Business Continuity Management BCM

1
Business Continuity Management(BCM)

• Best Practices
• 25 August 2008
• By Ros Yusoff
• NUBE

2
OVERALL IMPLEMENTATION APPROACH
Understanding Your Business
Initiation
Continual Improvement
Maturity Assessment
Testing Review
Program Management
Testing
Project Statement
Review
Timeline
Update
Requirements Strategy
Assurance
Business Impact
Policies
Risk Assessment
Preventive Measures
Continuity Strategies
Building Your Team Capabilities
Organizational Roles
Incorporate RR into JDs
Defining Roles Responsibilities
Defining the Committees Teams
Staff / Management Awareness Training
Training Matrix Master Plan
Short Training Sessions
Workshops / Awareness Sessions
3
Building the Team Capabilities

• Identify the Champion
• Must be a person who has the overall view of all
  the processes involved
• Identify the key personnel the backup personnel
  for each critical process
• Incorporate BC roles responsibilities into JDs
• Make them as part of KPIs
• Develop a skill matrix that your organization
  needs
• Draft annual training plan
• Hold lots and lots of awareness sessions
• Focus on specific skills required for the
  different team members

4
Understanding Your Business

• Initiation stage
• In-house vs. Outsource (make the decision)
• In-house Get well-trained get the experience
  required
• Outsource Never outsource fully
• Perform a maturity assessment (gap analysis)
• Should be brief and simple
• Develop the project/program based on the results
  of the maturity assessment
• Do not rush to get it done. Get it done right

5
Understanding Your Business

• Requirements strategy
• Define the policies
• The policies must be implementable during
  disasters
• Perform risk assessment BIA
• Only high-level risk assessment to determine
  critical threats in relation to Availability
• BIA - to determine the criticality of systems
• Identify preventive measures that exist already
• Propose recovery strategies
• Go back to the manual way when possible
• Minimally, should have off-site storage for
  critical data
• Go back and review BIA

6
Implementation

• Emergency response
• Life and safety first
• Identify an alternate place to work at
• Determine requirements at the alternate place
  (voice communications is crucial during disaster)
• Notification escalation procedures must be
  simple
• Ensure that contact information is accurate
  (requires frequent updates)
• Determine documents records required to recover
  critical business
• War chest

7
Implementation

• Plan development
• Recovery plans
• When possible, only use checklists
• Should be developed by the team members that
  would be involved in the recovery activities
• The goal is never to recover 100 of the
  business, but to an acceptable level
• Use simple, straight forward sentences
• Incorporate information security requirements
  into your plans
• Do not forget to draft the restoration plans
• Back to the original site
• Do not forget to develop plans for the
  mobilization of staff to the alternate site
• Transportation, office supply, food,
  accommodation

8
Continual Improvement

• Testing (exercising) review

9
Continual Improvement

• Compliance Audit
• Must have a thorough understanding of the
  business, individual functions, and
  interdependent relationships
• Challenge management related to potential risk
• Participate in BIA workshops
• Challenge recovery strategies
• Participate during testing
• Involve the right people as Subject Matter
  Experts

10
Hallmarks of a World-class BCP

• Centralized at the enterprise level
• Identify a Control Champion
• Committed and visible support from management
• Buy-in at all levels, even non-key personnel
• Use generally accepted standards
• Perform constant review and testing
• MTDs are reviewed against Client Charters
• Must be cost effective strategies must be lean
  mean