04/07/2304/07/23

Business Continuity Business Continuity ManagementManagement

Awareness Presentation Awareness Presentation for MAMPUfor MAMPU

By Prabha RamanathanAUGUST 21st 2007

04/07/2304/07/23

OBJECTIVEOBJECTIVE

To provide a basic appreciation on To provide a basic appreciation on the importance of Business the importance of Business Continuity Management in the Public Continuity Management in the Public Sector.Sector.

To provide an overview on To provide an overview on implementing BCM in a government implementing BCM in a government organisation.organisation.

04/07/2304/07/23

BACKGROUND BACKGROUND INFORMATIONINFORMATION

Technical Committee on Technical Committee on Business Continuity Business Continuity

ManagementManagement

TC - BCMTC - BCM

04/07/2304/07/23

TC - BCMTC - BCM

The Technical Committee (TC) on Business Continuity The Technical Committee (TC) on Business Continuity Management (BCM) was formed to develop business Management (BCM) was formed to develop business continuity management standards for local continuity management standards for local consumption.consumption.

We also review Business Continuity related standards We also review Business Continuity related standards on behalf of Department of Standards Malaysiaon behalf of Department of Standards Malaysia

TC – BCM reports to Industrial Standards Committee TC – BCM reports to Industrial Standards Committee “O” ( ISC-O) which looks at Society Risk“O” ( ISC-O) which looks at Society Risk

SIRIM is appointed by Department of Standards SIRIM is appointed by Department of Standards Malaysia to develop Malaysian Standards.Malaysia to develop Malaysian Standards.

04/07/2304/07/23

CompositionComposition

1.1. Prabha Ramanathan – Chairman (BKI)Prabha Ramanathan – Chairman (BKI)2.2. Roslina Harun – Secretary (SIRIM)Roslina Harun – Secretary (SIRIM)3.3. Wan Asriah Wan Adnan ( Bursa Wan Asriah Wan Adnan ( Bursa

Malaysia)Malaysia)4.4. Sue Wing Hoong (CSC)Sue Wing Hoong (CSC)5.5. Johnny Choo Chin Chai (Alliance Bank)Johnny Choo Chin Chai (Alliance Bank)6.6. Ros Aziah Mohd Ismail (IP-Secure)Ros Aziah Mohd Ismail (IP-Secure)7.7. Zahri Yunos (CyberSecurity Malaysia)Zahri Yunos (CyberSecurity Malaysia)

04/07/2304/07/23

CompositionComposition

7.7. Sophia Hashim ( MAMPU)Sophia Hashim ( MAMPU)

8.8. Maslina Daud ( CyberSecurity Maslina Daud ( CyberSecurity Malaysia)Malaysia)

9.9. Bahyah Bakri (Bursa Malaysia) Bahyah Bakri (Bursa Malaysia)

10.10. Mohd Daud Dahar ( Bank Negara)Mohd Daud Dahar ( Bank Negara)

11.11. Aliza Nayan ( Securities Commission)Aliza Nayan ( Securities Commission)

12.12. Stan Singh Jit ( PIKOM )Stan Singh Jit ( PIKOM )

13.13. Shreedhar ( ASTRO )Shreedhar ( ASTRO )

04/07/2304/07/23

Goals of TC- BCMGoals of TC- BCM

BCM FrameworkBCM Framework – an overview of the – an overview of the processes that must be followed when processes that must be followed when developing BC Plans developing BC Plans (completed MS (completed MS 1970)1970)

BCM GuidelinesBCM Guidelines – a guide on how to – a guide on how to implement business continuity plansimplement business continuity plans

BCM ChecklistBCM Checklist – a self assessment – a self assessment checklist to gauge the level of checklist to gauge the level of preparedness / readinesspreparedness / readiness

04/07/2304/07/23

Objective of BCM StandardsObjective of BCM Standards

BCM is something that should be BCM is something that should be practice by all organizations in all practice by all organizations in all industries immaterial of their size.industries immaterial of their size.

Hence the need for an acceptable Hence the need for an acceptable minimum level of practice i.e. a minimum level of practice i.e. a standard.standard.

The standards developed by TC-BCM The standards developed by TC-BCM is this minimum level of practice for is this minimum level of practice for all sectors, private and publicall sectors, private and public

04/07/2304/07/23

Use of StandardsUse of Standards

TC – BCM STAN DARDS

Banki

ng

Healt

h

Govern

ment

Insu

rance

Tele

com

munic

ati

on

Manufa

cturi

ng

Numberof Controls

04/07/2304/07/23

The Malaysian BCM The Malaysian BCM StandardStandard

04/07/2304/07/23

BUSINESS CONTINUITY BUSINESS CONTINUITY MANAGEMENTMANAGEMENT

WHAT IS IT?WHAT IS IT?

04/07/2304/07/23

The history of business The history of business continuitycontinuity

Disaster Disaster Recovery Recovery PlanningPlanning

Business Business Continuity Continuity PlanningPlanning

Business Business Continuity Continuity

ManagementManagement

Alternative Alternative Planning / Planning /

Plan BPlan B

Fallback Plans , Contingency Plans

IT or Technical Contingency Plans

Organization wide Contingency Plans

Holistic Contingency Plans

04/07/2304/07/23

What is Business Continuity What is Business Continuity Management?Management?

Monitor &

Response

Recover&

Resume

Rectify&

Restore

Migrate&

Normalize

A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities

Source: Business Continuity Institute (UK)

Disaster Management Phases (Execution)

PreventionPrevention ResponseResponse

Continuity of Service(Recovery

& Resumptio

n

Continuity of Service(Recovery

& Resumptio

n

RestorationRestoration NormalizationNormalization

Risk Management

Emergency Response,

Crisis Management,

Public Relations

Business Resumption

Plans, Disaster Recovery Plan

Damage Restoration,

Includes installation &

commissioning

Migration, Restart of all

business functions, Stand

Down

Pre - Incident Incident Post - Incident

PHASES

ACTIONS

04/07/2304/07/23

BCM FrameworkBCM Framework

a structure that will design, develop, a structure that will design, develop, implement and maintain infrastructures, implement and maintain infrastructures, resources, processes, policies and resources, processes, policies and strategies to respond, recover, resume, strategies to respond, recover, resume, restore and normalize the mission critical restore and normalize the mission critical operations of an organization in an operations of an organization in an effective manner.effective manner.

BCM

04/07/2304/07/23

Business Continuity Business Continuity ManagementManagement

Why do you need it?Why do you need it?

04/07/2304/07/23

Why is BCP Needed?Why is BCP Needed?

Good Corporate GovernanceGood Corporate Governance

Safeguarding assets and liabilities, Safeguarding assets and liabilities, stakeholder interestsstakeholder interests

Business Requirements (Local / Business Requirements (Local / International) – International) – BNM, SC, SOX, Basel, ISO17799BNM, SC, SOX, Basel, ISO17799

Requirement by Business Partner and/or Requirement by Business Partner and/or CustomerCustomer

04/07/2304/07/23

Why we need BC Why we need BC Standards?Standards?

Suppliers

Regulators

Vendors

Your

Organization

Consumer /

Customers

Business

Partners

Infrastructure Dependence (power, voice, data, logistics, food)

System Up Time (computing, data,networks, etc.)

Lega

l & F

iduc

iary

Dut

ies

Env

ironm

ent

04/07/2304/07/23

Corporate GovernanceCorporate Governance

Malaysian Code of Corporate Governance – it is a Malaysian Code of Corporate Governance – it is a requirement by Securities Commission that all requirement by Securities Commission that all listed companies in Malaysia to comply with the listed companies in Malaysia to comply with the Malaysian Code of Corporate GovernanceMalaysian Code of Corporate Governance– Part of the Principle Responsibilities of the BOD are:-Part of the Principle Responsibilities of the BOD are:-

Identify principal risk and ensure the implementation of appropriate systems to manage these risks.

Reviewing the adequacy and the integrity of the company’s internal control systems and management information systems, including systems for compliance with applicable laws, regulations, rules, directives and guidelines.

Succession Planning of Senior Management

04/07/2304/07/23

Post-9/11 Surge in Regulations Post-9/11 Surge in Regulations and Standardsand Standards

Consumer Credit Protection ActOMB Circular A-130FEMA Guidance DocumentPaperwork Reduction ActFFIEC BCP HandbookComputer Security Act12 CFR Part 18Presidential Decision Directive 67FDA Guidance on Computerized Systems used in Clinical TrialsANSI/NFPA Standard 1600Turnbull Report (UK)ANAO Best Practice Guide (Australia)SEC Rule 17 a-4

Source: Marsh (c) 2004

Sarbanes-Oxley Act of 2002HIPAA, Final Security RuleFFIEC BCP HandbookFair Credit Reporting ActNASD Rule 3510NERC Security GuidelinesFERC Security StandardsNAIC Standard on BCPNIST Contingency Planning GuideFRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial SystemNYSE Rule 446California SB 1386Australia Standards BCM HandbookGAO Potential Terrorist Attacks GuidelineFederal and Legislative BC Requirements for IRSBasel Capital AccordMAS Proposed BCP Guidelines (Singapore)NFA Compliance Rule 2-38FSA Handbook (UK)BCI Standard, PAS 56 (UK)Civil Contingencies Bill (UK)

Post 9-11

Pre 9-11

20

1991 - 2001 2002 - 2004

Source :Fred.klapetzky@marsh.com

04/07/2304/07/23

Business RequirementsBusiness Requirements

It is foreseeable that in the near It is foreseeable that in the near future, the resiliency or continuity future, the resiliency or continuity capability of an organisation will be a capability of an organisation will be a yardstick in doing business.yardstick in doing business.

We have seen with the We have seen with the implementation of Sarbanes Oxley Act implementation of Sarbanes Oxley Act in the US, many local players who are in the US, many local players who are supplies or business partners were supplies or business partners were required to show BC plansrequired to show BC plans

04/07/2304/07/23

What BCM standards are What BCM standards are available?available?

BS 25999 – 1 : Business Continuity Management – BS 25999 – 1 : Business Continuity Management – Code of Practice ( Code of Practice ( British Standard Institute, UKBritish Standard Institute, UK))

BS 25999 – 2 : Business Continuity Management – BS 25999 – 2 : Business Continuity Management – Specification ( Specification ( British Standard InstituteBritish Standard Institute))

HB 221: 2005 : Handbook on Business Continuity HB 221: 2005 : Handbook on Business Continuity Management ( Management ( Australian Standards, AustraliaAustralian Standards, Australia))

NFPA 1600 : Standard on Disaster / Emergency and NFPA 1600 : Standard on Disaster / Emergency and Business Continuity Management Program (Business Continuity Management Program (National National Fire Protection Association, USAFire Protection Association, USA))

TR 19 : Technical Reference for Business Continuity TR 19 : Technical Reference for Business Continuity Management (Management (SPRING, SingaporeSPRING, Singapore))

MS 1970 : Business Continuity Management MS 1970 : Business Continuity Management Framework (Framework (Department of Standards, MalaysiaDepartment of Standards, Malaysia))

04/07/2304/07/23

Malaysian ExamplesMalaysian Examples Major stock trading organisationMajor stock trading organisation

Major airport - early 90sMajor airport - early 90s

Shoe manufacturing companyShoe manufacturing company

Flooding of building basement in Flooding of building basement in KLKL

Finance company software leading Finance company software leading to malfunctioning of ATMsto malfunctioning of ATMs

Flooding of electricity substationFlooding of electricity substation

National Power Grid failureNational Power Grid failure

Fire at bank branch on the 1st day Fire at bank branch on the 1st day of business at branch's new of business at branch's new premises.  Substantial damage at premises.  Substantial damage at upper floor, ground floor also upper floor, ground floor also damaged.  Was able to resume damaged.  Was able to resume business on the same day at the business on the same day at the previous premise located nearby.previous premise located nearby.

Power outage for 3 days at Bank’s Power outage for 3 days at Bank’s Headoffice.  IT systems ran on gen Headoffice.  IT systems ran on gen set, power was gradually restored set, power was gradually restored by floors. Impact: no A/C, by floors. Impact: no A/C, significant loss of productivity.significant loss of productivity.

The automatic teller machine The automatic teller machine network of a large local bank was network of a large local bank was disrupted for 13 hours nationwide.disrupted for 13 hours nationwide.

Lightning destroyed the main Lightning destroyed the main power circuit board of a factory power circuit board of a factory cause a 8 hour shut down of its cause a 8 hour shut down of its plant and losses in excess of RM5 plant and losses in excess of RM5 million.million.

Data Center of a manufacturing Data Center of a manufacturing company was flooded damaging company was flooded damaging their key serverstheir key servers

04/07/2304/07/23

Business Continuity Business Continuity ManagementManagement

How is it different from How is it different from Disaster Recovery PlanningDisaster Recovery Planning

04/07/2304/07/23

BCP - CompositionBCP - Composition

Em

erge

ncy

Man

agem

ent

Cri

sis

Man

agem

ent

Con

tin

gen

cy P

lan

s

Dis

aste

r R

ecov

ery

Pla

ns

Bu

sin

ess

Res

um

pti

on P

lan

s

Business Continuity Plans

04/07/2304/07/23

Definition - BCPDefinition - BCP

BUSINESS CONTINUITY PLANNING (BCP): Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.

SIMILAR TERMS: Contingency Planning, Disaster Recovery Planning.

04/07/2304/07/23

Definition - DRPDefinition - DRP

DISASTER RECOVERY PLANNING (DRP): The technological aspect of business continuity planning.– The advance planning and preparations that

are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.

SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness.

DRII

04/07/2304/07/23

DRP vs BCPDRP vs BCP

TIME

UTILIZATION

CRISIS DISASTER RESTOREDISASTERDISASTER

60%

100%

0%

75%

04/07/2304/07/23

DRP vs BCPDRP vs BCP

REDUCTION RESPONSE RECOVERY RETURN

BCP

BRP

DRP

Major Plan Components

BCP = Business Continuity PlanningBRP = Business Resumption PlanningDRP = Disaster Recovery Planning

04/07/2304/07/23

Business Continuity Business Continuity ManagementManagement

Who should be involvedWho should be involved

04/07/2304/07/23

Organisation StructureOrganisation Structure

Crisis Management

Director

Incident Response Director

Business Continuity Director

Damage Restoration

Director

Public Relations &

Communication Director

Safety & Welfare Director

Crisis Management Committee

04/07/2304/07/23

Brief Roles & Brief Roles & ResponsibilitiesResponsibilities

Crisis Management Director

Authority who has the veto power.

Crisis Management Committee

A group of senior management personnel who will manage the situation from start to finish and provide the necessary management support to the working teams

Incident Response Director

Person who is responsible to manage the situation at ground zero, to stabilize the situation and work with local authorities. Reports back to the CMC on a regular basis

Business Continuity Director

Person who is responsible to recover and resume critical business operations at the alternate facilities

Damage Restoration Director

Person who is responsible to prepare a permanent working environment for business to return to normal

Public Relations & Communication Director

Person who is responsible for all communication to stakeholders and public during a time of emergency, crisis or disaster

Safety and Welfare Director

Person who is responsible to ensure the safety and welfare of the staff until operations is back to normal.

04/07/2304/07/23

BCM Team StructureBCM Team Structure

BCM Director

Technical Recovery Team

Support Recovery Team

Customer Centric Recovery Team

BCM Coordinator

Back Office Recovery Team

04/07/2304/07/23

Brief Roles & Brief Roles & ResponsibilitiesResponsibilities

Business Continuity Director

Person who is responsible to recover and resume critical business operations at the alternate facilities

Technical Recovery Team

This is one or more teams responsible for preparing and maintaining the technology used at the recovery site

Support Recovery Team This is one or more teams responsible for supporting the recovery process such as administration, logistics, finance, etc

Customer Centric Recovery Team

This is one or more teams responsible for recovering and resuming critical functions which are directly dealing with customer. i.e. front counters, call center, etc

Back Office Recovery Team

This is one or more teams responsible for recovering and resuming functions that support the critical functions. i.e. application processing, etc

04/07/2304/07/23

Selection GuidelinesSelection Guidelines

Members of the BCM recovery team Members of the BCM recovery team should be on a voluntary basisshould be on a voluntary basis

Members of the BCM recovery team Members of the BCM recovery team must be experienced and must be experienced and knowledgeable in operations mattersknowledgeable in operations matters

Elderly or sickly people Elderly or sickly people ( hypertension, weak heart, high ( hypertension, weak heart, high blood pressure, obese, etc) should blood pressure, obese, etc) should not be selected as team members.not be selected as team members.

04/07/2304/07/23

Business Continuity Business Continuity ManagementManagement

How do I start?How do I start?

04/07/2304/07/23

NoteNote

The process of developing the plans, The process of developing the plans, either Business Continuity Plans for either Business Continuity Plans for Disaster Recovery Plans, is the same.Disaster Recovery Plans, is the same.

The difference is only in the scope of The difference is only in the scope of work and area to be covered.work and area to be covered.

A disaster recovery plan must A disaster recovery plan must provide for the ‘End Users’ needsprovide for the ‘End Users’ needs

04/07/2304/07/23

1.Project Initiation

2.Vulnerability

Study

3.Business Impact

Analysis

4.Develop

BCPStrategies

5.Establish Alternate Facility

6.Plan

Development

7.Education and

Training

9.Plan

Maintenance Program

8.Scenario Testing

PROJECT MANAGEMENT & REPORTINGPROJECT MANAGEMENT & REPORTINGPROJECT MANAGEMENT & REPORTINGPROJECT MANAGEMENT & REPORTING

Phase 1 Phase 2 Phase 3 Phase 4 Phase 5BKI’S METHODOLOGYBKI’S METHODOLOGY

04/07/2304/07/23

Module 1 - Initiate the Module 1 - Initiate the ProjectProject

It is crucial that a BC Project is started in a It is crucial that a BC Project is started in a proper manner to ensure that it is proper manner to ensure that it is completed in a timely and effective completed in a timely and effective mannermanner

This stage involves study, discussions, This stage involves study, discussions, analysis leading to the deliverable – The analysis leading to the deliverable – The Project CharterProject Charter

In addition, there will be:In addition, there will be:– Awareness sessionsAwareness sessions– Kickoff meetingKickoff meeting

04/07/2304/07/23

Module 2 : Risk AssessmentModule 2 : Risk Assessment

The purpose of this module is to The purpose of this module is to identify the operational identify the operational vulnerabilities of an organisation.vulnerabilities of an organisation.

The outcome of this module is a Risk The outcome of this module is a Risk Assessment report which provides a Assessment report which provides a priority listing of vulnerabilities and a priority listing of vulnerabilities and a set of recommendations to prevent / set of recommendations to prevent / mitigate it.mitigate it.

04/07/2304/07/23

Module 3 : Business Impact Module 3 : Business Impact AnalysisAnalysis

BIA determines impact (financial & non-BIA determines impact (financial & non-financial) in the event business is disrupted for financial) in the event business is disrupted for a significant period of time. (a significant period of time. (The BIA process is The BIA process is

somewhat independent from the Risk Assessment processsomewhat independent from the Risk Assessment process))

The Business Impact Analysis deliverable The Business Impact Analysis deliverable includes a listing of critical business functions includes a listing of critical business functions and theirand their– Recovery Time Objectives,Recovery Time Objectives,– Recovery Point ObjectivesRecovery Point Objectives– Minimum operating resourcesMinimum operating resources– Internal and External DependencesInternal and External Dependences

04/07/2304/07/23

Module 4: Develop BC Module 4: Develop BC StrategiesStrategies

This modules provides the BC This modules provides the BC planners with a high-level planners with a high-level specification of the plans.specification of the plans.

In this module, high level BC Policies In this module, high level BC Policies and Procedures are documentedand Procedures are documented

This module gets its input from the This module gets its input from the previous BIA processprevious BIA process

04/07/2304/07/23

Module 5 : Establish Module 5 : Establish Alternate FacilityAlternate Facility

In the event the primary business In the event the primary business premises is destroyed or severely premises is destroyed or severely damaged, critical business functions damaged, critical business functions need to operate at an alternate need to operate at an alternate facilityfacility

This facility may be complete or This facility may be complete or partially setup with furniture, fittings partially setup with furniture, fittings and equipmentand equipment

This facility may be owned or rented This facility may be owned or rented from a commercial entityfrom a commercial entity

04/07/2304/07/23

Module 6 : Plan Module 6 : Plan DevelopmentDevelopment

Using the information from Module 4 Using the information from Module 4 & 5, action steps which describe & 5, action steps which describe “what needs to be done”, “when to do “what needs to be done”, “when to do it” and “how to do it” are it” and “how to do it” are documented.documented.

Each team within the business Each team within the business continuity structure will have a continuity structure will have a recovery plan. recovery plan.

04/07/2304/07/23

Module 7: Education & Module 7: Education & TrainingTraining

In this module, the respective players In this module, the respective players in the organisation’s business in the organisation’s business continuity plan will be given the continuity plan will be given the appropriate education on the appropriate education on the principles of business continuity principles of business continuity planning as well as training in the planning as well as training in the use of the recovery plans developed use of the recovery plans developed in the previous module.in the previous module.

04/07/2304/07/23

Module 8: Scenario TestingModule 8: Scenario Testing

Testing is a mechanism used to Testing is a mechanism used to verify the completeness of the verify the completeness of the recovery plan.recovery plan.

It also provides an avenue for team It also provides an avenue for team members and management to members and management to practice their recovery activitiespractice their recovery activities

The goals and complexity of testing The goals and complexity of testing should increase over timeshould increase over time

04/07/2304/07/23

Module 9 : Plan Module 9 : Plan MaintenanceMaintenance

The business continuity plan is a The business continuity plan is a ‘LIVING DOCUMENT’‘LIVING DOCUMENT’

Keeping it “current” is a major task Keeping it “current” is a major task which takes effort and support from which takes effort and support from senior managementsenior management

It is necessary to implement a It is necessary to implement a Maintenance ProgramMaintenance Program

04/07/2304/07/23

Take Away Points Take Away Points BCM is a process and not a project.BCM is a process and not a project. The initial development of a BC Plan is a The initial development of a BC Plan is a

tedious and time consuming activity. It tedious and time consuming activity. It needs to be given adequate attention to needs to be given adequate attention to be successful (i.e. workable)be successful (i.e. workable)

Like Risk Management, the responsibility Like Risk Management, the responsibility for BCM rest on everyone’s shoulder and for BCM rest on everyone’s shoulder and not just the BCM Managernot just the BCM Manager

BIA is an important process within BCM BIA is an important process within BCM and must be conducted on a regular basisand must be conducted on a regular basis

04/07/2304/07/23

Take Away Points (con’t)Take Away Points (con’t) Top Management support and Top Management support and

participation is required. participation is required. A annual budget should be allocated for A annual budget should be allocated for

the running & maintenance of the BCM the running & maintenance of the BCM programprogram

Testing must be religiously conducted in a Testing must be religiously conducted in a manner that encourages improvement and manner that encourages improvement and preparedness.preparedness.

A maintenance program must be A maintenance program must be implemented to ensure adequacy and implemented to ensure adequacy and completeness of the BCM elements.completeness of the BCM elements.

04/07/2304/07/23

THANK YOUTHANK YOU

CONTACT DETAILSCONTACT DETAILS

prabhar@bki.com.myprabhar@bki.com.my

012 - 3160609012 - 3160609