Business Continuity Planning Guide

BUSINESS CONTINUITY PLANNING GUIDE
AGENDA
• Introduction
• Objectives of BCP
• Approaches to BCP
• Dimensions of Scope
• Entry Points
• Q&A
INTRODUCTION
So…you’ve decided to embark on a business continuity planning (BCP) project
…but where do you start?
• Define the objectives
• Determine the dimensions of scope
• Select an appropriate approach
• Proceed from an entry point 
OBJECTIVES (1/2)
Four possible objectives of BCP:
1. Satisfy audit or regulatory requirements
2. Rebuild the infrastructure
3. Resumption of business activities
4. Continuity in customer service
OBJECTIVES (2/2)
Audit or Regulatory Requirements
• If your focus is on:
– Passing an audit or getting points cleared
– Minimizing costs
• Then your objective is to satisfy audit or regulatory requirements.
Rebuild the Infrastructure
• If your focus is on:
– Alternative facilities and sites
– Solutions to minimize downtime of key infrastructure and systems
• Then your objective is to rebuild the infrastructure.
Resumption of Business Activities
• If your focus is on:
– Setting up an organization and the required facilities to enable key staff to resume their activities
• Then your objective is the resumption of business activities.
Continuity in Customer Service
• If your focus is on:
– Defining what level of customer service must be maintained throughout a disaster
– What is required to achieve that level of customer service
• Then your objective is to ensure continuity in customer service at an acceptable level.
APPROACHES TO BCP
Approaches to BCP based on the objectives:
Objective | Approach
Satisfy audit or regulatory requirements | Tick-box approach
Rebuild the infrastructure | Infrastructure approach
Resumption of business activities | Gradual/subplans approach
Continuity in customer service | Business approach (holistic)
SCOPE
• Event Interrupting Operations
– Asset protection
Protection of assets (e.g., people, building, etc.)
– BCP
Preparation of critical elements for business continuity
• Enterprise-wide versus IT…
...be clear on the scope of your BCP project
DIMENSIONS OF SCOPE
[Diagram: three dimensions of scope: Business, Infrastructure, and Business Interruption Risks (BIR). Labels shown: Network, Control Room, IT DRP, Network Resilience, Server Mirroring, Dealing Room, Office Relocation, Equipment Failures; Infrastructure Risk, Long-Term Business Viability, Brand Image, Client Satisfaction, Capacity, Regulatory.]
INFRASTRUCTURE
• …the identification and protection of critical (IT) infrastructure required to maintain an acceptable level of business,
• ...to ensure the survival of the organization in times of business disruption.
• Critical infrastructure can include:
– Mainframe
– Networks
– Applications
– PCs and desktops
– Manufacturing infrastructure
– Logistical infrastructure
– Office locations
BUSINESS
• …the identification and protection of critical business processes required to maintain an acceptable level of business,
• ...to ensure the survival of the organization in times of business disruption.
• Critical business processes can include
– Manufacturing
– Sales/order entry
– Payroll
– Dealing room activities
– Delivery
– Client communication
– Accounting and finance
BUSINESS INTERRUPTION RISK
• …the identification and protection against business risks resulting from a business interruption jeopardizing
• ...the survival of the organization in times of business disruption.
ENTRY POINTS
There are four possible entry points depending on the drivers of the approach.
If your approach is… | Then your entry point is...
Event driven | Evaluate threats
Business risk driven | Assess risks from interruptions
Business driven | Analyze critical processes
Applications or systems driven | Dependency on (IT) infrastructure
THREATS
Classification of threats according to the type of event:
• Acts of nature – hurricane, flood, earthquake, etc.
• External man-made events – terrorism, evacuation, security intrusion, etc.
• Internal unintentional events – accidental loss of files, computer failure, etc.
• Internal intentional events – strike, sabotage, data deletion, etc.
RISKS
Business Risk Model
• Environment Risk: Competitor, Catastrophic Loss, Sensitivity, Sovereign/Political, Shareholder Relations, Legal, Capital Availability, Industry, Financial Markets
• Process Risk
– Operations Risk: Customer Satisfaction, Human Resources, Product Development, Efficiency, Capacity, Performance Gap, Cycle Time, Sourcing, Commodity Pricing, Obsolescence/Shrinkage, Compliance, Business Interruption, Product Service Failure, Environmental, Health & Safety, Trademark/Brand Name Erosion
– Empowerment Risk: Leadership, Authority, Limit, Performance Incentives, Communications
– Information Processing/Technology Risk: Access, Integrity, Relevance, Availability
– Integrity Risk: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation
– Financial Risk: Currency, Interest Rate, Liquidity, Cash Transfer/Velocity, Derivative, Settlement, Reinvestment/Rollover, Credit, Collateral, Counterparty
• Information For Decision Making Risk
– Operational: Pricing, Contract Commitment, Measurement, Alignment, Completeness and Accuracy, Regulatory Reporting
– Financial: Budget and Planning, Completeness and Accuracy, Accounting Information, Financial Reporting Evaluation, Taxation, Pension Fund, Investment Evaluation, Regulatory Reporting
– Strategic: Environmental Scan, Business Portfolio, Valuation, Measurement, Organization Structure, Resource Allocation, Planning, Life Cycle
ENTRY POINT: INFRASTRUCTURE
[Diagram: dimensions of scope (Business, Infrastructure, Business Interruption Risks (BIR)), with the same labels as in DIMENSIONS OF SCOPE.]
• Traditional approach.
• Very often limited to IT, then extended to "departmental" infrastructure or office infrastructure.
• Very often the business perspective is used to assess criticality of infrastructure elements, and to justify the cost (business impact analysis).
• The risk scope is limited to infrastructure risks through analysis of threats (potential events).
ENTRY POINT: BUSINESS
[Diagram: dimensions of scope (Business, Infrastructure, Business Interruption Risks (BIR)), with the same labels as in DIMENSIONS OF SCOPE.]
• Top-down approach.
• Starting from a top-down analysis of the critical business domains or processes.
• For the critical business processes, assess the dependencies and criticality.
• Often, the business interruption risk dimension is included in the business impact assessment, although not always made explicit or limited to the obvious business interruption risks.
ENTRY POINT: BUSINESS RISKS
[Diagram: dimensions of scope (Business, Infrastructure, Business Interruption Risks (BIR)), with the same labels as in DIMENSIONS OF SCOPE and two numbered markers (1., 2.).]
• Entry is by looking at the business risks created by a business interruption.
• Allows more than only the operational impact to be included, e.g., product quality, brand image, health & safety, cash flow, etc.
• To manage these risks, other actions may be included alongside BCP, e.g., asset protection, supply chain management, crisis management, media management, etc.
• Here we can provide the best added value.
RISKS
The “five As” of risk management:
1. Assess risk
2. Accept or reject risk
3. Avoid risk, transfer risk or reduce risk to an acceptable level
4. Analyze performance gaps
5. Act to improve
BUSINESS PROCESSES
Identify key dependencies and vulnerabilities within the business organization, top-down:
• What does the company depend on to be successful?
• What are the key business processes driving the business?
• What are the flows within these business processes?
• What are the vulnerabilities and dependencies within these flows and business operations?
[Diagram labels: Key Business Drivers, Business Processes, Information Flows, Infrastructure & Resources]
(IT) INFRASTRUCTURE
Achieved by:
• Identifying recovery solutions
• Assessing the possible threats
• Selecting the critical infrastructure
• Analyzing the potential business impact
• Obtaining an inventory of (IT) infrastructure
BCP METHODOLOGIES
Two main BCP methodologies:
Entry Points | BCP Methodology
Infrastructure, Threat | Infrastructure-oriented, threat-based
Business, Risk | Business-oriented, risk-based
