Effectiveness of BCM through Exercising

By Wan Asriah Wan Adnan
Head, Business Continuity & Disaster Recovery
Bursa Malaysia Berhad
wan_asriah@bursamalaysia.com
31 October 2007

Bursa Malaysia and its Group of Companies ("the Company") reserve all proprietary rights to the contents of this Presentation. No part of this Presentation may be used or reproduced in any form without the Company's prior written permission. This Presentation is provided for information purposes only. Neither the Company nor the Presenter makes any warranty, express or implied, nor assumes any legal liability or responsibility for the accuracy, completeness or currency of the contents of this Presentation.

AGENDA
- BURSA BC OVERVIEW
- WHY EXERCISE
- BC EXERCISE: OUR APPROACH
- IMPLEMENTATION OF BC EXERCISE
- SUMMARY

BACKGROUND
The BURSA Business Continuity Plan (BCP) has been in place since 1994.

BCP Development:
- 1994 - First BCP exercise conducted
- 1997 - Relocation to Bursa owned Disaster Recovery Site
- 1998 - Inclusion of MSRS
- 1999 - Establishment of BCP2000 software to support BCP database
- 2001 - Inclusion of KLOFFE within Bursa BCP
- 2002 - Inclusion of COMMEX / MDEX within Bursa BCP
- 2003 - Inclusion of MDCH within Bursa BCP
- 2004 - Major restructuring overhaul BCP Manual; Removal of MSRS from Bursa BCP
- 2005 - Establishment of BCP Intranet
- 2006 - Inclusion of Circuit Breaker
- 2007 - Inclusion of Pandemic; Inclusion of LFX

Major activities since its establishment:
- 40 plan revisions
- more than 40 major exercises

Bursa Risk / Threat Analysis
- A threat is a man-made or natural situation or condition that can cause disruption to an organisation's operations or services.
- Risk is the potential of exposure to disruption due to a threat which affects business continuity.

Threat:
- Bomb Threat
- Bomb Explosion*
- Fire*
- Riot*
- Earthquake
- Hostile Attack*
- Hurricane
- Toxic Threat*
- Flood*
- Haze
- TNB Power Failure
- Cyber Threat*
- Pandemic

Risk:
- Loss of Life / Unavailability of Key Personnel
- No access to the building
- Disruption of critical facility
- Disruption to computing facility
- Loss of critical data
- Critical System Halt

Legend:
- Threat that we have experienced before
- Our previous simulated exercise scenario

ENTITIES DEPENDENT ON BURSA

Entities around BURSA MALAYSIA:
- Investors
- Brokers
- Government Authorities
- Information Vendor
- Dealer Representative
- Public Listed Companies

Figures:
- > 4 million CDS account holders
- 35 Participating Organisations
- 15 Trading participants
- about 7,000 Dealer Representatives
- > 1,000 PLCs
- RM 2 billion trading per day

BURSA BUSINESS CONTINUITY PRACTICE METHODOLOGY: OVERVIEW

Phases:
- Plan & Requirement Study
- Design & Develop
- Implement & Enhance

Steps:
- I. PROJECT INITIATION & MANAGEMENT
- II. RISK EVALUATION & CONTROL
- III. BUSINESS IMPACT ANALYSIS
- IV. DEVELOPING BUSINESS CONTINUITY STRATEGIES
- V. EMERGENCY RESPONSE & OPERATION
- VI. DEVELOPING & IMPLEMENTING BCP
- VII. AWARENESS & TRAINING PROGRAMS
- VIII. EXERCISING BCP
- IX. DRC SITE PROBLEM & MANAGEMENT
- X. PLAN REVIEW & MAINTENANCE
- XI. COORDINATION WITH PUBLIC AUTHORITIES
- Integration with other plan

BCPM (June 2003) - 1

ANNUAL BC OPERATIONS / ACTIVITIES (Business Continuity Plan)

Activity areas:
- Training & Awareness
- Exercising & Testing
- Plan Maintenance
- DR Site problem & Management

Activities:
- New Members Training
- Refresher Workshop
- Site Familiarisation
- BC Briefing to Business Partner
- BC Briefing to General Staff
- Risk Assessment
- Escalation Test
- IT Integrated Test
- IT Component Test
- Receptionist Training
- Security Training
- Call Test
- Full Physical Simulation
- Business Impact Analysis
- BC Survey
- Call Card & Contact No
- Recovery Organisation Review & Revision
- Documentation Maintenance
- Command Centre & DRC Information Update
- Intranet Maintenance
- Weekly Problem Reporting
- Quarterly Management Meeting
- Weekly Site Inspection
- Service Maintenance
- Facilities Upgrade
- Full Alternate Site Testing

WHY EXERCISE?

WHY EXERCISE

TESTING the plan
- Procedures
- Facilities
- People
- Data

TRAINING
- Plan familiarisation
- Integrated decision-making

OBTAINING SUPPORT
- Especially top management
- External parties

OUR APPROACH

BURSA BUSINESS CONTINUITY PRACTICE METHODOLOGY: Exercise BCP

Testing of the plan to ensure that the procedures are complete and workable and that weaknesses identified can be rectified.

TASKS AND ACTIVITIES

PLAN FOR THE EXERCISE
- Review level of BCP state of readiness
- Determine objective & scope of exercise
- Select probable date of the exercise
- Obtain approval to conduct exercise

COORDINATE THE EXERCISE WITH VARIOUS PARTIES
- Form test working committee
- Define the test approach
- Determine test participant
- Notify the respective parties involved

DEVELOP REALISTIC SCENARIO
- Develop exercise scenario
- Determine expected sequence of test activities
- Prepare related visual / audio aids to describe the scenario
- Identify expected outcome of the exercise

EXECUTE THE EXERCISE
- Prepare feedback form
- Prepare facilitator checklist
- Conduct exercise
- Record observation
- Analyse participant feedback
- Prepare Test report

DELIVERABLES
- BCP readiness status
- Test objective & scope
- Test approval
- List of parties involved
- Minutes of meeting
- Test critical success factor
- Unit test plan
- CIRCULAR TO EXTERNAL PARTIES
- Facilitator checklist
- Test feedback Form
- Disaster scenario
- Sequence of test activities
- BCP DRILL
- Sequence of events
- List of contingency measures
- BCP TEST REPORT

BCPM

CHECKLIST: Plan for Exercise

Select probable date and time of the exercise
- Key personnel availability
- Time taken to get all components ready
- Clashes with major external events
- Clashes with major internal events
- Completion date of initiatives and projects

Review level of BCP state of readiness
- Risk assessment recent events / exercise
- Status of major projects
- Documented plan readiness
- DRC facilities readiness
- Recovery Team readiness

Determine objective & scope of exercise
- Annual BC exercise programme
- Outcome of previous BC exercise
- Exercise type
- Exercise approach
- Resource requirement

Obtain approval to conduct exercise
- Management buy-in
- Formal approval

CHECKLIST: Coordinate the Exercise with Various Parties

Form working committee
- Internal parties involved
- External participation
- Determine scope of involvement
- Get reps nomination from Senior Management
- Formalise the committee
- Brief on TOR and roles & responsibilities

Determine test participant
- Internal key personnel
- List of organisations
- List of organisations office/site
- Scope of organisation participation

Define the test approach
- Risk assessment
- BC components tested
- Table top vs physical simulation
- Live data vs simulated data
- Surprise vs well informed
- Working hour vs non-working hour

Notify the respective parties involved
- Mode of correspondence
- Internal approval
- Exercise scope and instruction

CHECKLIST: Develop Realistic Scenario

Develop exercise scenario
- Recent threat
- Previous exercise simulated scenario
- Scope of test
- BC plan assumption
- Impact to the plan component
- Assumption

Determine expected sequence of exercise activities
- Simulated scenario impact
- BC plan and procedures
- Scenario update
- Scenario - presentation
- Target audience

Prepare related audio / visual aid on the scenario
- Test approach
- Resources & skills
- Available news / visual

Determine expected outcome
- Acceptable timing
- What can go wrong
- Fall back plan

CHECKLIST: Execute the Exercise

Prepare Feedback Form & Handout; Conduct Exercise; Record Observation
- Based on exercise objective
- Logistic and administrative
- Exercise instruction
- List of scenario update
- Briefing to participants
- Distribution / play of simulated scenario
- Comparison with expected activities
- Document observation
- Concentrate on problem areas
- Ready for fall-back plan

Prepare Facilitator Checklist
- Facilitators list
- Facilitator roles & responsibilities
- Facilitator briefing
- Facilitators back-up plan

Analyse Participant Feedback
- Record participants feedback
- Analyse what goes well
- Analyse issues / problems
- Follow-up
- Analyse weakness identified

Prepare Report
- Post mortem feedback
- Meeting exercise objective
- Lesson learned
- Findings
- Commitment on action plan to overcome weakness

IMPLEMENTATION OF BUSINESS CONTINUITY EXERCISE

ANNUAL BC PROGRAM & ACTIVITIES

Schedule columns: Seq / priority, Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

BC Operations (frequency)
- BCP Document Update: 6X
- Call Test / Call Card Issuance: 4X
- Escalation Test: 2X
- System Component Test: 4X
- IT Integrated Test: 1X
- Full Physical Simulation: 1X
- Refresher Workshop: 2X
- BCP Organisation Review: Ad-hoc
- Site Familiarisation: 1X

BC Projects (seq / priority)
- Disaster Declaration Review: 1
- Brokers BCP Survey & Briefing: 5
- Feasibility on DRC Options: 6
- ETP-BIA: 4
- Inclusion of LFX & IVs: 2
- Bursa Trade BIA & Strategy: 3

KEY PERFORMANCE INDICATOR & PERFORMANCE APPRAISAL

- Successful conduct of exercises that meet the test objective
- Enhance readiness of BC by having effective BC maintenance
  - To have up-to-date BCM doc
  - Enhance readiness of DRC
- Expansion of BCP scope
- Improvements to Disaster Recovery effectiveness and cost efficiency

1. Implement Pandemic BCP
2. Inclusion of LFX in BURSA BCP
3. Inclusion of IVs within scope of DRC system test
4. Broker survey and awareness
5. Inclusion of e-rapid (communications tools)

LEVEL 1 EXERCISE: e.g. CALL TEST

Purpose:
- To validate accuracy of contact details as documented in BCP Call Card
Test Frequency: Quarterly
No. of Participants:
- Recovery members and management personnel as listed in the BCP call card
- External parties as listed in the BCP call card
- Site contact details as listed in the BCP call card
Testing Method: Making calls to numbers as specified in the BCP call card
Planning Effort: 1 man week
Duration of Test: 4-7 hours

LEVEL 2 EXERCISE: e.g. BCP ESCALATION & MOBILISATION EXERCISE

Purpose:
- Test the ability to mobilise recovery team under surprise condition
- To validate Disaster Recovery Management (DRMT) decision making procedures and to ensure that they are workable
Test Frequency: Once - twice a year
No. of Exercise Participants: About 90 recovery members
Testing Method: Under surprise condition with a simulated scenario
Planning Effort: 1 man month
Duration of Test: 4-7 hours

LEVEL 3 BC EXERCISE: e.g. FULL PHYSICAL SIMULATION

Purpose: To validate all components of the plan
- people (management, recovery teams, external parties)
- procedures
- alternate facilities
- data and vital record
Test Frequency: Once - twice a year
No. of Test Participants:
  250-300 staff from Bursa Malaysia
  > 200 brokers trading offices
  > 50 clearing members and settlement banks
  > critical vendors
  > regulatory bodies
Testing Method: All recovery teams and computer operations are activated based on a given scenario
Planning Effort: 6 man month
Duration of Test: 2 days. Practically to be conducted on Saturday and Sunday

EXERCISE PARTICIPANTS TAKE HOME POINTS

- Some level of confidence that plan is workable
- Comfort and clear on roles and responsibilities
- I have important roles to play in a disaster
- Importance of commitments and teamwork by all parties
- Confidence on site and facilities readiness
- I depend on other function / parties to perform my task
- Failure to recover my function will affect other critical functions
- Require additional effort and resources to enhance plan effectiveness

COMMON WEAKNESS IDENTIFIED

Facilities:
- Out-dated facilities
- Facilities performance not at par with primary
- Need dedicated facilities

People:
- New support function and personnel should be included
- Cannot be contacted
- Not aware of dedicated work area
- Support personnel should be trained

Procedures:
- Need more templates - to ensure report / media release and circulars can be issued timely
- Function taken over by another business unit

Data and vital record:
- Wrong contact number / moving house
- Need daily data that is kept in PCs

Other Comments:
- Food
- Ramadhan not good time for BC exercise
- Should give incentives to participants

SUMMARY

BCP PHILOSOPHY
We cannot totally avoid disaster but we can minimise business impact caused by the disaster.

Thank You
www.bursamalaysia.com