Business Continuity Planning
Presenter
Carolyn Bell-Wisdom, CIA, FCCA, FCA, CISA, CFE,
Director, Internal Audit Outsourcing, Risk & Business Continuity Services at PwC Jamaica
2 | © 2012 Global Association of Risk Professionals. All rights reserved.
AGENDA
• Welcome and introduction of presenter
• Introduction and expectations of participants
• What is a business interruption?
• BCP Maturity Index
• BCP Challenges
• Why BCP?
• BCP Planning Stages
WHAT IS A BUSINESS INTERRUPTION?
A definition:
Procedures instituted to continue the operations of your business despite a significant interruption (to its buildings, IT systems or employees), with the ultimate objective of restoring the business to pre-disaster levels.
This BCP definition is restricted to the categories above and does not consider other threats that an enterprise-wide risk management program would capture; BCP risk is one arm of an ERM program.
PwC
BUSINESS CONTINUITY PLANNING LIFE CYCLE
1. Normal Operations – DRP activities: (1) Prevention; (2) Preparedness training
2. Emergency Response – DRP activities: (1) Organized response; (2) Damage containment
3. Interim Processing – DRP activities: (1) Use alternate equipment; (2) Use alternate procedures
4. Restoration – DRP activities: (1) Restore facilities; (2) Resume normal operations
BCP MATURITY INDEX
1. Immature: No formal BCP activities and plans
2. Somewhat mature: BCP is often discussed and limited activities are executed, but no formal BCP roles and responsibilities have been assigned and no plans are in place
3. Fairly mature: A BCP Coordinator has been identified, but plans are outdated and there is no BCP committee
4. Good maturity: BCP Coordinator and BCP committee exist, with a BCP budget, plans and high levels of BCP awareness across the company
BCP CHALLENGES
10 Potential Obstacles
1. A belief that nothing will happen – so no need to spend
2. A belief that once an IT plan is in place, all is well
3. Lack of a good understanding of what is required
4. Same people doing all the work – staff are overwhelmed
5. A belief that BCP is not a priority item
WHY BCP?
BCP investments should be treated like other investments, i.e., a business case should be made along the following lines:
> Competitive advantage
– Major customers / stakeholders who depend heavily on their suppliers for critical services are now requiring these suppliers / stakeholders to have a robust BCP capability
> Compliance with regulatory requirements, e.g. in the Bahamas, USA, Europe
> Protection of people (most important)
– Protection of the life and safety of employees and customers
> Commitment to client service delivery
– Especially for providers of financial services – the cost of being down would be too significant, even if the chances of being down are low
BCP IS FOR ALL COMPANIES
1. Both large companies and SMEs need business continuity plans
2. The key factor is the ability to continue serving customers and other stakeholders despite an interruption
3. Larger companies may have more complex plans than SMEs – but a plan is still required for SMEs and should be proportionate to the level of complexity
© Dr. Mark D. Yates. E: [email protected] W: www.businessconsultancyonestopshop.com
STANDARDS ON BUSINESS CONTINUITY MANAGEMENT
• No established ISO standard is out as yet – only guidelines, issued under ISO/PAS 22399:2007
• Disaster Recovery Institute International Professional Standards, used by its practitioners
• The British Standard on Business Continuity Management (BCM), BS 25999
– Establishes 6 BCM elements: BCM programme management; understanding the organization; determining business continuity strategies; developing and implementing BCM responses; exercising and maintaining the plans; embedding the plans in the organization
APPROACH TO DEVELOPING A BCP CAPABILITY
[Chart: recovery capability plotted against cost for the traditional approach – risk & impact analyses & extensive documentation, testing, rewrite plan]
RISK ASSESSMENT
1. Purpose: To identify threats that could lead to disasters
2. Do threat assessment, e.g. fire, flood, earthquake, electrical, environmental, people protection, hurricane, virus attack etc.
– Can be done via Interviews or questionnaire
– Rank threats – High, Med or Low risk
– Risk accept, prevent, mitigate or transfer
– Do Report (e.g. See Sample Facilities & IT Risk Report &
BUSINESS IMPACT ANALYSIS
Purpose:
To identify impact of a disaster and resources required to continue the business at an acceptable level after a disaster
BUSINESS IMPACT ANALYSIS
1. Do business impact analysis (BIA) which identifies:
– Key business processes and recovery time objectives (RTOs)
– E.g. For an Accounts Dept: Payroll, Statutory Reporting, Bank Reconciliations, Loan Payments
– IT application RTOs
– Minimum resource requirements (people, technology etc)
– Assess impact on the company (financial, reputational & legal)
– Internal and external dependencies
– BIAs can be done via interviews, workshops or questionnaires
STRATEGY SELECTION
1. Purpose: To select the most cost effective recovery strategy
2. Do a short list of the possible recovery options
1. Do nothing
2. Replicate everything
3. Choose strategy between do nothing and replicate everything
3. Identify recovery strategies that meet RTOs
4. Ensure that the minimum resource requirements are met by the chosen
strategy
5. Highlight the advantages and disadvantages of each strategy
6. Estimate the cost (one time and recurring for each)
7. Select the most cost efficient recovery strategy – use your creativity!
STRATEGY SELECTION
1. Hot site – replica of primary location
2. Cold site – only a building with wiring
3. Reciprocal arrangements – agreements to go to a supplier or third party
Which of the strategies above would be most likely for SMEs and why?
STRATEGY SELECTION
Strategy assumptions – you must make some assumptions:
– That most of the key persons will be available
– Data has been backed up
– The disaster lasts up to 30 days (no access to the building that is affected)
– All equipment, records, and resources within the building are not available
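As an added worked example (not from the presentation, and not PwC's or GARP's method), the BIA outputs above (process RTOs, IT application dependencies, minimum staffing) can be carried straight into the strategy selection steps: derive each application's RTO from the processes that depend on it, keep only the recovery options that meet the tightest RTO and the minimum resource requirement, and pick the cheapest over a planning horizon using one-time plus recurring cost. The department, process and application names, the candidate options and every figure are constructed assumptions, as are the `Process` and `Strategy` classes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: int            # recovery time objective agreed in the BIA
    applications: tuple       # IT applications the process cannot run without
    min_staff: int            # minimum people needed to run it at an acceptable level


@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_hours: int       # time the option needs before processing can resume
    seats: int                # workspaces the option provides
    one_time_cost: int
    annual_cost: int


# Constructed sample BIA for an Accounts department (illustrative figures only).
ACCOUNTS_PROCESSES = (
    Process("Payroll", 48, ("PAYROLL_APP", "GL"), 3),
    Process("Statutory Reporting", 120, ("GL",), 2),
    Process("Bank Reconciliations", 24, ("BANK_RECON", "GL"), 2),
    Process("Loan Payments", 24, ("LOAN_SYS",), 3),
)

# Constructed candidate options from "do nothing" to "replicate everything";
# "Do nothing" is modelled as an effectively unbounded recovery time.
CANDIDATES = (
    Strategy("Do nothing", 10**6, 0, 0, 0),
    Strategy("Reciprocal arrangement", 24, 12, 5_000, 8_000),
    Strategy("Cold site", 72, 20, 20_000, 15_000),
    Strategy("Hot site", 4, 20, 50_000, 60_000),
    Strategy("Replicate everything", 1, 40, 250_000, 120_000),
)


def application_rtos(processes):
    """An application must be back before the earliest-RTO process that depends on it."""
    rtos = {}
    for p in processes:
        for app in p.applications:
            rtos[app] = min(rtos.get(app, p.rto_hours), p.rto_hours)
    return rtos


def minimum_requirements(processes):
    """Tightest RTO and total minimum staff that the chosen strategy has to satisfy."""
    return min(p.rto_hours for p in processes), sum(p.min_staff for p in processes)


def lifetime_cost(strategy, horizon_years):
    """One-time cost plus recurring cost over the planning horizon."""
    return strategy.one_time_cost + strategy.annual_cost * horizon_years


def evaluate(strategies, required_rto, required_seats, horizon_years):
    """(name, rejection reason or None, lifetime cost) for every option, so trade-offs are visible."""
    rows = []
    for s in strategies:
        reason = None
        if s.recovery_hours > required_rto:
            reason = f"recovery {s.recovery_hours}h exceeds RTO {required_rto}h"
        elif s.seats < required_seats:
            reason = f"{s.seats} seats < {required_seats} minimum staff"
        rows.append((s.name, reason, lifetime_cost(s, horizon_years)))
    return rows


def select_strategy(strategies, processes, horizon_years=5):
    """Cheapest option over the horizon among those meeting the RTO and resource needs."""
    rto, seats = minimum_requirements(processes)
    feasible = [s for s in strategies if s.recovery_hours <= rto and s.seats >= seats]
    if not feasible:
        return None
    return min(feasible, key=lambda s: lifetime_cost(s, horizon_years))


if __name__ == "__main__":
    print("Application RTOs:", application_rtos(ACCOUNTS_PROCESSES))
    rto, seats = minimum_requirements(ACCOUNTS_PROCESSES)
    for name, reason, cost in evaluate(CANDIDATES, rto, seats, 5):
        print(f"{name:24} cost over 5y: {cost:>8}  {'feasible' if reason is None else reason}")
    chosen = select_strategy(CANDIDATES, ACCOUNTS_PROCESSES)
    print("Selected:", chosen.name if chosen else "none feasible")
```

The rejection reasons are kept alongside the costs so the advantages and disadvantages of each option (step 5 above) can be documented, not just the winner; changing the horizon or the minimum staffing figures shows how quickly the cheapest feasible option moves between the reciprocal, cold and hot site choices.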
PLAN DOCUMENTATION & TESTING
Purpose:
To record a set of procedures, based primarily on predetermined decisions that will guide the recovery of the business despite a disaster
TESTING AND MAINTENANCE
Purpose:
To test the existing ability to resume the business in the event of a disaster.
BCP IMPLEMENTATION AND EMBEDDING
1. Training and awareness
   1. Recovery teams
   2. Members of staff
   3. Directors, senior managers and owners
2. BCP Organisation
   1. BCP Committee (membership) – nothing elaborate
   2. BCP Coordinator (not a full time job)
   3. BCP Champions
   4. Leveraging aspects of a company’s natural structure
BCP IMPLEMENTATION AND EMBEDDING
4. Testing: call test and walkthroughs
5. BCP Prerequisites: Vital records management, system backups
6. BCP Budget (one time and recurring costs)
– Plan development costs
– Cost to build in redundancies and resilience
– Cost to implement the recovery strategy
– Cost to maintain the plan (telecom cost, rental of alternate site, additional software licences)
GENERAL TOPICS
1. Supply Chain & the Need for BCP in Procurement
• Try to ensure that goods can be sourced from different suppliers (possibly in different countries)
• Contracts should require key suppliers to have robust BCP programs, e.g. IT service bureaus
• Ensure that contracts with landlords state the landlords’ BCP requirements, such as fire drills
• Insurance of goods in transit and shipping terms
• Include the right to inspect and audit key suppliers’ facilities or to review internal auditors’ reports
General Topics
1. Need for BCP in Procurement Process
2. Linkage of Climate Change & BCM
GENERAL TOPICS
2. Linkage of Climate Change & BCM
• Definition of Climate Change: a regional change in temperature and weather patterns. Current science indicates a discernible link between climate change over the last century and human activity, specifically the burning of fossil fuels.
GENERAL TOPICS
2. Linkage of Climate Change & BCM (cont’d)
• The Caribbean has seen a greater number of systems being developed in recent years
• This means increased probability of hurricanes making landfall and hence affecting various islands
• Planning must therefore anticipate being hit by more than one system in a season
• This means bigger budgets and greater planning for private, SME and public sector entities
Creating a culture of risk awareness™
Global Association of Risk Professionals 111 Town Square Place Suite 1215
Jersey City, New Jersey 07310 USA
+ 1 201.719.7210 2nd Floor Bengal Wing 9A Devonshire Square London, EC2M 4YN UK
+ 44 (0) 20 7397 9630 www.garp.org
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org.