recoverable
     Why
     Your Business requires you to select appropriate continuity options for each activity that supports the delivery.
     How
     Assess continuity options for each critical activity to the following levels:
     1. Initial Continuity – to an initial acceptable level
     2. Recovery – to a sustainable level
     3. Resumption – back to the normal level

  10. Determining BCM Strategies – Considerations
     Continuity Strategy for Key Processes
     • Alternate processes to Customers
     • Alternate Channels of Delivery
     • Alternate methods of communication
     • Support to Customers
     Continuity Strategy for Technology
     • IT Systems: Core / Main Application
     • User/Branch Data Processing
     • Data Center / Voice and Communication
     • Info. security / Data Transfer
     Continuity Strategy for Facilities
     • Physical Location/Space Options
     • Office Equipment / Stationery
     • Power Supply
     • Communication
     • Transportation
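Slides 7 to 9 tie the BIA outputs to strategy selection: the RTO has to sit inside the MTPOD, a continuity option is only acceptable if it recovers inside the RTO and loses no more data than the RPO, and among acceptable options the faster one costs more. The following Python model makes those checks concrete; it is an added example, not part of the original deck and not a tool from the BCI or the author. The 1–5 rating scales, the likelihood × impact scoring and every process, threat, option and cost figure are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BiaRecord:
    """One row of BIA output: recovery requirements for a critical process."""
    process: str
    mtpod_hours: float        # Maximum Tolerable Period of Disruption
    rto_hours: float          # Recovery Time Objective
    rpo_hours: float          # Recovery Point Objective (tolerable data loss)
    financial_impact: int     # 1 (low) .. 5 (severe); assumed rating scale
    operational_impact: int   # 1 .. 5; assumed rating scale


@dataclass
class Threat:
    """Risk-register entry, scored as likelihood x impact (assumed 1..5 scales)."""
    name: str
    likelihood: int
    impact: int
    affects: List[str]        # processes that depend on the threatened resource


@dataclass
class ContinuityOption:
    """A candidate strategy for one process and what it can actually achieve."""
    name: str
    process: str
    recovery_hours: float     # time to reach an initial acceptable level
    data_loss_hours: float    # worst-case data loss after invocation
    annual_cost: float        # constructed figure for the example


def validate_bia(records: List[BiaRecord]) -> List[str]:
    """RTO must fall inside the MTPOD; return one message per violation."""
    return [f"{r.process}: RTO {r.rto_hours}h is not below MTPOD {r.mtpod_hours}h"
            for r in records if r.rto_hours >= r.mtpod_hours]


def rank_processes(records: List[BiaRecord]) -> List[str]:
    """Order processes by combined impact rating, highest first (ties by name)."""
    key = lambda r: (-(r.financial_impact + r.operational_impact), r.process)
    return [r.process for r in sorted(records, key=key)]


def risk_register(threats: List[Threat]) -> List[tuple]:
    """Score each threat and sort highest risk first: (name, score, processes)."""
    rows = [(t.name, t.likelihood * t.impact, sorted(t.affects)) for t in threats]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def select_options(records: List[BiaRecord],
                   options: List[ContinuityOption]) -> Dict[str, Optional[str]]:
    """Cheapest option per process that meets both RTO and RPO; None if none does.

    Options that recover too slowly or lose too much data are rejected outright;
    among the survivors the lowest annual cost wins ("faster costs more")."""
    chosen: Dict[str, Optional[str]] = {}
    for r in records:
        viable = [o for o in options
                  if o.process == r.process
                  and o.recovery_hours <= r.rto_hours
                  and o.data_loss_hours <= r.rpo_hours]
        chosen[r.process] = (min(viable, key=lambda o: o.annual_cost).name
                             if viable else None)
    return chosen


# --- constructed sample data (not from the deck) ---------------------------
BIA = [
    BiaRecord("Payments", mtpod_hours=8, rto_hours=4, rpo_hours=1,
              financial_impact=5, operational_impact=4),
    BiaRecord("Call centre", mtpod_hours=24, rto_hours=12, rpo_hours=4,
              financial_impact=3, operational_impact=4),
    # Deliberately inconsistent: RTO longer than the MTPOD.
    BiaRecord("Payroll", mtpod_hours=72, rto_hours=96, rpo_hours=24,
              financial_impact=3, operational_impact=2),
]

THREATS = [
    Threat("Data centre power loss", 3, 5, ["Payments", "Call centre"]),
    Threat("Loss of main site (fire)", 2, 5, ["Payments", "Call centre", "Payroll"]),
    Threat("Pandemic staff absence", 2, 4, ["Call centre", "Payroll"]),
]

OPTIONS = [
    ContinuityOption("Hot standby (active-active)", "Payments", 0.25, 0.0, 400_000),
    ContinuityOption("Warm standby site", "Payments", 2.0, 0.5, 120_000),
    ContinuityOption("Tape restore at cold site", "Payments", 48.0, 24.0, 20_000),
    ContinuityOption("Work-from-home kit", "Call centre", 8.0, 2.0, 15_000),
    ContinuityOption("Outsourced overflow provider", "Call centre", 24.0, 4.0, 30_000),
    ContinuityOption("Manual payroll run from backup", "Payroll", 48.0, 24.0, 5_000),
]

if __name__ == "__main__":
    for line in validate_bia(BIA):
        print("BIA issue:", line)
    print("Priority order:", rank_processes(BIA))
    for name, score, procs in risk_register(THREATS):
        print(f"{score:>3}  {name} -> {', '.join(procs)}")
    print("Selected options:", select_options(BIA, OPTIONS))
```

The Payroll row is included to show the consistency check firing: an RTO of 96 hours against an MTPOD of 72 hours means the plan would, by design, restore the process after the point at which the disruption is no longer tolerable, so the BIA itself needs revisiting before any strategy is chosen.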
  11. Developing & Implementing BCM Response
     What
     The GPG identifies the following stages of response:
     • Emergency response – immediate actions
     • Incident management – management of the response to the incident
     • Business / IT Continuity – the initial business response to the incident (essential activities at an acceptable level)
     • Recovery – recovery of activities to a sustainable level
     • Resumption – resuming operations to 'normal'
     Why
     To identify and document:
     • Individual and team roles
     • Actions required for invocation, crisis, incident, internal and external communication, call lists, etc.
     How
     The plan(s) development includes:
     • Appoint an owner
     • Define the objectives and scope
     • Create teams for planning and response
     • Agree the responsibilities
     • Document actionable steps
     • Populate the plan
     • Circulate and gather feedback
     • Agree and validate
     • Agree a program

  12. Continuity Plans – Considerations
     • Simple language
     • Action oriented (check list…)
     • Easy to access, maintain and navigate
     • Plans are tools / guidelines to use or follow in case required; do not allow them to restrict your thoughts and responses.
  13. Exercising, Maintaining and Reviewing
     What
     Exercise verifies your assumptions about IT / Business Continuity.
     It validates:
     • Effectiveness of your plan
     • Response of your teams
     • Effectiveness of your strategies
     Results offer opportunities for improvement in BCM Plans, Responses and Strategies.
     Why
     • To highlight doubtful assumptions
     • Provides hidden information about
     • Gain confidence in exercise participants
     • Raise awareness of BCM
     • Verify BCP / IT Continuity Plan(s)
     How
     • Agree the scope – what are your priorities?
     • Engage senior stakeholders
     • Communicate thoroughly – particularly for senior staff
     • Plan frequently – normal business is always busy
     • Make sure the exercise type fits the need

  14. Embedding BCM into Organization Culture
     What
     Let the organization know about BCM, just like Human Resource Management (HRM), Management Information System (MIS), Financial Management System (FMS), Material / Supply Chain Management and Procurement.
     Involve all members of the organization, because continuity is everyone's business.
     Why
     • Management understanding of Risk / Impact / Threat / Response
     • Transformation of understanding across the organization
     How
     • Employee Handbook – Guidelines
     • BCM Business Cases
     • Email messages
     • Intranet BCP Web Site
     • New Employee Induction Program
     • Interactive Presentations with Staff
     • Organize in-house Coaching Sessions