BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html
Benchmarking of BCM in Action by Jeremy Wong, Senior Vice President, GMH Pte Ltd
• Designing and building an effective and efficient benchmarking roadmap encompassing all stakeholders
• Understanding a BC Management programme versus a BC Management System (BCMS)
• Preparing the BC team to justify the roadmap to management and major stakeholders
• Implementing a self-assessment process and performing a gap analysis of your BC programme
• Sharing lessons, pitfalls and challenges in implementing an organisation's BC Management System
BCM Institute MTE Jeremy Wong - Business Continuity Management Benchmarking in Action
1. Benchmarking of BCM in Action
Jeremy Wong
Senior Vice President
GMH Continuity Architects
jeremy@gmhasia.com
2. GMH Continuity Architects
• A leading consultancy focusing on business continuity, disaster recovery and crisis management in Asia Pacific since 1999.
• Our core business is in safeguarding our clients’ businesses through the sound application of proven, business-oriented methodologies.
GMH is an accredited partner of BCM Institute.
3. Proven BCM Consulting Experience
All images are copyright and trademarks of their respective owners.
China & Hong Kong | Japan | Philippines | Taiwan | Malaysia | Singapore | Thailand
4. Agenda
• Benchmarking Your Organisation’s BCM Against an International Standard
• Getting Your Organisation Ready
• Certification Audit.
6. BS25999 In A Nutshell
BS 25999 is a Business Continuity Management (BCM) standard in two parts:
1. BS 25999-1:2006 Business Continuity Management. Code of Practice
Provides general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.
2. BS 25999-2:2007 Specification for Business Continuity Management
Specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.
The BS25999 standard aims to provide a means of measurement that is consistent and recognised.
7. Business Continuity Management System
• A management system is the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve a set of related business objectives
• Management systems connect business continuity planning efforts to the most senior leaders in an organization:
– requirements and strategies (“Plan”)
– resources, processes and procedures (“Do”)
– reviews and assessments (“Check”) in order to standardize performance
– constantly improve (“Act”)
8. BS25999 PDCA Cycle
Diagram: the requirements and expectations of BCM by stakeholders and interested parties feed into the cycle; the output is managed business continuity of the organisation.
• Plan – Establish the BCM
• Do – Implement and operate the BCM
• Check – Monitor and check the BCM
• Act – Maintain and continually improve the BCM
9. BS25999 - Benefits
• Provide a common framework based on internationally accepted best practices for implementing and managing business continuity
• Provide a framework for organisations of any type, size and location
• Bring a common understanding to all stakeholders
• Provide customers with external assurances, thereby increasing confidence
10. Challenges
• Administration for administration’s sake
• Competencies – us and them!
• Lack of clarity over terminology e.g. MTPD
• Integrated management systems – not quite!
• Awareness-raising
11. “There are risks and costs to a programme of action…but they are far less than the long ranging costs of comfortable inaction.”
- John F. Kennedy
12. Conclusion – the end of the beginning?
• Positive experience
• Disciplined and structured
• Makes you think:
– What you do
– How you do it
– And why you do it
• Continual improvement – Ongoing assessment
What does success look like?
14. Steps
• Establish the BCM Practices
• Assess state of BCMS
– Gap Analysis
• Ready for audit and beyond
– Identify auditees and audit schedule
– Produce evidence in standardized acceptable format
– Conduct internal audit
– Conduct external audit
– Operate BCM in accordance with the governance regime
– Continual improvement of BC capabilities
15. Competency Built-in Implementation
Diagram: six session-days (Session 1 to Session 6), each a minimum of 2 weeks apart, covering the project stages and the Business Continuity Reports (BC Plan) each stage produces.
• Fundamentals of BCM
• Program Management – Policy and Framework
• Risk Analysis & Review – Risk Assessment Report
• Business Impact Analysis – Business Impact Report
• Recovery Strategy – Recovery Strategy Report
• Plan Development – Business Continuity Plans
• Testing & Exercising – Test Plan
16. BCM Roadmap
Diagram: roadmap stages are Program Management, Risk Analysis & Review, Business Impact Analysis, Recovery Strategy, Plan Development and Test & Exercises (numbered 1 to 4 in the diagram). Milestones along the roadmap: Business Continuity Reports – BC Plan; BC-DR Test / Exercise; Internal Audit; External BS25999 Audit.
18. Project Management
Objectives
• Formulate a workable project proposal.
• Seek endorsement and commitment on the project from management committee:
– Objective;
– Scope;
– Approach;
– Schedule; and
– Manpower.
• Establish project management structure and control.
Tasks
• BCM Steering Committee & BCP Project Team
• Review and understand organisation environment.
• Agree and formalise project management structure and resource allocation.
• Establish project administration reporting and control mechanism.
Deliverables
• Project plan proposal includes:
– Definition;
– Scope;
– Objective;
– Roles & Responsibilities.
• Project workplan.
• Project reporting mechanism.
19. Risk Analysis and Review
Objectives
• Identify vulnerabilities
• Establish reliable recommendations for:
– Minimizing impact of identified threats
– Immediate and effective response to potential causes of disaster
Tasks
• Identify exposure to internal & external threats and the likelihood of these threats occurring
• Recommend preventive responses and escalation procedures in conjunction with crisis management implementation
• Evaluate findings and prepare a status report & recommendation.
Deliverables
• Comprehensive risk and threat profile to the organization, with key disaster scenario
• Recommendation for:
– Countermeasures
– Immediate Response Procedures
– Security Risk Review
– to be implemented to minimize the risks
• Summary report of recommendations agreed with senior management
20. Business Impact Analysis
Objectives
• Determine impact of unavailability/failure/disaster on business functions.
• Determine critical business needs and tolerable limits.
• Establish business criticality/impact criteria using Business Impact Analysis Questionnaires (BIAQ).
• Prioritise the importance of each business unit vis-à-vis established criteria.
• Consolidate findings and rankings.
• Present results to management committee to confirm critical classifications and priority listings.
• Detailed report on findings (approved by management) containing:
– tolerable limits;
– classification of criticality;
– prioritised critical business functions;
– minimum resources;
– critical applications and systems; and
– restoration priority.
• Impact analysis of unavailability of business functions (quantitative and qualitative).
21. Recovery Strategy
Objectives
• Establish business functions & job priorities vis-à-vis business needs.
• Determine processing requirements for priority business functions.
• Identify and formalise backup for everything needed to survive a disaster.
• Ensure that alternative processing procedure is available for continuity of critical business needs whilst recovery is in progress.
Tasks
• Analyse all division functions to prioritise them based on business needs.
• Analyse hardware and software requirements to run high priority critical functions so that sufficient backup can be arranged.
• Review and establish backup arrangements, if necessary.
• Identify necessary interim processing procedures for critical functions.
• Seek management’s review and endorsement of findings and recommendations.
Deliverables
• List of strategic plans for recovering prioritised critical functions.
• List of critical functions requiring interim manual processing procedures.
• Recommend alternate interim processing procedures.
22. Plan Development
Objectives
• Train and equip users with skill to complete the Microsoft Word plan template.
• Establish recovery procedures to fully restore normal business operations after a disaster, based on selected strategies.
• Ensure consistency and comprehensiveness of coverage.
Tasks
• Determine recovery teams set-up and functional responsibilities.
• Identify members of each recovery team.
• Develop specific procedures for each recovery team.
• Review and edit (based on agreed structure) the plan component to ensure consistency and comprehensiveness of documentation.
Deliverables
• Propose:
– Recovery team structure;
– Staffing of the recovery teams with names of specific staff members; and
– List of action steps to be taken by each member of respective recovery team.
• Completed Business Continuity Plan.
23. Testing and Exercising
Objectives
• Formulate an objective mechanism to validate the "workability" of the complete Business Continuity Plan.
Tasks
• Design an overall program for testing of plan.
• Develop plans and schedules for specific tests.
• Develop an evaluation mechanism.
Deliverables
• List of tests to be conducted.
• List of responsibilities of parties involved:
– Objectives, policies, guidelines, responsibilities and test specifications.
• Specific test plan:
– Description, scenarios, procedures and criteria.
• Evaluation forms/checklists for recovery plan tests.
24. Assess State of BCM - Gap Analysis
• Organisations with established BCM Programmes could decide to do a gap analysis.
– Review BCM programme against an internationally recognised standard (e.g. BS25999)
– Identify gaps in compliance
– Make recommendations
– Prioritize and schedule implementation
– Chart roadmap to BCM success
26. Preparing for Certification Audit
• BS25999 Internal Audit training
• Pre-Audit Gap Analysis
• Final Audit - Stage 1
• Final Audit - Stage 2
27. Pre-Audit Assessment – Our Approach
• No special preparation ahead of the analysis
• Assessor given full site tour
– Services provided to customer & supporting processes / activities
– Operational structure
– Key threats and impacts
• Used the day to confirm our understanding of BS25999 requirements and how they applied to the organization
• Findings summarised in written report with identified issues recorded
28. Final Audit (External)
• Stage 1
– Formal desktop review to ensure all elements of the proposed scope and the standard are addressed by the BCM system
– Assesses readiness to proceed to Stage 2
– Primary focus on review of documented BCM system
– Interactive session
– Findings summarised in written report
29. Final Audit (External)
• Stage 2
– Evaluation of the effectiveness of the implementation of the BCM system and conformance to the standard
– All elements of BCM system assessed
– Multiple audit methodologies – all interactive
– Departmental level review of BCM system
– Exercising, Maintaining & Review
– Closing Meeting
– Final close out of identified issues
30. The Audit Process – Lessons Learnt
• Preparation
– You can’t take your BCM off the shelf a month before the audit, blow the dust off it and expect to gain certification
• Scope
– Critical to certification but easy to get wrong
– Are all interdependencies of critical activities covered by your system?
• BCM documentation
– Available & easy to access
– Attention to detail – Does it all hang together?
• People
– Available & aware of what to expect
• BCM culture
– Is BCM alive in the organisation?
• Don’t expect to be told if your plans will work
Good afternoon Ladies and Gentlemen. I am Jeremy Wong, Senior Vice President for GMH Continuity Architects. Prior to joining GMH, I was the Nomura Head of BCM for South Asia, and before that, the Head of BCM for UOB. I also worked at JPMorgan and Andersen Consulting before they changed their name to Accenture.
Today I would like to speak to you about how you can benchmark, or measure, your organisation’s BCM against an internationally recognised standard like BS25999. Before I start, a quick introduction about GMH.
We at GMH specialize in 3 areas – business continuity, disaster recovery and crisis management. Since 1999, we have been helping clients safeguard their businesses by providing professional consulting services and education. Here is a sample of the companies we have been helping.
We do a wide variety of projects, ranging from private investment banks to government agencies.
That said, let us now look at Benchmarking an organisation’s BCM against an International Standard – the BS25999 standard.
Now, an organisation chooses to do benchmarking for various reasons – maybe it is because the organisation wants to ensure it has implemented industry best practices for BCM, or it could be a mandate passed down from Head Office, or it could be pressure from a valued client to demonstrate competency in BCM.
Whatever the reason, it is important that the organisation chooses a credible and recognised standard to benchmark itself against. The BS25999 standard is one such standard that organisations can use for benchmarking.
So what is BS25999? Essentially, it is a UK standard for BCM developed in 2006/2007, and it comes in two parts:
Part 1 of BS25999 is the code of practice that provides practitioners general guidance on BCM principles and processes.
Part 2, developed in 2007, contains the specifications for a Business Continuity Management System or BCMS. This is the part that auditors will use to scrutinize your organisation’s BCM.
So what is a Business Continuity Management System (BCMS)?
A BCMS is a management framework used to ensure that processes and procedures are in place and adhered to, so that the organisation’s BCM objectives can be achieved. Staff at different levels participate in implementing a BCMS and therefore it is a useful platform to engage senior management in business continuity planning.
A popular management system model used for business continuity is the PDCA model. “P” stands for PLAN, D for DO, C for CHECK, and A for ACT.
In BS25999, the PDCA cycle is also used. BCM requirements and expectations are fed into the PDCA cycle. Within this cycle, the organisation is systematically brought through the various stages of risk analysis and review, business impact analysis, recovery strategy and plan development, testing & exercising, and finally programme management. The end result is of course a well managed BCM function.
The reason many organisations choose to use the BS25999 standard for benchmarking is that the standard provides a common framework based on internationally accepted best practices for BCM. Companies would naturally want to benchmark themselves against a standard that is recognised all over the world, especially if they do business internationally.
BS25999 is also not prescriptive – it tells you what needs to be done but not how it must be done. Hence organisations of any size can use the standard by choosing how they want to implement their BCM.
Stakeholders are able to speak a common BCM language through the use of standardized terminology.
And lastly, organisations can increase the confidence of customers, regulators and external parties.
Of course there are also challenges.
Organisations that go for BS25999 certification for the sake of just getting the certificate will find the journey a struggle. Embarking on BS25999 is not a short one-time exercise. The system requires on-going engagement and the organisation must be committed for it to be successful.
A 2nd challenge is that many auditors assume that auditing BCM is like doing a financial audit. Let me tell you that it is not. Auditors need to understand the spirit or the purpose behind the standard and audit accordingly. I have seen auditors who try to audit word for word in the standard without truly understanding what BCM is all about. If organisations want their internal auditors to be able to audit BCM, they should be properly trained so as to be competent enough on the subject matter.
A third challenge is about terminology. For example the concept of MTPD or Maximum Tolerable Period of Disruption has been widely debated. A quick check on the internet and you can find 4 different interpretations of the term.
Many organisations embarking on BS25999 have also been certified in other areas, e.g. ISO 9000, ISO 14000, etc. Often they attempt to kill multiple birds with one stone and fit BS25999 into this system, which often does not work out too well – like trying to fit a round peg into a square hole.
Finally, we find that organisations often have a tough time raising awareness within the company and keeping the momentum going.
At the end of the journey, many clients find the experience enriching. Other than making the grade and receiving the BS25999 certification, there is also the satisfaction of knowing that the organisation is prepared for a disaster.
The road to meeting the BS25999 standard, if done properly, is one that is disciplined and structured and more importantly, it leads management and staff through a thinking process that many find very valuable.
On-going assessment will keep organisations on their toes and ensure that the program and plans are kept alive.
Assuming you decide to use BS25999 as a benchmark, how do you go about getting your organisation ready?
If your organisation is new to business continuity, the first order of the day is to start a BC project quickly and implement BCM best practices.
However if the organisation already has a BCM programme, you may find conducting a gap analysis on the existing system a good starting point. We have helped a couple of Malaysian banks conduct this gap analysis and they are finding it useful in identifying areas of improvement.
Once the programme is set up and any identified gaps have been closed, the organisation is now ready for the certification audit. This is when you identify auditees, build the audit schedule and initiate both internal audit as well as external certification audit.
This slide shows how GMH goes about helping organisations build their BCM capability.
We recognise that it is next to impossible to round up people and lock them up in a room for 2 weeks to complete the project. Instead we conduct a 1-day fundamentals of BCM training followed by another 5 half-day workshops, conducted 2 weeks apart to complete the different stages of the project. The workshops achieve the maximum impact in the minimum time. That is why our approach is so popular with busy executives.