BUSINESS CONTINUITY PROGRAMME
AN INTEGRATED RISK MANAGEMENT APPROACH
Bord Gais Eireann
Martin Dunlea, Chief Information Officer
November 2005

Agenda
- Overview of Business Continuity Programme
- Migrating from “cold site recovery” to business resilience
- The Strategic values of Business Continuity

Business Continuity - Key Objectives
Core Objective: Put in place the mechanism to facilitate the continued operation of critical company processes in the event of a disaster
Supporting objectives:
- Identify the critical company processes
- Put in place Enterprise response plans
- Assist units in developing process level procedures
- Maintain the system
- Enhance available technology

Business Continuity Provides
- A coordinated response to cater for disaster events affecting business
- A special organisation structure tasked to deal with the eventualities
- Locations and specialist assistance where business operations can be relocated to.
- A dual approach to all business units
- A common template for the identification of BCP requirements
- A cohesive company wide strategy developed to BCI guidelines
- Single source for continuity partnership

Business Continuity Programme
- Commenced as an IT Contingency Programme
- Massive dependency on IT resources in business response plans
- Apply IT programme discipline to BCP
- Identified 3 phases and 3 stages in BCP
  - Cold site to hot site
  - Hot site to high availability
  - High availability to business resilience
- Challenge to integrate into operational risk model and day-to-day activities
- Establish special organisation structure tasked to deal with the eventualities

Business Continuity Programme
- Continuity of business operations
- Compliance with Regulatory Requirements
- Maintain Market Systems
- Incorporate evolving security model
- Integrate into operational risk model and day-to-day activities

Business Continuity Orientation
[Diagram: the business continuity process in three phases (Phase 1, Phase 2, Phase 3). Labels on the diagram: Business Continuity Planning Initiation; Policy; Organisation; Resources; Scope; Planning for Requirements – the project; Business Unit Continuity Coordinators; Risk Identification; Business Impact Analysis; Recovery Strategy; Group Plans and Procedures; Change Management; Education; Testing; Review.]

BCP Community Organisation Structure

Process Recovery Requirements matched with IT Systems
[Chart: Time Requirement for Activation across processes. Categories: A few minutes, 30 Minutes, 4 Hours, 1 Day, 2 Days, 3 Days, 4 Days, 5 Days, 1 Week(+). Total No Of Processes: 128.]

IT Contingency Infrastructure Pre requirements identification
[Diagram labels: ATM Connection; Dial-up Backup; Internet Connection.]

IT Contingency Provisions - Post requirements identification
[Diagram labels: Network; IBM Dublin User Desks; Dedicated Equipment Site; IBM Cork User Desks; Remote TMS Site; ATM Connection; Dial-up Backup; Internet Connection.]

IT Contingency & BCP Provisions
Provisions made based on IT Contingency & Business Continuity Requirements
- Dedicated location for critical systems
- Dedicated & Syndicated Servers for Business Systems
- Dedicated ATM links to Data centers
- Syndicated hot-site desk and associated support facilities
- Specialist Personnel for recovery Assistance

BCP – Evolving a business resilience approach
[Chart: Recovery Time over the years 2003 to 2007, with a 72 hr line, showing Cold Site Recovery, Hot Site Recovery and Business Resilience. Data labels on the chart: 15 MCS, 78 BPS; 1 MCS, 22 BPS.]

Strategic Value of the Business Continuity Programme
- Mapping Organisation Processes
- Project Management
- Supply Chain Management
- Corporate Governance
- Regulatory
- Operational Risk
- Financials

Approaches to Operational Risk Management
- Cost of reactive policies is high
- Diverting to disaster recovery sites takes time
- Put in place preventative measures to minimise chances that DR or Incident Management procedures need to be invoked.
- With BCP
  - Anticipate events
  - Devise procedures to minimise the impact

Approaches to Operational Risk Management
- Understand the dependencies of the business and the impact of their failure
- List the risks of failure to each dependency
- Determine and implement effective countermeasures to those risks
- Continuously review the dependency model, the risks and the adequacy and quality of the countermeasures.

Approaches to Operational Risk Management
“It is usual to find that countermeasures are in place anticipating most risks. What is unusual is to find a structured approach that covers all identifiable risk”

Summary
- Provide transparency for senior management on appropriate use of organisation assets
- Establishes a formal programme for the management and mitigation of risk
- Establishes risk aversion & business continuity as a strategic goal of the organisation
- Establishes a structured approach to identifying and managing operational risk
- Improves standing & rating of the organisation
- Programme for frequent evaluation of BCR and IT contingency plan (3 in 2005)

QUESTIONS