AIM AND OBJECTIVES
Aim
• To develop an understanding of how to implement a BCMS within your organisation.
Objectives
• To develop an understanding of business continuity.
• To understand how to use the business continuity toolkit.
• To understand how to undertake a business impact analysis for your organisation.
• To understand how to develop a business continuity plan for your organisation.
DEFINITIONS – ISO 22301:2019
• Business continuity: the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
• Business continuity management: a holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
• Business continuity management system: part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.
BUSINESS CONTINUITY MANAGEMENT SYSTEM – ISO 22301/22313
A business continuity management system emphasises the importance of:
• Understanding the organisation’s needs and the necessity for establishing a business continuity management policy and objectives
• Implementing and operating controls and measures for managing an organisation’s overall capability to manage disruptive incidents
• Monitoring and reviewing the performance and effectiveness of the BCMS, and
• Continual improvement based on management of objectives
ELEMENTS OF BUSINESS CONTINUITY MANAGEMENT
[Diagram, source ISO 22313: the elements of business continuity management are operational planning and control; business impact analysis and risk assessment; business continuity strategy/leadership; establish and implement BC procedures; exercising and testing.]
Plan, Do, Check, Act Cycle
ISO 22301 and 22313 use a ‘Plan, Do, Check, Act’ cycle in planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisation’s business continuity management system.
PLAN, DO, CHECK, ACT CYCLE
[Diagram of the PDCA cycle.]
Activity 1
In your groups discuss what the legal and/or regulatory responsibilities for business continuity are for your organisation.
ACTIVITY 1 – SUMMARY
• Civil Contingencies Act 2004 and Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005
• ISO 22313:2020 and ISO 22301:2019
• NHS England Emergency Preparedness, Resilience and Response Framework (last revised 2022)
• NHS England Business Continuity Framework (last revised 2022)
• Health and Safety at Work etc. Act 1974
• NHS Standard Contract
ACTIVITY 1 – SUMMARY CONTINUED
Apart from the legal side, common sense prevails for:
• The public we serve
• The staff we employ
• The partners we work with
• Those who commission our organisation
INTERESTED PARTIES
[Diagram of interested parties, adapted for the NHS from ISO 22313.]
ELEMENTS OF BUSINESS CONTINUITY MANAGEMENT 1
BUSINESS IMPACT ANALYSIS
• The BIA identifies business continuity requirements, providing information to determine the most appropriate business continuity solutions.
• The BIA also identifies the urgency of each activity undertaken by the organisation by assessing the impact over time caused by any potential or actual disruption to this activity on the delivery of products and services.
UNDERSTANDING THE ORGANISATION
[Diagram, adapted for the NHS from ISO 22313: purpose of the organisation; products and services; activities; dependencies and supporting activities; assets and resources; suppliers and partner organisations; internal context; external context; patients and clients.]
BUSINESS IMPACT ANALYSIS TEMPLATE
• Risk assessment and treatment
• Prioritisation of activities including recovery time objectives (RTO) and maximum tolerable period of disruption (MTPoD)
• Identify resources required for maintenance of priority services
BUSINESS IMPACT ANALYSIS
Activities are grouped by how much disruption they can tolerate:
• Activities that cannot tolerate any disruption
• Activities which can tolerate very short periods of disruption
• Activities which could be scaled down if necessary for short periods of time
• Activities which could be suspended if necessary
Source: ISO 22313
ACTIVITY 2
In your groups:
• Identify your organisation’s/department’s essential activity/service.
• Also identify your organisation’s legislative requirements.
• What are the resources required to deliver these?
• Are there any apparent risks to maintaining these prioritised activities?
• How will you reorganise to maintain these prioritised activities in the event of a disruptive incident?
ELEMENT OF BUSINESS CONTINUITY MANAGEMENT 2
BUSINESS CONTINUITY STRATEGY OPTIONS
• People
• Premises
• Technology
• Information
• Suppliers
• Stakeholders
Adapted from PAS 2015
ACTIVITY 3
In your groups discuss:
• Does your organisation have a business continuity strategy?
• What do you think a business continuity strategy should contain and why?
• Who is the organisation’s senior business continuity champion?
• Does your organisation have an agreed essential/priority service list?
ELEMENTS OF BUSINESS CONTINUITY MANAGEMENT 3
ACTIVITY 4: CONTINUITY REQUIREMENTS
Resource categories: People, Premises, Technology, Information, Suppliers and Partners.
ACTIVITY 4: CONTINUITY REQUIREMENTS
People
• What number of staff do you require to carry out critical activities?
• What is the minimum staffing level you will need to deliver these?
• What skills/level of expertise are required to undertake these activities?
Premises
• What locations do your prioritised activities operate from?
• What alternative premises do you have?
• What machinery, equipment and other facilities are essential?
Technology
• Is the service dependent on electrical medical equipment?
• What IT is essential to carry out your prioritised activities?
• What systems and means of communication are required to carry out your prioritised activities?
Information
• What information is essential to carry out your prioritised activities?
• How is this information stored?
Suppliers and Partners
• Who are your priority suppliers?
• Are key services contracted out?
• Do both you and your suppliers/partners have mutual aid arrangements in place?
DEFINITIONS
Recovery Time Objective (RTO)
• A period of time following an incident within which a product or service must be resumed, or activity must be resumed, or resources must be recovered.
Maximum Tolerable Period of Disruption (MTPoD)
• The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.
Source: ISO 22301
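The RTO and MTPoD definitions above, and the BIA's impact-over-time prioritisation described earlier in the deck, as an added worked example in Python (this is not code from the training deck, from ISO 22301 or from the NHS toolkit). It scores the impact of a disruption at successive hours, derives each activity's MTPoD as the first hour at which the impact becomes unacceptable, maps that onto the four ISO 22313 tolerance categories the deck lists, ranks the activities by urgency, and flags any activity whose agreed RTO falls later than its MTPoD. The activities, their impact scores, the 0..5 impact scale, the "unacceptable" threshold and the hour boundaries used for the categories are all constructed assumptions.

```python
"""Constructed BIA model (added example, not from the deck or ISO):
impact-over-time scores -> MTPoD -> tolerance class -> RTO check -> priority list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNACCEPTABLE_IMPACT = 4   # assumed: on a 0..5 scale, impact at or above this is unacceptable
VERY_SHORT_HOURS = 4      # assumed boundary for "very short periods of disruption"
SHORT_HOURS = 72          # assumed boundary for "scaled down for short periods"


@dataclass(frozen=True)
class Activity:
    name: str
    impact_over_time: Dict[int, int]  # hours since disruption -> impact score 0..5
    rto_hours: int                    # agreed recovery time objective, in hours


def mtpod_hours(activity: Activity) -> Optional[int]:
    """MTPoD: the first assessed hour at which the impact of not performing the
    activity becomes unacceptable. None means impact stays tolerable across the
    whole assessed horizon."""
    for hour in sorted(activity.impact_over_time):
        if activity.impact_over_time[hour] >= UNACCEPTABLE_IMPACT:
            return hour
    return None


def tolerance_class(mtpod: Optional[int]) -> str:
    """Map an MTPoD onto the four tolerance categories the deck takes from ISO 22313."""
    if mtpod is None or mtpod > SHORT_HOURS:
        return "could be suspended if necessary"
    if mtpod == 0:
        return "cannot tolerate any disruption"
    if mtpod <= VERY_SHORT_HOURS:
        return "can tolerate very short periods of disruption"
    return "could be scaled down if necessary for short periods"


def prioritise(activities: List[Activity]) -> List[Tuple[str, Optional[int], str]]:
    """Order activities by urgency: shortest MTPoD first, suspendable ones last."""
    ranked = sorted(
        activities,
        key=lambda a: (mtpod_hours(a) is None, mtpod_hours(a) or 0, a.name),
    )
    return [(a.name, mtpod_hours(a), tolerance_class(mtpod_hours(a))) for a in ranked]


def rto_findings(activities: List[Activity]) -> List[str]:
    """An RTO later than the MTPoD means the plan recovers the activity only after
    the impact has already become unacceptable; report each such case."""
    findings = []
    for a in activities:
        m = mtpod_hours(a)
        if m is not None and a.rto_hours > m:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPoD {m}h")
    return findings


# Constructed sample BIA data; not taken from any real organisation.
SAMPLE_ACTIVITIES = [
    Activity("Emergency department triage", {0: 5, 1: 5, 24: 5}, rto_hours=0),
    Activity("Pathology results reporting", {0: 1, 1: 2, 4: 4, 24: 5}, rto_hours=2),
    Activity("Outpatient appointment booking", {0: 0, 4: 1, 24: 2, 72: 4, 168: 5}, rto_hours=96),
    Activity("Staff training records", {0: 0, 24: 0, 72: 1, 168: 2}, rto_hours=240),
]

if __name__ == "__main__":
    for name, mtpod, cls in prioritise(SAMPLE_ACTIVITIES):
        label = "n/a" if mtpod is None else f"{mtpod}h"
        print(f"{name:32} MTPoD={label:>5}  {cls}")
    for finding in rto_findings(SAMPLE_ACTIVITIES):
        print("FINDING:", finding)
```

The RTO check is the part practitioners most often miss: the deck's plan-content slide asks for timescales and recovery levels, and an RTO that sits past the MTPoD means the documented timescale cannot meet the requirement the BIA established. Replace the constructed scores with the impact assessments gathered in your own BIA.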
MITIGATING IMPACTS THROUGH EFFECTIVE BUSINESS CONTINUITY: SUDDEN DISRUPTION
[Diagram; source: ISO 22313]
MITIGATING IMPACTS THROUGH EFFECTIVE BUSINESS CONTINUITY: GRADUAL DISRUPTION
[Diagram; source: ISO 22313]
INCIDENT TIMELINE
• What mechanism could be used to ensure that during and following an incident the matter is escalated to the appropriate level in the organisation?
• What are your organisational command and control arrangements?
ACTIVITY 5
• List as many examples as you can of measures which could be considered in the context of flooding due to failure of internal plumbing systems to:
• Reduce the likelihood of a disruption
• Shorten any period of disruption
• Limit the impact of a disruption
BUSINESS CONTINUITY INCIDENT EXAMPLES
EXAMPLE – NHS STAFF STRIKES
• NHS staff strikes in 2013 and 2014, Junior Doctors in 2016
• Disputes over staff pay
• The strikes were the first by NHS staff over pay in more than 30 years
EXAMPLE – SEVERE WEATHER (STORMS)
During the winter of 2021/22 the UK experienced 5 storms:
1. Storm Malik – 28/01/22
2. Storm Corrie – 29/01/22
3. Storm Dudley – 14/02/22
4. Storm Eunice – 18/02/22
5. Storm Franklin – 21/02/22
The NHS experienced various business continuity issues throughout this period, some of which are mentioned below:
• Travel disruptions
• Structural damage impacted NHS buildings across the country.
• Outpatient appointments being rescheduled as a result of the severe weather.
• Roads, bridges and railway lines closed, with delays and cancellations to transport.
EXAMPLE – ROYAL MARSDEN 2008
• More than 100 firefighters in 25 fire engines were deployed on the blaze
• Between 80 and 90 patients were helped onto the streets whilst the hospital was filled with thick smoke
• The fire could be seen across the London skyline
• Further information: http://www.webarchive.org.uk/wayback/archive/20130304124419/http://www.london.nhs.uk/webfiles/Corporate/NHSL_FIRE_LR_2.pdf
EXAMPLE – WANNACRY CYBER ATTACK
• On Friday 12th May 2017 the NHS was affected by the WannaCry outbreak, which hit hospitals and GP surgeries across England and Scotland.
• Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres.
• Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.
• The WannaCry ransomware exploited a specific Microsoft Windows vulnerability; it was not an attack on unsupported software.
• Most of the NHS devices infected with the ransomware were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system, hence the extent of the cyber-attack.
• The ransomware also spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but fortunately there were no instances of the ransomware spreading via NHSmail (the NHS email system).
• NHS England reported that at least 80 out of the 236 trusts were affected, in addition to 603 primary care and other NHS organisations, including 595 GP practices.
EXAMPLE – BT FLOOD AND FIRE, MARCH 2010
• ‘...tens of thousands of customers in parts of North and West London may be experiencing a loss of broadband and/or telephone service [...] as this is a complex incident we cannot accurately predict when all services will be restored. We will issue further updates as the situation changes.
• Any customers needing to make calls to the emergency services who have a problem using their phones are advised to do so by using their mobile phone, or alternatively by using a friend or neighbour's working phone.’
EXAMPLE – CORONAVIRUS (COVID-19)
What is Coronavirus?
• Coronavirus, also called COVID-19, is part of a family of viruses that includes the common cold and more serious respiratory illnesses such as SARS.
• It affects your lungs and airways. For many people, it causes mild symptoms, while for others it can be much more serious and require hospital treatment.
• Coronavirus is very infectious, which means it spreads very easily. It spreads in much the same way as the common cold or flu – through infected respiratory droplets like coughs and sneezes – and passes from person to person.
• On Wednesday 29 2020 the UK’s first two patients
• The average ‘incubation period’ – the time between coming into contact with the virus and experiencing symptoms – is 5 days, but it could be anything between 1 and 14 days.
• As of 21/04/22 there have been over 22 million cases of COVID in the UK and over 173,000 deaths.
• As of 15/04/22 a total of 831,579 patients had been admitted to hospital with COVID-19.
NHS Impacts
• Additional pressures, in conjunction with winter pressures, on emergency departments
• Staff shortages due to sickness
• Impact on the availability of PPE
• Supply chain disruption
• Shortage of equipment
• Mental and physical trauma
EXAMPLE – CHASE FARM HOSPITAL 2010
• Loss of water supply due to a burst water main in Enfield.
• Bowsers (water tanks) are still on site to ensure the main patient areas continue to receive water [...] Bottled water is available for staff and patients.
• The A&E department is open to all walk-in patients; however, all other emergencies are being transferred to Barnet Hospital. Once the water has resumed, A&E services will return to normal.
EXAMPLE – GRENFELL TOWER
• On 14th June 2017 a high-rise fire broke out in the 24-storey Grenfell Tower block of flats in North Kensington, West London, at 00:54 BST, due to an electrical fault in a refrigerator.
• 74 people died, 70+ people were injured and 223 escaped.
• The fire spread to the external cladding of the building.
• Mutual aid was in place over a period of time.
• There was a multi-agency response.
NHS Impacts
• More than 100 London Ambulance Service crews were on site.
• At least 20 ambulances present.
• The London hazardous area response team took part in the response.
• Casualties were taken to 5 different hospitals.
• Mental and physical trauma for responding NHS colleagues.
• Additional pressures on surrounding NHS trusts, e.g. King’s College Hospital, Chelsea and Westminster, Royal Free, Guy’s and St Thomas’, St Mary’s and Charing Cross, in conjunction with undertaking BAU activities.
• Building inspections around cladding for NHS buildings across the country.
ACTIVITY 6: BUSINESS CONTINUITY STRATEGY OPTIONS DISCUSSION
• What strategies might be needed for maintaining core skills and knowledge?
• What elements should your premises strategy consider to reduce the impact of the unavailability of one or more worksites?
• What technology strategies for business continuity could your organisation adopt in the event of a disruption to the main area of your building following a fire, with a recovery time objective of three months?
BUSINESS CONTINUITY RESPONSE PLANS
• Organisations may have numerous plans.
• These may include:
• Strategic organisational incident response plan
• Department/service response plans
• Building or site response plans
• Technical response plans for IT or clinical systems
BUSINESS CONTINUITY RESPONSE PLAN CONTENT
• Document control
• Purpose and scope
• Document owner and reviewer
• Roles and responsibilities
• Plan activation
• Contact details
• Incident management structure and plan
• Action cards
• Appendices
• Training and exercising
BUSINESS CONTINUITY RESPONSE PLAN CONTENT
The plan should:
• set out the prioritised activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed
• detail the resources available at different points in time to deliver the prioritised activities
• outline the process for mobilising the necessary resources
• include actions and tasks needed to ensure the continuity and recovery of prioritised activities
• be stored in a place that’s easily accessible, e.g. on a shared drive or as hard copies
ELEMENTS OF BUSINESS CONTINUITY MANAGEMENT
EXERCISING AND TESTING
• Exercises provide an opportunity to test plans in order to assess how our plans would stand up in a disruption
• Ensure that plans are fit for purpose
• Identify gaps and learning actions
• Continuous updating of core information, i.e. contact lists
TYPES OF BUSINESS CONTINUITY EXERCISES
• It is important for those who are responsible for business continuity to determine which type of business continuity exercise is appropriate based on the desired outcomes. This is because exercises vary in the levels and resources required.
• There are five main types of exercise:
• Discussion based exercise - These exercises are considered to be the most cost effective and the least time consuming of the exercise types. They are commonly structured events where participants can explore relevant issues and walk through plans in an unpressurised environment. This type of exercise can focus on a specific area for improvement that has been identified, with the aim being to find a possible solution.
• Table top exercise - These are commonly used where the discussion is based on a relevant scenario with a timeline which may run in ‘real time’ or may include ‘time jumps’ to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds.
• Command post exercise - These typically involve management teams at a strategic, tactical or operational level. Participants can be located across the whole organisation (and could potentially involve willing interested parties), all working from their usual day to day locations. In these exercises, participants are given information in a way that simulates a real incident. Participants can be invited to respond as they would for real; they are expected to deal with the situations that they encounter, linking in to others as necessary.
• Live exercise - These exercises can range from a small scale rehearsal of one component of the
WHY UNDERTAKE A BUSINESS CONTINUITY EXERCISE?
Exercises are undertaken with three main purposes:
• Validation - to validate and identify improvement opportunities in existing arrangements
• Training - to develop staff competencies and confidence by giving them practice in carrying out their roles in an incident
• Testing - to test existing procedures, plans and systems to ensure they function correctly and offer the degree of protection expected
BUSINESS CONTINUITY OFF THE SHELF EXERCISE
• The UK Health Security Agency has developed a business continuity off the shelf exercise.
• The business continuity off the shelf exercise uses three short scenarios to facilitate the review of local business continuity preparedness plans and enhance organisational resilience in case of disruption to the organisation’s core functions.
• To request an off the shelf exercise, email exercises@ukhsa.gov.uk
EMBEDDING YOUR BUSINESS CONTINUITY PLAN
To embed business continuity within your organisation you must ensure that business continuity plans are:
• Communicated to staff, with the staff having the appropriate experience and skills to deliver their roles.
• Owned by, and have the buy-in of, the senior management team.
• Continually exercised.
• Version controlled, so the correct plan is being followed.
REVIEWING BUSINESS CONTINUITY
Plans should be reviewed and updated when:
• Changes to key staff or partners take place
• The organisation is restructured
• Prioritised activity is delivered differently
• There is a change to the external environment, e.g. statutory change or a new NHS England requirement
• Following lessons identified from an incident or exercise
• As a result of a debrief
• At agreed periodic intervals
MAINTAINING BUSINESS CONTINUITY
• A clearly defined and documented maintenance programme for business continuity management should be established.
• This programme should:
• ensure that there is an on-going programme for business continuity training and awareness
• ensure that any changes that impact on business continuity are reviewed
• identify any new products and services, and their dependent activities, that need to be included in the business continuity management system
• ensure that the business continuity plans remain effective, fit for purpose and up to date
• enable existing exercise schedules to be modified when there has been a significant change in any of the business continuity processes
RECORD KEEPING
• When responding you need to keep records, but why is record keeping so important?
RECORD KEEPING
Why is record keeping so important?
• Details of casualties or near misses that occur
• Legal follow up
• Documents decisions made
• Documents decisions not made and why
• Undertake record keeping training
QUESTIONS
NEXT STEPS……
Business Continuity Planning (BCP) - Best Practices and Challenges
June 24, 2020
About the Speaker – Dhiraj Lal
Over 32 years in the industry. Ex BCM sponsor and head at American Express. Mix of experience as practitioner, trainer, and consultant. BCI approved instructor. Over 15 years in BCM and related domains.
Contributing author to: The Encyclopaedia of Business Continuity, 3rd edition.
Author of: Step by Step Guide AE/SCNS/NCEMA 7000:2015. Implement BCM the UAE way!
Dhiraj Lal, Executive Director, Continuity & Resilience (CORE)
MBCI, CBCP, CBCI, ISO 22301 Technical Expert, CISA, ITIL, ISO 31000, ISO 27001 Lead Auditor
A Chemical Engineer from IIT Delhi and MBA from IIM Calcutta, Dhiraj Lal has over 20 years BCM experience and 32 years overall. He has worked with Citibank, Standard Chartered, Agilent and American Express, where he was the Program Sponsor and BCM Head. He is Asia’s first BSI appointed Technical Expert for BS25999/ISO 22301, and assessed 2 of the top 10 certified organizations globally. He teaches and consults in BCM (NCEMA 7000/ISO 22301) and related domains. He has been invited to present at the BCI Annual conference in the UK, DRI US, BCMI Singapore, itSMF UK, DRI Asia in Malaysia, ISACA UAE, KSA and India, and also various Middle East Crisis, BCM and IT Resilience Summits in Abu Dhabi, Dubai, KSA and India.
ABOUT CONTINUITY & RESILIENCE
ISO 22301 certified management consulting firm
• Business continuity management
• Crisis management
• IT disaster recovery
• Information security
• Cyber security
• Risk management
We consult / train / assess and certify in these domains.
We provide advisory services:
• Automation tools – BCM / ITDR / mass communication
• Workplace recovery
• E-learning
AGENDA
• BUSINESS CONTINUITY PLANNING
• BUSINESS CONTINUITY IMPLEMENTATION ROADMAP
• BCP IN TIMES OF COVID-19
• CHALLENGES AND BEST PRACTICES
Business Continuity Planning
• “Planning to continue the Business”
• Not a new concept. A fancy name for common sense. In reality, we have been performing Business Continuity Planning for centuries.
• But still, many organizations struggled to restart operations during COVID-19.
• So we need more than just common sense. We need a structured and formal implementation of common sense.
What we do not fully do in BAU common sense
1. Agree timelines, worst case and best case (MTPD and RTO)
2. Base it fully on facts and data (consequences of downtime)
3. Consultative process involving all interested parties
4. Comprehensive, documented and signed off
5. Communicate to all who need to know, including relevant third parties and service providers
6. Practice, test and exercise. Review. Maintain and continually improve
Amazingly, this works…!!
Challenges for cyber professionals
• An uneven battle against an unknown enemy who has nothing better to do
• You have other matters to focus on but they have a single point agenda – to damage
• You constantly focus on getting better and better - but so do they
• By the sheer law of averages, once in a while they will succeed
• At those times, your best bet is to be able to restart fast and with minimum loss. So you need the world’s best Business Continuity readiness
• Have you formally put in place the 6 Rs (Reduce, Respond, Recover, Resume, Restore, Return)?
• When did you last practice them?
Challenges for cyber professionals
Economic Times, June 24 2020
SOME REASONS FOR OUTAGES (GLOBAL DATA)
Share of outages by cause:
• Flood/Water: 8.5%
• Power surge: 8.2%
• Hurricane: 7.2%
• Fire: 6.6%
• Hardware error: 5.6%
• Earthquake: 4.3%
• Network outage: 3.6%
• Human error: 3.5%
• Bombing: 2.5%
• Others: 7.4%
• Power outage: 31.1%
• Storm damage: 11.5%
"Others" includes: software error 1.2%, employee sabotage 1.2%, burst water pipe 1.2%, miscellaneous 3.8%.
Source: Contingency Planning Research Inc.
BUSINESS CONTINUITY IS A WISE INVESTMENT
• MINIMIZE BUSINESS DISRUPTIONS AND QUICKLY RECOVER
• RETAIN BUSINESS MODEL AND INCREASE MARKET SHARE AND PROFITS
• PROTECT THE ORGANIZATION’S VALUE AND REPUTATION
• CORPORATE GOVERNANCE AND SHAREHOLDER COMMITMENT
• NATIONAL REQUIREMENTS
• CONTRACTUAL COMMITMENTS, LEGAL AND REGULATORY COMPLIANCE
• MORAL AND SOCIAL RESPONSIBILITIES
• DEMONSTRATE “BEST PRACTICE”
• REDUCE INSURANCE LIABILITIES
Lack of BCP is self goal
TYPICAL STEPS
Business Continuity Implementation Roadmap
INTERNATIONAL BCM STANDARD – ISO 22301
Clause 1 : Scope
Clause 2 : Normative references
Clause 3 : Terms and definitions
Clause 4 : Context of the organisation
Clause 5 : Leadership
Clause 6 : Planning
Clause 7 : Support
Clause 8 : Operation
Clause 9 : Performance evaluation
Clause 10 : Improvement
Please implement a BCMS – not just BCM
• “Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity” – ISO 22301
• Ensure continual improvement via the PDCA cycle
BCP in times of COVID-19
COVID-19 is different from a typical Business Continuity situation
• Much longer duration
• No clarity on final resolution
• Triggered not by damage to resources
• Entire ecosystem is impacted
SOME POSITIVES
• Realization by all
• Even the PM asked entities to
implement Business Continuity
• Tolerance – “It’s Ok”
• Permanent mindset changes
Suggestions for professionals
• Don’t stop now – complete the journey
• Protect yourself against other new threats - implement the full BCM cycle
• Use this opportunity to create permanent BCM readiness and awareness across all segments
• Get your people ISO22301 trained and your organization ISO22301 compliant – or even ISO22301 certified
IMPLEMENT THE FULL BCM LIFECYCLE
Best Practices
• Commitment of top management
• Competency of all resources
• Right communication and tools
• Clearly defined roles, responsibilities, and authorities
• Continued management focus on the BCM program
• Choose the right people
• Provide effective training in advance of the implementation
Build culture across all Interested Parties
[Diagram of interested parties around THE ORGANIZATION.]
Around the organization: customers, citizens, distributors, shareholders, investors, owners, insurers, government, regulators, recovery services, suppliers, competitors, media, commentators, trade groups, neighbours, pressure groups, emergency services, transport services, other response agencies, dependents of staff.
Within the organization: top management (those who establish policies and objectives for the BCMS); those who set up and manage BC; those who maintain BC procedures; owners of business continuity procedures; incident response personnel; those with authority to invoke; appropriate spokespeople; response teams; other staff; contractors.
Build Culture via Training and Awareness
Group/Audience: Training
• Top Management: Awareness, Crisis Management, Crisis Communication
• Core BCM Team: CBCI/Lead Implementer, Lead Auditor
• Core BCM Team: Specialised courses (BIA, RA, Plan Writing, Testing etc.)
• Department Coordinator/BC Champions: Implementer, Internal Auditor
• Audit Team: Internal Auditor, Lead Auditor
• All Employees: Awareness
Build Culture via tests and exercises
[Graph, not to scale: for the exercise types Review/Walkthrough, Table Top, Call Tree, Simulation, IT/Work Area Recovery and Integrated, bars show Cost, Complexity, Risk (of disturbance due to the test), Assurance and Frequency.]
ENSURE REVIEW, MAINTENANCE AND IMPROVEMENT
• MAINTENANCE
• ADVANCED TESTING AND EXERCISING
• ONGOING AWARENESS AND TRAINING
• INTERNAL AUDIT AND SELF ASSESSMENT
• MANAGEMENT REVIEW
• SUPPLIER REVIEW
• CORRECTIONS AND CORRECTIVE ACTIONS
• BENCHMARKING
• CONTINUAL IMPROVEMENT
• INSTILLING A BCM MINDSET
Way Forward => Organizational Resilience
The ability of an organisation to absorb and adapt in a changing environment (BCI GPG 2018 / ISO 22316:2017)
QUESTIONS?
LET’S KEEP IN TOUCH!!
Dhiraj Lal, Executive Director +91 99101 10240
dhiraj.l@continuityandresilience.com
Thank You!
PHASES OF BUSINESS CONTINUITY PLANNING
BUSINESS IMPACT ANALYSIS (BIA)
PHASES OF BUSINESS CONTINUITY PLANNING
• BC planning typically includes five phases:
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures, and arrangements for BC
4. Readiness activities
5. Assessment process
1- BCP GOVERNANCE
• To establish control.
• The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan(s)/documents.
• Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
• The number and scope of the teams will vary depending on the organization's size, function and structure.
• It may be necessary to have multitask teams and provide cross-team training.
• The teams’ data shall be documented in the plans/documents.
• Consider decentralization as a way to provide better resiliency.
• Examples:
• An alternate site coordination team
• Contracting and procurement team
• Damage assessment team
• Crisis management team
• Finance and accounting team
• Hazardous materials team
• Insurance team
• Legal issues team
• Telecommunications / alternate communications team
• Equipment team
• Public and media relations team
• Transport coordination team
• Records management team
• The duties and responsibilities for each team must be defined, and include identifying:
1. The team leader
2. The team members
3. The specific team tasks
4. Members' authority and responsibilities
5. Possible alternate members
6. Creation of a contact list
BUSINESS CONTINUITY PLANNING
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures, and arrangements for BC
4. Readiness activities
5. Assessment
2- BUSINESS IMPACT ANALYSIS (BIA)
• Process of analyzing the activities and the effect that a business disruption might have upon them (source: ISO 22301:2019).
• BIA is all about data analysis to identify:
1) The organization's mandate and critical services or products
2) The priority of services or products for continuous delivery or rapid recovery
3) The possible internal and external threats, and
4) The impact of the threats.
• Information on the organization's mandate and critical services or products can be obtained from the:
1. Mission statement of the organization
2. Legal requirements for delivering specific services and products
3. Contracts and other obligations
• Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery.
• Identify impacts of disruptions to determine:
1. How long the organization could function without the service/product provision, and
2. How long clients would accept its services or products being unavailable.
BIA RELATED ACTIVITIES
1) Supply chain analysis
2) Assessment of the most critical business components
3) IT continuity analysis
4) Identify areas of potential revenue loss
5) Identify any additional expenses
6) Identify intangible losses
7) Identify insurance requirements
8) Identify dependencies
9) Analyze current recovery capabilities
1- SUPPLY CHAIN ANALYSIS
• Conduct supply chain impact analysis to
• The evaluation metrics may include the following:
1) Revenue impact
2) Reputation impact
3) Operational impact
4) Production impact
5) Delivery impact
6) Research and development impact
7) Delay impact
8) Staffing impact
• Find out if these members in the supply chain have BC/DR plans and if you can review them / share with them.
• Identify and evaluate each link in terms of business impact to find the high-impact link(s).
2- ASSESSMENT OF THE MOST CRITICAL BUSINESS COMPONENTS
• To create a complete business continuity plan, you need to assess the impact of an interruption on four components:
1) People (key persons, key competencies)
2) Physical property (equipment, storage, alternate facilities, ...)
3) Systems (hardware, software, email, phone systems, communication stations, ...)
4) Data (critical to run your business)
• Both data and systems are IT systems (IT continuity).
3- CONDUCT IT CONTINUITY ANALYSIS
• Decide which of the organization's IT functions / assets are essential for business continuity.
• Decide how to manage the technology systems in the event of a major disruption.
• Check the existence and suitability of IS policies / procedures / IT continuity plans.
• Review computer data backups, cabling, IT service providers' capabilities, ...
4- IDENTIFY AREAS OF POTENTIAL REVENUE LOSS
• Determine which processes and functions that support service or product delivery are involved in the creation of revenue.
• If these processes and functions are not performed, is revenue lost? How much? And for what length of time?
• If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
5- IDENTIFY ADDITIONAL EXPENSES
• If a business function or process is inoperable:
1) How long would it take before additional expenses would start to add up?
2) How long could the function be unavailable before extra personnel would have to be hired?
3) Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?
6- IDENTIFY INTANGIBLE LOSSES
• Estimates are required to determine the approximate cost of:
- The loss of consumer / investor confidence
- Damage to reputation
- Loss of competitiveness
- Reduced market share
- Violation of laws and regulations
- Business relationships with vendors
- Increased insurance cost
- Loss of employees
- Loss of financial support and cash flow
- Loss of community support
- Cost of equipment and facilities used during recovery
- Replacement, restoration and recovery costs not adjusted for inflation
- Increased cost when operations resume
7- IDENTIFY INSURANCE REQUIREMENTS
• What needs insurance
• The existing insurance
• The level of coverage
• What aspects may be over- or under-insured
• Is there a policy / document in place related to the insurance?
8- IDENTIFY DEPENDENCIES
• Identify the internal and external dependencies of critical services or products.
• Identify the expected impacts from a disruption to those dependencies.
• Internal dependencies include:
1. Employees (availability, competencies)
2. Corporate assets such as equipment, facilities, computer applications, data, tools, vehicles
3. Support services such as finance, human resources, security, and IT support
• External dependencies include:
1. Suppliers
2. Any external corporate assets such as equipment, facilities, computer applications, data, tools, and vehicles
3. Any external support services such as:
- Facility management
- Utilities
- Communications
- Transportation
- Finance institutions
- Insurance providers
- Government services
- Legal services
- Health and safety services
9- ANALYZE CURRENT RECOVERY CAPABILITIES
• Analyze the current recovery capabilities the organization already has in place, and their continued applicability.
• Try to answer the following questions:
1) Can employees work from home or another location?
2) Do I need a pre-determined alternate facility?
3) Do I have enough spare parts / IT equipment?
4) Do critical vendors and suppliers have their
3. DOCUMENTS, CONTROLS, MEASURES, AND ARRANGEMENTS FOR BC
• This step consists of the preparation of the management system documentation, including:
1) Detailed response plans / recovery plans
2) Policies / objectives
3) Arrangements
• Consider the critical vendors' and suppliers' business continuity plans.
• Focus on three categories of protection / safety to help survive a disaster:
1. Human resources
2. Physical resources
3. Business operations.
1- HUMAN RESOURCES
• Consider the possible impact a disaster may have on your employees' ability to return to work.
• Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work).
• Consider how your customers can reach you or receive your goods / services.
• Create evacuation plans.
• Develop and post evacuation routes / assembly locations; create a phone tree; consider having an employee emergency number.
2- PHYSICAL RESOURCES
• Building (maintenance, fire system, ...)
• Interior and exterior components (equipment, hardware / software)
• Materials / spare parts
• Alternate facilities (three types):
1- Cold site (the least expensive option)
2- Warm site (more expensive than cold sites)
3- Hot site (the most expensive option)
3- BUSINESS OPERATIONS / PROCESSES
1) Critical inputs: things needed to do your job
2) Critical outputs: things you produce that others want or need to do their job
3) Outsourced processes
• Examples of resiliency plans / documents and arrangements:
1) An alternate telecommunication provider
2) Emergency backup generator in case of a power outage
3) Agreements with a fuel provider
4) Alternate work site and equipment
5) Annual meeting with critical vendors to discuss their recovery operations and locations
6) Develop relationships with contractors / vendors
7) Create manual processes to be used in case the computers are unavailable
8) Mitigating the different threats
• The response preparation procedures answer:
1) "What to do before a disruption occurs?" (proactive activities)
2) "What to do when a disruption occurs?" (response, recovery, continuity)
3) "What to do after a disruption occurs?" (lessons learned / change management)
4- READINESS ACTIVITIES
• Awareness
• Individual and team task training
• Procedures exercises and testing
• Post-exercise evaluation
GOALS OF PROCEDURES EXERCISES AND TESTING
1. Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
2. Ensure the understanding and workability of documented recovery procedures.
3. Adapt and update existing plans to encompass new requirements.
4. Train team leaders and members in the procedures for executing the continuity plan.
5. Obtain information about recovery strategy implementation.
6. Verify that recovery strategies are viable.
5- ASSESSMENT
• How to assess the plan's accuracy and effectiveness
• How to conduct the internal or external audit (BC readiness audit)
• Identify needed improvements
HOW TO PERFORM A BC READINESS AUDIT
1. Check for the existence of the following documents / information:
• Emergency procedures
• Evacuation plan
• Fire protection plan
• Environmental policies
• Safety and health program
• Security procedures
• Finance / purchasing procedures
• Facility closing policy
• Process safety assessment
• Mutual aid agreements
• Hot / cold site agreements
• Capital improvement program
• Hazardous materials / waste disposal
• Alternative or manual procedures
• Disaster recovery plans for information resources
• Based on the review, ask the following questions: how would your organization resume operations after
- loss of access to your facility,
- loss of access to your information resources (IR), or
- loss of key personnel?
• Have any audit findings been reported from internal or external auditors?
• Would most individuals know how to report or respond to an event?
• If policies relative to recovery efforts are in place, who knows about them?
• Do people know if they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities?
• Has testing been done to see how people would react during a recovery effort in the following areas:
- Senior management
- Management information systems / security / information technology
- Risk management
- Internal departments
- Auditing
- Vendors
• 12. Check to see if:
- Computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
- Alternate work locations are available;
- Items required to be off-site are really there;
- Security measures are being followed;
- Emergency equipment (generally UPS, batteries, etc.) is working correctly;
- Emergency lighting is in good working order and in the correct places.
8.2.3 RISK ASSESSMENT
• The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
• NOTE: This process could be carried out in accordance with ISO 31000.
• The organization shall:
a) Identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them;
b) Systematically analyse risk;
c) Evaluate which disruption-related risks require treatment; and
d) Identify treatments commensurate (suitable) with business continuity objectives and in accordance with the organization's risk appetite.
Risk Criteria
• Reference against which the significance of a risk is evaluated to determine the level of risk.
• Risk criteria can be derived from:
1) Standards
2) Laws
3) Policies
4) Any other requirements (interested parties).
• Risk criteria are based on organizational objectives and context.
• Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
• The risk criteria include:
1) Risk evaluation criteria
2) Risk impact criteria
3) Risk acceptance criteria.
Likelihood \ Consequences | Slightly          | Moderate          | High
Low                       | Unimportant risk  | Acceptable risk   | Uncontrolled risk
Medium                    | Acceptable risk   | Uncontrolled risk | Important risk
High                      | Uncontrolled risk | Important risk    | Unacceptable risk
RISK MATRIX CONTROL PLAN
Risk level | Action and timescale
Unimportant | No action is required and no documented records need to be kept.
Acceptable risk | No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
Uncontrolled risk | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
Important risk | Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
Unacceptable risk | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.
Probability \ Consequence | 1 | 2  | 3  | 4  | 5
5                         | 5 | 10 | 15 | 20 | 25
4                         | 4 | 8  | 12 | 16 | 20
3                         | 3 | 6  | 9  | 12 | 15
2                         | 2 | 4  | 6  | 8  | 10
1                         | 1 | 2  | 3  | 4  | 5
(cells are probability x consequence)
Legend
≥ 20: E - Extreme risk - immediate action required
> 10 and < 20: H - High risk - urgent management attention needed
> 5 and ≤ 10: M - Medium risk - management attention as soon as possible
< 5: L - Low risk - periodical evaluation
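As an added example (not part of the slides), the Python below encodes the 5x5 matrix and the legend thresholds exactly as printed and then checks that every cell of the matrix lands in some band; the function names and the coverage check are my own, not from the deck.

```python
"""Score risks with the deck's 5x5 probability x consequence matrix and legend.

Added example, not from the slides. The matrix and the legend thresholds are
copied from the slide; the function names and the coverage check are my own.
"""
from itertools import product

# Legend bands exactly as printed on the slide: (label, predicate, description).
LEGEND = [
    ("E", lambda s: s >= 20, "Extreme risk - immediate action required"),
    ("H", lambda s: 10 < s < 20, "High risk - urgent management attention needed"),
    ("M", lambda s: 5 < s <= 10, "Medium risk - management attention as soon as possible"),
    ("L", lambda s: s < 5, "Low risk - periodical evaluation"),
]


def risk_score(probability: int, consequence: int) -> int:
    """Score = probability (1..5) x consequence (1..5), as the matrix cells show."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence must be integers 1..5")
    return probability * consequence


def risk_band(score: int):
    """Legend label for a score, or None when no printed band matches it."""
    for label, matches, _ in LEGEND:
        if matches(score):
            return label
    return None


def band_description(label: str) -> str:
    """Action text the legend attaches to a band label."""
    return next(desc for lbl, _, desc in LEGEND if lbl == label)


def build_matrix():
    """Rows are probability 5..1 (top to bottom), columns consequence 1..5, as on the slide."""
    return [[risk_score(p, c) for c in range(1, 6)] for p in range(5, 0, -1)]


def uncovered_cells():
    """(probability, consequence) cells whose score falls in no legend band.

    A legend that leaves cells unassigned is a defect in the risk criteria that
    a reviewer should catch before the matrix is used to prioritise treatments.
    """
    return sorted(
        (p, c)
        for p, c in product(range(1, 6), repeat=2)
        if risk_band(risk_score(p, c)) is None
    )


def render_matrix() -> str:
    """Text rendering of the matrix with the band letter beside each score ('?' = no band)."""
    header = "P \\ C " + "".join(f"{c:>6}" for c in range(1, 6))
    lines = [header]
    for row_index, row in enumerate(build_matrix()):
        p = 5 - row_index
        cells = "".join(f"{score:>4}{risk_band(score) or '?'} " for score in row)
        lines.append(f"{p:>5} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    for p, c in uncovered_cells():
        print(f"no band for probability {p} x consequence {c} = {risk_score(p, c)}")
```

Run as written, it reports that score 5 (probability 1 x consequence 5, and 5 x 1) matches neither "< 5" nor "> 5", so the legend as printed needs one boundary made inclusive before the matrix is used.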
Impact / Consequences
Rank | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
5 Very High | > 1M | Negative impact on strategic directions execution | Contract termination | Closure | Fatality / catastrophe / fatal occupational illness | Permanent damage | Permanent loss of the service
4 High | 250K to 1M | Negative impact on execution of 2 objectives | Major product / service recall | Non-renewal of one of the legal documents | Partial / complete incapacity | Long-time damage | Long-time non-availability of the service
3 Moderate | 50K to 250K | Negative impact on execution of 1 objective | Minor product / service recall | Formal violations | Lost working days / work-related illness | Limited damage / kills fauna, flora, concerns global issues | Temporary non-availability of the service
2 | | Slight negative | Complaint | Notice | Medical treatment case / restricted | Aspect causes slight impact on fauna or | Slight impact on the service
Impact | Reputation | Financial (Corporate) | Financial (Site) | Legal | Customer
Very High | Regional media coverage over multiple days, or global media coverage | More than $100M | More than $10M | Closure notice | Ending the contract
High | National media coverage over multiple days, or single regional media coverage | $10 - $100M | $1 - $10M | No renewal of operating permit | Major product recall
Moderate | Local media coverage over multiple days, or single national media coverage | $1 - $10M | $100K - $1M | Violation notice payment | Partial product recall
Low | Single local media coverage | $100K - $1M | $10K - $100K | Violation notice explanation | Product price concession
Verbal

business-continuity-management- (1).pptx

  • 1.
    AIM AND OBJECTIVES 1| Aim • To develop an understanding of how to implement a BCMS within your organisation. Objectives • To develop an understanding of business continuity. • To understand how to use the business continuity toolkit. • To understand how to undertake a business impact analysis for your organisation • To understand how to develop a business continuity plan for your organisation
  • 2.
    DEFINITIONS – ISO22301:2019 •BUSINESS CONTINUITY • THE CAPABILITY OF THE ORGANISATION TO CONTINUE DELIVERY OF PRODUCTS OR SERVICES AT ACCEPTABLE • PREDEFINED LEVELS FOLLOWING A DISRUPTIVE INCIDENT. •BUSINESS CONTINUITY MANAGEMENT • A HOLISTIC MANAGEMENT PROCESS THAT IDENTIFIES POTENTIAL THREATS TO AN ORGANISATION AND THE IMPACTS TO BUSINESS OPERATIONS THOSE THREATS, IF REALIZED, MIGHT CAUSE, AND WHICH PROVIDES A FRAMEWORK FOR BUILDING ORGANISATIONAL RESILIENCE WITH THE CAPABILITY OF AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE INTERESTS OF ITS KEY STAKEHOLDERS, REPUTATION, BRAND AND VALUE- CREATING ACTIVITIES. • BUSINESS CONTINUITY MANAGEMENT SYSTEM • PART OF THE OVERALL MANAGEMENT SYSTEM THAT ESTABLISHES, IMPLEMENTS, OPERATES, MONITORS, • REVIEWS, MAINTAINS AND IMPROVES BUSINESS CONTINUITY. 2 |
  • 3.
    BUSINESS CONTINUITY MANAGEMENT SYSTEMISO 22301/22313 3 | A business continuity management system emphasises the importance of • Understanding the organisation’s needs and the necessity for establishing a business continuity management policy and objectives • Implementing and operating controls and measures for managing an organisation’s overall capability to manage disruptive incidents • Monitoring and reviewing the performance and effectiveness of BCMS, and • Continual improvement based on management of objectives
  • 4.
    ELEMENTS OF BUSINESSCONTINUITY MANAGEMENT 4 | Operational planning and control Business impact analysis and risk assessment Business Continuity Strategy/ Leadership Establish and implement BC procedures Exercising and Testing ISO22313
  • 5.
    Plan, Do, Check,Act Cycle The ISO 22301 and 22313 uses a ‘Plan, Do, Check, Act’ cycle in planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisations business continuity management system 5 |
  • 6.
    PLAN, DO, CHECK,ACT CYCLE 6 |
  • 7.
    Activity 1 7 | Inyour groups discuss what the legal and/or regulatory responsibilities for business continuity are for your organisation
  • 8.
    ACTIVITY 1- SUMMARY 8| • Civil Contingencies Act 2004 and Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 • ISO 22313:2020 and ISO 22301: 2019 • NHS England Emergency Preparedness, Resilience and Response Framework last revised 2022 • NHS England Business Continuity Framework last revised 2022 • Health and Safety at Work etc. Act 1974 • NHS Standard Contract
  • 9.
    ACTIVITY 1 –SUMMARY CONTINUED 9 | Apart from the legal side – common sense prevails for the: • Public we serve • The staff we employ • Our partners we work with • And those who commission our organisation
  • 10.
    INTERESTED PARTIES 10 | Adaptedfor the NHS from ISO22313
  • 11.
    ELEMENTS OF BUSINESSCONTINUITY MANAGEMENT 1 11 | Operational planning and control Business impact analysis and risk assessment Business Continuity Strategy Establish and implement BC procedures Exercising and Testing ISO22313
  • 12.
    BUSINESS IMPACT ANALYSIS 12 | •The BIA identifies business continuity requirements, providing information to determine the most appropriate business continuity solutions. • The BIA also identifies the urgency of each activity undertaken by the organisation by assessing the impact over time caused by any potential or actual disruption to this activity on the delivery of products and services.
  • 13.
    UNDERSTANDING THE ORGANISATION 13 | Understandingthe Organisation Purpose of Organisation Products & Services Products & Services Activity Dependencies and supporting activities Assets and resources Products & Services Activity Supporting activity Assets and resources Suppliers & Partner O rganisation s Interna l Contex t Externa l Context Patients & Clients Activity Activity Activity Activity Adapted for the NHS from ISO22313
  • 14.
    BUSINESS IMPACT ANALYSIS TEMPLATE 14| • Risk assessment and treatment • Prioritisation of activities including recovery time objectives (RTO) and maximum tolerable period of disruption (MTPoD) • Identify resources required for maintenance of priority services
  • 15.
    BUSINESS IMPACT ANALYSIS 15 | Activitiesthat cannot tolerate any disruption Activities which can tolerate very short periods of disruption Activities which could be scaled down if necessary for short periods of time Activities which could be suspended if necessary Source: ISO 22313
  • 16.
    ACTIVIT Y 2 16 | •In your groups: • Identify your organisation’s/department’s essential activity/service • Also identify your organisations legislative requirements. • What are the resources required to deliver these? • Are there any apparent risks to maintaining these prioritised activities? • How will you reorganise to maintain these prioritised activities in the event of a disruptive incident?
  • 17.
    ELEMENT OF BUSINESSCONTINUITY MANAGEMENT 2 17 | Operational planning and control Business impact analysis and risk assessment Business Continuity Strategy Establish and implement BC procedures Exercising and Testing ISO22313
  • 18.
    BUSINESS CONTINUITY STRATEGY OPTIONS 18| People Premises Technology Information Suppliers Stakeholders Adapted from PAS 2015
  • 19.
    ACTIVIT Y 3 19 | Inyour groups discuss: • Does your organisation have a business continuity strategy? • What do you think a business continuity strategy should contain and why? • Who is the organisation’s senior business continuity champion? • Does your organisation have an agreed essential/priority service list?
  • 20.
    ELEMENTS OF BUSINESS CONTINUITY MANAGEMENT3 20 | Operational planning and control Business impact analysis and risk assessment Business Continuity Strategy Establish and implement BC procedures Exercising and Testing
  • 21.
    ACTIVITY 4 CONTINUITY REQUIREMENTS 21| People Premises Technology Information Suppliers and Partners
  • 22.
    ACTIVITY 4 CONTINUITY REQUIREMENTS 22| People • What number of staff do you require to carry out critical activities? • What is the minimum staffing level you will need to deliver these? • What skills/level of expertise are required to undertake these activities? Premises • What locations do your prioritised activities operate from? • What alternative premises do you have? • What machinery, equipment and other facilities are essential? Technology • Is the service dependant on electrical medical equipment? • What IT is essential to carry out your prioritised activities? • What systems and means of communication are required to carry out your prioritised activities Information • What Information is essential to carry out your prioritised activities? • How is this information stored? Suppliers and Partners • Who are your priority suppliers? • Are key services contracted out? • Do both you and your suppliers/ partners have mutual aid arrangements in please?
  • 23.
    DEFINITIO NS 23 | Recovery TimeObjective (RTO) • A period of time following an incident within which a product or service must be resumed, or activity must be resumed, or resources must be recovered. Maximum Tolerable Period of Disruption (MTPoD) • The time it would take for adverse impacts, which might arise as a result of not providing a product/service of performing an activity, to become unacceptable. Source: ISO 22301
  • 24.
    MITIGATING IMPACTS THROUGHEFFECTIVE BUSINESS CONTINUITY: SUDDEN DISRUPTION 24 | ISO22313
  • 25.
    MITIGATING IMPACTS THROUGHEFFECTIVE BUSINESS CONTINUITY: GRADUAL DISRUPTION 25 | ISO22313
  • 26.
    INCIDENT TIMELINE 26 | • Whatmechanism could be used to ensure that during and following an incident the matter is escalated to the appropriate level in the organisation? • What are your organisational command and control arrangements?
  • 27.
    ACTIVIT Y 5 27 | •List as many examples as you can of measures which could be considered in the context of flooding due to failure of internal plumbing systems to: • Reduce the likelihood of a disruption • Shorten any period of disruption • Limit the impact of a disruption
  • 28.
  • 29.
    EXAMPLE – NHSSTAFF STRIKES 29 | • NHS staff strikes in 2013 and 2014, Junior Doctors in 2016 • Disputes over staff pay • The strikes were the first by NHS staff over pay in more than 30 years
  • 30.
    EXAMPLE – SEVEREWEATHER (STORMS) 30 | During the winter of 2021/22 the UK had experienced 5 storms. 1. Storm Malik – 28/01/22 2. Storm Corrie – 29/01/22 3. Storm Dudley – 14/02/22 4. Storm Eunice – 18/02/22 5. Storm Franklin – 21/02/22 The NHS experienced various business continuity issues throughout this period, some of which are mentioned below: • Travel disruptions • Structural damage impacted NHS Buildings across the country. • Outpatient appointments being rescheduled as a result of the severe weather. • Roads, bridges and railway lines closed, with delays and cancellations to transport.
  • 31.
    EXAMPLE – ROYALMARSDEN 2008 31 | • More than 100 firefighters in 25 fire engines were deployed on the blaze • Between 80-90 patients were helped onto the streets whilst the hospital was filled with thick smoke • The fire could be seen across the London skyline • Further information: • http://www.webarchive.org.uk/wayback/ar chive/20 130304124419/ http://www.london.nhs.uk/webfiles /Corporate/NHSL_FIRE_LR_2.pdf
  • 32.
    EXAMPLE – WANNACRY– CYBER ATTACK 32 | • On Friday 12th May 2017, the NHS, was affected by the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. • Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres. • Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones. • The WannaCry ransomware exposed a specific Microsoft Windows vulnerability, not an attack on unsupported software. • Most of the NHS devices infected with the ransomware, were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system, hence the extremities of the cyber-attack. • The ransomware also spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but fortunately, there were no instances of the ransomware spreading via NHSmail (the NHS email system). • NHS England reported at least 80 out of the 236 trusts were affected in addition to 603 primary care and other NHS organisations, including 595 GP practices.
  • 33.
    EXAMPLE – BTFLOOD AND FIRE MARCH 2010 33 | • ‘...tens of thousands of customers in parts of North and West London may be experiencing a loss of broadband and/or telephone service [...] as this is a complex incident we cannot accurately predict when all services will be restored. We will issue further updates as the situation changes. • Any customers needing to make calls to the emergency services who have a problem using their phones are advised to do so by using their mobile phone, or alternatively by using a friend or neighbour's working phone
  • 34.
    EXAMPLE – CORONAVIRUS (COVID19) 34 | What is Coronavirus? • Coronavirus, also called COVID-19, is part of a family of viruses that includes the common cold and more serious respiratory illnesses such as SARS. • It affects your lungs and airways. For many people, it causes mild symptoms, while for others it can be much more serious and require hospital treatment. • Coronavirus is very infectious, which means it spreads very easily. It spreads in much the same way as the common cold or flu – through infected respiratory droplets like coughs and sneezes – and passes from person to person. • On Wednesday 29 2020 the UK’s first two patients • The average ‘incubation period’ – the time between coming into contact with the virus and experiencing symptoms – is 5 days, but it could be anything between 1 and 14 days. • As of 21/04/22 there have been over 22 million cases of COVID in the UK and over 173,000 deaths. • As of 15/04/22 there have been a total of 831,579 patients who have been admitted to hospital with COVID-19. NHS Impacts • Additional pressures in conjunction with winter pressures on emergency departments • Staff shortages due to sickness • Impact on the availability of PPE • Supply Chain disruption • Shortage of equipment • Mental and physical trauma
  • 35.
    EXAMPLE – CHASEFARM HOSPITAL 2010 35 | • Loss of water supply due to burst water main in Enfield. • Bowsers (water tanks) are still on site to ensure the main patient areas continue to receive water [...] Bottled water is available for staff and patients. • The A&E department is open to all walk-in patients however all other emergencies are being transferred to Barnet Hospital. Once the water has resumed A&E services will return to normal.
  • 36.
    EXAMPLE – GRENFELL TOWER 36| • 14th June 2017 is when a high rise fire broke out in the 24-storey Grenfell Tower block of flats in North Kensington, West London, at 00:54 BST due to an electrical fault in a refrigerator. • 74 people died, 70+ People Injured and 223 escaped. • Escalated to the external cladding of the building. • Mutual aid was in place over a period of time. • There was a multi-agency response. NHS Impacts • More than 100 London Ambulance Service Crews were on site. • At least 20 Ambulances present. • London hazardous area response team took part in the response. • Casualties were taken to 5 different hospitals. • Mental and physical trauma for responding NHS colleagues. • Additional pressures on surrounding NHS trusts e.g. Kings College Hospital, Chelsea and Westminster, Royal Free, Guys and St Thomas’, St Marys and Charing Cross in conjunction with undertaking BAU activities. • Building inspections around cladding for NHS buildings across the country..
  • 37.
    ACTIVITY 6: BUSINESS CONTINUITYSTRATEGY OPTIONS DISCUSSION 37 | • What strategies might be needed for maintaining core skills and knowledge? • What elements should your premises strategy consider to reduce the impact of the unavailability of one or more worksites? • What technology strategies for business continuity could your organisation adopt in the event of a disruption to the main area of your building following a fire, with an recovery time objective of three months?
  • 38.
    BUSINESS CONTINUITY RESPONSE PLANS 38| • Organisations may have numerous plans. • These may include: • Strategic organisational incident response plan • Department/service response plans • Building or site response plans • Technical response plans for IT or clinical systems
  • 39.
    BUSINESS CONTINUITY RESPONSEPLAN CONTENT 39 | • Document control • Purpose and scope • Document owner and reviewer • Roles and responsibilities • Plan activation • Contact details • Incident management structure and plan • Action cards • Appendences • Training and Exercising
  • 40.
    BUSINESS CONTINUITY RESPONSEPLAN CONTENT 40 | The plan should: • set out the prioritised activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed • detail the resources available at different points in time to deliver the prioritised activities • outline the process for mobilising the necessary resources • include actions and tasks needed to ensure the continuity and recovery of prioritised activities • be stored in a place that’s easily accessible e.g. storing on a shared drive or hard copies
  • 41.
    ELEMENTS OF BUSINESSCONTINUITY MANAGEMENT 41 | Operational planning and control Business impact analysis and risk assessment Business Continuity Strategy Establish and implement BC procedures Exercising and Testing
  • 42.
    EXERCISING AND TESTING 42 | •Exercises provide an opportunity to test plans in order to assess how our plans would stand up in a disruption • Ensures that plans are fit for purpose • Identify gaps and learning actions • Continuous updating of core information i.e. contact lists
  • 43.
TYPES OF BUSINESS CONTINUITY EXERCISES
• It is important for those who are responsible for business continuity to determine which type of business continuity exercise is appropriate based on the desired outcomes, because exercises vary in the level of effort and the resources required.
• There are five main types of exercise:
• Discussion based exercise - These exercises are considered to be the most cost effective and the least time consuming of the exercise types. They are commonly structured events where participants can explore relevant issues and walk through plans in an unpressurised environment. This type of exercise can focus on a specific area for improvement that has been identified, with the aim of finding a possible solution.
• Table top exercise - These are commonly used where the discussion is based on a relevant scenario with a timeline, which may run in ‘real time’ or may include ‘time jumps’ to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds.
• Command post exercise - These typically involve management teams at a strategic, tactical or operational level. Participants can be located across the whole organization (and could potentially involve willing interested parties), all working from their usual day to day locations. In these exercises, participants are given information in a way that simulates a real incident. Participants can be invited to respond as they would for real; they are expected to deal with the situations that they encounter, linking in to others as necessary.
• Live exercise - These exercises can range from a small scale rehearsal of one component of the
WHY UNDERTAKE A BUSINESS CONTINUITY EXERCISE?
Exercises are undertaken with three main purposes:
• Validation - to validate and identify improvement opportunities in existing arrangements.
• Training - to develop staff competencies and confidence by giving them practice in carrying out their roles in an incident.
• Testing - to test existing procedures, plans and systems to ensure they function correctly and offer the degree of protection expected.
BUSINESS CONTINUITY OFF THE SHELF EXERCISE
• The UK Health Security Agency has developed a business continuity off the shelf exercise.
• The off the shelf exercise uses three short scenarios to facilitate the review of local business continuity preparedness plans and to enhance organisational resilience in case of disruption to the organisation’s core functions.
• To request an off the shelf exercise, email exercises@ukhsa.gov.uk
EMBEDDING YOUR BUSINESS CONTINUITY PLAN
To embed business continuity within your organisation you must ensure that business continuity plans are:
• Communicated to staff, and that staff have the appropriate experience and skills to deliver their roles.
• Bought into and owned by the senior management team.
• Continually exercised.
• Version controlled, so the correct plan is being followed.
REVIEWING BUSINESS CONTINUITY
Plans should be reviewed and updated when:
• Changes to key staff or partners take place.
• The organisation is restructured.
• Prioritised activity is delivered differently.
• The external environment changes, e.g. a statutory change or an NHS England requirement.
• Following lessons identified from an incident or exercise.
• As a result of a debrief.
• At agreed periodic intervals.
MAINTAINING BUSINESS CONTINUITY
• A clearly defined and documented maintenance programme for business continuity management should be established.
• This programme should:
  • ensure that there is an on-going programme for business continuity training and awareness
  • ensure that any changes that impact on business continuity are reviewed
  • identify any new products and services, and their dependent activities, that need to be included in the business continuity management system
  • ensure that the business continuity plans remain effective, fit for purpose and up to date
  • enable existing exercise schedules to be modified when there has been a significant change in any of the business continuity processes
RECORD KEEPING
• When responding you need to keep records, but why is record keeping so important?

RECORD KEEPING
Why is record keeping so important?
• Details of casualties or near misses that occur
• Legal follow up
• Documents decisions made
• Documents decisions not made, and why
• Undertake record keeping training
Business Continuity Planning (BCP) - Best Practices and Challenges
June 24, 2020
About the Speaker - Dhiraj Lal
• Over 32 years in the industry.
• Ex BCM sponsor and head at American Express.
• Mix of experience as practitioner, trainer, and consultant.
• BCI approved instructor.
• Over 15 years in BCM and related domains.
• Contributing author to: The Encyclopaedia of Business Continuity, 3rd edition.
• Author of: Step by Step Guide AE/SCNS/NCEMA 7000:2015. Implement BCM the UAE way!
Dhiraj Lal, Executive Director, Continuity & Resilience (CORE); MBCI, CBCP, CBCI, ISO 22301 Technical Expert, CISA, ITIL, ISO 31000, ISO 27001 Lead Auditor.
A Chemical Engineer from IIT Delhi with an MBA from IIM Calcutta, Dhiraj Lal has over 20 years of BCM experience and 32 years overall. He has worked with Citibank, Standard Chartered, Agilent and American Express, where he was the Program Sponsor and BCM Head. He is Asia’s first BSI appointed Technical Expert for BS 25999 / ISO 22301, and assessed 2 of the top 10 certified organizations globally. He teaches and consults in BCM (NCEMA 7000 / ISO 22301) and related domains. He has been invited to present at the BCI Annual conference in the UK, DRI US, BCMI Singapore, itSMF UK, DRI Asia in Malaysia, ISACA UAE, KSA and India, and also various Middle East Crisis, BCM and IT Resilience Summits in Abu Dhabi, Dubai, KSA and India.
ABOUT CONTINUITY & RESILIENCE
ISO 22301 certified management consulting firm
• Business continuity management
• Crisis management
• IT disaster recovery
• Information security
• Cyber security
• Risk management
We consult / train / assess and certify in these domains.
We provide advisory services:
• Automation tools - BCM / ITDR / mass communication
• Workplace recovery
• E-learning
AGENDA
• Business continuity planning
• Business continuity implementation roadmap
• BCP in times of COVID-19
• Challenges and best practices
Business Continuity Planning
• “Planning to continue the Business”
• Not a new concept. A fancy name for common sense. In reality, we have been performing Business Continuity Planning for centuries.
• But still, many organizations struggled to restart operations during COVID-19.
• So we need more than just common sense. We need a structured and formal implementation of common sense.
What we do not fully do in BAU common sense
1. Agree timelines, worst case and best case (MTPD and RTO)
2. Base it fully on facts and data (consequences of downtime)
3. Consultative process involving all interested parties
4. Comprehensive, documented and signed off
5. Communicate to all who need to know, including relevant third parties and service providers
6. Practice, test & exercise. Review. Maintain & continually improve.
Amazingly, this works…!!
Challenges for cyber professionals
• An uneven battle against an unknown enemy who has nothing better to do.
• You have other matters to focus on, but they have a single point agenda - to damage.
• You constantly focus on getting better and better - but so do they.
• By the sheer law of averages, once in a while they will succeed.
• At those times, your best bet is to be able to restart fast and with minimum loss. So you need the world’s best Business Continuity readiness.
• Have you formally put in place the 6 Rs (Reduce, Respond, Recover, Resume, Restore, Return)?
• When did you last practice them?

Challenges for cyber professionals
Economic Times, June 24 2020
SOME REASONS FOR OUTAGES (GLOBAL DATA)
Cause | Share
Flood/Water | 8.5%
Power surge | 8.2%
Hurricane | 7.2%
Fire | 6.6%
Hardware error | 5.6%
Earthquake | 4.3%
Network Outage | 3.6%
Human Error | 3.5%
Bombing | 2.5%
Others | 7.4%
Power Outage | 31.1%
Storm Damage | 11.5%
“Others” includes: Software Error 1.2%, Employee sabotage 1.2%, Burst water pipe 1.2%, Miscellaneous 3.8%.
Source: Contingency Planning Research Inc.
BUSINESS CONTINUITY IS A WISE INVESTMENT
• Minimize business disruptions and quickly recover
• Retain business model and increase market share and profits
• Protect the organization’s value and reputation
• Corporate governance and shareholder commitment
• National requirements
• Contractual commitments, legal and regulatory compliance
• Moral and social responsibilities
• Demonstrate “best practice”
• Reduce insurance liabilities
Lack of BCP is a self goal.
TYPICAL STEPS
Business Continuity Implementation Roadmap
INTERNATIONAL BCM STANDARD - ISO 22301
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Context of the organisation
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Please implement a BCMS - not just BCM
• “Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity” - ISO 22301
• Ensure continual improvement via the PDCA cycle
BCP in times of COVID-19
COVID-19 is different from a typical Business Continuity situation:
• Much longer duration
• No clarity on final resolution
• Triggered not by damage to resources
• Entire ecosystem is impacted
Some positives:
• Realization by all
• Even the PM asked entities to implement Business Continuity
• Tolerance - “It’s OK”
• Permanent mindset changes
Suggestions for professionals
• Don’t stop now - complete the journey
• Protect yourself against other new threats - implement the full BCM cycle
• Use this opportunity to create permanent BCM readiness and awareness across all segments
• Get your people ISO 22301 trained and your organization ISO 22301 compliant - or even ISO 22301 certified
IMPLEMENT THE FULL BCM LIFECYCLE
Best practices:
• Commitment of top management
• Competency of all resources
• Right communication and tools
• Clearly defined roles, responsibilities, and authorities
• Continued management focus on the BCM program
• Choose the right people
• Provide effective training in advance of the implementation
Build culture across all interested parties
External interested parties: customers, citizens, distributors, shareholders, investors, owners, insurers, government, regulators, recovery services, suppliers, competitors, media, commentators, trade groups, neighbours, pressure groups, emergency services, transport services, other response agencies, dependents of staff.
The organization:
• Top management - those who establish policies and objectives for the BCMS
• Those who set up and manage BC
• Those who maintain BC procedures
• Owners of business continuity procedures
• Incident response personnel
• Those with authority to invoke
• Appropriate spokespeople
• Response teams
• Other staff
• Contractors
Build culture via training and awareness
Group / Audience | Training
Top Management | Awareness, Crisis Management, Crisis Communication
Core BCM Team | CBCI / Lead Implementer, Lead Auditor
Core BCM Team | Specialised courses (BIA, RA, plan writing, testing etc.)
Department Coordinator / BC Champions | Implementer, Internal Auditor
Audit Team | Internal Auditor, Lead Auditor
All Employees | Awareness
Build culture via tests and exercises
[Chart, not to scale: exercise types from Review/Walkthrough, Table Top, Call Tree, Simulation and IT/Work Area Recovery through to Integrated, rated on a 0 to 7 scale for Cost, Complexity, Risk (of disturbance due to the test), Assurance and Frequency.]
ENSURE REVIEW, MAINTENANCE AND IMPROVEMENT
• Maintenance
• Advanced testing and exercising
• Ongoing awareness and training
• Internal audit and self assessment
• Management review
• Supplier review
• Corrections and corrective actions
• Benchmarking
• Continual improvement
• Instilling a BCM mindset
Way Forward => Organizational Resilience
The ability of an organisation to absorb and adapt in a changing environment (BCI GPG 2018 / ISO 22316:2017).
LET’S KEEP IN TOUCH!!
Dhiraj Lal, Executive Director
+91 99101 10240
dhiraj.l@continuityandresilience.com
Thank You!
PHASES OF BUSINESS CONTINUITY PLANNING
BUSINESS IMPACT ANALYSIS (BIA)

PHASES OF BUSINESS CONTINUITY PLANNING
• BC planning typically includes five phases:
1. BCP governance
2. Business impact analysis (BIA)
3. Documents, controls, measures, and arrangements for BC
4. Readiness activities
5. Assessment process
1- BCP GOVERNANCE TO ESTABLISH CONTROL
• The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan(s) / documents.
• Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
• The number and scope of the teams will vary depending on the organization’s size, function and structure.
• It may be necessary to have multitask teams and to provide cross-team training.
• The teams’ data shall be documented in the plans / documents.
• Consider decentralization as a way to provide better resiliency.
• Examples: alternate site coordination team, contracting and procurement team, damage assessment team, crisis management team, finance and accounting team, hazardous materials team, insurance team, legal issues team, telecommunications / alternate communications team, equipment team, public and media relations team, transport coordination team, records management team.
• The duties and responsibilities for each team must be defined, and include identifying:
1. The team leader
2. The team members
3. The specific team tasks
4. Members’ authority and responsibilities
5. Possible alternate members
6. Creation of a contact list
2- BUSINESS IMPACT ANALYSIS (BIA)
• Process of analyzing the activities and the effect that a business disruption might have upon them (source: ISO 22301:2019).
• BIA is all about data analysis to identify:
1) The organization’s mandate and critical services or products
2) The priority of services or products for continuous delivery or rapid recovery
3) The possible internal and external threats, and
4) The impact of the threats.

• Information on the organization’s mandate and critical services or products can be obtained from:
  • the mission statement of the organization
  • legal requirements for delivering specific services and products
  • contracts and other obligations
• Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery.
• Identify impacts of disruptions to determine:
  • how long the organization could function without the service / product provision, and
  • how long clients would accept its services or products being unavailable.
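As an added worked example (my own code, not the course material), here is the prioritisation this slide describes: each service carries the two tolerances the slide asks you to establish, the tighter of the two is taken as its maximum tolerable period of disruption (MTPD), services are ranked by that, and each service’s recovery time objective (RTO) is then checked against it. The rule that an RTO must sit inside the MTPD is standard BCM practice rather than something the slide states; the services, hours and tier thresholds are constructed for illustration.

```python
"""BIA worked example: prioritise services by maximum tolerable period of
disruption (MTPD) and check recovery targets against it.
Constructed sample data; not the course's own figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    org_tolerance_h: float       # how long the organisation could function without it
    client_tolerance_h: float    # how long clients would accept it being unavailable
    min_acceptable_level: float  # minimum acceptable delivery level, fraction of normal
    rto_h: float                 # recovery time objective the service owner committed to


# Assumed recovery tier thresholds in hours; an organisation sets its own.
TIER_LIMITS_H = [(4, "Tier 1"), (24, "Tier 2"), (72, "Tier 3")]


def mtpd_hours(service: Service) -> float:
    """MTPD is the tighter of the two tolerances the slide asks for: how long the
    organisation can function, and how long clients will accept unavailability."""
    return min(service.org_tolerance_h, service.client_tolerance_h)


def recovery_tier(service: Service) -> str:
    """Bucket a service into a recovery tier by its MTPD (assumed thresholds)."""
    mtpd = mtpd_hours(service)
    for limit, tier in TIER_LIMITS_H:
        if mtpd <= limit:
            return tier
    return "Tier 4"


def prioritise(services: list[Service]) -> list[Service]:
    """Order for continuous delivery / rapid recovery: shortest MTPD first, then
    the service that must come back closest to its full delivery level."""
    return sorted(services, key=lambda s: (mtpd_hours(s), -s.min_acceptable_level, s.name))


def rto_violations(services: list[Service]) -> list[str]:
    """Names of services whose RTO is not shorter than their MTPD. Standard BCM
    consistency rule (not stated on the slide): a recovery target that only lands at
    the point where disruption becomes intolerable leaves no margin at all."""
    return [s.name for s in services if s.rto_h >= mtpd_hours(s)]


def bia_summary(services: list[Service]) -> list[dict]:
    """One row per service in priority order, the shape a BIA worksheet carries."""
    return [
        {
            "rank": i,
            "service": s.name,
            "mtpd_h": mtpd_hours(s),
            "tier": recovery_tier(s),
            "rto_h": s.rto_h,
            "rto_within_mtpd": s.rto_h < mtpd_hours(s),
        }
        for i, s in enumerate(prioritise(services), start=1)
    ]


# Constructed sample input: hypothetical services and hours.
SAMPLE_SERVICES = [
    Service("Payroll", 120, 168, 1.0, 48),
    Service("Customer portal", 72, 8, 0.5, 12),
    Service("Emergency helpline", 4, 2, 1.0, 1),
    Service("Supplier invoicing", 240, 240, 0.3, 72),
]

if __name__ == "__main__":
    for row in bia_summary(SAMPLE_SERVICES):
        print(row)
    print("RTO not within MTPD:", rto_violations(SAMPLE_SERVICES))
```

With the sample data the customer portal comes second in priority (clients tolerate only 8 hours even though the organisation itself could cope for 72) and is flagged because its committed 12-hour RTO exceeds that 8-hour MTPD; that is exactly the mismatch the two questions on the slide are meant to surface.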
BIA RELATED ACTIVITIES
1) Supply chain analysis
2) Assessment of the most critical business components
3) IT continuity analysis
4) Identify areas of potential revenue loss
5) Identify any additional expenses
6) Identify intangible losses
7) Identify insurance requirements
8) Identify dependencies
9) Analyze current recovery capabilities
1- SUPPLY CHAIN ANALYSIS
• Conduct a supply chain impact analysis.
• The evaluation metrics may include the following:
1) Revenue impact
2) Reputation impact
3) Operational impact
4) Production impact
5) Delivery impact
6) Research and development impact
7) Delay impact
8) Staffing impact
• Find out if the members of the supply chain have BC/DR plans, and whether you can review them / share yours with them.
• Identify and evaluate each link in terms of business impact to find the high-impact link(s).
2- ASSESSMENT OF THE MOST CRITICAL BUSINESS COMPONENTS
• To create a complete business continuity plan, you need to assess the impact of interruption on four components:
1) People (key persons, key competencies)
2) Physical property (equipment, storage, alternate facilities, …)
3) Systems (hardware, software, email, phone systems, communication stations, …)
4) Data (critical to run your business)
• Both data and systems are IT systems (IT continuity).
3- CONDUCT IT CONTINUITY ANALYSIS
• Decide which of the organization’s IT functions / assets are essential for business continuity.
• Decide how to manage the technology systems in the event of a major disruption.
• Check the existence and suitability of IS policies / procedures / IT continuity plans.
• Review computer data backups, cabling, IT service providers’ capabilities, …
4- IDENTIFY AREAS OF POTENTIAL REVENUE LOSS
• Determine which processes and functions that support service or product delivery are involved in the creation of revenue.
• If these processes and functions are not performed, is revenue lost? How much? And for what length of time?
• If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
5- IDENTIFY ADDITIONAL EXPENSES
• If a business function or process is inoperable:
1) How long would it take before additional expenses would start to add up?
2) How long could the function be unavailable before extra personnel would have to be hired?
3) Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so,
4) What are the penalties?
6- IDENTIFY INTANGIBLE LOSSES
• Estimates are required to determine the approximate cost of:
  • the loss of consumer / investor confidence
  • damage to reputation
  • loss of competitiveness
  • reduced market share
  • violation of laws and regulations
  • business relationships with vendors
  • increased insurance cost
  • loss of employees
  • loss of financial support and cash flow
  • loss of community support
  • cost of equipment and facilities used during recovery
  • replacement, restoration and recovery costs not adjusted for inflation
  • increased cost when operations resume
7- IDENTIFY INSURANCE REQUIREMENTS
• What needs insurance
• The existing insurance
• The level of coverage
• What aspects may be over or under insured
• Is there a policy / document in place related to the insurance?
8- IDENTIFY DEPENDENCIES
• Identify the internal and external dependencies of critical services or products.
• Identify the expected impacts from a disruption to those dependencies.
• Internal dependencies include:
1. Employees (availability, competencies)
2. Corporate assets such as equipment, facilities, computer applications, data, tools, vehicles
3. Support services such as finance, human resources, security, and IT support
• External dependencies include:
1. Suppliers
2. Any external corporate assets such as equipment, facilities, computer applications, data, tools, and vehicles
3. Any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, health and safety services
9- ANALYZE CURRENT RECOVERY CAPABILITIES
• Analyze the recovery capabilities the organization already has in place, and their continued applicability.
• Try to answer the following questions:
1) Can employees work from home or another location?
2) Do I need a pre-determined alternate facility?
3) Do I have enough spare parts / IT equipment?
4) Do critical vendors and suppliers have their
3. DOCUMENTS, CONTROLS, MEASURES, AND ARRANGEMENTS FOR BC
• This step consists of the preparation of the management system documentation, including:
1) Detailed response plans / recovery plans
2) Policies / objectives
3) Arrangements
• Consider the critical vendors’ and suppliers’ business continuity plans.
• Focus on three categories of protection / safety to help survive a disaster:
1. Human resources
2. Physical resources
3. Business operations
1- HUMAN RESOURCES
• Consider the possible impact a disaster may have on your employees’ ability to return to work.
• Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work).
• Consider how your customers can reach you or receive your goods / services.
• Create evacuation plans.
• Develop and post evacuation routes / assembly locations; create a phone tree; consider having an employee emergency number.
2- PHYSICAL RESOURCES
• Building (maintenance, fire system, …)
• Interior and exterior components (equipment, hardware / software)
• Materials / spare parts
• Alternate facilities (three types):
  1- Cold site (the least expensive option)
  2- Warm site (more expensive than cold sites)
  3- Hot site (the most expensive option)
3- BUSINESS OPERATIONS / PROCESSES
1) Critical inputs - things needed to do your job
2) Critical outputs - things you produce that others want or need to do their job
3) Outsourced processes
EXAMPLES OF RESILIENCY PLANS / DOCUMENTS AND ARRANGEMENTS:
1) An alternate telecommunication provider
2) Emergency backup generator in case of a power outage
3) Agreements with a fuel provider
4) Alternate work site and equipment
5) Annual meeting with critical vendors to discuss their recovery operations and locations
6) Develop relationships with contractors / vendors
7) Create manual processes to be used in case the computers are unavailable
8) Mitigating the different threats
THE RESPONSE PREPARATION PROCEDURES answer:
1) “What to do before a disruption occurs?” (proactive activities)
2) “What to do when a disruption occurs?” (response, recovery, continuity)
3) “What to do after a disruption occurs?” (lessons learned / change management)
4- READINESS ACTIVITIES
• Awareness
• Individual and team task training
• Procedures exercises and testing
• Post-exercise evaluation
GOALS OF PROCEDURES EXERCISES AND TESTING
1. Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
2. Ensure the understanding and workability of documented recovery procedures.
3. Adapt and update existing plans to encompass new requirements.
4. Train team leaders and members in the procedures for executing the continuity plan.
5. Obtain information about recovery strategy implementation.
6. Verify that recovery strategies are viable.
5- ASSESSMENT
• How to assess the plan’s accuracy and effectiveness
• How to conduct the internal or external audit (BC readiness audit)
• Identify needed improvement
HOW TO PERFORM A BC READINESS AUDIT
• Check for the existence of the following documents / information:
  • Emergency procedures
  • Evacuation plan
  • Fire protection plan
  • Environmental policies
  • Safety and health program
  • Security procedures
  • Finance / purchasing procedures
  • Facility closing policy
  • Process safety assessment
  • Mutual aid agreements
  • Hot / cold site agreements
  • Capital improvement program
  • Hazardous materials / waste disposal
  • Alternative or manual procedures
  • Disaster recovery plans for information resources
• Based on the review, ask the following questions:
  • How would your organization resume operations after loss of access to your facility, loss of access to your information resources (IR), or loss of key personnel?
  • Have any audit findings been reported from internal or external auditors?
  • Would most individuals know how to report or respond to an event?
  • If policies relative to recovery efforts are in place, who knows about them?
  • Do people know if they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities?
  • Has testing been done to see how people would react during a recovery effort in the following areas: senior management; management information systems / security / information technology; risk management; internal departments; auditing; vendors?
• Check to see if:
  • Computer backups (PC, LAN, mainframe) are being taken off-site according to policy
  • Alternate work locations are available
  • Items required to be off-site are really there
  • Security measures are being followed
  • Emergency equipment (generally UPS, batteries, etc.) is working correctly
  • Emergency lighting is in good working order and in the correct places
8.2.3 RISK ASSESSMENT
• The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
• NOTE: This process could be carried out in accordance with ISO 31000.
• The organization shall:
a) identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,
b) systematically analyse risk,
c) evaluate which disruption related risks require treatment, and
d) identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite.
Risk Criteria
• Reference against which the significance of a risk is evaluated to determine the level of risk.
• Risk criteria can be derived from:
1) standards
2) laws
3) policies
4) any other requirements (interested parties)
• Risk criteria are based on organizational objectives and context.
• Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
• The risk criteria include:
1) risk evaluation criteria
2) risk impact criteria
3) risk acceptance criteria
Likelihood x Consequences risk matrix
Likelihood \ Consequences | Slightly | Moderate | High
Low | Unimportant risk | Acceptable risk | Uncontrolled risk
Medium | Acceptable risk | Uncontrolled risk | Important risk
High | Uncontrolled risk | Important risk | Unacceptable risk

RISK MATRIX CONTROL PLAN
Risk level - Action and timescale
Unimportant: No action is required and no documented records need to be kept.
Acceptable risk: No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
Uncontrolled risk: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
Important risk: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
Unacceptable risk: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.

Probability x Consequence scoring matrix (cell = probability x consequence)
Probability \ Consequence | 1 | 2 | 3 | 4 | 5
5 | 5 | 10 | 15 | 20 | 25
4 | 4 | 8 | 12 | 16 | 20
3 | 3 | 6 | 9 | 12 | 15
2 | 2 | 4 | 6 | 8 | 10
1 | 1 | 2 | 3 | 4 | 5
Legend:
≥ 20: E - Extreme risk - immediate action required
> 10 and < 20: H - High risk - urgent management attention needed
> 5 and ≤ 10: M - Medium risk - management attention as soon as possible
< 5: L - Low risk - periodical evaluation
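The 5 x 5 scoring above, carried through in code as an added example (my own, not from the slides): it computes each cell as probability x consequence, maps the score to the legend’s E/H/M/L bands exactly as the slide words them, and then audits the legend for coverage. Run as written, the audit reports that a score of 5 (the cells 1 x 5 and 5 x 1) matches none of the bands, because the Medium band starts above 5 and the Low band stops below it; that is the kind of gap the risk acceptance criteria need to close before the matrix is used, since a risk with no band gets no defined action. Function and variable names are my own.

```python
"""Numeric risk matrix (probability 1-5 x consequence 1-5) with the legend bands
from the slide, plus a check that the bands cover every cell exactly once."""
from typing import Callable, Optional

# Legend bands exactly as written on the slide: (code, description, predicate on score).
LEGEND: list[tuple[str, str, Callable[[int], bool]]] = [
    ("E", "Extreme risk - immediate action required", lambda s: s >= 20),
    ("H", "High risk - urgent management attention needed", lambda s: 10 < s < 20),
    ("M", "Medium risk - management attention as soon as possible", lambda s: 5 < s <= 10),
    ("L", "Low risk - periodical evaluation", lambda s: s < 5),
]

SCALE = range(1, 6)  # both axes run 1..5


def risk_score(probability: int, consequence: int) -> int:
    """Cell value of the matrix: probability multiplied by consequence."""
    if probability not in SCALE or consequence not in SCALE:
        raise ValueError("probability and consequence must be integers 1..5")
    return probability * consequence


def bands_for(score: int) -> list[str]:
    """Every legend code whose predicate accepts the score (should be exactly one)."""
    return [code for code, _, pred in LEGEND if pred(score)]


def classify(probability: int, consequence: int) -> Optional[str]:
    """Legend code for a cell, or None when the legend as written does not place
    the cell in exactly one band."""
    matched = bands_for(risk_score(probability, consequence))
    return matched[0] if len(matched) == 1 else None


def audit_legend() -> dict[str, list[tuple[int, int]]]:
    """Walk the whole matrix and report cells in no band or in several bands.
    Acceptance criteria must partition the matrix, otherwise some risks get no
    defined action and some get two contradictory ones."""
    uncovered: list[tuple[int, int]] = []
    overlapping: list[tuple[int, int]] = []
    for p in SCALE:
        for c in SCALE:
            n = len(bands_for(risk_score(p, c)))
            if n == 0:
                uncovered.append((p, c))
            elif n > 1:
                overlapping.append((p, c))
    return {"uncovered": uncovered, "overlapping": overlapping}


def render_matrix() -> str:
    """Text rendering with the band code after each score ('?' where the legend
    is silent), highest probability row first as on the slide."""
    lines = ["P\\C  " + "  ".join(f"{c:>3}" for c in SCALE)]
    for p in reversed(SCALE):
        cells = [f"{risk_score(p, c):>2}{classify(p, c) or '?'}" for c in SCALE]
        lines.append(f"{p:>3}  " + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    print(audit_legend())
```

The same audit generalises to any scoring scheme: swap in the organisation’s own bands in LEGEND and the check will tell you whether every cell of the matrix has exactly one defined action.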
Impact / Consequences ranking
Rank | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
5 Very High | >1M | Negative impact on strategic directions execution | Contract termination | Closure | Fatality / catastrophe / fatal occupational illness | Permanent damage | Permanent loss of the service
4 High | 250K to 1M | Negative impact on execution of 2 objectives | Major product / service recall | Non-renewal of one of the legal documents | Partial / complete incapacity | Long time damage | Long time non-availability of the service
3 Moderate | 50K to 250K | Negative impact on execution of 1 objective | Minor product / service recall | Formal violations | Lost working days / work related illness | Limited damage / kills fauna, flora, concerns global issues | Temporary non-availability of the service
2 Slight | | negative | Complaint | Notice | Medical treatment case / restricted | Aspect causes slight impact on fauna or | Slight impact on the service
Impact | Reputation | Financial (Corporate) | Financial (Site) | Legal | Customer
Very High | Regional media coverage over multiple days, or global media coverage | More than $100M | More than $10M | Closure notice | Ending the contract
High | National media coverage over multiple days, or single regional media coverage | $10 - $100M | $1 - $10M | No renewal of operating permit | Major product recall
Moderate | Local media coverage over multiple days, or single national media coverage | $1 - $10M | $100K - $1M | Violation notice payment | Partial product recall
Low | Single local media coverage | $100K - $1M | $10K - $100K | Violation notice explanation | Product price concession
Verbal