The information contained in this document belongs to Value Team S.p.A and to the recipient of the document. The
information is strictly linked to the oral comments which were made at its presentation, and may only be used by
attendees of that presentation. Unauthorized copying, disclosure or distribution of the material in this document is
strictly forbidden and may be unlawful.
CONFIDENTIAL
For the conditions of use of this document please refer to the front page
Business Continuity Strategy
Milan, April 2009
Business Continuity Management: General Approach and Benchmarking
Scope of the document
• The scope of the document is to provide our customer with some high-level benchmarking information and leading practice about Business Continuity Management.
• The report provides a comparison of the Business Continuity Strategy Stage; its purpose is to provide a brief overview of current practices, to leverage past experience in future engagements.
• It provides some quantitative information on key areas (e.g. RTO) as well as qualitative information about strategies and approaches decided at corporate level.
• This report is not intended to substitute for any assessment and cannot be considered a specific guideline: each corporation has its own business characteristics and regulatory systems, which should be considered.
Contents of this presentation
• BCM: Focus of this document
• BCM: Benchmarking
• Annex
Business Continuity Management Definition and Scope
Risk prioritization (Business Impacts against Likelihood, each from Low to High)
• Catastrophic Event: Sudden and total interruption of one or more business processes, with massive impact, but very low frequency
• Critical Event - High Impacts: Event with high impact and high frequency causing high level of damage
• Critical Event - Low Impacts: Event with impact sufficient to interrupt an effective process and with high frequency.
• Not Significant Event: Event with impact and likelihood inadequate to cause an effective damage
Focus of BCM
• Definition: “Business continuity management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities”
• Scope: The scope of business continuity is on critical and catastrophic events with high impacts: typically BCM effort is focused on low and medium likelihood. According to this kind of prioritization, the high business impacts derive from a disruption in the corporate core processes: in the Banking industry, Financial trading, Payment Mgt, …; in the TLC industry, Operations, CRM, Sales and Billing, ….
Focus of IM
• Definition: Incident Management is the process of identifying, prioritizing and resolving issues in order to reduce the number, duration, and severity of business disruptions
• Scope: The focus of Incident Management is on recurrent events (medium and high likelihood) in order to prevent them from becoming larger issues.
Based on benchmarking we pointed out some areas of BCM
Case
• Case 1: Wireline TLC operator
• Case 2: Mobile TLC Operator
• Case 3: Wireline TLC operator
• Case 4: Direct Insurance Company
• Case 5: Leading Banking Institution
• Case 6: Media service company
Area
1 BCM Guidelines
• Regulatory
• Main Guidelines
– International Standard & good Practices
– Corporate Guidelines
2 Understanding the Business
• BIA Methodology definition
• Product/services definition and evaluation
• Sales Channels Evaluation
• Technology mapping
3 Define BC Requirement
• RTO
• RPO
• MTPD
[Figure: BCM lifecycle with stages numbered 1 to 6 (Understanding the Business; BCM Guidelines; Define BC Requirement; Develop a BCM Response; Develop a BCM Culture; Exercise, Maintenance and Audit) and BCM Programme Management]
Benchmark: BCM Guidelines
Table columns: Cases (Case 1 to Case 6); Regulatory Environment (legend: High Level / Low Level); Regulatory Compliance; Main Guidelines; Notes
Regulatory Compliance
• TLC Authority
• SOX 404
• SOX 404
• SOX 404
• SOX 404
• Authority guidelines
• Banking institution regulations, SOX 404, Basel II
Main Guidelines
• BC Strategy Managed at group level
• Guidelines at group level
• BC Managed at enterprise level, no group strategy
• BC Strategy Managed at group level
• BC Strategy Managed at group level
• BC Strategy Managed at group level
Notes
– A dedicated Corporate Structure defines methodology, deploys the first on-field analysis for each business unit and monitors action plan implementations
– Each business unit, with its own reference, is responsible for implementing and maintaining BC solutions
– Specific methodology assumptions were added to Group methodology according to the operational environment: cluster by regional scale, Service Level traditionally provided lower than in European countries, high increase of new customer acquisition rate, …
– A dedicated Corporate Structure defines methodology and verifies its application
– Each Country implements analysis and BC solutions, reporting to the holding about the perimeter covered
– Specific methodology assumptions were added to Group methodology according to the characteristics of business
– Business continuity solutions are considered a pre-requisite for operating media services in critical scenarios (war zones, natural disaster zones, etc.)
– Strong regulations about BC in Finance Sector
– Guideline developed at group level by dedicated Division within the Security of the main legal entity but with operative execution done at single enterprise level
Benchmark: Understanding the business
Understanding the Organization
Table columns: Cases (Case 1 to Case 6); BIA method.; P/S* definition; P/S* evaluation; Channels Analysis (legend: Performed / Not Performed); Technology Mapping (Core Network; ICT services / application)
* Product and Services
Table entries:
• Provided by Marketing Unit
• Provided by Marketing Unit
• Provided by Organizational Unit
• Defined at group level
• Simplified cost accounting reporting
• Complex evaluation based on scoring model and financial data
• Internally developed
• Internally developed
• Internally developed
• Internally developed
• Banking association methodology revised at group level
• Simplified BS25999
• N/A
• Provided by operations and aligned with reporting
• Not used
• Detailed cost accounting reporting by P/S
• Detailed cost accounting reporting by P/S
• Detailed cost accounting reporting by P/S
• Detailed cost accounting reporting by P/S
• N/A
• N/A
• Selective approach focusing on key network element (BSC, MSC, …)
• Detailed mapping for each application / ICT service and related infrastructure
• Detailed mapping for each application / ICT service and related infrastructure
• Focused on network elements with only one redundancy level
• Focused on network elements with only one redundancy level
• Identification of infrastructures hosting the application involved on critical processes and supporting equipments
• Focused on network elements with only one redundancy level
• Identification of infrastructures hosting the application involved on critical processes and supporting equipments
Benchmarking: Business Continuity Requirement
Table columns: Processes; Requirement; Case 1; Case 2; Case 3; Case 4; Case 5; Case 6
Table rows: Overall Aim (RTO, RPO, MTPD); Vital Processes (RTO, RPO, MTPD)
Table entries:
• From 4 Hours to 1 week
• From 2 Days to 8 Weeks
• Few minutes
• -
• From 5 Days Up to 12 weeks
• From 4 Hours to 2 Days
• 2 Days - 5 Days
• Few minutes
• Few minutes
• Few minutes
• Not defined by BCM analysis
• Not defined by BCM analysis
• Not defined by BCM analysis, instead economic impact over time used
• From few minutes* to 30 Days
• From 1 Day to 60 Days
• From few minutes to 3 Days
• 1 Day
• Not defined by BCM analysis
• Not defined by BCM analysis
• -
• Not defined by BCM analysis
• From 1 day to 30 Days
• From 1 day to 3 Days
• Not defined by BCM analysis
• -
• Up to 5 days
• Up to 2 days
• -
• Up to 2 days
• Few minutes
• Not defined by BCM analysis, instead economic impact over time used
• Not defined by BCM analysis, instead economic impact over time used
• Not defined by BCM analysis, instead economic impact over time used
* For TLC critical infrastructures only
Annexes
References
Term • Definition
BIA • Process of analysing business functions and the effect that a business disruption might have upon them
Critical Processes • Those processes which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives
Event • Situation that might be, or could lead to, a business disruption, loss, emergency or crisis
Likelihood • Chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, almost certain), frequencies or mathematical probabilities
MTPD • Duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed
Risk Assessment • Process of identifying the risks & probabilities to an organization
• Review of potential risks to the business processes
• Review of Technical Infrastructure and data dependencies
Resilience • Ability of an organization to resist being affected by an accident
RPO • Amount of data loss that can be tolerated by a business. The RPO specifies the maximum amount of time at the primary site for which work can be lost.
RTO • Target time set for resumption of product, service or activity delivery after an incident
Metrics
[Figure: BCM main metrics. Timeline milestones: Last backup or data replication; Disaster event; Systems recovered; Business process meeting SLAs; Business continuity protection restored. Intervals: RPO; RTO; Work Recovery; Restoration Time; MTPD. Activity labels: Lost transactions; Work backlog, Workaround procedures; Recover lost transactions, Accomplish backlogged work; Rebuild business continuity systems.]

Business Continuity Strategy Benchmarking April 8th, 2009
