Title: Business Continuity Management BCM Experience Sharing
1 Business Continuity Management (BCM) Experience Sharing
2 BCM planned for?
3 BCM Reporting line
4 DR and BCM
- Disaster Recovery
  - Disaster Recovery is perceived as "just in case"
  - A necessity for doing business, but counterproductive
  - A cost with little investment return and, therefore, an unlikely market for advanced technology
  - IT centric
- Business Continuity
  - High Availability is a business necessity
  - Availability is an investment
  - High Availability leads to the lowest cost of ownership by reducing defects and avoiding failures
  - Procedures and arrangements to ensure that critical business functions remain continuously available
5 Planning relationships
6 BCM-Risk Management Perspective
- Part of an organizational learning effort that helps reduce operational risk associated with lax information management controls.
- This process may be integrated with improving information security and corporate reputation risk management practices.
7 Integration of BCM, ERM, and Strategic Planning
[Diagram linking Strategic Planning, ERM and BCM. Labels: Vision, Risk, BCM Policy, Strategy Risk, Mission, BCM Objective, Business Risk, Objective, Operation Risk, Impact, Financial Risk, Strategy, Emergency Response, Mitigating action, KPI, Monitor and Control, Recover]
8 Integration of BCM, ERM, and Strategic Planning
[Diagram. Labels: Uncertainty, Disaster, Business Condition, ABOVE Target, BELOW Target, KPI, HIGH Likelihood, LOW Likelihood, BCM]
9 BCM Purposes
- To reduce adverse stakeholder impacts, which are determined by both the disruption's scope (who and what it affects) and its duration (how bad; implications may last for hours, months, etc.).
- To quantify measurable business impact analysis (BIA) "zones" (areas in which hazards and threats reside), which include civil, economic, natural, technical, secondary and subsequent.
10 Business Impact Analysis (Example)
[Chart: Impact versus Time. Labels: Y, Z, A]
11 No Longer Have to Wait For a Catastrophe
Non-catastrophic events can cause significant dollar losses
Business Processes Need Shorter Recovery Times
[Diagram: Time To Recover. Labels: Crisis Time Zero, Roll Forward ReSync, Resume Business, Reload Data Base, Restore Operating System, Emergency Response, Mobilize Resources, Relocate Backups]
12 RTO and RPO
[Diagram labels: RECOVERY TIME OBJECTIVE (RTO), RECOVERY POINT OBJECTIVE (RPO), EVENT]
Loss of Service Tolerance: How long can the business process / function be down?
How far back in time before the event must you go to ensure that data is valid and synchronized?
RECOVERY TIME OBJECTIVE (RTO): the time interval between the loss and restoration of the business function / process. This equates to the speed of recovery and is directly linked to the class of business function.
RECOVERY POINT OBJECTIVE (RPO): the point in time from which the function / process must be recovered (the last reliable point in time when all data and information resources could be valid). Sometimes the RPO must be synchronized across multiple business processes / functions using some / all of the same data. In planning, select recovery points based on a synchronized, coordinated backup schedule.
Rule of Thumb: The quicker the recovery, the more expensive it is likely to be.
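
An added example (not part of the original slides) that checks a backup schedule against the RPO and RTO definitions above: it finds the latest recovery point shared by every system that uses the same data, then compares the resulting data loss and the summed recovery steps with the targets. The system names, backup times, step durations and targets are constructed, and the code assumes a coordinated schedule in which backups with the same timestamp are mutually consistent.

```python
from datetime import datetime, timedelta

# Constructed sample data: backup completion times per system (not from the slides).
BACKUPS = {
    "orders_db":  ["2024-03-01 00:00", "2024-03-01 06:00", "2024-03-01 12:00"],
    "billing_db": ["2024-03-01 00:00", "2024-03-01 12:00"],
    "file_store": ["2024-03-01 00:00", "2024-03-01 06:00",
                   "2024-03-01 12:00", "2024-03-01 14:00"],
}
# Constructed durations in hours; step names follow the recovery timeline slide.
RECOVERY_STEPS = {"Mobilize Resources": 1.0, "Relocate Backups": 2.0,
                  "Restore Operating System": 1.5, "Reload Data Base": 3.0,
                  "Roll Forward ReSync": 1.0}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def synchronized_recovery_point(backups, event):
    """Latest timestamp at or before the event at which every system has a backup."""
    common = None
    for times in backups.values():
        usable = {parse(t) for t in times if parse(t) <= event}
        common = usable if common is None else common & usable
    return max(common) if common else None

def assess(backups, steps, event, rpo, rto):
    """Compare achievable data loss and recovery time with the RPO and RTO targets."""
    point = synchronized_recovery_point(backups, event)
    data_loss = event - point if point else None
    recovery = timedelta(hours=sum(steps.values()))
    return {
        "recovery_point": point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "recovery_time": recovery,
        "rto_met": recovery <= rto,
    }

if __name__ == "__main__":
    event = parse("2024-03-01 15:30")
    result = assess(BACKUPS, RECOVERY_STEPS, event,
                    rpo=timedelta(hours=4), rto=timedelta(hours=8))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Although file_store has a 14:00 backup, the shared recovery point is 12:00 because billing_db has nothing later, so the data loss is measured from the oldest common point, not from each system's newest backup.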
13 Balancing Cost and Recovery
14 Balancing Cost and Recovery
15 BCM Lifecycle
[Cycle diagram with stages: Analysis, Design, Implementation, Testing, Maintenance]
A completed BCP cycle results in a formal printed manual available for reference before, during, and after disruptions have occurred.
16 BCM Building Blocks
17 Key success factors
- Management support and commitment
- BCM Framework
  - Policy, Organization, Process, Resource
- KIS rule: Keep It Simple
- Tailored and flexible - all disasters are possible
- People are the most critical issue
- BCM is an iterative process
- Exercise, Exercise, Exercise!
- Maintain, Maintain, Maintain!
18 Final word