The BCI GPG Presentation @ The BCI

<ul>
<li> 1. The Business Continuity Institute The Good Practice Guidelines Real life Implementations Muhammad Ghazali MBCI, CBCI, ISMS ISO 27001 LA, BS25999 LA Associate Director Head of BCM Service Protiviti Member firm Middle East </li>
<li> 2. The Good Practice Guidelines Why Good Practice Guidelines The value of the GPG: Not Just What, but Why and how Baseline and common language Used for Entry examination Professional Reference document Stage-wise </li>
<li> 3. The Good Practice Guidelines 1. BCM Program Management 2. Understanding the Organization 3. Determining BCM Strategies 4. Developing and Implementing BCM Response 5. Exercising Maintaining and Reviewing 6. Embedding BCM into Organization Culture </li>
<li> 4. BCM Program Management What Why 1. Develop the BCM Program Objectives, Mission, Vision, Key 2. Identification of owner/member and Service, Product, future strategy, participants of Program acquisitions, geographical scale, 3. Development of BCM Policy of the organization competitor strategy, regulatory 4. Identification of inclusion and exclusion of the obligation etc. etc. BCM Program How 5. Define and approve the scope of the program Involve the Top Management Examples: team BCM Head That's probably you Review documents produced by BCM Steering Committee - Management the organization BCM Roles Strategic, Tactical and Business plans Operational Strategic plans BCM Forum Selected team members Annual report Marketing report </li>
<li> 5. A Program Not a Project Set Objectives See Obligations Program Scope Acceptable level of risk Statutory, regulatory and contractual issues Top management commitment and approval Objectives of the business continuity and scope Communicated and reviewed Organizational Policy Appropriate by nature, scale, complexity, geography and criticality of business activities Reflect culture, dependencies and operating environment Defined roles and responsibilities Resources and Top management nominees / appointees Competence BCM competency </li>
<li> 6. Understanding the Organization What Why Know your Your Business depends on Process Operations Staff/skills Records/Data Assets People Voice/Data Communications Infrastructures Facilities &amp; Infrastructure Equipment Environment Internal and external Suppliers How Threats to all requirement There are three main activities to Impact of those threats Understanding the Organization {if you know your enemies and know yourself, you Business Impact Analysis (BIA) will not be imperiled in a hundred battles} Sun Tzu Continuity Requirements Analysis (CRA) Risk Assessment (RA) </li>
<li> 7. Knowing Your Organization - Impact Analysis Business Objectives Key BIA Inputs Recovery Requirements as Output Financial Impact Key Business Areas Lost sales revenue Productivity loss Permanent customer loss Recovery Time Loss of interest income Objective (RTO) Operational Impacts Brand image Critical Processes Competitive advantage Customer satisfaction - Business Lines Increased regulatory oversight MTPOD Employee Morale - Support Lines Recovery Point Management Tolerances Objective (RPO) Intolerable/acceptable downtime Intolerable/acceptable data loss Resource Dependencies Operations Staff Minimum Records/Data Assets Operation Voice/Data Communications Facilities &amp; Infrastructure Requirements Equipment </li>
<li> 8. Knowing Your Risks Risk Assessment (RA) Business Interviews Objectives Questionnaires Workshops BIA BIA of Critical Critical Processes Dependency Processes Impact over time Business Business Continuity Continuity Strategy Plans Risk Register Key Risks / threats Risk Assessment Vulnerability Threats, Impact, Likelihood </li>
<li> 9. Determining BCM Strategies What Why Your Business requires to select On the basis of your RTO (Recovery Time Objective), Appropriate continuity options for Recovery Point Objective (RPO) and Maximum each activity that supports the tolerable period of disruption (MTPOD), identify delivery strategies The faster you want it the more it will cost! Separation distance How Assess Continuity options for each How far away do you need to be critical activity to following levels: Accessible yet recoverable 1. Initial Continuity to an initial acceptable level 2. Recovery to a sustainable level 3. Resumption back to the normal level </li>
<li> 10. Determining BCM Strategies Considerations Continuity Strategy Continuity Strategy Continuity Strategy for for for Key Processes Technology Facilities Physical Alternate processes IT Systems Location/Space Options to Core / Main Office Equipment/ Customers Application Stationary Alternate Channels User/Branch Data Processing Power Supply of Delivery Alternate methods Data Center/Voice and Communication Communication of communication Support to Info. security / Data Transfer Transportation Customers </li>
<li> 11. Developing &amp; Implementing BCM Response What Why The GPG identifies the following stages of response: To identify and document Individual and Teams roles Emergency response immediate actions Actions required for Incident management management of the Invocation, Crisis, Incident, response to the incident Internal and Business/ IT Continuity the initial business External, Communication, call response to the lists, etc. etc. incident (essential activities at acceptable level) How Recovery recovery of activities to sustainable The Plan(s) development include level Appoint an owner Resumption resuming operations to normal Define the objectives and scope Create Teams for planning, response Agree the responsibilities Document actionable steps Populate the plan Circulate and gather feedback Agree and validate Agree a program </li>
<li> 12. Continuity Plans - Considerations Simple language Action Oriented (Check list) Easy to access, maintain and Navigate Plans are tools / guidelines to use or follow in case required, do not allow them to restrict your thoughts and responses. </li>
<li> 13. Exercising Maintaining and Reviewing What Why Exercise To Highlight doubtful assumptions Verifies your assumptions about IT / Buss. Provides Hidden information Continuity about Gain confidence in exercise Validates participants Effectiveness of your plan Raise awareness of BCM Response of your teams Verify BCP/ IT Continuity Plan(s) Effectiveness of your strategies Results offers Opportunities for improvement in How Agree the Scope what are your BCM Plans priorities? Responses Engage senior stakeholders Strategies Communicate thoroughly particularly for senior staff Plan frequently - Normal Business is always Busy Make sure the exercise type fits the need </li>
<li> 14. Embedding BCM into Organization Culture What Why Let the organization know about BCM Management Understanding of Just like Risk/ Impact/ Threat/Response Human Resource Management (HRM) Management Information System (MIS) Transformation of understanding Financial Management System (FM...</li>
</ul>

