Business Continuity Management
Kathrin Kersten & Franziska Hain
PricewaterhouseCoopers Germany


INTRODUCTION

Kathrin Kersten
Partner, Internal Audit Services, PwC
Chartered Accountant, CISA, CRMA
Phone +49 69 9585-1201, Mobile +49 175 9365760
[email protected]

• Head of Internal Audit
• Deep knowledge in consulting the Internal Audit function of national and international SMEs
• Experience in implementation, realignment and quality assessment of Internal Audit functions
• More than 17 years of experience covering governance, risk and compliance for national and multinational companies

Franziska Hain
Senior Manager, Risk Assurance Solutions (RAS), PwC
Business Continuity & Resilience Management Expert
Phone +49 211 2084-273, Mobile +49 151 57893115
[email protected]

• ISO 22301 Lead Auditor
• Auditing and implementation of business continuity management systems according to ISO 22301 (telecommunications, insurance, defense)
• 3.5 years consulting in an auditing company at KPMG and PwC
• Over 8 years professional experience in IT outsourcing (IBM), responsible for compliance, risk and information security management

Business Continuity Management

INTERNAL AUDIT – WHY FOCUSING ON BCM?

[Chart: risk matrix with the axes "Probability of occurrence" and "Impact"; further labels on the chart: "Critical damage", "Business Continuity Management"]

B B A A
C B B A
C C B B
C C C B

Legend: A = high risk, B = medium risk, C = low risk

BCM as part of risk management:

• Audit's objective: evaluate and improve the effectiveness of governance, risk management and control processes.
• Scope: all categories of risk and their management, including reporting on them.
• Senior management needs assurance regarding the treatment of operational risk arising from low-probability, high-impact disruptive events.

ISO 22301 – BUSINESS CONTINUITY MANAGEMENT

Published in 2012 by the International Organization for Standardization (ISO)

Predecessor: BS 25999 of the British Standards Institution

International standard

Describes the requirements of a business continuity management system

The standard is subject to licence

PWC ASSESSMENT APPROACH (1/3)

BCM elements and sub-elements, each assessed on maturity levels 0 to 5. Elements 1 to 4 are assessed for functionality; element 5 is assessed for certifiability.

1 Governance (functionality)
• Scope of BCM
• BCM policy
• Roles & responsibilities
• Interfaces
• Reporting
• Provider management
• Communication

2 Business Impact Analysis (functionality)
• Concept
• Process
• Implementation

3 Contingency Plan (functionality)
• Risk analysis for scenarios
• Development of continuity strategy
• Risk analysis for critical resources
• Contingency plans
• Implementation of continuity strategy

4 Crisis Management (functionality)
• Crisis organization
• Alarm & crisis alert
• Control & monitoring
• Crisis communication
• Tests & exercises

5 PDCA/Management System (certifiability)
• Analysis of business environment
• Stakeholder analysis
• Leadership
• BC objectives
• Resources
• Competence
• Awareness
• DMS
• Management review
• Internal audit
• Improvement

Explanation

The assessment model addresses two key client requirements: first, the maturity level of a BCM's functionality and, second, the maturity level of a business continuity management system's certifiability.

Certifiability requires full fulfilment of all ISO 22301:2012 requirements.

For functionality, four maturity levels from 0 to 3 and subject areas I to IV are considered. For certifiability, in addition to fulfilling maturity level 3, two further maturity levels 4 and 5 and the additional subject area V are considered (see chart).

PWC ASSESSMENT APPROACH (2/3)

Each maturity level must be at least 75% fulfilled: if, for example, a maturity level has four requirements, the audited client must meet at least three of them. This does not apply to maturity level 0.

To reach maturity level 3, levels 1 and 2 have to be fulfilled as well.

Explanation

Maturity level 1 – achieved
• The BIA concept defines the scope of application of the business impact analysis.
• The BIA concept defines relevant criticality features for determining critical business processes.
• The BIA concept defines the risk tolerance limit/damage limit.
• The BIA concept defines damage periods.

Maturity level 2 – not achieved
• The BIA concept defines the scope of application of the business impact analysis.
• The BIA concept differentiates between business processes and support functions.
• The BIA concept defines how dependencies between business processes should be taken into account.
• The BIA concept defines the process granularity to be considered.
• The BIA concept defines the resource categories that are relevant during the BIA survey.
• The BIA concept defines relevant criticality features for determining critical business processes.
• The BIA concept defines rating scales for criticality features.
• The BIA concept defines the risk tolerance limit/damage limit.
• The BIA concept contains a damage calculation model to determine the maximum downtime / maximum tolerable period of disruption (MTPD).
• The BIA concept defines damage periods.
• The BIA concept is documented and approved by management.
• The BIA concept is accessible and known to the relevant interest groups.
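As an added example (not part of the PwC deck), the following Python encodes the scoring rule above and applies it to the BIA concept checklist on this slide: each level needs at least 75% of its requirements met, level 0 is exempt, and a level only counts once every lower level is fulfilled (the deck states this for level 3; extending it to all levels is an assumption made here). The deck says only that level 1 was achieved and level 2 was not; which individual level 2 requirements were missed in the sample result is a constructed assumption, as are all class and function names.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from math import ceil

# Minimum share of a level's requirements that must be met ("at least 75%").
FULFILMENT_THRESHOLD = 0.75


@dataclass
class MaturityLevel:
    """One maturity level of a BCM sub-element with its requirement checklist."""
    level: int
    # requirement text -> whether the audited client meets it
    requirements: dict[str, bool] = field(default_factory=dict)

    def met_count(self) -> int:
        return sum(1 for ok in self.requirements.values() if ok)

    def required_count(self) -> int:
        # Level 0 is exempt from the 75% rule, so nothing is required of it.
        if self.level == 0:
            return 0
        # ceil() gives "at least 75%": 4 requirements -> 3, 5 -> 4, 12 -> 9.
        return ceil(FULFILMENT_THRESHOLD * len(self.requirements))

    def fulfilled(self) -> bool:
        return self.met_count() >= self.required_count()


def maturity_reached(levels: list[MaturityLevel]) -> int:
    """Highest level reached, walking upward and stopping at the first
    unfulfilled level (assumption: the deck's "level 3 needs levels 1 and 2"
    rule applies to every level). Returns -1 if nothing is fulfilled."""
    reached = -1
    for lvl in sorted(levels, key=lambda item: item.level):
        if not lvl.fulfilled():
            break
        reached = lvl.level
    return reached


def level_report(levels: list[MaturityLevel]) -> dict[int, tuple[int, int, bool]]:
    """Per-level (met, required, fulfilled) tuples for the audit working paper."""
    return {lvl.level: (lvl.met_count(), lvl.required_count(), lvl.fulfilled())
            for lvl in levels}


# Level 1 requirements of the BIA concept, abbreviated from the slide.
LEVEL1_BIA_CONCEPT = [
    "scope of application",
    "criticality features",
    "risk tolerance limit/damage limit",
    "damage periods",
]

# Level 2 requirements, abbreviated from the slide: the four level 1 items
# are repeated and eight further items are added.
LEVEL2_BIA_CONCEPT = LEVEL1_BIA_CONCEPT + [
    "business processes vs. support functions",
    "dependencies between business processes",
    "process granularity",
    "resource categories for the BIA survey",
    "rating scales for criticality features",
    "damage calculation model / MTPD",
    "documented and approved by management",
    "accessible and known to interest groups",
]


def assess_bia_concept() -> tuple[int, dict[int, tuple[int, int, bool]]]:
    """Constructed audit result for the slide's example: level 1 fully met,
    level 2 only partly met (which items fail is an assumption)."""
    level1 = MaturityLevel(1, {req: True for req in LEVEL1_BIA_CONCEPT})
    # Constructed: 7 of 12 level 2 requirements met, below the 9 required.
    level2_met = set(LEVEL1_BIA_CONCEPT) | {
        "business processes vs. support functions",
        "resource categories for the BIA survey",
        "documented and approved by management",
    }
    level2 = MaturityLevel(2, {req: req in level2_met for req in LEVEL2_BIA_CONCEPT})
    levels = [MaturityLevel(0), level1, level2]
    return maturity_reached(levels), level_report(levels)


if __name__ == "__main__":
    reached, report = assess_bia_concept()
    for lvl, (met, required, ok) in sorted(report.items()):
        status = "achieved" if ok else "not achieved"
        print(f"level {lvl}: {met} met / {required} required -> {status}")
    print(f"BIA concept maturity level reached: {reached}")
```

Running the block reports level 1 as achieved (4 of 3 required), level 2 as not achieved (7 of 9 required) and an overall BIA concept maturity of 1, matching the slide; the same `MaturityLevel` checklists can be filled in for any other sub-element of the assessment table.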

PWC ASSESSMENT APPROACH (2/3)

Exemplary summary of identified weaknesses

1. Governance
• inadequate definition of the BCMS scope
• incomplete BCM policy
• unclear distribution of roles & responsibilities

2. Business Impact Analysis
• lack of coordination of the BIA methodology with senior management
• unclear criticality features

3. Emergency concept
• missing documentation of the risk method
• non-compliance during the execution of the risk process
• missing scenario consideration
• outdated emergency concept

4. Crisis management
• insufficient delimitation of incident vs. crisis
• crisis alert system not functional
• insufficient documentation of test results

5. PDCA/Management system
• missing DMS
• insufficient monitoring

BCM CLUSTER – OVERVIEW

[Diagram: BCM Cycle]

BCM CLUSTER 1 – GOVERNANCE (1/4)

Policy

The BCM policy is an internal guideline document published by the organization's senior management establishing the framework of business continuity management.

• purpose and scope are described
• relevant stakeholders/interest groups are reflected
• roles & responsibilities of the BCM organization are defined
• key requirements of BCM are reflected (e.g. the BCM cycle)
• available to relevant stakeholders in an appropriate form
• reviewed and updated according to a defined cycle or as needed

Audit Experience

[Diagram: 1. Governance – Scope, Policy, Roles & Responsibilities, Interfaces, Reporting, Provider Management, Communication]

BCM CLUSTER 1 – GOVERNANCE (2/4)

Roles & Responsibilities

The BCM organization defines the roles and responsibilities to establish, manage and control the management system for BCM.

• BCM-relevant roles/functions exist
• the area of responsibility and the tasks of BCM roles are defined and documented
• BCM roles are communicated within the company
• BCM roles are vested with the necessary authorities/competencies

Audit Experience

The BCM organization must be distinguished from the crisis organization!

BCM CLUSTER 1 – GOVERNANCE (3/4)

Interfaces

Interfaces are required to integrate the BCM into the organization.

• legal & regulatory requirements (Legal)
• scenario assessment (Risk Management)
• resilience of critical resources (Risk Management)
• information security integrated into contingency planning and crisis management (Chief Information Security Officer)

Audit Experience

Insufficient interfaces lead to a lack of acceptance of BIA data and emergency planning within the organization.

BCM CLUSTER 1 – GOVERNANCE (3/4)

Provider Management

Outsourced business processes require integration into the organization's BCM strategy and process.

• BCM criteria in the provider selection process
• technical (e.g. service level agreements) and organizational (e.g. crisis management procedure) requirements are contracted
• audit of contractual fulfilment
• involvement of the provider during testing (and vice versa)
• contingency planning responds to the outage of a provider

Audit Experience

BCM CLUSTER 2 – BUSINESS IMPACT ANALYSIS (1/2)

BIA Concept

Defining the BIA parameters, attributes and calculation method in advance is key to an economical and efficient BIA execution.

• differentiation between business and supporting processes
• criticality attributes (financial, reputational, compliance, etc.)
• risk tolerances define tolerable limits regarding damage
• interdependencies of processes
• time periods to assess the damage trend
• method of ascertaining the MTPD (Maximum Tolerable Period of Disruption)

Audit Experience

[Diagram: 2. Business Impact Analysis – Concept, Process, Implementation]

BCM CLUSTER 2 – BUSINESS IMPACT ANALYSIS (2/2)

BIA Concept

The collection and processing of BIA data depends on the scope, the organization's size and the diversity across business units.

• objectivity is ensured through the composition of the BIA template
• a consolidation format to structure and prioritize BIA data
• kick-off and briefing sessions for business units

Audit Experience

Ensure a common understanding of the meaning of BIA data across all business units in scope to avoid comparing apples and oranges!

BCM CLUSTER 3 – CONTINGENCY PLANNING (1/4)

Risk Analysis for Scenarios

The organization needs to identify the most likely scenarios to be covered by means of contingency planning.

• risk evaluation methodology
• threats and vulnerabilities are taken into account
• the evaluation of potential risks includes likelihood of occurrence and impact
• crisis scenarios are prioritized based on the risk assessment

Audit Experience

Pareto principle: the 20% of scenarios chosen on the basis of the risk assessment, and the resulting contingency strategies, should cover 80% of possible/impossible disruptive events.

[Diagram: 3. Contingency Planning – Scenarios, Critical Resources, Emergency Planning, Implementing contingency strategy]

BCM CLUSTER 3 – CONTINGENCY PLANNING (2/4)

Development of the Continuity Strategy

Contingency planning is based on the BIA results and the assessed crisis scenarios.

• contingency planning covers the key phases of a disruptive event: immediate reaction, recovery to emergency operation, emergency operation, recovery to normal operation
• alternative continuity strategies are assessed by a cost-benefit analysis
• synchronization of the continuity strategies of supporting processes (IT, personnel, infrastructure, etc.) with those of the business processes

Audit Experience

BCM CLUSTER 3 – CONTINGENCY PLANNING (3/4)

Risk Analysis for Critical Resources

Identified critical resources required during a disruptive event necessitate resilience.

• risk assessment according to the organization's risk methodology
• execution of the risk treatment plan

Audit Experience

Building resilience for critical resources is key to functioning during a crisis situation and to activating emergency plans.

BCM CLUSTER 3 – CONTINGENCY PLANNING (4/4)

Emergency Plans

Identified critical resources required during a disruptive event necessitate resilience.

• emergency plans are kept up to date, with a procedure to ensure their currency
• role-based plans
• checklist character

Audit Experience

During a disruptive event there is no time to read emergency plans that run to a huge number of pages and contain conceptual information.

BCM CLUSTER 4 – CRISIS MANAGEMENT (1/4)

Crisis Organization

The crisis organization takes over during a disruptive event.

• roles & responsibilities of the crisis organization are defined
• the crisis leader is vested with the required authorities/competences
• the extended crisis team consists of subject matter experts

Audit Experience

Authority to give directives is "replaced" by the crisis organization in case of a disruptive event.

[Diagram: 4. Crisis Management – Crisis organization, Alarm & crisis alert, Control & monitoring, Crisis communication, Test & exercise]

BCM CLUSTER 4 – CRISIS MANAGEMENT (2/4)

Alarm & Crisis Alert

The proclamation of a crisis represents the entrepreneurial decision to have a dedicated team (the crisis organization) take over the lead and to facilitate the investment required to activate emergency plans.

• incident sources and alarm channels are combined within an alarm system
• business units hold criteria for alerting senior management
• criteria describe the conditions under which a crisis/emergency is proclaimed
• the proclamation of a crisis is reserved to the competence of senior management

Audit Experience

BCM CLUSTER 4 – CRISIS MANAGEMENT (3/4)

Crisis Communication

Crisis communication is a major part of preparing proactively for a disruptive event.

• internal and external stakeholders are integrated into a communication strategy
• press management and social media are in focus
• communication with authorities
• media portfolio
• means of communication are tested
• escalation and reporting structure

Audit Experience

Unprepared communication in a crisis is time-consuming and highly error-prone.

BCM CLUSTER 4 – CRISIS MANAGEMENT (4/4)

Test & Exercise

Tests and exercises prove the functionality of emergency plans and of the crisis management process.

• testing of contingency plans (continuity strategies) and emergency plans based on crisis scenarios
• test objectives are functionality and consistency
• recommendations and improvement measures

Audit Experience

Evacuation testing is, in the first place, a health and safety requirement, whereas BCM testing focuses on business process interruption based on a defined scenario.

BCM CLUSTER 5 – MANAGEMENT SYSTEM

Management System

The management system combines all elements to cover the PDCA cycle.

• the stakeholder analysis identifies the intended contributions and benefits with regard to the BCM
• the contribution of senior management, resource allocation and awareness measures together form the baseline for an effective BCM
• documentation management serves as a major tool
• regular reviews (management and internal audit) identify improvements

Audit Experience

OUR BCM SERVICE PORTFOLIO

[Diagram: Business Continuity Services – Assessment, Implementation, Simulation]

Assessment
• Assessment according to ISO 22301:2012 Business Continuity Management
• Development of implementation roadmaps

Implementation
• BCM Policy & Governance
• Business Impact Analysis
• Contingency and Recovery Planning
• Risk Management
• Crisis process and structures

Simulation
• Development of scenario-based simulation trainings
• Execution of testing and simulation

THANK YOU