Assess Your Business Continuity Management Process


Review your Business Continuity Management Processes

Transcript of Assess Your Business Continuity Management Process

Page 1: Assess Your Business Continuity Management Process

Business Continuity Management

Is your BCM Framework comprehensive & tested?

Anand Subramaniam

Page 2

“People with opinions just go around bothering one another.”

- The Buddha

Page 3

Highlights

• BCP Overview
• Risk Management - AS/NZS 4360:99
• Planning Consideration
• BCP Planning & Recovery Process
• Assessment / Questionnaire

Page 4

BCM Overview

Page 5

Business Continuity Management (BCM)

Business Continuity Planning: to maintain continuity of critical processes & functions, e.g.:
• customer service
• administration
• billing

Crisis Management: organisation & ability to manage any crisis or disaster

IT (Disaster) Recovery Planning: recovery of critical systems and applications

Page 6

Context - BCM, BCP & DRP

Business Continuity Management: Overall Approach to Business Continuity

Business Continuity Plans: Address Continuity of Processes

IT Disaster Recovery Plans: One Specific Type of Plan

Page 7

BCM – Success Criteria

• Commitment
• Organisation
• Communication
• Testing & training
• Plan maintenance & review

Page 8

Example - Process Drivers

• Supply Chain Network Risks
• Limited Redundancy in Operations
• Just in Time Operations - JIT, Lean
• Low Maximum Acceptable Downtime
• Single Points of Failure in Operations
• Financial, Reputation, Legal, Market Risks
• Reliance Upon Technology to Accomplish Job

Page 9

Following a Crisis… Insurance won’t:
• Address customer migration
• Restore damage to company image
• Retain customer confidence and market share
• Replace valuable employees or improve employee morale
• Develop and bring new products into the marketplace

Page 10

Goals

Integrate Operational and Business Risk Reduction with Business Continuity

Create a Risk Reduction / Disaster Resistance Mentality

Cover all aspects of the Response / Recovery process from Emergency Response through Business Recovery

Integrate all key aspects of planning: Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption

Page 11

Incident Overview

[Flowchart on the slide, reconstructed as text]

Incident → Incident reporting & escalation

Is it an IT ‘disaster’?
• Yes: Invoke DRP; convene DMT to coordinate DRP → Restore hardware & communications → Applications & data recovery (from off-site back-up) → Resume normal IT operations
• No: Business as usual

Is it a ‘crisis’?
• Yes: Convene CCT → Implement BCPs for business processes; Manage salvage & repair; Manage HR & PR issues → Process restoration & data catch-up → Business resumption & cost recovery → Resume business as usual
• No: Resume business as usual

Page 12

Incident Management

Respond
• Identify, report & assess incident/crisis
• Emergency procedures
• Escalate, activate CMT
• Isolate/contain damage

Restore
• Stabilise - CMT coordinates company-wide response
• Damage control
• Short-term restoration of operations & customer service
• Work-arounds & BCPs
• Manage indirect consequences, e.g. media coverage

Recover
• Assess impact (cost)
• Repair damage
• Recover image & market share
• Cost recovery, e.g. insurance

Page 13

Risk Management - AS/NZS 4360:99

Page 14

Risk Management Process (AS/NZS 4360:99)

[Process diagram on the slide, reconstructed as text]

• Establish context
• Identify risks (Assessment)
• Analyse risks (Assessment)
• Evaluate & prioritise risks (Assessment)
• Treat risks

Consultation and Communication, and Monitor & Review, run alongside every step.

Page 15

Risk Management Components

Business Continuity & Contingency Planning (Reactive - minimises impact or consequences)

Risk Control (Proactive - minimises risk exposure and reduces likelihood, e.g. Security)

Risk Transfer (Insurance & Contracts - manages cost of risk)

Page 16

Planning Consideration

Page 17

Set the Scene

• BCM Team
• Business Unit - BCPs
• BCM Project / Program
• Business Impact Analysis
• Identify key business processes
• Incident/Crisis Management Organisation
• Risk identification, assessment & treatment

Page 18

Identify / Prioritise Key Business Processes

Vital: not easily transferred or replaced; low tolerance, high cost of interruption; data may be permanently damaged/lost

Important: can be partially transferred for a limited period; moderate tolerance; potentially high cost of interruption

Deferrable: can be interrupted for an extended period; minor inconvenience

Page 19

Business Impact Analysis

Key Resources: examines dependency of Vital & Important processes on Key Resources

MTO: determines the Maximum Tolerable Outage (MTO), i.e. the restoration timeframe, for each resource
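An added example (not from the deck) of the BIA step above: it assumes constructed process and resource data, derives each resource's MTO as the tightest tolerable outage among the Vital and Important processes that depend on it, and also lists resources shared by several critical processes, the single points of failure named on the process-drivers slide.

```python
"""Business Impact Analysis helper: derive per-resource Maximum Tolerable
Outage (MTO) from the tolerance of the Vital and Important processes that
depend on each key resource. Sample data below is constructed, not from the deck."""
from dataclasses import dataclass, field

CRITICAL = {"Vital", "Important"}  # Deferrable processes do not drive MTO


@dataclass
class Process:
    name: str
    category: str              # Vital | Important | Deferrable
    tolerable_outage_h: float  # hours the business can tolerate this process down
    resources: list = field(default_factory=list)  # key resources it depends on


def resource_mto(processes):
    """Return {resource: MTO hours}: the shortest tolerable outage among the
    Vital/Important processes depending on it, i.e. its restoration deadline."""
    mto = {}
    for p in processes:
        if p.category not in CRITICAL:
            continue
        for r in p.resources:
            mto[r] = min(mto.get(r, float("inf")), p.tolerable_outage_h)
    return mto


def single_points_of_failure(processes, min_dependents=2):
    """Resources on which at least `min_dependents` Vital/Important processes rely."""
    count = {}
    for p in processes:
        if p.category in CRITICAL:
            for r in p.resources:
                count[r] = count.get(r, 0) + 1
    return sorted(r for r, n in count.items() if n >= min_dependents)


SAMPLE = [  # constructed illustration, hypothetical resource names
    Process("Customer service", "Vital", 4, ["CRM", "Telephony", "Network"]),
    Process("Billing", "Important", 24, ["ERP", "Network"]),
    Process("Administration", "Deferrable", 120, ["ERP", "File server"]),
    Process("Payroll", "Important", 72, ["ERP"]),
]

if __name__ == "__main__":
    for r, h in sorted(resource_mto(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{r:12s} MTO = {h:>5.0f} h")
    print("Single points of failure:", single_points_of_failure(SAMPLE))
```

Note that "File server" gets no MTO because only a Deferrable process uses it, while "Network" inherits the 4-hour deadline of customer service even though billing alone would tolerate 24 hours.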

Page 20

BCP Components

• Objectives, scope, possible scenarios
• Organisation, responsibilities & communications
• Incident impact assessment, escalation & plan invocation
• Procedures & checklists for phases: Respond; Restore (Vital & Important processes); Recover
• Emergency contact lists
• Document control & maintenance

Page 21

BCP – Planning Consideration

• Emergency Response Planning
• Business Resumption Planning
• Crisis Management and Communication
• Staff
• Public relations
• Continuity of Customer Service
• Information Technology & Services
• Salvage & restoration of documents (e.g. licenses), records and artifacts

Page 22

BCP Planning & Recovery Process

Page 23

BCP – Operation Flow

• Every operation is different…
• The response process is similar…
• Can be modelled to any operation
• The flowchart that follows depicts a typical recovery sequence
• It identifies the key escalation points, and the plans that are activated

Page 24

Key Factors

Each step in process can be defined and measured

Can form measurement grid for process

Provide an indication of the issues to be addressed at each step in the process

Page 25

BCP Planning & Recovery Process

[Process diagram on the slide, reconstructed as text]

Pre-Incident Planning Process:
• Step 1: Risk Identification
• Step 2: Risk Quantification
• Step 3: Risk Mitigation

Incident

Post-Incident Response Planning Process:
• Step 4: Emergency Response
• Step 5: Crisis Management
• Step 6: Business Resumption

Page 26

Step 1 - Risk Identification

• Physical risks identified
• Operational risks identified
• Critical single-source suppliers identified
• Revenue impact potential identified
• Contractual/Regulatory exposures identified
• Process flow mapped

Page 27

Step 2 – Risk Quantification

Physical risk controls identified and evaluated for effectiveness

Operational risk controls identified and evaluated for effectiveness

Residual risk identified and translated to outage and impact potential

Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.

Risk and impact quantification used to develop mitigation priorities

Page 28

Step 3 – Risk Mitigation

Future mitigation priorities supported by risk identification and quantification

Physical and Operational risk reduction from mitigation quantified

Mitigation issues assigned time frame and responsibility

Review process addresses mitigation issue resolution

Page 29

Step 4 – Emergency Response

• Emergency Response Team is in place and trained
• All potential hazard scenarios are considered
• Evacuation and Take Cover procedures are in place and tested
• Employee gathering spots are defined
• Plan addresses notification and direction of police, fire, EMS, and Utilities
• Restoration and Reconstruction contractors identified and engaged
• Damage Assessment Team and Plan is developed

Page 30

Step 5 – Crisis Management

• Roles and Responsibilities are detailed
• CMT directs both Restoration and Resumption
• Disaster Declaration criteria / decision points are defined
• Facility Crisis Management Team identified and complete
• Crisis Communications Plan is in place for all affected / interested parties
• Damage Assessment reporting is linked with CMT operations
• CMT is the focal point for local recovery and Corporate liaison

Page 31

Step 6 – Business Resumption

• Restoration of Host Site is addressed
• Manufacturing Contingency Plans are in place
• Mitigation of customer impact is captured in the plan
• Alternative Production operations are defined in detail
• IT and Telecommunications recovery plan is identified
• Recovery teams are identified with detailed Roles and Responsibilities
• Restoration of productive capacity and capability with timeframes

Page 32

Response - Key Elements

Emergency Response Team: Safety, Security, Medical, Line Management, Environmental

Crisis Management Team: Senior leadership, Operations Management

Damage Assessment Team: Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security

Crisis Communications: HR / Communication Specialists

Business Resumption: Line Management and Staff

Page 33

Assessment / Questionnaire

Page 34

Management

Do you have a clearly defined, documented and approved management process to manage the BCM program?

Does your BCM program clearly identify and comply with regulatory, legal, policy and principle requirements?

Are there professionally qualified BCM practitioners involved in the implementation of this program?

Have overall accountability and responsibilities for the management of the BCM program been clearly defined and documented?

Have you successfully demonstrated (including crisis management) competence and capability via exercising, rehearsal and testing or invocation?

Does your BCM program incorporate the allocation of dedicated resources and finance as a part of the annual budget development and management process?

Does your program provide assurance that suppliers (internal and/or outsourced providers) have an effective, up-to-date and fit-for-purpose BCM capability?

Do you have a Management Information System (MIS) to monitor and provide regular reports concerning the status of BCM?

Page 35

Policy

Do you have a clearly defined, documented and approved BCM policy?

Does your BCM policy enable corporate governance, the discharge of its responsibilities and satisfaction of its legal and regulatory obligations?

Does the policy provide a clearly defined, documented and approved set of BCM guidelines and minimum standards?

Does your policy provide a clearly defined, documented and approved independent audit process including frequency and triggers of your BCM capability?

Page 36

Assurance

Do you have a clearly defined, documented and approved BCM assurance management process and frequency?

Do you have clearly defined, documented and approved KPIs (objectives, targets and standards) for BCM?

Do you have a clearly defined and documented monitoring, evaluation and review process for your BCM KPIs?

Does the assurance process provide clearly defined, documented and approved management information assurance reports?

Does your assurance process provide clearly defined, approved, prioritised and documented remedial action plan(s) to implement the agreed recommendations?

Page 37

Business Impact Analysis

Have you adopted a clearly defined and documented standard BIA process (insourcing and outsourcing)?

Was the current BIA completed within the last 12 months?

Does your BIA identify resource recovery requirements?

Do you have a process to ensure that a BIA is carried out as a part of all project and change management including new developments of (and major changes to) IT systems, services and their sourcing?

Page 38

Risk Assessment

Do you have a clearly defined, documented and approved risk management strategy?

Do you have an approved standard process to carry out an operational risk assessment?

Do you have a clearly defined and documented process to ensure the approved risk methodology, tools, techniques and criteria are consistently applied?

Do you have a clearly defined, documented and approved organisation risk appetite benchmark, including the acceptance of residual risk?

Has a risk assessment been completed within the last 12 months?

Have you identified areas of high risk concentration and introduced risk management controls (an action plan) to eliminate, mitigate, reduce or transfer the effects of identified key threats, vulnerabilities, exposures or liabilities?

Page 39

Organisation Process Strategy

Is your BCM strategy clearly aligned / linked to the overall strategic aims and business strategies?

Do you have a clearly defined, documented and approved BCM framework?

Have you identified key roles, responsibilities and authorities for the BCM strategy?

Has the selected process level BCM strategy(ies) been fully evaluated to ensure fit-for-purpose and capable of working within the required timescales?

Page 40

Resource Recovery

Do you have a clearly defined, documented and approved resource recovery strategy?

Does the resource recovery strategy incorporate the resource recovery requirement from the BIA?

Have the key roles, accountabilities, responsibilities and authorities within the resource recovery BCM strategy been clearly defined and documented?

Have both technical (e.g. IT, telecommunications) and non-technical issues been considered within the resource recovery strategy?

Has the insourcing and outsourcing of your products and services been included within the resource recovery?

Page 41

BCM Implementation

Human Resources

Do you have mandatory instructions, advice, process, procedure or guidelines concerning
• casualties and fatalities
• confidential staff counseling and staff welfare?

Communication

Do you have instructions, advice, process, procedure or guidelines concerning internal and external communications?

Page 42

Implementation (Contd.)

Information Technology & Communication (ITC)

Do you have ITC resumption and recovery strategies? Have these been clearly documented?

Have you identified a technical recovery site which would not be affected by the same incident?

Have your business owners, technical and/or specialist third-party service providers successfully tested the resumption and/or recovery of the IT systems and software?

Is there an inventory of all IT systems software and a process for its restoration, including licensing arrangements?

Are there arrangements in place for specialist software in escrow?

Are there SLAs in place, and have they been tested in case of disaster?

Page 43

Implementation (Contd.)

Security

Have you tested the appropriate physical security and environmental controls?

Insurance

Are insurance policies and their coverage limits reviewed regularly for adequacy and cost benefit?

Checklist / Forms

Is there an up-to-date task list that clearly identifies both mandatory and discretionary tasks together with the individuals accountable or responsible for their completion within an allocated timeframe?

Do you provide an auditable process for tracking and recording the completion of the BCP task list after the plan has been invoked and any additional on-going tasks?

Are there up-to-date (internal and external) contact lists of all stakeholders, including key service providers / contractors?

Does the BCP provide a situation management and decision log template?

Page 44

Implementation (Contd.)

Data

Are there clearly defined backup procedures for all applications, hardware and data (both electronic and paper, e.g. records, unique records or documents), and clearly defined recovery and restoration processes and procedures in place?

Can vital records (both electronic and paper) and their dependencies be recovered simultaneously at more than one disaster site if required?

Business Process

Do you have a process for recovering work in progress and work backlog processing?

Do you have a process for the provision of manual operations and fallback solutions and related activities wherever gaps exist between IT resumption and/or recovery capabilities and BCM needs?

Do you have a clearly defined change control process to ensure BCM requirements and selected BCM solutions are maintained in an up-to-date and fit-for-purpose status?

Emergency Procedures

Do you have documented emergency evacuation procedures, and when were they last tested?

Page 45

Training & Culture

Do you have a clearly defined, published and approved BCM vision and policy statement?

Are there training / cultural programs in place to achieve the outcomes?

Have your BCM policy, principles and program been communicated?

Does your executive or senior and middle management proactively demonstrate its support and strong commitment to the BCM vision, policy and program?

Are the implementation and maintenance of the BCM policy and principles strictly monitored and evaluated?

Are BCM roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organisation?

Is your BCM integrated with the reward, recognition, performance management and appraisal system?

Do you have clearly defined and documented KPIs for BCM?

Is there a formal BCM awareness or induction training program for all new and existing managers and staff?

Page 46

Current State Assessment

Page 47

“Sometimes, the question is more important than the answer.”

- Plato

Page 48

Good Luck

http://www.linkedin.com/in/anandsubramaniam