BCM Institute MTE Series: http://www.worldcontinuitycongress.com/wcc08/mte.html
Find out more about the major challenges in implementing TR19 (the standard prior to the newly launched SS540:2008 Singapore standard), how to implement your BCM programme and how to achieve your SS540 certification.
The launch of SS540 has raised many questions about how far a company must now go to meet the standard's safeguards. In the spirit of networking and dialogue amongst BCM and DRP professionals, BCM Institute continues the bi-monthly Meet-the-Experts sessions by inviting subject matter experts to provoke thought, debate the issues at hand and take questions from the audience. BCM Institute provides the room and coffee; you bring your minds.
This event is organised and brought to you by BCM Institute.
BCM Institute MTE Dr Goh Moh Heng - SS540 Safeguard
1. “SS540 Safeguards”
BCM Institute,
Meet-The-Experts, Singapore
21st January 2009
worldcontinuitycongress.com| bcm-institute.org
2. BCM STEERING COMMITTEE
Clause 8.4.1
This Committee shall consist of:
• Minimum of one member from the organisation’s executive
Management;
• Heads of the various units; and
• Organisation BCM coordinator.
3. PROCESS APPROACH
Figure 1 – PDCA Methodology
[Figure: PDCA cycle. Input: requirements and expectations of business continuity by stakeholders and interested parties. PLAN: Establish the BCM. DO: Implement and operate the BCM. CHECK: Monitor and check the BCM. ACT: Maintain and continual improvement of the BCM. Output: managed business continuity of the organisation.]
4. PROCESS APPROACH
Figure 2 – The BCM framework
[Figure: matrix of BCM Components against BCM Areas.
BCM Components: Policies, Processes, People, Infrastructure.
BCM Areas: Risk Analysis and Review, Business Impact Analysis, Strategy, BC Plan, Tests and Exercises, Program Management.]
5. RISK ANALYSIS AND REVIEW
RA can be conducted concurrently with BIA
1. Deliberate and select appropriate cost-effective risk treatments
Risk Treatment (5.2.3): Avoidance, Reduction, Transfer, Acceptance
Risk Treatment
Risk Zone   Recommended Treatment    Recommended Review Timeline
High        Avoidance / Reduction    Quarterly
Med         Reduction / Transfer     Half-yearly
Low         Acceptance               Yearly
6. RISK ANALYSIS AND REVIEW
2. Select a probable disaster from the list of potential disasters for
subsequent BCM development efforts (5.2.4)
Identify immediate threat(s) faced by company
Think outside the box
• What can stop your employees from showing up?
• What can prevent your customers from buying your company’s products or
services?
• What can prevent your on-time delivery? Your suppliers? Transportation?
• What can damage or impact the quality of your products or services?
• What happens if you and your employees are denied access to your
company’s premises?
7. RISK ANALYSIS AND REVIEW
3. Consistent risk analysis approach (5.2.5)
Corporate, Finance, Operations & Facilities, ISO 9001 etc
Probability
Score   Rating            Frequency
1       Unlikely          1 in 100 years
2       Low likelihood    1 in 10 years
3       Likely            1 per year
4       High likelihood   1 per 6 months
5       Inevitable        1 per month
Impact
Score   Rating            Business disruption
1       Negligible        1 to 2 hours
2       Low               > 2 to 4 hours
3       Moderate          > 4 to 8 hours
4       Significant       > 8 hours to 1 day
5       Catastrophic      > 1 to 3 days
Risk = Probability x Impact
8. BUSINESS IMPACT ANALYSIS
1. Minimum Business Continuity Objective (MBCO)
- Executive management to set organisation's MBCO (6.2.1)
- Each business unit shall identify the minimum level of services
and/or products that must be provided to support the
organisation’s MBCO
(6.3.1.2)
9. BUSINESS IMPACT ANALYSIS
2. Critical business functions recovery time requirements (6.3.3)
- Recovery time objective (RTO)
The period of time within which systems, applications, or
functions must be recovered after a disruption has occurred.
- Recovery point objective (RPO)
The point in time at which systems and data must be recovered
after a disruption has occurred.
10. BUSINESS IMPACT ANALYSIS
3. Prioritising critical business functions (6.3.4)
Also refer to Priority for analysing impact (6.2.5)
Sample
Category A – business units which have an impact on life safety
and health
Category B – business units which have no impact on life safety
and health but have RTOs less than or equal to 1 day
Category C – business units which have no impact on life safety
and health and have RTOs greater than 1 day
11. STRATEGY
1. Strategy Formulation (7.2.2)
• Revert to alternate processing capability
• Arrange reciprocal arrangements
• Establish alternate site or business facility
• Arrange for alternate source of supply
• Outsource to external vendor
• Transfer of operation to subsidiary business units
• Rebuild from scratch after disaster
• Do not take any action
12. STRATEGY
2. Recovery time requirements
- Ensure selected strategy can achieve Recovery Time Objective (RTO) of CBF.
3. The priority for allocation of resources for recovery strategies shall be in
accordance with the prioritisation of CBFs established during BIA.
13. BC PLAN
1. Complement and gap all existing plans
- Crisis communications
- Emergency response
- Utility breakdown
- IT DR
BC Plan shall be reviewed in its entirety at least once a year
(10.2.5)
Saving and preservation of human lives shall overrule all other
considerations. (8.2.5)
14. BC PLAN
2. Disaster declaration officer (8.4.5)
- list of assessment criteria of incident versus disaster
Damage assessment team (DAT) (8.4.8)
The team shall produce within a stipulated time a report that contains
disrupted operations, downtime estimates, and recommendation for the
next course of action.
Also refer to Initial damage assessment (8.3.2)
- recommendation of disaster declaration.
15. BC PLAN
Criteria for activation (8.2.3)
Denied access or potential denied access of more than x hours
of Business Units’ primary operating sites.
Incidents that result in denied access to the primary operating site
as a result of a disaster include, but are not limited to, fire,
bomb threat, explosion and anthrax threat.
16. BC PLAN
3. Pre-incident preparation (8.3.1)
There shall be formal processes to ensure that pre-incident
measures are carried out to address each identified risk and its
impact on CBFs. These measures shall include the following
generic responses to identified risks:
• Risk avoidance;
• Risk reduction;
• Risk transfer; and
• Risk acceptance.
17. BC PLAN
4. Head of EOC (8.4.4)
- At least one senior staff member
- approved by the executive management
- absolute authority
18. TESTS AND EXERCISES
1. Level and frequency (9.2.2)
The BC plan shall be tested and exercised on a periodic and systematic
basis at 2 levels:
a. Discrete level. Each CBF is tested or exercised individually,
independent of other CBFs. This shall be carried out at least
once a year.
b. Integrated level. In addition to the discrete level test, all CBFs
are tested or exercised together to assess their
interdependencies and peak usage of resources. This shall be
carried out at least once every two years.
19. TESTS AND EXERCISES
2. Recommendations and corrective actions (9.3.4)
- Implemented and completed within the agreed time frame
- review and update the progress of outstanding items until
completion
- incorporated as part of the audit plan
22. PROGRAMME MANAGEMENT
In addition, selected government or
public agencies will consider the applicant’s
level of preparedness as part of the
procurement process, and companies
with business continuity management (BCM)
in place will be “viewed favorable”.
Source: Pg 9, Today, 8 Nov 08
23. PROGRAMME MANAGEMENT
3. BCM manual (10.2.11)
Also refer to Sample table of contents of a BCM manual (Annex A)
- Document control
24. PROGRAMME MANAGEMENT
4. BCM Culture
- Continuous “buy-in” and support from Senior Management
- part of processes and operational environment
- Invest $$
25. Contact Us
Singapore (Headquarter)
315 Outram Road #15-04,
Tan Boon Liat Building
Singapore 169074
Course info@bcm-institute.org
Certification certification@bcm-institute.org
Website www.bcm-institute.org
www.worldcontinuitycongress.com