The BCI GPG Presentation @ The BCI


  • 1. The Business Continuity Institute: The Good Practice Guidelines, Real-Life Implementations. Muhammad Ghazali, MBCI, CBCI, ISMS ISO 27001 LA, BS25999 LA. Associate Director, Head of BCM Service, Protiviti Member Firm Middle East
  • 2. The Good Practice Guidelines: Why Good Practice Guidelines. The value of the GPG: Not just What, but Why and How; Baseline and common language; Used for entry examination; Professional reference document; Stage-wise
  • 3. The Good Practice Guidelines
       1. BCM Program Management
       2. Understanding the Organization
       3. Determining BCM Strategies
       4. Developing and Implementing BCM Response
       5. Exercising, Maintaining and Reviewing
       6. Embedding BCM into Organization Culture
  • 4. BCM Program Management
       What:
       1. Develop the BCM Program
       2. Identification of owner/member and participants of Program
       3. Development of BCM Policy of the organization
       4. Identification of inclusion and exclusion of the BCM Program
       5. Define and approve the scope of the program
       Examples: BCM Head - That's probably you; BCM Steering Committee - Management; BCM Roles - Strategic, Tactical and Operational; BCM Forum - Selected team members
       Why: Objectives, Mission, Vision, Key Service, Product, future strategy, acquisitions, geographical scale, competitor strategy, regulatory obligation, etc.
       How: Involve the Top Management team; Review documents produced by the organization: Business plans, Strategic plans, Annual report, Marketing report
  • 5. A Program, Not a Project: Set Objectives; See Obligations; Program Scope; Acceptable level of risk; Statutory, regulatory and contractual issues; Top management commitment and approval; Objectives of the business continuity and scope; Communicated and reviewed; Organizational Policy; Appropriate by nature, scale, complexity, geography and criticality of business activities; Reflect culture, dependencies and operating environment; Defined roles and responsibilities; Resources and Competence; Top management nominees / appointees; BCM competency
  • 6. Understanding the Organization
       What / Why (Know your / Your Business depends on): Process Operations Staff/skills Records/Data Assets People Voice/Data Communications Infrastructures Facilities & Infrastructure Equipment Environment Internal and external Suppliers; Threats to all requirement; Impact of those threats
       "If you know your enemies and know yourself, you will not be imperiled in a hundred battles" (Sun Tzu)
       How: There are three main activities to Understanding the Organization: Business Impact Analysis (BIA); Continuity Requirements Analysis (CRA); Risk Assessment (RA)
  • 7. Knowing Your Organization - Impact Analysis
       Business Objectives; Key Business Areas; Critical Processes (Business Lines, Support Lines)
       Key BIA Inputs:
       Financial Impact: Lost sales revenue; Productivity loss; Permanent customer loss; Loss of interest income
       Operational Impacts: Brand image; Competitive advantage; Customer satisfaction; Increased regulatory oversight; Employee Morale
       Management Tolerances: Intolerable/acceptable downtime; Intolerable/acceptable data loss
       Resource Dependencies: Operations Staff; Records/Data Assets; Voice/Data Communications; Facilities & Infrastructure; Equipment
       Recovery Requirements as Output: Recovery Time Objective (RTO); MTPOD; Recovery Point Objective (RPO); Minimum Operation Requirements
  • 8. Knowing Your Risks: Risk Assessment (RA). [Diagram labels: Business Objectives; Interviews; Questionnaires; Workshops; BIA; BIA of Critical Processes; Critical Processes; Dependency; Impact over time; Business Continuity Strategy; Business Continuity Plans; Risk Register; Key Risks / threats; Risk Assessment; Vulnerability; Threats, Impact, Likelihood]
  • 9. Determining BCM Strategies
       What: On the basis of your RTO (Recovery Time Objective), Recovery Point Objective (RPO) and Maximum tolerable period of disruption (MTPOD), identify strategies
       Why: Your Business requires to select appropriate continuity options for each activity that supports the delivery
       The faster you want it the more it will cost!
       Separation distance: How far away do you need to be; Accessible yet recoverable
       How: Assess continuity options for each critical activity to the following levels:
       1. Initial Continuity to an initial acceptable level
       2. Recovery to a sustainable level
       3. Resumption back to the normal level
  • 10. Determining BCM Strategies: Considerations. Continuity Strategy for Key Processes; Continuity Strategy for Technology; Continuity Strategy for Facilities. Physical Alternate processes IT Systems Location/Space Options to Core / Main Office Equipments/ Custome