Business Continuity Risk Management
thilakpathirage -
Transcript of Business Continuity Risk Management
-
8/2/2019 Business Continuity Risk Management
1/38
-
7 March 2012 SBK BCP Strategy 2
Presentation Outline
The Need for Business Continuity Management (BCM)
BCM Strategy
Project Governance and structures
Progress as of Today
Implementation
Critical Success Factors
-
Life is not a matter of having good
cards, but of playing a poor hand well.
Robert Louis Stevenson
-
Why do we need BCM?
Business Survival
Integrated Risk Management in Bank
Good governance
Regulatory pressure
Sound capital adequacy requirements
Mission achievement
Business Continuity and resilience
BCM Standards/Regulations: NFPA 1600, British Standard 25999, SOX, BS ISO/IEC 27001:2005, HB 221:2004, HB 292-2006, HIPAA and so on.
-
BCM Strategy
Vision
Leading the way to secure the Bank's information assets to provide continuous customer services.
Mission
To manage Business Continuity and operational recovery risks by providing Bank-wide direction and leadership.
-
Definition
BCP is a process designed to reduce the organization's business risk arising from an unexpected disruption of the critical functions / operations (manual or automated) necessary for the survival of the organization.
This includes the critical functions / operations and supporting resources (human / material) and the assurance of the continuity of critical operations at the minimum level.
The BCP team was formed and the project was launched in March 2008.
-
BCM Strategy
Business Continuity Components: Process, Technology, People
[Figure labels: Landscape Architecture; Process Optimization; Local Planning; Activity Prioritization; Deployment Planning; Resource Management; Technology; Processes; Organization; Business Strategy. Caption: Best Results Come From Alignment & Optimization]
-
BCM Strategy
Building Resilience
Not Just React and Recovery
[Figure labels: Prevent; React]
-
BCM Project Governance
Integrated Risk Management
BCM Policy
BCM Steering Committee
BCM Role and Responsibilities
BCP Project Team
BCM Methodology
Project Plan
Best Practice and standards
-
BCP Project Governance
[Organisation chart labels: Board Appointed RM Committee; BCM Steering Committee; BCM Project Manager, Risk Manager; Business Continuity Planning Coordinator (BCPC); Business Recovery Programme Manager (RPM); For each Business Unit: Business Unit Recovery Coordinator (URC); Technical; Management]
-
BCM Policy
Provides the strategic directions and operational framework for the Bank
Implementing BCM Policy is a strategic decision which must be considered for the long term survival of the Bank.
BCM Role and Responsibilities
Business unit heads are responsible for business recovery and for ensuring that detailed Business Continuity Plans are in place in their areas of business
Ownership by the senior Management
Sponsorship - Board of Directors and Risk Management Committee
-
Six Phases of BCP Project
1. Project Planning
2. Identify Business Activities
3. Vulnerability (Risk) Assessment & BIA
4. Recovery Strategies
5. Business Continuity Plan
6. Training and Implementation
Project Management and Reporting
-
BCP Project Progress
BCP is a Process and Journey
[Figure labels: Project Planning; Business Impact Analysis; Strategy Development; Risk Assessment & Mitigation; Plan Implementation & Approval; Maintenance Procedures Development; Training; Plan Test and Validation; Develop Business Continuity Plan. Legend: Completed; In progress]
Project Management and Reporting
-
Branch BCP
3 Model Branches
Model BCP will be provided to all
Conduct BIA
Conduct Risk Assessment
Design Recovery Strategy
BC Plan Development
Exercising
Update and Maintenance
Will provide a monitoring tool through intranet - Yet to decide
-
Aligning to the Business and Cost Justification
Cost, Time and Resources (Rs. 5.3)
Tools Used
Business Impact Analysis
Risk Assessment
-
BIA - Business Impact Analysis
Primary Objective - Identify the time criticality of each business process of each business unit
Identify the degree of criticality of each business process over time, based on the respective impacts the organization could suffer due to an interruption to a given business process
-
BIA - Business Impact Analysis
Identified and/or validated 29 SBUs' business functions and prioritized Mission Critical Business
Identify Inter-dependencies
Establish Mission and Service Priorities
Quantify impacts on business functions in terms of:
  Financial - cost and loss of disruption
  Operational - maximum down time for each process
-
BIA Results
Determined Recovery Time Objective (RTO) - Maximum Tolerable Down Time:
Maximum number of hours/days each business process can afford to take for recovery, following an interruption.
It also involves the identification of which business functions need to be given priority when resuming business operations
Recovery Point Objective (RPO)
Amount of data that each business function is willing to lose if a disruption occurs
-
RTO Calculation
[Figure labels: RTO of the business unit; Financial Impact; Operational Impact; Dependent units RTO; Final RTO of the Business Unit]
-
Business Unit RTO
[Figure: bar chart of RTO by business unit; axis: Time, marked 0, 6, 12, 18, 24]
Please note that we have excluded CCH & OPS from the graph to improve the clarity.
Final RTO of OPS: 7 Days
Final RTO of CCH: 7 Days

RTO Range (Hours)    No. of Business Units
0-1                  6
2-4                  14
24<                  9
-
What are Our Business Recovery Needs?
Aligning the Recovery Strategy to Business
[Figure labels: RPO; RTO; Freshness; Zero Downtime; scale on each axis: secs, mins, hrs, days, wks, mths. Callouts: "I'm up and running in seconds, but I've lost a day's data" and "I lost no data but it took me a week to get back up and running"]
-
Recovery Strategy Development
-
Recovery Strategy Development
What was Our Methodology?
Risk Assessment
- Identified the risks and possible mitigation actions
BIA
- Identified the recovery priorities of business units
- Identified the RTOs of business units
- Identified the RTOs of business functions of business units
Strategy
- Recover Business units and business functions
- Meet RTOs
- Cost effective
- Practical
- Simple
-
What was Our Methodology?
Project Planning
Identifying critical business activities
Distribution of Questionnaires to Business Unit Heads to carry out Business Impact Analysis & Risk Assessment (BIA & RA)
Discussion & Quality Review with Business Unit Heads on BIA & Questionnaires
Business Impact Analysis & Risk Assessment
Calculation of Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
Recovery Strategy Development
Approved BCP Document delivered to Business Units
Testing & Training (In Progress)
-
Key Components of the Strategy
Policy
Location
Personnel
Electrical & Communication equipment / services
Computer Equipment
Furniture and office equipment
Vital Records
Power Requirements
Office Technology
-
Business Recovery Strategy
Core Areas of the Recovery Strategies
Decisions that have been made:
Alternative Site options for Business Recovery
People - already identified by the business units
Vital Documents - decided at unit level
IT Recovery Strategy - Cost approved by Board: LKR 3.0 Mio.
-
Strategic Location Options and Business Units to move

(a) Seylan Bank Branch Network:
Consumer Finance Unit (CFU), International Imports Dept. (IMP), Settlement & Collection Dept. (SCD), Foreign Currency Centre (FCC), Retail Remittance Centre (RRC), Seylan Remittance Centre (SRC), Region IV Credits Dept. (R IV Credits), Millennium Credits Dept. (MLN Credits), Kollupitiya Branch (KPY), Boralesgamuwa Branch (BOR) and Gampola Branch (GMP).

(b) First City Office Training Centre:
Treasury Dept. (TRY), Accounts Dept. (ACT), Foreign Currency Banking Unit (FCBU), Human Resources Dept. (HRD), Staff Advances Unit (SAU), Central Cash Dept. (CCH), and International Exports Dept. (EXP)

(c) Ceylinco Seylan Towers:
Technical Services Dept. (TSV) and Services Dept. (SVS)

(d) Disaster Recovery (DR) Site Borella:
IT Depts., Business Relations Dept. (BRL) and Central Clearing Dept. (CCL)

(e) Building space available at Moratuwa (2nd Floor):
Units to be identified to relocate at Moratuwa.* Seylan Card Centre (SCC), Electronic Banking (ECM), Operations Dept. (OPS), Business Continuity Planning Command Centre, Human Resources Dept. (HRD), Foreign Currency Banking Unit (FCBU), Technical Services Dept. (TSV), Services Dept. (SVS).
-
IT Recovery Strategy Implementation
Existing capability
Kapiti System - Core Banking System
Kastle System - Treasury Operations
Cashier System - Front Office system
SWIFT - Society for Worldwide Interbank Financial Telecommunication
ITM System - Credit/Debit Card system and ATMs
SLIPS - Sri Lanka Inter Bank Payment System
Seylan Clearing - Seylan Inter Branch Cheque Clearing System
Firewall - Security System
Active Directory - User Domain Controller
-
IT Recovery Strategy Implementation
New capability: To be built
VAP (VISA Access Point) - VISA Debit/Credit card
MS ISA (proxy) - Access for Internet Banking Services and Remittances
Trend Micro - Internet Content Filtering System
MS Exchange - E-mail facility
Eximbills / Citrix - International Trade Finance
Pawning System
Cheque Imaging and Truncation - CIT
Payment gateway!!
-
BCP Testing and Training
BCP awareness and training - Completed
Test Plan for Scenario Simulation - Submitted by E and Y
-
BCP Testing Strategy and Plans
1. Structured Walkthrough - Completed
2. Simulation Test Scenario - To be implemented (Seek Board approval)
   E & Y is planning for 3 Units to be completed by 30 June 2010
   All units have to be done
   Scenarios:
   Data and communication Failure
   Restriction of Access Routes
   Pandemic disaster
3. Functional Drill testing - To be implemented with Board Approval; E and Y is planning
4. Full Operational testing - To be implemented with Board Approval; E and Y is planning
-
Key Decisions
Approval of BCM Policy BIA Results and BC Plan - Approved by the Board in principle
Appointment of DR Coordination from ITC - A senior person to be nominated
Board approval for the IT Recovery Strategy - Approved by Board
Approval for Testing - in progress
-
BCM Maturity Assessment
-
BCM Maturity Model
Where is your organization on the maturity spectrum?
Where do you want your organization to be?
How can IT lead the way, involve others, without bearing all the responsibility and cost?
-
BCM Maturity Model
-
Success Factors
Board Sponsorship
Top Management support and participation
An annual budget allocation for running and maintenance of the BCM program
Testing must be consistently conducted in a manner that encourages improvement and preparedness.
A maintenance program must be implemented to ensure adequacy and completeness of the BCM elements.
Objective Annual Review
-
We are Prepared
-
Thank you