
Business Continuity Management (BCM)

✓ Business Continuity Management is a holistic management process that
identifies potential impacts that threaten an organization and provides a
framework for building resilience and the capability for an effective
response that safeguards the interests of its key stakeholders, reputation,
brand and value-creating activities.
✓ Business continuity means maintaining the uninterrupted availability of
all key business resources required to support essential business
activities.
BC and DR - Definitions
✓ Business Continuity - Overall continuation of business functions during
an emergency event.
✓ Disaster Recovery – Recovery of the systems, applications and processing
capabilities.
Why BCP and DRP?
▪ Data corruption
▪ Component failure
▪ Application failure
▪ User error
▪ Maintenance
▪ Site outage


BCP and DRP
There is a fair amount of confusion in the terminology.
Business Continuity Plan
✓ Prepared at Business level
✓ Includes IT
✓ Covers all relevant functions
✓ Considers all aspects such as:
▪ Communication to external agencies
▪ Communication to customers, suppliers
▪ Quick response to correct misinformation
▪ Handling increased vulnerability during emergencies
▪ Maintaining controls, security and integrity
▪ Avoiding making the situation worse than it is
BCP - Definition
A documented, tested, rehearsed plan to minimize financial losses to the
institution, serve customers with minimal disruptions, and mitigate the
negative effects of disruptions on business operations.

What is BCP for?
To continue the essential services to key stakeholders when the organization
faces:
▪ catastrophic events such as floods, earthquakes, or acts of terrorism
▪ accidents or sabotage
▪ outages due to an application error, hardware or network failures
BCP – Team structure
Business Continuity Committee (Management Authorization)
▪ BCP Team Leader
▪ BCP Spokesperson
▪ Internal Auditor
Execution Teams
▪ Damage Asst. & Salvage Team
▪ Emergency Action Team
▪ Relocation Team
▪ IT Operations & Support Team
▪ Admin & Security Team
BCP – Documentation
Documentation should cover:
▪ Risk Management
▪ Environmental Management
▪ Emergency Management
▪ Crisis Management
▪ IT Disaster Recovery
▪ Knowledge Management
▪ Facility Management
▪ Human Management
▪ Supply Chain Management
▪ Security and Privacy
▪ Health and Safety
▪ Communications / PR
▪ Enterprise business process, people and technology


BCP - Process
✓ Initiated and supported by Top Management
✓ Assess risks and vulnerabilities
✓ Actions to protect people, environment, assets
✓ Actions to contain and prevent further damage
✓ Business Impact Analysis
✓ Identify the essential activities that must continue during emergencies
and the level of service targeted
✓ Identify all resources needed to provide such services:
▪ Place, People, Data
▪ Facilities (security, food, water, IT, communication, transportation)
▪ Raw materials and other equipment (as necessary)
▪ Prior permission from relevant authorities
▪ Service provider support
▪ Contact lists
▪ Authorisation, access and escalation procedures
▪ Budgets
BCP - Process
✓ Identify who among the available Top Management will invoke the BCP
during emergencies
✓ Communication process to stakeholders
✓ Arrange for the people, premises, IT facilities etc. to be available when
needed
✓ Train people
✓ Test the facilities, remedy weaknesses
✓ Document the process in a brief document
✓ External audit of the document and completion of audit actions
✓ A senior business person accountable for the on-going preparedness of BCP
arrangements
BCM Compliance Standards
✓ Standards in Business Continuity:
▪ ISO 22301
▪ FFIEC
▪ NIST 800
▪ NFPA 1600
▪ SEC
▪ FISMA
▪ FINRA
▪ Supply Chain Resilience Leadership Council
✓ Measure compliance in these BCM dimensions:
▪ Program Administration
▪ Crisis Management
▪ Business Recovery
▪ IT Disaster Recovery
▪ Fire & Life Safety
▪ Supply Chain Risk Management
▪ Third Party Management
BCP & DRP - Differences
Business Continuity Plan (BCP)
✓ Focused on recovery of individual business processes, departments,
functions, facilities etc. (revenue, production and operational management)
✓ Recovery Time Objective (RTO) is typically measured in days or weeks…
sometimes months
✓ Active business and IT participation
✓ Recovery addresses people, process, and support technologies required to
continue the business needs.
✓ Continuity plans are usually by process, department, function and/or
facility
Disaster Recovery Plan (DRP)
✓ Focused on recovery of Enterprise IT applications and supporting
infrastructure (support the business)
✓ Recovery Time Objective (RTO) is typically measured in minutes or hours…
sometimes days.
✓ Active IT participation with little to no business participation during an
event.
✓ Recovery addresses enterprise data center/computing, facility and support
staff
✓ Recovery plans are usually by application suite, platform and/or data
center facility
