BCMS APPROACH. Implementing Business Continuity for Organization

Transcription

1 BCMS APPROACH Implementing Business Continuity for Organization

2 BC INSTANCES Flight EK521 arriving from Trivandrum, India crash-lands in Dubai 282 passengers and 18 crew on board including 24 Britons One firefighter killed as he fought the blaze All passengers and crew safely evacuated, no reports of injuries All departure flights from Dubai International Airport delayed The 1981 Bangalore circus fire occurred on 8 February 1981 at Venus Circus in Bangalore, India, where more than 92 lives were lost, the majority of them being children. The circus fire had some similarities to the Hartford circus fire, which occurred on the afternoon of 6 July A fire incident in 1983 at Majestic theatre, Bangalore resulted in a stampede, killing many women, children due to panic The explosions at a petroleum storage depot at Buncefield, near London, UK, on 11 December 2005 created the biggest explosion and the biggest fire in Europe since the Second World War. It destroyed 5% of the UK s petrol stocks and impacted 600 businesses employees though fortunately causing no deaths. Since the depot supplied London Heathrow airport, it caused havoc to international flight schedules.

3 ELEMENTS OF BC Scope Policy and Objectives Business Impact Analysis Risk Assessment Business continuity strategy/plan Emergency Response Plan Critical activity recovery plan BC Test Plan

4 SCOPE Factors to consider Location Bangalore, UK, US Business continuity Policy & objectives Strategic No data loss, zero customer impact Ensure the welfare of its employees, visitors and contractors at all times Tactical Deliver as per SLA, using a risk based approach Conduct a programme of testing and exercising for the business continuity response Environment Complexity Seismic zone, political instability, natural disasters, epidemic Health care, E commerce, Hospitality Customer Requirements Sponsorship Capability, Legal, Statutory, Cost

5 SOME TERMINOLOGIES business continuity capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident business continuity management holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities business impact analysis process of analyzing activities and the effect that a business disruption might have upon them [SOURCE: ISO 22300]

6 BUSINESS CONTINUITY MANAGEMENT Aim: Protecting life and welfare Crisis Management Urgent need to take rapid decisions Incident EMERGENCY RESPONSE TEAM (ERT) ACTIVITY RECOVERY TEAM (ART) Building resilience to disruption Developing the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. List ERT, ART members Primary, Secondary strategies Recovery team-roles and responsibilities Staff communication Recovery time and resources required Recovery-Short Term, Long Term

7 Input Risk Assessment Output RISK ASSESSMENT STRATEGY Threat, Vulnerability, Impact, Likely-hood Control measures, processes Identifying the threats Identifying and evaluating risk control or mitigation options. Identifying vulnerabilities Ranking the risks Assessing the risks Likelihood, Impact

8 RISK ASSESSMENT STRATEGY

9 BUSINESS IMPACT ANALYSIS (BIA) Acts of nature e.g. hurricane, flood, etc. Input Criticality, Sensitivity -Assets, Activities, Resources Impact to organization for activities not performed Business Impact Analysis Output BC Strategy, Recovery -RTO, RPO External man-made events e.g. terrorism, evacuation, security intrusion, etc. Internal unintentional events e.g. accidental loss of files, computer failure, etc. Internal intentional events e.g. strike, sabotage, data deletion, financial wrong-doing, etc. Legal, regulatory, compliance or governance failure, which could be either intentional or unintentional Business failure e.g. caused by inappropriate and unsuccessful business strategies or management. Leads Failure of an individual infrastructure element, including single points of failure Longer-term interruption of a critical information flow Longer-term interruption of a critical business activity chain or business process Local longer-term business interruption Complete business interruption Identify Functions, Departments Time scale for Disruption-1 Hr., 4 Hrs., 1 Day, 1 week etc.. Interviews, discussions Internal, external dependencies Resources-Minimum recovery-sla, Customer requirements Normal operating condition, Back up

10 BUSINESS CONTINUITY STRATEGY (BCS) BIA RA BCS allows an appropriate response to be chosen for each product or service, such that the organization can continue to deliver those products and services: at an acceptable level of operation; and within an acceptable timeframe during and following a disruption. The choice made will take account of the resilience and countermeasure options already present within the organization. Emergency/Crisis response Incident management Business recovery Immediate response-deal with situation Safeguard life and property Less predictable and planned Action with/without plan Communicate to next stage on progress Reduce Damage, Aid recovery Communication-Internal, External capability to recover business activities before crisis restore an acceptable level of service Critical Activity Recovery Plan Business continuity Plan

11 BUSINESS CONTINUITY PLAN (BCP)

12 BC TESTING Pretest Test Post test Review Type of Test When Process Participants Frequency Complexity Full desktop simulation of a BC Incident led October 2010 Check the effectiveness of the ERT teams UK and Bangalore Low High by Independent consultants ITG. SUBEX ERT response Senior Managers Walkthrough Activity Recovery Plans May 2011 Mon 16 th May UK Facilities Management recovery plan Employees as appropriate ERT teams UK and Bangalore Senior Managers Employees as appropriate Medium Medium Desktop Simulation May 2011 Wed 18th May BD unavailability GS Bureau unavailability sub ledger unavailability Desktop Simulation Exercises May 2011 Walkthrough Specific Plans External Subex Client support Communications Plan Remote working Plan Project Manager IT Manager IT Manager Project Manager Medium Medium Medium Medium

13 BC TEST REPORT Summary Methodology Purpose Exercise Deliverables Situation Facilitator Participants Results Observations on the Suitability of Team Member Ability to Recover from an Incident Documentation Improvements Issues Arising Recommendations Watch out for The plan should reflect the changing business environment People, System changes Evaluating threats, Keep it current RTO, RPO alignment to business, Customer Adequacy of insurance coverage Good communication channels Information continuity Vs Business Continuity Appendix A Event Log Appendix B Communications Log Evaluators notes on the exercise (summary) Business Continuity is no longer just about having a plan; its about proving to examiners that they work

14 AREAS OF WEAKNESS Process awareness Internal Communication Exercises and training Vulnerability/risk analysis Information technology resilience and disaster recovery Planning Business continuity. The solution to the problem is in its history

15 QUESTIONS