Business Continuity Management (BCM) - IIRSM September 2017
arkan.ae
Business Continuity Management (BCM)
The Integration of Tactical Response and Strategic Business Recovery Overview
Frank Higgins, Group HSE Manager, Arkan Building Materials Co. PJSC
6th September 2017
Are You Prepared?
Overview
Business Continuity & Disaster Recovery
Definition
• Business continuity is the capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
(Source: ISO 22313/22301)
Business Continuity
• Overall continuation of business functions during an emergency event
Disaster Recovery
• Recovery of the systems, applications and processing capabilities
Availability & Resiliency
Process
• A business process is functional, available, and remains available even during potential impacting events
Application
• Available for use by the organization based on requirements
• Remains available even during potential outage events
UAE BCM Culture
The United Arab Emirates (UAE) has rightly acknowledged the importance of BCM, and the National Emergency Crisis and Disasters Management Authority (NCEMA) has published the country's Business Continuity Standard (NCEMA 7001). The new UAE Business Continuity Management Standard aims to ensure all organizations across the country have a clear understanding of BCM.
This White Paper identifies:
• Key requirements in the Business Continuity Management Standard and Guide.
• How solutions can help UAE organizations, public sector and commercial, achieve their business continuity planning objectives.
• How you can meet the legislative demands of the Business Continuity Management Standard and Guide.
• How the organization can continue to operate in case of serious incidents or disasters and recover to an operational state within a reasonably short period.
Why BCM
It is the right thing to do for our stakeholders, staff, customers and communities
It ensures compliance with our ever increasing regulatory requirements
It enhances our ability to avoid:
• Interruptions to operations & product delivery
• Financial losses
• Regulatory fines
• Damage to equipment
It also helps us to:
• Meet demands from customers
• Manage the cost of insurance
• Identify new threats & risks
Consequences of No BCM
• Loss Of Customers or Inability to Attract New Customers
• Loss Of Revenue
• Decrease In Stock Value
• Increase Of Insurance Premiums
• Loss Of Assets And Employees
• Regulatory Sanctions
Governance
Leadership & Outcomes
The organization’s senior management team is responsible for overseeing the business continuity planning process, which includes:
• Establishing policy by determining how the institution will manage and control identified risks;
• Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP;
• Ensuring that the BCP is reviewed and approved at least annually;
• Ensuring employees are trained and aware of their roles in the implementation of the BCP;
• Ensuring the BCP is regularly tested;
• Reviewing the BCP testing program and test results on a regular basis; and
• Ensuring the BCP is continually updated to reflect the current operating environment.
Methodology
Planning Cycle
Assess Risk & Analyze Business Impacts
Develop Mitigation Strategies
Implement Strategies
Document Strategies
Test Capabilities
Update & Maintain
Plans
Consistent Approach
• Identifying
• Analyzing
• Designing
• Executing
• Testing
Program Management
Process Mapping
Program Policies & Procedures
• Policy statement
• Management commitment
• Program procedures and resources
• Roles, responsibilities, and authorities
Implementation & Operations
• Controls
• Operational procedures
• Awareness and training
• Communications and warning
• Document and information control
• Resources and finances
• Incident management (procedures and controls for before, during and after a disruption, including prevention, mitigation, response and recovery)
Checking and Evaluation
• Exercises and testing
• Nonconformity and problem analysis
• Internal audits (system)
Review, Maintenance, Improvement
• Corrective action process (acting on problems)
• Program revision and improvement
Planning
• Prioritization
• Objectives and targets
• Strategic and tactical plans for prevention, deterrence, readiness, mitigation, response, continuity, and recovery
Analysis
• Risk assessment
• Impact analysis
• Criticality analysis
• Resource analysis
• Analysis of legal and other requirements
Business Impact Analysis (BIA)
BIA
Effective Business Continuity Management (BCM) starts with identifying all functions within and services delivered by the organisation.
A business impact analysis (BIA) is the primary tool for gathering this information and then assigning each function and service a level of criticality.
OUR PEOPLE WILL FIGURE IT OUT
BIA
What are your critical business functions?
What functions do you perform to support other departments' critical business functions?
Resources needed
Impact on Safety/Operations/Environment/Customers
Financial impact/Cashflow/Salaries/Accounts Payable/Accounts Receivable/Markets
Customer/Reputation impact
BIA
Objective
• To determine recovery priority based on business objectives
Tasks
• Identify critical business functions (CBF)
• Define corporate & business units' Minimal Business Continuity Objectives
• Determine financial & non-financial impact of unavailability of business functions
• Assess business functions' loss impact over time
• Identify interdependencies & vital records
Deliverables
• Consolidated quantitative & qualitative impacts due to unavailability of business functions
• Recovery Time Objective (RTO) for each business function
• Critical systems & applications, their representative & Recovery Point Objective (RPO)
Business Impact Analysis
Activities that cannot tolerate any disruption
Activities which can tolerate very short periods of disruption
Activities which could be scaled down if necessary for short periods of time
Activities which could be suspended if necessary
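The following worked example is added here and is not part of the original presentation. It shows how the BIA deliverables can be derived mechanically from workshop data: impact-over-time scores give an RTO for each business function, the RTO places the function in one of the four activity tiers above, and the interdependency list rolls the tightest RTO and RPO up to each critical system or application. The 1-5 impact scale, the intolerable-impact threshold, the tier bands and the sample functions are all assumptions chosen for illustration.

```python
"""Worked BIA example: derive RTO, criticality tier and per-system RTO/RPO
from impact-over-time assessments. Added illustration, not from the original
slides; scales, thresholds and sample data are assumptions."""
from dataclasses import dataclass

INTOLERABLE_IMPACT = 4  # assumed: on a 1-5 scale, 4 or more is unacceptable to the business

# The four activity tiers from the slide, mapped to assumed RTO bands (hours)
TIERS = [
    (0, "cannot tolerate any disruption"),
    (4, "can tolerate very short periods of disruption"),
    (24, "could be scaled down for short periods"),
    (float("inf"), "could be suspended if necessary"),
]


@dataclass
class BusinessFunction:
    name: str
    impact_over_time: dict   # {outage hours: impact score 1-5}, as assessed in BIA workshops
    systems: tuple           # critical systems/applications this function depends on
    data_loss_tolerance_hours: float  # work that could be re-keyed or reconstructed -> RPO


def derive_rto(fn):
    """Latest assessed outage duration whose impact is still below the intolerable level.
    Returns 0 when even the shortest assessed outage is intolerable."""
    rto = 0
    for hours in sorted(fn.impact_over_time):
        if fn.impact_over_time[hours] >= INTOLERABLE_IMPACT:
            break
        rto = hours
    return rto


def criticality_tier(rto_hours):
    """Map an RTO onto the slide's four tiers using the assumed bands."""
    for upper_bound, label in TIERS:
        if rto_hours <= upper_bound:
            return label
    return TIERS[-1][1]


def recovery_priority(functions):
    """Functions ordered for recovery: shortest RTO first, then highest peak impact."""
    ranked = sorted(
        functions,
        key=lambda f: (derive_rto(f), -max(f.impact_over_time.values())),
    )
    return [(f.name, derive_rto(f), criticality_tier(derive_rto(f))) for f in ranked]


def system_objectives(functions):
    """Interdependency roll-up: a shared system must meet the tightest RTO and
    RPO of every business function that depends on it."""
    rto, rpo = {}, {}
    for f in functions:
        for s in f.systems:
            rto[s] = min(rto.get(s, float("inf")), derive_rto(f))
            rpo[s] = min(rpo.get(s, float("inf")), f.data_loss_tolerance_hours)
    return rto, rpo


# Constructed sample data for a building-materials plant (not real assessments)
PLANT_CONTROL = BusinessFunction("Plant control", {1: 5, 4: 5, 24: 5, 72: 5}, ("SCADA", "LAN"), 0)
ORDER_PROCESSING = BusinessFunction("Order processing", {1: 2, 4: 3, 24: 4, 72: 5}, ("ERP", "LAN"), 1)
PAYROLL = BusinessFunction("Payroll", {1: 1, 4: 1, 24: 2, 72: 4}, ("ERP", "HR system"), 24)
MARKETING = BusinessFunction("Marketing campaigns", {1: 1, 4: 1, 24: 1, 72: 2}, ("CRM",), 168)
FUNCTIONS = (PLANT_CONTROL, ORDER_PROCESSING, PAYROLL, MARKETING)

if __name__ == "__main__":
    for name, rto, tier in recovery_priority(FUNCTIONS):
        print(f"{name:20} RTO {rto:>3}h  {tier}")
    sys_rto, sys_rpo = system_objectives(FUNCTIONS)
    for s in sys_rto:
        print(f"  {s:10} RTO {sys_rto[s]:>3}h  RPO {sys_rpo[s]:>3}h")
```

The roll-up is the part worth keeping in mind when the BIA is handed to IT: the ERP here inherits a 4-hour RTO and a 1-hour RPO from order processing even though payroll, which also uses it, could wait a day, so recovery strategies and backup frequency must be set by the most demanding dependent function, not the average one.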
Impact Analysis & BCM Planning Process
Risk Analysis
• Identification
• Analysis
• Evaluation
• Treatment
• Monitoring
Risk Treatment Strategies
• Accept
• Transfer
• Reduce
• Avoidance
Business Continuity Planning (treatment of risks that could potentially interrupt business operations)
• Business Impact Analysis
• Recovery Strategy
• Plan Development
• Testing & Exercising
• Program Management
(Diagram labels: Communication & Consultation; Monitoring & Review; BIA)
Risk Response Choices
Response Choices
1. Tolerate: Accept the existing risk and impacts and do nothing
2. Transfer: Insurance, outsourcing (not all risks are transferable)
3. Terminate: Change, suspend, or terminate
4. Treat: Business Continuity – improve an organization's resilience to the event (prevention, mitigation, preparedness, monitoring, response and recovery programs)
Questions?
Where Are You? (On the scale from Risk to Resilience)