The document outlines a business continuity planning seminar presented by Charles C. McKinney. It discusses initiating business continuity governance, performing risk assessments, conducting business impact analyses, and developing a business continuity strategy. The seminar covers establishing governance structures, defining standards and policies, assessing risks, determining critical business functions and resource requirements, and creating a strategy around mitigation and alternate site planning.
This document provides an overview of business continuity management systems (BCMS). It discusses the benefits of BCMS, including reducing costs and protecting reputation. It also outlines the key components of establishing a BCMS, such as business impact analysis, risk assessment, developing continuity strategies, and performance evaluation. Finally, the document presents two case studies that illustrate how organizations implemented effective BCMS to respond to a terrorist attack and earthquake.
Business Continuity Management PowerPoint Presentation Slides - SlideTeam
Presenting this set of slides with name - Business Continuity Management PowerPoint Presentation Slides. This complete deck is oriented to make sure you do not lag in your presentations. Our creatively crafted slides come with apt research and planning. This exclusive deck with fifty-two slides is here to help you to strategize, plan, analyze, or segment the topic with clear understanding and apprehension. Utilize ready to use presentation slides on Business Continuity Management PowerPoint Presentation Slides with all sorts of editable templates, charts and graphs, overviews, analysis templates. It is usable for marking important decisions and covering critical issues. Display and present all possible kinds of underlying nuances, progress factors for an all inclusive presentation for the teams. This presentation deck can be used by all professionals, managers, individuals, internal external teams involved in any company organization.
A small section of the course ECP-901, Business Continuity & Resiliency Management, by the Institute for Business Continuity Training, https://www.ibct.com
The document discusses business continuity management and planning. It provides an overview of BCM and related concepts like business continuity planning and disaster recovery planning. It highlights the importance of having a comprehensive BCM framework that is tested. It also discusses risk management, planning considerations, the BCM planning and recovery process, and provides an assessment questionnaire to evaluate a BCM program.
This handout was provided at the OCNC Business Emergency Preparedness Series workshop hosted by the Orange County Emergency Services and The Chamber on April 11, 2019.
IT-Centric Disaster Recovery & Business Continuity - Steve Susina
IT-centric business continuity planning aims to align IT recovery with business needs. It recognizes that while disaster recovery focuses on restoring IT systems, business continuity prioritizes maintaining business processes. The approach involves business leaders and IT leaders collaboratively assessing risks, mapping processes, developing strategies to restore critical systems based on business priorities, and creating plans to guide response and recovery. Regular testing and updates are needed to ensure plans remain effective over time.
The document outlines the basics of developing a business continuity plan, including defining business continuity planning, its twofold purpose of improving operations and limiting downtime, and providing a framework for creating an effective plan. It recommends assessing risks and critical business functions, preparing emergency management and communication plans, backing up data, reviewing insurance, and ongoing training to ensure the plan remains updated. Resources for developing a business continuity plan are also listed.
Business continuity and disaster recovery are not the same but complement each other. Planning for BCP and DRP is necessary for all businesses. This slide contains information on how to achieve and maintain them.
Business Continuity And Disaster Recovery Notes - Alan McSweeney
The document outlines options for implementing business continuity and disaster recovery plans. It discusses assessing requirements, reviewing statistics on data loss, outlining solution components like virtualization and offsite backups, and taking a structured approach to analysis, design, and implementation. The overall goal is to design a practical, cost-effective plan to protect the business from data loss and ensure continuity of operations.
The document provides an overview of key concepts in business continuity and disaster recovery planning including defining recovery point and recovery time objectives, describing alternative recovery strategies like hot sites and warm sites, explaining different types of backups, discussing testing procedures, and outlining responsibilities and concerns to address in developing business continuity and disaster recovery plans. It is intended to help the reader understand the essential elements of ensuring the continued operations of critical business functions in the event of a disruption or disaster.
What’s & Why’s of Business Continuity Planning (BCP) - CBIZ, Inc.
Business Continuity Planning (BCP) involves developing strategies and plans to ensure critical business operations can continue functioning in the event of disruptions. This includes identifying risks, maintaining response and recovery plans, and testing through exercises and training. The document discusses the importance of BCP, outlines the BCP life cycle process, and emphasizes the need for actionable and usable plans that prioritize critical functions and can be followed by anyone. It also stresses ongoing risk assessment, plan reviews, and testing to keep the BCP program effective.
Business continuity planning and disaster recovery - madunix
The document discusses business continuity planning and disaster recovery. It provides definitions of business continuity planning, disaster recovery planning, and information systems business continuity planning. It outlines the tasks of an information systems auditor in evaluating business continuity plans, including assessing backup and restore provisions, disaster recovery plans, and the organization's ability to continue essential operations during disruptions. The document also discusses other planning issues like involving relevant organizational units, risk assessments, and documentation of plans.
Business Continuity Planning Presentation Overview - Bob Winkler
The document outlines the key steps in developing a business continuity plan, including performing a business impact analysis, developing recovery strategies, creating the plan, and maintaining the plan through regular exercises. It discusses defining critical processes, employees, vendors, and locations and assigning roles and responsibilities to teams to ensure business functions can continue during a disruption. The six steps to building continuity plans are also presented.
This document summarizes The Open Group, an industry consortium focused on enterprise architecture standards. It discusses the Architecture Forum, a working group within The Open Group focused on TOGAF. TOGAF is introduced as an enterprise architecture framework originally based on the TAFIM framework. The document outlines TOGAF 8 "Enterprise Edition", including its scope, goals, and components. It provides an overview of the Architecture Development Method (ADM) process in TOGAF 8, describing the preliminary phase and phases A through F.
This document provides an overview of business continuity management (BCM). It discusses the objectives and composition of the Technical Committee on BCM in Malaysia, which develops BCM standards. The goals of the committee are outlined. BCM is defined and its importance explained from the perspectives of corporate governance, regulations, and business requirements. Key differences between BCM and disaster recovery planning are highlighted. The document provides guidance on establishing a BCM program, including identifying roles and selecting team members. An 8-module methodology for developing a BCM plan is also presented.
Let’s understand the concepts of business continuity and Disaster Recovery in brief. To know more, visit: www.eccouncil.org/business-continuity-and-disaster-recovery
PECB Webinar: Introduction to ISO 22317 – Business Impact Analysis (BIA) - PECB
We will cover:
• Importance of Business Impact Analysis (BIA)
• What does new standard ISO 22317 cover?
• Elaborating ISO 22317
Presenter:
This session will be hosted by our partner Dr. Wolfgang H. Mahr, M.Sc., MBCI, the Managing Director of governance & continuity gmbh with more than 20 years of experience.
Business continuity & Disaster recovery planning - Hanaysha
Disaster recovery (DR) and business continuity planning (BCP) are important for organizations to plan for disasters and disruptions. A DR plan provides procedures to recover IT capabilities at an alternate site after a disaster. A BCP addresses risks to business processes and prepares an organization to continue essential operations. Both plans aim to minimize downtime and losses. Key components of DR plans include establishing recovery teams, developing procedures, training, and arranging alternate IT resources. BCP components involve identifying critical resources, conducting risk and impact analyses, and developing prevention, mitigation and recovery strategies. Maintaining and testing plans is important to ensure preparedness for disasters.
This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.
It is well known that an effective PMO is key to successful and efficient program and project execution. In other words, doing things “right”. Enterprise Architecture is the discipline that plans and monitors enterprise transformation and aligns the business strategy with information technology capabilities. In other words, doing the “right things” to support the business.
Why is it that organizations, despite having both of these disciplines, still struggle with effective enterprise transformation? What can be done to use these disciplines more effectively to effect better business outcomes? What are the roles of each discipline and how do they work together to create business value?
In this presentation, Riaz will address these questions and will provide real life examples that can help build a strong relationship between the PMO and Enterprise Architecture.
Learning Objectives:
• How to build a strong relationship between the PMO and Enterprise Architecture (EA) to deliver positive outcomes for your organization
• Identify the different roles and functions of the PMO and EA as well as their similarities
IDRC Davos 2012 post-conference presentation by Glikeria Zigouri, Group Business Continuity Manager, COSMOTE Mobile Telecommunications S.A., Maroussi, Greece, about implementing a Business Continuity Management System in Telecoms
Disaster Recovery Plan / Enterprise Continuity Plan - Marcelo Silva
This document outlines a presentation on developing a Disaster Recovery Plan (DRP) and Enterprise Continuity Plan (ECP). It discusses defining roles and teams for responding to incidents, assessing risks across six resilience layers of strategy, organization, processes, data, technology, and facilities. It also covers training the response team, engaging outside experts, and creating awareness campaigns to implement the DRP/ECP.
Building a Business Continuity Capability - Rod Davis
A detailed overview of the business continuity / disaster recovery planning process. Gives numerous tips for effective execution of plan development. Emphasizes development of a true recovery capability through exercises which reveal weaknesses in the plan or technology leading to improvements.
Developing and Managing Business Continuity Plan (BCP) - Goutama Bachtiar
This document provides an overview of business continuity planning (BCP). It discusses the key components of a BCP, including conducting a business impact analysis to understand critical business processes and their maximum tolerable downtimes. The document also covers developing resumption strategies, communicating and training on the BCP, and reviewing and updating the plan on an ongoing basis. The ultimate goal of a BCP is to minimize disruption to an organization and allow for the timely recovery of critical business functions in the event of a disaster or business interruption.
Business continuity planning (BCP) is a process that plans for disruptive events that could impact an organization. It aims to allow organizations to continue operations during emergencies through alternative systems and data protection. BCP involves threat analysis, impact assessment, recovery planning, and testing. It is part of enterprise risk management and helps mitigate risks like reputational damage and financial loss. BCP requires involvement from business units to identify key processes and from senior leaders to promote the BCP culture throughout the organization. The presentation outlines a 4-phase BCP project for an insurance company covering analysis, documentation, capability development, and technology dependencies.
This document discusses disaster recovery and business continuity planning. It defines business continuity planning (BCP) and disaster recovery planning (DRP) as processes for improving an organization's ability to continue operations during adverse events. The key aspects covered include identifying threats, developing recovery teams, creating emergency and backup plans, selecting alternative processing sites, testing plans, and maintaining plans over time. Regular auditing of BCP/DRP is also recommended to ensure plans remain adequate as business needs change.
Business continuity planning (BCP) seeks to mitigate interruptions to core business systems. A BCP identifies critical business functions, assesses risks like power outages or cyberattacks, and develops reduction, readiness, response and recovery plans. It is tested through simulations. Developing a comprehensive BCP is complex for healthcare given systems' criticality and risk to patient care, but consistency in the literature can guide appropriate plan development. Testing assesses a plan's achievability and timely, cost-effective response while ongoing review ensures applicability amid changing systems.
The document discusses business continuity planning (BCP) and disaster recovery planning (DRP). It defines BCP as a plan to continue business operations in the event of a major disaster from both a business process and IT perspective. It stresses that BCP encompasses risk assessment, contingency planning, and DRP, which focuses on recovering IT environments. The document emphasizes that BCP and DRP have become mandatory practices as businesses become more dependent on technology, and auditors and insurers now require them.
The document discusses developing a business continuity plan that goes beyond just disaster recovery. It covers understanding the components of a business continuity plan including conducting risk assessments and gap analyses, developing and implementing continuity plans, establishing disaster recovery plans, and testing plans. It emphasizes that having a business continuity plan can help ensure survival during disasters and support stability, reduce financial losses, and make good business sense. The document outlines critical steps in business continuity planning including assessments, risk and impact analyses, and developing recovery strategies and actions.
Tabletop testing doesn’t have to be complex or time intensive to be effective. It’s as simple as assembling the Crisis Management Team and walking through example recovery scenarios step-by-step.
In this webinar, we show you how to run an effective tabletop test, specific to the risk profile of your business.
Cloud computing offers various benefits for businesses. Here are some of the key factors SMBs must consider before cloud implementations.
How to leverage BCP/DR for your Info Sec Program - Moey
In the beginning, every Information Security professional learns about the triad: Confidentiality, Integrity, and Availability. As you grew so did your skills; you learned about controls, frameworks, compliance, and how to test your systems/applications to ensure that all your bits and bytes were safe. But what happened to the Availability? It seems that in the journey of becoming an information security professional, we stopped focusing on a third of the basic principles of Information Security.
This presentation will discuss why Availability goes well beyond DoS. It will discuss how to leverage BCP/DR for the benefit of your information security program by:
• Learning in depth the critical portions of your organizations
• Bringing your risk approach to other highly visible initiatives
• Allowing you to collaborate with teams
• Exposing you to business Executives
E.Saruul provides a summary of events organized and supported by the Business Council of Mongolia (BCM) in 2016 and upcoming events for 2017. In 2016, BCM organized 3 events, co-organized 7 events, supported 12 events, and held monthly meetings and special events like the New Year Ball. Major events included the 1st Annual BCM Summit and working group meetings on topics like nomadic business practices. Upcoming 2017 events outlined include continuing monthly meetings, knowledge sharing sessions, working group activities, and the larger 2nd Annual BCM Summit over two days in June. Members are encouraged to participate in events and activities.
Jason Teo Supply Chain Business Continuity Management Case Study in Infineon ... (BCM Institute)
Jason Teo, Senior Director Business Continuity Asia & Japan region share his experiences through supply chain resiliency awareness training and Infineon employees are aware of the potential disruption risks associated with transport and logistics operations and the steps necessary to minimize these risks during the World Continuity Congress (WCC) Singapore 22 April 2014 at Carlton Hotel. Copyright 2014 @ World Continuity Congress www.worldcontinuitycongress.com BCM Institute www.bcm-institute.org Read more of Jason Teo @ http://www.bcmpedia.org/wiki/Jason_Teo
Business Continuity Planning: Documentation During EMR Downtime Webcast (Julie Champagne)
This document discusses business continuity planning and documentation during EMR downtime. It begins by distinguishing between business continuity and disaster recovery, then discusses considerations for EMR downtime including financial costs. Methods for documentation during an outage like paper forms or electronic options are presented. The document concludes by describing a business continuity solution called VitalCenter that allows providers to continue seeing patients and documenting visits electronically during an EMR outage.
This document summarizes a case study of Business Continuity Planning (BCP) at ISM, an IT services company. ISM experienced three major incidents where their BCP was activated: a fiber cable cut in 2008, the Egyptian revolution in 2011, and further unrest in Egypt in 2013. Each time, ISM was able to successfully recover operations through their redundant site structure and contingency plans, transferring services and personnel to backup locations. The document stresses the importance of planning for worst-case scenarios, regular testing of BCP procedures, and keeping documentation up-to-date.
Eskom developed a business continuity management program using 5 building blocks:
1) Governance and accountability with leadership ownership and defined roles
2) Defining recovery strategies through expert agreement on solutions and risk appetite
3) Constituting dedicated or hazard-specific recovery teams with pre-defined roles
4) Integrating assurance, compliance, and reviews into the program
5) Embedding continuous improvement through training, exercises, reviews and tracking enhancements
The key lessons were to obtain executive buy-in, define responsibilities, conduct reviews and exercises, and take a gradual approach to developing the program over time.
Yes, an external auditor can help validate the effectiveness of the BCP. Some key reasons are:
- Provide an independent third-party perspective
- Ensure compliance with regulations and industry standards
- Test processes and identify gaps/areas for improvement
- Verify ability to execute the plan effectively in a disaster scenario
So in summary, an external audit is recommended as part of the BCP management process to independently validate that the plan is robust, compliant and operationally effective.
A short presentation of the essentials of business continuity planning, which is often put on the back burner because it seems too complex, whereas the principles are quite straightforward.
The A to Z Guide to Business Continuity and Disaster Recovery (Sirius)
The document provides links to several articles on topics related to emergency operations centers, business continuity and disaster recovery, including how to create a cost-effective emergency operations center, operational resiliency as the new approach to business continuity and disaster recovery, the eight steps to an effective vulnerability assessment, and an A-Z guide to business continuity and disaster recovery planning. The document also includes links to the websites of Forsythe and The Good Workshop for additional information on technology consulting and infrastructure services.
PwC offers internal audit services to help pharmaceutical and life sciences companies optimize their internal audit function in a rapidly changing risk environment. They utilize a "hub and spoke" operating model staffed by industry-experienced professionals to provide traditional internal audit activities and address high-risk areas. PwC focuses on strategic risk assessments, regulatory compliance reviews, supply chain audits, and financial reporting to help companies manage risks across their value chain.
Power point set 001 definitions of strategy spring 2009 (Ankush Sharma)
Strategic management involves three key activities: 1) understanding how firms create competitive advantage, 2) analyzing strategic situations to formulate strategic plans, and 3) implementing strategies and organizing the firm for strategic success. The document discusses definitions of strategy, the importance of defining the business and establishing goals and mission, sources of competitive advantage, and levels of strategy including corporate, business, and functional strategies. Effective strategic decision-making requires addressing factors like time constraints, limited information, and group biases.
IDC Energy Insights - Enterprise Risk Management (FindWhitePapers)
Operational risk management is a rising priority for companies in asset-intensive industry segments. Disparate and disconnected efforts in safety, environmental compliance, and asset utilization at the individual facility are converging to provide better enterprise-wide control and management accountability. Companies that make substantial efforts today will not only improve risk mitigation but create an enduring competitive advantage.
Virtualisation:- Business Continuity Solution or Enablersubtitle
The document discusses virtualization as an enabler for business continuity. It provides an overview of business continuity management (BCM), including definitions, components like people, processes, and premises, and the benefits of virtualization for disaster recovery and improving uptime. The summary emphasizes that while virtualization helps with technology recovery, BCM is broader and aims to demonstrate preparedness to stakeholders through an embedded and tested approach.
The Performance Conference will be held May 3-5, 2011 in Chicago, IL. It will feature 12 comprehensive tracks on strategies for driving growth, sustaining results, managing organizational performance, and more. Business executives from various industries will gather to explore ways to overcome challenges in business performance, discover innovations in performance management, process improvement, customer experience, and business intelligence. The conference will focus on performance management systems, measures, metrics, employee performance, and customer experience. Attendees will include C-level executives, directors, managers, analysts, and others involved in business planning, corporate performance, and strategy execution from industries such as financial services, retail, healthcare, technology, and more.
This document discusses the deployment of Six Sigma at Bechtel, an engineering, procurement, and construction company. It describes how Six Sigma uses rigorous tools and methodologies to improve work quality, profitability, and customer satisfaction. Bechtel implemented Six Sigma to address issues like ineffective lessons learned and talent shortages. The presentation outlines Bechtel's improvement framework, provides examples of Six Sigma projects that increased productivity, and describes how Six Sigma was organized within Bechtel with champions, belts, and executive support. It emphasizes becoming self-sufficient in improvement efforts and establishing a culture focused on process data.
Nearly two thirds (62%) of managers report that cyber security threats are increasingly posing a serious risk to their business, with nearly a third of UK organisations (32%) having come under a cyber attack of some sort in the past 12 months, according to new research published by the Chartered Management Institute (CMI) today.
An overview of AEC (or EC) market drivers, associated business issues and impacts, and enabling technology solutions. Additional insights on advanced tech and that for sustainability processes.
This document provides an introduction to Two Tomorrows, a sustainability consulting firm. It summarizes Two Tomorrows' unmatched client base, experience, and services. The document outlines Two Tomorrows' approach to sustainability which focuses on both creating value and managing issues through business alignment, strategic product development, and cost prevention. It then highlights some of Two Tomorrows' recent assignments demonstrating their work assisting clients with sustainability reporting, assurance, strategic direction, communications, stakeholder engagement, and responsible supply chain development.
Keenan Matthews is a strategic advisory firm that assists companies in accelerating growth through expertise in M&A, strategy, restructuring, corporate finance, and integration. With over 30 years of experience, the firm has developed a global network of industry and process experts. Keenan Matthews specializes in corporate strategy, restructuring, M&A, and capital advisory services to help clients transform their businesses.
Are You Selling Safety? Anyone Buying? November 2009 (FayFeeney)
1) The document discusses strategies for insurance brokers and agents to better sell safety services to clients by understanding their "risk maturity" and readiness to invest in such services. It outlines assessing clients as basic, standard, or enhanced buyers and matching messaging and services accordingly.
2) Agents are encouraged to package safety services into basic, standard, and enhanced levels to meet different clients' needs and buying signals. Meeting with clients involves planning to identify the right service level and presenting a clear client benefit.
3) By properly evaluating a client's risk maturity and tailoring loss prevention services and messaging, agents can help clients meet underwriting standards, improve safety over time, and position safety as a value-add instead of just a
The document provides information about a supply chain management forum in the oil and gas industry. It includes an overview of the speaker's background and company. The speaker discusses why supply chain transformations are important, considerations for transformation using the PACE framework, assessing maturity levels, and key aspects of a successful transformation including executive commitment, change management, understanding financial impacts, and people, processes, and tools. The speaker emphasizes the importance of measurement, understanding strengths and weaknesses, managing risks, and that transformation is a journey rather than a single event.
This document provides an overview and agenda for a presentation on successful IT business integration. Some key points:
1. It discusses the challenges facing IT and business executives in a difficult economic environment with flat IT budgets and increased pressure to demonstrate value.
2. Statistics are presented on top business and technology priorities from a Gartner survey, showing business process improvement and business intelligence as the top priorities.
3. An approach is outlined to transform organizations through self-assessment, defining strategic outcomes, and using balanced scorecards to drive change and close competency gaps.
4. The importance of IT business alignment, governance, and moving from an operational to strategic focus is emphasized to support business goals.
IAF605 week 8 the strategy of international business (IAF605)
The chapter discusses the role of strategy in international business. It examines how industry structure and competitive forces impact firm strategy and performance. Managers develop strategy to attract customers, operate efficiently, and compete effectively. The value chain framework helps managers analyze how the company creates value through primary and support activities. Firms face pressures for global integration to benefit from efficiencies but also pressures for local responsiveness to address host country needs. Different industry types and strategy types determine a firm's appropriate integration-responsiveness approach. The homework is to review exam performance, chapter 11, and prepare for chapter 12 by reading the case study on Burger King.
Business Continuity Management-The Case for Return on Investment-white paper (Greg Cybulski, CBCP, ARM)
The document discusses how business continuity management (BCM) programs can provide both short-term and long-term return on investment (ROI) for organizations. It outlines the key components of a BCM program, including business impact analysis, risk assessment, emergency response planning, and governance processes. Examples are provided of how BCM planning helped organizations reduce risks and increase resilience during events like natural disasters. While some benefits are tangible and easy to quantify, others are intangible, but no less important to the overall ROI of a BCM program. Developing and implementing a full BCM program allows an organization to identify impacts, improve preparedness, and gain competitive advantages through operational resilience.
This document discusses the need for organizations to invest in business continuity management (BCM). It notes that risks are increasingly complex as organizational models evolve. BCM helps protect against risks like supply chain disruptions, loss of market share, and regulatory non-compliance. The document outlines the business case for BCM, noting that companies with strong BCM recover faster and better protect stakeholder value. It also provides a high-level overview of how to approach a BCM project through steps like understanding the business, developing strategies and plans, embedding plans through training and exercises, and establishing proper governance.
This document discusses the value of governance, risk, and compliance (GRC) initiatives for organizations. It notes that increased regulations, data security risks, and a competitive environment are driving organizations to better manage their data and risks through GRC programs. However, implementing GRC solutions can be challenging due to their technical nature and perceiving them only as reactive compliance tools. The document aims to show GRC as strategic, enterprise-wide initiatives that integrate compliance, risk management, and other business functions to provide long-term business advantages beyond just meeting regulations.
WGA Consulting provides business management consulting services to help organizations evolve. They specialize in strategy, innovation, operations, performance, risk management, and organizational development. Their global experience spans industries like aerospace, automotive, banking, education, healthcare, technology, and more. They help clients improve financial and operational performance through functional practices like business strategy, supply chain management, change management, and regulatory compliance. Case studies show benefits like reduced costs, headcount, and improved processes.
Business Continuity Planning Seminar
1. [Executive Research Council Logo]
Operations and Technology Research Interest Group
Business Continuity Planning Seminar
Authored and presented by: Charles C. McKinney
EXECUTIVE RESEARCH COUNCIL
Operations and Technology Special Interest Group: Project Management Toolkit | 0
2. Discussion Roadmap
• Introduction to business continuity (2-8)
• Initiating business continuity governance (9-15)
• Risk assessment (16-21)
• Business Impact Analysis (22-26)
• Business continuity strategy (27-32)
• Implementing business continuity plans (33-37)
• Awareness, testing and exercise (38-41)
• Self assessment guide (42-55)
Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 1
3. Introduction to Business Continuity
• Introduction to the discipline
• Process characteristics
• Key outcomes
• Strategic scope
• Evolving aspirations
• Argument in brief
4. Introduction to the Discipline
• Organizations need risk management processes to deal with disasters:
– Disruptions to business operations
– Damage to physical and intangible assets
– Loss of human life and well-being (9/11, Katrina)
– Business continuity planning establishes and maintains contingency plans for disasters
• Since the 1960s it has developed into a discipline, and today there are:
– Professional associations (e.g., DRII)
– Industry roundtables (e.g., FSTC SCOM)
– Professional certifications (e.g., CBCP, MBCP)
– Trade publications and conferences (e.g., CP&M)
– Best practices and industry regulations
5. Process Characteristics
• Business continuity planning is a process, characterized by:
– Defined inputs, outputs and critical success factors
– Interdependencies with other planning and control processes
– Dependence on people, technology, culture and managerial systems
• Process capability depends on sensing and responding to:
– Internal strengths and weaknesses
– External threats, opportunities and conventions
[Figure: Risks to the Enterprise. Value Chain – Ecosystem: Suppliers, Inbound Logistics, Purchasing, Production, Outbound Logistics, Sales and Marketing, Distribution System, End User Customers. Labels: Demand Chain, Supply Chain.]
6. Key Outcomes
Focus of business continuity planning is preventing and managing impact of disasters, so risk exposure is kept to an acceptable level.
Disasters can cause unexpected . . .
– Loss of revenue
– Loss of productivity
– Unusual expenses
– Customer defection
– Market share decline
– Brand deterioration
– Penalties, fines and liabilities
– Harm to employee safety, morale
. . . and destroy shareholder value, public confidence, and competitive position over the long run.
According to Gartner Group, 40% of businesses that go through a disaster fail within two years. Early estimates of the economic impact of 9/11 ranged from $16 billion to $83 billion.
Knowledge@Wharton estimated the impact of Katrina at $200 billion.
7. Strategic Scope
A comprehensive strategy covers mitigation, planning and critical resources.
8. Strategic Aspirations
Organizations increasingly use real-time information and operations to compete, and their survival depends on availability of these resources.
Source: Campbell, Alonso, McKinney et al. (KPMG 2001)
9. Argument in Brief
• Organizations aspire to change how they plan for business continuity
• Planning and control systems tend to under-perform in key areas:
– Institutionalizing governance of the business continuity process
– Understanding risks and defining requirements
– Making business continuity investments within a coherent strategy
– Monitoring and stress-testing organizational readiness for a disaster
• Business and risk managers need to plug themselves into the “vital few” root-cause issues, so they can motivate performance improvement in their enterprises
10. Initiating Business Continuity Governance
• Initiation activities
• Chartering a steering group
• Articulating standards and policy
• Organizational design considerations
• Building momentum for change
• Process deployment planning
11. Initiation Activities
• Business continuity plans often evolve through decentralized efforts
• Whether starting fresh or working to improve legacy capabilities, initiating business continuity can promote good governance and its benefits
• Initiation activities typically include:
– Chartering a steering group to oversee business continuity planning
– Assigning roles and responsibilities to process actors
– Agreeing on high-level standards and articulating a policy
– Assigning executive oversight, staff resources and line accountabilities
– Building momentum through dialogue and by achieving quick wins
– Sequencing to deploy process capabilities
12. Chartering a Steering Group
• A steering group exists to guide process implementation, resolve conflict and monitor performance – not to manage the process
• Objectives for a steering group may include:
– Recommend a policy to the CEO and Board
– Approve priorities, investments and resource allotments
– Approve business continuity strategy and standards
– Monitor business continuity projects and process capabilities
– Provide direction to the business continuity manager
– Participate in or review efforts to exercise and test capabilities
– Perform defined roles during a disaster or crisis
• Stakeholder coordination and lateral processes indispensable
13. Articulating Standards and Policy
• At this stage, standards frame the process and educate executives (see example of a process definition template)
• Policy articulates expectations and may include:
– Key terms and definitions
– Policy statement (intent)
– Objectives (measurable outcomes)
– Minimum standards (due care)
– Chain of command for crisis management
• Standards can help to define the policy; need to be consistent with corporate governance
14. Organizational Design Considerations
The best organizational model supports an organization’s priorities, aligns its stakeholders, and is appropriate for its risk profile (Motorola case study).
Source: Corporate Executive Board
15. Building Momentum for Change
• Momentum can be built through:
– Dialogue in the organization
– Attainment of quick wins (see handout)
• Business continuity planning requires long-term commitment without tangible outcomes unless a disaster strikes
Kotter’s Eight Step Change Model
1. Establish a sense of urgency
2. Form powerful guiding coalition
3. Create a vision
4. Communicate the vision
5. Empower others to act on vision
6. Plan for and create short-term wins
7. Consolidate improvements
8. Institutionalize new approaches
Source: John Kotter, The Heart of Change (2002)
16. Process Deployment Planning
Funding Business Continuity
• Business continuity costs:
– Staff function (headcount)
– Standby sites (IT facilities)
– IT infrastructure
– Third-party services
– BU and department planning
– Testing and exercise
– Other costs
• Funding and chargeback methods
• Infrastructure profiles (tiered service level standards)
Implementation Planning
• Process charter
• Sequencing plans:
– Deployment schedule
– Project mix
– Interdependencies
– Resources
– Project management
• Communications
• Change management
17. Risk Assessment
• Risk assessment purpose
• Key activities and outcomes
• Process case study
• Risk categories
• Complementary tools
18. Risk Assessment Purpose
• Identify threats to the organization
• Understand vulnerability to these threats
• Determine risk exposure (e.g., ALE)
• Produce requirements to mitigate risk
• Track changes in risk profile over time
19. Key Activities and Outcomes
• Key activities in a risk assessment:
– Select risk categories and threats
– Determine fact-finding methods
– Produce data collection form
– Gather data for the assessment
– Complete and collate forms
– Finalize threat assessment
– Estimate risk exposure
– Communicate work products
• Key outcomes:
– Catalog of threats and risks
– Risk exposure matrix
– Risk assessment report
• Activities and outcomes will depend on process design
20. Process Case Study
Intel provides a case study of implementing a global, centrally coordinated process to
periodically assess risk and pursue targeted mitigation.
Source: Corporate Executive Board, Intel
21. Risk Categories
• Traditional risk assessments examined manmade and natural disasters and political acts (terrorism)
• Due to complexity of threats, many organizations now consider:
– Operational risks
– Strategic risks
– Composite risks
• Framework provides way to quantify and stratify exposure
22. Complementary Tools
• Complementary tools can further risk assessment activities:
– Failure modes and effects analysis (FMEA)
– Simulation and modeling exercises
– Design of experiment methods
• Tools employed in strategic planning and risk modeling groups may be worth exploring, depending on the complexity of an enterprise’s business model and risk profile.
23. Business Impact Analysis
• Business impact analysis overview
• Key activities and outcomes
• Defining critical resource requirements
• Prioritizing business functions
24. Business Impact Analysis Overview
• Purpose of business impact analysis is to:
– Assess impacts of a disaster to business areas (e.g., functions)
– Determine criticality of business functions based on impact
– Determine criticality of information systems that support business operations
– Define critical resource requirements for disasters
• Analysis ties estimates of impact to key performance indicators, such as:
– Financial impact (e.g., present value of projected revenue loss)
– Customer impact (e.g., loss of existing customers and market share)
– Compliance penalties (e.g., liability to pay fines, SLA penalties)
– Unusual expenses (e.g., unplanned cost of facility repairs)
– Shareholder value (i.e., loss of value because of factors attributable to disaster)
– Other intangible impacts
• Contributes requirements for strategy to manage business continuity
25. Key Activities and Outcomes
• Key activities in a business impact analysis:
– Determine fact-finding and analytical methods
– Prepare data collection form (see handout)
– Gather and analyze data
– Prioritize business functions
– Determine critical resource requirements
– Report preliminary observations
– Obtain consensus on observations
– Issue report to management
• Key outcomes:
– Analysis of tolerance for a disaster
– Critical resource requirements
• Terminology: RTO versus RPO
26. Defining Critical Resource Requirements
• Requires use of a standard form to gather information provisioning requirements for:
– Information technology applications
– Server and network capacity
– User desktop configurations
– Vital records requirements
– Staffing needs (including key persons)
– Workspace, telecommunications, etc.
• Definition of critical resource requirements is based on a determination of each department’s tolerance for a disaster
• See critical resource requirements handout
27. Prioritizing Business Functions
• Prioritization of business functions should occur for:
– Tolerance for unplanned downtime (recovery time objective)
– Tolerance for unexpected data loss (recovery point objective)
• Organizations typically group their recovery time objectives into buckets that correspond to how quickly business resumption should occur:
– Platinum (zero to four hours)
– Gold (four to twenty-four hours)
– Silver (one day to three days)
– Bronze (greater than five days)
• These priorities are communicated to key stakeholders
• Consensus is critical, especially when the analysis is qualitative (by necessity or design)
28. Business Continuity Strategy
• Mitigation and planning
• Organizational issues
• Alternate site options
• Alternate site provider considerations
• Documentation standards
29. Mitigation and Planning
Business continuity covers mitigation and planning but emphasizes corrective steps.
Mitigation integrates with the enterprise architecture (i.e., hardened patterns)
[Figure: enterprise architecture reference diagram with layers for Application Services, Business Services, Enterprise Service Bus (mediation, messaging, events), Utility Business Services (metering, rating, billing, peering, settlement), Service Level Automation and Orchestration, Resource Virtualization Services, and Infrastructure Services]
Source: IBM
30. Organizational Issues
• Incident command system:
– Crisis management team
– Business resumption teams
– Information technology teams
– Incident and emergency teams
– Staff groups (e.g., legal counsel)
• Implementation of a temporary structure to manage through a disaster
• Assignment of decision rights and authorities in a crisis
31. Alternate Site Options
• Today’s most common solutions address recovery of technology and facilities to support operations
• When considering them, ask:
– How do people and processes factor into contingency plans?
– How will operations return to normal?
– How will customer satisfaction be maintained?
– Does a business continuity solution support the productivity requirements of information assets?
• Distance from the primary site is an important consideration, along with the logistics of cutting over to the alternate site in the case of a local or regional disruption
[Figure: spectrum of alternate site options from manual to automated: Buy and Build, Cold Site, Hot Site, Redundant Site]
32. Alternate Site Provider Considerations
• Site maintenance
– Servicing and maintenance
– Frequency of testing
• Site services
• Site resources and upgrade frequency
• Disaster recovery support
• Internal control audits and contingency plans
• Over-subscription ratio and fallback locations
• Exclusion zone for other subscribers
33. Documentation Standards
• Organization of planning documentation
– Incident response and emergency management
– IT disaster recovery
– Business resumption
– Insurance and loss recovery
– Human resources
– Crisis communications
• Overall guidance on management of business continuity
• Usability of documentation and plan attachments
• Ease of document management and maintenance
• Attention to industry regulations (e.g., SEC)
34. Implementing Business Continuity Plans
• Implementation techniques
• Plan element considerations
• Plan sections and contents
• Vital records protection
35. Implementation Techniques
• Each organization is unique:
– Tailoring contingency plans to requirements
– Retaining flexibility to allow additions, modifications, and maintenance
• There is a need to minimize dependency on:
– Key persons
– Third parties
• Along with documenting contingency plans, procedures should be created to ensure:
– Completeness and testing
– Establishment of critical decisions
– Plans are kept current in each department
36. Plan Element Considerations
• Planning aids can assist stakeholders with learning and using business continuity plans
• Aids to consider using include:
– Job descriptions
– Action plans
– Checklists
– Matrices
– Forms
– Other supporting documentation
• Plans should clearly articulate assignments and responsibilities
• Site preparation must be completed in conjunction with documenting plans
• Planning for IT must factor in restoration of general computing services, recovery of applications and resumption of transaction processing
37. Plan Sections and Contents
• There is confusing terminology, including continuity of operations plans, disaster recovery plans, and business recovery/resumption plans
• Comprehensive business continuity plans typically cover (see handout):
– Introduction and overall guidelines
– Crisis management organization
– Disaster notification and declaration
– Standby site invocation
– Human resources plan
– IT disaster recovery plans
– Business resumption plans
– Satellite location (small office) plans
– Crisis communications plan
– Facilities assessment and salvage
– Loss recovery
• Many organizations maintain their plans with COTS software
38. Vital Records Protection
• Backup and recovery procedures support vital records protection
• Vital records protection procedures:
– Protect against ordinary hazards of fire, water, mildew, light, dust, insects, rodents, acids and fumes, and excessive humidity.
– Protect against human hazards of theft, misplacement, and unauthorized access.
– Protect against disasters of earthquakes, wind storms, explosions, bombings, nuclear fallout, and radiation.
– Purpose is to protect essential information
• Best practices highlight the following key success factors:
– Identify functions essential to the primary mission of the organization
– Identify records whose informational value to the organization is so great (loss would be so severe) that special protection is justified
– Have a classification scheme for organization documents/knowledge
– Institute an enterprise service to manage vital records
39. Awareness, Testing and Exercise
• Awareness Best Practices
• Tailoring for the Audience
• Testing Methods
40. Awareness Best Practices
• Inform staff of importance of business continuity
• Make line management responsible for orientation
• Use in-house newsletters and magazines to feature business continuity
• Periodically distribute emails to employees
• Use corporate intranet to post business continuity plans
• Make mention of business continuity part of performance appraisal
• Use management meetings to communicate issues
• Periodically test and give honest, objective feedback about results
• Involve vendor managers and account managers in the process (extended enterprise impacts)
41. Awareness Best Practices (Continued)
Leading organizations tailor their awareness-building activities by segmenting their audience
and tailoring materials for each group.
Source: Corporate Executive Board, HSBC
42. Testing and Exercise Methods
• Many organizations focus testing on proving their information systems will work at the alternate site
• They do this at the expense of:
– Reviewing the usability of documentation
– Role-playing disasters (scenario planning)
– Testing organizational capacity and logistics
– Stress-testing their business continuity plans
• Organizations can complement traditional disaster recovery tests with a four-type approach:
– Documentation review
– Validation exercise
– Partial simulation exercise
– Full disaster simulation
• Scarcity of scheduling options with alternate sites is a complicating factor
43. Self Assessment Guide
Step 1. Develop an understanding of the business continuity planning strategy and approach to understanding risks,
determining priorities and setting objectives.
Review Steps Observations
1.1 Review past reports for outstanding audit issues or previous problems.
Examine:
▪ Regulatory reports
▪ Internal and external audit reports, including SAS 70 reports
▪ Business continuity test results
▪ Organization’s overall risk assessment and profile.
1.2 Review management’s response to issues brought up during the last review of
disaster recovery and service continuity, including:
▪ Adequacy and timing of corrective action;
▪ Resolution of root causes rather than just specific issues; and
▪ Existence of any outstanding issues.
1.3 Interview management and review documentation to identify:
▪ Any significant changes in business strategy or activities that could affect
the business recovery process;
▪ Any material changes in the audit program, scope, or schedule related to
business continuity activities;
▪ Changes to internal business processes;
▪ Key management changes;
▪ Information technology (IT) environments and changes to configuration or
components;
▪ Changes in key service providers (technology, communication,
back-up/recovery, etc.) and software vendor listings; and
44. Self Assessment Guide (Continued)
Review Steps Observations
▪ Any other internal or external factors that could affect the business
continuity process.
1.4 Determine consideration of newly identified threats and vulnerabilities to the
organization’s business continuity process, including:
▪ Technological and security vulnerabilities
▪ Internally identified threats
▪ Externally identified threats (including known threats published by
information sharing organizations)
Step 2. Determine the existence of an appropriate business continuity plan (BCP).
Review Steps Observations
2.1 Review the written BCP and verify that the BCP:
▪ Addresses the recovery of each business unit/department/function
according to its priority ranking in the risk assessment
▪ Considers interdependencies among systems and provisions for recovery of
these interdependencies
▪ Takes into account:
- Personnel
- Facilities
- Technology (hardware, software and other equipment)
- Telecommunications and network services
- Vendors
- Utilities
45. Self Assessment Guide (Continued)
Review Steps Observations
- Documentation (data and records)
- Law enforcement
- Security
- Media
- Customers
- Shareholders/stakeholders
▪ Addresses emergency response and crisis management, including:
- Existence of call trees for managers, employees, suppliers and customers
- Existence of decision-making authorities for designated teams, staff and managers
- Establishment of authority for declaring a disaster
- Existence of contingency plans for specific emergency situations
- Designation of public relations and customer relations spokespersons
- Provisioning for temporary office space for key personnel
- Provisioning for replacement equipment from vendors
2.2 Review the organization and scope of documented disaster recovery and
business continuity plans to determine if:
▪ Disaster recovery procedures for IT systems are clearly delineated
▪ Business resumption procedures for critical departments/functions are
clearly delineated
▪ Emergency response plans are clearly delineated
▪ Documentation of standards for emergency response, disaster recovery and
business resumption provides guidance to individual(s) serving in crisis
management, disaster recovery coordination and team leadership roles
2.2 Determine if resources are assigned to ensure the BCP is maintained and
46. Self Assessment Guide (Continued)
Review Steps Observations
periodically updated.
Step 3. Assess corporate governance of business continuity planning, including direction, oversight and support from the
board of directors and senior management.
Review Steps Observations
3.1 Determine if the board or senior management has established an enterprise-wide
business continuity planning process appropriate for the size and complexity of
the organization, which defines the organization’s business continuity strategy.
3.2 Determine if a senior manager has been assigned responsibility to oversee the
development, implementation, testing, and maintenance of the BCP.
3.3 Determine if the board has ensured that adequate resources, including sufficient
human resources, are devoted to the business continuity process.
3.4 Determine if senior management reviews and approves the written BCP(s) and
testing results at least annually.
3.5 Determine if senior management periodically reviews each business unit,
business process, department, and subsidiary to prioritize its criticality for
disaster recovery and business resumption importance and recovery
prioritization.
3.6 If applicable, determine if senior management has confirmed the existence and
evaluated the adequacy of BCPs for its external service providers.
47. Self Assessment Guide (Continued)
Step 4. Determine if a business impact analysis (BIA) and risk assessment have been completed and are adequate.
Review Steps Observations
4.1 Determine if all functions and departments were included in the BIA.
4.2 Determine if the BIA identifies maximum allowable downtime for critical business
functions, acceptable levels of data loss and backlogged transactions, and the
cost and recovery time objectives associated with unplanned downtime.
4.3 Review the risk assessment and determine if it includes scenarios and probability
of occurrence of disruptions of information services, technology, personnel,
facilities, and external service provisioning from internal and external sources,
including:
▪ Natural events such as fires, floods, and severe weather;
▪ Technical events such as communication failure, power outages, and
equipment and software failure; and
▪ Malicious activity including network security attacks, fraud, and terrorism.
4.4 Determine if the risk assessment and BIA have been reviewed and approved by
senior management and the board.
4.5 Evaluate if the business impact analysis includes financial and non-financial
impact indicators, including revenue loss, unusual expenses, customer impact,
operational impact, and compliance with laws, regulations, contracts and other
legal obligations.
48. Self Assessment Guide (Continued)
Step 5. Determine if appropriate risk management over the business continuity process is in place.
Review Steps Observations
5.1 Determine if adequate risk mitigation strategies have been considered for:
▪ Alternate locations and service provisioning capacity for:
▪ Data centers and computer operations
▪ Work locations for business functions
▪ Telecommunications
▪ Backup of:
- Data
- Operating systems
- Applications
- Utility programs
- Telecommunications and networking components
▪ Offsite storage of:
- Backup media
- Supplies
- Documentation of disaster recovery plans, standard operating procedures,
and other information deemed critical for business resumptions
▪ Alternate power supplies, including uninterruptible power supplies (UPS)
and backup generators in the data center
5.2 Determine if consideration has been given to geographic diversity for:
▪ Alternate processing locations
▪ Alternate locations for business processes and functions
49. Self Assessment Guide (Continued)
Review Steps Observations
▪ Off-site storage
5.3 Determine if appropriate policies, standards, and processes address business
continuity planning issues, including:
▪ Systems development lifecycle
▪ Change control process
▪ Data synchronization, back up, and recovery
▪ Employee training and awareness
▪ Insurance
▪ Customer relations, public relations and crisis communications
5.4 Evaluate if the business continuity strategy includes alternatives for
interdependent components and stakeholders, including:
▪ Utilities
▪ Telecommunications
▪ Third-party technology providers
▪ Key suppliers/business partners
▪ Customers/members
5.5 Determine if processes exist to ensure that BCPs remain accurate and current,
and that:
▪ Designated personnel are responsible for maintaining changes in processes,
personnel, and environment(s).
▪ Senior management reviews and approves the plan(s) annually and after
significant changes and updates.
▪ There is notification and distribution of revised plans to personnel and
50. Self Assessment Guide (Continued)
Review Steps Observations
recovery locations.
5.6 Evaluate the existence and adequacy of employee training and awareness
capabilities to:
▪ Familiarize employees with BCPs
▪ Provide key personnel with knowledge of their roles and responsibilities
▪ Monitor the effectiveness of employee knowledge, either as part of periodic
tests of BCPs or through other mechanisms
5.7 Determine if policies and controls exist, which ensure:
• Workstation, server and network device images are documented and
maintained as part of a configuration management library.
• Separate development, testing and production environments are
maintained.
• System, integration and user-acceptance testing is performed for all
production environment configuration changes prior to their release.
• Operational responsibility for production environment configuration items in
the IT environment is assigned and documented.
• Back-out plans are established for configuration changes, unless an
exception is authorized by an appropriate senior manager.
• Unplanned downtime is coordinated to minimize disruption of business
services.
51. Self Assessment Guide (Continued)
Step 6. Determine whether disaster recovery and business continuity plans undergo periodic testing and exercises to
evaluate if the organization can recover from a disaster as planned.
Review Steps Observations
6.1 Determine if the BCP is tested at least annually.
6.2 Verify that all critical departments and business functions are included in BCP
tests and exercises.
6.3 Determine if BCP tests and exercises address the following:
• Setting goals and objectives in advance
• Realistic conditions and activity volumes
• Use of actual back-up system and data files while maintaining off-site
back-up copies for use in case of an event concurrent with the testing
• A post-test analysis report and review process that includes a comparison
of test results to the original goals
• Development of a corrective action plan(s) for all problems encountered
• Reviews by senior management and the board of directors
6.4 Verify the involvement of critical external service providers in testing of disaster
recovery and business continuity plans.
6.5 Evaluate if testing of disaster recovery plans for IT includes:
• Testing the operating systems, utilities and network connectivity
• Testing of transaction processing by all critical applications
• Testing data transfer between applications
• Testing customer access to critical applications
• Testing processing of interfaces to third parties or substitute workarounds
52. Self Assessment Guide (Continued)
Review Steps Observations
• Testing the environment and workload
6.6 Evaluate whether BCP tests and exercises rotate involvement of personnel from
technology areas and business functions
6.7 Evaluate if senior management has evaluated and/or approved testing and
exercising BCPs in collaboration with:
▪ External service providers
▪ Customers
▪ Affiliates and alliance partners
▪ Other business process stakeholders
6.8 Determine if BCP tests and exercises address crisis communications by:
• Reviewing the adequacy of customer contact procedures
• Verifying the accuracy of customer records
• Simulating customer contact in a crisis to assess the effectiveness of crisis
communications plans
6.9 Evaluate lessons learned follow-ups to BCP tests and exercises to determine if:
• Post mortem analysis and lessons learned review are defined milestones
• A standard process is employed to identify, capture and track lessons
learned
• Participant feedback is solicited through post-test meetings, focus groups,
surveys or other methods
• A lessons learned report is sent to senior management and other
stakeholders
53. Self Assessment Guide (Continued)
Step 7. Evaluate if data backup and recovery and vital records protection procedures are adequate to ensure the operating
effectiveness of disaster recovery plans.
Review Steps Observations
7.1 Determine if backup and recovery procedures are in place to ensure nightly
backup of critical application and business data
7.2 Evaluate if the frequency and scope of backups are adequate to ensure:
▪ The loss of any data caused by a system failure or outage does not surpass
tolerance for unplanned data loss
▪ Application, database and system data backups conform to internal or
vendor technical specifications
▪ Backup logs are reviewed for incomplete backups.
▪ Recoverability of data from tape backups is tested monthly or more often.
▪ Off-site tape inventory audits are conducted quarterly or more often.
▪ At a minimum, daily incremental backups are taken, and there is an
adequate inventory of tapes available for offsite rotation.
▪ At a minimum, full weekly backups are taken and there is an adequate
inventory of tapes available for offsite rotation.
▪ Desktop workstations are configured to require end users to save data to a
file server or periodically back up local hard drives.
▪ End users with portable computers have procedures to follow for backing
up locally stored computer data onto a central file server.
7.3 Determine if procedures for protecting vital records in paper format are
documented and address all critical record types.
54. Self Assessment Guide (Continued)
Step 8. Determine whether disaster recovery and business continuity plans address critical outsourced activities.
Review Steps Observations
8.1 Determine if BCPs address communications and connectivity with key business
partners and external service providers in the event of a disruption affecting the
organization or one of these third parties
8.2 Determine if there are documented procedures in place for accessing,
downloading, and uploading information with business partners and external
service providers, from primary and recovery locations, in the event of a
disruption
8.3 Determine if the organization has documentation describing disaster recovery
plans for its key business partners and external service providers and
incorporates this information, as appropriate, into its BCPs
8.4 Evaluate if the organization monitors its external service providers’ disaster
recovery and business continuity plans by requiring a SAS 70 report
Step 9. Evaluate environmental controls and physical security in the organization’s data center.
Review Steps Observations
9.1 Tour data center facilities and interview personnel to evaluate physical security and
determine if:
▪ Security patrols of computing areas are periodically conducted.
▪ Doors to critical areas are kept locked at all times.
▪ There is a corporate security officer.
55. Self Assessment Guide (Continued)
▪ Access pathways to computer facilities are subject to video surveillance.
▪ Access to data center and IT workspace is controlled by electronic keycards.
▪ Access to offsite storage is limited to authorized personnel.
▪ All visitors are required to sign in and out of the data center by authorized
personnel.
▪ Visitors are escorted at all times in the data center.
▪ Physical security logs are reviewed by an authorized security officer at least
quarterly.
9.2 Verify documentation of the organization’s UPS capabilities specifies that:
▪ UPS or backup power sources are tested quarterly or more often.
▪ Emergency lighting exists in data center and surrounding office areas.
▪ Emergency lighting is tested quarterly or more often.
▪ Emergency shutdown procedures are documented for computer equipment
in the event of a power
9.3 Tour the data center and verify that environmental controls and procedures
ensure that:
▪ Data center has 7x24 air temperature, humidity and air quality control.
▪ Heat and humidity recorder is available.
▪ Data center has backup system in place to provide for critical environmental
controls in the event of primary system failure.
▪ Shutdown alarms are installed.
▪ Shutdown alarms are tested at least quarterly.
▪ Emergency procedures are in place for IT personnel to contact facilities in
the event of a shutdown.
▪ Environmental control shutdown procedures are documented and available
to authorized personnel.
56. Self Assessment Guide (Continued)
Step 10. Discuss, finalize and communicate observations from the review.
Review Steps Observations
10.1 After completing fieldwork, prepare workpapers to conform to the organization’s
internal audit documentation standards
10.2 Document a preliminary list of any exceptions, present the preliminary list to
the Internal Audit Department for its review and comment, and update the
list, as appropriate
10.3 Follow up with the appropriate manager(s) about any exceptions to:
▪ Bring the exception to their attention
▪ Verify the exception or identify clarifying information and facts
▪ Obtain management agreement with the exception or provide an opportunity
for follow up
10.4 After reviewing any preliminary exceptions with the appropriate manager(s),
finalize the list of exceptions and develop reportable observations
10.5 Working with the Internal Audit Department, develop a preliminary set of
reportable observations and recommendations, which will be reviewed with
management, edited and finalized for inclusion in an internal audit report
10.6 After finalizing reportable observations and recommendations, prepare a draft
report for review by the Internal Audit Department and finalize the report to
incorporate feedback and comments
10.7 Communicate final observations and recommendations to management
through a meeting to close out the review