Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the
1st KSA Business & IT Resilience Summit
16th Feb, 2017 at Four Seasons Hotel, Riyadh KSA
Our Contact Details:
INDIA
Continuity and Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019
Tel: +91 11 41055534 / +91 11 41613033
Fax: +91 11 41055535
Email: [email protected]
UAE
Continuity and Resilience
P. O. Box 127557
Abu Dhabi, United Arab Emirates
Mobile: +971 50 8460530
Tel: +971 2 8152831
Fax: +971 2 8152888
Email: [email protected]
Document Classification: PUBLIC
Content
Obtaining & Maintaining the Management Commitment
Building the sense of ownership and accountability
Embedding the BCM in the Corporate Culture
Practicality of the BCM arrangements
Coordination & Cooperation
Assuring the Continuity of the BCM
Multiple Vendors Management
Getting Standardized
Obtaining & Maintaining the Management Commitment
Obtaining the Management Support:
• First and most important step in any BCM Program
• PROS VS CONS of having BCM:
• Financial benefits, cost effective
• Competitive advantages
• Enhance the Business
• Kick off meeting, Workshops and Presentations
• Simulate a disaster.
Maintaining the Management Support:
• Maintaining is more difficult than obtaining
• Keeping the Management involved and updated
• Show the regular progress reports and the achievements
• Prove the effectiveness of your BCM arrangements
Building the sense of ownership and accountability
Ownership:
• Who is the BCP owner?
• If you own it, you'll care about it.
• The organization is too big and diverse for one department to own all the BCPs
Accountability:
• Who is accountable for developing, updating, exercising and invoking the BCP?
• No one knows my business better than I do.
• Any disruption in my business will impact me the most
Building the sense of ownership and accountability
BCM Champions:
• Ambassadors of the BCM in each department
• The champion must be senior in the organization, with authority over his department
• Provide them with BCM training so they can understand both sides (their department & BCM)
• Recognitions and awards
KPIs & KRIs:
• Add a BCM KPI for each department head
• Develop a KRI for each department to monitor and assure the BCM arrangements
Embedding the BCM in the Corporate Culture
Why important?
• The employees are the first line of defense
• If you believe in something, you will do it right
• If it's part of the culture, it will remain for a long time
Obstacles:
• Change in big organizations is not easy
• Scattered infrastructure and employees do not help
• Raising awareness is one thing, keeping it up is another
• Employee turnover
Embedding the BCM in the Corporate Culture
Raise Awareness:
• Posters, Booklets, Emails and Intranet site.
• Regular Awareness Workshops
• General
• Directed
• Competitions and Office Gifts
• Induction Programs for newcomers
Make it a culture:
• Permanent part of organization processes.
• Continuous monitoring of BCM effectiveness.
Practicality of the BCM arrangements
BCM level of participation:
• Are we looking at the trees of the forest, or at the leaves of the tree?
• Define the scope:
  • High level will not give the needed guarantee
  • Deep detail will require an army
• Define the roles and responsibilities, draw the boundaries
Developing the BCP:
• Table of content:
  • Too big: hard to read
  • Too small: not enough info
• Number of plans:
  • Too many: confusing
  • Too few: very high level
Coordination & Cooperation
Vertically & Horizontally:
• Between Departments:
• High dependencies between many departments
• Upstream and Downstream
• Different focus and interests
• With Management:
• So many levels
• Speed is of the essence
Peace & Crisis:
• Development Phase:
• It is a collaborative work
• Agreeing on the criticality
• Invocation Phase:
• Collecting the information for accurate impact assessment and escalation
• Decision Making, Crisis Communication
Coordination & Cooperation (Cont.)
[Figure: matrix of Org. structure (Horizontally / Vertically) against Time (Peace / Crisis), with four boxes:]
• Creating a BCM Management Committee
• Define the Crises Triggers and the Escalation matrix, detailed Crisis Communication Plan
• Regular meetings between the BCM champions
• Developing Incident Management Process with Incidents Reporting Templates
Assuring the Continuity of the BCM
It is a lifecycle, not a project:
• There is no Finish Line.
• Maintain the focus
• Allocate the needed resources
• Assure the readiness at all times
• Manage all the new changes
Compliance Programs:
• Review Program
• Exercise Program
• Audit Program
• Embedding Program
[Figure: Continual Improvement. Repeated Plan-Do-Check-Act cycles, plotted as Maturity Level against Time.]
Multiple Vendors Management
Multiple Vendors:
• High dependency on vendors
• Large number of vendors
• Huge variety of services by the vendors
• Different SLA with each vendor
• Monitoring the vendors' SLAs
• Vendor operation is a black box
• Supply Chain Management
Partnership Concept:
• Share the pain, share the gain
• Cost Effective
• Partners are more involved and concerned about your business than vendors
• Compliance Programs with partners are more effective than SLAs with vendors
• More collaboration, more understanding
[Figure: Organization, Vendor, Supplier]
Getting Standardized
Difficulties:
• Different departments
• Different methods of implementing the business
• Customized solutions
Benefits:
• Having the blueprint of the house before starting to build it
• Speaking the same language
• Be able to compare
• Seeing the full picture
• Certification
Exercising, Maintaining & Reviewing
Types of Testing
[Figure: test types plotted by Scope & Complexity (Low to High) against Team Maturity (Low to High)]
• Walk-through testing: Basic and simple; it involves reviewing the recovery procedures without real implementation
• Integrated testing: Test a group of plans by actual implementation of recovery procedures
• Standalone testing: Test one plan or one component of the plan by actual implementation of recovery procedures
• Simulation testing: Same as integrated testing, plus involving management (Crisis Management team)
Exercising, Maintaining & Reviewing
Benefits of testing the plans
Testing reveals missing steps:
When the plan is written, we think about the services, products, processes, systems and procedures, and the steps of the BC/DR plan are developed on the basis of our understanding. In this sense, the plan is a reflection of the experience of the plan author. However, in a crisis, the people who execute the recovery may be different people. The plan will then not be implemented properly because of missing steps that the author assumed to be known and did not reflect in the plan. Examples of missing information/steps:
• IT Security Codes
• Recall & Communication Procedure amongst the recovery team
• Location of the disaster or business recovery site
Testing reveals plan errors:
Writing a plan sometimes introduces misleading, incorrect, or unnecessary steps. Testing the plan will uncover all of these deficiencies.
Exercising, Maintaining & Reviewing
Benefits of testing the plans (Cont.)
Testing uncovers changes in the process, organization structure, services, people, etc. since the recovery plan was written:
For instance, a plan may have been written and stored on the shelf for a period of time without review. Over time the IT team changes server sizes or upgrades to new software versions, the business model changes, or key support people leave the organization. As a result of those changes the plan will not be valid anymore.
Testing a plan trains the team:
After the plan is developed, exercising it will train each recovery team member in his role during the crisis, because reading the steps in the plan is totally different from actually implementing them in reality. Exercising the plan will also give the recovery team more confidence to implement the plan during the crisis without any panic, and this will lead to less recovery time.
Validate the plan accuracy to achieve desired organization objectives:
During the planning stage of any recovery plan, we may overlook some logistics issues such as transportation, physical access or alternative location, which will heavily impact the Recovery Time Objective (RTO). Based on testing we will determine the true length of recovery time, and ultimately the ability to achieve the desired company RTO, especially if there are several plans involved at the same time.
Thank You
Questions?
Nabil H. Aloufi, CBCP, CBCI
+971 50 8460530