AN APPROACH TO BUSINESS CONTINUITY MANAGEMENT

(FOR THE PEOPLE WHO WORK FOR THE PEOPLE)

PREPARED BYSHIBASURJYA &TRIDEEP

What is BCM ?

WHAT ARE DISASTERS ?

TSUNAMI

TORNADOEARTHQUAKE

FLOOD

TERRORIST ATTACKFIREIMPACT OF DISASTER

1. Project Initiation and Planning2. Business impact analysis and risk analysis3. Business Continuity Planning

a. Preparing for possible emergencyb. Disaster recoveryc. Business recovery

4. Training and awareness5. Testing6. Maintenance and managing to keep it up to

date.

STEPS IN BCM

PROJECT INITIATION & PLANNING

In this phase an agreement is arrived upon by the senior management on the need of Business recovery and continuity planning.

Development of BCP should be driven from the board level and a proper budget and an assurance of cooperation is of prime importance.

Then this is followed by organization of planning team comprising of individuals of various departments and consultants to undertake detailed technical analysis and business recovery planning.

Then the scope and the aim of Business recovery plan is identified and an brief over view of the recovery program is defined.

BUSINESS IMPACT ANALYSIS & RISK

ANALYSIS

It involves understanding the business and identifying the key business functions.

Data from the middle management is very helpful for the understanding the criticality of the functions of the various departments.

Impacts on the business can be divided into qualitative and quantitative aspects.◦ Quantitative aspects include the financial

impacts.◦ Qualitative aspects is the operational impacts.

Risk analysis starts by documenting the threats to these processes, their internal vulnerabilities and the consequences of various failure scenarios.

At the end we estimate how to control the impact of the most serious ones.

Risk analysis can also b done by using software packages with the database of historical threats and vulnerabilities relevant to the organization’s environment and business.

CONT….

BUSINESS CONTINUITY PLANNING

PREPARING FOR POSSIBLE EMERGENCIES

IDENTIFYING WAYS TO PREVENT AN EMERGENCY FROM TURNING INTO A DISASTER.

PRIMARY FOCUS SHOULD BE ON KEY BUSINESS PRACTICES.

ORGANIZATIONS SHOULD BE PREPARED FOR POSSIBLE EMERGENCY SITUATIONS WITH BACK-UP AND PREVENTIVE STRATEGIES.

◦ ALTERNATIVE BUSINESS PROCESS HANDING STRATEGY.◦ IT SYSTEM BACKUP AND RECOVERY STRATEGY. ◦ PREMISES AND ESSENTIAL EQUIPMENT BACK-UP AND RECOVERY

STRATEGY.◦ CUSTOMER SERVICE BACK-UP AND RECOVERY STRATEGY.◦ ADMINISTRATION AND OPERATION BACK-UP AND RECOVERY

STRATEGY.◦ INFORMATION AND DOCUMENTATION BACK-UP AND RECOVERY

STRATEGY.◦ INSURANCE COVERAGE.

BACK-UP AND RECOVERY STRATEGIES

THERE ARE SOME KEY MEMBERS OF MANAGEMENT AND STAFF WHO WILL PROVIDE THE TECHNICAL AND MANAGEMENT SKILLS NECESSARY TO ACHIEVE A SMOOTH BUSINESS RECOVERY PROCESS.

THESE KEY MEMBERS SHOULD BE PICKED ACCORDING TO THE SITUATION TO AVOID A CHAOS AND WILL BE RESPONSIBLE FOR IMPLEMENTATION OF BCP.

◦ FUNCTIONAL ORGANIZATION CHART.◦ BCP PROJECT COORDINATOR AND DEPUTY FOR EACH KEY

FUNCTIONAL AREA.◦ KEY PERSONNEL, SUPPLIERS, VENDORS AND EMERGENCY CONTACT

INFORMATION.◦ MANPOWER RECOVERY STRATEGY.◦ THE DISASTER RECOVERY TEAM.

KEY BCP PERSONNEL AND SUPPLIES.

ALL ORGANIZATIONS HAVE DOCUMENTS, RECORDS AND PROCEDURES, WHICH ARE, CONSIDERED VITAL PART OF THEIR OPERATION.

◦ DOCUMENTS AND RECORDS VITAL TO BUSINESS PROCESSES.

◦ EMERGENCY STATIONARY AND OFFICE SUPPLIES.◦ MEDIA HANDLING PROCEDURES.◦ EMERGENCY AUTHORIZATION PROCEDURES.◦ BUDGET FOR BACK-UP AND RECOVERY PHASE.

KEY DOCUMENT AND PROCEDURES

THE PRIORITY OF DURING THE DISASTER RECOVERY PHASE ARE

◦ THE SAFETY AND WELL BEING OF THE EMPLOYEES AND OTHER INVOLVED PERSONS,

◦ COMPLETION OF DAMAGE ASSESSMENT FORM,◦ THE MINIMIZATION OF EMERGENCY ITSELF,◦ THE MINIMIZATION OF THE THREAT OF FURTHER

DAMAGE,◦ REESTABLISHMENT OF EXTERNAL SERVICES SUCH AS

POWER, COMMUNICATION, WATER ETC.

ASSESSMENT OF INITIAL EMERGENCY SITUATION.

MOBILIZING THE DISASTER RECOVERY TEAM AND ASSESSING THE SCALE OF EMERGENCY.

IDENTIFICATION OF POTENTIAL DISASTER STATUS.

INVOLVEMENT OF EMERGENCY SERVICES. ASSESSING THE POTENTIAL BUSINESS IMPACT

OF THE EMERGENCY.

HANDLING TE EMERGENCY SITUATION

COMMUNICATION IS ONE OF THE MOST IMPORTANT INGREDIENTS.◦ IT IS NECESSARY TO KEEP VARIOUS GROUPS INFORMED

LIKE: DISASTER RECOVERY TEAM, BUSINESS RECOVERY TEAM, SENIOR &MIDDLE MANAGEMENT, FAMILIES OF AFFECTED EMPLOYEES, MEDIA ETC.

MOBILIZING THE DISASTER RECOVERY TEAM. DISASTER RECOVERY PHASE REPORT.

NOTIFICATION AND REPORTING DURING DISASTER RECOVERY PHASE.

Business recovery

THE BUSINESS RECOVERY INVOLVES THE RESTORATION OF NORMAL BUSINESS OPERATION AFTER AN UNEXPECTED EVENT.

THE EFFICIENCY AND THE EFFECTIVENESS OF THE PROCEDURES COULD HAVE A DIRECT BEARING ON ORGANIZATION’S ABILITY TO SURVIVE THE EMERGENCY.

MOBILIZING THE BUSINESS RECOVERY TEAM. ASSESSING EXTENT OF DAMAGE AND BUSINESS IMPACT. PREPARING SPECIFIC RECOVERY PLAN. MONITORING PROGRESS. KEEPING EVERYONE INFORMED. HANDING BUSINESS OPERATION BACK TO REGULAR

MANAGEMENT. PREPARING BUSINESS RECOVERY PHASE REPORT.

MANAGING THE BUSINESS RECOVERY

TRAINING & AWARENESS

PLANDOCHECKACT

PDCA CYCLE

A documented BCP awareness Awareness program should embrace the

culture & language of the enterprise Train-the-Trainer sessions should be

provided

Key aspect

BCP TESTING ACTIVITIES

PLANNING THE TESTS CONDUCTING THE TESTS

Objective & scope of tests Simulating & setting the Test Environment Preparation of Test Data Identifying who is to conduct the Tests Identifying who is to control & Monitor the Tests Preparing Feedback Questionnaires Preparing Budget For Testing Phase Training the core Testing team for each Business

unit Preparing the testing Policy & Guidelines

TEST PLANNING

Test Each part of Business Recovery Process Test Accuracy of Employee & Vendor

Emergency Contact Numbers Assess test results

CONDUCTING THE TESTS

PLAN MAINTENANCE & KEEPING IT UP-TO-DATE

Maintaining & keeping the BCP up-to-date ensuring its effectiveness is a continuous process

Maintenance procedures & schedules should be established

A schedule for regular, systematic review of the content of the disaster recovery/business resumption plan should also be provided along with defining a procedure for making appropriate changes to plan

Getting management buy-in & commitment evidenced by the provision of adequate resources & budget with the responsibility of BCP resting with top executives

Clearly spelling out management’s objective BCF should be designed from start as a business

requirement “Whole-System” continuity should be planned Plans should be continuously tested It should be ensured that continuity plans are

accessible

Key Success factors

85% of large organization have some sort of disaster recovery plan, a broader business recovery plan, & only 10% to 15 % of those are up to date

2 of 5 business experiencing a disaster are likely to be gone in 5 years

GARTNER ESTIMATES

No one plans to fail, they just fail to plan.

There is an Old Saying…