Business Continuity Management (BCM) - IIRSM September 2017.pdf · 2 Business Continuity Management...

arkan.ae


Business Continuity Management (BCM)

The Integration of Tactical Response and Strategic Business Recovery Overview

Frank Higgins, Group HSE Manager, Arkan Building Materials Co. PJSC

6th September 2017


Are You Prepared?


Overview

Business Continuity & Disaster Recovery

Definition

• Is the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

(Source: ISO 22313/22301)

Business Continuity

• Overall continuation of business functions during an emergency event

Disaster Recovery

• Recovery of the systems, applications and processing capabilities

Availability & Resiliency

Process

• A business process is functional, available, and remains available even during potential impacting events

Application

• Available for use by the organization based on requirements

• Remains available even during potential outage events


UAE BCM Culture

The United Arab Emirates (UAE) has rightly acknowledged the importance of BCM, and the National Emergency Crisis and Disasters Management Authority (NCEMA) has published the country’s Business Continuity Standard (NCEMA7001). The new UAE Business Continuity Management Standard aims to ensure all organizations across the country have a clear understanding of BCM.

This White Paper identifies:

• Key requirements in the Business Continuity Management Standard and Guide.

• How solutions can help UAE organizations, public sector and commercial, achieve their business continuity planning objectives.

• How you can meet the legislative demands of the Business Continuity Management Standard and Guide.

• How the organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period.


Why BCM

It is the right thing to do for our stakeholders, staff, customers and communities

It ensures compliance with our ever-increasing regulatory requirements

It enhances our ability to avoid:

• Interruptions to operations & product delivery

• Financial losses

• Regulatory fines

• Damage to equipment

• Demands From Customers

• Cost Of Insurance

• Identify New Threats & Risks

Consequences of No BCM

• Loss Of Customers or Inability to Attract New Customers

• Loss Of Revenue

• Decrease In Stock Value

• Increase Of Insurance Premiums

• Loss Of Assets And Employees

• Regulatory Sanctions


Governance


Leadership & Outcomes

The organization’s senior management team is responsible for overseeing the business continuity planning process, which includes:

• Establishing policy by determining how the institution will manage and control identified risks;

• Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP;

• Ensuring that the BCP is reviewed and approved at least annually;

• Ensuring employees are trained and aware of their roles in the implementation of the BCP;

• Ensuring the BCP is regularly tested;

• Reviewing the BCP testing program and test results on a regular basis; and

• Ensuring the BCP is continually updated to reflect the current operating environment.


Methodology


Planning Cycle

Assess Risk & Analyze Business Impacts

Develop Mitigation Strategies

Implement Strategies

Document Strategies

Test Capabilities

Update & Maintain Plans

Consistent Approach

• Identifying

• Analyzing

• Designing

• Executing

• Testing


Program Management


Process Mapping

Program Policies & Procedures

• Policy statement

• Management commitment

• Program procedures and resources

• Roles, responsibilities, and authorities

Implementation & Operations Controls

• Operational procedures

• Awareness and training

• Communications and warning

• Document and information control

• Resources and finances

• Incident management (procedures and controls for before, during and after a disruption including prevention, mitigation, response and recovery)

Checking and Evaluation

• Exercises and testing

• Nonconformity and problem analysis

• Internal audits (system)

Review, Maintenance, Improvement

• Corrective action process (acting on problems)

• Program revision and improvement

Planning

• Prioritization

• Objectives and targets

• Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery

Analysis

• Risk assessment

• Impact analysis

• Criticality analysis

• Resource analysis

• Analysis of legal and other requirements


Business Impact Analysis (BIA)


BIA

Effective Business Continuity Management (BCM) starts with identifying all functions within and services delivered by the organisation.

A business impact analysis (BIA) is the primary tool for gathering this information and then assigning each with a level of criticality.

OUR PEOPLE WILL FIGURE IT OUT


BIA

What are your critical business functions?

What are the functions you perform to support other departments’ critical business functions?

Resources needed

Impact on Safety/Operations/Environment/Customers

Financial impact/Cashflow/Salaries/Accounts Payable/Accounts Receivable/Markets

Customer/Reputation impact


BIA

Objective / Task / Deliverable

To determine recovery priority based on business objectives;

Identify critical business functions (CBF)

Define corporate & business units’ Minimal Business Continuity Objectives

Determine financial & non-financial impact on unavailability of business functions

Assess business functions’ loss impact over time

Identify interdependencies & vital records

Consolidate quantitative & qualitative impacts due to unavailability of business functions

Recovery Time Objective (RTO) for each business function

Critical systems & applications, their representative & Recovery Point Objective (RPO)


Business Impact Analysis

Activities that cannot tolerate any disruption

Activities which can tolerate very short periods of disruption

Activities which could be scaled down if necessary for short periods of time

Activities which could be suspended if necessary

Impact Analysis & BCM Planning Process

Risk Analysis

Identification

Analysis

Evaluate

Treatment

Monitoring

Risk Treatment Strategies

Accept

Transfer

Reduce

Avoidance

Business Continuity Planning

Treatment of risks that could potentially interrupt business operations

Business Impact Analysis

Recovery Strategy

Plan Development

Testing & Exercising

Program Management

Communication & Consultation

Monitoring & Review


BIA


Risk Response Choices


Response Choices

1. Tolerate: Accept the existing risk and impacts and do nothing

2. Transfer: Insurance, outsourcing (not all risks are transferable)

3. Terminate: Change, suspend, or terminate

4. Treat: Business Continuity – improve an organization’s resilience to the event (prevention, mitigation, preparedness, monitoring, response and recovery programs)

Questions?


Where Are You

Risk

Resilience