2011/EPWG/WKSP/004
Intro 1

Business Continuity Planning (BCP) 101

Submitted by: Business Continuity Management Institute

Workshop on Private Sector Emergency Preparedness
Sendai, Japan
1-3 August 2011

APEC EPWG Workshop: Private Sector Emergency Preparedness
BCP 101
August 2, 2011
Hotel Monterey Sendai
Sendai, Japan

Dr Goh Moh Heng PhD BCCE DRCE BCCLA CBCP FBCI
President

Copyright @ 2011 BCM Institute

Introduction 1: Business Continuity Planning (BCP) 101
09:45-11:10
Overview, including benefits and challenges to implementation, practices for mitigating threats and risks, and examples of BCP

Dr Goh Moh Heng
- President, Business Continuity Management (BCM) Institute, www.bcm-institute.org
- Managing Director, GMH Continuity Architects, Asia Pacific BCM Consulting Firm, www.gmhasia.com

Professional BCM Appointments
- Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee), www.ss540.org
- Project Director, Technical Working Group for SS507:2004 ISO/IEC 24762 Guidelines for BC-DR Services

http://www.bcmpedia.org/wiki/dr_goh_moh_heng

Dr Goh Moh Heng

Prior Appointments
- Government of Singapore Investment Corporation (GIC)
- Standard Chartered Bank Global Head for BCM
- PriceWaterhouse (Coopers)
- Past Certification Board Member for DRI International's Certification Board
- Past Executive Director for DRI Asia
- Senior Technical Advisor, China Business Continuity Management Forum

http://www.bcmpedia.org/wiki/dr_goh_moh_heng

BCM Institute
- Started in January 2005.
- Provide competency based BC-DR training to all levels.
- Certify BC-DR professionals globally.
- Started Certification programme in April 2007.
- Trained more than 3000 professionals from 850 organizations and 40 countries.

Agenda (Part 1 of BCM-101)
- Business Continuity Management Overview and Fundamentals
- BCM Planning Methodology
- Planning Process
- Comparison with BCM Standards
- Flexibility and consistency in global compliance
- Process for implementing business continuity

[Diagram labels: Incidents, Emergencies, Events, Disasters; IT Recovery, Business Continuity, Security, Crisis; Plans: IT DR Plan, BC Plan, Security Plan, Crisis Management Plan, Specific Plans]

BCM Planning Methodology
http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology

Key International BCM Standards
- BS 25999
- SS 540
- NFPA 1600
- ANZ 5050

BCM Planning Methodology: Step-by-Step Approach

Project Management

Objectives
- Formulate a workable project proposal.
- Seek endorsement and commitment on the project from management committee:
  - Objective
  - Scope
  - Approach
  - Schedule
  - Manpower
- Establish project management structure and control.

Tasks
BCM Steering Committee & BCP Project Team
- Review and understand organisation environment.
- Agree and formalise project management structure and resource allocation.
- Establish project administration reporting and control mechanism.

Deliverables
- Project plan proposal includes:
  - Definition
  - Scope
  - Objective
  - Roles & Responsibilities
- Project workplan.
- Project reporting mechanism.

Risk Analysis and Review

Objectives
- Identify vulnerabilities.
- Establish reliable recommendations for:
  - Minimizing impact of identified threats
  - Immediate and effective response to potential causes of disaster

Tasks
- Identify exposure to internal & external threats and the likelihood of these threats occurring.
- Recommend preventive responses and escalation procedures in conjunction with crisis management implementation.
- Evaluate findings and prepare a status report & recommendation.

Deliverables
- Comprehensive risk and threat profile to the organization, with key disaster scenario.
- Recommendation for:
  - Countermeasures
  - Immediate Response Procedures
  - Security Risk Review
  to be implemented to minimize the risks.
- Summary report of recommendations agreed with senior management.

Business Impact Analysis

Objectives
- Determine impact of unavailability/failure/disaster on business functions.
- Determine critical business needs and tolerable limits.
- Establish business criticality/impact criteria using Business Impact Analysis Questionnaires (BIAQ).
- Prioritise the importance of each business unit vis-à-vis established criteria.
- Consolidate findings and rankings.
- Present results to management committee to confirm critical classifications and priority listings.
- Detailed report on findings (approved by management) containing:
  - tolerable limits;
  - classification of criticality;
  - prioritised critical business functions;
  - minimum resources;
  - critical applications and systems; and
  - restoration priority.
- Impact analysis of unavailability of business functions (quantitative and qualitative).

Recovery Strategy

Objectives
- Establish business functions & job priorities vis-à-vis business needs.
- Determine processing requirements for priority business functions.
- Identify and formalise backup for everything needed to survive a disaster.
- Ensure that alternative processing procedure is available for continuity of critical business needs whilst recovery is in progress.

Tasks
- Analyse all division functions to prioritise them based on business needs.
- Analyse hardware and software requirements to run high priority critical functions so that sufficient backup can be arranged.
- Review and establish backup arrangements, if necessary.
- Identify necessary interim processing procedures for critical functions.
- Seek management's review and endorsement of findings and recommendations.

Deliverables
- List of strategic plans for recovering prioritised critical functions.
- List of critical functions requiring interim manual processing procedures.
- Recommend alternate interim processing procedures.

Plan Development

Objectives
- Train and equip users with skill to complete the Microsoft Word plan template.
- Establish recovery procedures to fully restore normal business operations after a disaster, based on selected strategies.
- Ensure consistency and comprehensiveness of coverage.

Tasks
- Determine recovery teams set-up and functional responsibilities.
- Identify members of each recovery team.
- Develop specific procedures for each recovery team.
- Review and edit (based on agreed structure) the plan component to ensure consistency and comprehensiveness of documentation.

Deliverables
- Propose:
  - Recovery team structure;
  - Staffing of the recovery teams with names of specific staff members; and
  - List of action steps to be taken by each member of respective recovery team.
- Completed Business Continuity Plan.

Testing and Exercising

Objectives
- Formulate an objective mechanism to validate the "workability" of the complete Business Continuity Plan.

Tasks
- Design an overall program for testing of plan.
- Develop plans and schedules for specific tests.
- Develop an evaluation mechanism.

Deliverables
- List of tests to be conducted.
- List of responsibilities of parties involved: Objectives, policies, guidelines, responsibilities and test specifications.
- Specific test plan: Description, scenarios, procedures and criteria.
- Evaluation forms/checklists for recovery plan tests.

Building Organizational Competency

[Diagram labels: BCM Internal Auditor; Organization BCM Manager; Business Unit Coordinator/Representative; BCM Steering Committee]

BCMpedia: Common Language
www.bcmpedia.org

BCM Community Forum: Building a Community
80% Asian and Middle Eastern BCM and DR Professionals
3331
bcmi.groupsite.com

THANK YOU

Dr Goh Moh Heng
President
Mobile: +65 96711022
Tel: +65 63231500
Email: moh_heng@bcm-institute.org