BCM Institute MTE Jeremy Wong - Business Continuity Management Benchmarking in Action

BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html

Benchmarking of BCM in Action by Jeremy Wong, Senior Vice President, GMH Pte Ltd
• Designing and building an effective and efficient benchmarking roadmap encompassing all stakeholders
• Understanding BC Management programme versus BC Management System (BCMS)
• Preparing BC team on justifications of roadmap to management and major stakeholders
• Implementing self assessment process and performing gap analysis to your BC programme
• Sharing of learning, pitfalls and challenges in implementing an organization's BC Management System

  1. 1. Benchmarking of BCM in Action Jeremy Wong Senior Vice President GMH Continuity Architects jeremy@gmhasia.com
  2. 2. GMH Continuity Architects • A leading consultancy focusing on business continuity, disaster recovery and crisis management in Asia Pacific since 1999. • Our core business is in safeguarding our clients’ businesses through the sound application of proven, business-oriented methodologies. GMH is an accredited partner of BCM Institute.
  3. 3. Proven BCM Consulting Experience All images are copyright and trademarks of their respective owners. China & Hong Kong | Japan | Philippines | Taiwan | Malaysia | Singapore | Thailand
  4. 4. Agenda • Benchmarking Your Organisation’s BCM Against an International Standard • Getting Your Organisation Ready • Certification Audit
  5. 5. BS25999: Benchmarking Your Organisation’s BCM Against International Standards
  6. 6. BS25999 In A Nutshell BS 25999 is a Business Continuity Management (BCM) standard in two parts: 1. BS 25999-1:2006 Business Continuity Management. Code of Practice Provides general guidance and seeks to establish processes, principles and terminology for Business Continuity Management. 2. BS 25999-2:2007 Specification for Business Continuity Management Specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited. The BS25999 standard aims to provide a means of measurement that is consistent and recognised.
  7. 7. Business Continuity Management System • A management system is the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives • Management systems connect business continuity planning efforts to the most senior leaders in an organization: – requirements and strategies (“Plan”) – resources, processes and procedures (“Do”), – reviews and assessments (“Check”) in order to standardize performance – constantly improve (“Act”)
  8. 8. BS25999 PDCA Cycle • Plan: Establish the BCM • Do: Implement and operate the BCM • Check: Monitor and check the BCM • Act: Maintain and continually improve the BCM • Requirements & Expectations of BCM by Stakeholders and Interested Parties • Managed Business Continuity of the Organisation
  9. 9. BS25999 - Benefits • Provide a common framework based on internationally accepted best practices for implementing and managing business continuity • Provide a framework for organization of any type, size and location • Bring a common understanding to all stakeholders • Provide customers with external assurances, thereby increasing confidence
  10. 10. Challenges • Administration for administration’s sake • Competencies – us and them! • Lack of clarity over terminology e.g. MTPD • Integrated management systems – not quite! • Awareness-raising
  11. 11. “There are risks and costs to a programme of action…but they are far less than the long ranging costs of comfortable inaction.” - John F. Kennedy
  12. 12. Conclusion – the end of the beginning? • Positive experience • Disciplined and structured • Makes you think: – What you do – How you do it – And why you do it • Continual improvement • Ongoing assessment • What does success look like?
  13. 13. Getting Your Organisation Ready
  14. 14. Steps • Establish the BCM Practices • Assess state of BCMS – Gap Analysis • Ready for audit and beyond – Identify auditees and audit schedule – Produce evidence in standardized acceptable format – Conduct internal audit – Conduct external audit – Operate BCM in accordance with the governance regime – Continue improvement on BC capabilities
  15. 15. Competency Built-in Implementation (diagram) • Sessions: Session 1, Session 2, Session 3, Session 4, Session 5, Session 6 (each Session-Day is a minimum of 2 weeks apart) • Stages: Fundamentals of BCM, Program Management, Risk Analysis & Review, Business Impact Analysis, Recovery Strategy, Plan Development, Testing & Exercising • Business Continuity Reports – BC Plan: Policy and Framework, Risk Assessment Report, Business Impact Report, Recovery Strategy Report, Business Continuity Plans, Test Plan
  16. 16. BCM Roadmap (diagram) • Stages: Program Management, Risk Analysis & Review, Business Impact Analysis, Recovery Strategy, Plan Development, Test & Exercises, Internal Audit • Labels: Business Continuity Reports – BC Plan, BC-DR Test / Exercise, External BS25999 Audit • Numbered markers: 1, 2, 3, 4
  17. 17. BCP Planning Methodology Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2
  18. 18. Project Management Objectives • Formulate a workable project proposal. • Seek endorsement and commitment on the project from management committee: – Objective; – Scope; – Approach; – Schedule; and – Manpower. • Establish project management structure and control. Tasks • BCM Steering Committee & BCP Project Team • Review and understand organisation environment. • Agree and formalise project management structure and resource allocation. • Establish project administration reporting and control mechanism. Deliverables • Project plan proposal includes: – Definition; – Scope; – Objective; – Roles & Responsibilities. • Project workplan. • Project reporting mechanism.
  19. 19. Risk Analysis and Review Objectives • Identify vulnerabilities • Establish reliable recommendations for: – Minimizing impact of identified threats – Immediate and effective response to potential causes of disaster Tasks • Identify exposure to internal & external threats and the likelihood of these threats occurring • Recommend preventive responses and escalation procedures in conjunction with crisis management implementation • Evaluate findings and prepare a status report & recommendation. Deliverables • Comprehensive risk and threat profile to the organization, with key disaster scenario • Recommendations, to be implemented to minimize the risks, for: – Countermeasures – Immediate Response Procedures – Security Risk Review • Summary report of recommendations agreed with senior management
  20. 20. Business Impact Analysis Objectives • Determine impact of unavailability/failure/disaster on business functions. • Determine critical business needs and tolerable limits. • Establish business criticality/impact criteria using Business Impact Analysis Questionnaires (BIAQ). • Prioritise the importance of each business unit vis-à-vis established criteria. • Consolidate findings and rankings. • Present results to management committee to confirm critical classifications and priority listings. • Detailed report on findings (approved by management) containing: – tolerable limits; – classification of criticality; – prioritised critical business functions; – minimum resources; – critical applications and systems; and – restoration priority. • Impact analysis of unavailability of business functions (quantitative and qualitative).
  21. 21. Recovery Strategy Objectives • Establish business functions & job priorities vis-à-vis business needs. • Determine processing requirements for priority business functions. • Identify and formalise backup for everything needed to survive a disaster. • Ensure that alternative processing procedure is available for continuity of critical business needs whilst recovery is in progress. Tasks • Analyse all division functions to prioritise them based on business needs. • Analyse hardware and software requirements to run high priority critical functions so that sufficient backup can be arranged. • Review and establish backup arrangements, if necessary. • Identify necessary interim processing procedures for critical functions. • Seek management’s review and endorsement of findings and recommendations. Deliverables • List of strategic plans for recovering prioritised critical functions. • List of critical functions requiring interim manual processing procedures. • Recommend alternate interim processing procedures.
  22. 22. Plan Development Objectives • Train and equip users with skill to complete the Microsoft Word plan template. • Establish recovery procedures to fully restore normal business operations after a disaster, based on selected strategies. • Ensure consistency and comprehensiveness of coverage. Tasks • Determine recovery teams set-up and functional responsibilities. • Identify members of each recovery team. • Develop specific procedures for each recovery team. • Review and edit (based on agreed structure) the plan component to ensure consistency and comprehensiveness of documentation. Deliverables • Propose: – Recovery team structure; – Staffing of the recovery teams with names of specific staff members; and – List of action steps to be taken by each member of respective recovery team. • Completed Business Continuity Plan.
  23. 23. Testing and Exercising Objectives • Formulate an objective mechanism to validate the "workability" of the complete Business Continuity Plan. Tasks • Design an overall program for testing of plan. • Develop plans and schedules for specific tests. • Develop an evaluation mechanism. Deliverables • List of tests to be conducted. • List of responsibilities of parties involved: – Objectives, policies, guidelines, responsibilities and test specifications. • Specific test plan: – Description, scenarios, procedures and criteria. • Evaluation forms/checklists for recovery plan tests.
  24. 24. Assess State of BCM - Gap Analysis • Organisations with established BCM Programmes could decide to do a gap analysis. – Review BCM programme against an internationally recognised standard (e.g. BS25999) – Identify gaps in compliance – Make recommendations – Prioritize and schedule implementation – Chart roadmap to BCM success
  25. 25. Certification Audit
  26. 26. Preparing for Certification Audit • BS25999 Internal Audit training • Pre-Audit Gap Analysis • Final Audit - Stage 1 • Final Audit - Stage 2
  27. 27. Pre-Audit Assessment – Our Approach • No special preparation ahead of the analysis • Assessor given full site tour – Services provided to customer & supporting processes / activities – Operational structure – Key threats and impacts • Used the day to confirm our understanding of BS25999 requirements and how they applied to the organization • Findings summarised in written report with identified issues recorded
  28. 28. Final Audit (External) • Stage 1 – Formal desktop review to ensure all elements of the proposed scope and the standard are addressed by the BCM system – Assesses readiness to proceed to Stage 2 – Primary focus on review of documented BCM system – Interactive session – Findings summarised in written report
  29. 29. Final Audit (External) • Stage 2 – Evaluation of the effectiveness of the implementation of the BCM system and conformance to the standard – All elements of BCM system assessed – Multiple audit methodologies – all interactive – Departmental level review of BCM system – Exercising, Maintaining & Review – Closing Meeting – Final close out of identified issues
  30. 30. The Audit Process – Lessons Learnt • Preparation – You can’t take your BCM off the shelf a month before the audit, blow the dust off it and expect to gain certification • Scope – Critical to certification but easy to get wrong – Are all interdependencies of critical activities covered by your system? • BCM documentation – Available & easy to access – Attention to detail – Does it all hang together? • People – Available & aware of what to expect • BCM culture – Is BCM alive in the organisation? • Don’t expect to be told if your plans will work
  31. 31. External Audits
  32. 32. Thank You
