Business Continuity Management - PowerPoint PPT Presentation

Slides: 50
Provided by: prabhara

Transcript and Presenter's Notes

Title: Business Continuity Management


1
Business Continuity Management
  • Awareness Presentation for MAMPU

By Prabha Ramanathan AUGUST 21st 2007
2
OBJECTIVE
  • To provide a basic appreciation on the importance
    of Business Continuity Management in the Public
    Sector.
  • To provide an overview on implementing BCM in a
    government organisation.

3
BACKGROUND INFORMATION
  • Technical Committee on Business Continuity
    Management
  • TC - BCM

4
TC - BCM
  • The Technical Committee (TC) on Business
    Continuity Management (BCM) was formed to develop
    business continuity management standards for
    local consumption.
  • We also review Business Continuity related
    standards on behalf of the Department of Standards
    Malaysia.
  • TC BCM reports to Industrial Standards
    Committee O (ISC-O), which looks at Society
    Risk.
  • SIRIM is appointed by Department of Standards
    Malaysia to develop Malaysian Standards.

5
Composition
  • Prabha Ramanathan, Chairman (BKI)
  • Roslina Harun, Secretary (SIRIM)
  • Wan Asriah Wan Adnan (Bursa Malaysia)
  • Sue Wing Hoong (CSC)
  • Johnny Choo Chin Chai (Alliance Bank)
  • Ros Aziah Mohd Ismail (IP-Secure)
  • Zahri Yunos (CyberSecurity Malaysia)

6
Composition
  • Sophia Hashim (MAMPU)
  • Maslina Daud (CyberSecurity Malaysia)
  • Bahyah Bakri (Bursa Malaysia)
  • Mohd Daud Dahar (Bank Negara)
  • Aliza Nayan (Securities Commission)
  • Stan Singh Jit (PIKOM)
  • Shreedhar (ASTRO)

7
Goals of TC - BCM
  • BCM Framework: an overview of the processes that
    must be followed when developing BC Plans
    (completed MS 1970)
  • BCM Guidelines: a guide on how to implement
    business continuity plans
  • BCM Checklist: a self assessment checklist to
    gauge the level of preparedness / readiness

8
Objective of BCM Standards
  • BCM is something that should be practised by all
    organizations in all industries, irrespective of
    their size.
  • Hence the need for an acceptable minimum level of
    practice, i.e. a standard.
  • The standards developed by TC-BCM are this minimum
    level of practice for all sectors, private and
    public.

9
Use of Standards
[Chart: Number of Controls by sector (Banking, Insurance, Telecommunication, Health, Government, Manufacturing); TC BCM STANDARDS]
10
The Malaysian BCM Standard
11
BUSINESS CONTINUITY MANAGEMENT
  • WHAT IS IT?

12
The history of business continuity
  • Holistic Contingency Plans: Business Continuity Management
  • Organization wide Contingency Plans: Business Continuity Planning
  • IT or Technical Contingency Plans: Disaster Recovery Planning
  • Fallback Plans, Contingency Plans: Alternative Planning / Plan B
13
What is Business Continuity Management?
A holistic management process that identifies
potential impacts that threaten an organisation
and provides a framework for building resilience
with the capability for an effective response
that safeguards the interests of its key
stakeholders, reputation, brand and value
creating activities.
Source: Business Continuity Institute (UK)
Disaster Management Phases (Execution)
  • Monitor Response
  • Recover Resume
  • Rectify Restore
  • Migrate Normalize
14
BCM Framework
  • a structure that will design, develop, implement
    and maintain infrastructures, resources,
    processes, policies and strategies to respond,
    recover, resume, restore and normalize the
    mission critical operations of an organization in
    an effective manner.

BCM
15
Business Continuity Management
  • Why do you need it?

16
Why is BCP Needed?
  • Good Corporate Governance
  • Safeguarding assets and liabilities, stakeholder
    interests
  • Business Requirements (Local / International):
    BNM, SC, SOX, Basel, ISO 17799
  • Requirement by Business Partner and/or Customer

17
Why do we need BC Standards?
  • Infrastructure Dependence (power, voice, data,
    logistics, food)
  • Environment
  • Legal Fiduciary Duties
  • System Up Time (computing, data, networks, etc.)
18
Corporate Governance
  • Malaysian Code of Corporate Governance: it is a
    requirement by the Securities Commission that all
    listed companies in Malaysia comply with the
    Malaysian Code of Corporate Governance.
  • Part of the Principal Responsibilities of the BOD
    are:
  • Identify principal risks and ensure the
    implementation of appropriate systems to manage
    these risks.
  • Reviewing the adequacy and the integrity of the
    company's internal control systems and management
    information systems, including systems for
    compliance with applicable laws, regulations,
    rules, directives and guidelines.
  • Succession Planning of Senior Management

19
Post-9/11 Surge in Regulations and Standards
Post 9-11 (2002 - 2004)
Source: Fred.klapetzky_at_marsh.com
  • Sarbanes-Oxley Act of 2002
  • HIPAA, Final Security Rule
  • FFIEC BCP Handbook
  • Fair Credit Reporting Act
  • NASD Rule 3510
  • NERC Security Guidelines
  • FERC Security Standards
  • NAIC Standard on BCP
  • NIST Contingency Planning Guide
  • FRB-OCC-SEC Guidelines for Strengthening the
    Resilience of US Financial System
  • NYSE Rule 446
  • California SB 1386
  • Australia Standards BCM Handbook
  • GAO Potential Terrorist Attacks Guideline
  • Federal and Legislative BC Requirements for IRS
  • Basel Capital Accord
  • MAS Proposed BCP Guidelines (Singapore)
  • NFA Compliance Rule 2-38
  • FSA Handbook (UK)
  • BCI Standard, PAS 56 (UK)
  • Civil Contingencies Bill (UK)
Pre 9-11 (1991 - 2001)
Source: Marsh (c) 2004
  • Consumer Credit Protection Act
  • OMB Circular A-130
  • FEMA Guidance Document
  • Paperwork Reduction Act
  • FFIEC BCP Handbook
  • Computer Security Act
  • 12 CFR Part 18
  • Presidential Decision Directive 67
  • FDA Guidance on Computerized Systems used in
    Clinical Trials
  • ANSI/NFPA Standard 1600
  • Turnbull Report (UK)
  • ANAO Best Practice Guide (Australia)
  • SEC Rule 17 a-4
20
Business Requirements
  • It is foreseeable that in the near future, the
    resiliency or continuity capability of an
    organisation will be a yardstick in doing
    business.
  • We have seen that, with the implementation of the
    Sarbanes-Oxley Act in the US, many local players who
    are suppliers or business partners were required to
    show BC plans.

21
What BCM standards are available?
  • BS 25999-1: Business Continuity Management -
    Code of Practice (British Standard Institute,
    UK)
  • BS 25999-2: Business Continuity Management -
    Specification (British Standard Institute)
  • HB 221 2005: Handbook on Business Continuity
    Management (Australian Standards, Australia)
  • NFPA 1600: Standard on Disaster / Emergency and
    Business Continuity Management Program (National
    Fire Protection Association, USA)
  • TR 19: Technical Reference for Business
    Continuity Management (SPRING, Singapore)
  • MS 1970: Business Continuity Management
    Framework (Department of Standards, Malaysia)

22
Malaysian Examples
  • Major stock trading organisation
  • Major airport - early 90s
  • Shoe manufacturing company
  • Flooding of building basement in KL
  • Finance company software leading to
    malfunctioning of ATMs
  • Flooding of electricity substation
  • National Power Grid failure
  • Fire at bank branch on the 1st day of business at
    branch's new premises.  Substantial damage at
    upper floor, ground floor also damaged.  Was able
    to resume business on the same day at the
    previous premises located nearby.
  • Power outage for 3 days at bank's head office.  IT
    systems ran on gen set, power was gradually
    restored by floors. Impact: no A/C, significant
    loss of productivity.
  • The automatic teller machine network of a large
    local bank was disrupted for 13 hours nationwide.
  • Lightning destroyed the main power circuit board
    of a factory, causing an 8-hour shutdown of its
    plant and losses in excess of RM5 million.
  • Data Center of a manufacturing company was
    flooded, damaging their key servers.

23
Business Continuity Management
  • How is it different from Disaster Recovery
    Planning?

24
BCP - Composition
Business Continuity Plans
Emergency Management
Crisis Management
Contingency Plans
Disaster Recovery Plans
Business Resumption Plans
25
Definition - BCP
  • BUSINESS CONTINUITY PLANNING (BCP): Process of
    developing advance arrangements and procedures
    that enable an organization to respond to an
    event in such a manner that critical business
    functions continue with planned levels of
    interruption or essential change.
  • SIMILAR TERMS: Contingency Planning, Disaster
    Recovery Planning.

26
Definition - DRP
  • DISASTER RECOVERY PLANNING (DRP): The
    technological aspect of business continuity
    planning.
  • The advance planning and preparations that are
    necessary to minimize loss and ensure continuity
    of the critical business functions of an
    organization in the event of disaster.
  • SIMILAR TERMS: Contingency Planning, Business
    Resumption Planning, Corporate Contingency
    Planning, Business Interruption Planning,
    Disaster Preparedness.

DRII
27
DRP vs BCP
[Chart: UTILIZATION versus TIME, with stages labelled DISASTER, CRISIS, DISASTER, RESTORE]
28
DRP vs BCP
Major Plan Components
  • BCP: Business Continuity Planning
  • BRP: Business Resumption Planning
  • DRP: Disaster Recovery Planning
29
Business Continuity Management
  • Who should be involved?

30
Organisation Structure
31
Brief Roles & Responsibilities
32
BCM Team Structure
33
Brief Roles & Responsibilities
34
Selection Guidelines
  • Members of the BCM recovery team should be on a
    voluntary basis
  • Members of the BCM recovery team must be
    experienced and knowledgeable in operations
    matters
  • Elderly or sickly people (hypertension, weak
    heart, high blood pressure, obese, etc.) should
    not be selected as team members.

35
Business Continuity Management
  • How do I start?

36
Note
  • The process of developing the plans, either
    Business Continuity Plans or Disaster Recovery
    Plans, is the same.
  • The difference is only in the scope of work and
    area to be covered.
  • A disaster recovery plan must provide for the
    End Users' needs.

37
BKI'S METHODOLOGY
38
Module 1 - Initiate the Project
  • It is crucial that a BC Project is started in a
    proper manner to ensure that it is completed in a
    timely and effective manner.
  • This stage involves study, discussions and analysis
    leading to the deliverable: the Project Charter.
  • In addition, there will be:
  • Awareness sessions
  • Kickoff meeting

39
Module 2 - Risk Assessment
  • The purpose of this module is to identify the
    operational vulnerabilities of an organisation.
  • The outcome of this module is a Risk Assessment
    report which provides a priority listing of
    vulnerabilities and a set of recommendations to
    prevent / mitigate them.

40
Module 3 - Business Impact Analysis
  • BIA determines impact (financial & non-financial)
    in the event business is disrupted for a
    significant period of time. (The BIA process is
    somewhat independent from the Risk Assessment
    process.)
  • The Business Impact Analysis deliverable includes
    a listing of critical business functions and
    their:
  • Recovery Time Objectives
  • Recovery Point Objectives
  • Minimum operating resources
  • Internal and External Dependencies

41
Module 4 - Develop BC Strategies
  • This module provides the BC planners with a
    high-level specification of the plans.
  • In this module, high level BC Policies and
    Procedures are documented
  • This module gets its input from the previous BIA
    process

42
Module 5 - Establish Alternate Facility
  • In the event the primary business premises are
    destroyed or severely damaged, critical business
    functions need to operate at an alternate
    facility.
  • This facility may be completely or partially set up
    with furniture, fittings and equipment.
  • This facility may be owned or rented from a
    commercial entity

43
Module 6 - Plan Development
  • Using the information from Modules 4 & 5, action
    steps which describe what needs to be done,
    when to do it and how to do it are
    documented.
  • Each team within the business continuity
    structure will have a recovery plan.

44
Module 7 - Education & Training
  • In this module, the respective players in the
    organisation's business continuity plan will be
    given the appropriate education on the principles
    of business continuity planning as well as
    training in the use of the recovery plans
    developed in the previous module.

45
Module 8 - Scenario Testing
  • Testing is a mechanism used to verify the
    completeness of the recovery plan.
  • It also provides an avenue for team members and
    management to practice their recovery activities
  • The goals and complexity of testing should
    increase over time

46
Module 9 - Plan Maintenance
  • The business continuity plan is a LIVING
    DOCUMENT
  • Keeping it current is a major task which takes
    effort and support from senior management
  • It is necessary to implement a Maintenance
    Program

47
Take Away Points
  • BCM is a process and not a project.
  • The initial development of a BC Plan is a tedious
    and time-consuming activity. It needs to be given
    adequate attention to be successful (i.e.
    workable).
  • Like Risk Management, the responsibility for BCM
    rests on everyone's shoulders and not just the BCM
    Manager's.
  • BIA is an important process within BCM and must
    be conducted on a regular basis

48
Take Away Points (cont)
  • Top Management support and participation are
    required.
  • An annual budget should be allocated for the
    running & maintenance of the BCM program.
  • Testing must be religiously conducted in a manner
    that encourages improvement and preparedness.
  • A maintenance program must be implemented to
    ensure adequacy and completeness of the BCM
    elements.

49
THANK YOU
  • CONTACT DETAILS
  • prabhar_at_bki.com.my
  • 012 - 3160609