The Business Continuity Institute
The Good Practice Guidelines – Real life Implementations
Muhammad Ghazali, MBCI, CBCI, ISMS ISO 27001 LA, BS25999 LA
Associate Director – Head of BCM Service, Protiviti Member Firm Middle East
The Good Practice Guidelines
Why Good Practice Guidelines?
The value of the GPG:
• Not just “what”, but “why” and “how”
• Baseline and common language
• Used for entry examination
• Professional reference document
Stage-wise:
1. BCM Program Management
2. Understanding the Organization
3. Determining BCM Strategies
4. Developing and Implementing BCM Response
5. Exercising, Maintaining and Reviewing
6. Embedding BCM into Organization Culture
BCM Program Management
What
1. Develop the BCM Program
2. Identification of owner/members and participants of the Program
3. Development of the BCM Policy of the organization
4. Identification of inclusions and exclusions of the BCM Program
5. Define and approve the scope of the program
Examples:
• BCM Head – That’s probably you…
• BCM Steering Committee – Management
• BCM Roles – Strategic, Tactical and Operational
• BCM Forum – Selected team members
How
Involve the Top Management team. Review documents produced by the organization:
• Business plans
• Strategic plans
• Annual report
• Marketing report
Why
Objectives, mission, vision, key services, products, future strategy, acquisitions, geographical scale, competitor strategy, regulatory obligations, etc.
Program Scope
• Set objectives
• See obligations
• Acceptable level of risk
• Statutory, regulatory and contractual issues
Organizational Policy
• Top management commitment and approval
• Objectives of business continuity and scope
• Communicated and reviewed
• Appropriate to the nature, scale, complexity, geography and criticality of business activities
• Reflects culture, dependencies and operating environment
Resources and Competence
• Defined roles and responsibilities
• Top management nominees / appointees
• BCM competency
A “Program” Not a “Project”
Understanding the Organization
What
Know your:
• Processes
• People
• Infrastructure
• Environment
• Internal and external suppliers
• Threats to all of the above requirements
• Impact of those threats
“If you know your enemies and know yourself, you will not be imperiled in a hundred battles” – Sun Tzu
How
There are three main activities in “Understanding the Organization”:
• Business Impact Analysis (BIA)
• Continuity Requirements Analysis (CRA)
• Risk Assessment (RA)
Why
Your business depends on:
• Operations staff/skills
• Records/data assets
• Voice/data communications
• Facilities & infrastructure
• Equipment
Key BIA Inputs
Financial Impact
• Lost sales revenue
• Productivity loss
• Permanent customer loss
• Loss of interest income
Operational Impacts
• Brand image
• Competitive advantage
• Customer satisfaction
• Increased regulatory oversight
• Employee morale
Management Tolerances
• Intolerable/acceptable downtime
• Intolerable/acceptable data loss
Resource Dependencies
• Operations staff
• Records/data assets
• Voice/data communications
• Facilities & infrastructure
• Equipment
Recovery Requirements as Output
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Maximum Tolerable Period of Disruption (MTPOD)
• Minimum Operation Requirements
Key Business Areas
• Business Objectives
• Critical Processes – Business Lines, Support Lines
Knowing Your Organization - Impact Analysis
Business Objectives → Interviews, Questionnaires, Workshops → Key Risks / Threats → Risk Assessment → Risk Register (Vulnerability, Threats, Impact, Likelihood)
Critical Processes → BIA of Critical Processes (BIA Dependency, Impact over time) → Business Continuity Strategy → Business Continuity Plans
Knowing Your Risks – Risk Assessment (RA)
Determining BCM Strategies
What
On the basis of your Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPOD), identify strategies.
• The faster you want it – the more it will cost!
Separation distance
• How far away do you need to be?
• Accessible yet recoverable
How
Assess continuity options for each critical activity at the following levels:
1. Initial continuity – to an initial acceptable level
2. Recovery – to a sustainable level
3. Resumption – back to the normal level
Why
Your business needs to select appropriate continuity options for each activity that supports delivery.
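The BIA flow in the earlier slides (impact over time and management tolerances in, RTO/RPO/MTPOD out) and the strategy rule on this slide ("the faster you want it, the more it will cost") can be worked through as a small calculation. The code below is an added example written for this page; it is not part of the original deck or of the BCI guidelines. The process names, impact scores, tolerance thresholds and option costs are constructed sample data, and the rule used to set RTO (the longest sampled outage still within tolerance, so that RTO is always below MTPOD) is an assumption made for the example rather than anything the slides prescribe.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CriticalProcess:
    """One critical activity as captured in the BIA (constructed sample data)."""
    name: str
    # Impact over time: outage duration (hours) -> impact score,
    # 1 = negligible ... 5 = threatens viability. Sampled at increasing durations.
    impact_over_time: dict[int, int]
    # Management tolerance: the highest impact score the business will accept.
    tolerable_impact: int
    # Management tolerance for data loss, in hours of work that may be lost.
    tolerable_data_loss_hours: int


@dataclass(frozen=True)
class ContinuityOption:
    """A candidate continuity / recovery strategy (constructed sample data)."""
    name: str
    recovery_hours: int   # time the option needs to restore the activity
    data_loss_hours: int  # data the option can lose in the worst case
    annual_cost: int      # running cost; the faster options cost more


@dataclass(frozen=True)
class RecoveryRequirement:
    """The BIA output for one process: MTPOD, RTO and RPO."""
    process: str
    mtpod_hours: int
    rto_hours: int
    rpo_hours: int


def derive_requirement(proc: CriticalProcess) -> RecoveryRequirement:
    """Derive MTPOD, RTO and RPO from impact-over-time and management tolerances.

    MTPOD is the first sampled outage duration whose impact exceeds the
    tolerance; RTO is the longest sampled duration still within tolerance,
    so RTO < MTPOD holds by construction; RPO is the tolerable data loss.
    (This RTO rule is an assumption of the example, not a GPG definition.)
    """
    durations = sorted(proc.impact_over_time)
    rto = 0
    for d in durations:
        if proc.impact_over_time[d] > proc.tolerable_impact:
            return RecoveryRequirement(proc.name, d, rto, proc.tolerable_data_loss_hours)
        rto = d
    # Failure mode: the BIA never looked far enough ahead to see the impact
    # become intolerable, so no MTPOD can be stated. Send it back to the BIA.
    raise ValueError(f"{proc.name}: impact never exceeds tolerance within sampled window")


def select_option(req: RecoveryRequirement,
                  options: list[ContinuityOption]) -> Optional[ContinuityOption]:
    """Cheapest option that meets both RTO and RPO, or None if nothing does."""
    feasible = [o for o in options
                if o.recovery_hours <= req.rto_hours and o.data_loss_hours <= req.rpo_hours]
    return min(feasible, key=lambda o: o.annual_cost, default=None)


def plan_strategies(processes: list[CriticalProcess],
                    options: list[ContinuityOption]
                    ) -> list[tuple[RecoveryRequirement, Optional[ContinuityOption]]]:
    """Order processes by MTPOD (most time-critical first) and pick a strategy for each."""
    reqs = sorted((derive_requirement(p) for p in processes), key=lambda r: r.mtpod_hours)
    return [(r, select_option(r, options)) for r in reqs]


# Constructed sample BIA data; scores and hours are illustrative only.
SAMPLE_PROCESSES = [
    CriticalProcess("Payments", {1: 1, 4: 2, 8: 3, 24: 5, 72: 5},
                    tolerable_impact=3, tolerable_data_loss_hours=1),
    CriticalProcess("Payroll", {1: 1, 4: 1, 8: 1, 24: 2, 72: 4},
                    tolerable_impact=3, tolerable_data_loss_hours=24),
    CriticalProcess("Trading", {1: 4, 4: 5, 8: 5, 24: 5, 72: 5},
                    tolerable_impact=3, tolerable_data_loss_hours=0),
]

# Constructed sample options, ordered from slowest/cheapest to fastest/dearest.
SAMPLE_OPTIONS = [
    ContinuityOption("Cold site, restore from nightly backup",
                     recovery_hours=48, data_loss_hours=24, annual_cost=20_000),
    ContinuityOption("Warm site, 4-hourly replication",
                     recovery_hours=12, data_loss_hours=4, annual_cost=60_000),
    ContinuityOption("Hot site, synchronous replication",
                     recovery_hours=2, data_loss_hours=0, annual_cost=250_000),
]

if __name__ == "__main__":
    for req, chosen in plan_strategies(SAMPLE_PROCESSES, SAMPLE_OPTIONS):
        pick = (f"{chosen.name} (${chosen.annual_cost:,}/yr)" if chosen
                else "NO OPTION MEETS REQUIREMENT - gap to raise with management")
        print(f"{req.process:9s} MTPOD={req.mtpod_hours:3d}h RTO={req.rto_hours:3d}h "
              f"RPO={req.rpo_hours:3d}h -> {pick}")
```

Running the block lists the processes with the shortest MTPOD first, which is the order in which recovery effort should be prioritised. The Payments process can only be met by the most expensive option, Payroll is satisfied by the cheaper warm site, and Trading has no feasible option at all, which is exactly the kind of gap the BIA should surface for a management decision (accept the risk, fund a faster option, or revisit the tolerance).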
Determining BCM Strategies – Considerations
Continuity Strategy for Key Processes
• Alternate processes
• Options to customers
• Alternate channels of delivery
• Alternate methods of communication
• Support to customers
Continuity Strategy for Technology
• Core / main application
• User/branch data processing
• Info. security / data transfer
• Data center / voice and communication
• IT systems
Continuity Strategy for Facilities
• Physical location/space
• Office equipment / stationery
• Power supply
• Transportation
• Communication
Developing & Implementing BCM Response
What
The GPG identifies the following stages of response:
• Emergency response – immediate actions
• Incident management – management of the response to the incident
• Business / IT continuity – the initial business response to the incident (essential activities at an acceptable level)
• Recovery – recovery of activities to a sustainable level
• Resumption – resuming operations to ‘normal’
How
Plan development includes:
• Appoint an owner
• Define the objectives and scope
• Create teams for planning and response
• Agree the responsibilities
• Document actionable steps
• Populate the plan
• Circulate and gather feedback
• Agree and validate
• Agree a program
Why
To identify and document:
• Individual and team roles
• Actions required for invocation, crisis, incident, internal and external communication, call lists, etc.
Continuity Plans - Considerations
• Simple language
• Action oriented (checklists…)
• Easy to access, maintain and navigate
• Plans are tools / guidelines to use or follow when required; do not allow them to restrict your thoughts and responses.
Exercising, Maintaining and Reviewing
What
Exercise:
• Verifies your assumptions about IT / business continuity
• Validates the effectiveness of your plan, the response of your teams and the effectiveness of your strategies
• Results offer opportunities for improvement in plans, responses and strategies
How
• Agree the scope – what are your BCM priorities?
• Engage senior stakeholders
• Communicate thoroughly – particularly with senior staff
• Plan frequently – normal business is always busy
• Make sure the exercise type fits the need
Why
• To highlight doubtful assumptions
• Provides hidden information about
• Gain confidence in exercise participants
• Raise awareness of BCM
• Verify BCP / IT continuity plan(s)
Embedding BCM into Organization Culture
What
Let the organization know about BCM, just like:
• Human Resource Management (HRM)
• Management Information System (MIS)
• Financial Management System (FMS)
• Material / Supply Chain Management
• Procurement
Involve all members of the organization, because continuity is everyone’s business.
How
• Employee handbook – guidelines
• BCM business cases
• Email messages
• Intranet BCP web site
• New employee induction program
• Interactive presentations with staff
• Organize in-house coaching sessions
Why
• Management understanding of risk / impact / threat / response
• Transformation of understanding across the organization
Thank You
Q&A Session