Business Continuity Planning (BCP) 101
Submitted by: Business Continuity Management Institute
APEC EPWG Workshop: Private Sector Emergency Preparedness
BCP 101
August 2, 2011
Hotel Monterey Sendai, Sendai, Japan
Dr Goh Moh Heng
PhD BCCE DRCE BCCLA CBCP FBCI
Introduction 1: Business Continuity Planning (BCP) 101
09:45-11:10
Overview, including benefits and challenges to implementation, practices for mitigating threats and risks, and examples of BCP
Dr Goh Moh Heng
• President
  – Business Continuity Management (BCM) Institute
  – www.bcm-institute.org
• Managing Director
  – GMH Continuity Architects
  – Asia Pacific BCM Consulting Firm
  – www.GMHasia.com
• Professional BCM Appointments
  – Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org
  – Project Director, Technical Working Group for SS507:2004
• ISO/IEC 24762 Guidelines for BC-DR Services
Dr Goh Moh Heng
Prior Appointments
• Government of Singapore Investment Corporation (GIC)
• Standard Chartered Bank
  – Global Head for BCM
• PriceWaterhouse (Coopers)
• Past Certification Board Member for DRI International’s Certification Board
• Past Executive Director for DRI Asia
• Senior Technical Advisor, China Business Continuity Management Forum
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
BCM Institute
• Started in January 2005.
• Provide competency-based BC-DR training to all levels.
• Certify BC-DR professionals globally.
• Started Certification programme in April 2007.
• Trained more than 3000 professionals from 850
Agenda (Part 1 of BCM-101)
• Business Continuity Management
  – Overview and Fundamentals
• BCM Planning Methodology
  – Planning Process
• Comparison with BCM Standards
  – Flexibility and consistency in global compliance
• Process for implementing business continuity
[Diagram labels: Crisis, IT Recovery, Business Continuity, Security; Incidents, Emergencies, Events, Disasters; Crisis Management Plan, IT DR Plan, BC Plan, Security Plan, Specific Plans]
BCM Planning Methodology
http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology
Key International BCM Standards
BS 25999
SS 540
NFPA 1600
BCM Planning Methodology
Step-by-Step Approach
Project Management
Objectives
• Formulate a workable project proposal.
• Seek endorsement and commitment on the project from management committee.
• Establish project management structure and control.
Tasks
• BCM Steering Committee & BCP Project Team
• Review and understand organisation environment.
• Agree and formalise project management structure and resource allocation.
• Establish project administration reporting and control mechanism.
Deliverables
• Project plan proposal includes:
  – Definition
  – Scope
  – Objective
  – Approach
  – Schedule
  – Manpower
  – Roles & Responsibilities
• Project workplan.
• Project reporting
Risk Analysis and Review
Objectives
• Identify vulnerabilities
• Establish reliable recommendations for:
  – Minimizing impact of identified threats
  – Immediate and effective response to potential causes of disaster
Tasks
• Identify exposure to internal & external threats and the likelihood of these threats occurring
• Recommend preventive responses and escalation procedures in conjunction with crisis management implementation
• Evaluate findings and prepare a status report & recommendation.
Deliverables
• Comprehensive risk and threat profile to the organization, with key disaster scenario
• Recommendation for:
  – Countermeasures
  – Immediate Response Procedures
  – Security Risk Review
  – to be implemented to minimize the risks
• Summary report of recommendations agreed with senior management
Business Impact Analysis
Objectives
• Determine impact of unavailability/failure/disaster on business functions.
• Determine critical business needs and tolerable limits.
Tasks
• Establish business criticality/impact criteria using Business Impact Analysis Questionnaires (BIAQ).
• Prioritise the importance of each business unit vis-à-vis established criteria.
• Consolidate findings and rankings.
• Present results to management committee to confirm critical classifications and priority listings.
Deliverables
• Detailed report on findings (approved by management) containing:
  – tolerable limits;
  – classification of criticality;
  – prioritised critical business functions;
  – minimum resources;
  – critical applications and systems; and
  – restoration priority.
• Impact analysis of unavailability of business functions (quantitative and qualitative).
Recovery Strategy
Objectives
• Establish business functions & job priorities vis-à-vis business needs.
• Determine processing requirements for priority business functions.
• Identify and formalise backup for everything needed to survive a disaster.
• Ensure that alternative processing procedure is available for continuity of critical business needs whilst recovery is in progress.
Tasks
• Analyse all division functions to prioritise them based on business needs.
• Analyse hardware and software requirements to run high priority critical functions so that sufficient backup can be arranged.
• Review and establish backup arrangements, if necessary.
• Identify necessary interim processing procedures for critical functions.
• Seek management’s review and endorsement of findings and recommendations.
• Recommend alternate interim processing procedures.
Deliverables
• List of strategic plans for recovering prioritised critical functions.
• List of critical functions requiring interim manual processing procedures.
Plan Development
Objectives
• Train and equip users with skill to complete the Microsoft Word plan template.
• Establish recovery procedures to fully restore normal business operations after a disaster, based on selected strategies.
• Ensure consistency and comprehensiveness of coverage.
Tasks
• Determine recovery teams set-up and functional responsibilities.
• Identify members of each recovery team.
• Develop specific procedures for each recovery team.
• Review and edit (based on agreed structure) the plan component to ensure consistency and comprehensiveness of documentation.
Deliverables
• Propose:
  – Recovery team structure;
  – Staffing of the recovery teams with names of specific staff members; and
  – List of action steps to be taken by each member of respective recovery team.
• Completed Business
Testing and Exercising
Objectives
• Formulate an objective mechanism to validate the "workability" of the complete Business Continuity Plan.
Tasks
• Design an overall program for testing of plan.
• Develop plans and schedules for specific tests.
• Develop an evaluation mechanism.
Deliverables
• List of tests to be conducted.
• List of responsibilities of parties involved:
  – Objectives, policies, guidelines, responsibilities and test specifications.
• Specific test plan:
  – Description, scenarios, procedures and criteria.
• Evaluation forms/checklists for recovery plan tests.
Building Organizational Competency
[Diagram labels: Organization BCM Manager; BCM Internal Auditor; Business Unit Coordinator/Representative; BCM Steering Committee]