This document provides an overview of business continuity management (BCM). It discusses the objectives and composition of the Technical Committee on BCM in Malaysia, which develops BCM standards. The goals of the committee are outlined. BCM is defined and its importance explained from the perspectives of corporate governance, regulations, and business requirements. Key differences between BCM and disaster recovery planning are highlighted. The document provides guidance on establishing a BCM program, including identifying roles and selecting team members. An 8-module methodology for developing a BCM plan is also presented.

1. 10/6/2020
Business Continuity
Management
Awareness Presentation for
MAMPU
By Prabha Ramanathan
AUGUST 21st 2007

2. 10/6/2020
OBJECTIVE
 To provide a basic appreciation on the
importance of Business Continuity
Management in the Public Sector.
 To provide an overview on implementing
BCM in a government organisation.

3. 10/6/2020
BACKGROUND
INFORMATION
Technical Committee on Business
Continuity Management
TC - BCM

4. 10/6/2020
TC - BCM
The Technical Committee (TC) on Business Continuity
Management (BCM) was formed to develop business
continuity management standards for local consumption.
We also review Business Continuity related standards on
behalf of Department of Standards Malaysia
TC – BCM reports to Industrial Standards Committee “O”
( ISC-O) which looks at Society Risk
SIRIM is appointed by Department of Standards Malaysia
to develop Malaysian Standards.

5. 10/6/2020
Composition
1. Prabha Ramanathan – Chairman (BKI)
2. Roslina Harun – Secretary (SIRIM)
3. Wan Asriah Wan Adnan ( Bursa
Malaysia)
4. Sue Wing Hoong (CSC)
5. Johnny Choo Chin Chai (Alliance Bank)
6. Ros Aziah Mohd Ismail (IP-Secure)
7. Zahri Yunos (CyberSecurity Malaysia)

6. 10/6/2020
Composition
7. Sophia Hashim ( MAMPU)
8. Maslina Daud ( CyberSecurity Malaysia)
9. Bahyah Bakri (Bursa Malaysia)
10. Mohd Daud Dahar ( Bank Negara)
11. Aliza Nayan ( Securities Commission)
12. Stan Singh Jit ( PIKOM )
13. Shreedhar ( ASTRO )

7. 10/6/2020
Goals of TC- BCM
 BCM Framework – an overview of the
processes that must be followed when
developing BC Plans (completed MS 1970)
 BCM Guidelines – a guide on how to
implement business continuity plans
 BCM Checklist – a self assessment
checklist to gauge the level of
preparedness / readiness

8. 10/6/2020
Objective of BCM Standards
 BCM is something that should be practice
by all organizations in all industries
immaterial of their size.
 Hence the need for an acceptable
minimum level of practice i.e. a standard.
 The standards developed by TC-BCM is
this minimum level of practice for all
sectors, private and public

9. 10/6/2020
Use of Standards
TC – BCM STAN DARDS
Banking
Health
Government
Insurance
Telecommunication
Manufacturing
Number
of Controls

10. 10/6/2020
The Malaysian BCM Standard

11. 10/6/2020
BUSINESS CONTINUITY
MANAGEMENT
WHAT IS IT?

12. 10/6/2020
The history of business
continuity
Disaster
Recovery
Planning
Business
Continuity
Planning
Business
Continuity
Management
Alternative
Planning /
Plan B
Fallback Plans ,
Contingency Plans
IT or Technical
Contingency Plans
Organization wide
Contingency Plans
Holistic
Contingency Plans

13. 10/6/2020
What is Business Continuity
Management?
Monitor
&
Response
Recover
&
Resume
Rectify
&
Restore
Migrate
&
Normalize
A holistic management process
that identifies potential impacts
that threaten an organisation
and provides a framework for
building resilience with the
capability for an effective
response that safeguards the
interests of its key stakeholders,
reputation, brand and value
creating activities
Source: Business Continuity
Institute (UK)
Disaster Management Phases (Execution)
Prevention Response
Continuityof
Service
(Recovery&
Resumption
Restoration Normalization
Risk
Management
Emergency
Response,
Crisis
Management,
Public Relations
Business
Resumption
Plans, Disaster
Recovery Plan
Damage
Restoration,
Includes
installation &
commissioning
Migration,
Restart of all
business
functions, Stand
Down
Pre- Incident Incident Post - Incident
PHASES
ACTIONS

14. 10/6/2020
BCM Framework
 a structure that will design, develop, implement
and maintain infrastructures, resources,
processes, policies and strategies to respond,
recover, resume, restore and normalize the
mission critical operations of an organization in
an effective manner.
BCM

15. 10/6/2020
Business Continuity
Management
Why do you need it?

16. 10/6/2020
Why is BCP Needed?
 Good Corporate Governance
 Safeguarding assets and liabilities, stakeholder
interests
 Business Requirements (Local / International) –
BNM, SC, SOX, Basel, ISO17799
 Requirement by Business Partner and/or
Customer

17. 10/6/2020
Why we need BC Standards?
Suppliers
Regulators
Vendors
Your
Organization
Consumer /
Customers
Business
Partners
Infrastructure Dependence (power, voice, data,
logistics, food)
System Up Time (computing, data,networks, etc.)
Legal&FiduciaryDuties
Environment

18. 10/6/2020
Corporate Governance
 Malaysian Code of Corporate Governance – it is a
requirement by Securities Commission that all listed
companies in Malaysia to comply with the Malaysian
Code of Corporate Governance
– Part of the Principle Responsibilities of the BOD are:-
 Identify principal risk and ensure the implementation of
appropriate systems to manage these risks.
 Reviewing the adequacy and the integrity of the company’s
internal control systems and management information
systems, including systems for compliance with applicable
laws, regulations, rules, directives and guidelines.
 Succession Planning of Senior Management

19. 10/6/2020
Post-9/11 Surge in Regulations and
Standards
Consumer Credit Protection Act
OMB Circular A-130
FEMA Guidance Document
Paperwork Reduction Act
FFIEC BCP Handbook
Computer Security Act
12 CFR Part 18
Presidential Decision Directive 67
FDA Guidance on Computerized Systems
used in Clinical Trials
ANSI/NFPA Standard 1600
Turnbull Report (UK)
ANAO Best Practice Guide (Australia)
SEC Rule 17 a-4
Source: Marsh (c) 2004
Sarbanes-Oxley Act of 2002
HIPAA, Final Security Rule
FFIEC BCP Handbook
Fair Credit Reporting Act
NASD Rule 3510
NERC Security Guidelines
FERC Security Standards
NAIC Standard on BCP
NIST Contingency Planning Guide
FRB-OCC-SEC Guidelines for
Strengthening the Resilience of US
Financial System
NYSE Rule 446
California SB 1386
Australia Standards BCM
Handbook
GAO Potential Terrorist Attacks
Guideline
Federal and Legislative BC
Requirements for IRS
Basel Capital Accord
MAS Proposed BCP Guidelines
(Singapore)
NFA Compliance Rule 2-38
FSA Handbook (UK)
BCI Standard, PAS 56 (UK)
Civil Contingencies Bill (UK)
Post 9-11
Pre 9-11
20
1991 - 2001 2002 - 2004
Source :
Fred.klapetzky@marsh.com

20. 10/6/2020
Business Requirements
 It is foreseeable that in the near future,
the resiliency or continuity capability of an
organisation will be a yardstick in doing
business.
 We have seen with the implementation of
Sarbanes Oxley Act in the US, many local
players who are supplies or business
partners were required to show BC plans

21. 10/6/2020
What BCM standards are
available?
 BS 25999 – 1 : Business Continuity Management – Code
of Practice ( British Standard Institute, UK)
 BS 25999 – 2 : Business Continuity Management –
Specification ( British Standard Institute)
 HB 221: 2005 : Handbook on Business Continuity
Management ( Australian Standards, Australia)
 NFPA 1600 : Standard on Disaster / Emergency and
Business Continuity Management Program (National Fire
Protection Association, USA)
 TR 19 : Technical Reference for Business Continuity
Management (SPRING, Singapore)
 MS 1970 : Business Continuity Management Framework
(Department of Standards, Malaysia)

22. 10/6/2020
Malaysian Examples
 Major stock trading organisation
 Major airport - early 90s
 Shoe manufacturing company
 Flooding of building basement in KL
 Finance company software leading
to malfunctioning of ATMs
 Flooding of electricity substation
 National Power Grid failure
 Fire at bank branch on the 1st day
of business at branch's new
premises. Substantial damage at
upper floor, ground floor also
damaged. Was able to resume
business on the same day at the
previous premise located nearby.
 Power outage for 3 days at Bank’s
Headoffice. IT systems ran on gen
set, power was gradually restored by
floors. Impact: no A/C, significant
loss of productivity.
 The automatic teller machine network
of a large local bank was disrupted
for 13 hours nationwide.
 Lightning destroyed the main power
circuit board of a factory cause a 8
hour shut down of its plant and losses
in excess of RM5 million.
 Data Center of a manufacturing
company was flooded damaging their
key servers

23. 10/6/2020
Business Continuity
Management
How is it different from Disaster
Recovery Planning

24. 10/6/2020
BCP - Composition
EmergencyManagement
CrisisManagement
ContingencyPlans
DisasterRecoveryPlans
BusinessResumptionPlans
Business Continuity Plans

25. 10/6/2020
Definition - BCP
 BUSINESS CONTINUITY PLANNING
(BCP): Process of developing advance
arrangements and procedures that enable
an organization to respond to an event in
such a manner that critical business
functions continue with planned levels of
interruption or essential change.
 SIMILAR TERMS: Contingency Planning, Disaster
Recovery Planning.

26. 10/6/2020
Definition - DRP
 DISASTER RECOVERY PLANNING
(DRP): The technological aspect of
business continuity planning.
– The advance planning and preparations that
are necessary to minimize loss and ensure
continuity of the critical business functions of
an organization in the event of disaster.
 SIMILAR TERMS: Contingency Planning; Business
Resumption Planning; Corporate Contingency Planning;
Business Interruption Planning; Disaster Preparedness.
DRII

27. 10/6/2020
DRP vs BCP
TIME
UTILIZATION
CRISIS DISASTER RESTORE
DISASTER
60%
100%
0%
75%

28. 10/6/2020
DRP vs BCP
REDUCTION RESPONSE RECOVERY RETURN
BCP
BRP
DRP
Major Plan Components
BCP = Business Continuity Planning
BRP = Business Resumption Planning
DRP = Disaster Recovery Planning

29. 10/6/2020
Business Continuity
Management
Who should be involved

30. 10/6/2020
Organisation Structure
Crisis Management
Director
Incident Response
Director
Business Continuity
Director
Damage
Restoration
Director
Public Relations &
Communication
Director
Safety & Welfare
Director
Crisis Management
Committee

31. 10/6/2020
Brief Roles & Responsibilities
Crisis Management Director Authority who has the veto power.
Crisis Management
Committee
A group of senior management personnel who will manage the
situation from start to finish and provide the necessary
management support to the working teams
Incident Response Director Person who is responsible to manage the situation at ground
zero, to stabilize the situation and work with local authorities.
Reports back to the CMC on a regular basis
Business Continuity Director Person who is responsible to recover and resume critical
business operations at the alternate facilities
Damage Restoration
Director
Person who is responsible to prepare a permanent working
environment for business to return to normal
Public Relations &
Communication Director
Person who is responsible for all communication to stakeholders
and public during a time of emergency, crisis or disaster
Safety and Welfare Director Person who is responsible to ensure the safety and welfare of
the staff until operations is back to normal.

32. 10/6/2020
BCM Team Structure
BCM Director
Technical Recovery
Team
Support Recovery
Team
Customer Centric
Recovery Team
BCM Coordinator
Back Office
Recovery Team

33. 10/6/2020
Brief Roles & Responsibilities
Business Continuity Director Person who is responsible to recover and resume critical
business operations at the alternate facilities
Technical Recovery Team This is one or more teams responsible for preparing and
maintaining the technology used at the recovery site
Support Recovery Team This is one or more teams responsible for supporting the
recovery process such as administration, logistics, finance, etc
Customer Centric Recovery
Team
This is one or more teams responsible for recovering and
resuming critical functions which are directly dealing with
customer. i.e. front counters, call center, etc
Back Office Recovery Team This is one or more teams responsible for recovering and
resuming functions that support the critical functions. i.e.
application processing, etc

34. 10/6/2020
Selection Guidelines
 Members of the BCM recovery team
should be on a voluntary basis
 Members of the BCM recovery team must
be experienced and knowledgeable in
operations matters
 Elderly or sickly people ( hypertension,
weak heart, high blood pressure, obese,
etc) should not be selected as team
members.

35. 10/6/2020
Business Continuity
Management
How do I start?

36. 10/6/2020
Note
 The process of developing the plans,
either Business Continuity Plans for
Disaster Recovery Plans, is the same.
 The difference is only in the scope of work
and area to be covered.
 A disaster recovery plan must provide for
the ‘End Users’ needs

37. 10/6/2020
1.
Project
Initiation
2.
Vulnerability
Study
3.
Business
Impact
Analysis
4.
Develop
BCP
Strategies
5.
Establish
Alternate
Facility
6.
Plan
Development
7.
Education and
Training
9.
Plan
Maintenance
Program
8.
Scenario
Testing
PROJECT MANAGEMENT & REPORTING
Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
BKI’S METHODOLOGY

38. 10/6/2020
Module 1 - Initiate the Project
 It is crucial that a BC Project is started in a
proper manner to ensure that it is completed in
a timely and effective manner
 This stage involves study, discussions, analysis
leading to the deliverable – The Project Charter
 In addition, there will be:
– Awareness sessions
– Kickoff meeting

39. 10/6/2020
Module 2 : Risk Assessment
 The purpose of this module is to identify
the operational vulnerabilities of an
organisation.
 The outcome of this module is a Risk
Assessment report which provides a
priority listing of vulnerabilities and a set
of recommendations to prevent / mitigate
it.

40. 10/6/2020
Module 3 : Business Impact
Analysis
 BIA determines impact (financial & non-
financial) in the event business is disrupted for a
significant period of time. (The BIA process is somewhat
independent from the Risk Assessment process)
 The Business Impact Analysis deliverable
includes a listing of critical business functions
and their
– Recovery Time Objectives,
– Recovery Point Objectives
– Minimum operating resources
– Internal and External Dependences

41. 10/6/2020
Module 4: Develop BC Strategies
 This modules provides the BC planners
with a high-level specification of the plans.
 In this module, high level BC Policies and
Procedures are documented
 This module gets its input from the
previous BIA process

42. 10/6/2020
Module 5 : Establish Alternate
Facility
 In the event the primary business
premises is destroyed or severely
damaged, critical business functions need
to operate at an alternate facility
 This facility may be complete or partially
setup with furniture, fittings and
equipment
 This facility may be owned or rented from
a commercial entity

43. 10/6/2020
Module 6 : Plan Development
 Using the information from Module 4 & 5,
action steps which describe “what needs
to be done”, “when to do it” and “how to
do it” are documented.
 Each team within the business continuity
structure will have a recovery plan.

44. 10/6/2020
Module 7: Education & Training
 In this module, the respective players in
the organisation’s business continuity plan
will be given the appropriate education on
the principles of business continuity
planning as well as training in the use of
the recovery plans developed in the
previous module.

45. 10/6/2020
Module 8: Scenario Testing
 Testing is a mechanism used to verify the
completeness of the recovery plan.
 It also provides an avenue for team
members and management to practice
their recovery activities
 The goals and complexity of testing should
increase over time

46. 10/6/2020
Module 9 : Plan Maintenance
 The business continuity plan is a ‘LIVING
DOCUMENT’
 Keeping it “current” is a major task which
takes effort and support from senior
management
 It is necessary to implement a
Maintenance Program

47. 10/6/2020
Take Away Points
 BCM is a process and not a project.
 The initial development of a BC Plan is a tedious
and time consuming activity. It needs to be
given adequate attention to be successful (i.e.
workable)
 Like Risk Management, the responsibility for
BCM rest on everyone’s shoulder and not just
the BCM Manager
 BIA is an important process within BCM and
must be conducted on a regular basis

48. 10/6/2020
Take Away Points (con’t)
 Top Management support and participation is
required.
 A annual budget should be allocated for the
running & maintenance of the BCM program
 Testing must be religiously conducted in a
manner that encourages improvement and
preparedness.
 A maintenance program must be implemented
to ensure adequacy and completeness of the
BCM elements.

49. 10/6/2020
THANK YOU
CONTACT DETAILS
prabhar@bki.com.my
012 - 3160609