
Business Continuity Management or Risk Management? Aligning Expectations for Business Strategies by Dr Goh Moh Heng

Page 1: Business Continuity Management or Risk Management? Aligning Expectations for Business Strategies by Dr Goh Moh Heng

Welcome

Page 2

Navigating Through Uncertainties of Risk

Dr Goh Moh Heng PhD BCCE DRCE BCCLA

President

Page 3

BCM Institute

• Started in January 2005.
• Provide competency based BC-DR training to all levels.
• Certify BC-DR professionals globally.
• Started Certification programme in April 2007.
• More than 1500 professionals from 850 organizations and 40 countries.

Page 4

Professional Certification

Business Continuity

IT Disaster Recovery

BCM Audit

Membership

Page 5

22 Sep 2011 Kuala Lumpur, Malaysia

Business Continuity Management or Risk Management? Aligning Expectations for Business Strategies

Dr. Goh Moh Heng PhD BCCE DRCE BCCLA

President, BCM Institute and Managing Director, GMH Continuity Architects

Page 6

Agenda

• BC Planning Methodology: Risk Analysis and Review
• Risk Assessment Process: step by step
• Achieving Certification

Page 7

Source: Goh, Moh Heng (2008): Analyzing and Review the Risk for Business Continuity Planning ISBN: 978-981-05-9215-8

BCM Planning Methodology

Page 8

Risk Analysis & Review

(Figure: the risk analysis and review cycle: Identify → Analyse → Evaluate → Treat → Implement & Monitor)

Page 9

Identify Assets & Threats


• Identify Organisational Assets

• Identify Threats

Page 10

Identify Organisational Assets

• Assets essential to carry out the mission
• Examples: Facilities, People, Data, Software, Applications, Equipment

Page 11

Identify Threats

Natural
• Tornado (wind storm)
• Thunderstorm and hail storm
• Lightning and electrical storm
• Snow and winter ice storm
• Typhoon and hurricane
• Flood and other water-based incident
• Earthquake
• Mudslide
• Volcanic eruption and ash fallout
• Tsunami
• Large natural fire
• Epidemic and pandemic

Man-Made
• Toxic and radioactive contamination
• Sabotage (both external and internal)
• Riot, civil disorder and coup
• Fraud and embezzlement
• Accidental explosion (on and off site)
• Water leak and plumbing failure
• Workplace violence
• Terrorism
• Aircraft crash
• Vandalism
• Arson
• Physical asset theft
• Misuse of resources
• Building and physical security weakness
• Fire

Page 12

Identify Threats

Business
• Power outage
• Labor dispute
• Employee turnover and single point of failure
• Unavailability of key personnel
• Human error
• Gas outage
• Water outage
• Loss of transportation
• Single source suppliers

Information Technology
• Voice and data telecommunication failure
• IT equipment failure
• Human error from programmers and users
• Security vulnerability
• Data and software sabotage
• In-house developed application failure
• HVAC failure
• Defective software

Page 13


Analyse Risks

• Estimate the likelihood of the threat occurring

• Identify the impact if the threat materialises

• Determine the risk (rating) level

Page 14

Descriptor: Risk Likelihood of Event

Risk Likelihood | Risk Code | Description
Rare | 1 | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. May occur once in 10 to 50 years.
Unlikely | 2 | Not expected, but there is a slight possibility it may occur at some time. May occur once in 5 to 10 years.
Moderate | 3 | The event might occur at some time, as there is a history of occasional occurrence at the organization. Will occur once in 2 to 5 years.
Likely | 4 | There is a strong possibility the event will occur, as there is a history of frequent occurrence at the organization. Will occur at least once per year.
Certain | 5 | Very likely. The event is expected to occur in most circumstances, as there is a history of regular occurrence at the organization. Will occur at least once per year.

Page 15

Severity Rating

Descriptor: Risk Impact of Event. Each level is defined across five criteria: Infrastructure, Operations, Legal and Regulatory, Reputation & Image, and Staff and Client Safety. The hour and day thresholds were left blank on the slide.

Level 1: Insignificant
Infrastructure: Minor disruption; unavailable for < ___ hrs
Operations: Minor errors in systems or processes requiring corrective action; no delay on overall schedule
Legal and Regulatory: Internal review
Reputation & Image: Non-headline exposure, not at fault; no impact
Staff and Client Safety: Injuries or ailments not requiring medical treatment

Level 2: Minor
Infrastructure: Unavailable for > __ hrs and < __ hrs
Operations: Critical equipment/process breakdown; minor delay on overall schedule
Legal and Regulatory: Inability to fulfil contractual obligation
Reputation & Image: Non-headline exposure, clear fault settled quickly; minor impact
Staff and Client Safety: Minor injury or first aid treatment

Level 3: Moderate
Infrastructure: Unavailable for > __ hrs and < __ hrs
Operations: Critical equipment/process breakdown; able to subcontract services but with major delay on overall schedule
Legal and Regulatory: Investigation by external agencies
Reputation & Image: Headline exposure; slow resolution
Staff and Client Safety: Serious injury causing hospitalisation, or multiple medical treatment cases

Level 4: Major
Infrastructure: Unavailable for > __ hrs
Operations: Critical equipment/process breakdown; strategies not consistent with corporate agenda; trends show service is degrading
Legal and Regulatory: Demand for government inquiry; legal lawsuit
Reputation & Image: Repeated headline exposure; at fault or unresolved complexities; ministerial involvement
Staff and Client Safety: Life-threatening injury or multiple serious injuries causing hospitalisation

Level 5: Catastrophic
Infrastructure: Unavailable for > __ days, or total loss
Operations: Total loss of critical system/equipment; business severely affected; termination of operations
Legal and Regulatory: Threat of boycott, legal action and defection
Reputation & Image: Intense political and media scrutiny
Staff and Client Safety: Death or multiple life-threatening injuries

Page 16

Risk Analysis Process

(Figure: the risk impact questions asked during analysis.)
• How does the threat affect business operations?
• What are the adverse events that can occur?
• What is the likelihood that the threat will adversely affect business operations?
• What are the effects on people, infrastructure, facilities, and systems?
• What are the potential loss exposures to the business?
• What is the cost of the controls to be implemented?
• What controls are in place?

Page 17

Risk Evaluation

• Assess the risk rating of each risk and prioritise the risks for further treatment

Page 18

Risk Rating and Level Matrix

Page 19

Risk Evaluation: Risk Rating

Page 20

Evaluation Criteria

• Criteria examples: People, Processes, Infrastructure
• Weighting for different criteria

Page 21


Risk Treatment

• Explore Risk Treatment Strategies for risks deemed unacceptable

• Document reasons for selection of strategy for each risk treatment

Page 22

Risk Analysis Process

(Figure: the same risk impact questions, now extended with the treatment question.)
• How does the threat affect business operations?
• What are the adverse events that can occur?
• What is the likelihood that the threat will adversely affect business operations?
• What are the effects on people, infrastructure, facilities, and systems?
• What are the potential loss exposures to the business?
• What is the cost of the controls to be implemented?
• What controls are in place? What risk treatment?

Page 23

Risk Treatment Strategies

• Risk Acceptance

• Risk Avoidance

• Risk Transfer

• Risk Reduction

Page 24

Risk Treatment Strategies

(Figure: a 3×3 matrix of Impact (Low, Medium, High) against Likelihood (Low, Medium, High). The cells carry the strategies Transfer, Accept, Reduce / Active Control, Reduce (if Cost Justifiable) and Avoid.)
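Worked example (added here; it is not part of the deck or of BCM Institute's material): a small Python risk register that scores each threat with the likelihood codes and severity levels from the two tables above, applies criterion weighting, turns the result into a rating, and looks up the treatment strategy in the matrix. Everything the slides do not state is an assumption made for illustration: the criterion weights, the multiplicative rating (likelihood code times weighted impact), the Low/Medium/High cut-offs, the placement of the five strategy labels in the nine matrix cells, and the sample threat scores, which are constructed.

```python
"""Risk register scorer: likelihood x weighted impact -> rating and treatment.

Added example, not the deck's own tool. Scales follow the slides; weights,
rating formula, band cut-offs, matrix cell placement and sample rows are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Likelihood descriptors and codes from the "Risk Likelihood of Event" slide.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Certain": 5}

# Severity levels from the "Risk Impact of Event" slide.
SEVERITY = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Impact criteria from the severity table. Weights are an assumption: the deck
# says criteria are weighted but gives no figures (safety weighted double here).
CRITERIA_WEIGHTS = {
    "Infrastructure": 1.0,
    "Operations": 1.0,
    "Legal and Regulatory": 1.0,
    "Reputation & Image": 1.0,
    "Staff and Client Safety": 2.0,
}

# Treatment matrix keyed (impact band, likelihood band). The labels are the
# deck's; their placement in the grid is an assumption.
TREATMENT = {
    ("High", "Low"): "Transfer",
    ("High", "Medium"): "Reduce / Active Control",
    ("High", "High"): "Avoid",
    ("Medium", "Low"): "Accept",
    ("Medium", "Medium"): "Reduce / Active Control",
    ("Medium", "High"): "Reduce / Active Control",
    ("Low", "Low"): "Accept",
    ("Low", "Medium"): "Accept",
    ("Low", "High"): "Reduce (if Cost Justifiable)",
}


def weighted_impact(severity_by_criterion: Dict[str, int]) -> float:
    """Weighted mean (1-5) of per-criterion severity levels; rejects unknown criteria."""
    acc = total_w = 0.0
    for crit, level in severity_by_criterion.items():
        if crit not in CRITERIA_WEIGHTS:
            raise ValueError(f"unknown criterion: {crit}")
        if level not in SEVERITY.values():
            raise ValueError(f"severity level out of range for {crit}: {level}")
        acc += CRITERIA_WEIGHTS[crit] * level
        total_w += CRITERIA_WEIGHTS[crit]
    if total_w == 0:
        raise ValueError("no criteria scored")
    return acc / total_w


def band(score: float) -> str:
    """Collapse a 1-5 score onto the matrix axes. Cut-offs are an assumption."""
    if score < 2.5:
        return "Low"
    if score < 4.0:
        return "Medium"
    return "High"


@dataclass
class RiskEntry:
    threat: str
    likelihood: str            # descriptor from LIKELIHOOD
    severity: Dict[str, int]   # criterion -> level 1..5
    rating: float = field(init=False)
    treatment: str = field(init=False)

    def __post_init__(self) -> None:
        lk = LIKELIHOOD[self.likelihood]
        imp = weighted_impact(self.severity)
        # Rating = likelihood code x weighted impact (1..25); multiplicative form is assumed.
        self.rating = round(lk * imp, 2)
        self.treatment = TREATMENT[(band(imp), band(lk))]


def build_register(rows: List[Tuple[str, str, Dict[str, int]]]) -> List[RiskEntry]:
    return [RiskEntry(*row) for row in rows]


def prioritised(register: List[RiskEntry]) -> List[RiskEntry]:
    """Risk Evaluation step: order entries by rating, highest first."""
    return sorted(register, key=lambda e: e.rating, reverse=True)


# Constructed sample rows (threat names from the "Risk Treatment" slide; scores invented).
SAMPLE_ROWS = [
    ("Fire", "Moderate", {"Infrastructure": 5, "Operations": 5, "Legal and Regulatory": 3,
                          "Reputation & Image": 3, "Staff and Client Safety": 5}),
    ("Flood", "Rare", {"Infrastructure": 5, "Operations": 5, "Legal and Regulatory": 3,
                       "Reputation & Image": 3, "Staff and Client Safety": 4}),
    ("Power Failure (Building)", "Likely", {"Infrastructure": 2, "Operations": 2,
                                            "Legal and Regulatory": 1, "Reputation & Image": 1,
                                            "Staff and Client Safety": 1}),
    ("Pandemic", "Moderate", {"Infrastructure": 1, "Operations": 4, "Legal and Regulatory": 2,
                              "Reputation & Image": 2, "Staff and Client Safety": 4}),
]

if __name__ == "__main__":
    for e in prioritised(build_register(SAMPLE_ROWS)):
        print(f"{e.threat:26} L={LIKELIHOOD[e.likelihood]} rating={e.rating:5.2f}  {e.treatment}")
```

With these constructed scores the register ranks Fire (13.0) first and Flood (4.0) last, yet Flood still lands on Transfer because its weighted impact is High while its likelihood is Rare: the rating orders the work, the matrix picks the strategy, and the two are deliberately separate so that a low-frequency, high-impact threat is not simply accepted.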

Page 25

Risk Reduction

(Figure: the same Impact-against-Likelihood matrix with Fire and Pandemic plotted as examples and the Business Continuity Plan (BCP) labelled as the reduction treatment.)

Page 26

Risk Analysis and Business Continuity Planning

(Figure: how the risk analysis process connects to BC planning.)
Risk Analysis process: Identification → Analysis → Evaluation → Treatment → Monitoring
Risk Treatment Strategies: Avoidance, Reduction, Transfer, Acceptance
BC Planning, the treatment applied under Reduction for risks that could potentially interrupt business operations: Business Impact Analysis → Recovery Strategy → Plan Development → Testing and Exercising → Program Management

Page 27

Risk Treatment

Threat | Risk | Treatment | Remarks
Fire | | |
Flood | | |
Prolonged IT Failure | | |
Power Failure (Building) | | |
Power Failure (Area) | | |

Page 28

Implement & Monitor

• Present Recommendations to management for approval

• Implement recommendations

• Monitor results

• Adjust as necessary


Page 29

Risk Analysis Process

(Figure: the cycle in summary: Identify → Analyse → Evaluate → Treat → Implement & Monitor)

Page 30

Page 31

THANK YOU

Dr Goh Moh Heng
President

Mobile: +65 96711022
Tel: +65 63231500
Fax: +65 63230933

Email: [email protected]