Page 1: The BCI GPG Presentation @ The BCI

The Business Continuity Institute

The Good Practice Guidelines – Real life Implementations

Muhammad Ghazali, MBCI, CBCI, ISMS ISO 27001 LA, BS25999 LA
Associate Director – Head of BCM Service, Protiviti Member firm Middle East

Page 2: The Good Practice Guidelines

Why Good Practice Guidelines? The value of the GPG:

• Not just “what”, but “why” and “how”
• Baseline and common language
• Used for the entry examination
• Professional reference document
• Stage-wise

Page 3: The Good Practice Guidelines

1. BCM Program Management
2. Understanding the Organization
3. Determining BCM Strategies
4. Developing and Implementing BCM Response
5. Exercising, Maintaining and Reviewing
6. Embedding BCM into Organization Culture

Page 4: BCM Program Management

What
1. Develop the BCM Program
2. Identify the owner, members and participants of the Program
3. Develop the BCM Policy of the organization
4. Identify the inclusions and exclusions of the BCM Program
5. Define and approve the scope of the program

Examples:
• BCM Head – that’s probably you…
• BCM Steering Committee – Management
• BCM Roles – Strategic, Tactical and Operational
• BCM Forum – Selected team members

How
Involve the Top Management team. Review documents produced by the organization:
• Business plans
• Strategic plans
• Annual report
• Marketing report

Why
Objectives, mission, vision, key services, products, future strategy, acquisitions, geographical scale, competitor strategy, regulatory obligations etc.

Page 5: A “Program”, Not a “Project”

Program Scope
• Set objectives
• See obligations
• Acceptable level of risk
• Statutory, regulatory and contractual issues

Organizational Policy
• Top management commitment and approval
• Objectives and scope of business continuity
• Communicated and reviewed
• Appropriate to the nature, scale, complexity, geography and criticality of business activities
• Reflects culture, dependencies and operating environment

Resources and Competence
• Defined roles and responsibilities
• Top management nominees / appointees
• BCM competency

Page 6: Understanding the Organization

What
Know your:
• Processes
• People
• Infrastructure
• Environment
• Internal and external suppliers
• Threats to all requirements
• Impact of those threats

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles” – Sun Tzu

How
There are three main activities to “Understanding the Organization”:
• Business Impact Analysis (BIA)
• Continuity Requirements Analysis (CRA)
• Risk Assessment (RA)

Why
Your business depends on:
• Operations staff / skills
• Records / data assets
• Voice / data communications
• Facilities & infrastructure
• Equipment

Page 7: Knowing Your Organization – Impact Analysis

Business Objectives define the Key Business Areas, which contain the Critical Processes (Business Lines and Support Lines) that the BIA examines.

Key BIA Inputs

Financial Impact
• Lost sales revenue
• Productivity loss
• Permanent customer loss
• Loss of interest income

Operational Impacts
• Brand image
• Competitive advantage
• Customer satisfaction
• Increased regulatory oversight
• Employee morale

Management Tolerances
• Intolerable / acceptable downtime
• Intolerable / acceptable data loss

Resource Dependencies
• Operations staff
• Records / data assets
• Voice / data communications
• Facilities & infrastructure
• Equipment

Recovery Requirements as Output
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Maximum Tolerable Period of Disruption (MTPOD)
• Minimum Operation Requirements

Page 8: Knowing Your Risks – Risk Assessment (RA)

Starting from the Business Objectives, information is gathered through interviews, questionnaires and workshops and feeds two parallel streams.

Risk stream
• Key risks / threats
• Risk Assessment
• Risk Register: vulnerabilities, threats, impact, likelihood

Impact stream
• Critical processes
• BIA of critical processes
• BIA dependency impact over time

Both streams inform the Business Continuity Strategy, which in turn drives the Business Continuity Plans.

Page 9: Determining BCM Strategies

What
On the basis of your Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPOD), identify strategies.
• The faster you want it, the more it will cost!

Separation distance
• How far away do you need to be?
• Accessible yet recoverable

How
Assess continuity options for each critical activity at the following levels:
1. Initial Continuity – to an initial acceptable level
2. Recovery – to a sustainable level
3. Resumption – back to the normal level

Why
Your business needs to select appropriate continuity options for each activity that supports delivery.
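The BIA outputs on Page 7 and the strategy rule on Page 9 can be checked mechanically before strategies are costed. As an added example, not part of the presentation, the Python below validates constructed BIA records: each RTO must sit below the process’s MTPOD, each RPO within the acceptable data loss, and no business line may target an RTO shorter than the support lines it depends on (field names and sample values are this example’s own).

```python
"""BIA consistency checks: RTO vs MTPOD, RPO vs data-loss tolerance, dependency RTOs.
Added example, not from the presentation; all records below are constructed."""
from dataclasses import dataclass, field


@dataclass
class BiaRecord:
    process: str
    mtpod_hours: float               # maximum tolerable period of disruption
    acceptable_data_loss_hours: float
    rto_hours: float                 # recovery time objective set by the owner
    rpo_hours: float                 # recovery point objective set by the owner
    depends_on: list = field(default_factory=list)  # support lines, by name


def validate(record: BiaRecord, by_name: dict) -> list:
    """Return human-readable findings for one record; empty means consistent."""
    findings = []
    # Recovery must complete before the disruption becomes intolerable.
    if record.rto_hours >= record.mtpod_hours:
        findings.append(f"RTO {record.rto_hours}h is not below MTPOD {record.mtpod_hours}h")
    # Data loss implied by the RPO must stay within management tolerance.
    if record.rpo_hours > record.acceptable_data_loss_hours:
        findings.append(f"RPO {record.rpo_hours}h exceeds acceptable data loss "
                        f"{record.acceptable_data_loss_hours}h")
    # A process cannot be back sooner than the support lines it depends on.
    for dep in record.depends_on:
        if dep not in by_name:
            findings.append(f"dependency {dep!r} has no BIA record")
        elif by_name[dep].rto_hours > record.rto_hours:
            findings.append(f"dependency {dep!r} RTO {by_name[dep].rto_hours}h "
                            f"exceeds own RTO {record.rto_hours}h")
    return findings


def validate_all(records: list) -> dict:
    """Map each process name to its findings across the whole BIA."""
    by_name = {r.process: r for r in records}
    return {r.process: validate(r, by_name) for r in records}


# Constructed sample: one business line and the two support lines it relies on.
SAMPLE = [
    BiaRecord("Payments", mtpod_hours=8, acceptable_data_loss_hours=0.25,
              rto_hours=4, rpo_hours=1, depends_on=["Core Application", "Data Center Network"]),
    BiaRecord("Core Application", mtpod_hours=12, acceptable_data_loss_hours=1,
              rto_hours=6, rpo_hours=0.5),
    BiaRecord("Data Center Network", mtpod_hours=4, acceptable_data_loss_hours=0,
              rto_hours=2, rpo_hours=0),
]
```

Running `validate_all(SAMPLE)` flags the Payments line twice: its RPO is looser than the tolerated data loss, and the Core Application it depends on recovers later than Payments claims to.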

Page 10: Determining BCM Strategies – Considerations

Continuity Strategy for Key Processes
• Alternate processes
• Options to customers
• Alternate channels of delivery
• Alternate methods of communication
• Support to customers

Continuity Strategy for Technology
• Core / main application
• User / branch data processing
• Information security / data transfer
• Data center / voice and communication
• IT systems

Continuity Strategy for Facilities
• Physical location / space
• Office equipment / stationery
• Power supply
• Transportation
• Communication

Page 11: Developing & Implementing BCM Response

What
The GPG identifies the following stages of response:
• Emergency response – immediate actions
• Incident management – management of the response to the incident
• Business / IT Continuity – the initial business response to the incident (essential activities at an acceptable level)
• Recovery – recovery of activities to a sustainable level
• Resumption – resuming operations to ‘normal’

How
Plan development includes:
• Appoint an owner
• Define the objectives and scope
• Create teams for planning and response
• Agree the responsibilities
• Document actionable steps
• Populate the plan
• Circulate and gather feedback
• Agree and validate
• Agree a program

Why
To identify and document:
• Individual and team roles
• Actions required for invocation, crisis, incident, internal and external communication, call lists, etc.

Page 12: Continuity Plans – Considerations

• Simple language
• Action oriented (checklist…)
• Easy to access, maintain and navigate
• Plans are tools / guidelines to use or follow in case required; do not allow them to restrict your thoughts and responses.

Page 13: Exercising, Maintaining and Reviewing

What
An exercise verifies your assumptions about IT / Business Continuity and validates:
• Effectiveness of your plan
• Response of your teams
• Effectiveness of your strategies
Results offer opportunities for improvement in:
• Plans
• Responses
• Strategies

How
• Agree the scope – what are your BCM priorities?
• Engage senior stakeholders
• Communicate thoroughly – particularly for senior staff
• Plan frequently – normal business is always busy
• Make sure the exercise type fits the need

Why
• To highlight doubtful assumptions
• Provides hidden information about
• Gain confidence in exercise participants
• Raise awareness of BCM
• Verify BCP / IT Continuity Plan(s)

Page 14: Embedding BCM into Organization Culture

What
Let the organization know about BCM, just like:
• Human Resource Management (HRM)
• Management Information System (MIS)
• Financial Management System (FMS)
• Material / Supply Chain Management
• Procurement
Involve all members of the organization, because continuity is everyone’s business.

How
• Employee handbook – guidelines
• BCM business cases
• Email messages
• Intranet BCP web site
• New employee induction program
• Interactive presentations with staff
• Organize in-house coaching sessions

Why
• Management understanding of risk / impact / threat / response
• Transformation of understanding across the organization

Page 15: Thank You

Q&A Sessions