This document provides an overview of business continuity management (BCM). It discusses the objectives and composition of the Technical Committee on BCM in Malaysia, which develops BCM standards. The goals of the committee are outlined. BCM is defined and its importance explained from the perspectives of corporate governance, regulations, and business requirements. Key differences between BCM and disaster recovery planning are highlighted. The document provides guidance on establishing a BCM program, including identifying roles and selecting team members. An 8-module methodology for developing a BCM plan is also presented.
2. 10/6/2020
OBJECTIVE
To provide a basic appreciation of the importance of Business Continuity Management in the Public Sector.
To provide an overview of implementing BCM in a government organisation.
4. TC-BCM
The Technical Committee (TC) on Business Continuity Management (BCM) was formed to develop business continuity management standards for local consumption.
We also review Business Continuity related standards on behalf of the Department of Standards Malaysia.
TC-BCM reports to Industrial Standards Committee “O” (ISC-O), which looks at Society Risk.
SIRIM is appointed by the Department of Standards Malaysia to develop Malaysian Standards.
5. Composition
1. Prabha Ramanathan – Chairman (BKI)
2. Roslina Harun – Secretary (SIRIM)
3. Wan Asriah Wan Adnan (Bursa Malaysia)
4. Sue Wing Hoong (CSC)
5. Johnny Choo Chin Chai (Alliance Bank)
6. Ros Aziah Mohd Ismail (IP-Secure)
7. Zahri Yunos (CyberSecurity Malaysia)
7. Goals of TC-BCM
BCM Framework – an overview of the processes that must be followed when developing BC Plans (completed: MS 1970)
BCM Guidelines – a guide on how to implement business continuity plans
BCM Checklist – a self-assessment checklist to gauge the level of preparedness / readiness
8. Objective of BCM Standards
BCM is something that should be practised by all organizations in all industries, irrespective of their size.
Hence the need for an acceptable minimum level of practice, i.e. a standard.
The standards developed by TC-BCM are this minimum level of practice for all sectors, private and public.
9. Use of Standards
[Chart: TC-BCM standards applied across sectors – Banking, Health, Government, Insurance, Telecommunication, Manufacturing; vertical axis: Number of Controls]
12. The history of business continuity
Disaster Recovery Planning: Alternative Planning / Plan B; Fallback Plans, Contingency Plans; IT or Technical Contingency Plans
Business Continuity Planning: Organization-wide Contingency Plans
Business Continuity Management: Holistic Contingency Plans
13. What is Business Continuity Management?
Phases: Monitor & Response → Recover & Resume → Rectify & Restore → Migrate & Normalize
A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
Source: Business Continuity Institute (UK)
Disaster Management Phases (Execution)
Timeline: Pre-Incident → Incident → Post-Incident
Phase – Actions:
Prevention – Risk Management
Response – Emergency Response, Crisis Management, Public Relations
Continuity of Service (Recovery & Resumption) – Business Resumption Plans, Disaster Recovery Plan
Restoration – Damage Restoration, includes installation & commissioning
Normalization – Migration, Restart of all business functions, Stand Down
14. BCM Framework
A structure that will design, develop, implement and maintain infrastructures, resources, processes, policies and strategies to respond, recover, resume, restore and normalize the mission critical operations of an organization in an effective manner.
16. Why is BCP Needed?
Good Corporate Governance
Safeguarding assets and liabilities, stakeholder interests
Business Requirements (Local / International) – BNM, SC, SOX, Basel, ISO17799
Requirement by Business Partner and/or Customer
17. Why do we need BC Standards?
[Diagram: Your Organization at the centre, surrounded by Suppliers, Regulators, Vendors, Consumers / Customers and Business Partners]
Infrastructure Dependence (power, voice, data, logistics, food)
System Up Time (computing, data, networks, etc.)
Legal & Fiduciary Duties
Environment
18. Corporate Governance
Malaysian Code of Corporate Governance – it is a requirement by the Securities Commission that all listed companies in Malaysia comply with the Malaysian Code of Corporate Governance.
– Part of the Principal Responsibilities of the BOD are:
Identify principal risks and ensure the implementation of appropriate systems to manage these risks.
Reviewing the adequacy and the integrity of the company’s internal control systems and management information systems, including systems for compliance with applicable laws, regulations, rules, directives and guidelines.
Succession Planning of Senior Management
19. Post-9/11 Surge in Regulations and Standards
Pre 9-11 (1991 - 2001):
Consumer Credit Protection Act
OMB Circular A-130
FEMA Guidance Document
Paperwork Reduction Act
FFIEC BCP Handbook
Computer Security Act
12 CFR Part 18
Presidential Decision Directive 67
FDA Guidance on Computerized Systems used in Clinical Trials
ANSI/NFPA Standard 1600
Turnbull Report (UK)
ANAO Best Practice Guide (Australia)
SEC Rule 17a-4
Post 9-11 (2002 - 2004):
Sarbanes-Oxley Act of 2002
HIPAA, Final Security Rule
FFIEC BCP Handbook
Fair Credit Reporting Act
NASD Rule 3510
NERC Security Guidelines
FERC Security Standards
NAIC Standard on BCP
NIST Contingency Planning Guide
FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
NYSE Rule 446
California SB 1386
Australia Standards BCM Handbook
GAO Potential Terrorist Attacks Guideline
Federal and Legislative BC Requirements for IRS
Basel Capital Accord
MAS Proposed BCP Guidelines (Singapore)
NFA Compliance Rule 2-38
FSA Handbook (UK)
BCI Standard, PAS 56 (UK)
Civil Contingencies Bill (UK)
Source: Marsh (c) 2004, Fred.klapetzky@marsh.com
20. Business Requirements
It is foreseeable that in the near future, the resiliency or continuity capability of an organisation will be a yardstick in doing business.
We have seen with the implementation of the Sarbanes-Oxley Act in the US that many local players who are suppliers or business partners were required to show BC plans.
21. What BCM standards are available?
BS 25999-1 : Business Continuity Management – Code of Practice (British Standard Institute, UK)
BS 25999-2 : Business Continuity Management – Specification (British Standard Institute)
HB 221:2005 : Handbook on Business Continuity Management (Australian Standards, Australia)
NFPA 1600 : Standard on Disaster / Emergency and Business Continuity Management Program (National Fire Protection Association, USA)
TR 19 : Technical Reference for Business Continuity Management (SPRING, Singapore)
MS 1970 : Business Continuity Management Framework (Department of Standards, Malaysia)
22. Malaysian Examples
Major stock trading organisation
Major airport - early 90s
Shoe manufacturing company
Flooding of building basement in KL
Finance company software leading to malfunctioning of ATMs
Flooding of electricity substation
National Power Grid failure
Fire at bank branch on the 1st day of business at the branch's new premises. Substantial damage at upper floor, ground floor also damaged. Was able to resume business on the same day at the previous premises located nearby.
Power outage for 3 days at a Bank’s Head Office. IT systems ran on gen set; power was gradually restored by floors. Impact: no A/C, significant loss of productivity.
The automatic teller machine network of a large local bank was disrupted for 13 hours nationwide.
Lightning destroyed the main power circuit board of a factory, causing an 8-hour shutdown of its plant and losses in excess of RM5 million.
Data Center of a manufacturing company was flooded, damaging their key servers.
25. Definition - BCP
BUSINESS CONTINUITY PLANNING (BCP): Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.
SIMILAR TERMS: Contingency Planning, Disaster Recovery Planning.
26. Definition - DRP
DISASTER RECOVERY PLANNING (DRP): The technological aspect of business continuity planning.
– The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.
SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness.
Source: DRII
31. Brief Roles & Responsibilities
Crisis Management Director – Authority who has the veto power.
Crisis Management Committee – A group of senior management personnel who will manage the situation from start to finish and provide the necessary management support to the working teams.
Incident Response Director – Person who is responsible for managing the situation at ground zero, stabilizing the situation and working with local authorities. Reports back to the CMC on a regular basis.
Business Continuity Director – Person who is responsible for recovering and resuming critical business operations at the alternate facilities.
Damage Restoration Director – Person who is responsible for preparing a permanent working environment for business to return to normal.
Public Relations & Communication Director – Person who is responsible for all communication to stakeholders and the public during a time of emergency, crisis or disaster.
Safety and Welfare Director – Person who is responsible for ensuring the safety and welfare of the staff until operations are back to normal.
32. BCM Team Structure
[Organisation chart: BCM Director, supported by the BCM Coordinator, over four teams – Technical Recovery Team, Support Recovery Team, Customer Centric Recovery Team, Back Office Recovery Team]
33. Brief Roles & Responsibilities
Business Continuity Director – Person who is responsible for recovering and resuming critical business operations at the alternate facilities.
Technical Recovery Team – One or more teams responsible for preparing and maintaining the technology used at the recovery site.
Support Recovery Team – One or more teams responsible for supporting the recovery process, such as administration, logistics, finance, etc.
Customer Centric Recovery Team – One or more teams responsible for recovering and resuming critical functions which deal directly with customers, e.g. front counters, call center, etc.
Back Office Recovery Team – One or more teams responsible for recovering and resuming functions that support the critical functions, e.g. application processing, etc.
34. Selection Guidelines
Members of the BCM recovery team should be on a voluntary basis.
Members of the BCM recovery team must be experienced and knowledgeable in operations matters.
Elderly or sickly people (hypertension, weak heart, high blood pressure, obese, etc.) should not be selected as team members.
36. Note
The process of developing the plans, either Business Continuity Plans or Disaster Recovery Plans, is the same. The difference is only in the scope of work and area to be covered.
A disaster recovery plan must provide for the ‘End Users’ needs.
38. Module 1 - Initiate the Project
It is crucial that a BC Project is started in a proper manner to ensure that it is completed in a timely and effective manner.
This stage involves study, discussions and analysis leading to the deliverable – The Project Charter.
In addition, there will be:
– Awareness sessions
– Kickoff meeting
39. Module 2 : Risk Assessment
The purpose of this module is to identify the operational vulnerabilities of an organisation.
The outcome of this module is a Risk Assessment report which provides a priority listing of vulnerabilities and a set of recommendations to prevent / mitigate them.
40. Module 3 : Business Impact Analysis
BIA determines impact (financial & non-financial) in the event business is disrupted for a significant period of time. (The BIA process is somewhat independent from the Risk Assessment process.)
The Business Impact Analysis deliverable includes a listing of critical business functions and their
– Recovery Time Objectives,
– Recovery Point Objectives
– Minimum operating resources
– Internal and External Dependencies
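The BIA deliverable described above is, in practice, a register: one row per critical function with its RTO, RPO, minimum operating resources and dependencies. The following is an added example, written for this page and not code from the presentation or from TC-BCM, showing three things a planner does with such a register: check it for consistency (a function's RTO cannot be shorter than the RTO of an internal dependency it relies on, and every internal dependency must itself be in the register), derive a recovery sequence that respects dependencies and then orders by RTO, and roll up the minimum resources that must be available within a given recovery window. The sample bank register, its function names, resource figures and the field names of the data class are all constructed for illustration.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter  # standard library, Python 3.9+


@dataclass
class CriticalFunction:
    """One row of the BIA register (field names are this example's own)."""
    name: str
    rto_hours: float                  # Recovery Time Objective
    rpo_hours: float                  # Recovery Point Objective (tolerable data loss window)
    min_resources: dict               # minimum operating resources, e.g. {"staff": 6}
    internal_deps: list = field(default_factory=list)   # other functions in the register
    external_deps: list = field(default_factory=list)   # suppliers, utilities, telco, etc.


# Constructed sample register for a bank; values are illustrative, not from any real organisation.
SAMPLE_REGISTER = [
    CriticalFunction("Data centre power", 2, 0, {"staff": 2},
                     [], ["Utility power", "Generator fuel supplier"]),
    CriticalFunction("Core banking system", 4, 0.25, {"staff": 6, "servers": 4},
                     ["Data centre power"], ["Telco data link"]),
    CriticalFunction("ATM network", 2, 0.25, {"staff": 3},
                     ["Core banking system"], ["ATM switch provider"]),
    CriticalFunction("Front counters", 8, 1, {"staff": 20, "workstations": 20},
                     ["Core banking system"], []),
    CriticalFunction("Loan application processing", 24, 4, {"staff": 10, "workstations": 10},
                     ["Core banking system", "Front counters"], ["Credit bureau"]),
]


def check_register(register):
    """Return consistency findings; an empty list means the register is consistent.

    A function cannot be recovered before something it depends on, so its RTO
    must not be shorter than the RTO of any internal dependency. Dependencies
    missing from the register are reported too, since they would leave a gap
    in the recovery plan.
    """
    by_name = {f.name: f for f in register}
    findings = []
    for f in register:
        for dep_name in f.internal_deps:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{f.name}: depends on '{dep_name}', which is not in the register")
            elif dep.rto_hours > f.rto_hours:
                findings.append(
                    f"{f.name}: RTO {f.rto_hours}h cannot be met because it depends on "
                    f"{dep.name} with RTO {dep.rto_hours}h"
                )
    return findings


def recovery_sequence(register):
    """Order functions so each is recovered after its internal dependencies.

    Functions that become recoverable at the same stage are ordered by RTO
    (most urgent first). A circular dependency raises graphlib.CycleError.
    """
    by_name = {f.name: f for f in register}
    sorter = TopologicalSorter({f.name: set(f.internal_deps) for f in register})
    sorter.prepare()
    order = []
    while sorter.is_active():
        batch = sorter.get_ready()                      # everything whose deps are done
        known = [n for n in batch if n in by_name]      # ignore names not in the register
        known.sort(key=lambda n: by_name[n].rto_hours)
        order.extend(known)
        sorter.done(*batch)
    return order


def resources_needed_within(register, hours):
    """Sum the minimum operating resources of every function whose RTO is within `hours`.

    This is the demand the alternate facility must be able to meet by that
    point in the recovery.
    """
    totals = {}
    for f in register:
        if f.rto_hours <= hours:
            for resource, qty in f.min_resources.items():
                totals[resource] = totals.get(resource, 0) + qty
    return totals


if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print("FINDING:", finding)
    print("Recovery sequence:", " -> ".join(recovery_sequence(SAMPLE_REGISTER)))
    print("Resources needed within 8h:", resources_needed_within(SAMPLE_REGISTER, 8))
```

Run against the sample register, the check flags the ATM network, whose 2-hour RTO is unachievable while it depends on a core banking system with a 4-hour RTO; the planner's response is either to shorten the core system's RTO or to accept a longer ATM RTO, and the BIA report should record which. The resource roll-up for the 8-hour window is the figure that Module 5 (alternate facility) has to be sized against.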
41. Module 4: Develop BC Strategies
This module provides the BC planners with a high-level specification of the plans.
In this module, high level BC Policies and Procedures are documented.
This module gets its input from the previous BIA process.
42. Module 5 : Establish Alternate Facility
In the event the primary business premises are destroyed or severely damaged, critical business functions need to operate at an alternate facility.
This facility may be completely or partially set up with furniture, fittings and equipment.
This facility may be owned or rented from a commercial entity.
43. Module 6 : Plan Development
Using the information from Modules 4 & 5, action steps which describe “what needs to be done”, “when to do it” and “how to do it” are documented.
Each team within the business continuity structure will have a recovery plan.
44. Module 7: Education & Training
In this module, the respective players in the organisation’s business continuity plan will be given the appropriate education on the principles of business continuity planning as well as training in the use of the recovery plans developed in the previous module.
45. Module 8: Scenario Testing
Testing is a mechanism used to verify the completeness of the recovery plan.
It also provides an avenue for team members and management to practice their recovery activities.
The goals and complexity of testing should increase over time.
46. Module 9 : Plan Maintenance
The business continuity plan is a ‘LIVING DOCUMENT’.
Keeping it “current” is a major task which takes effort and support from senior management.
It is necessary to implement a Maintenance Program.
47. Take Away Points
BCM is a process and not a project.
The initial development of a BC Plan is a tedious and time consuming activity. It needs to be given adequate attention to be successful (i.e. workable).
Like Risk Management, the responsibility for BCM rests on everyone’s shoulders and not just the BCM Manager’s.
BIA is an important process within BCM and must be conducted on a regular basis.
48. Take Away Points (cont’d)
Top Management support and participation is required.
An annual budget should be allocated for the running & maintenance of the BCM program.
Testing must be religiously conducted in a manner that encourages improvement and preparedness.
A maintenance program must be implemented to ensure adequacy and completeness of the BCM elements.