Enterprise Risk Management and Business Continuity Management

IIA conference UAE, April 2019
KPMG Lower Gulf Limited (kpmg.com/ae, kpmg.com/om)

© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE, member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.



Introduction to Risk Management (RM)


What is risk management?

Today, we are surrounded by so many questions and doubts about risk management:

- "Risk management is a mere compliance requirement"
- "Risk management does not provide any benefits"
- "Risk management is only for senior management"
- "Risk management is an audit requirement"




What is risk management?

Risk Management is… a process, effected by an entity’s board of directors, management and other personnel, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


Risk vs Opportunity

Events can have a negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.


Make yourself aware

- COSO
- ISO 31000


Global standards

What is COSO

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and is a joint initiative of five private sector organizations:

- American Accounting Association (AAA);
- American Institute of Certified Public Accountants (AICPA);
- Financial Executives International (FEI);
- Institute of Management Accountants (IMA); and
- The Institute of Internal Auditors (IIA).

What is ISO 31000

ISO is an independent, non-governmental international organization with a membership of 162 national standards bodies.

- It is the International Standard which provides principles and generic guidelines on risk management;
- It can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector; and
- It can be applied throughout the life of an organization.


Components of the ERM framework

The framework is built around the following components:

- Risk Strategy & Appetite
- Risk Governance
- Risk Culture
- Risk Assessment & Measurement
- Risk Management & Monitoring
- Risk Reporting & Insights
- Data & Technology

Elements addressed within these components include: Linkage to Corporate Strategy; Board Oversight & Committee; Knowledge & Understanding; Risk Definition & Taxonomy; Risk Mitigation, Response & Action Plans; Risk Reporting; Data Quality & Governance; Risk Strategy; Company Risk Operating Structure; Risk Identification; Testing, Validation & Management’s Assurance; Business/Operational Requirements; Risk Analytics; Risk Appetite & Tolerance; Risk Guidance; Competencies & Context; Assessment & Prioritization; Monitoring; Board & Senior Management Requirements; Technology Enablement; Roles & Responsibilities; Action & Determination; Quantitative Methods & Modeling; Risk in Projects/Initiatives; External Requirements; Decision Support; Risk Aggregation, Correlation & Concentration; Scenario Analysis & Stress Testing; Capital & Performance Management.


Traditional vs Next generation approach

With passing time, risk management has shown some distinct transitions.

Traditional:

- Risk management was seen as a mere compliance requirement
- Highly administrative processes involving a lot of documentation
- Risk assessment was an annual exercise, typically performed during the Audit Committee and/or Board meetings
- Risk management was considered to be the senior management and board’s responsibility only

Next generation approach:

- Risk appetite is aligned with the organization’s vision, mission, and objectives
- Risk movement and assessment is performed based on advanced and predictive data analytics
- Risk management is a dynamic process and an integral part of every decision
- Opportunity management is an evolution of the risk management approach, directed towards exploiting opportunities

Risk Strategy and Appetite


Understanding organization’s thresholds

Risk Universe

- Risk Universe is the integration of all the risks an organization might face;
- Risk Universe forms the basis from which an organization is able to construct a risk profile.

Risk Capacity

- Risk Capacity is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.

Risk Appetite

- Risk Appetite is the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value;
- Risk Appetite needs to be measurable;
- Risk Appetite is established by the Board, as the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.


High vs Low

Depending upon the nature of the organization and the willingness of the board, the organization’s risk appetite may vary.

Very high risk appetite

- The organization is willing to take high risks in pursuit of its objectives
- Risk taking organizations such as private equity (PE) and new ventures.

Very low risk appetite

- The organization is willing to take minimal risk in pursuit of its objectives
- Risk averse organizations such as NGOs, charitable organizations, and government entities.

Balanced risk appetite

- The organization is willing to take balanced and informed risks in pursuit of its objectives


Building risk appetite

The stages involved in developing risk appetite statements are as follows:

1. Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations and compliance, as set out in the risk register
2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements
3. Define the range of acceptable volatility or uncertainty around each of the types of risks, leading to a statement of acceptable risk tolerances
4. Reconcile the risk appetite and risk tolerances with the current level of risk exposure, and plan actions to bring current risk exposures into line with risk appetite
5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders and implement accordingly


Categories of risk appetite

Each category is positioned on a scale from Low to High:

- Financial sustainability (Low – High)
- Reputation and image (Low – High)
- Health, safety and environment (Low – High)
- Operational continuity (Low – High)
- Compliance to laws and regulations (Low – High)
- Professional ethics & anti-bribery (Low – High)


Test of risk appetite statement

Below are the four tests that organizations should apply while reviewing their risk appetite framework:

- Do the managers who make decisions understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation?
- Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?
- Are both managers and executives clear that the risk appetite is not constant?
- Does the board and executive leadership understand the aggregated and interlinked level of risk for the organization as a whole?
- Anything approved by the board must have some flexibility built in.
- Are risk decisions made with full consideration of reward?
- The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.


Defining risk appetite and risk tolerance

Objective of the organization

1. Ensure safety of People & Environment

Appetite Statement

The organization ABC is committed to creating a clean, safe, and healthy working environment for all its employees, including the staff and workers working on behalf of the Company. All operations, including the investments, shall be based on the principles of sustainability to meet the needs of the present without compromising the ability of future generations to meet their own needs.

The Company shall perform its operations strictly in compliance with the applicable Health, Safety, and Environmental (HSE) regulations. Any operation which poses the potential to cause permanent damage to the environment above the allowable limits or to lead to fatality shall be terminated. ABC will strive to be a Top Quartile performer in the relevant industry.

ABC will operate its businesses with zero tolerance on violation of health, safety and environment standards set by Omani laws and regulations.

Tolerance examples (Target / Acceptable / Barely Tolerable / Intolerable)

1. Compliance to Occupational Safety regulations
   - Target: 100% compliance with the applicable safety regulations without any concession
   - Acceptable: 100% compliance with the applicable safety regulations with concession / dispensation
   - Barely Tolerable: One or more non-compliance with the applicable safety regulations leading to 1 or more LTIs / yr
   - Intolerable: One or more non-compliance with the applicable safety regulations leading to 1 or more fatalities / yr
2. Compliance to Sustainability regulations
   - Target: 100% compliance with the applicable sustainability regulations without any concession
   - Acceptable: 100% compliance with the applicable sustainability regulations with concession / dispensation
   - Barely Tolerable: One or more non-compliance with the applicable sustainability regulations, but recoverable in nature
   - Intolerable: One or more non-compliance with the applicable sustainability regulations which are irrecoverable in nature
3. Impact on Environment
   - Target: No environmental damage
   - Acceptable: Local environmental damage which is fully recoverable
   - Barely Tolerable: Material environmental damage which is fully recoverable
   - Intolerable: Material environmental damage which is irrecoverable
4. Compliance to Occupational Safety regulations
   - Target: 100% compliance with the applicable safety regulations without any concession
   - Acceptable: 100% compliance with the applicable safety regulations with concession / dispensation
   - Barely Tolerable: One or more non-compliance with the applicable safety regulations leading to 1 or more LTIs / yr
   - Intolerable: One or more non-compliance with the applicable safety regulations leading to 1 or more fatalities / yr
5. Impact on people / workers
   - Target: No adverse impact on the employee
   - Acceptable: First aid case or medical treatment case, not affecting work performance or causing disability
   - Barely Tolerable: 1 or more LTI(s) / year, resulting in permanent disability
   - Intolerable: 1 or more fatalities

Risk Governance


The three lines of defense (3LoD)

Having robust three lines of defense within the organization’s control framework is the cornerstone of good governance philosophy.

The Board / Shareholders

Senior Management

1st Line of Defense: Operational Management

- Develop and implement policy, procedure, manuals, & other internal control elements

2nd Line of Defense

- Risk Management (RM)
- Legal
- Compliance & Ethics
- Quality, HSE, Asset Integrity

3rd Line of Defense

- Internal Audit

External Auditors

Regulators

Risk Culture


Understanding risk culture

Risk Culture: The norms of behavior for an individual or group within the organization that determine the collective ability to understand, discuss, report and act on the organization’s current and the future risks.

Dimensions of risk culture: Tone at the Top, Governance, Competency, Decision.

Elements of risk culture:

- Risk leadership
- Ability to deal with bad news
- Accountability
- Transparency
- Risk skills
- Risk resources
- Reward
- Informed risk decisions


10 questions every board should answer

1. What tone do we set from the top? Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect people to behave when dealing with risk?
2. How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
3. What risks does our current corporate culture create for the organization? Can people talk openly without fear of consequences or being ignored?
4. How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas?
5. How do the organization's structure, processes and reward systems support or detract from the development of our desired risk culture?
6. Do we have a practice of looking at ourselves from the perspective of the stakeholders and not just assuming we’re getting it right?
7. How do we respond to whistleblowers and others raising genuine concerns? When was the last time this happened?
8. How do we reward and encourage appropriate risk taking behaviors and challenge unbalanced risk behaviors (either overly risk averse or risk seeking)?
9. How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values and that established staff continue to demonstrate attitudes consistent with our expectations?
10. How do we support learning and development associated with raising awareness and competence in managing risk at all levels? What training have we as a board had in risk?

Risk Assessment and Measurement


Phases of risk assessment

Risk Assessment is a structured process which is split into seven distinct steps:

1. Establishing the internal context
   - The risk management process should be aligned with the organization's culture, processes, structure and strategy;
   - It includes culture, governance, structure, policies, procedures, and objectives; and
   - The context of risk management varies according to the needs of an organization.
2. Defining risk criteria
   - An organization should define criteria to evaluate the significance of risk;
   - The criteria may include, but are not limited to, probability of occurrence, financial and non-financial impact, velocity, etc.; and
   - Criteria should be aligned with the organization’s nature of business.
3. Risk Identification
   - Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.
4. Risk Analysis
   - It involves developing an understanding of the risk and provides input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies.
5. Risk Evaluation
   - It involves comparing the level of identified risk against the criteria established for risk acceptance;
   - Accordingly, the need for risk responses is determined and actions are taken, as required.
6. Risk Response
   - It involves selecting one or more options for modifying risks, and implementing those options. Once implemented, responses provide or modify the controls.
7. Monitoring and Review
   - The organization's monitoring and review processes should encompass all aspects of the risk management process.


Small things can make big impact

Generally, all organizations follow the 80/20 rule…

Risk Management and Monitoring


Risk response

Risk responses comprise the actions taken by the organization to reduce the risk to within the acceptable appetite of the organization.

Transfer

This can be achieved through the use of various forms of insurance, or the payment to third parties who are prepared to take the risk on behalf of the organization.

Treat

This is a method of controlling risk through actions that reduce the likelihood of the risk occurring or minimize its impact prior to its occurrence.

Terminate

This is the simplest and most often ignored method of dealing with risk. This can be done by altering an inherently risky process or practice to remove the risk.

Tolerate

This is where no action can be taken to reduce a risk. This may be because the cost of instituting risk reduction or mitigation activity is not cost-effective, or because the impact is so low that it is deemed acceptable to the business.

Risk Reporting and Insights

Key players
Every individual within the organization has a unique role to play in the risk management process.

The board / CEO
– Accountable for the ultimate success of RM;
– Oversight of the functioning of risk management;
– Establish and roll out the risk appetite; and
– Own / respond to the strategic / high priority risks.

Business unit manager
– Get actively involved in the risk management process;
– Identify, assess, and analyze risks;
– Recommend suitable risk response strategies; and
– Ensure implementation of risk responses.

Individual employee
– Ensure clear and transparent information flow;
– Report any incident which may possibly trigger a risk;
– Participate in risk workshops / discussions; and
– Embed risk management in routine operations.

Chief risk officer / Risk manager
– Responsible for implementing the risk management program;
– Coordinate risk management activities;
– Consolidate and present risk movement to the board; and
– Promote / communicate the benefits of risk management.

Risk champion
– Function as a link between the risk manager and the risk owner;
– Facilitate periodic risk workshops / challenge sessions;
– Gather and report progress on risk responses; and
– Ensure that risk information is updated periodically.

Audit committee
– Review critical / high priority risks;
– Challenge risks and their assessment / analysis; and
– Perform an assessment of the RM program and provide independent and objective feedback to the board.

Data & Technology

Use of technology
GRC tools (RSA Archer, MetricStream, BWise, ARM, Thomson Reuters) can facilitate an integrated approach to internal controls, as illustrated below:

(Diagram: Internal Control, Internal Audit, Compliance, Risk Management)

Introduction to Business Continuity Management (BCM)

What is business continuity management (BCM)?
There are some misconceptions about Business Continuity Management (BCM):
– Business Continuity Management (BCM) is the same as IT Disaster Recovery Management.
– We don’t require Business Continuity Management.
– BCM is not applicable for us.

Origin of business continuity
Many BCM programs can trace their origin to a single source:
– A crisis event / close call increased awareness that BCM capabilities were needed;
– A regulatory obligation requires a formal BCM program;
– Key customers insisting on BCM evidence; and
– Cyber risks threaten operational resilience.

Defining business continuity management (BCM)
Business continuity management is… a comprehensive management process which focuses on those threats which possess an ability to disturb the continuity of the organization’s operations. Identification of such threats enables the organization to develop resilience which protects the organization itself, including the interests of its stakeholders, brand, and reputation.

What is business continuity
Business continuity is the ability of the organization to continue to deliver products or services at the desired level following a disruptive event.
– ISO 22301: Societal Security – Business Continuity Management (BCM)

(Chart: service level over time, showing disaster and crisis, with BCM vs. without BCM)

Business continuity management (BCM)
– is a holistic process that identifies potential threats to an organization and the impact on continuity of the organization’s operations; and
– provides a framework for building organizational resilience with the ability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.

Benefits of business continuity management (BCM)
Business continuity management (BCM) enables an organization to...
– Create value for the organization by promising uninterrupted services to its clients / customers;
– Gain compliance with the local regulatory standards;
– Preserve the brand value and reputation of the organization;
– Develop resilience against the risks which can threaten the continuity of the organization’s operations; and
– Improve stakeholder confidence – employees, community, customers, suppliers, and the regulators.

Business Continuity Management (BCM) Standards

Make yourself aware
– ISO 22301
– NCEMA

Global standards

What is ISO 22301
ISO 22301: Business continuity management systems specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.
– The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization; and
– The extent of application of these requirements depends on the organization's operating environment and complexity.

What is NCEMA
National Emergency Crisis and Disaster Management Authority (NCEMA) 7000 is developed to help entities systematically build their business continuity capability before, during and after an emergency, disaster or crisis.
– In both the public and private sectors all initiatives are aimed at ensuring ongoing performance of prioritized functions and services for the purpose of enhancing the UAE’s national stability;
– The United Arab Emirates is a leading nation in this field since there is no other BCM standard in Arabic in the region; and
– Legislative and licensing bodies may establish further specifications in addition to those defined in this NCEMA standard to ensure community safety and security.

Business Continuity Management (BCM) Framework

Elements of the framework

Overview
— BCM comprises the development of strategies, plans, and actions which provide entity protection and/or alternate modes of operation during (and after) a crisis situation, thus ensuring that the stakeholders’ needs are fulfilled without interruption.

Building resilience
— BCM helps organizations to enhance their operational resilience, thereby effectively enabling them to respond to threats which would otherwise disturb the sustainable operations of the organization.

Alignment with RM
— RM and BCM share common goals: to identify, assess, and manage high impact threats which would serve to prevent achievement of the organization’s strategic objectives.

Decoding NCEMA

Nation’s Objectives…

Business Continuity Management (BCM) refers to building the organization’s capability to continue performing essential functions and services (at a minimum) in and after an emergency, crisis or disaster that could have resulted in a business disruption.

The Business Continuity Management (BCM) objectives of the UAE government or the local governments of each emirate, and the entities under their jurisdiction in both the public and private sectors:
– Maintain continuity of prioritized activities in both public and private sectors;
– Set up an effective business continuity plan for delivering prioritized activities, when an emergency occurs, in a planned and controlled manner;
– Develop proactive business continuity at all federal and local entities in the UAE, and the entities under their jurisdiction in both public and private sectors; and
– Secure the supply chain required for business continuity.

NCEMA framework
– Today, business continuity management is being unquestionably recognized as an increasingly important element in the emergency and crisis management process;
– NCEMA provides a Business Continuity Management Standard to build an organization’s capability to continue functioning and delivering its prioritized activities when its operations are disrupted due to emergencies or crises.

(Diagram: the NCEMA framework cycle – Establish, Operate, Review, Continuous Improvement – with the elements Understanding the organization; Top Management Commitment; Incident Response Plan; Business Continuity Plan; Media Response Plan; Annual Review / Internal Audit; Management Review; Test and Exercise; Awareness and Trainings; Business Continuity Strategy; Risk Assessment; Business Impact Analysis)

Overview of Business impact analysis (BIA)
The organization shall establish, implement and maintain a methodology for identifying the business impact of disruptions in prioritized activities. BIA lays the foundation for the organization’s BCM program by quantifying and qualifying the impact of disruption over time on the delivery of products and services.

(Diagram: Business Impact Analysis)
– Understand and study the entity’s functions accurately;
– Determine the normal and minimal level of resource requirements;
– Study activities and define RTO and MAO for critical services;
– Determine internal / external dependency among departments;
– Determine the level of business disruption and BC objectives; and
– Confirm and prioritize critical and essential functions of the entity.

Types of business impact analysis (BIA)
There are three main phases of Business Impact Analysis:

Strategic – Identify and prioritize the most urgent products and services and determine the organization’s recovery timescales and disruption tolerance levels at a strategic level.

Tactical – Determine the process or processes required for delivery of the organization’s most urgent products and services and assess the impact of a disruption on them at a tactical level.

Operational – Identify and prioritize the activities at an operational level which contribute to the identified process or processes that deliver the most urgent products and services, and determine the required continuity and recovery resources.

Requirements of business impact analysis (BIA)

The organization shall:
– Identify its prioritized functions, activities and services and define impact categories that fit the nature of the organization;
– Identify disruption impacts on the organization based on the predefined impact categories;
– Identify the Recovery Time Objective (RTO) of each activity disruption and the Maximum Acceptable Outage (MAO);
– Identify actions required to support prioritized functions, activities and services;
– Identify activities deemed paramount to the continuity of prioritized activities;
– Prioritize activities and services according to their recoverability priority, as per the BIA;
– Identify internal and external bodies which the organization relies on for continual performance of main/essential activities and services, including support by suppliers and service providers;
– Verify the capability of vendors, suppliers and service providers to support and maintain minimum service levels for prioritized activities during disruptive incidents; and
– Identify the indispensable resources for each activity, function or service to ensure business continuity.

Overview of risk assessment and BC strategy

Risk assessment
The organization shall establish a methodology for risk assessment to identify, analyze and evaluate the risks which may disrupt the continuity of activities. The risk assessment process should be carried out in a structured manner as per a pre-defined procedure.

The organization shall:
– Identify and approve risk parameters;
– Identify the risks that can disrupt the performance of prioritized activities;
– Analyze the risks against predefined evaluation criteria;
– Evaluate the impact of the addressed risk; and
– Take into account interdependencies related to the performance of prioritized activities.

Business continuity strategy
BCM strategies should enable the organization to continue performing its prioritized activities following a business disruption. The organization should also analyze the BCM capability of suppliers to service the minimum requirement to continue prioritized activities.

The organization shall:
– Implement strategies to achieve the defined RTOs for the prioritized activities and allocate the resources required to achieve those RTOs; and
– Protect its supply chain dependency by having in place appropriate agreements covering the aspect of “service levels” during business as usual and during crises or emergencies.
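The BIA requirements above (RTO and MAO per activity, internal and external dependencies, supplier service levels) and the BC strategy requirements (strategies that actually achieve the RTO, supplier agreements) can be checked mechanically once the BIA is recorded as data. The following is an added example, not KPMG's or NCEMA's material: the activity register, the supplier SLA and the recovery strategy figures are constructed, and the checks are one practitioner's reading of the requirements. It flags an RTO longer than its MAO, an upstream dependency that recovers later than the activities that need it, a supplier SLA or chosen strategy that cannot meet the RTO, and it derives a recovery order (dependencies first, then shortest RTO), which is the recoverability priority the BIA is supposed to produce.

```python
"""Business impact analysis (BIA) consistency check and recovery ordering.

Added example, not KPMG's or NCEMA's material: the activity register, the
supplier SLA and the recovery strategies below are constructed sample data.
Only the terminology (RTO, MAO, prioritized activity, supplier service
levels) is taken from the deck.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Activity:
    name: str
    rto_hours: float                          # Recovery Time Objective
    mao_hours: float                          # Maximum Acceptable Outage
    depends_on: List[str] = field(default_factory=list)  # internal dependencies
    supplier: Optional[str] = None            # external dependency, if any
    strategy_hours: Optional[float] = None    # recovery time the chosen BC strategy delivers


# Constructed register for a hypothetical entity (not real data).
ACTIVITIES: Dict[str, Activity] = {
    a.name: a
    for a in [
        Activity("customer-payments", 4, 8, ["core-banking", "network"], "PaymentsCo", 2),
        Activity("core-banking", 8, 24, ["network"], None, 6),
        Activity("network", 2, 4, [], None, 3),
        Activity("hr-payroll", 72, 48, [], None, 24),
    ]
}

# Constructed supplier commitment: recovery time promised in the SLA, in hours.
SUPPLIER_SLA_HOURS: Dict[str, float] = {"PaymentsCo": 12}


def find_findings(activities: Dict[str, Activity],
                  supplier_sla: Dict[str, float]) -> List[Tuple[str, str]]:
    """Return (activity, finding) pairs; an empty list means the BIA is consistent."""
    findings: List[Tuple[str, str]] = []
    for act in activities.values():
        # 1. Recovery planned to finish after the outage has already become unacceptable.
        if act.rto_hours > act.mao_hours:
            findings.append((act.name, "RTO exceeds MAO"))
        # 2. An upstream activity must be back no later than the activities that need it.
        for dep in act.depends_on:
            up = activities.get(dep)
            if up is None:
                findings.append((act.name, f"unknown dependency {dep}"))
            elif up.rto_hours > act.rto_hours:
                findings.append((act.name, f"dependency {dep} RTO {up.rto_hours}h exceeds own RTO {act.rto_hours}h"))
        # 3. Supplier capability: the contracted service level must support the RTO.
        if act.supplier is not None:
            sla = supplier_sla.get(act.supplier)
            if sla is None:
                findings.append((act.name, f"no SLA recorded for supplier {act.supplier}"))
            elif sla > act.rto_hours:
                findings.append((act.name, f"supplier {act.supplier} SLA {sla}h exceeds RTO {act.rto_hours}h"))
        # 4. BC strategy: the chosen strategy must actually achieve the RTO.
        if act.strategy_hours is None:
            findings.append((act.name, "no recovery strategy defined"))
        elif act.strategy_hours > act.rto_hours:
            findings.append((act.name, f"strategy delivers {act.strategy_hours}h, RTO is {act.rto_hours}h"))
    return findings


def recovery_order(activities: Dict[str, Activity]) -> List[str]:
    """Recoverability priority: dependencies first, then the shortest RTO."""
    done: set = set()
    order: List[str] = []
    remaining = dict(activities)
    while remaining:
        ready = [a for a in remaining.values() if all(d in done for d in a.depends_on)]
        if not ready:
            raise ValueError("unresolvable dependencies (cycle or unknown activity) among "
                             + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda a: (a.rto_hours, a.name))
        order.append(nxt.name)
        done.add(nxt.name)
        del remaining[nxt.name]
    return order


if __name__ == "__main__":
    for name, finding in find_findings(ACTIVITIES, SUPPLIER_SLA_HOURS):
        print(f"{name}: {finding}")
    print("recovery order:", " -> ".join(recovery_order(ACTIVITIES)))
```

On the constructed register the check reports four findings: customer-payments depends on core-banking, whose RTO is longer than its own; the PaymentsCo SLA cannot meet the customer-payments RTO; the network recovery strategy is slower than the network RTO; and hr-payroll has an RTO longer than its MAO. Each is a gap between what the BIA declares and what the strategy or the supply chain can deliver, which is exactly what the "verify the capability of vendors" and "implement strategies to achieve defined RTOs" requirements ask the organization to close.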

Overview of incident response plan
The organization shall establish, implement and maintain an incident response plan and its procedures to respond to an event that may cause a disruption to the organizational activities. The incident response plan shall ensure the life safety of personnel as a priority, along with the assets of the organization, to restrict and reduce loss or damage.

The incident response plan shall include:
– Incident response structure;
– Assigned roles and responsibilities;
– Incident detection and warning procedures;
– Activation criteria;
– Escalation process;
– Recovery procedures; and
– Communication to the interested parties.

A response mechanism shall be embedded that can monitor incidents on a regular basis and enable early detection of any incident causing disruption, its impact, and the criteria for invoking the business continuity response, along with clarity on the roles and responsibilities of personnel.
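The activation criteria and escalation process the plan must contain are easiest to reason about when they are written down as a decision rule that the incident manager can apply to each detected incident. The following is an added example, not from the deck or from NCEMA: the tiers (monitor, escalate, invoke the BC plan), the role names that get notified, the threshold ratio and the incident records are constructed assumptions, and the RTO figures stand in for a BIA output. It encodes the deck's priorities: life safety always invokes the plan, incidents on non-prioritized activities are only monitored, an incident whose impact is still unknown is escalated rather than waited on, and otherwise the estimated outage is compared against the tightest affected RTO.

```python
"""Incident response: activation and escalation decision.

Added example, not from the deck or from NCEMA. The activation criteria, the
escalation tiers, the role names and the incident records are constructed
assumptions; the RTO figures are a hypothetical BIA output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed RTOs (hours) for the prioritized activities, as a BIA would produce.
RTO_HOURS: Dict[str, float] = {"customer-payments": 4, "core-banking": 8, "hr-payroll": 72}


@dataclass
class Incident:
    incident_id: str
    affected_activities: List[str]
    estimated_outage_hours: Optional[float]   # None while the impact is still unknown
    life_safety: bool = False


@dataclass
class Decision:
    level: str                                # "monitor", "escalate" or "invoke-bcp"
    reason: str
    notify: List[str] = field(default_factory=list)


def assess(incident: Incident, rto_hours: Dict[str, float],
           escalate_ratio: float = 0.5) -> Decision:
    """Apply the activation criteria to one incident.

    - life safety at risk always invokes the BC plan;
    - an incident that touches no prioritized activity is only monitored;
    - an unknown outage on a prioritized activity is escalated so the impact is
      confirmed before the RTO is consumed;
    - an outage at or above the tightest affected RTO invokes the BC plan, one at
      or above escalate_ratio * RTO is escalated, anything shorter is monitored.
    """
    if incident.life_safety:
        return Decision("invoke-bcp", "life safety at risk",
                        ["incident manager", "crisis management team", "spokesperson"])
    prioritized = [a for a in incident.affected_activities if a in rto_hours]
    if not prioritized:
        return Decision("monitor", "no prioritized activity affected", ["incident manager"])
    tightest = min(prioritized, key=lambda a: rto_hours[a])
    rto = rto_hours[tightest]
    outage = incident.estimated_outage_hours
    if outage is None:
        return Decision("escalate", f"impact on {tightest} (RTO {rto}h) not yet assessed",
                        ["incident manager", "crisis management team"])
    if outage >= rto:
        return Decision("invoke-bcp", f"estimated outage {outage}h >= RTO {rto}h for {tightest}",
                        ["incident manager", "crisis management team", "spokesperson"])
    if outage >= escalate_ratio * rto:
        return Decision("escalate",
                        f"estimated outage {outage}h has reached {escalate_ratio:.0%} of RTO {rto}h for {tightest}",
                        ["incident manager", "crisis management team"])
    return Decision("monitor", f"estimated outage {outage}h well below RTO {rto}h for {tightest}",
                    ["incident manager"])


# Constructed incident records (not real events).
INCIDENTS: List[Incident] = [
    Incident("INC-1", ["customer-payments"], 6),
    Incident("INC-2", ["hr-payroll"], 10),
    Incident("INC-3", ["core-banking"], None),
    Incident("INC-4", ["cafeteria"], 48),
    Incident("INC-5", ["network-core"], 1, life_safety=True),
    Incident("INC-6", ["core-banking"], 5),
]


def triage(incidents: List[Incident], rto_hours: Dict[str, float]) -> Dict[str, str]:
    """Map each incident id to its decision level."""
    return {i.incident_id: assess(i, rto_hours).level for i in incidents}


if __name__ == "__main__":
    for inc in INCIDENTS:
        d = assess(inc, RTO_HOURS)
        print(f"{inc.incident_id}: {d.level:10s} {d.reason} -> notify {', '.join(d.notify)}")
```

The point of keeping the rule this explicit is that the three things the plan must define (activation criteria, escalation process, and who is told) are all visible in one place and can be exercised against recorded incidents during the regular tests the deck calls for; a changed RTO from a refreshed BIA changes the decisions without anyone rewriting the plan text.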

Overview of media response plan and awareness

Media response plan
The organization shall establish a media response plan that has clear-cut communication procedures to enable personnel and the mass media to communicate, so that they are better acquainted with the incidents that impacted the organization’s business continuity.

The organization shall:
– Assign a spokesperson to receive, acknowledge and respond to queries related to the organization;
– Integrate its communication procedures/systems with national / regional / global communication systems; and
– Test the communication capabilities as part of the regular testing and exercising of the BCM program.

Awareness
The organization shall establish, implement and maintain a training and awareness program that is developed and implemented to effectively support the BCM objectives by developing the required competence.

The organization shall:
– Develop a training program to ensure that the training provided for personnel and teams matches their roles and responsibilities in the BCM program; and
– Ensure that internal and external interested parties are aware of their roles and responsibilities during disruptive incidents, to achieve the BCM requirements within agreed timelines while maintaining the approved agreements.

Overview of test, exercise, and review

Test and exercise
The organization shall conduct tests and exercises at regular intervals to ensure that the plan remains fit-for-purpose and effective, and shall establish, implement and maintain a ‘Test and Exercise Plan’.
– Tests shall be conducted to assess the readiness, usability and adequacy of the tools, technology, facilities, and infrastructure required to implement the organization’s BCM plans. Post-test reports shall be developed and reviewed, and corrective action taken when necessary; and
– Exercises shall be conducted to ensure BCM effectiveness and that it meets its objectives. Subsequently, a post-exercise report should be developed to document the results of the exercises.

Review
Management shall, periodically or when significant changes occur, review the organization’s BC capability to ensure it remains fit-for-purpose and continues to meet the BCM objectives.

The organization shall:
– Establish, implement and maintain an internal audit program;
– Assess supplier capability through joint tests and exercises or through a compliance review of the extent of supplier; and
– Carry out the Management Review annually.


Overview of business continuity plan


The organization shall implement and maintain plans detailing how it will manage a business disruption, so as to maintain continuity of its prioritized activities at the predetermined performance levels following that disruption. The organization shall ensure that the risks identified are addressed so that the prioritized activities can continue.

The business continuity plan shall:

– Be consistent with the BCM strategy and the incident response plan, and with the capabilities and requirements of interested parties;

– Define the criteria for invoking the plan and the method by which the plan is invoked;

– Identify the people who are assigned the authority to invoke the plan under any given circumstances;

– Define the roles and responsibilities of personnel and teams during and following an incident;

– Include prioritized objectives in terms of the prioritized activities to be recovered, the recovery timescale and the recovery levels needed for each main activity;

– Include the recovery procedures to be followed to return to normal after the emergency, once the minimum business continuity objectives have been met;

– Include a "stand down" procedure for when the incident is over and organization personnel need to return to their normal duties;

– Be accessible to and understood by interested parties upon implementation; and

– Be communicated to all personnel who need to be aware of it.


kpmg.com/socialmedia kpmg.com/app

Our awards

– MENA Insurance Awards: Best Audit Service 2018

– International Association of Outsourcing Professionals: World's Best Outsourcing Advisors 2017

– Working Mother: Top 5 Best Companies for Multicultural Women 2017

– The Times: Top 50 Employer for Women 2017

– IDC | UAE: Leader in Business Consulting 2017

– The Accountant & International Accounting Bulletin Awards: Global CEO Outlook wins Thought Leadership of the Year 2016

– Adviser Rankings: Preferred auditor for stock market clients 2017

– New York Law Journal: Best Business Accounting Provider 2016

– Partnerships Bulletin Awards: Global Financial Adviser 2016

– Tolley's Taxation Awards | UK: Best Tax Team in a Big Four Firm 2016

– WorldatWork | US: Innovative Excellence Engagement Award 2016

– MENA Fund Manager Awards: Best Audit Service 2016

– Forbes Middle East: Vijay Malhotra features in the Top 10 of Forbes Middle East's Top Indian Business Leaders in the Arab World 2016

For further details, please contact:

Karim Yahfoufi
Associate Director | Risk Consulting
KPMG Lower Gulf Limited
T: +971 24014814
E: [email protected]


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the United Arab Emirates. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Thank you

Kindly use the following code to receive the CPE hours via the mobile application: 14567
