PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA



Chapter-4: Business Continuity Planning and Disaster Recovery Planning

Learning Objectives
- To understand the concept of Business Continuity Management
- To understand the key phases and components of a Business Continuity Plan
- To understand the key aspects of Business Continuity Plan implementation
- To learn about Back-up and Disaster Recovery Planning
- To learn how to audit a Business Continuity Plan

Topics Covered (PART-3)
- Overview of BCP/DRP
- 4.9 BCM - Strategy Process
- 4.10 BCM Development and Implementation Process
- 4.11 BCM Testing and Maintenance Process
- 4.12 BCM - Training Process

Overview of BCP/DRP
Business Continuity Planning
- A Business Continuity Plan (BCP) is a statement of the actions to be taken, the resources to be used, and the procedures to be followed before, during and after a disaster that has rendered a business function totally or partially unavailable.
- BCP is a business plan, wherein the goal is to minimise the loss to the enterprise in case of a disaster.
- The BCP document reflects an organization's ability to maintain the continuity of critical operations across the business enterprise.

Disaster Recovery Procedures
- DRP covers the immediate and temporary restoration of computing and network operations after a natural or man-made disaster within defined timeframes.
- DRP is the technological aspect of BCP.
- DRP is a crucial component of enterprise risk management and business continuity planning. It is essential for ensuring continuity of operations.
- Disaster recovery is the science of mitigating the impact of disasters, no matter what causes them.

Need for BCP/DRP
- IT systems are expanding in complexity,
- as well as in terms of throughput (transactions per second),
- and in terms of critical information that must be properly and securely handled and stored from start to finish.
- Real damage to a business can occur if the threat of catastrophic disruption is not recognized and not handled properly.

What is BCP and what a BCP does
What is BCP
- An integrated set of procedures and resource information that is used to recover from a disaster that has caused a disruption to business operations.
- BCP is an ongoing process, not a project.
What a BCP does
- Upon the declaration of a disaster, it activates pre-approved policies and authorities.
- Restores the outflow of services with the least possible cost to the organization.

What is a Disaster?
- A sudden, unplanned calamitous event that interrupts an enterprise's ability to function.
- Disruption of business operations that stops the organization from providing its critical & essential services, caused by the absence of critical resources: Facilities, Communications, Power, Access to Information or People.

Causes of Disaster Condition
- Natural disasters: Floods, Cyclone, Fires, Earthquakes etc.
- Utilities: Electricity, Water, Communications etc.
- Human Causes: Strikes, Sabotage, Terrorism, Viruses

Causes of Disaster Condition
- Equipment Failures: Information Systems, Data Communications & Networking, Telecom
- Human Errors: Programmer/Operator errors, Lost or damaged backup
- Contamination: Biological Virus (Plague, SARS)

Impact of Disasters
- Financial health: Loss of revenue/cash flow, Large extraordinary expenses
- Service levels/Customer Attitude: Increased Competition, Key Differentiator is the Service Levels, Lost Customers don't return
- Human resources: Fewer key people due to downsizing, Profound impact of loss of productive services
- Increasing use/dependence on Technology: Next to impossible to operate in manual mode, More info & faster, LAN & WAN cannot be down
- Liabilities for not providing services: Penalties, Management responsibility if DR is not adequately planned

Management Perception of BCP
The BCP should:
- Be installed quickly
- Minimize the cost and disruption to the organization
- Be a quality, workable plan
- Be implemented by quality leadership
- Train and provide awareness to staff
- Be current and updated

BCP Phases
- Assessment: Organize Risk Assessment Team, Conduct Risk Assessment, Risk Scoping & Prioritization, Develop Scenarios
- Planning: Develop Plans, Identify Event Triggers, Test Plans, Train on Plans
- Execution: Trigger Event Occurs, Execute Plan
- Recovery: Event Ends, Activate Recovery Plan

4.9 BCM - Strategy Process
- Establish procedures for backing up files and applications
- Establish contracts and agreements, if the contingency strategy calls for them
- Existing service contracts may need to be renegotiated to add contingency services
- Purchase equipment, especially to support a redundant capability

4.9 BCM - Strategy Process
- Some activities that have been defined as non-critical are also included in the BCPs, as they help the critical activities operate in a more efficient and effective manner.
- The enterprise may adopt any strategy, but it should take into account the implementation of:
  - Measures to reduce the likelihood of incidents
  - Measures to reduce the potential impact of those incidents
  - Resilience and mitigation measures for both critical and non-critical activities

4.10 BCM Development and Implementation Process
For an effective response and recovery from disruptions, the enterprise should have:
- An exclusive organization structure
- An Incident Management Team
In the event of any incident, there should be a structure to:
- Confirm impact of incident (nature and extent)
- Control the situation
- Contain the incident
- Communicate with stakeholders, and
- Coordinate appropriate response

The Incident Management Plan
- Manage the initial phase of an incident
- Top management support with appropriate budget
- Flexible, feasible and relevant
- Easy to read and understand
- Provide the basis for managing all possible issues

The Business Continuity Plan
- Invoked to support the critical activities required to deliver the enterprise's objectives
- Recovery strategies may be two-tiered: Business and Technical
  - Business: e.g. logistics, accounting, human resources, etc.
  - Technical: e.g. desktop, client-server, midrange, mainframe computers, data and voice networks, etc.

4.11 BCM Testing and Maintenance Process
- BCM Testing
- BCM Maintenance
- Reviewing BCM Arrangements

BCM Testing
The BCP testing program should include testing of:
- Technical, logistical, administrative, procedural and other operational systems
- BCM arrangements and infrastructure (including roles, responsibilities, and any incident management locations and work areas, etc.)
- Technology and telecommunications recovery, including the availability and relocation of staff

BCM Testing
- Practicing the enterprise's ability to recover from an incident
- Verifying that the BCP incorporates all enterprise critical activities and their dependencies and priorities
- Highlighting assumptions, which need to be questioned
- Instilling confidence amongst exercise participants

BCM Testing
- Raising awareness of business continuity throughout the enterprise by publicizing the exercise
- Validating the effectiveness and timeliness of restoration of critical activities
- Demonstrating competence of the primary response teams and their alternatives

Objectives of performing BCP tests
- To ensure recovery procedures are complete and workable
- To evaluate competence of personnel in their performance of recovery procedures
- To ensure business processes, systems, personnel, facilities and data are obtainable and operational to perform recovery

Objectives of performing BCP tests
- To ensure that the manual recovery procedures and IT backup system/s are current and can either be operational or restored
- To ensure that the success or failure of the business continuity training program is monitored

Implementation of BCP Tests
- Defining the test purpose/approach
- Identifying test teams
- Structuring the test
- Conducting the test
- Analyzing test results
- Modifying the plans as appropriate

Testing Process
- Setting objectives
- Defining the Boundaries
- Scenario
- Test Criteria
- Assumption
- Test Prerequisites
- Briefing session
- Checklists
- Analysing the test
- Debriefing session

Testing BCP
- Verify completeness & precision of BCP
- Evaluate the performance of the personnel involved
- Appraise training & awareness of non-BCP team members
- Evaluate coordination among BCP team, external vendors & suppliers
- Measure ability & capacity of backup site to perform prescribed processing
- Assess vital records retrieval capability
- Measure overall performance of operational & IS processing activities

BCM Maintenance
The BCM maintenance process demonstrates:
- Documented evidence of proactive management and governance of the enterprise's BCP.
- Key people who are to implement the BCM strategy and plans are trained and competent.
- Monitoring and control of the BCM risks faced by the enterprise.
- Evidence that material changes to the enterprise's structure, products and services, activities, purpose, staff and objectives have been incorporated into the enterprise's BCPs and IMPs.

Maintenance tasks in BCP
- Determine the ownership and responsibility for maintaining the various BCP strategies
- Identify the BCP maintenance triggers to ensure that any organizational, operational and structural changes are communicated
- Determine the maintenance regime to ensure the plan remains up-to-date

Maintenance tasks in BCP
- Determine the maintenance processes to update the plan
- Implement version control procedures to ensure that the plan is maintained up-to-date

Reviewing BCM Arrangements
Verify that:
- All key products and services and their supporting critical activities and resources have been identified and included.
- The enterprise's BCM policy, strategies, framework and plans accurately reflect its priorities and requirements.
- The enterprise's BCM competence and capability are effective and fit-for-purpose, and will permit management, command, control and coordination of an incident.
- The enterprise's BCM solutions are effective, up-to-date and fit-for-purpose, and appropriate to the level of risk faced by the enterprise.

Reviewing BCM Arrangements
Verify that:
- The enterprise's BCM maintenance and exercising programs have been effectively implemented
- BCM strategies and plans incorporate improvements identified during incidents and exercises and in the maintenance program
- The enterprise has an ongoing program for BCM training and awareness
- BCM procedures have been effectively communicated to relevant staff, who understand their roles and responsibilities
- Change control processes are in place and operate effectively

4.12 BCM Training Process
Training is used as a tool to initiate a culture of BCM in all the stakeholders by:
- Developing a BCM program more efficiently
- Providing confidence in its stakeholders (especially staff and customers) in its ability to handle business disruptions
- Increasing its resiliency over time by ensuring BCM implications are considered in decisions at all levels
- Minimizing the likelihood and impact of disruptions

BCM culture is supported by
- Leadership from senior personnel in the enterprise
- Assignment of responsibilities
- Awareness raising
- Skills training
- Exercising plans

Training, Awareness and Competency
- Actively listens to others, their ideas, views and opinions
- Provides support in difficult or challenging circumstances
- Responds constructively to difficult circumstances
- Adapts leadership style appropriately to match the circumstances
- Promotes a positive culture of health, safety and the environment
- Recognizes and acknowledges the contribution of colleagues

Training, Awareness and Competency
- Encourages the taking of calculated risks
- Encourages and actively responds to new ideas
- Consults and involves team members to resolve problems
- Demonstrates personal integrity
- Challenges established ways of doing things to identify improvement opportunities

Summary (PART-3)
- 4.9 BCM - Strategy Process
- 4.10 BCM Development and Implementation Process
- 4.11 BCM Testing and Maintenance Process
- 4.12 BCM - Training Process

Thank you!