BCP and DR
P K Patel, AGM, MoF
Key difference between BS 25999 and ISO 22301
- ISO 22301 puts a much greater emphasis on setting objectives, monitoring performance and metrics, and aligning BC with top management's strategic thinking.
Business Continuity Management (BS 25999)
- Holistic management process that identifies potential impacts of the disruption of the activities that threaten an organisation, and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
- What is the benefit? The main purpose of BCM is to ensure that the organization has a response to major disruptions that threaten its survival.
BCM Policy
BCMS: Understanding the Organization
- Business Impact Analysis: to identify the critical business processes, the resources needed to support them, and the impact, measured over time, of their unavailability.
- Evaluating threats (Risk Assessment): to understand the impact that would arise if an identified threat becomes an incident and causes a business disruption.
Business Impact Analysis: Purpose
- To document the impacts over time that would result from the loss or disruption of an activity.
- Identify the Maximum Tolerable Period of Disruption (MTPD).
- Identify the dependencies (both internal and external) that are required to enable the activity to operate effectively.
- A BIA is used to determine the impact of interruption in advance of major business change, such as:
  - Introduction of a new product, process or technology
  - Office relocation or a change in the geographical spread of the business
  - Significant change in business operations, structure or staffing levels
  - A significant new supplier or outsourcing contract
BCMS (contd.)
- Determining BCM Strategy: identify suitable BCP arrangements to recover the identified critical activities within their recovery time objective (RTO).
Determining BCM Strategy
Data backup strategy
- Online backup at an alternative recovery site
- Daily day-end backup on tapes/floppies/DATs/CDs (say, a cold backup)
- Incremental backup (say, a warm backup)
- Differential backup
- Weekly, monthly and year-end backups
- Full system backup
- Purge backup, troubleshooting backup
- Offsite storage of data backups in a fireproof cabinet
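The slide lists full, incremental and differential backups without saying what each restore actually needs. The following is an added example (not code from the presentation) that models the three types over a constructed four-day change history for a small file set and shows the trade-off: incrementals write the least data per run but a restore needs the full backup plus every incremental since, so one unreadable tape silently leaves stale data; differentials grow each day but a restore needs only the full backup and the latest differential. File names, versions and the "lost tape" scenario are constructed sample data.

```python
from __future__ import annotations

# Constructed sample data (not from the presentation): the content version of
# each file at day end.  Day 0 is the weekly full backup; days 1-3 follow it.
DAILY_STATE = [
    {"ledger.db": "v1", "config.ini": "v1", "rates.csv": "v1"},  # day 0: full
    {"ledger.db": "v2", "config.ini": "v1", "rates.csv": "v1"},  # day 1
    {"ledger.db": "v3", "config.ini": "v1", "rates.csv": "v2"},  # day 2
    {"ledger.db": "v4", "config.ini": "v2", "rates.csv": "v2"},  # day 3
]


def changed_since(current: dict, reference: dict) -> dict:
    """Files whose content differs from the reference state (added or modified).
    Deleted files are not modelled here; a real tool would record tombstones."""
    return {name: data for name, data in current.items() if reference.get(name) != data}


def incremental_chain(states: list[dict]) -> list[dict]:
    """Full backup on day 0, then each day only what changed since the previous day."""
    chain = [dict(states[0])]
    for prev, cur in zip(states, states[1:]):
        chain.append(changed_since(cur, prev))
    return chain


def differential_chain(states: list[dict]) -> list[dict]:
    """Full backup on day 0, then each day everything changed since that full backup."""
    base = states[0]
    return [dict(base)] + [changed_since(cur, base) for cur in states[1:]]


def restore_incremental(chain: list[dict], day: int, lost: set[int] = frozenset()) -> dict:
    """Rebuild the day's state: full backup plus EVERY incremental up to that day.
    `lost` lists days whose backup medium is unreadable; they are skipped, which
    silently leaves stale data in the restored copy."""
    state = dict(chain[0])
    for i in range(1, day + 1):
        if i not in lost:
            state.update(chain[i])
    return state


def restore_differential(chain: list[dict], day: int, lost: set[int] = frozenset()) -> dict:
    """Rebuild the day's state: full backup plus only the LATEST differential,
    so an unreadable medium from an earlier day does not affect the restore."""
    state = dict(chain[0])
    if day > 0 and day not in lost:
        state.update(chain[day])
    return state


def backup_volume(chain: list[dict]) -> list[int]:
    """Number of files written per backup run; shows the size trade-off."""
    return [len(b) for b in chain]


if __name__ == "__main__":
    inc = incremental_chain(DAILY_STATE)
    diff = differential_chain(DAILY_STATE)
    print("incremental volumes:", backup_volume(inc))    # [3, 1, 2, 2]
    print("differential volumes:", backup_volume(diff))  # [3, 1, 2, 3]
    print("day 3 via incrementals with the day-2 tape lost:",
          restore_incremental(inc, 3, lost={2}))
```

Run it and compare the two restores of day 3 with the day-2 medium marked lost: the incremental restore comes back with `rates.csv` at `v1`, which is exactly the kind of silent gap a restoration test at the alternate site is meant to catch.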
Recovery Strategy
- Mirror site (duplicate processing facility): for critical applications, a backup of all the processing facilities is maintained; restoration is readily possible.
- Hot site: backup of data files, application programs, stationery and supplies.
- Warm site: some system software, some hardware, some networking facilities; a building with electrical connection.
- Cold site: a building with electrical connections, air conditioners, etc.
- Mobile site: a heavy vehicle containing some system software, some hardware and some networking facilities.
- Reciprocal agreement: to use each other's facilities when an incident occurs.
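The BIA slide (MTPD and dependencies), the strategy slide (recover within the RTO) and the site options above fit together as one check that is easy to get wrong on paper: an RTO only works if it falls inside the MTPD and if every dependency can be brought back at least as fast. The following is an added example, not code from the presentation, that applies those checks to a constructed set of activities, maps each RTO to the cheapest site option that still meets it, and derives a restoration order with dependencies first. The activity names, hour values and the per-site achievable recovery times are illustrative assumptions, not figures from the slides or from any standard.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_hours: int            # BIA output: disruption becomes intolerable beyond this
    rto_hours: int             # chosen recovery objective; must fall within the MTPD
    depends_on: list = field(default_factory=list)   # internal/external dependencies


# Assumed achievable recovery times per site option on the slide (hours).  These
# figures are illustrative assumptions, not values from the presentation or a standard.
SITE_TIERS = [        # fastest (most expensive) first
    ("mirror site", 1),
    ("hot site", 4),
    ("warm site", 24),
    ("cold site", 72),
]


def select_site(rto_hours: int):
    """Cheapest (slowest) site option whose achievable recovery time still meets the RTO."""
    for tier, achievable in reversed(SITE_TIERS):
        if achievable <= rto_hours:
            return tier
    return None   # no listed option recovers fast enough; the RTO needs revisiting


def check_bia(activities: list) -> list:
    """Consistency findings: an RTO must be shorter than the MTPD, and no activity can
    be recovered faster than the dependencies it needs."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        if a.rto_hours >= a.mtpd_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h is not within MTPD {a.mtpd_hours}h")
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: dependency {dep} is not covered by the BIA")
            elif d.rto_hours > a.rto_hours:
                findings.append(f"{a.name}: depends on {dep} whose RTO {d.rto_hours}h "
                                f"exceeds its own RTO {a.rto_hours}h")
    return findings


def recovery_order(activities: list) -> list:
    """Restoration sequence: dependencies first, then the shortest RTO among what is ready."""
    by_name = {a.name: a for a in activities}
    pending = {a.name: {d for d in a.depends_on if d in by_name} for a in activities}
    order = []
    while pending:
        ready = [n for n, deps in pending.items() if deps <= set(order)]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(pending)))
        nxt = min(ready, key=lambda n: (by_name[n].rto_hours, n))
        order.append(nxt)
        del pending[nxt]
    return order


# Constructed BIA entries for illustration (hypothetical activity names and hours).
ACTIVITIES = [
    Activity("network", mtpd_hours=4, rto_hours=2),
    Activity("database", mtpd_hours=8, rto_hours=6),
    Activity("core_banking", mtpd_hours=8, rto_hours=4, depends_on=["network", "database"]),
    Activity("atm_switch", mtpd_hours=2, rto_hours=1, depends_on=["network"]),
    Activity("payroll", mtpd_hours=72, rto_hours=96, depends_on=["database"]),
]

if __name__ == "__main__":
    for f in check_bia(ACTIVITIES):
        print("FINDING:", f)
    for a in ACTIVITIES:
        print(f"{a.name}: RTO {a.rto_hours}h -> {select_site(a.rto_hours)}")
    print("restore in order:", recovery_order(ACTIVITIES))
```

In the constructed data the checks surface three gaps: payroll's RTO exceeds its MTPD, and both core_banking and atm_switch have been given RTOs shorter than those of the dependencies they rely on, so their site choice is meaningless until the dependency RTOs are tightened.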
Developing and implementing a BCM response
BCMS (contd.)
Developing and implementing a BCM response:
- Incident response structure
- Incident Management Plan
- Business Continuity Plan
- Activity Response Plan
Incident Response Structure
- Identifying necessary actions
- Finding resources for performing the actions
- Clear procedure for escalation and control of an incident
- Communication with stakeholders
- Plan to resume interrupted activities
Incident Response Structure
Incident management plan
- Create an incident management planning team
- Decide the structure, format, components and content of the plan
- Gather the required information for the plan
- Draft the plan
- Circulate the draft plan for consultation and review
Incident Management Plan
- What crisis could hit us?
- Who are the audience?
- How do we communicate with them?
- What are the messages?
- Who will form the Incident Team?
- What are the resources and facilities?
- Does it work?
- What documentation is needed?
Business Continuity Plan
- Making things work after they fail
- The BCP should be modular in design so that each team can operate independently
- The BCP needs to be comprehensive but simple
BCP vs DR
Business Continuity Plan
- Ongoing process
- Preparation in anticipation of an incident
- Arrangements to handle anticipated disturbances without disruption to business
Disaster Recovery
- Recovery forms an important part
- A part of BCP
- Usually refers only to the recovery of certain key systems after a disaster
- Largely driven by IT departments
Contents of a sample business continuity plan document
Section A: Introduction
- Background
- Objectives
- Definitions
- Organization for business continuity/disaster recovery
- Activation of the plan
- Emergency Operation Center
- Placement of documents
6/21/2013
Section B: Business Continuity Plan (contd.)
- Objective
- Scope
- Alternate site
- BCP scenarios
- Process-wise BCP procedures and BCP teams
Section C: Disaster recovery plan (contd.)
- Introduction
- Purpose
- Threats considered/not considered for the plan
- Disaster recovery team
- Emergency calls
- Disaster recovery procedures: non-IT (fire, power outage, flood, etc.) and IT-related (failure of hardware/system software/application software, cyber intrusion and cyber crime)
- Contingency operations procedures
- Recovery and restoration
Section D: Emergency response plan (contd.)
- Introduction
- Definition of crisis
- Emergency response team
- Emergency response activation
- Establishing an alert level
- Emergency response: local escalation procedures
- Action consideration lists
Section E: Maintenance and testing of the plans (contd.)
Annexures:
- 1. Constituents of the BCP, DRP and EMT committees
- 2. Employee call tree
- 3. List of branches and contact persons
- 4. Building site plan
- 5. Emergency contact nos. of support services
- 6. Contact nos. of third-party service providers
- 7. Contact nos. of non-IT and IT vendors
Annexures (contd.)
- A. BCP procedures
- B. Format of documents used during business continuity
- C. Hardware/software (in-house and outsourced) list
- D. List of data files used
- E. Media used to store files
- F. Test pre-planning checklist
- G. Format for test evaluation sheet
- H. Format for BCP/DRP test report
Activity Response Plan
- BCP documents become unwieldy if all procedures are included
- Hence operational-level documents are separated out as Activity Response Plans, e.g.:
  - HR deals with personnel issues in the incident
  - The business department plans to resume work
  - The IT department plans on getting systems and data restored
Exercising, Maintaining and Reviewing BCM arrangement
Testing BCPs
- Table-top testing
- Simulations
- Technical recovery testing
- Testing recovery at an alternate site
- Tests of supplier facilities and services
- Component testing
- Complete rehearsals
Embedding BCM in the organization's Culture
- Assessing the level of BCM awareness and training
- Developing BCM within the organization's culture
- Monitoring cultural changes
Embedding BCM in organization's Culture
BCP Process
- Business impact analysis
- Risk assessment
- Business continuity strategy development
- Developing the emergency response structure
- Developing the Emergency Management Plan and Business Continuity Plan
- Testing of the Business Continuity Plan
- Audit of BCP preparedness
- Business continuity planning review
Report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Fraud (G. Gopalakrishna Committee, 2011)
- The Group delved into various issues arising out of the use of Information Technology in banks and made its recommendations in nine broad areas: IT Governance, Information Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity Planning, Customer Awareness Programmes and Legal Issues.
- The Group felt that the recommendations are not one-size-fits-all, and that their implementation needs to be based on the nature and scope of the activities the bank engages in, the technology environment prevalent in the bank, and the support rendered by technology to the business processes.
Regulatory Aspects (contd.): Compliance
- Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, to all scheduled commercial banks (excluding RRBs).
- Banks need to ensure implementation of the basic organizational framework, and put in place policies and procedures that do not require extensive budgetary support or infrastructural or technology changes, by October 31, 2011.
- The rest of the guidelines need to be implemented within a period of one year, unless a longer time-frame is indicated in the circular.
- A few provisions are recommendatory in nature; their implementation is left to the discretion of the banks.
BCP/DR
- Business Continuity Policy approved by the Bank's Board
- Senior official to head the BCP function
- BCP Committee consisting of HR, IT, Legal and Business officials
- BCP framework based on BS 25999
- Business Impact Analysis for critical systems
- People aspect should be an integral part of a BCP
- BCP testing covering people, processes and technology
- Internal auditors to assess the effectiveness of the BCP
- Conducting planned and unplanned drills
Contd.
- No movement of DC staff to DR for drills
- Annual review and updates of continuity plans
- Periodic reviews and updates of DR infrastructure
- Perfect replicas for all critical applications and services
- Checks ensuring data and transaction integrity in DC and DR
- Near-DR site architecture
- Suitable methodology for drills closer to a real disaster
- An industry-wide alarm and crisis forum/organization
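One of the expectations above, checks ensuring data and transaction integrity between DC and DR, is the one that turns into code most directly. The following is an added example, not code from the presentation or any regulator, of a reconciliation that hashes each transaction record in a canonical form on both sites, compares a single summary digest first, and on mismatch reports which records are missing on DR (replication lag or loss), unexpected on DR (writes that bypassed the primary), or present on both but with different content. The transaction records are constructed sample data; the field names are hypothetical.

```python
import hashlib
import json

# Constructed sample transaction records (hypothetical fields) as they would be
# read from the primary data centre (DC) and the DR site after replication.
DC_TXNS = [
    {"id": 1001, "acct": "SB-0001", "amt": "250.00", "type": "CR"},
    {"id": 1002, "acct": "SB-0002", "amt": "75.50", "type": "DR"},
    {"id": 1003, "acct": "SB-0003", "amt": "1200.00", "type": "CR"},
    {"id": 1004, "acct": "SB-0001", "amt": "40.00", "type": "DR"},
    {"id": 1005, "acct": "SB-0004", "amt": "999.99", "type": "CR"},
]
DR_TXNS = [
    {"id": 1001, "acct": "SB-0001", "amt": "250.00", "type": "CR"},
    {"id": 1002, "acct": "SB-0002", "amt": "75.50", "type": "DR"},
    {"id": 1003, "acct": "SB-0003", "amt": "1200.00", "type": "DR"},  # type differs: divergence
    {"id": 1004, "acct": "SB-0001", "amt": "40.00", "type": "DR"},
    # 1005 has not arrived yet: replication lag
]


def record_digest(txn: dict) -> str:
    """SHA-256 over a canonical (sorted-key, no-whitespace) JSON form, so that field
    order or formatting differences between the two sites do not raise false alarms."""
    canonical = json.dumps(txn, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def site_digest(txns: list) -> str:
    """One summary hash per site: per-record digests concatenated in id order.
    Equal summaries mean the sites agree; unequal ones call for the detailed diff."""
    ordered = sorted(txns, key=lambda t: t["id"])
    joined = "".join(record_digest(t) for t in ordered)
    return hashlib.sha256(joined.encode("ascii")).hexdigest()


def compare_sites(dc_txns: list, dr_txns: list) -> dict:
    """Per-record reconciliation of the DR copy against the DC copy."""
    dc = {t["id"]: record_digest(t) for t in dc_txns}
    dr = {t["id"]: record_digest(t) for t in dr_txns}
    common = dc.keys() & dr.keys()
    return {
        "missing_on_dr": sorted(dc.keys() - dr.keys()),             # lag or loss
        "unexpected_on_dr": sorted(dr.keys() - dc.keys()),          # bypassed the primary
        "mismatched": sorted(i for i in common if dc[i] != dr[i]),  # altered content
        "in_sync": dc == dr,
    }


if __name__ == "__main__":
    print("DC summary:", site_digest(DC_TXNS))
    print("DR summary:", site_digest(DR_TXNS))
    if site_digest(DC_TXNS) != site_digest(DR_TXNS):
        print(compare_sites(DC_TXNS, DR_TXNS))
```

Because the summary digest is order-independent, it can be computed on each site from a query in whatever order the database returns rows and compared over the network without shipping the records themselves; only when the summaries differ does the per-record comparison need the full data.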
Basel guidelines on BCP
- The Basel Committee on Banking Supervision constituted a joint forum
- The International Commission for Securities Commissions and the International Commission of Insurance Supervisors were the other members
- Report published in 2006 with 7 high-level principles of BCP
7 High-level Principles
- Principle 1: Board and senior management responsibility
- Principle 2: Major operational disruptions
- Principle 3: Recovery objectives
- Principle 4: Communications
- Principle 5: Cross-border communications
- Principle 6: Testing
- Principle 7: BCM review by financial authorities
7 steps to implement BCP
Issues in implementing BCP/DR in Banks
- Higher costs
- Lack of viable alternatives
- Telecommunication risks
- Over-dependence on vendors
- Outsourcing risks
Value Obtained from BCM
- Creating the initial plan: Rs. X
- Annual updates and testing: Rs. Y
- Annual infrastructure costs: Rs. Z
- Peace of mind during a disaster: priceless
- The best insurance policy you will ever buy.
Thank You