Business Continuity & Disaster Recovery Planning - Using BS 25999 – 1 Code Of Practice As A Model

Presentation Transcript

  • Business Continuity & Disaster Recovery Planning Using BS 25999 – 1 Code Of Practice As A Model Presenter: Dipankar Ghosh Date: 16/11/2008
  • Agenda
    • Overview
    • Business Continuity Management (BCM) Lifecycle
    • BCM Programme Management
    • Understanding The Organisation
    • Determining Strategy
    • Developing And Implementing Responses
    • Exercising, Maintaining & Reviewing
    • Embedding BCM In The Organisation’s Culture
  • Overview
    • What Is BCM?
      • Business-owned, business-driven process that establishes a fit-for-purpose strategic and operational framework that:
        • Proactively improves an organisation’s resilience against disruptions to its activities
        • Provides a rehearsed method of restoring an organisation’s ability to supply its key products and services within an agreed time after a disruption
        • Delivers a proven capability to manage a business disruption and protect the organisation’s reputation and brand
    • Benefits Of BCM
      • Allows proactive identification of impacts of disruptions
      • Allows effective response mechanisms to be put in place to minimise the impact of disruptions
      • Provides ability to manage uninsurable risks
      • Could enhance reputation
      • Might allow gaining of competitive advantage
  • The BCM Lifecycle
  • BCM Programme Management
    • Developing, Publishing And Communicating BCM Policy
      • Define scope of the BCM within the organisation
      • Define principles, guidelines and minimum standards to be achieved
    • Assigning Responsibilities
      • Appoint person with appropriate authority to oversee and implement the programme
      • Appoint a team to support the above person in implementation
    • Implementing Business Continuity In The Organisation
      • Use any recognised project management method to implement the programme
      • Design, build and implement the programme
      • Communicate the programme to stakeholders
      • Provide appropriate training to staff
    • Ongoing Management
      • Keep the programme current
      • Regular performance monitoring and programme review
      • Regular exercising of the BCM capability
      • Establishing and implementing change management practice in a standard way
    • Documenting BCM
      • Document BCM Policy, Scope, Risk Assessments, BIA, Plans etc.
  • The BCM Lifecycle
  • Understanding The Organisation
    • Identify The Organisation’s Key Products And Services
    • Understand
      • Goals and Objectives of the organisation
      • Stakeholder obligations
      • Statutory requirements, contractual obligations
      • Operating environment
    • Identify Key Assets, Resources and Activities
    • Understand Interdependencies
      • Of Its Activities, Reliance On Its Partners, And Their Reliance On The Organisation
    • Conduct Business Impact Analysis (BIA) For Each Activity
      • Assess impacts that would occur if its activities are disrupted – on staff, public, premises, technology, information
      • Assess impacts because of statutory duties and regulations, contractual obligations
      • Assess damage to reputation, damage to financial viability, damage to the environment
      • Establish Maximum Tolerable Period Of Disruption (MTPD) for each activity
      • Establish Recovery Time Objectives (RTO) of all critical activities
    • Identify Critical Activities To Set Priorities
      • Those activities that have the greatest impact in the shortest time
    • Determine Resource Requirements For Business Continuity
      • Estimate resources (Staff, Premises, Technology, Equipment, Information, External Services and Suppliers) required for each activity for recovery and after resumption
  • Understanding The Organisation
    • Undertake Risk Assessments
      • Analyse risks – vulnerabilities within resources/processes, threats that could exploit these vulnerabilities, likelihood of occurrence, impact of occurrence.
      • Determine criteria for risk acceptance
      • Identify acceptable levels of risk
    • Determine Choices – the 4Ts
      • Treat – By using Business Continuity
      • Tolerate – By accepting the risk
      • Transfer – By purchasing insurance, for example
      • Terminate – Suspend or terminate product or service
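The BIA steps above (MTPD and RTO per activity, critical activities ranked by "greatest impact in the shortest time") and the risk assessment step (likelihood and impact judged against risk acceptance criteria, then a choice among the 4Ts) can be modelled in a few lines. The following is an added example, not part of the presentation or of BS 25999: the activity data, the 1..5 scoring scale, the critical-impact threshold and the acceptance score are all constructed assumptions, and the `insurable`/`discretionary` flags are hypothetical attributes used only to decide whether Transfer or Terminate are available options.

```python
"""Added example (not from the presentation): a small model of the BIA and
risk-assessment steps described in the slides. All activity data below is
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Activity:
    name: str
    mtpd_hours: float               # Maximum Tolerable Period of Disruption
    rto_hours: float                # Recovery Time Objective set for the activity
    impact_by_hour: Dict[int, int]  # hours since disruption -> impact score (1 low .. 5 severe)
    likelihood: int                 # likelihood of the disruption (1 .. 5), assumed scale
    insurable: bool = False         # hypothetical flag: can the loss be transferred to an insurer?
    discretionary: bool = False     # hypothetical flag: could the product/service be suspended?

CRITICAL_IMPACT = 4   # assumed impact score at which an activity counts as critical

def rto_within_mtpd(a: Activity) -> bool:
    """The RTO must fall inside the MTPD, otherwise recovery arrives too late."""
    return a.rto_hours < a.mtpd_hours

def hours_to_critical(a: Activity) -> Optional[int]:
    """Earliest hour at which the impact reaches the critical threshold, or None."""
    for hour in sorted(a.impact_by_hour):
        if a.impact_by_hour[hour] >= CRITICAL_IMPACT:
            return hour
    return None

def critical_activities(activities: List[Activity]) -> List[str]:
    """Critical activities ordered by 'greatest impact in the shortest time'."""
    crit = [a for a in activities if hours_to_critical(a) is not None]
    crit.sort(key=lambda a: (hours_to_critical(a), -max(a.impact_by_hour.values())))
    return [a.name for a in crit]

def risk_score(a: Activity) -> int:
    """Likelihood x worst-case impact, the usual qualitative risk rating."""
    return a.likelihood * max(a.impact_by_hour.values())

def treatment_options(a: Activity, acceptable_score: int) -> List[str]:
    """The 4Ts: Tolerate if within the acceptance criteria, otherwise Treat via
    business continuity, plus Transfer/Terminate where the activity allows them."""
    if risk_score(a) <= acceptable_score:
        return ["Tolerate"]
    options = ["Treat"]
    if a.insurable:
        options.append("Transfer")
    if a.discretionary:
        options.append("Terminate")
    return options

# Constructed sample BIA data for a hypothetical organisation
ACTIVITIES = [
    Activity("Order processing", mtpd_hours=8, rto_hours=4,
             impact_by_hour={1: 2, 4: 4, 8: 5}, likelihood=3, insurable=True),
    Activity("Payroll", mtpd_hours=72, rto_hours=96,     # RTO exceeds MTPD: a finding to fix
             impact_by_hour={24: 2, 48: 3, 72: 4}, likelihood=2),
    Activity("Internal newsletter", mtpd_hours=720, rto_hours=240,
             impact_by_hour={240: 1, 720: 2}, likelihood=3, discretionary=True),
]

def bia_report(activities: List[Activity] = ACTIVITIES, acceptable_score: int = 6) -> Dict[str, dict]:
    """Per-activity findings collected in one dict so they can be checked or printed."""
    return {
        a.name: {
            "rto_ok": rto_within_mtpd(a),
            "hours_to_critical": hours_to_critical(a),
            "risk": risk_score(a),
            "options": treatment_options(a, acceptable_score),
        }
        for a in activities
    }

if __name__ == "__main__":
    print("Critical activities (priority order):", critical_activities(ACTIVITIES))
    for name, row in bia_report().items():
        print(name, row)
```

The RTO check is the point most often missed in practice: an RTO set longer than the MTPD means the chosen strategy cannot meet the business need, so it should be flagged before any strategy work begins. The ordering in `critical_activities` gives the priority list the slide asks for.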
  • The BCM Lifecycle
  • Determining The Business Continuity Strategy
    • Strategy Options For Critical Activities Dependent Upon
      • MTPD
      • Cost of implementation
      • Consequences of inaction
    • Strategies For Following Organisational Resources
      • People – maintain core skills/knowledge, use 3rd parties, multi-skill, succession planning, knowledge management
      • Premises – alternative locations within and outside, provided by 3rd party specialists, home working
      • Technology – provision from within/outside organisation, 3rd parties, geographical spread, inventories and spares, remote access, redundancies, failovers (auto/manual), backups
      • Information – ensure CIA and Currency, ensure you meet Recovery Time Objectives (RTO) based on BIA, hardcopy/electronic formats
      • Supplies – adequate inventories, storage in another location, 3rd party arrangements at short notice, alternative suppliers, key suppliers to have BCM, SLAs
      • Stakeholders – protect interest of key stakeholders, customers, business partners & contractors by recognising specific considerations for each of them and ensuring that their interests are protected
    • Strategy For Civil Emergencies
      • Local bodies (city councils, municipalities, police etc.) – have close contact and relationship with them and be aware of their policies, arrangements etc. in case civil emergencies occur within the community
  • The BCM Lifecycle
  • Developing And Implementing A Business Continuity Response
    • Until Now We Have
      • Identified the organisation’s critical activities
      • Evaluated threats to these activities
      • Chosen appropriate strategies to reduce likelihood and impact of risks
      • Chosen appropriate strategies for recovery and continuity of the business
    • The Next Step Is To Build A Business Continuity Response
      • Development and implementation of appropriate plans
      • Ensuring arrangements for the continuity of critical activities
      • Ensuring management of any incidents that may occur
  • Understanding The Incident Timeline
    • Incident Timeline – 3 main phases over time, from the moment the incident occurs to business as usual
    • Incident Response – within minutes to hours
      • Staff/visitors accounted for, casualties dealt with
      • Damage containment/limitation, damage assessment
      • Invocation of BCP
      • Purpose of plan – manage the initial, acute phase of the incident
    • Business Continuity – within minutes to days
      • Contact staff, customers, suppliers etc.
      • Recovery of critical business processes
      • Rebuild lost work in progress
      • Purpose of plan – recover/maintain activities to reach normal business operations
    • Recovery/Resumption – Business As Usual – within weeks to months
      • Damage repair/replacement
      • Relocation to permanent place of work
      • Recovery of costs from insurers
    • Overall Recovery Objective: back to normal as quickly as possible
  • Contents Of Plans
    • Generic Content
      • Purpose and Scope – critical activities to be recovered, timescales of recovery, recovery levels needed for each critical activity, situation in which the plan is to be utilised.
      • Roles and responsibilities – of people and teams for both decision making and authority to spend, authority to invoke
      • Invocation of plan – clear guidelines on who can invoke plan and under what situations, how to mobilise teams, immediate meeting points, subsequent meeting/recovery locations.
      • Standing down – clear guidelines on standing down once incident is over
      • Document owner and maintainer – plan to contain name of the primary plan owner and also the person responsible for reviewing and updating it periodically
      • Contact details – Essential contact details of key stakeholders of the plan
    • Incident Management Plan Content
      • Task and action lists – ensure safety of life is addressed first, be based upon the BIA exercise, should deliver the strategies and tactics chosen by the organisation, help prevent further loss or unavailability of critical activities and supporting resources
      • Emergency contacts – guidelines on how and under what circumstances staff, their relatives and emergency contacts are contacted; next-of-kin and emergency contacts list to be kept updated.
      • People activities – responsibilities for emergency actions such as site evacuation, safety, first aid, locating and accounting for people in the site, ongoing communication with staff and customers
      • Media response – communications strategy, templates for statements, trained and competent people to handle media
      • Stakeholder management – communication plan and responsibilities to handle key stakeholders
  • Contents Of Plans
    • Incident Management Plan Content – contd.
      • Incident Management Location – define location, room or space from where the incident will be managed, should be fit for purpose, effective communications systems
      • Annexure (as appropriate) –
        • contact information and mobilisation process of relevant agencies, organisations required to support the response
        • maps, charts, floor plans, photographs, site access plans
        • equipment storage/staging areas
        • response strategies agreed upon by third parties
        • claims management procedure for insurance and legal claims
        • logs/forms to record vital information about the incident such as incident timeline, details of casualties, etc.
    • Business Continuity Plan Content
      • Task and action lists – checklists of tasks on:
        • how BCP is invoked
        • person responsible for invoking BCP
        • procedure to be used by the person in invoking, including persons to be consulted
        • persons who will be informed when the decision is taken
        • detailed procedure for manual workarounds, recovery etc.
        • how and when all such information is communicated
      • Resource requirements – people, premises, technology, communications, information, supplies
      • Responsible persons – nominated persons who will manage the continuity and recovery phases
      • Annexure – logs/forms to record vital information, especially with regard to decisions made.
  • The BCM Lifecycle
  • Exercising (Testing), Maintaining And Reviewing
    • Purpose
      • Determine reliability of the plan
      • Develop teamwork & confidence, obtain feedback
      • Provide practice to the implementers
      • Ensure all critical activities have been considered and the strategies chosen were appropriate
      • Demonstrate competence of the response teams
    • Exercising (Testing)
      • Realistic, planned carefully and agreed with all stakeholders; to minimise disruption & ensure risk due to exercising is minimised
      • Must have clearly defined objectives, post-test debriefing and reporting with recommendations with timetable for implementation
      • Scale and complexity of the tests should be based on the recovery objectives
      • May include 3rd parties, outsource partners etc. who could be considered as a part of the testing activity
    • Maintaining
      • Ensure that the programme is kept updated and current based on:
        • Reviews
        • Tests
        • Any change in business conditions, new/changed products or services, new/changed processes
        • Questioning of assumptions etc.
      • Ensure that a formal change control process is established and all key personnel have the latest version of all documents
      • Establish documented evidence of proactive management of the BCM programme
      • Verify that key personnel implementing the programme are competent and trained
      • Verify that the organisation is monitoring and controlling the risks it faces
      • Establish documented evidence that any change in the organisation’s key drivers is taken into account in the plans
  • Exercising (Testing), Maintaining And Reviewing
    • Reviewing
      • Top management periodically to review BCM capability to ensure continuing suitability, adequacy and effectiveness
      • Verify compliance with BCM policy, applicable laws, standards & good practice
      • Address possible changes in policy, strategies, objectives by taking into account test results, changed business circumstances & continual improvement
      • Frequency and timing of reviews in accordance with laws, regulations, size of organisation, stakeholder requirements.
    • Self-assessment
      • To ensure robust, effective and fit-for-purpose BCM competence and capability
      • Qualitative verification of organisation’s ability to recover from an incident
      • Should be conducted against organisation’s goals and objectives and relevant industry standards and good practices
    • Independent Audit
      • Provision for independent audit by competent persons to verify its BCM competence and capabilities and identify real and potential deficiencies.
    • Verification Goals of Self-assessments & Audits
      • All key products & services and critical activities and resources required to support them identified
      • BCM policy, strategies and plans in accordance with organisation’s objectives and priorities
      • BCM competence & capability are effective and fit-for-purpose to handle an incident
      • BCM solutions are effective, fit-for-purpose and up-to-date and also appropriate based on risks faced by the organisation
      • Organisation’s BCM exercising and maintenance programme have been implemented effectively
      • Incorporation of improvement actions based on real incidents, tests and reviews
      • Ongoing programme on training and awareness
      • BCM policy and procedures have been effectively communicated to all relevant staff and the staff understand their roles and responsibilities
      • Change control processes are implemented effectively
  • Exercising (Testing), Maintaining And Reviewing
    • Types and methods of exercising BCM strategies – exercise complexity runs from simple (desk check) through medium to complex (full BCP exercise)
      • Desk check
        • Process: review/amend content
        • Variants: audit/verification, update/validation
        • Good practice frequency: at least annually
      • Walk-through of plan
        • Process: challenge BCP content
        • Variants: include interaction and validate participant’s role
        • Good practice frequency: annually
      • Simulation
        • Process: use of ‘artificial’ situation to validate BCP, to verify that recovery will be successful
        • Variants: incorporate associated plans
        • Good practice frequency: annually/bi-annually
      • Exercise critical activities
        • Process: invocation in controlled situation – not disrupt normal business
        • Variants: defined operations from alternative site for a fixed time
        • Good practice frequency: annually or less
      • Exercise full BCP including incident management
        • Process: building/campus/exclusion zone-wide exercise
        • Good practice frequency: annually or less
  • The BCM Lifecycle
  • Embedding BCM In Organisation’s Culture
    • Purpose
      • To be successful, BCM has to become a part of the organisation’s management culture
      • Creating a culture for BCM can be a difficult and lengthy journey – requires tremendous commitment from management and those involved in programme implementation
      • However, BCM will not be effective if this does not become a part of the organisation’s culture
      • A positive BCM culture will:
        • Allow effective implementation
        • Instil confidence among stakeholders that it has the ability to handle disruptions
        • Increase resilience by ensuring consideration of BCM implications in all decisions
        • Minimise likelihood and impact of disruptions
      • To develop BCM culture it should be supported by:
        • Leadership from senior management
        • Assignment of responsibilities
        • Awareness raising
        • Skills Training
        • Exercising plans
    • Raising Awareness
      • Process to identify and deliver BCM awareness. Measure effectiveness of delivery
      • BCM staff to be aware of any relevant external BCM information – from local authorities, regulators, emergency services etc.
      • Provide for an ongoing BCM education and awareness programme – team meetings, newsletters, journals, induction programmes, web sites and intranets, plan testing, visits to alternative sites
    • Skills Training
      • Process to identify and deliver BCM training to all relevant staff. Measure effectiveness of delivery
      • BCM staff to be trained on:
        • BCM programme management
        • Business Impact Analysis (BIA)
        • Risk and threat assessments
        • Developing and implementing BCP
        • Exercising BCP
        • Media communications
      • Non-BCM staff to be trained on their specific skills to undertake their nominated roles
  • To Sum Up
    • Here are the key takeaways
      • We must
        • Know that our organisations face risks
        • Accept that the risks can and may disrupt our businesses from time to time
        • Understand what our key deliverables are to our customers
        • Understand our critical activities and resources that produce the key deliverables
        • Have preventive actions in place to eliminate/avoid the risks of disruptions, if possible
        • Have actions in place which will minimise likelihood of the disruptions occurring
        • Have actions in place which will minimise the impact of disruptions if they occur
        • Have plans in place which will help us to recover quickly from such disruptions
        • Test those plans regularly, and update them as circumstances change and shortcomings are discovered
        • Make BCM a part of your organisation’s culture
  • And Finally…
    • It is worth keeping in mind the Boy Scout Motto:
    • Be Prepared,
    • Be Very Prepared
  • Business Continuity & Disaster Recovery Planning
    • Questions?