2011/EPWG/WKSP/004 Intro 1
Business Continuity Planning (BCP) 101
Submitted by: Business Continuity Management Institute
Workshop on Private Sector Emergency Preparedness
Sendai, Japan
1-3 August 2011
APEC EPWG Workshop: Private Sector Emergency Preparedness BCP 101
Copyright @ 2011 BCM Institute
APEC EPWG Workshop: Private Sector Emergency Preparedness
BCP 101
August 2, 2011
Hotel Monterey Sendai
Sendai, Japan
Dr Goh Moh Heng PhD BCCE DRCE BCCLA CBCP FBCI
President
Introduction 1: Business Continuity Planning (BCP) 101
09:45-11:10
Overview, including benefits and challenges to implementation, practices for mitigating threats and risks, and examples of BCP
Dr Goh Moh Heng
• President
– Business Continuity Management (BCM) Institute
– www.bcm-institute.org
• Managing Director
– GMH Continuity Architects
– Asia Pacific BCM Consulting Firm
– www.GMHasia.com
• Professional BCM Appointments
– Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org
– Project Director, Technical Working Group for SS507:2004
• ISO/IEC 24762 Guidelines for BC-DR Services
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
Dr Goh Moh Heng
Prior Appointments
• Government of Singapore Investment Corporation (GIC)
• Standard Chartered Bank
– Global Head for BCM
• PriceWaterhouse (Coopers)
• Past Certification Board Member for DRI International’s Certification Board
• Past Executive Director for DRI Asia
• Senior Technical Advisor, China Business Continuity Management Forum
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
BCM Institute
• Started in January 2005.
• Provide competency based BC-DR training to all levels.
• Certify BC-DR professionals globally.
• Started Certification programme in April 2007.
• Trained more than 3000 professionals from 850 organizations and 40 countries.
Agenda (Part 1 of BCM-101)
• Business Continuity Management
– Overview and Fundamentals
• BCM Planning Methodology
– Planning Process
• Comparison with BCM Standards
– Flexibility and consistency in global compliance
• Process for implementing business continuity
[Diagram labels: Incidents, Emergencies, Events, Disasters; Crisis, IT Recovery, Security, Business Continuity; Crisis Management Plan, IT DR Plan, Security Plan, BC Plan, Specific Plans]
BCM Planning Methodology
http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology
Key International BCM Standards
BS 25999
SS 540
NFPA 1600
ANZ 5050
BCM Planning Methodology
Step-by-Step Approach
Project Management
Objectives
• Formulate a workable project proposal.
• Seek endorsement and commitment on the project from management committee:
– Objective
– Scope
– Approach
– Schedule
– Manpower
• Establish project management structure and control.
Tasks
• BCM Steering Committee & BCP Project Team
• Review and understand organisation environment.
• Agree and formalise project management structure and resource allocation.
• Establish project administration reporting and control mechanism.
Deliverables
• Project plan proposal includes:
– Definition
– Scope
– Objective
– Roles & Responsibilities
• Project workplan.
• Project reporting mechanism.
Risk Analysis and Review
Objectives
• Identify vulnerabilities
• Establish reliable recommendations for:
– Minimizing impact of identified threats
– Immediate and effective response to potential causes of disaster
Tasks
• Identify exposure to internal & external threats and the likelihood of these threats occurring
• Recommend preventive responses and escalation procedures in conjunction with crisis management implementation
• Evaluate findings and prepare a status report & recommendation.
Deliverables
• Comprehensive risk and threat profile to the organization, with key disaster scenario
• Recommendation for:
– Countermeasures
– Immediate Response Procedures
– Security Risk Review
– to be implemented to minimize the risks
• Summary report of recommendations agreed with senior management
Business Impact Analysis
Objectives
• Determine impact of unavailability/failure/disaster on business functions.
• Determine critical business needs and tolerable limits.
Tasks
• Establish business criticality/impact criteria using Business Impact Analysis Questionnaires (BIAQ).
• Prioritise the importance of each business unit vis-à-vis established criteria.
• Consolidate findings and rankings.
• Present results to management committee to confirm critical classifications and priority listings.
Deliverables
• Detailed report on findings (approved by management) containing:
– tolerable limits;
– classification of criticality;
– prioritised critical business functions;
– minimum resources;
– critical applications and systems; and
– restoration priority.
• Impact analysis of unavailability of business functions (quantitative and qualitative).
Recovery Strategy
Objectives
• Establish business functions & job priorities vis-à-vis business needs.
• Determine processing requirements for priority business functions.
• Identify and formalise backup for everything needed to survive a disaster.
• Ensure that alternative processing procedure is available for continuity of critical business needs whilst recovery is in progress.
Tasks
• Analyse all division functions to prioritise them based on business needs.
• Analyse hardware and software requirements to run high priority critical functions so that sufficient backup can be arranged.
• Review and establish backup arrangements, if necessary.
• Identify necessary interim processing procedures for critical functions.
• Seek management’s review and endorsement of findings and recommendations.
Deliverables
• List of strategic plans for recovering prioritised critical functions.
• List of critical functions requiring interim manual processing procedures.
• Recommend alternate interim processing procedures.
Plan Development
Objectives
• Train and equip users with skill to complete the Microsoft Word plan template.
• Establish recovery procedures to fully restore normal business operations after a disaster, based on selected strategies.
• Ensure consistency and comprehensiveness of coverage.
Tasks
• Determine recovery teams set-up and functional responsibilities.
• Identify members of each recovery team.
• Develop specific procedures for each recovery team.
• Review and edit (based on agreed structure) the plan component to ensure consistency and comprehensiveness of documentation.
Deliverables
• Propose:
– Recovery team structure;
– Staffing of the recovery teams with names of specific staff members; and
– List of action steps to be taken by each member of respective recovery team.
• Completed Business Continuity Plan.
Testing and Exercising
Objectives
• Formulate an objective mechanism to validate the "workability" of the complete Business Continuity Plan.
Tasks
• Design an overall program for testing of plan.
• Develop plans and schedules for specific tests.
• Develop an evaluation mechanism.
Deliverables
• List of tests to be conducted.
• List of responsibilities of parties involved:
– Objectives, policies, guidelines, responsibilities and test specifications.
• Specific test plan:
– Description, scenarios, procedures and criteria.
• Evaluation forms/checklists for recovery plan tests.
Building Organizational Competency
Organization BCM Manager
BCM Internal Auditor
Business Unit Coordinator/Representative
BCM Steering Committee
BCMpedia: Common Language
www.bcmpedia.org
BCM Community Forum
Building a Community
80% Asian and Middle Eastern BCM and DR Professionals
bcmi.groupsite.com
3331
THANK YOU
Dr Goh Moh Heng
President
Mobile: +65 96711022
Tel: +65 63231500
Email: [email protected]