Review your Business Continuity Management Processes
Business Continuity Management
Is your BCM Framework comprehensive & tested?
Anand Subramaniam
“People with opinions just go around bothering one another.”
- The Buddha
Highlights
BCM Overview
Risk Management - AS/NZS 4360:99
Planning Consideration
BCP Planning & Recovery Process
Assessment / Questionnaire
BCM Overview
Business Continuity Management (BCM)
Business Continuity Planning: to maintain continuity of critical processes & functions, e.g.:
• customer service
• administration
• billing
Crisis Management: organisation & ability to manage any crisis or disaster
IT (Disaster) Recovery Planning: recovery of critical systems and applications
Context - BCM, BCP & DRP
Business Continuity Management: overall approach to business continuity
Business Continuity Plans: address continuity of processes
IT Disaster Recovery Plans: one specific type of plan
BCM – Success Criteria
Commitment
Organisation
Communication
Testing & training
Plan maintenance & review
Example - Process Drivers
Supply Chain Network Risks
Limited Redundancy in Operations
Just in Time Operations - JIT, Lean
Low Maximum Acceptable Downtime
Single Points of Failure in Operations
Financial, Reputation, Legal, Market Risks
Reliance Upon Technology to Accomplish Job
Following a Crisis… Insurance won’t
Address customer migration
Restore damage to company image
Retain customer confidence and market share
Replace valuable employees or improve employee morale
Develop and bring new products into the marketplace
Goals
Integrate Operational and Business Risk Reduction with Business Continuity
Create a Risk Reduction / Disaster Resistance Mentality
Cover all aspects of the Response / Recovery process from Emergency Response through Business Recovery
Integrate all key aspects of planning - Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption
Incident Overview
(Flowchart reconstructed from the slide's labels; the diagram itself is not in the text.)
An Incident is followed by incident reporting & escalation, then two decision points:
Is it an IT ‘disaster’? Yes: invoke DRP; convene DMT to coordinate DRP. The DRP path covers: restore hardware & communications; applications & data recovery (from off-site back-up); resume normal IT operations. No: resume business as usual.
Is it a ‘crisis’? Yes: convene CCT. The BCP path covers: implement BCPs for business processes; manage salvage & repair; manage HR & PR issues; process restoration & data catch-up; business resumption & cost recovery; back to business as usual. No: resume business as usual.
Incident Management
Respond
• Identify, report & assess incident/crisis
• Emergency procedures
• Escalate; activate CMT
• Isolate/contain damage
Restore
• Stabilise - CMT coordinates company-wide response
• Damage control
• Short-term restoration of operations & customer service
• Work-arounds & BCPs
• Manage indirect consequences, e.g. media coverage
Recover
• Assess impact (cost)
• Repair damage
• Recover image & market share
• Cost recovery, e.g. insurance
Risk Management - AS/NZS 4360:99
Risk Management Process (AS/NZS 4360:99)
Establish context
Identify risks
Analyse risks
Evaluate & prioritise risks
Treat risks
The three middle steps (identify, analyse, evaluate & prioritise) form the risk assessment. Communication and consultation, and monitor & review, run alongside every step of the process.
Risk Management Components
Business Continuity & Contingency Planning (reactive - minimises impact or consequences)
Risk Control (proactive - minimises risk exposure and reduces likelihood, e.g. security)
Risk Transfer (insurance & contracts - manages the cost of risk)
Planning Consideration
Set the Scene
BCM Team
Business Unit - BCPs
BCM Project / Program
Business Impact Analysis
Identify key business processes
Incident/Crisis Management Organisation
Risk identification, assessment & treatment
Identify / Prioritise Key Business Processes
Vital: not easily transferred or replaced; low tolerance; high cost of interruption; data may be permanently damaged/lost
Important: can be partially transferred for a limited period; moderate tolerance; potentially high cost of interruption
Deferrable: can be interrupted for an extended period; minor inconvenience
Business Impact Analysis
Key Resources: examines the dependency of Vital & Important processes on key resources
MTO: determines the Maximum Tolerable Outage (MTO), i.e. the restoration timeframe, for each resource
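As an added illustration (not from the original deck), the following Python script shows how the two BIA outputs combine: each Vital or Important process carries its own MTO and the key resources it depends on, and a resource's restoration timeframe is the shortest MTO among the prioritised processes that depend on it. Deferrable processes are excluded, as the slide's definition implies. The process names, MTO values and resource names are constructed sample data, not taken from the deck.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classification scheme from the deck: Vital, Important, Deferrable.
# The BIA looks at the dependency of Vital & Important processes on key
# resources, so only those two classes set restoration targets here.
PRIORITISED = ("Vital", "Important")


@dataclass(frozen=True)
class Process:
    name: str
    classification: str          # "Vital", "Important" or "Deferrable"
    mto_hours: float             # Maximum Tolerable Outage of the process
    resources: Tuple[str, ...]   # key resources the process depends on


def resource_restoration_targets(processes: List[Process]) -> Dict[str, Tuple[float, List[str]]]:
    """Roll process MTOs down to the resources they depend on.

    A resource must be back within the shortest MTO of any Vital or Important
    process that depends on it. Returns {resource: (hours, [dependent processes])}.
    """
    targets: Dict[str, Tuple[float, List[str]]] = {}
    for p in processes:
        if p.classification not in PRIORITISED:
            continue  # Deferrable: can be interrupted for an extended period
        for r in p.resources:
            hours, deps = targets.get(r, (float("inf"), []))
            targets[r] = (min(hours, p.mto_hours), deps + [p.name])
    return targets


def shared_resources(targets: Dict[str, Tuple[float, List[str]]]) -> List[str]:
    """Resources that more than one prioritised process depends on: losing one
    of these interrupts several processes at once."""
    return sorted(r for r, (_, deps) in targets.items() if len(deps) > 1)


# Constructed sample BIA register for a hypothetical organisation
SAMPLE_PROCESSES = [
    Process("Customer service", "Vital", 4, ("telephony", "CRM", "office space")),
    Process("Billing", "Important", 24, ("ERP", "CRM", "printing")),
    Process("Administration", "Deferrable", 120, ("office space", "printing")),
]

if __name__ == "__main__":
    targets = resource_restoration_targets(SAMPLE_PROCESSES)
    for resource, (hours, deps) in sorted(targets.items(), key=lambda kv: kv[1][0]):
        print(f"{resource:<13} restore within {hours:>4.0f} h   needed by: {', '.join(deps)}")
    print("shared by several prioritised processes:", shared_resources(targets))
```

Resources that several prioritised processes share are worth listing separately: their loss interrupts more than one process at once, which is the concentration the deck's "single points of failure" driver refers to.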
BCP Components
Objectives, scope, possible scenarios
Organisation, responsibilities & communications
Incident impact assessment, escalation & plan invocation
Procedures & checklists for phases: Respond; Restore (Vital & Important processes); Recover
Emergency contact lists
Document control & maintenance
BCP – Planning Consideration
Emergency Response Planning
Business Resumption Planning
Crisis Management and Communication
Staff
Public relations
Continuity of Customer Service
Information Technology & Services
Salvage & restoration of documents (e.g. licenses), records and artifacts
BCP Planning & Recovery Process
BCP – Operation Flow
Every operation is different…
The response process is similar…
Can be modelled to any operation
The flowchart that follows depicts a typical recovery sequence
Identifies the key escalation points, and the plans that are activated
Key Factors
Each step in the process can be defined and measured
Can form a measurement grid for the process
Provides an indication of the issues to be addressed at each step in the process
BCP Planning & Recovery Process
(Flowchart reconstructed from the slide's labels.)
Pre-Incident Planning Process: Step 1 Risk Identification; Step 2 Risk Quantification; Step 3 Risk Mitigation
Incident
Post-Incident Response Planning Process: Step 4 Emergency Response; Step 5 Crisis Management; Step 6 Business Resumption
Step 1 - Risk Identification
Physical risks identified
Operational risks identified
Critical single-source suppliers identified
Revenue impact potential identified
Contractual/Regulatory exposures identified
Process flow mapped
Step 2 – Risk Quantification
Physical risk controls identified and evaluated for effectiveness
Operational risk controls identified and evaluated for effectiveness
Residual risk identified and translated to outage and impact potential
Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.
Risk and impact quantification used to develop mitigation priorities
Step 3 – Risk Mitigation
Future mitigation priorities supported by risk identification and quantification
Physical and Operational risk reduction from mitigation quantified
Mitigation issues assigned time frame and responsibility
Review process addresses mitigation issue resolution
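Added worked example (not part of the original deck) covering Steps 2 and 3: a small Python risk register in which each risk's existing controls are given an effectiveness score, the residual likelihood is translated into expected outage hours and then into annual revenue impact, and the ranked result is the mitigation priority list; `mitigation_benefit` quantifies the risk reduction a proposed control would buy, which is what Step 3 asks for. Only the revenue dimension is modelled here; regulatory impact and long-term customer migration would be added as further columns in the same way. The risks, likelihoods, effectiveness scores and revenue figures are constructed.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Risk:
    """One hypothetical risk-register entry (all values constructed)."""
    name: str
    annual_likelihood: float      # chance the event occurs in a year, before controls
    control_effectiveness: float  # 0..1: how much existing physical/operational controls cut it
    outage_hours: float           # outage potential if the event gets through
    revenue_per_hour: float       # revenue lost per hour of outage


def residual_likelihood(r: Risk) -> float:
    """Step 2: the share of the risk that existing controls do not stop."""
    return r.annual_likelihood * (1.0 - r.control_effectiveness)


def expected_outage_hours(r: Risk) -> float:
    """Residual risk translated into outage potential (hours per year)."""
    return residual_likelihood(r) * r.outage_hours


def expected_revenue_impact(r: Risk) -> float:
    """Outage potential translated into annual revenue impact."""
    return expected_outage_hours(r) * r.revenue_per_hour


def mitigation_priorities(register: List[Risk]) -> List[Risk]:
    """Rank by revenue impact; the ordering is the Step 3 priority list."""
    return sorted(register, key=expected_revenue_impact, reverse=True)


def mitigation_benefit(r: Risk, new_control_effectiveness: float) -> float:
    """Step 3: annual revenue impact removed by raising a risk's control effectiveness."""
    improved = replace(r, control_effectiveness=new_control_effectiveness)
    return expected_revenue_impact(r) - expected_revenue_impact(improved)


# Constructed register for a hypothetical site
REGISTER = [
    Risk("Data centre power failure", 0.5, 0.8, 8, 10_000),
    Risk("Sole-source supplier outage", 0.2, 0.0, 72, 5_000),
    Risk("Records archive fire", 0.02, 0.5, 240, 1_000),
]

if __name__ == "__main__":
    for rank, r in enumerate(mitigation_priorities(REGISTER), start=1):
        print(f"{rank}. {r.name:<28} residual {residual_likelihood(r):.2f}/yr  "
              f"outage {expected_outage_hours(r):5.1f} h/yr  impact {expected_revenue_impact(r):>9,.0f}")
    # What would a backup supplier agreement (assumed effectiveness 0.75) buy?
    print("benefit of a backup supplier (eff. 0.75):",
          f"{mitigation_benefit(REGISTER[1], 0.75):,.0f} per year")
```

With these figures the uncontrolled sole-source supplier ranks first despite its modest likelihood, because a long outage multiplies a small residual probability into a large expected loss; that is the point of translating residual risk into outage and then into impact rather than ranking on likelihood alone.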
Step 4 – Emergency Response
Emergency Response Team is in place and trained
All potential hazard scenarios are considered
Evacuation and Take Cover procedures are in place and tested
Employee gathering spots are defined
Plan addresses notification and direction of police, fire, EMS, and utilities
Restoration and reconstruction contractors identified and engaged
Damage Assessment Team and plan are developed
Step 5 – Crisis Management
Roles and responsibilities are detailed
CMT directs both restoration and resumption
Disaster declaration criteria / decision points are defined
Facility Crisis Management Team identified and complete
Crisis Communications Plan is in place for all affected / interested parties
Damage assessment reporting is linked with CMT operations
CMT is the focal point for local recovery and corporate liaison
Step 6 – Business Resumption
Restoration of host site is addressed
Manufacturing contingency plans are in place
Mitigation of customer impact is captured in the plan
Alternative production operations are defined in detail
IT and telecommunications recovery plan is identified
Recovery teams are identified with detailed roles and responsibilities
Restoration of productive capacity and capability with timeframes
Response - Key Elements
Emergency Response Team - Safety, Security, Medical, Line Management, Environmental
Crisis Management Team - Senior leadership, Operations Management
Damage Assessment Team - Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security
Crisis Communications - HR / Communication Specialists
Business Resumption - Line Management and Staff
Assessment / Questionnaire
Management
Do you have a clearly defined, documented and approved management process to manage the BCM program?
Does your BCM program clearly identify and comply with regulatory, legal, policy and principle requirements?
Are there professionally qualified BCM practitioners involved in the implementation of this program?
Have overall accountability and responsibilities for the management of the BCM program been clearly defined and documented?
Have you successfully demonstrated (including crisis management) competence and capability via exercising, rehearsal and testing or invocation?
Does your BCM program incorporate the allocation of dedicated resources and finance as a part of the annual budget development and management process?
Does your program provide assurance that suppliers (internal and/or outsourced providers) have an effective, up-to-date and fit-for-purpose BCM capability?
Do you have a Management Information System (MIS) to monitor and provide regular reports concerning the status of BCM?
Policy
Do you have a clearly defined, documented and approved BCM policy?
Does your BCM policy enable corporate governance, the discharge of its responsibilities and satisfaction of its legal and regulatory obligations?
Does the policy provide a clearly defined, documented and approved set of BCM guidelines and minimum standards?
Does your policy provide a clearly defined, documented and approved independent audit process including frequency and triggers of your BCM capability?
Assurance
Do you have a clearly defined, documented and approved BCM assurance management process and frequency?
Do you have clearly defined, documented and approved KPIs (objectives, targets and standards) for BCM?
Do you have a clearly defined and documented monitoring, evaluation and review process for your BCM KPIs?
Does the assurance process provide clearly defined, documented and approved management information assurance reports?
Does your assurance process provide clearly defined, approved, prioritised and documented remedial action plan(s) to implement the agreed recommendations?
Business Impact Analysis
Have you adopted a clearly defined and documented standard BIA process (insourcing and outsourcing)?
Was the current BIA completed within the last 12 months?
Does your BIA identify resource recovery requirements?
Do you have a process to ensure that a BIA is carried out as a part of all project and change management including new developments of (and major changes to) IT systems, services and their sourcing?
Risk Assessment
Do you have a clearly defined, documented and approved risk management strategy?
Do you have an approved standard process to carry out an operational risk assessment?
Do you have a clearly defined and documented process to ensure the approved risk methodology, tools, techniques and criteria are consistently applied?
Do you have a clearly defined, documented and approved organisation risk appetite benchmark, including the acceptance of residual risk?
Has a risk assessment been completed within the last 12 months?
Have you identified areas of high risk concentration and introduced risk management controls (an action plan) to eliminate, mitigate, reduce or transfer the effects of identified key threats, vulnerabilities, exposures or liabilities?
Organisation Process Strategy
Is your BCM strategy clearly aligned / linked to the overall strategic aims and business strategies?
Do you have a clearly defined, documented and approved BCM framework?
Have you identified key roles, responsibilities and authorities for the BCM strategy?
Has the selected process level BCM strategy(ies) been fully evaluated to ensure fit-for-purpose and capable of working within the required timescales?
Resource Recovery
Do you have a clearly defined, documented and approved resource recovery strategy?
Does the resource recovery strategy incorporate the resource recovery requirement from the BIA?
Have the key roles, accountabilities, responsibilities and authorities within the resource recovery BCM strategy been clearly defined and documented?
Have both technical (e.g. IT, telecommunications) and non-technical issues been considered within the resource recovery strategy?
Has the insourcing and outsourcing of your products and services been included within the resource recovery?
BCM Implementation
Human Resources
Do you have mandatory instructions, advice, process, procedure or guidelines concerning:
• casualties and fatalities
• confidential staff counselling and staff welfare?
Communication
Do you have instructions, advice, process, procedure or guidelines concerning internal and external communications?
Implementation (Contd.)
Information Technology & Communication (ITC)
Do you have ITC resumption and recovery strategies? Have these been clearly documented?
Have you identified a technical recovery site which would not be affected by the same incident?
Have your business owners, technical and/or specialist third party service providers successfully tested the resumption and/or recovery of the IT systems and software?
Is there an inventory of all IT systems software and a process for its restoration, including licensing arrangements?
Are there arrangements in place for specialist software in escrow?
Are there SLAs in place, and have they been tested in case of disaster?
Implementation (Contd.)
Security
Have you tested the appropriate physical security and environmental controls?
Insurance
Are insurance policies and their coverage limits reviewed regularly for adequacy and cost benefit?
Checklist / Forms
Is there an up-to-date task list that clearly identifies both mandatory and discretionary tasks, together with the individuals accountable or responsible for their completion within an allocated timeframe?
Do you provide an auditable process for tracking and recording the completion of the BCP task list after the plan has been invoked, and any additional on-going tasks?
Are there up-to-date (internal and external) contact lists of all stakeholders, including key service providers / contractors?
Does the BCP provide a situation management and decision log template?
Implementation (Contd.)
Data
Are there clearly defined backup procedures for all applications, hardware and data (both electronic and paper, e.g. records, unique records or documents), and clearly defined recovery and restoration processes and procedures in place?
Can vital records (both electronic and paper) and their dependencies be recovered simultaneously at more than one disaster site if required?
Business Process
Do you have a process for recovering work in progress and work backlog processing?
Do you have a process for the provision of manual operations and fallback solutions and related activities wherever gaps exist between IT resumption and/or recovery capabilities and BCM needs?
Do you have a clearly defined change control process to ensure BCM requirements and selected BCM solutions are maintained in an up-to-date and fit-for-purpose status?
Emergency Procedures
Do you have documented emergency evacuation procedures, and when were they last tested?
Training & Culture
Do you have a clearly defined, published and approved BCM vision and policy statement?
Are there training / cultural programs in place to achieve the outcomes?
Has your BCM policy, principles and program been communicated?
Does your executive or senior and middle management proactively demonstrate its support and strong commitment to the BCM vision, policy and program?
Are the implementation and maintenance of the BCM policy and principles strictly monitored and evaluated?
Are BCM roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organisation?
Is your BCM integrated with the reward, recognition, performance management and appraisal system?
Do you have clearly defined and documented KPIs for BCM?
Is there a formal BCM awareness or induction training program for all new and existing managers and staff?
Current State Assessment
“Sometimes, the question is more important than the answer.”
- Plato