BCM Institute MTE Dr Goh Moh Heng - SS540 Safeguard

“SS540 Safeguards”
BCM Institute,
Meet-The-Experts, Singapore
21st January 2009

worldcontinuitycongress.com| bcm-institute.org

BCM STEERING COMMITTEE
Clause 8.4.1
This Committee shall consist of:
• Minimum of one member from the organisation’s executive
Management;
• Heads of the various units; and
• Organisation BCM coordinator.


PROCESS APPROACH
Figure 1 – PDCA Methodology
Requirements
Managed
and
business
PLAN
expectations
continuity
Establish the BCM
of
of the
business
organisation
continuity
ACT DO
by
Maintain and continual Implement and operate
stakeholders
improvement of the BCM
the BCM
and
interested
parties
CHECK
Monitor and check
the BCM

3


PROCESS APPROACH
Figure 2 – The BCM framework
BCM Components

Policies Processes People Infrastructure

Risk Analysis
and Review

Business Impact
Analysis

Strategy
BCM
Areas
BC Plan

Tests and
Exercises
Program
Management

4


RISK ANALYSIS AND REVIEW
RA can be conducted concurrently with BIA

1. Deliberate and select appropriate cost-effective risk treatments
Risk Treatment (5.2.3) Avoidance, Reduction, Transfer,
Acceptance

Risk Treatment
Recommended Recommended
Risk Zone
Treatment Review Timeline
High Avoidance / Reduction Quarterly
Med Reduction / Transfer Half-yearly

Low Acceptance Yearly


2. Select a probable disaster from the list of potential disaster for
subsequent BCM development efforts (5.2.4)

Identify immediate threat(s) faced by company
Think outside the box
• What can stop your employees from showing up?
• What can prevent your customers from buying your company’s products or
services
• What can prevent your on-time delivery? Your suppliers? Transportation?
• What can damage or impact the quality of your products or services?
• What happens if you and your employees are denied access to your
company’s premise?


3. Consistent risk analysis approach (5.2.5)
Corporate, Finance, Operations & Facilities, ISO 9001 etc

Probability
1 2 3 4 5
Unlikely Low likelihood Likely High likelihood Inevitable
1 in 100 years 1 in 10 years 1 per year 1 per 6 months 1 per month

Impact
1 2 3 4 5
Negligible Low Moderate Significant Catastrophic
Business disruption:
Business disruption: Business disruption: Business disruption: Business disruption:
> 8 hours to 1
1 to 2 hours > 2 to 4 hours > 4 to 8 hours > 1 to 3 days
day

Risk = Probability x Impact


BUSINESS IMPACT ANALYSIS
1. Minimum Business Continuity Objective (MBCO)
- Executive management to set organisation's MBCO (6.2.1)
- Each business unit shall identify the minimum level of services
and/or products that must be provided to support the
organisation’s MBCO
(6.3.1.2)


2. Critical business functions recovery time requirements (6.3.3)
- Recovery time objective (RTO)
The period of time within which systems, applications, or
functions must be recovered after a disruption has occurred.

- Recovery point objective (RPO)
The point in time at which systems and data must be recovered
after a disruption has occurred.


3. Prioritising critical business functions (6.3.4)
Also refer to Priority for analysing impact (6.2.5)

Sample
Category A – business units which have an impact on life safety
and health

Category B – business units which have no impact on life safety
and health but have RTOs less than or equal to 1 day

Category C – business units which have no impact on life safety
and heath and have RTOs greater than 1 day


STRATEGY
1. Strategy Formulation (7.2.2)
• Revert to alternate processing capability
• Arrange reciprocal arrangements
• Establish alternate site or business facility
• Arrange for alternate source of supply
• Outsource to external vendor
• Transfer of operation to subsidiary business units
• Rebuild from scratch after disaster
• Do not take any action


STRATEGY
2. Recovery time requirements
- Ensure selected strategy can achieve Recovery Time
Objective (RTO) of CBF.

3. The priority for allocation of resources for recovery
strategies shall be in
accordance to the prioritization of CBFs established
during BIA.


BC PLAN
1.Complement and gap all existing plans
- Crisis communications
- Emergency response
- Utility breakdown
- IT DR

BC Plan shall be reviewed in its entirely at least once a year
(10.2.5)
Saving and preservation of human lives shall overrule all other
considerations. (8.2.5)


BC PLAN
2. Disaster declaration officer (8.4.5)
- list of assessment criteria of incident versus disaster

Damage assessment team (DAT) (8.4.8)
The team shall produce within a stipulated time a report that
contains
disrupted operations, downtime estimates, and recommendation
for the
next course of action.

Also refer to Initial damage assessment (8.3.2)
- recommendation of disaster declaration.


BC PLAN
Criteria for activation (8.2.3)
Denied access or potential denied access of more than x hours
of Business Units’ primary operating sites.

The incidents under the consequence of denied of access of
primary operating site as a result of a disaster include, but are
not limited to, fire, bomb threat, explosion, anthrax threat, and
among others.


BC PLAN
3. Pre-incident preparation (8.3.1)
There shall be formal processes to ensure that pre-incident
measures are carried out to address each identified and its
impact on CBFs. These measures shall include the following
generic responses to identified risks:

• Risk avoidance;
• Risk reduction;
• Risk transfer; and
• Risk acceptance.


BC PLAN
4. Head of EOC (8.4.4)
- At least one senior staff member
- approved by the executive management
- absolute authority


TESTS AND EXERCISES
1. Level and frequency (9.2.2)
The BC plan shall be tested and exercised on a periodic and
systematic
basis at 2 levels:

a.Discrete level. Each CBF is tested or exercised individually,
independent of other CBFs. This shall be carried out at least
once a year.
b.Integrated level. In addition to the discrete level test, all CBFs
are tested or exercised together to access their
interdependencies and peak usage of resources. This shall be
carried out at least once every two years.


TESTS AND EXERCISES
2. Recommendations and corrective actions (9.3.4)
- Implemented and completed within the agreed time frame
- review and update the progress of outstanding items until
completion
- incorporated as part of the audit plan


PROGRAMME MANAGEMENT
1. Organisation BCM Policy (10.2.1)


2. BCM internal audit (10.2.8)
- Conducted annually
- Encompass external parties

Also refer to Vendor Contracts (10.2.9)
- Incorporate appropriate BCM requirement clause


In addition, selected government or
public agencies will consider the applicant’s
level of preparedness as part of the
procurement process, and companies
with business continuity management (BCM)
in place will be “viewed favorable”.

Source: Pg 9, Today, 8 Nov 08


3. BCM manual (10.2.11)
Also refer to Sample table of contents of a BCM manual (Annex A)

- Document control


4.BCM Culture
- Continuous “buy-in” and support from Senior Management
- part of processes and operational environment
- Invest $$


Contact Us
Singapore (Headquarter)
315 Outram Road #15-04,
Tan Boon Liat Building
Singapore 169074

Course info@bcm-institute.org
Certification certification@bcm-institute.org
Website www.bcm-institute.org
www.worldcontinuitycongress.com


BCM Institute MTE Dr Goh Moh Heng - SS540 Safeguard

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (16)

Mais de BCM Institute

Mais de BCM Institute (20)

Último

Último (20)

BCM Institute MTE Dr Goh Moh Heng - SS540 Safeguard