BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html Benchmarking of BCM in Action by Jeremy Wong, Senior Vice President, GMH Pte Ltd • Designing and building an effective and efficient benchmarking roadmap encompassing all stakeholders • Understanding BC Management programme versus BC Management System (BCMS) • Preparing BC team on justifications of roadmap to management and major stakeholders • Implementing self assessment process and performing gap analysis to your BC programme • Sharing of learning, pitfalls and challenges in implementing organization BC Management System

1. Benchmarking of
BCM in Action
Jeremy Wong
Senior Vice President
GMH Continuity Architects
jeremy@gmhasia.com

2. GMH Continuity Architects
• A leading consultancy focusing on
business continuity, disaster recovery and
crisis management in Asia Pacific since
1999.
• Our core business is in safeguarding our
clients’ businesses through the sound
application of proven, business-oriented
methodologies.
GMH is an accredited partner of BCM Institute.

3. Proven BCM Consulting
Experience
All images are copyright and trademarks of its respective owners.
China & Hong Kong | Japan | Philippines
Taiwan | Malaysia | Singapore |Thailand

4. Agenda
• Benchmarking Your Organisation’s BCM Against
an Internationally Standards
• Getting Your Organisation Ready
• Certification Audit.

5. BS25999: Benchmarking Your
Organisation’s BCM Against
International Standards

6. BS25999 In A Nutshell
BS 25999 is a Business Continuity Management (BCM) standard
in two parts:
1. BS 25999-1:2006 Business Continuity Management. Code
of Practice
Provides general guidance and seeks to establish processes,
principles and terminology for Business Continuity Management.
2. BS 25999-2:2007 Specification for Business Continuity
Management
Specifies requirements for implementing, operating and improving
a documented Business Continuity Management System (BCMS),
describing only requirements that can be objectively and
independently audited.
The BS25999 standard aims to provide a means of measurement
that is consistent and recognised.

7. Business Continuity
Management System
• A management system is the framework of
processes and procedures used to ensure that an
organization can fulfill all tasks required to
achieve a set of related business objectives
• Management systems connect business continuity
planning efforts to the most senior leaders in an
organization:
– requirements and strategies (“Plan”)
– resources, processes and procedures (“Do”),
– reviews and assessments (“Check”) in order to standardize
performance
– constantly improve (“Act”)

8. BS25999 PDCA Cycle
Plan
Establish the
BCM
Do
Implement
and operate
the BCM
Check
Monitor and
check the
BCM
Act
Maintain and
continual
improvement
of the BCM
Requirements &
Expectation
of BCM by
Stake-holders
and Interested
Parties
Managed
Business
Continuity
of the
Organisation

9. BS25999 - Benefits
• Provide a common framework based on
internationally accepted best practices for
implementing and managing business continuity
• Provide a framework for organization of any type,
size and location
• Bring a common understanding to all
stakeholders
• Provide customers with external assurances,
thereby increasing confidence

10. Challenges
• Administration for administration’s sake
• Competencies –us and them!
• Lack of clarity over terminology e.g. MTPD
• Integrated management systems –not quite!
• Awareness-raising

11. “There are risks and costs to a programme of
action…but they are far less than the long
ranging costs of comfortable inaction.”
- John F. Kennedy

12. Conclusion – the end of the
beginning?
• Positive experience
• Disciplined and structured
• Makes you think:
– What you do
– How you do it
– And why you do it
• Continual improvement Ongoing assessment
What does success look like?

13. Getting Your Organisation
Ready

14. Steps
• Establish the BCM Practices
• Assess state of BCMS
– Gap Analysis
• Ready for audit and beyond
– Identify auditees and audit schedule
– Produce evidence in standardized acceptable format
– Conduct internal audit
– Conduct external audit
– Operate BCM in accordance to the governance regime
– Continue improvement on BC capabilities

15. Competency Built-in
Implementation
Business Continuity Reports – BC Plan
Business
Impact
Analysis
Recovery
Strategy
Plan
Develop-
ment
Risk
Analysis
& Review
Program
Management
Fundamentals
of BCM
Session 3 Session 4 Session 5 Session 6
Each Session-Day is a minimum of 2 weeks apart
Session 2Session 1
Policy and
Framework
Risk
Assessment
Report
Business
Impact
Report
Recovery
Strategy
Report
Business
Continuity
Plans
Test Plan
Testing &
Exercising

16. BCM Roadmap
Business Continuity Reports – BC Plan
BC-DR Test / Exercise
External BS25999 Audit
Business
Impact
Analysis
Recovery
Strategy
Plan
Developme
nt
Test &
Exercises
Risk
Analysis &
Review
Internal Audit
Program
Manageme
nt
1
2
3
4

17. BCP Planning Methodology
Source:
Goh, Moh Heng (2008): Managing Your Business Continuity
Planning Project 2nd Edition ISBN: 978-981-05-9767-2

18. Project Management
Objectives
• Formulate a workable
project proposal.
• Seek endorsement and
commitment on the
project from
management
committee:
– Objective;
– Scope;
– Approach;
– Schedule; and
– Manpower.
• Establish project
management structure
and control.
Tasks
• BCM Steering Committee
& BCP Project Team
• Review and understand
organisation environment.
• Agree and formalise
project management
structure and resource
allocation.
• Establish project
administration reporting
and control mechanism.
Deliverables
• Project plan proposal
includes:
– Definition;
– Scope ;
– Objective;
– Roles &
Responsibilities.
• Project workplan.
• Project reporting
mechanism.
18

19. Risk Analysis and
Review
Objectives
• identify vulnerabilities
• Establish reliable
recommendations
for:
– Minimizing
impact of
identified threats
– Immediate and
effective
response to
potential causes
of disaster
Tasks
• Identify exposure to
internal & external threats
and the likelihood of these
threats occurring
• Recommend preventive
responses and escalation
procedures in conjunction
with crisis management
implementation
• Evaluate findings and
prepare a status report &
recommendation.
Deliverables
• Comprehensive risk and
threat profile to the
organization, with key
disaster scenario
• Recommendation for:
– Countermeasures
– Immediate Response
Procedures
– Security Risk Review
– to be implemented to
minimize the risks
• Summary report of
recommendations agreed
with senior management

20. Business Impact
Analysis
Objectives
• Determine impact of
unavailability/failure/
disaster on business
functions.
• Determine critical
business needs and
tolerable limits.
• Establish business
criticality/ impact criteria
using Business Impact
Analysis Questionnaires
(BIAQ).
• Prioritise the importance of
each business unit vis-à-vis
established criteria.
• Consolidate findings and
rankings.
• Present results to
management committee to
confirm critical
classifications and priority
listings.
• Detailed report on findings
(approved by management)
containing:
– - tolerable limits;
– classification of
criticality;
– prioritised critical
business functions;
– minimum resources;
– Critical applications and
systems; and
– - restoration priority.
• Impact analysis of
unavailability of business
functions (quantitative and
qualitative).

21. Recovery Strategy
Objectives
• Establish business
functions & job priorities
vis-à-vis business needs.
• Determine processing
requirements for priority
business functions.
• Identify and formalise
backup for everything
needed to survive a
disaster.
• Ensure that alternative
processing procedure is
available for continuity of
critical business needs
whilst recovery is in
progress.
Tasks
• Analyse all division functions
to prioritise them based on
business needs.
• Analyse hardware and
software requirements to run
high priority critical functions
so that sufficient backup can
be arranged.
• Review and establish backup
arrangements, if necessary.
• Identify necessary interim
processing procedures for
critical functions.
• Seek management’s review
and endorsement of findings
and recommendations.
Deliverables
• List of strategic plans for
recovering prioritised
critical functions.
• List of critical functions
requiring interim manual
processing procedures.
• Recommend alternate
interim processing
procedures.

22. Plan Development
Objectives
• Train and equip users
with skill to complete
the Microsoft Word
plan template.
• Establish recovery
procedures to fully
restore normal
business operations
after a disaster, based
on selected strategies.
• Ensure consistency and
comprehensiveness of
coverage.
Tasks
• Determine recovery teams
set-up and functional
responsibilities.
• Identify members of each
recovery team.
• Develop specific procedures
for each recovery team.
• Review and edit (based on
agreed structure) the plan
component to ensure
consistency and
comprehensiveness of
documentation.
Deliverables
• Propose:
– Recovery team
structure;
– Staffing of the
recovery teams with
names of specific
staff members; and
– List of action steps to
be taken by each
member of respective
recovery team.
• Completed Business
Continuity Plan.

23. Testing and
Exercising
Objectives
• Formulate an
objective mechanism
to validate the
"workability" of the
complete Business
Continuity Plan.
Tasks
• Design an overall program
for testing of plan.
• Develop plans and
schedules for specific
tests.
• Develop an evaluation
mechanism.
Deliverables
• List of tests to be
conducted.
• List of responsibilities of
parties involved:
– Objectives, policies,
guidelines,
responsibilities and test
specifications.
• Specific test plan:
– Description, scenarios,
procedures and
criteria.
• Evaluation forms/checklists
for recovery plan tests.

24. Assess State of BCM
- Gap Analysis
• Organisations with established BCM Programmes
could decide to do a gap analysis.
– Review BCM programme against an internationally recognised
standard
(e.g. BS25999)
– Identify gaps in compliance
– Make recommendations
– Prioritize and schedule implementation
– Chart roadmap to BCM success

25. Certification Audit

26. Preparing for Certification
Audit
• BS25999 Internal Audit training
• Pre-Audit Gap Analysis
• Final Audit - Stage 1
• Final Audit - Stage 2

27. Pre-Audit Assessment – Our
Approach
• No special preparation ahead of the analysis
• Assessor given full site tour
– Services provided to customer & supporting processes /
activities
– Operational structure
– Key threats and impacts
• Used the day to confirm our understanding of
BS25999 requirements and how they applied to
the organization
• Findings summarised in written report with
identified issues recorded

28. Final Audit (External)
• Stage 1
– Formal desktop review to ensure all elements of the
proposed scope and the standard are addressed by the
BCM system
– Assesses readiness to proceed to Stage 2
– Primary focus on review of documented BCM system
– Interactive session
– Findings summarised in written report

29. Final Audit (External)
• Stage 2
– Evaluation of the effectiveness of the implementation of
the BCM system and conformance to the standard
– All elements of BCM system assessed
– Multiple audit methodologies –all interactive
– Departmental level review of BCM system
– Exercising, Maintaining & Review
– Closing Meeting
– Final close out of identified issues

30. The Audit Process
– Lessons Learnt
• Preparation
– You can’t take your BCM off the shelf a month before the audit,
blow the dust off it and expect to gain certification
• Scope
– Critical to certification but easy to get wrong
– Are all interdependencies of critical activities covered by your
system?
• BCM documentation
– Available & easy to access
– Attention to detail –Does it all hang together?
• People
– Available & aware of what to expect
• BCM culture
– Is BCM alive in the organisation?
• Don’t expect to be told if your plans will work

31. External Audits

32. Thank You