www.businessbeam.com
A business case for establishing a Business Continuity Plan (BCP)
Business Beam
Contents
1. What is Business Continuity?
2. Business Benefits
3. Implementation Roadmap
Copyrights (C) 2004-2016 Business Beam. All rights reserved.
What is Business Continuity?
A business case for establishing a Business Continuity Plan
[Image slides: examples of disruptive events]
- 9/11 for Pakistan
- Happened in Karachi (June 26, 09)
- Suicide Attack in Lahore (May 27, 09)
- Thanks to KESC
- Berger Paints
- Fire at Shahra-e-Faisal Building
The Reality of Business Continuity
- 43% of US companies never reopen after a disaster and 29% more close within 3 years.
- 20% of small to medium size businesses suffer a major disaster every 5 years.
- 78% of organizations which lacked contingency plans but suffered catastrophic loss were gone within 2 years … most had insurance, and many had business interruption coverage!
(Sources: U.S. National Fire Protection Agency, U.S. Bureau of Labor, Richmond House Group and B2BContinuity.com)
Is This An Effective Management Strategy In the Face of the KNOWN Risks?
YES!
NO!
Effects of Effective Business Continuity: the impact on shareholder value
[Chart: shareholder value over trading days after the event, one curve for an effective crisis response and one for ineffective crisis responses; x-axis: trading days after the event, 25 to 225]
Source: “The Impact of Catastrophes on Shareholder Value,” Rory F. Knight & Deborah J. Pretty, Templeton College, University of Oxford, p. 3.
What is Business Continuity Management?
Business Continuity Management (BCM) is a holistic management process that:
- Identifies potential impacts that threaten an organization,
- Provides a framework for building resilience and the capability for an effective response,
- Safeguards the interests of key stakeholders, reputation, brand and value creating activities.
Success or Failure?
[Chart: level of business over time, with the critical recovery point marked, for three cases: A – fully tested effective BCM; B – no BCM, lucky escape; C – no BCM, usual outcome]
Business Benefits
A business case for establishing a Business Continuity Plan
Key Benefits (1)
To Business
- Gain reputation as “Safe and Secure Organization”
- First mover advantage
- Cost effectiveness = Higher profitability
- Better compliance with laws and regulations
- Better continuity in case of any disaster
To Operations
- Better risk management & risk reduction
- Better cost control
- Defined SOPs
To IT
- Identification and control of information assets
- Better risk management
- Defined SOPs
- IT Disaster management
Key Benefits (2)
Better policies, procedures and working templates
- Business continuity
- Information security
- Related roles and responsibilities
- Organization wide awareness
- SAP related and general IT infrastructure
- Use of network services
- Mobile computing
Key Benefits (3)
Identification of Business Critical processes
- Process identification
- Process ranking according to business criticality
- Continuity strategies for critical processes
Business Continuity planning
- Business Impact Analysis (BIA)
- BCP for all areas under scope
- BCP awareness, testing and exercises
Key Benefits (4)
Information Asset Management
- Information Classification
- Information Asset Identification & Classification
- Employee Skill Management
Risk Management
- Identification and Analysis of Risks
- Treatment of Risks
- Development of Risk Management Approach & Criteria
Key Benefits (5)
Better Description of Roles & Responsibilities
- Job description related to information security
- Pre-hiring controls
- During employment personnel development
- Post-employment controls
Physical Security
- Identification of Secure Areas
- Equipment Security
Key Benefits (6)
Communications & Operations Management
- Documented SOPs
- Segregation of duties
- Third party service delivery management
- System planning & acceptance
- Data backup and recovery
- Network security
- Media handling
- e-Commerce
Access Control
- Access control policy and procedures
- User, network and OS access control
- Application and mobile access control
Key Benefits (7)
Regulatory compliance
- All applicable laws
- Intellectual property rights
Framework for Continual Improvement
- Regular Internal Audits
- Corrective & preventive actions
Implementation Roadmap
A business case for establishing a Business Continuity Plan
- Phase 1: Scoping & Planning
- Phase 2: Understanding the Organization
- Phase 3: Risk Assessment and Control
- Phase 4: Implementation of Mitigation Strategies
- Phase 5: Training for Internal Audit and Internal Audit
Phase 1: Scoping & Planning
Project Scoping
- Identification of geographical scope
- Identification of functional scope
- Documenting and agreeing the scope of the assignment
Team Formation
- Establishing Management Steering Group
- Establishing working groups
Awareness
- Awareness Sessions
- Implementer Trainings
Phase 2: Understanding the Organization
Process Identification
- Identification of functions under scope
- Identification of processes under scope
BIA
- Identification of business impact if process does not work
- Prioritizing processes based on time criticality
- Presenting report to the management
Asset Registration
- Identification & classification of information assets in the organization
- Asset value assessment
- Asset ownership identification
Phase 3: Risk Assessment and Control
Risk Assessment
- Identification of application threats and risks
- Analyzing probability and impact of risks
Risk Threshold
- Calculating risk threshold
- Defining risk acceptance criteria
Development of SOA
- Selection of right controls to handle the identified risks
- Implementing risk threshold and acceptance criteria
- Developing and presenting SOA
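The BIA prioritisation of Phase 2 and the probability-times-impact scoring, risk threshold and acceptance criteria of Phase 3 can be worked through on a small risk register. The following is an added illustration, not Business Beam's own method or tooling; the processes, threats, tolerable-downtime figures, 1 to 5 scales and the threshold value are all constructed assumptions.

```python
# Added example (not from the Business Beam deck): a minimal risk register that
# ranks processes by time criticality for the BIA, scores each threat as
# probability x impact, and applies a risk threshold / acceptance criterion to
# decide which risks need a control in the Statement of Applicability (SOA).
# All values below are constructed sample data; scales and threshold are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    process: str
    threat: str
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (catastrophic)

    @property
    def score(self) -> int:
        return self.probability * self.impact


RISK_THRESHOLD = 10  # assumed acceptance criterion: scores >= 10 must be treated

# Constructed BIA input: maximum tolerable downtime (hours) per process.
MTD_HOURS = {"Payroll": 72, "Order processing": 4, "Email": 24}

# Constructed risk register entries.
SAMPLE_RISKS = [
    Risk("Order processing", "Power outage at main site", 4, 5),
    Risk("Order processing", "Ransomware on application server", 2, 5),
    Risk("Payroll", "Backup media lost", 2, 3),
    Risk("Email", "Mail server hardware failure", 3, 3),
]


def rank_by_time_criticality(mtd: dict) -> list:
    """BIA step: the process with the shortest tolerable downtime comes first."""
    return sorted(mtd, key=mtd.__getitem__)


def risk_decision(risk: Risk, threshold: int = RISK_THRESHOLD) -> str:
    """Acceptance criterion: accept below the threshold, otherwise treat."""
    return "treat" if risk.score >= threshold else "accept"


def soa_candidates(risks, threshold: int = RISK_THRESHOLD) -> list:
    """Risks that need a selected control, highest score first, as SOA input."""
    needing = [r for r in risks if risk_decision(r, threshold) == "treat"]
    return sorted(needing, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    print("BIA ranking:", rank_by_time_criticality(MTD_HOURS))
    for r in soa_candidates(SAMPLE_RISKS):
        print(f"{r.score:>2} {r.process}: {r.threat}")
```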
Phase 4: Implementation of Mitigation Strategies
Mitigation Planning
- Identifying right mitigation strategies
- Planning for implementation
Security Controls
- Developing processes and procedures for information security controls
Business Continuity Plan
- Development of Business Continuity Plan
- Desktop exercise of BCP
Phase 5: Training for Internal Audit and Internal Audit
Internal Audit Training
- Hands-on internal audit trainings for selected individuals
- Internal audit trainings on both standards
Internal Audit
- Conducting first internal audit
- Developing Internal Audit report
Audit Findings
- Detailed assistance in closure of audit findings
- Identification of corrective and preventive actions
www.businessbeam.com
Thank You!
[email protected]