a business case for establishing bcp
TRANSCRIPT
www.businessbeam.com
A business case for establishing
Business Continuity Plan (BCP)
Business Beam (Pvt.) Limited
Contents
2
What is Business Continuity? 1
Business Benefits 2
Implementation Roadmap 3
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
What is Business Continuity?
A business case for establishing a Business Continuity Plan
9/11 for Pakistan
4 Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Happened in Karachi (June 26, 09)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 5
Suicide Attack in Lahore (May 27, 09)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 6
Thanks to KESC
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 7
Berger Paints
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 8
Fire at Shahra-e-Faisal Building
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 9
The Reality of Business Continuity
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 10
43% of US companies never reopen after a disaster and 29%
more close within 3 years.
20% of small to medium size businesses suffer a major
disaster every 5 years.
78% of organizations which lacked contingency plans but
suffered catastrophic loss were gone within 2 years…most
had insurance, and many had business interruption
coverage!
(Sources: U.S. National Fire Protection Agency, U.S. Bureau of Labor, Richmond House Group
and B2BContinuity.com)
11
Is This An Effective Management Strategy In the Face of the
KNOWN Risks!
YES!
NO!
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Effects of Effective Business
Continuity
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 12
The impact on shareholder value
Source: “The Impact of Catastrophes on Shareholder Value,” Rory F. Knight & Deborah J. Pretty, Templeton College,
University of Oxford, p. 3.
Trading days after the event
25 50 75 100 125 150 175 200 225
Effective crisis response
Ineffective crisis responses
What is Business Continuity
Management?
13
Business Continuity Management (BCM) is a holistic
management process that:
Identifies potential impacts that threaten an organization,
Provides a framework for building resilience and the capability
for an effective response,
Safeguards the interests of key stakeholders, reputation, brand
and value creating activities.
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Success or Failure?
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 14
C No BCM –
usual outcome
B
No BCM – lucky
escape
Time
Leve
l of busi
ness
Critical recovery
point
A
Fully tested
effective BCM
Business Benefits
A business case for establishing a Business Continuity Plan
Key Benefits (1)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 16
To Business Gain reputation as “Safe and Secure Organization”
First mover advantage
Cost effectiveness = Higher profitability
Better compliance with laws and regulations
Better continuity in case of any disaster
To Operations Better risk management & risk reduction
Better cost control
Defined SOPs
To IT Identification and control of information assets
Better risk management
Defined SOPs
IT Disaster management
Key Benefits (2)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 17
Better policies, procedures and working templates
Business continuity
Information security
Related roles and responsibilities
Organization wide awareness
SAP related and general IT infrastructure
Use of network services
Mobile computing
Key Benefits (3)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 18
Identification of Business Critical processes
Process identification
Process ranking according to business criticality
Continuity strategies for critical processes
Business Continuity planning
Business Impact Analysis (BIA)
BCP for all areas under scope
BCP awareness, testing and exercises
Key Benefits (4)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 19
Information Asset Management
Information Classification
Information Asset Identification & Classification
Employee Skill Management
Risk Management
Identification and Analysis of Risks
Treatment of Risks
Development of Risk Management Approach & Criteria
Key Benefits (5)
Better Description of Roles & Responsibilities
Job description related to information security
Pre-hiring controls
During employment personnel development
Post-employment controls
Physical Security
Identification of Secure Areas
Equipment Security
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 20
Key Benefits (6)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 21
Communications & Operations Management
Documented SOPs
Segregation of duties
Third party service delivery management
System planning & acceptance
Data backup and recovery
Network security
Media handling
e-Commerce
Access Control
Access control policy and procedures
User, network and OS access control
Application and mobile access control
Key Benefits (7)
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 22
Regulatory compliance
All applicable laws
Intellectual property rights
Framework for Continual Improvement
Regular Internal Audits
Corrective & preventive actions
Implementation Roadmap
A business case for establishing a Business Continuity Plan
23
Implementation Roadmap
24
Phase 1: Scoping & Planning
Phase 2: Understanding the Organization
Phase 3: Risk Assessment and Control
Phase 4: Implementation of Mitigation Strategies
Phase 5 Training for Audit and Internal Audit
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Phase 1: Scoping & Planning
25
Aw
areness
Awareness Sessions
Implementer Trainings
Team
Form
atio
n
Establishing Management Steering Group
Establishing working groups
Pro
ject
Sco
pin
g Identification of geographical scope
Identification of functional scope
Documenting and agreeing the scope of the assignment
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Phase 2: Understanding the
Organization
26
Pro
cess
Identifica
tion
Identification of functions under scope
Identification of processes under scope
BIA
Identification of business impact if process does not work
Prioritizing processes based on time criticality
Presenting report to the management
Ass
et
Regi
stra
tion
Identification & classification of information assets in the organization
Asset value assessment
Asset ownership identification
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Phase 3: Risk Assessment and
Control
27
Ris
k A
ssess
ment Identification of
application threats, and risks
Analyzing probability and impact of risks R
isk T
hre
shold
Calculating risk threshold
Defining risk acceptance criteria
Deve
lopm
ent
of SO
A
Selection of right controls to handle the identified risks
Implementing risk threshold and acceptance criteria
Developing and presenting SOA
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved.
Phase 4: Implementation of Mitigation
Strategies
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 28
Secu
rity
Contr
ols
Developing processes and procedures for information security controls M
itig
atio
n P
lannin
g Identifying right mitigation strategies
Planning for implementation
Busi
ness
Conti
nuit
y Pla
n
Development of Business Continuity Plan
Desktop exercise of BCP
Phase 5: Training for Internal Audit
and Internal Audit
Copyrights (C) 2004-2013 Business Beam (Pvt.) Limited. All rights reserved. 29
Inte
rnal
Audit T
rain
ing Hands-on
internal audit trainings for selected individuals
Internal audit trainings on both standards
Inte
rnal
Audit
Conducting first internal audit
Developing Internal Audit report A
udit F
indin
gs
Detailed assistance in closure of audit findings
Identification of corrective and preventive actions