business-continuity-management- (1).pptx

shiva3305 104 views 127 slides Sep 10, 2024

Slide Content

Aim and Objectives

Aim
- To develop an understanding of how to implement a BCMS within your organisation.

Objectives
- To develop an understanding of business continuity.
- To understand how to use the business continuity toolkit.
- To understand how to undertake a business impact analysis for your organisation.
- To understand how to develop a business continuity plan for your organisation.

Definitions – ISO 22301:2019

Business Continuity: The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management: A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management System: Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

Business Continuity Management System (ISO 22301/22313)

A business continuity management system emphasises the importance of:
- Understanding the organisation’s needs and the necessity for establishing a business continuity management policy and objectives
- Implementing and operating controls and measures for managing an organisation’s overall capability to manage disruptive incidents
- Monitoring and reviewing the performance and effectiveness of the BCMS, and
- Continual improvement based on management of objectives

Elements of Business Continuity Management (ISO 22313)

Cycle diagram showing the elements:
- Operational planning and control
- Business impact analysis and risk assessment
- Business Continuity Strategy / Leadership
- Establish and implement BC procedures
- Exercising and Testing

Plan, Do, Check, Act Cycle

ISO 22301 and 22313 use a ‘Plan, Do, Check, Act’ cycle in planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organisation’s business continuity management system.

Plan, Do, Check, Act Cycle (diagram)

Activity 1

In your groups, discuss what the legal and/or regulatory responsibilities for business continuity are for your organisation.

Activity 1 – Summary
- Civil Contingencies Act 2004 and Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005
- ISO 22313:2020 and ISO 22301:2019
- NHS England Emergency Preparedness, Resilience and Response Framework, last revised 2022
- NHS England Business Continuity Framework, last revised 2022
- Health and Safety at Work etc. Act 1974
- NHS Standard Contract

Activity 1 – Summary Continued

Apart from the legal side, common sense prevails for:
- The public we serve
- The staff we employ
- The partners we work with
- Those who commission our organisation

Interested Parties (diagram, adapted for the NHS from ISO22313)

Elements of Business Continuity Management 1 (ISO 22313)
- Operational planning and control
- Business impact analysis and risk assessment
- Business Continuity Strategy
- Establish and implement BC procedures
- Exercising and Testing

Business Impact Analysis

The BIA identifies business continuity requirements, providing the information needed to determine the most appropriate business continuity solutions. The BIA also identifies the urgency of each activity undertaken by the organisation by assessing the impact over time that any potential or actual disruption to that activity would have on the delivery of products and services.

Understanding the Organisation (diagram, adapted for the NHS from ISO22313)

The diagram links Purpose of Organisation → Products & Services → Activities → Dependencies and supporting activities → Assets and resources, set within the Internal Context and the External Context (Suppliers & Partner Organisations, Patients & Clients).

Business Impact Analysis Template
- Risk assessment and treatment
- Prioritisation of activities, including recovery time objectives (RTO) and maximum tolerable period of disruption (MTPoD)
- Identify resources required for maintenance of priority services

Business Impact Analysis

Activities grouped by how much disruption they can tolerate:
- Activities that cannot tolerate any disruption
- Activities which can tolerate very short periods of disruption
- Activities which could be scaled down if necessary for short periods of time
- Activities which could be suspended if necessary

Source: ISO 22313

Activity 2

In your groups:
- Identify your organisation’s/department’s essential activity/service.
- Also identify your organisation’s legislative requirements.
- What are the resources required to deliver these?
- Are there any apparent risks to maintaining these prioritised activities?
- How will you reorganise to maintain these prioritised activities in the event of a disruptive incident?

Elements of Business Continuity Management 2 (ISO 22313)
- Operational planning and control
- Business impact analysis and risk assessment
- Business Continuity Strategy
- Establish and implement BC procedures
- Exercising and Testing

Business Continuity Strategy Options (adapted from PAS 2015)
- People
- Premises
- Technology
- Information
- Suppliers
- Stakeholders

Activity 3

In your groups discuss:
- Does your organisation have a business continuity strategy?
- What do you think a business continuity strategy should contain, and why?
- Who is the organisation’s senior business continuity champion?
- Does your organisation have an agreed essential/priority service list?

Elements of Business Continuity Management 3
- Operational planning and control
- Business impact analysis and risk assessment
- Business Continuity Strategy
- Establish and implement BC procedures
- Exercising and Testing

Activity 4 – Continuity Requirements
- People
- Premises
- Technology
- Information
- Suppliers and Partners

Activity 4 – Continuity Requirements

People
- What number of staff do you require to carry out critical activities?
- What is the minimum staffing level you will need to deliver these?
- What skills/level of expertise are required to undertake these activities?

Premises
- What locations do your prioritised activities operate from?
- What alternative premises do you have?
- What machinery, equipment and other facilities are essential?

Technology
- Is the service dependent on electrical medical equipment?
- What IT is essential to carry out your prioritised activities?
- What systems and means of communication are required to carry out your prioritised activities?

Information
- What information is essential to carry out your prioritised activities?
- How is this information stored?

Suppliers and Partners
- Who are your priority suppliers?
- Are key services contracted out?
- Do both you and your suppliers/partners have mutual aid arrangements in place?

Definitions

Recovery Time Objective (RTO): The period of time following an incident within which a product or service must be resumed, or an activity must be resumed, or resources must be recovered.

Maximum Tolerable Period of Disruption (MTPoD): The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

Source: ISO 22301
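As an added example, not part of this slide deck: the RTO and MTPoD definitions above turned into a small BIA check in Python. It derives MTPoD from an activity's impact-over-time profile, checks that the proposed RTO is shorter than it, maps the result onto the four ISO 22313 tolerance bands from the earlier BIA slide, and orders activities for recovery. The impact scale, the "unacceptable" threshold, the 24-hour band boundary and the sample activities are all assumptions made for this example.

```python
"""BIA helper built on the ISO 22301 definitions of RTO and MTPoD.

An activity's impact over time is given as a step profile of
(hours since the disruption began, impact level from that point on).
MTPoD is the first point at which the impact level reaches the
"unacceptable" threshold; the activity's RTO must be shorter than that.
Impact scale, threshold, band boundary and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed impact scale: 1 negligible, 2 minor, 3 moderate, 4 severe, 5 catastrophic.
UNACCEPTABLE = 4  # assumed level at which adverse impact becomes unacceptable


@dataclass
class Activity:
    name: str
    impact_profile: List[Tuple[float, int]]  # sorted by hours; first entry at hour 0
    rto_hours: Optional[float] = None        # proposed recovery time objective


def mtpod_hours(profile: List[Tuple[float, int]],
                threshold: int = UNACCEPTABLE) -> Optional[float]:
    """Maximum tolerable period of disruption: the elapsed time at which the
    adverse impact of not performing the activity first becomes unacceptable.
    Returns None when the profile never reaches the threshold."""
    if not profile or profile[0][0] != 0:
        raise ValueError("impact profile must start at hour 0")
    for hours, level in profile:
        if level >= threshold:
            return hours
    return None


def rto_is_acceptable(activity: Activity,
                      threshold: int = UNACCEPTABLE) -> Tuple[bool, str]:
    """The RTO must sit inside the MTPoD: resume the activity before its absence
    becomes unacceptable. An MTPoD of 0 can never be met by recovery alone, so
    such an activity needs measures that reduce the likelihood of disruption."""
    mtpod = mtpod_hours(activity.impact_profile, threshold)
    if mtpod is None:
        return True, "impact never becomes unacceptable; no RTO required"
    if activity.rto_hours is None:
        return False, f"no RTO set but MTPoD is {mtpod}h"
    if activity.rto_hours < mtpod:
        return True, f"RTO {activity.rto_hours}h < MTPoD {mtpod}h"
    return False, f"RTO {activity.rto_hours}h is not shorter than MTPoD {mtpod}h"


def tolerance_band(mtpod: Optional[float]) -> str:
    """Map MTPoD to the four ISO 22313 tolerance bands named on the BIA slide.
    The 24-hour boundary is an assumption for this example, not from the standard."""
    if mtpod is None:
        return "could be suspended if necessary"
    if mtpod == 0:
        return "cannot tolerate any disruption"
    if mtpod <= 24:
        return "can tolerate very short periods of disruption"
    return "could be scaled down if necessary for short periods of time"


def prioritise(activities: List[Activity],
               threshold: int = UNACCEPTABLE) -> List[Activity]:
    """Recovery priority order: shortest MTPoD first; activities whose impact
    never becomes unacceptable go last."""
    def key(a: Activity):
        m = mtpod_hours(a.impact_profile, threshold)
        return (m is None, m if m is not None else 0.0, a.name)
    return sorted(activities, key=key)


def bia_report(activities: List[Activity]) -> List[dict]:
    """One row per activity, in recovery priority order."""
    rows = []
    for a in prioritise(activities):
        m = mtpod_hours(a.impact_profile)
        ok, reason = rto_is_acceptable(a)
        rows.append({"activity": a.name, "mtpod_hours": m, "band": tolerance_band(m),
                     "rto_hours": a.rto_hours, "rto_ok": ok, "reason": reason})
    return rows


# Constructed sample activities for a hospital department (not real BIA data).
SAMPLE_ACTIVITIES = [
    Activity("Staff newsletter", [(0, 1)]),
    Activity("Outpatient bookings", [(0, 1), (24, 2), (72, 3), (168, 4)], rto_hours=240),
    Activity("ED triage", [(0, 4)], rto_hours=0),
    Activity("Pathology results", [(0, 2), (4, 3), (12, 4)], rto_hours=8),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_ACTIVITIES):
        flag = "OK  " if row["rto_ok"] else "FAIL"
        print(f"{flag} {row['activity']:<20} MTPoD={row['mtpod_hours']} "
              f"band={row['band']}: {row['reason']}")
```

Run as a script it prints the prioritised table; an activity flagged FAIL either needs a shorter RTO or, where MTPoD is 0, preventive measures rather than a recovery plan.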

Mitigating Impacts Through Effective Business Continuity: Sudden Disruption (diagram, ISO 22313)

Mitigating Impacts Through Effective Business Continuity: Gradual Disruption (diagram, ISO 22313)

Incident Timeline
- What mechanism could be used to ensure that during and following an incident the matter is escalated to the appropriate level in the organisation?
- What are your organisational command and control arrangements?

Activity 5

List as many examples as you can of measures which could be considered in the context of flooding due to failure of internal plumbing systems to:
- Reduce the likelihood of a disruption
- Shorten any period of disruption
- Limit the impact of a disruption

Business Continuity Incident Examples

Example – NHS staff strikes
- NHS staff strikes in 2013 and 2014; Junior Doctors in 2016
- Disputes over staff pay
- The strikes were the first by NHS staff over pay in more than 30 years

Example – Severe Weather (Storms)

During the winter of 2021/22 the UK experienced 5 storms:
- Storm Malik – 28/01/22
- Storm Corrie – 29/01/22
- Storm Dudley – 14/02/22
- Storm Eunice – 18/02/22
- Storm Franklin – 21/02/22

The NHS experienced various business continuity issues throughout this period, some of which are mentioned below:
- Travel disruptions
- Structural damage impacted NHS buildings across the country
- Outpatient appointments being rescheduled as a result of the severe weather
- Roads, bridges and railway lines closed, with delays and cancellations to transport

Example – Royal Marsden 2008
- More than 100 firefighters in 25 fire engines were deployed to the blaze
- Between 80 and 90 patients were helped onto the streets whilst the hospital was filled with thick smoke
- The fire could be seen across the London skyline

Further information: http://www.webarchive.org.uk/wayback/archive/20130304124419/http://www.london.nhs.uk/webfiles/Corporate/NHSL_FIRE_LR_2.pdf

Example – WannaCry – Cyber Attack

On Friday 12th May 2017 the NHS was affected by the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and resulted in the cancellation of thousands of appointments and operations, together with the frantic relocation of emergency patients from stricken emergency centres. Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

The WannaCry ransomware exploited a specific Microsoft Windows vulnerability; it was not an attack on unsupported software. Most of the NHS devices infected with the ransomware were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system, hence the extent of the cyber-attack. The ransomware also spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but fortunately there were no instances of the ransomware spreading via NHSmail (the NHS email system).

NHS England reported that at least 80 out of the 236 trusts were affected, in addition to 603 primary care and other NHS organisations, including 595 GP practices.

Example – BT Flood and Fire March 2010

‘...tens of thousands of customers in parts of North and West London may be experiencing a loss of broadband and/or telephone service [...] as this is a complex incident we cannot accurately predict when all services will be restored. We will issue further updates as the situation changes. Any customers needing to make calls to the emergency services who have a problem using their phones are advised to do so by using their mobile phone, or alternatively by using a friend or neighbour's working phone.’

Example – Coronavirus (COVID 19)

What is Coronavirus?
Coronavirus, also called COVID-19, is part of a family of viruses that includes the common cold and more serious respiratory illnesses such as SARS. It affects your lungs and airways. For many people it causes mild symptoms, while for others it can be much more serious and require hospital treatment. Coronavirus is very infectious, which means it spreads very easily. It spreads in much the same way as the common cold or flu – through infected respiratory droplets like coughs and sneezes – and passes from person to person.

On Wednesday 29 2020 the UK’s first two patients

The average ‘incubation period’ – the time between coming into contact with the virus and experiencing symptoms – is 5 days, but it could be anything between 1 and 14 days. As of 21/04/22 there have been over 22 million cases of COVID in the UK and over 173,000 deaths. As of 15/04/22 there have been a total of 831,579 patients admitted to hospital with COVID-19.

NHS Impacts
- Additional pressures, in conjunction with winter pressures, on emergency departments
- Staff shortages due to sickness
- Impact on the availability of PPE
- Supply chain disruption
- Shortage of equipment
- Mental and physical trauma

Example – Chase Farm Hospital 2010

Loss of water supply due to a burst water main in Enfield.

Bowsers (water tanks) are still on site to ensure the main patient areas continue to receive water [...] Bottled water is available for staff and patients. The A&E department is open to all walk-in patients; however, all other emergencies are being transferred to Barnet Hospital. Once the water has resumed, A&E services will return to normal.

Example – Grenfell Tower

On 14th June 2017 a high-rise fire broke out in the 24-storey Grenfell Tower block of flats in North Kensington, West London, at 00:54 BST, due to an electrical fault in a refrigerator. 74 people died, 70+ people were injured and 223 escaped. The fire escalated to the external cladding of the building. Mutual aid was in place over a period of time. There was a multi-agency response.

NHS Impacts
- More than 100 London Ambulance Service crews were on site.
- At least 20 ambulances present.
- The London hazardous area response team took part in the response.
- Casualties were taken to 5 different hospitals.
- Mental and physical trauma for responding NHS colleagues.
- Additional pressures on surrounding NHS trusts, e.g. Kings College Hospital, Chelsea and Westminster, Royal Free, Guys and St Thomas’, St Marys and Charing Cross, in conjunction with undertaking BAU activities.
- Building inspections around cladding for NHS buildings across the country.

Activity 6: Business Continuity Strategy Options Discussion
- What strategies might be needed for maintaining core skills and knowledge?
- What elements should your premises strategy consider to reduce the impact of the unavailability of one or more worksites?
- What technology strategies for business continuity could your organisation adopt in the event of a disruption to the main area of your building following a fire, with a recovery time objective of three months?

Business Continuity Response Plans

Organisations may have numerous plans. These may include:
- Strategic organisational incident response plan
- Department/service response plans
- Building or site response plans
- Technical response plans for IT or clinical systems

Business Continuity Response Plan Content
- Document control
- Purpose and scope
- Document owner and reviewer
- Roles and responsibilities
- Plan activation
- Contact details
- Incident management structure and plan
- Action cards
- Appendices
- Training and Exercising

Business Continuity Response Plan Content

The plan should:
- set out the prioritised activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed
- detail the resources available at different points in time to deliver the prioritised activities
- outline the process for mobilising the necessary resources
- include the actions and tasks needed to ensure the continuity and recovery of prioritised activities
- be stored in a place that is easily accessible, e.g. on a shared drive or as hard copies

Elements of Business Continuity Management
- Operational planning and control
- Business impact analysis and risk assessment
- Business Continuity Strategy
- Establish and implement BC procedures
- Exercising and Testing

Exercising and Testing
- Exercises provide an opportunity to test plans, in order to assess how our plans would stand up in a disruption
- Ensures that plans are fit for purpose
- Identify gaps and learning actions
- Continuous updating of core information, i.e. contact lists

Types of Business Continuity Exercises

It is important for those who are responsible for business continuity to determine which type of business continuity exercise is appropriate based on the desired outcomes, because exercises vary in the level of effort and resources required. There are five main types of exercise:

Discussion based exercise – These exercises are considered to be the most cost effective and the least time consuming of the exercise types. They are commonly structured events where participants can explore relevant issues and walk through plans in an unpressurised environment. This type of exercise can focus on a specific area for improvement that has been identified, with the aim being to find a possible solution.

Table top exercise – These are commonly used where the discussion is based on a relevant scenario with a timeline, which may run in ‘real time’ or may include ‘time jumps’ to allow different phases of the scenario to be exercised. Participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds.

Command post exercise – These typically involve management teams at a strategic, tactical or operational level. Participants can be located across the whole organization (and could potentially involve willing interested parties), all working from their usual day-to-day locations. In these exercises, participants are given information in a way that simulates a real incident. Participants can be invited to respond as they would for real; they are expected to deal with the situations that they encounter, linking in to others as necessary.

Live exercise – These exercises can range from a small-scale rehearsal of one component of the response, for example evacuation, through to a full-scale rehearsal of the whole organization and potentially participating interested parties. Live exercises are designed to include everyone likely to be involved in that part of the response.

Test – A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. It is usually applied to equipment, recovery procedures or technology, not to individuals.

Why undertake a Business Continuity Exercise?

Exercises are undertaken with three main purposes:
- Validation – to validate and identify improvement opportunities in existing arrangements
- Training – to develop staff competencies and confidence by giving them practice in carrying out their roles in an incident
- Testing – to test existing procedures, plans and systems to ensure they function correctly and offer the degree of protection expected

Business Continuity Off The Shelf Exercise

The UK Health Security Agency has developed a business continuity off the shelf exercise. It uses three short scenarios to facilitate the review of local business continuity preparedness plans and enhance organisational resilience in case of disruption to the organisation’s core functions. To request an off the shelf exercise, email [email protected]

Embedding Your Business Continuity Plan

To embed business continuity within your organisation you must ensure that business continuity plans are:
- Communicated to staff, with the staff having the appropriate experience and skills to deliver their roles.
- Bought into and owned by the senior management team.
- Continually exercised.
- Version controlled, so the correct plan is being followed.

Reviewing Business Continuity

Plans should be reviewed and updated when:
- Changes to key staff or partners take place
- The organisation is restructured
- A prioritised activity is delivered differently
- There is a change to the external environment, e.g. a statutory change or an NHS England requirement
- Following lessons identified from an incident or exercise
- As a result of a debrief
- At agreed periodic intervals

Maintaining Business Continuity

A clearly defined and documented maintenance programme for business continuity management should be established. This programme should:
- ensure that there is an ongoing programme for business continuity training and awareness
- ensure that any changes that impact on business continuity are reviewed
- identify any new products and services, and their dependent activities, that need to be included in the business continuity management system
- ensure that the business continuity plans remain effective, fit for purpose and up to date
- enable existing exercise schedules to be modified when there has been a significant change in any of the business continuity processes

Record Keeping

When responding you need to keep records, but why is record keeping so important?

Record Keeping

Why is record keeping so important?
- Details of casualties or near misses that occur
- Legal follow up
- Documents decisions made
- Documents decisions not made, and why
- Undertake record keeping training

Questions

Next Steps……

Business Continuity Planning (BCP) - Best Practices and Challenges June 24, 2020

About the Speaker – Dhiraj Lal
- Over 32 years in the industry.
- Ex BCM Sponsor and Head of American Express.
- Mix of experience as Practitioner, Trainer, and Consultant.
- BCI Approved Instructor.
- Over 15 years in BCM and related domains.
- Contributing Author to: The Encyclopaedia of Business Continuity, 3rd Edition
- Author of: Step by Step guide AE/SCNS/NCEMA 7000:2015. Implement BCM the UAE Way!

Dhiraj Lal, EXECUTIVE DIRECTOR, CONTINUITY & RESILIENCE (CORE)
MBCI, CBCP, CBCI, ISO 22301 Technical Expert, CISA, ITIL, ISO 31000, ISO 27001 Lead Auditor

A Chemical Engineer from IIT Delhi with an MBA from IIM Calcutta, Dhiraj Lal has over 20 years of BCM experience and 32 years overall. He has worked with Citibank, Standard Chartered, Agilent and American Express, where he was the Program Sponsor and BCM Head. He is Asia’s first BSI-appointed Technical Expert for BS25999/ISO 22301, and assessed 2 of the top 10 certified organizations globally. He teaches and consults in BCM (NCEMA 7000/ISO 22301) and related domains. He has been invited to present at the BCI Annual conference in the UK, DRI US, BCMI Singapore, itSMF UK, DRI Asia in Malaysia, ISACA UAE, KSA and India, and also various Middle East Crisis, BCM and IT Resilience Summits in Abu Dhabi, Dubai, KSA and India.

About Continuity & Resilience

ISO 22301 Certified Management Consulting Firm:
- Business Continuity Management
- Crisis Management
- IT Disaster Recovery
- Information Security
- Cyber Security
- Risk Management

We Consult / Train / Assess and Certify in these domains. We also provide:
- Advisory services
- Automation tools – BCM / ITDR / Mass Communication
- Workplace recovery
- E-Learning

Agenda
- Business Continuity Planning
- Business Continuity Implementation Roadmap
- BCP in times of COVID-19
- Challenges and Best Practices

Business Continuity Planning

“Planning to continue the Business”
- Not a new concept. A fancy name for common sense.
- In reality, we have been performing Business Continuity Planning for centuries.
- But still, many organizations struggled to restart operations during COVID-19.
- So we need more than just common sense. We need a structured and formal implementation of common sense.

What we do not fully do in BAU common sense
- Agree timelines, worst case and best case (MTPD and RTO)
- Base it fully on facts and data (consequences of downtime)
- Consultative process involving all interested parties
- Comprehensive, documented and signed off
- Communicate to all who need to know, including relevant third parties and service providers
- Practice, test & exercise. Review. Maintain & continually improve.

Amazingly, this works…!!

Challenges for cyber professionals
- An uneven battle against an unknown enemy who has nothing better to do
- You have other matters to focus on, but they have a single point agenda – to damage
- You constantly focus on getting better and better – but so do they
- By the sheer law of averages, once in a while they will succeed
- At those times, your best bet is to be able to restart fast and with minimum loss. So you need the world’s best Business Continuity readiness.
- Have you formally put in place the 6 Rs (Reduce, Respond, Recover, Resume, Restore, Return)? When did you last practice them?

Challenges for cyber professionals (news clipping: Economic Times, June 24 2020)

Some reasons for Outages (Global data) (chart)

Business Continuity is a wise investment
- Minimize business disruptions and quickly recover
- Retain business model and increase market share and profits
- Protect the organization’s value and reputation
- Corporate governance and shareholder commitment
- National requirements
- Contractual commitments, legal and regulatory compliance
- Moral and social responsibilities
- Demonstrate “best practice”
- Reduce insurance liabilities

Lack of BCP is a self goal.

Typical steps – Business Continuity Implementation Roadmap (diagram)

International BCM Standard – ISO 22301
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
- Clause 4: Context of the organisation
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement

Please implement a BCMS – not just BCM

“Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity” – ISO 22301

Ensure continual improvement via the PDCA cycle.

BCP in times of COVID-19

COVID-19 is different from a typical Business Continuity situation:
- Much longer duration
- No clarity on final resolution
- Triggered not by damage to resources
- Entire ecosystem is impacted

SOME POSITIVES
- Realization by all
- Even the PM asked entities to implement Business Continuity
- Tolerance – “It’s Ok”
- Permanent mindset changes

Suggestions for professionals
- Don’t stop now – complete the journey
- Protect yourself against other new threats – implement the full BCM cycle
- Use this opportunity to create permanent BCM readiness and awareness across all segments
- Get your people ISO22301 trained and your organization ISO22301 compliant – or even ISO22301 certified

Best Practices
- Implement the full BCM lifecycle
- Choose the right people
- Provide effective training in advance of the implementation

Build culture across all Interested Parties (diagram)

External interested parties shown: Customers, Citizens, Distributors, Shareholders, Investors, Owners, Insurers, Government, Regulators, Recovery Services, Suppliers, Competitors, Media, Commentators, Trade Groups, Neighbours, Pressure Groups, Emergency Services, Transport Services, Other Response Agencies, Dependents of staff.

Within THE ORGANIZATION: Top Management; Those who establish policies and objectives for the BCMS; Those who set up & manage BC; Those who maintain BC Procedures; Owners of business continuity procedures; Incident Response Personnel; Those with authority to invoke; Appropriate spokespeople; Response Teams; Other Staff; Contractors.

Build Culture via Training and Awareness

Group / Audience                        | Training
----------------------------------------|-----------------------------------------------------------
Top Management                          | Awareness, Crisis Management, Crisis Communication
Core BCM Team                           | CBCI / Lead Implementer, Lead Auditor
Core BCM Team                           | Specialised courses (BIA, RA, Plan Writing, Testing etc.)
Department Coordinator / BC Champions   | Implementer, Internal Auditor
Audit Team                              | Internal Auditor, Lead Auditor
All Employees                           | Awareness

Build Culture via tests and exercises (graph, not to scale; series shown: Cost, Complexity, Risk, Assurance, Frequency)

Ensure Review, Maintenance and Improvement
- Maintenance
- Advanced Testing and Exercising
- Ongoing Awareness and Training
- Internal Audit and Self Assessment
- Management review
- Supplier Review
- Corrections and Corrective actions
- Benchmarking
- Continual Improvement
- Instilling a BCM mindset

Way Forward => Organizational Resilience

The ability of an organisation to absorb and adapt in a changing environment (BCI GPG 2018 / ISO 22316:2017).

Questions?

LET’S KEEP IN TOUCH!!
Dhiraj Lal, Executive Director
+91 99101 10240
[email protected]
Thank You!

Phases of Business Continuity Planning – Business Impact Analysis (BIA)

Phases of Business Continuity Planning

BC Planning typically includes five phases:
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment process

1- BCP Governance

To establish control, the governance structure is often in the form of a steering committee and a set of appropriate committees, working groups and teams to develop and execute the plan(s)/documents.
- Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
- The number and scope of the teams will vary depending on the organization's size, function and structure.

- It may be necessary to have multitasking teams and to provide cross-team training.
- The teams' data shall be documented in the plans/documents.
- Consider decentralization as a way to provide better resiliency.

Examples:
- An alternate site coordination team
- Contracting and procurement team
- Damage assessment team
- Crisis Management team
- Finance and accounting team
- Hazardous materials team
- Insurance team
- Legal issues team
- Telecommunications / alternate communications team
- Equipment team
- Public and media relations team
- Transport coordination team
- Records management team

The duties and responsibilities for each team must be defined, including identifying:
- The team leader
- The team members
- The specific team tasks
- Members' authority and responsibilities
- Possible alternate members
- Creation of a contact list

Business Continuity Planning
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment

2- Business Impact Analysis (BIA)

Process of analyzing the activities and the effect that a business disruption might have upon them (Source: ISO 22301:2019).

BIA is all about data analysis to identify:
- The organization's mandate and critical services or products
- The priority of services or products for continuous delivery or rapid recovery
- The possible internal and external threats, and
- The impact of the threats

Information on the organization's mandate and critical services or products can be obtained from:
- The mission statement of the organization
- Legal requirements for delivering specific services and products
- Contracts and other obligations

Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery.

Identify impacts of disruptions to determine:
- How long the organization could function without the service/product provision, and
- How long clients would accept its services or products being unavailable.


BIA related activities
Supply chain analysis
Assessment of the most critical business components
IT continuity analysis
Identify areas of potential revenue loss
Identify any additional expenses
Identify intangible losses
Identify insurance requirements
Identify dependencies
Analyze current recovery capabilities 87

1- Supply Chain Analysis 88

Conduct a supply chain impact analysis to identify and evaluate each link in terms of business impact, so as to find the high-impact link(s).
The evaluation metrics may include the following:
Revenue impact
Reputation impact
Operational impact
Production impact
Delivery impact
Research and development impact
Delay impact
Staffing impact
Find out whether these members of the supply chain have BC/DR plans, and whether you can review them or share yours with them. 89

2- Assessment of the most critical business components
To create a complete business continuity plan, you need to assess the impact of interruption on four components:
People (key persons, key competencies)
Physical property (equipment, storage, alternate facilities, ...)
Systems (hardware, software, email, phone systems, communication stations, ...)
Data (critical to run your business)
Data and systems together are the IT systems (covered by IT continuity). 90

3- Conduct IT Continuity Analysis
Decide which of the organization's IT functions / assets are essential for business continuity.
Decide how to manage the technology systems in the event of a major disruption.
Review the existence and suitability of IS policies / procedures / IT continuity plans.
Review computer data backups, cabling, IT service providers' capabilities, ... 91

4- Identify Areas of Potential Revenue Loss
Determine which of the processes and functions that support service or product delivery are involved in the creation of revenue.
If these processes and functions are not performed, is revenue lost? How much, and for what length of time?
If clients cannot access certain services or products, would they need to go to another provider, resulting in further loss of revenue? 92

5- Identify additional expenses
If a business function or process is inoperable:
How long would it take before additional expenses would start to add up?
How long could the function be unavailable before extra personnel would have to be hired?
Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties? 93
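The revenue-loss and additional-expense questions of slides 92 and 93 can be answered with an hour-by-hour impact model. The following is an added worked example, not part of the original slides: every function name, amount, grace period and penalty in it is a constructed assumption, as is the loss tolerance used to derive the longest outage each function can stand. It adds up lost revenue, extra expenses that start after a grace period, and one-off losses (SLA credits, regulatory penalties, clients leaving) that are triggered once an outage reaches a given length, then ranks the functions by how soon they breach the tolerance.

```python
"""Worked BIA example: outage cost over time and the longest tolerable outage.

Added illustration, not from the original slides.  All figures, function
names and the tolerance are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FunctionProfile:
    """Impact profile of one business function (constructed figures)."""
    name: str
    revenue_per_hour: float          # revenue not earned for every hour of outage
    expense_grace_hours: int         # hours before additional expenses begin
    extra_expense_per_hour: float    # extra cost per hour once the grace period is over
    # (hours of outage, one-off amount, description): applied once the outage
    # has lasted at least that many hours (penalties, fines, clients leaving)
    one_off_losses: list[tuple[int, float, str]] = field(default_factory=list)


def cumulative_impact(profile: FunctionProfile, hours: int) -> float:
    """Total financial impact of an outage lasting `hours` hours."""
    lost_revenue = profile.revenue_per_hour * hours
    extra_expense = profile.extra_expense_per_hour * max(0, hours - profile.expense_grace_hours)
    one_offs = sum(amount for at, amount, _ in profile.one_off_losses if hours >= at)
    return lost_revenue + extra_expense + one_offs


def max_tolerable_outage(profile: FunctionProfile, tolerance: float, horizon_hours: int) -> int:
    """Longest outage in whole hours whose cumulative impact stays within
    `tolerance`.  Every term is non-negative, so impact only grows with time
    and the first hour that breaches the tolerance ends the search.  Returns
    `horizon_hours` when the tolerance is never breached inside the horizon."""
    longest = 0
    for h in range(horizon_hours + 1):
        if cumulative_impact(profile, h) > tolerance:
            break
        longest = h
    return longest


def prioritize(profiles: list[FunctionProfile], tolerance: float,
               horizon_hours: int) -> list[tuple[str, int]]:
    """Recovery priority: the function that breaches the tolerance soonest
    comes first; ties are broken by the higher hourly revenue loss."""
    scored = [(p.name, max_tolerable_outage(p, tolerance, horizon_hours), p.revenue_per_hour)
              for p in profiles]
    scored.sort(key=lambda t: (t[1], -t[2]))
    return [(name, mto) for name, mto, _ in scored]


# Constructed sample profiles for a hypothetical organization (currency units arbitrary).
ORDER_PROCESSING = FunctionProfile(
    "Online order processing", revenue_per_hour=5_000, expense_grace_hours=4,
    extra_expense_per_hour=800,
    one_off_losses=[(24, 50_000, "SLA credit owed to a key account"),
                    (48, 120_000, "Clients move to another provider")])
PAYROLL = FunctionProfile(
    "Payroll run", revenue_per_hour=0, expense_grace_hours=48, extra_expense_per_hour=1_500,
    one_off_losses=[(72, 25_000, "Late-payment penalty under labour regulation")])
INTERNAL_WIKI = FunctionProfile(
    "Internal wiki", revenue_per_hour=0, expense_grace_hours=72, extra_expense_per_hour=200)

TOLERANCE = 100_000   # assumed loss the organization is willing to absorb per incident
HORIZON = 168         # analyse up to one week of outage


if __name__ == "__main__":
    for name, mto in prioritize([INTERNAL_WIKI, PAYROLL, ORDER_PROCESSING], TOLERANCE, HORIZON):
        print(f"{name:26s} longest tolerable outage: {mto:4d} h")
    for h in (4, 12, 24, 48):
        print(f"order processing down {h:3d} h -> cumulative impact "
              f"{cumulative_impact(ORDER_PROCESSING, h):,.0f}")
```

With the constructed figures, order processing breaches the tolerance after 17 hours, payroll after 98 hours, and the wiki never does within the week, which is the ordering the recovery plan should follow; changing the one-off losses shows how a single contractual penalty can move a function up the list even when its hourly revenue is small.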

6- Identify intangible losses
Estimates are required to determine the approximate cost of:
Loss of consumer / investor confidence
Damage to reputation
Loss of competitiveness
Reduced market share
Violation of laws and regulations
Business relationships with vendors 94

Increased insurance cost
Loss of employees
Loss of financial support and cash flow
Loss of community support
Cost of equipment and facilities used during recovery
Replacement, restoration and recovery costs not adjusted for inflation
Increased cost when operations resume 95

7- Identify insurance requirements
What needs insurance
The existing insurance
The level of coverage
What aspects may be over- or under-insured
Is there a policy / document in place related to insurance? 96

8- Identify dependencies
Identify the internal and external dependencies of critical services or products, and identify the expected impacts of a disruption to those dependencies.
Internal dependencies include:
Employees (availability, competencies)
Corporate assets such as equipment, facilities, computer applications, data, tools, vehicles
Support services such as finance, human resources, security, and IT support 97

External dependencies include:
Suppliers
Any external corporate assets such as equipment, facilities, computer applications, data, tools, and vehicles
Any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, health and safety services 98

9- Analyze Current Recovery Capabilities
Analyze the recovery capabilities the organization already has in place and their continued applicability.
Try to answer the following questions:
Can employees work from home or another location?
Do I need a pre-determined alternate facility?
Do I have enough spare parts / IT equipment?
Do critical vendors and suppliers have their own business continuity plans / documents? 99

Business Continuity Planning
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment 100

3. Documents, Controls, Measures, and Arrangements for BC
This step consists of the preparation of the management system documentation, including:
Detailed response plans / recovery plans
Policies / objectives
Arrangements
Consider the critical vendors' and suppliers' business continuity plans.
Focus on three categories of protection / safety to help survive a disaster:
Human resources
Physical resources
Business operations 101

1- Human Resources
Consider the possible impact a disaster may have on your employees' ability to return to work.
Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work)
Consider how your customers can reach you or receive your goods / services.
Create evacuation plans: develop and post evacuation routes / assembly locations.
Create a phone tree / consider having an employee emergency number. 102

2- Physical Resources
Building (maintenance, fire system, ...)
Interior and exterior components (equipment, hardware / software)
Materials / spare parts
Alternate facilities (three types):
1- Cold site (the least expensive option)
2- Warm site (more expensive than cold sites)
3- Hot site (the most expensive option) 103

3- Business Operations / Processes
Critical inputs: things needed to do your job
Critical outputs: things you produce that others want or need to do their job
Outsourced processes 104

Examples of resiliency plans / documents and arrangements:
An alternate telecommunication provider
Emergency backup generator in case of a power outage
Agreements with a fuel provider
Alternate work site and equipment
Annual meeting with critical vendors to discuss their recovery operations and locations
Develop relationships with contractors / vendors
Create manual processes to be used in case computers are unavailable
Mitigating the different threats 105

The response preparation procedures answer:
"What to do before a disruption occurs?" (proactive activities)
"What to do when a disruption occurs?" (response, recovery, continuity)
"What to do after a disruption occurs?" (lessons learned / change management) 106


Business Continuity Planning
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment 108

4- Readiness Activities
Awareness
Individual and team task training
Procedures exercises / testing
Post-exercise evaluation 109

Goals of procedures exercises / testing
Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
Ensure the understanding and workability of documented recovery procedures.
Adapt and update existing plans to encompass new requirements.
Train team leaders and members in the procedures for executing the continuity plan.
Obtain information about recovery strategy implementation.
Verify that recovery strategies are viable.
Demonstrate that the output performance of the backup systems and networks is consistent with the production systems and networks. 110

Business Continuity Planning
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment 111

5- Assessment
How to assess the plan's accuracy and effectiveness
How to conduct the internal or external audit (BC readiness audit)
Identify needed improvements 112

How to Perform a BC Readiness Audit
Check for the existence of the following documents / information:
Emergency procedures
Evacuation plan
Fire protection plan
Environmental policies
Safety and health program
Security procedures
Finance / purchasing procedures
Facility closing policy
Process safety assessment
Risk management plan
Records and information management 113

Mutual aid agreements
Hot / cold site agreements
Capital improvement program
Hazardous materials / waste disposal
Alternative or manual procedures
Disaster recovery plans for information resources 114

Based on the review, ask the following questions:
How would your organization resume operations after loss of access to your facility, loss of access to your information resources (IR), or loss of key personnel?
Have any audit findings been reported by internal or external auditors?
Would most individuals know how to report or respond to an event?
If policies relating to recovery efforts are in place, who knows about them?
Do people know whether they have recovery responsibilities?
Are program managers aware of their owner and user security responsibilities? 115

Has testing been done to see how people would react during a recovery effort in the following areas:
Senior management
Management information systems / security
Information technology
Risk management
Internal departments
Auditing
Vendors
Telecommunications 116

12. Check to see whether:
Computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
Alternate work locations are available;
Items required to be off-site are really there;
Security measures are being followed;
Emergency equipment (generally UPS, batteries, etc.) is working correctly;
Emergency lighting is in good working order and in the correct places. 117

8.2.3 Risk Assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
NOTE This process could be carried out in accordance with ISO 31000. 118

The organization shall:
a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them;
b) systematically analyse risk;
c) evaluate which disruption-related risks require treatment; and
d) identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite. 119


Risk Criteria
Reference against which the significance of a risk is evaluated to determine the level of risk.
Risk criteria can be derived from:
Standards
Laws
Policies
Any other requirements (interested parties)
Risk criteria are based on organizational objectives and context.
Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood. 121

The risk criteria include:
Risk evaluation criteria
Risk impact criteria
Risk acceptance criteria 122

Qualitative risk matrix (likelihood x consequences) 123
Likelihood \ Consequences | Slightly | Moderate | High
Low | Unimportant risk | Acceptable risk | Uncontrolled risk
Medium | Acceptable risk | Uncontrolled risk | Important risk
High | Uncontrolled risk | Important risk | Unacceptable risk

Risk Matrix Control Plan 124
Risk level | Action and timescale
Unimportant | No action is required and no documented records need to be kept.
Acceptable risk | No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
Uncontrolled risk | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
Important risk | Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
Unacceptable risk | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.

Risk matrix (probability x consequence) 125
Probability \ Consequence |  1 |  2 |  3 |  4 |  5
5 |  5 | 10 | 15 | 20 | 25
4 |  4 |  8 | 12 | 16 | 20
3 |  3 |  6 |  9 | 12 | 15
2 |  2 |  4 |  6 |  8 | 10
1 |  1 |  2 |  3 |  4 |  5
Legend
≥20: E: Extreme risk - immediate action required
>10 & <20: H: High risk - urgent management attention needed
>5 & ≤10: M: Medium risk - management attention as soon as possible
<5: L: Low risk - periodical evaluation

Impact / Consequences 126
Rank | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
5 Very High | >1M | Negative impact on strategic directions execution | Contract termination | Closure | Fatality / catastrophe / fatal occupational illness | Permanent damage | Permanent loss of the service
4 High | 250K to 1M | Negative impact on execution of 2 objectives | Major product / service recall | Non-renewal of one of the legal documents | Partial / complete incapacity | Long-term damage | Long-term non-availability of the service
3 Moderate | 50K to 250K | Negative impact on execution of 1 objective | Minor product / service recall | Formal violations | Lost working days / work-related illness | Limited damage / kills fauna or flora / concerns global issues | Temporary non-availability of the service
2 Low | 1K to 50K | Slight negative impact on one of the objectives | Complaint from customer | Notice / warning | Medical treatment case / restricted work case / work-related illness | Aspect causes slight impact on fauna or flora | Slight impact on the service
1 Very Low | <1K | No impact on the objectives | Verbal communication from customer | Verbal communication from regulatory parties | First aid / near miss / health complaint | Aspect that can be treated simply / causes nuisance | Negligible impact; easy to recover from the loss

Impact criteria by category 127
Impact | Reputation | Financial (corporate) | Financial (site) | Legal | Customer
Very High | Regional media coverage over multiple days, or global media coverage | More than $100M | More than $10M | Closure notice | Ending the contract
High | National media coverage over multiple days, or single regional media coverage | $10M - $100M | $1M - $10M | No renewal of operating permit | Major product recall
Moderate | Local media coverage over multiple days, or single national media coverage | $1M - $10M | $100K - $1M | Violation notice with payment | Partial product recall
Low | Single local media coverage | $100K - $1M | $10K - $100K | Violation notice with explanation | Product price concession
Very Low | Only internal communications | Less than $100K | Less than $10K | Verbal communication from a regulatory body | One complaint from customer
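The qualitative matrix and control plan (slides 123 and 124) and the numeric matrix with its legend and impact criteria (slides 125 and 126) can be applied to a risk register mechanically. The code below is an added example and is not part of the original slides. Its assumptions are labelled in the comments: the financial bands include their lower bound (so exactly 1M ranks 4, since the slide says ">1M" for rank 5); the other impact columns are entered as ranks the assessor reads off slide 126; a risk's consequence rank is the worst rank reached on any column; and a score of exactly 5 (1x5 or 5x1), which the slide's legend leaves between "<5 L" and ">5 M", is rounded up to Medium. The register entries are constructed for a hypothetical organization.

```python
"""Risk register scoring with the slides' matrices.  Added example, not from
the original slides; the register and the boundary choices are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def financial_rank(loss: float) -> int:
    """Rank 1..5 from the 'Financial loss' column of the impact criteria.
    Assumption: each band includes its lower bound; '>1M' is strictly above."""
    if loss < 1_000:
        return 1
    if loss < 50_000:
        return 2
    if loss < 250_000:
        return 3
    if loss <= 1_000_000:
        return 4
    return 5


def consequence_rank(financial_loss: float, other_ranks: dict[str, int]) -> int:
    """Worst rank across the financial column and the assessor's ranks for the
    other columns (assumption: the most severe dimension governs)."""
    ranks = [financial_rank(financial_loss), *other_ranks.values()]
    if any(r < 1 or r > 5 for r in ranks):
        raise ValueError("ranks must be within 1..5")
    return max(ranks)


def risk_score(probability: int, consequence: int) -> int:
    """Cell of the 5x5 matrix: probability x consequence."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence must be within 1..5")
    return probability * consequence


LEGEND = {"E": "Extreme risk - immediate action required",
          "H": "High risk - urgent management attention needed",
          "M": "Medium risk - management attention as soon as possible",
          "L": "Low risk - periodical evaluation"}


def legend_code(score: int) -> str:
    """Legend: >=20 E, >10 & <20 H, >5 & <=10 M, <5 L.  A score of exactly 5
    is not covered by the slide; assumption: round it up to M."""
    if score >= 20:
        return "E"
    if score > 10:
        return "H"
    if score >= 5:
        return "M"
    return "L"


# Qualitative 3x3 matrix from slide 123: (likelihood, consequence) -> level.
QUALITATIVE_MATRIX = {
    ("Low", "Slightly"): "Unimportant risk", ("Low", "Moderate"): "Acceptable risk",
    ("Low", "High"): "Uncontrolled risk", ("Medium", "Slightly"): "Acceptable risk",
    ("Medium", "Moderate"): "Uncontrolled risk", ("Medium", "High"): "Important risk",
    ("High", "Slightly"): "Uncontrolled risk", ("High", "Moderate"): "Important risk",
    ("High", "High"): "Unacceptable risk"}

# Action and timescale per level, condensed from the control plan on slide 124.
CONTROL_PLAN = {
    "Unimportant risk": "No action required; no documented records needed.",
    "Acceptable risk": "No additional controls; monitor that existing controls are maintained.",
    "Uncontrolled risk": "Reduce the risk within a defined time period; weigh the cost of prevention.",
    "Important risk": "Do not start work until the risk is reduced; urgent action if work is in progress.",
    "Unacceptable risk": "Do not start or continue work until the risk is reduced."}


def qualitative_level(likelihood: str, consequence: str) -> str:
    return QUALITATIVE_MATRIX[(likelihood, consequence)]


def control_action(level: str) -> str:
    return CONTROL_PLAN[level]


@dataclass
class Risk:
    name: str
    probability: int                 # 1..5
    financial_loss: float            # estimated loss if the risk materializes
    other_ranks: dict[str, int] = field(default_factory=dict)  # column -> rank 1..5


def assess(risk: Risk) -> dict:
    consequence = consequence_rank(risk.financial_loss, risk.other_ranks)
    score = risk_score(risk.probability, consequence)
    code = legend_code(score)
    return {"name": risk.name, "consequence": consequence, "score": score,
            "code": code, "legend": LEGEND[code]}


def rank_register(risks: list[Risk]) -> list[dict]:
    """Assessed register, highest score first (stable for equal scores)."""
    return sorted((assess(r) for r in risks), key=lambda a: -a["score"])


# Constructed register for a hypothetical organization (amounts in arbitrary units).
REGISTER = [
    Risk("Ransomware on order-processing servers", 3, 600_000, {"InfSec.": 4, "Customer": 4, "Legal": 3}),
    Risk("Regional power outage longer than 8 hours", 2, 120_000, {"OHS": 2}),
    Risk("Loss of sole packaging supplier", 2, 2_000_000, {"Customer": 3}),
    Risk("Flooding of the main office", 1, 1_500_000),
    Risk("Internal wiki outage", 4, 500),
]

if __name__ == "__main__":
    for a in rank_register(REGISTER):
        print(f"{a['score']:2d} {a['code']} {a['name']:45s} {a['legend']}")
    print(control_action(qualitative_level("Medium", "Moderate")))
```

Running it ranks the constructed register ransomware (12, H), supplier loss (10, M), power outage (6, M), flooding (5, M by the rounding assumption) and wiki outage (4, L). The flooding entry is the reason for writing the boundary handling down: a very unlikely but very severe event lands exactly on the gap in the legend, and a register that silently dropped it to Low would lose the one risk that most needs a documented decision.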