* Business Continuity Management Awareness Presentation for MAMPU



  1. Business Continuity Management Awareness Presentation for MAMPU
     By Prabha Ramanathan, August 21st 2007 (04/29/10)
  2. OBJECTIVE
     * To provide a basic appreciation of the importance of Business Continuity Management in the Public Sector.
     * To provide an overview of implementing BCM in a government organisation.
  3. BACKGROUND INFORMATION
     Technical Committee on Business Continuity Management (TC-BCM)
  4. TC-BCM
     * The Technical Committee (TC) on Business Continuity Management (BCM) was formed to develop business continuity management standards for local consumption.
     * We also review Business Continuity related standards on behalf of the Department of Standards Malaysia.
     * TC-BCM reports to Industrial Standards Committee "O" (ISC-O), which looks at Society Risk.
     * SIRIM is appointed by the Department of Standards Malaysia to develop Malaysian Standards.
  5. Composition
     * Prabha Ramanathan – Chairman (BKI)
     * Roslina Harun – Secretary (SIRIM)
     * Wan Asriah Wan Adnan (Bursa Malaysia)
     * Sue Wing Hoong (CSC)
     * Johnny Choo Chin Chai (Alliance Bank)
     * Ros Aziah Mohd Ismail (IP-Secure)
     * Zahri Yunos (CyberSecurity Malaysia)
  6. Composition
     * Sophia Hashim (MAMPU)
     * Maslina Daud (CyberSecurity Malaysia)
     * Bahyah Bakri (Bursa Malaysia)
     * Mohd Daud Dahar (Bank Negara)
     * Aliza Nayan (Securities Commission)
     * Stan Singh Jit (PIKOM)
     * Shreedhar (ASTRO)
  7. Goals of TC-BCM
     * BCM Framework – an overview of the processes that must be followed when developing BC Plans (completed: MS 1970)
     * BCM Guidelines – a guide on how to implement business continuity plans
     * BCM Checklist – a self-assessment checklist to gauge the level of preparedness / readiness
  8. Objective of BCM Standards
     * BCM is something that should be practised by all organisations in all industries, regardless of their size.
     * Hence the need for an acceptable minimum level of practice, i.e. a standard.
     * The standards developed by TC-BCM are this minimum level of practice for all sectors, private and public.
  9. Use of Standards
     [Diagram: TC-BCM Standards applied across sectors – Banking, Health, Government, Insurance, Telecommunication, Manufacturing – plotted against Number of Controls]
  10. The Malaysian BCM Standard
  12. The history of business continuity
      [Diagram: evolution from Disaster Recovery Planning to Business Continuity Planning to Business Continuity Management. Labels: Alternative Planning / Plan B; Fallback Plans, Contingency Plans; IT or Technical Contingency Plans; Organisation-wide Contingency Plans; Holistic Contingency Plans]
  13. What is Business Continuity Management?
      A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. Source: Business Continuity Institute (UK)
      Disaster Management Phases (Execution) – cycle: Monitor & Response, Recover & Resume, Rectify & Restore, Migrate & Normalize. Timeline: Pre-Incident, Incident, Post-Incident.
      * Phase: Prevention – Actions: Risk Management
      * Phase: Response – Actions: Emergency Response, Crisis Management, Public Relations
      * Phase: Continuity of Service (Recovery & Resumption) – Actions: Business Resumption Plans, Disaster Recovery Plan
      * Phase: Restoration – Actions: Damage Restoration, includes installation & commissioning
      * Phase: Normalization – Actions: Migration, Restart of all business functions, Stand Down
  14. BCM Framework
      * A structure that will design, develop, implement and maintain infrastructures, resources, processes, policies and strategies to respond, recover, resume, restore and normalize the mission critical operations of an organisation in an effective manner.
  15. Business Continuity Management – Why do you need it?
  16. Why is BCP Needed?
      * Good Corporate Governance
      * Safeguarding assets and liabilities, stakeholder interests
      * Business Requirements (Local / International) – BNM, SC, SOX, Basel, ISO17799
      * Requirement by Business Partner and/or Customer
  17. Why do we need BC Standards?
      [Diagram labels: Infrastructure Dependence (power, voice, data, logistics, food); System Up Time (computing, data, networks, etc.); Legal & Fiduciary Duties; Environment]
  18. Corporate Governance
      * Malaysian Code of Corporate Governance – it is a requirement by the Securities Commission that all listed companies in Malaysia comply with the Malaysian Code of Corporate Governance.
        * Part of the Principal Responsibilities of the BOD are:
          * Identify principal risks and ensure the implementation of appropriate systems to manage these risks.
          * Reviewing the adequacy and the integrity of the company's internal control systems and management information systems, including systems for compliance with applicable laws, regulations, rules, directives and guidelines.
          * Succession Planning of Senior Management
  19. Post-9/11 Surge in Regulations and Standards
      [Chart: regulations and standards, Pre-9/11 (1991 - 2001) and Post-9/11 (2002 - 2004). Source: Marsh (c) 2004]
      Consumer Credit Protection Act; OMB Circular A-130; FEMA Guidance Document; Paperwork Reduction Act; FFIEC BCP Handbook; Computer Security Act; 12 CFR Part 18; Presidential Decision Directive 67; FDA Guidance on Computerized Systems used in Clinical Trials; ANSI/NFPA Standard 1600; Turnbull Report (UK); ANAO Best Practice Guide (Australia); SEC Rule 17a-4; Sarbanes-Oxley Act of 2002; HIPAA, Final Security Rule; FFIEC BCP Handbook; Fair Credit Reporting Act; NASD Rule 3510; NERC Security Guidelines; FERC Security Standards; NAIC Standard on BCP; NIST Contingency Planning Guide; FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System; NYSE Rule 446; California SB 1386; Australia Standards BCM Handbook; GAO Potential Terrorist Attacks Guideline; Federal and Legislative BC Requirements for IRS; Basel Capital Accord; MAS Proposed BCP Guidelines (Singapore); NFA Compliance Rule 2-38; FSA Handbook (UK); BCI Standard, PAS 56 (UK); Civil Contingencies Bill (UK)
      Source: [email_address]
  20. Business Requirements
      * It is foreseeable that in the near future, the resiliency or continuity capability of an organisation will be a yardstick in doing business.
      * We have seen with the implementation of the Sarbanes-Oxley Act in the US that many local players who are suppliers or business partners were required to show BC plans.
  21. What BCM standards are available?
      * BS 25999-1: Business Continuity Management – Code of Practice (British Standards Institution, UK)
      * BS 25999-2: Business Continuity Management – Specification (British Standards Institution)
      * HB 221:2005: Handbook on Business Continuity Management (Australian Standards, Australia)
      * NFPA 1600: Standard on Disaster / Emergency and Business Continuity Management Program (National Fire Protection Association, USA)
      * TR 19: Technical Reference for Business Continuity Management (SPRING, Singapore)
      * MS 1970: Business Continuity Management Framework (Department of Standards, Malaysia)
  22. Malaysian Examples
      * Major stock trading organisation
      * Major airport – early 90s
      * Shoe manufacturing company
      * Flooding of building basement in KL
      * Finance company software failure leading to malfunctioning of ATMs
      * Flooding of electricity substation
      * National Power Grid failure
      * Fire at a bank branch on the first day of business at the branch's new premises. Substantial damage to the upper floor; the ground floor was also damaged. The branch was able to resume business on the same day at the previous premises located nearby.
      * Power outage for 3 days at a bank's Head Office. IT systems ran on a generator set; power was gradually restored floor by floor. Impact: no A/C, significant loss of productivity.
      * The automatic teller machine network of a large local bank was disrupted for 13 hours nationwide.
      * Lightning destroyed the main power circuit board of a factory, causing an 8-hour shutdown of its plant and losses in excess of RM5 million.
      * The Data Center of a manufacturing company was flooded, damaging their key servers.
  23. Business Continuity Management – How is it different from Disaster Recovery Planning?
  24. BCP – Composition
      [Diagram: Business Continuity Plans comprising Emergency Management, Crisis Management, Contingency Plans, Disaster Recovery Plans, Business Resumption Plans]
  25. Definition – BCP
      * BUSINESS CONTINUITY PLANNING (BCP): Process of developing advance arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.
      * SIMILAR TERMS: Contingency Planning, Disaster Recovery Planning.
  26. Definition – DRP
      * DISASTER RECOVERY PLANNING (DRP): The technological aspect of business continuity planning.
        * The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organisation in the event of disaster.
      * SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness.
      Source: DRII
  28. DRP vs BCP
      [Diagram: Major Plan Components. Legend: BCP = Business Continuity Planning; BRP = Business Resumption Planning; DRP = Disaster Recovery Planning]
  29. Business Continuity Management – Who should be involved?
  30. Organisation Structure
      [Diagram: Crisis Management Committee, with Crisis Management Director, Incident Response Director, Business Continuity Director, Damage Restoration Director, Public Relations & Communication Director, Safety & Welfare Director]
  31. Brief Roles & Responsibilities
      * Crisis Management Director – Authority who has the veto power.
      * Crisis Management Committee – A group of senior management personnel who will manage the situation from start to finish and provide the necessary management support to the working teams.
      * Incident Response Director – Person who is responsible for managing the situation at ground zero, stabilising the situation and working with local authorities. Reports back to the CMC on a regular basis.
      * Business Continuity Director – Person who is responsible for recovering and resuming critical business operations at the alternate facilities.
      * Damage Restoration Director – Person who is responsible for preparing a permanent working environment for business to return to normal.
      * Public Relations & Communication Director – Person who is responsible for all communication to stakeholders and the public during a time of emergency, crisis or disaster.
      * Safety and Welfare Director – Person who is responsible for ensuring the safety and welfare of the staff until operations are back to normal.
  32. BCM Team Structure
      [Diagram: BCM Director and BCM Coordinator, with Technical Recovery Team, Support Recovery Team, Customer Centric Recovery Team, Back Office Recovery Team]
  33. Brief Roles & Responsibilities
      * Business Continuity Director – Person who is responsible for recovering and resuming critical business operations at the alternate facilities.
      * Technical Recovery Team – One or more teams responsible for preparing and maintaining the technology used at the recovery site.
      * Support Recovery Team – One or more teams responsible for supporting the recovery process, such as administration, logistics, finance, etc.
      * Customer Centric Recovery Team – One or more teams responsible for recovering and resuming critical functions which deal directly with customers, i.e. front counters, call centre, etc.
      * Back Office Recovery Team – One or more teams responsible for recovering and resuming functions that support the critical functions, i.e. application processing, etc.
  34. Selection Guidelines
      * Members of the BCM recovery team should serve on a voluntary basis.
      * Members of the BCM recovery team must be experienced and knowledgeable in operations matters.
      * Elderly or sickly people (hypertension, weak heart, high blood pressure, obesity, etc.) should not be selected as team members.
  35. Business Continuity Management – How do I start?
  36. Note
      * The process of developing the plans, whether Business Continuity Plans or Disaster Recovery Plans, is the same.
      * The difference is only in the scope of work and the area to be covered.
      * A disaster recovery plan must provide for the 'End Users' needs.
  37. BKI'S METHODOLOGY
      [Diagram: nine steps across Phase 1 to Phase 5, with Project Management & Reporting running throughout]
      1. Project Initiation
      2. Vulnerability Study
      3. Business Impact Analysis
      4. Develop BCP Strategies
      5. Establish Alternate Facility
      6. Plan Development
      7. Education and Training
      8. Scenario Testing
      9. Plan Maintenance Program
  38. Module 1 – Initiate the Project
      * It is crucial that a BC Project is started in a proper manner to ensure that it is completed in a timely and effective manner.
      * This stage involves study, discussions and analysis leading to the deliverable – The Project Charter.
      * In addition, there will be:
        * Awareness sessions
        * Kickoff meeting
  39. Module 2: Risk Assessment
      * The purpose of this module is to identify the operational vulnerabilities of an organisation.
      * The outcome of this module is a Risk Assessment report which provides a priority listing of vulnerabilities and a set of recommendations to prevent / mitigate them.
  40. Module 3: Business Impact Analysis
      * BIA determines the impact (financial & non-financial) in the event business is disrupted for a significant period of time. (The BIA process is somewhat independent from the Risk Assessment process.)
      * The Business Impact Analysis deliverable includes a listing of critical business functions and their:
        * Recovery Time Objectives
        * Recovery Point Objectives
        * Minimum operating resources
        * Internal and External Dependencies
  41. Module 4: Develop BC Strategies
      * This module provides the BC planners with a high-level specification of the plans.
      * In this module, high-level BC Policies and Procedures are documented.
      * This module gets its input from the previous BIA process.
  42. Module 5: Establish Alternate Facility
      * In the event the primary business premises are destroyed or severely damaged, critical business functions need to operate at an alternate facility.
      * This facility may be completely or partially set up with furniture, fittings and equipment.
      * This facility may be owned or rented from a commercial entity.
  43. Module 6: Plan Development
      * Using the information from Modules 4 & 5, action steps which describe "what needs to be done", "when to do it" and "how to do it" are documented.
      * Each team within the business continuity structure will have a recovery plan.
  44. Module 7: Education & Training
      * In this module, the respective players in the organisation's business continuity plan will be given the appropriate education on the principles of business continuity planning, as well as training in the use of the recovery plans developed in the previous module.
  45. Module 8: Scenario Testing
      * Testing is a mechanism used to verify the completeness of the recovery plan.
      * It also provides an avenue for team members and management to practise their recovery activities.
      * The goals and complexity of testing should increase over time.
  46. Module 9: Plan Maintenance
      * The business continuity plan is a 'LIVING DOCUMENT'.
      * Keeping it "current" is a major task which takes effort and support from senior management.
      * It is necessary to implement a Maintenance Program.
  47. Take Away Points
      * BCM is a process and not a project.
      * The initial development of a BC Plan is a tedious and time-consuming activity. It needs to be given adequate attention to be successful (i.e. workable).
      * Like Risk Management, the responsibility for BCM rests on everyone's shoulders and not just the BCM Manager's.
      * BIA is an important process within BCM and must be conducted on a regular basis.
  48. Take Away Points (cont'd)
      * Top Management support and participation is required.
      * An annual budget should be allocated for the running & maintenance of the BCM program.
      * Testing must be religiously conducted in a manner that encourages improvement and preparedness.
      * A maintenance program must be implemented to ensure adequacy and completeness of the BCM elements.
  49. THANK YOU
      CONTACT DETAILS: [email_address], 012 - 3160609