
BCM PRESENTATION

Location: INTAN
Date: 30th June 2010

Agenda

Organization Chart

Overview Risk Assessment

ORGANIZATION CHARTS

Business Continuity Management Framework
• Mandate by Board / Top Management
• Management Operations Risk Committee (MORC), Board Risk Management Committee (BRMC)
• BCM Secretariat Role & BCM Team Role

Plan Readiness

Human Readiness

Infrastructure Readiness

Monitoring

BCM Framework

British Standard 25999 - 1: 2006

Risk Management Department, Organization

CHIEF EXECUTIVE OFFICER
Board Risk Management Committee

SENIOR GENERAL MANAGER

MIS/ANALYTICS SECTION

INVESTMENT RISK SECTION

CREDIT RISK SECTION

OPERATIONAL RISK SECTION

Units:
• Independent Assessment Unit (Corporate Financing, Property Investment & Private Equity)
• Risk Policy and Modelling Unit
• Market Risk Unit
• 'Corporate Risk Scorecard' (CRS) Unit
• 'Business Continuity Plan' (BCP) Unit

Currently reporting to the Investment Risk Section

Development of BCM Programme in Organization

OVERVIEW RISK ASSESSMENT

Risk Assessment Overview

What?
Risk Assessment can help us to:
a) Have a list of threats that can cause a disruption to the Organization
b) Identify single points of failure
c) Recommend actions to be taken to reduce the threats – strategy development

Risk Management Process

• Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated.
• Identify Risk: that could ‘prevent, degrade, delay or enhance’ the achievement of an organisation’s business and strategic objectives.
• Analyse Risk: consider the range of potential consequences and the likelihood that those consequences could occur.
• Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes.
• Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’.
• Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies.
• Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process.

[Diagram labels: Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Risk Assessment; Communicate and Consult; Monitor and Review]

Extracted from ISO 31000:2009 Risk Management Standard

Note that Identify, Analyse and Evaluate Risks are collectively grouped as ‘Risk Assessment’.

Risk Management Process – Identify Risk

Organization BCM Methodology

Business Function
• Plan: The development of the procedures / work flow
• Human: Understanding of the procedures
• Work Place: The equipment and others to support the work

5-Jul-10

Risk Management Department


Risk Assessment Overview

Impact of Disaster on Organization
Quantitative and Qualitative Impact

Quantitative Impact
1. RM143 MILLION*: Average contributions applications that cannot be processed per day
2. RM90 MILLION*: Average withdrawals applications that cannot be processed per day
3. RM83 MILLION*: Average potential investment earnings that may be lost per day

Qualitative Impact
1. Non-adherence to customer charter
2. Unable to fulfil national social responsibility

*Source: KWSP Annual Report 2008

Risk Management Process – Analyze The Risk

Organization BCM Methodology

Business Function: Plan, Human, Work Place

List of Causes
• Natural disaster
• Man-made disaster
• Health and Safety
• IT System
• Utility Failure
• etc.


Risk Assessment – Evaluate the risk

Impact of Disaster on Organization
Cause and Effects Matrix

Effects (columns):
• People Affected
• Building Affected
• IT Systems Affected
• Services Affected
• Reputation Affected

Causes (rows):
• Natural Disaster: Earthquake; Flood; Tsunami / Typhoon
• Health and Safety: Haze; Epidemic (SARS, Bird Flu); Epidemic (poisonous gas, canteen contamination, Anthrax)
• Security Threats: Explosion; Riot & Civil Commotion; Hostage / Key staff unavailable; War; Fire / Arson
• IT System: IT System Failure; IT Security Compromised
• Utility Failure: Power Outage; Water Outage; Telecommunication Outage
• Others: Terminated Outsource Party

Consulting Services for Business Continuity Plan, 25 November 2005

Risk Assessment – Evaluate The Risk

Impact of Disaster on Organization

Organization is affected by the worst-case scenario whereby the disaster happens at the most inopportune time.

Table columns: Location; Processes (Registration, Contribution, Withdrawal, Enforcement, Fraud, Rship & Investments, Channel Mgt, Support Services); Remarks

Disaster categories: Organization Disaster; Location Disaster

Locations:
• Disaster at EPF1, EPF 3 Headquarters and EPF4
• Disaster at IT Data Centre
• Disaster at Processing Office
• Disaster at EPF Institute
• Disaster at a State Office
• Disaster at a Branch

Process entries shown in the table:
• Record Keeping
• Form A Record Keeping
• Deceased, Pension
• Prosecution
• myEPF, Email enquiries
• Call Centre

Remarks:
• EPF forms, legal docs destroyed, 10 support services, Investment systems affected.
• IT Core Systems affected, key system services. Key IT services at State / Branch affected.
• Reroute to other processing office.
• Services delayed and Training routed to other location.
• Reroute to other state office.
• Reroute to other branch.

14 February 2006

Risk Assessment Outcome

Disaster
Disaster is defined in 2 categories:
• Organization Disaster: impacts Organization through widespread and overall total degradation of operations and service delivery
• Location Disaster: impacts only the affected branch office but does not degrade the branch’s overall operations and service delivery

STEP- BY- STEP APPROACH

How To

Identify Causes & Consequences

Identify Primary Controls (preventive, detective and corrective) and Secondary Controls and Effectiveness

Identify action plans to mitigate the risks

Risk Assessment

How often?
Evaluated if:
a) There is a significant change in the internal business process, locations or technology
b) There is a significant change in the external environment, e.g. regulatory changes
c) Part of BCM annual programmes

Risk Assessment

Key success factors?

a) Get support from the management
b) Commitment from the various parties – staff, Heads of Department, suppliers etc.
c) Identify the scope of RA, BIA: all of the organization or some part of the business
d) Understand the key business process, so that we can identify the risk and respond to it
e) Document the risk for knowledge, training and audit trail
f) Up to date and reflect the changes in the organization

How we know that we are ready

Organization BCM Methodology

BCM – Monitoring
Framework
Plan
• Action driven
• Simple and concise
• Checklist:
• Generic
• Worst nightmares
• Roles & responsibilities
• Team recovery
• Reference material
• Listings
• Contact numbers
• Review Strategy, Plan, MRR, BIA, RTO

Human
• Succession planning
• Right nominations
• Ability
• Authority
• Specialists
• Clear roles
• Trained personnel
• BCM Awareness
• Training programme – Call Tree, Walkthrough, Crisis Simulation, Tutorial

Infrastructure
• Command centre
• Business facilities
• Customer areas
• Meeting rooms
• Resources
• Equipment
• Furniture
• Vendor agreements
• Communications
• Testing of Equipment
• War chest update
• Site Design

Monitoring
• Monthly Status from the Department / Branches
• SLA
• Customer Survey

Thank You