BUSINESS CONTINUITY PLANNING GUIDE

AGENDA
• Introduction
• Objectives of BCP
• Approaches to BCP
• Dimensions of Scope
• Entry Points
• Q&A

INTRODUCTION
So… you've decided to embark on a business continuity planning (BCP) project… but where do you start?
• Define the objectives
• Determine the dimensions of scope
• Select an appropriate approach
• Proceed from an entry point

OBJECTIVES (1/2)
Four possible objectives of BCP:
1. Satisfy audit or regulatory requirements
2. Rebuild the infrastructure
3. Resumption of business activities
4. Continuity in customer service

OBJECTIVES (2/2)
Audit or Regulatory Requirements
• If your focus is on:
  – Passing an audit or getting points cleared
  – Minimizing costs
• Then your objective is to satisfy audit or regulatory requirements.

Rebuild the Infrastructure
• If your focus is on:
  – Alternative facilities and sites
  – Solutions to minimize downtime of key infrastructure and systems
• Then your objective is to rebuild the infrastructure.

Resumption of Business Activities
• If your focus is on:
  – Setting up an organization and the required facilities to enable key staff to resume their activities
• Then your objective is the resumption of business activities.

Continuity in Customer Service
• If your focus is on:
  – Defining what level of customer service must be maintained throughout a disaster
  – What is required to achieve that level of customer service
• Then your objective is to ensure continuity in customer service at an acceptable level.

APPROACHES TO BCP
Approaches to BCP based on the objectives:

  Objective                                   Approach
  Satisfy audit or regulatory requirements    Tick-box approach
  Rebuild the infrastructure                  Infrastructure approach
  Resumption of business activities           Gradual/subplans approach
  Continuity in customer service              Business approach (holistic)

SCOPE
• Event interrupting operations:
  – Asset protection: protection of assets (e.g., people, buildings, etc.)
  – BCP: preparation of critical elements for business continuity
• Enterprise-wide versus IT…
• …be clear on the scope of your BCP project.

DIMENSIONS OF SCOPE
(Diagram: three overlapping dimensions of scope, Infrastructure, Business Interruption Risks (BIR) and Business, with example elements: office relocation, dealing room, network control room, IT DRP, network resilience, server mirroring; long-term business viability, brand image, regulatory, client satisfaction, capacity; infrastructure risk, equipment failures.)

INFRASTRUCTURE
• …the identification and protection of critical (IT) infrastructure required to maintain an acceptable level of business,
• …to ensure the survival of the organization in times of business disruption.
• Critical infrastructure can include:
  – Mainframe
  – Networks
  – Applications
  – PCs and desktops
  – Manufacturing infrastructure
  – Logistical infrastructure
  – Office locations

BUSINESS
• …the identification and protection of critical business processes required to maintain an acceptable level of business,
• …to ensure the survival of the organization in times of business disruption.
• Critical business processes can include:
  – Manufacturing
  – Sales/order entry
  – Payroll
  – Dealing room activities
  – Delivery
  – Client communication
  – Accounting and finance

BUSINESS INTERRUPTION RISK
• …the identification of, and protection against, business risks resulting from a business interruption that jeopardize
• …the survival of the organization in times of business disruption.

ENTRY POINTS
There are four possible entry points, depending on the drivers of the approach.

  If your approach is…           Then your entry point is…
  Event driven                   Evaluate threats
  Business risk driven           Assess risks from interruptions
  Business driven                Analyze critical processes
  Applications or systems driven Dependency on (IT) infrastructure

THREATS
Classification of threats according to the type of event:
• Acts of nature – hurricane, flood, earthquake, etc.
• External man-made events – terrorism, evacuation, security intrusion, etc.
• Internal unintentional events – accidental loss of files, computer failure, etc.
• Internal intentional events – strike, sabotage, data deletion, etc.

RISKS
Business Risk Model (diagram, reconstructed as a list):
• Environment risk – competitor, catastrophic loss, sensitivity, sovereign/political, legal, industry, financial markets, shareholder relations, capital availability
• Process risk:
  – Operations risk – customer satisfaction, human resources, product development, efficiency, capacity, performance gap, cycle time, sourcing, commodity pricing, obsolescence, shrinkage, compliance, business interruption, product/service failure, environmental, health & safety, trademark/brand name erosion
  – Empowerment risk – leadership, authority/limit, performance incentives, communications
  – Information processing/technology risk – access, integrity, relevance, availability
  – Financial risk – currency, interest rate, liquidity, cash transfer/velocity, derivative, settlement, reinvestment/rollover, credit, collateral, counterparty
  – Integrity risk – management fraud, employee fraud, illegal acts, unauthorized use, reputation
• Information for decision making risk:
  – Operational – pricing, contract commitment, measurement, alignment, completeness and accuracy, regulatory reporting
  – Financial – budget and planning, completeness and accuracy, accounting information, financial reporting evaluation, taxation, pension fund, investment evaluation, regulatory reporting
  – Strategic – environmental scan, business portfolio, valuation, measurement, organization structure, resource allocation, planning, life cycle

ENTRY POINT: INFRASTRUCTURE
(Diagram: dimensions of scope, infrastructure dimension as entry point.)
• Traditional approach.
• Very often limited to IT, then extended to "departmental" infrastructure or office infrastructure.
• Very often the business perspective is used to assess the criticality of infrastructure elements and to justify the cost (business impact analysis).
• The risk scope is limited to infrastructure risks, through analysis of threats (potential events).

ENTRY POINT: BUSINESS
(Diagram: dimensions of scope, business dimension as entry point.)
• Top-down approach.
• Starting from a top-down analysis of the critical business domains or processes.
• For the critical business processes, assess the dependencies and criticality.
• Often the business interruption risk dimension is included in the business impact assessment, although not always made explicit, or limited to the obvious business interruption risks.

ENTRY POINT: BUSINESS RISKS
(Diagram: dimensions of scope, business interruption risk dimension as entry point.)
• Entering by looking at the business risks created by a business interruption.
• Allows more than only the operational impact to be included, e.g., product quality, brand image, health & safety, cash flow, etc.
• To manage these risks, other actions may be included alongside BCP, e.g., asset protection, supply chain management, crisis management, media management, etc.
• This is where BCP provides the best added value.

RISKS
The "five As" of risk management:
1. Assess risk
2. Accept or reject risk
3. Avoid risk, transfer risk, or reduce risk to an acceptable level
4. Analyze performance gaps
5. Act to improve

BUSINESS PROCESSES
(Diagram: Key Business Drivers → Business Processes → Information Flows → Infrastructure & Resources)
Identify key dependencies and vulnerabilities within the business organization, top-down:
• What does the company depend on to be successful?
• What are the key business processes driving the business?
• What are the flows within these business processes?
• What are the vulnerabilities and dependencies within these flows and business operations?

(IT) INFRASTRUCTURE
1. Obtaining an inventory of (IT) infrastructure
2. Assessing the possible threats
3. Analyzing the potential business impact
Achieved by:
4. Selecting the critical infrastructure
5. Identifying recovery solutions

BCP METHODOLOGIES
Two main BCP methodologies:

  Entry Points              BCP Methodology
  Infrastructure / Threat   Infrastructure-oriented, threat-based
  Business / Risk           Business-oriented, risk-based
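The BUSINESS PROCESSES and (IT) INFRASTRUCTURE slides describe working top-down from critical processes to the infrastructure they depend on, and the business entry point says to "assess the dependencies and criticality". The script below is an added example, not material from the guide, showing how that assessment can be made mechanical: each business process carries a recovery time objective (RTO), and every infrastructure element inherits the tightest RTO of any process that depends on it, directly or through intermediate elements. It also counts how many processes share each element, which flags candidate single points of failure. The process names, RTO values and dependency graph are constructed sample data and the threshold of 8 hours is an assumed cut-off, none of it taken from the guide.

```python
"""Derive infrastructure criticality from business-process dependencies.

Added example (not from the original guide). Processes carry an RTO in
hours; infrastructure elements inherit the minimum RTO of every process
that depends on them, directly or transitively. All names, RTO values and
dependencies below are constructed sample data.
"""
from collections import deque

# Constructed sample: business processes and their RTO in hours.
PROCESS_RTO = {
    "sales/order entry": 4,
    "payroll": 48,
    "client communication": 8,
    "accounting and finance": 72,
}

# Constructed sample: what each node depends on (process -> infrastructure,
# infrastructure -> infrastructure). Leaf elements have no entry.
DEPENDS_ON = {
    "sales/order entry": ["order app"],
    "payroll": ["hr app"],
    "client communication": ["mail gateway", "office network"],
    "accounting and finance": ["erp app"],
    "order app": ["db cluster", "office network"],
    "hr app": ["db cluster"],
    "erp app": ["db cluster"],
    "mail gateway": ["office network"],
    "db cluster": ["core network", "san"],
    "office network": ["core network"],
}


def transitive_dependencies(node, depends_on):
    """Every element `node` depends on, directly or indirectly (breadth-first).
    The visited set guards against cycles and shared (diamond) dependencies."""
    seen, queue = set(), deque(depends_on.get(node, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(depends_on.get(current, []))
    return seen


def infrastructure_rto(process_rto, depends_on):
    """Map each infrastructure element to the tightest RTO it inherits."""
    inherited = {}
    for process, rto in process_rto.items():
        for element in transitive_dependencies(process, depends_on):
            inherited[element] = min(rto, inherited.get(element, rto))
    return inherited


def critical_infrastructure(process_rto, depends_on, threshold_hours):
    """Elements whose inherited RTO is at or below the threshold, tightest first
    (ties broken alphabetically so the ordering is deterministic)."""
    rto = infrastructure_rto(process_rto, depends_on)
    return sorted((e for e, hours in rto.items() if hours <= threshold_hours),
                  key=lambda e: (rto[e], e))


def shared_dependencies(process_rto, depends_on):
    """Number of processes that (transitively) depend on each element.
    Elements shared by several processes are candidate single points of failure."""
    counts = {}
    for process in process_rto:
        for element in transitive_dependencies(process, depends_on):
            counts[element] = counts.get(element, 0) + 1
    return counts


if __name__ == "__main__":
    rto = infrastructure_rto(PROCESS_RTO, DEPENDS_ON)
    shared = shared_dependencies(PROCESS_RTO, DEPENDS_ON)
    print(f"{'element':16} {'inherited RTO (h)':>18} {'processes served':>17}")
    for element in sorted(rto, key=lambda e: (rto[e], -shared[e], e)):
        print(f"{element:16} {rto[element]:>18} {shared[element]:>17}")
    print("critical (RTO <= 8h):", critical_infrastructure(PROCESS_RTO, DEPENDS_ON, 8))
```

The point worth noticing is that the "core network" and "san" never appear in any process's direct dependency list, yet they end up with the tightest RTO and the widest reach; an inventory that stops at the first hop (the "traditional", IT-limited entry point) would rank them by their own threats rather than by the business processes they actually carry.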