Effective testing of your business continuity plan to ensure you pass the ultimate test

©2016 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no services to clients. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 1 16 August 2016 KPMG.co.za Business Continuity Management BCI KZN Forum TOPIC: Effective testing of your BCP to ensure you pass the ultimate test

Upload: the-business-continuity-institute

Post on 15-Apr-2017


Category:

Business



TRANSCRIPT

Page 1: Effective testing of your business continuity plan to ensure you pass the ultimate test


16 August 2016

KPMG.co.za

Business Continuity Management
BCI KZN Forum

TOPIC: Effective testing of your BCP to ensure you pass the ultimate test

Page 2: Effective testing of your business continuity plan to ensure you pass the ultimate test


Agenda
• Can it happen?
• Background to BCM
• Types of testing
• Before, During and After a test
• Conclusion
• Questions

Page 3: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 4: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 5: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 6: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 7: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 8: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 9: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 10: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 11: Effective testing of your business continuity plan to ensure you pass the ultimate test


We never thought it would happen to us…

Page 12: Effective testing of your business continuity plan to ensure you pass the ultimate test


The BCM System

[Diagram: axes "Level of activity" and "Timeline", starting at "Incident". Labels: Emergency Response, BCM, Crisis Management, Business Recovery, IT DR, IT Emergency Response, System Recovery.]

Page 13: Effective testing of your business continuity plan to ensure you pass the ultimate test


What are RTOs and RPOs?

Recovery Time Objective (“RTO”): The RTO is the time taken to recover the in-scope services for an operation from disaster declaration to the point where the equipment is handed over to the operations' business units.

Recovery Point Objective (“RPO”): The RPO is the worst data loss that an operation is willing to accept. In other words, this is the point from which recovery of lost data must take place.

Page 14: Effective testing of your business continuity plan to ensure you pass the ultimate test


BCM Approaches

Top Down Approach
• Top management understanding (workshops)
• Prioritising operations based on importance
• Testing prior to development

Bottom Up Approach
• Business user understanding
• Considering all operations
• Testing at the end of development

Oh no!! What do I do??

The number you have dialled is no longer in service…

Page 15: Effective testing of your business continuity plan to ensure you pass the ultimate test


Types of BCM Testing

Discussion Based Exercise: These exercises are commonly structured events where participants can explore relevant issues and walk through plans in an unpressurised environment. This type of exercise can focus on a specific area for improvement that has been identified with the aim being to find a possible solution (Good Practice Guidelines 2013).

Page 16: Effective testing of your business continuity plan to ensure you pass the ultimate test


Types of BCM Testing

Desktop Walkthrough/Table-top Exercise: A Table-top exercise is a type commonly used where the discussion is based on a relevant scenario with a time line which may run in ‘real time’ or may include ‘time jumps’ to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds (Good Practice Guidelines 2013).

Page 17: Effective testing of your business continuity plan to ensure you pass the ultimate test


Types of BCM Testing

Crisis Simulation: Typically involve management teams at a strategic, tactical or operational level. Participants can be located in a boardroom or across the whole organisation (and could potentially involve willing interested parties). In these exercises, participants are given information in a way that simulates a real incident (Good Practice Guidelines 2013).

Page 18: Effective testing of your business continuity plan to ensure you pass the ultimate test


Types of BCM Testing

Live Exercise (e.g. IT DR Test): Live exercises can range from a small scale rehearsal of one component of the response, for example evacuation, through to a full scale rehearsal of the whole organisation and potentially participating interested parties (Good Practice Guidelines 2013).

Page 19: Effective testing of your business continuity plan to ensure you pass the ultimate test


Preparing for a Crisis Simulation Exercise

Page 20: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test
• Scope and objectives
• Type
• Budget
• Attendee availability and their understanding
• Third party attendance
• Detail and scenario planning
• Final approvals

Page 21: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test – player handbook
• Invite attendees
• Expectations and agenda
• Sending content in advance
• Creating hype about the activity
• Communicating the importance

Why are we doing this exercise?

What is going to happen?

What is expected of me and the team?

How will the exercise be run?

Page 22: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test – scenario planning
• What do you want to achieve?
• Realistic:
  • Videos
  • Sound Clips
  • Props
  • Actors
  • Images
  • Movement
  • Templates and forms
• Avoiding clichéd scenarios
• Do not involve sensitive or sore issues

[Image text: "Higher Wages", "Improve Facilities", "Better Opportunities"]

Page 23: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test – scenario planning
• Scenarios leading to discussions, actions and solutions
• Knock on effect
• Venue/seating
• Contain the test
• Resources
• Right people in the room

Page 24: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test - introduction

[Timeline graphic, labels in order: Now, Briefing, 10:00, Exercise, 11:30, Hot Debrief, 12:00, Close, End Ex]

Page 25: Effective testing of your business continuity plan to ensure you pass the ultimate test


Before the test

Page 26: Effective testing of your business continuity plan to ensure you pass the ultimate test


During the test
• Engagement
• Note taking
• Facilitate – ask questions
• Assess against the plans

Page 27: Effective testing of your business continuity plan to ensure you pass the ultimate test


After the test
• Debrief
• Red team/Blue team
• Reporting
• Updating plans
• Approvals
• Next test

Page 28: Effective testing of your business continuity plan to ensure you pass the ultimate test
Page 29: Effective testing of your business continuity plan to ensure you pass the ultimate test

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


Nashikta Authar (AMBCI)
National BCM Lead
Associate Director
M: +27 (0)82 719 1368
E: [email protected]

Natasha Harrilall
BCM Specialist
Manager
M: +27 (0) 82 727 0162
E: [email protected]