Welcome
Navigating Through Uncertainties of Risk
Dr Goh Moh Heng PhD BCCE DRCE BCCLA
President
BCM Institute
• Started in January 2005.
• Provides competency-based BC-DR training to all levels.
• Certifies BC-DR professionals globally.
• Started the certification programme in April 2007.
• More than 1500 professionals from 850 organizations and 40 countries.
Professional Certification
Business Continuity
IT Disaster Recovery
BCM Audit
Membership
22 Sep 2011 Kuala Lumpur, Malaysia
Business Continuity Management or Risk Management? Aligning Expectations for Business Strategies
Dr. Goh Moh Heng PhD BCCE DRCE BCCLA
President, BCM Institute and Managing Director, GMH Continuity Architects
Agenda
• BC Planning Methodology
  – Risk Analysis and Review
• Risk Assessment Process
  – Step-by-step
• Achieving Certification
Source: Goh, Moh Heng (2008): Analyzing and Review the Risk for Business Continuity Planning ISBN: 978-981-05-9215-8
BCM Planning Methodology
Risk Analysis & Review
[Figure: the Risk Analysis & Review cycle, with five stages: Identify, Analyse, Evaluate, Treat, Implement & Monitor. The same cycle diagram is repeated on each stage's slide, with the current stage highlighted.]
Identify Assets & Threats
• Identify Organisational Assets
• Identify Threats
Identify Organisational Assets
• Assets essential to carry out the mission
• Examples:
  – Facilities
  – People
  – Data
  – Software
  – Applications
  – Equipment
Identify Threats
Natural
• Tornado (wind storm)
• Thunderstorm and hail storm
• Lightning and electrical storm
• Snow and winter ice storm
• Typhoon and hurricane
• Flood and other water-based incident
• Earthquake
• Mudslide
• Volcanic eruption and ash fallout
• Tsunami
• Large natural fire
• Epidemic and pandemic

Man-Made
• Toxic and radioactive contamination
• Sabotage (both external and internal)
• Riot, civil disorder and coup
• Fraud and embezzlement
• Accidental explosion (on and off site)
• Water leak and plumbing failure
• Workplace violence
• Terrorism
• Aircraft crash
• Vandalism
• Arson
• Physical asset theft
• Misuse of resources
• Building and physical security weakness
• Fire
Identify Threats
Business
• Power outage
• Labor dispute
• Employee turnover and single point of failure
• Unavailability of key personnel
• Human error
• Gas outage
• Water outage
• Loss of transportation
• Single-source suppliers

Information Technology
• Voice and data telecommunication failure
• IT equipment failure
• Human error from programmers and users
• Security vulnerability
• Data and software sabotage
• In-house developed application failure
• HVAC failure
• Defective software
Analyse Risks
• Estimate the likelihood of the risk occurring
• Identify the impact if the threat materialises
• Determine the risk (rating) level from likelihood and impact
Descriptor: Risk Likelihood of Event

Risk Likelihood | Risk Code | Description
Rare | 1 | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. Likely to occur once in 10 to 50 years.
Unlikely | 2 | Not expected, but there is a slight possibility it may occur at some time. Likely to occur once in 5 to 10 years.
Moderate | 3 | The event might occur at some time, as there is a history of casual occurrence at the organization. Will occur once in 2 to 5 years.
Likely | 4 | There is a strong possibility the event will occur, as there is a history of frequent occurrence at the organization. Will occur at least once per year.
Certain | 5 | Very likely. The event is expected to occur in most circumstances, as there is a history of regular occurrence at the organization. Will occur at least once per year.
Severity Rating
Descriptor: Risk Impact of Event

Each level is defined against five criteria: Infrastructure, Operations, Legal and Regulatory, Reputation & Image, and Staff and Client Safety. The hour and day thresholds (___) are left blank on the slide.

Level 1: Insignificant
  – Infrastructure: Minor disruption; unavailable for < ___ hrs
  – Operations: Minor errors in systems or processes requiring corrective action; no delay on overall schedule
  – Legal and Regulatory: Internal review
  – Reputation & Image: Non-headline exposure, not at fault; no impact
  – Staff and Client Safety: Injuries or ailments not requiring medical treatment

Level 2: Minor
  – Infrastructure: Unavailable for > ___ hrs and < ___ hrs
  – Operations: Critical equipment/process breakdown; minor delay on overall schedule
  – Legal and Regulatory: Inability to fulfill contractual obligation
  – Reputation & Image: Non-headline exposure, clear fault settled quickly; minor impact
  – Staff and Client Safety: Minor injury or first aid treatment

Level 3: Moderate
  – Infrastructure: Unavailable for > ___ hrs and < ___ hrs
  – Operations: Critical equipment/process breakdown; able to subcontract services but with major delay on overall schedule
  – Legal and Regulatory: Investigation by external agencies
  – Reputation & Image: Headline exposure; slow resolution
  – Staff and Client Safety: Serious injury causing hospitalisation, or multiple medical treatment cases

Level 4: Major
  – Infrastructure: Unavailable for > ___ hrs
  – Operations: Critical equipment/process breakdown; strategies not consistent with corporate agenda; trends show service is degrading
  – Legal and Regulatory: Demand for government inquiry; legal lawsuit
  – Reputation & Image: Repeated headline exposure; at fault or unresolved complexities; ministerial involvement
  – Staff and Client Safety: Life-threatening injury or multiple serious injuries causing hospitalisation

Level 5: Catastrophic
  – Infrastructure: Unavailable for > ___ days, or total loss
  – Operations: Total loss of critical system/equipment; business severely affected; termination of operations
  – Legal and Regulatory: Threat of boycott, legal action and defection
  – Reputation & Image: Intense political and media scrutiny
  – Staff and Client Safety: Death or multiple life-threatening injuries
Risk Analysis Process
[Figure: the questions the risk impact analysis must answer]
• How does the threat affect business operations?
• What are the adverse events that can occur?
• What is the likelihood that the threat will adversely affect business operations?
• What are the effects on people, infrastructure, facilities, and systems?
• What are the potential loss exposures to the business?
• What is the cost of the controls to be implemented?
• What controls are in place?
Risk Evaluation
• Assess the risk rating and prioritise risks for further treatment

Risk Rating and Level Matrix
[Figure: matrix giving the risk rating and level for each combination of likelihood and impact]

Risk Evaluation: Risk Rating
[Figure: worked risk-rating matrix]
Evaluation Criteria
• Criteria examples:
  – People
  – Processes
  – Infrastructure
• Weighting for different criteria
Risk Treatment
• Explore risk treatment strategies for risks deemed unacceptable
• Document the reasons for the strategy selected for each risk
Risk Analysis Process (revisited at the treatment stage)
The same analysis questions apply again, with one addition to the final one: What controls are in place? What risk treatment?
Risk Treatment Strategies
• Risk Acceptance
• Risk Avoidance
• Risk Transfer
• Risk Reduction
Risk Treatment Strategies
[Figure: the strategies plotted on an Impact (Low / Medium / High) by Likelihood (Low / Medium / High) grid, with cells labelled Accept, Transfer, Reduce / Active Control, Reduce (if Cost Justifiable) and Avoid]
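As an added worked example (not part of the slides), the Python below puts the analyse, evaluate and treat steps together for a small risk register: each threat gets a likelihood code, a severity level per impact criterion, a weighted impact, a likelihood × impact score, a rating band, and a proposed treatment strategy read off the Impact × Likelihood grid. The 1 to 5 scales, the five impact criteria and the strategy names are the slides' own; the criterion weights, the score thresholds, the band cut-offs, the assignment of strategies to grid cells and the sample ratings are assumptions made for this illustration, and the threat names are the ones on the deck's treatment worksheet.

```python
"""Risk register: analyse (likelihood x impact), evaluate (weighted criteria,
rating band) and propose a treatment strategy. Added illustration, not the
slides' own material: the 1..5 scales, the five impact criteria and the
strategy names follow the slides; weights, thresholds, band cut-offs, the
grid-to-strategy mapping and the sample ratings are assumptions."""
from dataclasses import dataclass

# Likelihood descriptors and codes from the "Risk Likelihood" slide.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Certain": 5}
# Severity levels from the "Severity Rating" slide.
SEVERITY = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# The slide's five impact criteria. Weights are assumed; they sum to 1.0 so the
# weighted impact stays on the same 1..5 scale as a single severity level.
CRITERIA_WEIGHTS = {
    "Infrastructure": 0.25,
    "Operations": 0.25,
    "Legal and Regulatory": 0.15,
    "Reputation & Image": 0.15,
    "Staff and Client Safety": 0.20,
}
# Assumed rating thresholds on the 1..25 product of likelihood code and impact.
HIGH_SCORE, MEDIUM_SCORE = 12.0, 6.0


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str   # key of LIKELIHOOD
    impacts: dict     # criterion -> key of SEVERITY, one entry per criterion


def weighted_impact(impacts, weights=CRITERIA_WEIGHTS):
    """Collapse the per-criterion severity levels into one 1..5 impact value."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    missing = set(weights) - set(impacts)
    if missing:  # an unrated criterion would silently pull the score down
        raise ValueError(f"no severity level given for: {sorted(missing)}")
    return sum(SEVERITY[impacts[c]] * w for c, w in weights.items())


def risk_score(threat):
    """Analyse step: risk = likelihood code x weighted impact (range 1..25)."""
    return LIKELIHOOD[threat.likelihood] * weighted_impact(threat.impacts)


def risk_level(score):
    """Evaluate step: band the score so risks can be prioritised for treatment."""
    if score >= HIGH_SCORE:
        return "High"
    return "Medium" if score >= MEDIUM_SCORE else "Low"


def likelihood_band(code):
    return "Low" if code <= 2 else ("Medium" if code == 3 else "High")


def impact_band(value):
    return "Low" if value < 2.5 else ("Medium" if value < 3.5 else "High")


def treatment_strategy(impact, likelihood):
    """Treat step: map a cell of the Impact x Likelihood grid to one of the
    slides' strategies. The cell assignment is an assumption (the slide is a
    picture): rare-but-severe events go to Transfer, frequent ones to Reduce."""
    if impact == "High" and likelihood == "High":
        return "Avoid"
    if impact == "High" and likelihood == "Low":
        return "Transfer"
    if impact == "Low" and likelihood == "Low":
        return "Accept"
    if impact == "High" or likelihood == "High":
        return "Reduce / Active Control"
    return "Reduce (if Cost Justifiable)"


def build_register(threats):
    """Run all three steps over a threat list; highest-rated risk first."""
    rows = []
    for t in threats:
        impact = weighted_impact(t.impacts)
        score = risk_score(t)
        rows.append({
            "threat": t.name,
            "score": round(score, 2),
            "level": risk_level(score),
            "strategy": treatment_strategy(
                impact_band(impact), likelihood_band(LIKELIHOOD[t.likelihood])),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def _impacts(infra, ops, legal, reputation, safety):
    """Severity levels given in the order of CRITERIA_WEIGHTS."""
    return dict(zip(CRITERIA_WEIGHTS, (infra, ops, legal, reputation, safety)))


# Constructed sample input: threat names from the deck's treatment worksheet;
# the likelihood and severity ratings are made up for this example.
SAMPLE_THREATS = [
    Threat("Fire", "Unlikely", _impacts("Major", "Major", "Moderate", "Moderate", "Catastrophic")),
    Threat("Flood", "Rare", _impacts("Major", "Moderate", "Insignificant", "Minor", "Minor")),
    Threat("Prolonged IT Failure", "Likely", _impacts("Major", "Major", "Minor", "Moderate", "Insignificant")),
    Threat("Power Failure (Building)", "Certain", _impacts("Moderate", "Major", "Insignificant", "Minor", "Minor")),
    Threat("Power Failure (Area)", "Moderate", _impacts("Moderate", "Moderate", "Insignificant", "Minor", "Insignificant")),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['threat']:<26}{row['score']:>6}  {row['level']:<7} {row['strategy']}")
```

Two design points are worth keeping whatever scales and thresholds an organisation adopts: a threat with an unrated criterion raises an error instead of quietly scoring lower, and the treatment strategy is derived from the impact and likelihood bands rather than from the single score, because a rare catastrophic event and a frequent minor one can land on the same score yet call for different treatments (insurance versus active controls).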
Risk Reduction
[Figure: Fire and Pandemic plotted on the Impact (Low / Medium / High) by Likelihood (Low / Medium / High) grid, with the Business Continuity Plan (BCP) as the risk-reduction measure]
Risk Analysis and Business Continuity Planning
[Figure: how the risk analysis process feeds BC planning]
• Risk Analysis process: Identification, Analysis, Evaluation, Treatment, Monitoring
• Risk Treatment Strategies: Avoidance, Reduction, Transfer, Acceptance
• BC Planning process: Business Impact Analysis, Recovery Strategy, Plan Development, Testing and Exercising, Program Management
• BC Planning is the treatment for risks that could potentially interrupt business operations
Risk Treatment (worksheet)

Threat | Risk Treatment | Remarks
Fire | |
Flood | |
Prolonged IT Failure | |
Power Failure (Building) | |
Power Failure (Area) | |
Implement & Monitor
• Present Recommendations to management for approval
• Implement recommendations
• Monitor results
• Adjust as necessary
Risk Analysis Process (summary)
• Identify
• Analyse
• Evaluate
• Treat
• Implement & Monitor
THANK YOU
Dr Goh Moh Heng, President
Mobile: +65 96711022
Tel: +65 63231500
Fax: +65 63230933
Email: [email protected]