BCM Institute MTE Dr Goh Moh Heng - SS540 Safeguard



BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html

Find out more about the major challenges in implementing TR19 (the standard prior to the newly launched SS540:2008 Singapore standard), how to implement your BCM programme, and how to achieve your SS540 certification.

The launch of SS540 has raised many questions about how far a company must now go to meet the safeguards standard. In the spirit of networking and dialogue amongst BCM and DRP professionals, BCM Institute continues the bi-monthly Meet-the-Experts sessions by inviting subject matter experts to provoke thought, debate the issues on hand and take questions from the audience. BCM Institute provides the room and coffee; you bring your minds.

This event is organised and brought to you by BCM Institute.



  1. "SS540 Safeguards"
     BCM Institute, Meet-The-Experts, Singapore, 21st January 2009
     worldcontinuitycongress.com | bcm-institute.org
  2. BCM STEERING COMMITTEE (Clause 8.4.1)
     This Committee shall consist of:
     • Minimum of one member from the organisation's executive management;
     • Heads of the various units; and
     • Organisation BCM coordinator.
  3. PROCESS APPROACH
     Figure 1 – PDCA Methodology
     Input: requirements and expectations of the business continuity of the organisation by stakeholders and interested parties
     PLAN – Establish the BCM
     DO – Implement and operate the BCM
     CHECK – Monitor and check the BCM
     ACT – Maintain and continually improve the BCM
     Output: managed business continuity
  4. PROCESS APPROACH
     Figure 2 – The BCM framework
     BCM Components: Policies, Processes, People, Infrastructure
     BCM Areas: Risk Analysis and Review; Business Impact Analysis; Strategy; BC Plan; Tests and Exercises; Program Management
  5. RISK ANALYSIS AND REVIEW
     RA can be conducted concurrently with BIA.
     1. Deliberate and select appropriate cost-effective risk treatments (5.2.3)
        Risk Treatment: Avoidance, Reduction, Transfer, Acceptance

        Risk Zone | Recommended Treatment | Recommended Review Timeline
        High      | Avoidance / Reduction | Quarterly
        Med       | Reduction / Transfer  | Half-yearly
        Low       | Acceptance            | Yearly
  6. RISK ANALYSIS AND REVIEW
     2. Select a probable disaster from the list of potential disasters for subsequent BCM development efforts (5.2.4)
        Identify immediate threat(s) faced by the company. Think outside the box:
        • What can stop your employees from showing up?
        • What can prevent your customers from buying your company's products or services?
        • What can prevent your on-time delivery? Your suppliers? Transportation?
        • What can damage or impact the quality of your products or services?
        • What happens if you and your employees are denied access to your company's premises?
  7. RISK ANALYSIS AND REVIEW
     3. Consistent risk analysis approach (5.2.5)
        Corporate, Finance, Operations & Facilities, ISO 9001 etc.

        Probability | Rating          | Frequency
        1           | Unlikely        | 1 in 100 years
        2           | Low likelihood  | 1 in 10 years
        3           | Likely          | 1 per year
        4           | High likelihood | 1 per 6 months
        5           | Inevitable      | 1 per month

        Impact | Rating       | Business disruption
        1      | Negligible   | 1 to 2 hours
        2      | Low          | > 2 to 4 hours
        3      | Moderate     | > 4 to 8 hours
        4      | Significant  | > 8 hours to 1 day
        5      | Catastrophic | > 1 to 3 days

        Risk = Probability x Impact
  8. BUSINESS IMPACT ANALYSIS
     1. Minimum Business Continuity Objective (MBCO)
        - Executive management to set the organisation's MBCO (6.2.1)
        - Each business unit shall identify the minimum level of services and/or products that must be provided to support the organisation's MBCO (
  9. BUSINESS IMPACT ANALYSIS
     2. Critical business functions recovery time requirements (6.3.3)
        - Recovery time objective (RTO): the period of time within which systems, applications, or functions must be recovered after a disruption has occurred.
        - Recovery point objective (RPO): the point in time to which systems and data must be recovered after a disruption has occurred, i.e. the maximum tolerable data loss.
  10. BUSINESS IMPACT ANALYSIS
      3. Prioritising critical business functions (6.3.4)
         Also refer to Priority for analysing impact (6.2.5)
         Sample:
         Category A – business units which have an impact on life safety and health
         Category B – business units which have no impact on life safety and health but have RTOs less than or equal to 1 day
         Category C – business units which have no impact on life safety and health and have RTOs greater than 1 day
  11. STRATEGY
      1. Strategy Formulation (7.2.2)
         • Revert to alternate processing capability
         • Arrange reciprocal arrangements
         • Establish alternate site or business facility
         • Arrange for alternate source of supply
         • Outsource to external vendor
         • Transfer of operation to subsidiary business units
         • Rebuild from scratch after disaster
         • Do not take any action
  12. STRATEGY
      2. Recovery time requirements
         - Ensure the selected strategy can achieve the Recovery Time Objective (RTO) of the CBF.
      3. The priority for allocation of resources to recovery strategies shall be in accordance with the prioritisation of CBFs established during the BIA.
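The three rules on slides 7, 10 and 12 (Risk = Probability x Impact on the 1 to 5 scales, Category A/B/C prioritisation of CBFs, and the requirement that a chosen strategy meets the CBF's RTO) are mechanical enough to put in a small risk/BIA register. The Python below is an added example, not material from the slides or from BCM Institute. The zone cut-offs for the 1 to 25 score (15 and above High, 6 and above Med), the treatment of "1 day" as 24 hours, and all sample threats, CBFs and strategy options are assumptions for illustration.

```python
"""Added example: risk scoring, CBF prioritisation and strategy/RTO check
following the SS540 slides. Zone cut-offs and sample data are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Probability and impact scales as given on the slides (1..5).
PROBABILITY = {
    1: "Unlikely (1 in 100 years)",
    2: "Low likelihood (1 in 10 years)",
    3: "Likely (1 per year)",
    4: "High likelihood (1 per 6 months)",
    5: "Inevitable (1 per month)",
}
IMPACT = {
    1: "Negligible (disruption 1 to 2 hours)",
    2: "Low (disruption > 2 to 4 hours)",
    3: "Moderate (disruption > 4 to 8 hours)",
    4: "Significant (disruption > 8 hours to 1 day)",
    5: "Catastrophic (disruption > 1 to 3 days)",
}

# Recommended treatment and review timeline per zone, from the slide table.
ZONE_TREATMENT = {
    "High": ("Avoidance / Reduction", "Quarterly"),
    "Med": ("Reduction / Transfer", "Half-yearly"),
    "Low": ("Acceptance", "Yearly"),
}


def risk_score(probability: int, impact: int) -> int:
    """Risk = Probability x Impact, both on the 1..5 scale."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("probability and impact must be integers 1..5")
    return probability * impact


def risk_zone(score: int) -> str:
    """Map a 1..25 score to a zone. The cut-offs (>= 15 High, >= 6 Med) are
    an assumption for this example; the slides do not state them."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Med"
    return "Low"


def assess_risk(threat: str, probability: int, impact: int) -> dict:
    """One RA register row: score, zone, recommended treatment and review."""
    score = risk_score(probability, impact)
    zone = risk_zone(score)
    treatment, review = ZONE_TREATMENT[zone]
    return {"threat": threat, "score": score, "zone": zone,
            "treatment": treatment, "review": review}


@dataclass
class CBF:
    name: str
    life_safety: bool   # has an impact on life safety and health
    rto_hours: float    # recovery time objective


def bia_category(cbf: CBF) -> str:
    """Category A: life safety/health impact; B: RTO <= 1 day; C: RTO > 1 day.
    Assumes 1 day = 24 hours."""
    if cbf.life_safety:
        return "A"
    return "B" if cbf.rto_hours <= 24 else "C"


def prioritise(cbfs: list) -> list:
    """Order CBFs for resource allocation: Category A first, then by RTO."""
    return sorted(cbfs, key=lambda c: (bia_category(c), c.rto_hours))


@dataclass
class Strategy:
    name: str
    recovery_hours: float   # time the option needs to restore the CBF


def select_strategy(cbf: CBF, options: list) -> Optional[Strategy]:
    """Return the first option (in the caller's preferred/cost order) whose
    recovery time meets the CBF's RTO, or None if no option achieves it."""
    for option in options:
        if option.recovery_hours <= cbf.rto_hours:
            return option
    return None


if __name__ == "__main__":
    # Constructed sample data, not from the slides.
    print(assess_risk("Denied access to primary site", 3, 4))
    cbfs = [CBF("Payroll", False, 72), CBF("Trading desk", False, 4),
            CBF("Plant emergency response", True, 1)]
    for c in prioritise(cbfs):
        print(bia_category(c), c.name, c.rto_hours)
    options = [Strategy("Do not take any action", float("inf")),
               Strategy("Rebuild from scratch", 720),
               Strategy("Reciprocal arrangement", 48),
               Strategy("Alternate site", 2)]
    chosen = select_strategy(cbfs[1], options)
    print(chosen.name if chosen else "no strategy meets RTO")
```

Listing strategy options cheapest first and taking the first one that meets the RTO is what turns slide 12's "ensure the selected strategy can achieve the RTO" into a repeatable check; a `None` result is the signal that the RTO itself, not the strategy list, needs revisiting with the business unit.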
  13. BC PLAN
      1. Complement and fill the gaps in all existing plans
         - Crisis communications
         - Emergency response
         - Utility breakdown
         - IT DR
         The BC Plan shall be reviewed in its entirety at least once a year (10.2.5).
         Saving and preservation of human lives shall overrule all other considerations (8.2.5).
  14. BC PLAN
      2. Disaster declaration officer (8.4.5)
         - List of assessment criteria of incident versus disaster
         Damage assessment team (DAT) (8.4.8)
         The team shall produce within a stipulated time a report that contains disrupted operations, downtime estimates, and a recommendation for the next course of action.
         Also refer to Initial damage assessment (8.3.2) - recommendation of disaster declaration.
  15. BC PLAN
      Criteria for activation (8.2.3)
      Denied access, or potential denied access, of more than x hours to Business Units' primary operating sites.
      The incidents that result in denial of access to the primary operating site as a result of a disaster include, but are not limited to, fire, bomb threat, explosion and anthrax threat, among others.
  16. BC PLAN
      3. Pre-incident preparation (8.3.1)
         There shall be formal processes to ensure that pre-incident measures are carried out to address each identified risk and its impact on CBFs. These measures shall include the following generic responses to identified risks:
         • Risk avoidance;
         • Risk reduction;
         • Risk transfer; and
         • Risk acceptance.
  17. BC PLAN
      4. Head of EOC (8.4.4)
         - At least one senior staff member
         - Approved by the executive management
         - Absolute authority
  18. TESTS AND EXERCISES
      1. Level and frequency (9.2.2)
         The BC plan shall be tested and exercised on a periodic and systematic basis at 2 levels:
         a. Discrete level. Each CBF is tested or exercised individually, independent of other CBFs. This shall be carried out at least once a year.
         b. Integrated level. In addition to the discrete level test, all CBFs are tested or exercised together to assess their interdependencies and peak usage of resources. This shall be carried out at least once every two years.
  19. TESTS AND EXERCISES
      2. Recommendations and corrective actions (9.3.4)
         - Implemented and completed within the agreed time frame
         - Review and update the progress of outstanding items until completion
         - Incorporated as part of the audit plan
  20. PROGRAMME MANAGEMENT
      1. Organisation BCM Policy (10.2.1)
  21. PROGRAMME MANAGEMENT
      2. BCM internal audit (10.2.8)
         - Conducted annually
         - Encompass external parties
         Also refer to Vendor Contracts (10.2.9)
         - Incorporate an appropriate BCM requirement clause
  22. PROGRAMME MANAGEMENT
      In addition, selected government or public agencies will consider the applicant's level of preparedness as part of the procurement process, and companies with business continuity management (BCM) in place will be "viewed favorable".
      Source: Pg 9, Today, 8 Nov 08
  23. PROGRAMME MANAGEMENT
      3. BCM manual (10.2.11)
         Also refer to Sample table of contents of a BCM manual (Annex A)
         - Document control
  24. PROGRAMME MANAGEMENT
      4. BCM Culture
         - Continuous "buy-in" and support from Senior Management
         - Part of processes and operational environment
         - Invest $$
  25. Contact Us
      Singapore (Headquarters)
      315 Outram Road #15-04, Tan Boon Liat Building, Singapore 169074
      Course: info@bcm-institute.org
      Certification: certification@bcm-institute.org
      Website: www.bcm-institute.org, www.worldcontinuitycongress.com