
Stats SA Business Continuity Management: Strategy, Plan & Policy

Annette Myburgh
Acting COO
February 2020
What is business continuity & resilience?

• Business continuity & resilience planning is the design & coordination of activities to enable government services to be resilient & to ensure continuation of services after a disruptive incident / event

• It enables a Department to:
  • prepare for,
  • respond effectively to, &
  • recover from
  any disruptive incidents / events, thereby ensuring sustainability & achievement of the Constitutional imperatives, i.e. service delivery in the event of disruptions
Acts governing Business Continuity Management

• Occupational Health & Safety (OHS) Act, 1993 – People
• Public Finance Management Act (PFMA) – Processes
• Disaster Management Act, 2002, as amended in 2015
Other guidelines & standards on Business Continuity Management

• King IV Report
• Minimum Information Security Standard (MISS)
• Minimum Physical Security Standard
• ISO 22301 & Good Practice Guidelines 2018 (Business Continuity Institute)
Resilience Management Framework

Operational Risks & Business Continuity

Business Continuity Management (BCM) addresses a subset of Operational Risks that are outside the organisation’s control.

(Diagram: Risks split into Operational Risks and Financial Risks; BCM Risks are a subset of the Operational Risks.)

BCM should be an integral part of the overall risk management programme of Stats SA.
Business Continuity Management (BCM) Lifecycle

1. Environment & business analysis
2. Determine BCM strategy
3. Develop BCM response / plan
4. Exercise, maintain & review
5. Policy & Programme Management
6. Embed a BCM culture
1. Environment & business analysis

1.1 Environment analysis, & disruptive incidents & risks identification
Nine major incident / threat categories

• Natural incidents
• Health incidents
• IT infrastructure & equipment
• Physical & information security
• Labour / political unrest
• Failed internal & external infrastructure
• Fraud & corrupt practices
• Suppliers / service providers
• Stakeholder perception & satisfaction
Risk identification

Inability to do business after a disruptive incident, arising from:

• Loss / unavailability of staff
• Loss of premises, facilities & assets
• Damage or loss of infrastructure
• Disruption / loss of production & service delivery
• Inability to access & process data, & loss of data
• Inaccurate data
• Unauthorised & irregular expenditure
Risk identification: Impact

• Inability to deliver on Stats SA’s mandate
• Damage to Stats SA’s reputation
1. Environment & business analysis

1.2 Business impact assessment & analysis
1.2.1 Recovery Point & Time Objective & Maximum Tolerable Time of Disruption

(Timeline diagram, read left to right from normal operations, through the time of the disruptive incident / disaster, to the point where all functionality / systems are recovered:)

• Recovery Point Objective (RPO) – how far back? The last viable restore point, i.e. the last point where data is in a usable format / the last backup. Everything after it is definite data loss.
• Reaction / immediate response – the period between the incident and the start of recovery.
• Recovery Time Objective (RTO) – how long will it take to recover? The functionality / system down time until all functionality / systems are recovered.
• Maximum Tolerable Time of Disruption (MTTD) – the buffer for recovering. Beyond it the reputation of Stats SA is at stake and the disruption impact becomes intolerable for the organisation.

Time axis: RPO ← incident → (hours?) RTO → MTTD
1.2.2 Critical Product/Process Priority List as determined during business impact analysis

Product   RPO      RTO
CPI       1 day    8 hours
GDP       5 days   2 days
PPI       1 day    8 hours
1.2.2 Critical Product/Process Priority List as determined during business impact analysis (continued)

Quarterly: QLFS; QES; QFS Municipalities; QFS Private Sector; GDP

Monthly (M): Electricity; Mining Production & Sales; Manufacturing Production & Sales; Building Plans Passed; Wholesale Trade Sales; Retail Trade Sales; Motor Trade Sales; Land Transport
1.2.2 Critical Product/Process Priority List as determined during business impact analysis (continued)

• Annual Mid-year Population Estimates
• Population Census (& PES) – periodically
1.2.3 Critical Product/Process Priority List: Critical dissemination period

• M CPI: 3rd week of month
• Q GDP: 1st week, 3rd month
• M PPI: Last week of month
1.2.3 Critical Product/Process Priority List: Critical dissemination period (continued)

• QLFS: Last week 1st month / 1st week 2nd month
• QES: Last week 3rd month
• QFS Municipalities: Last week 3rd month
• QFS Private Sector: Last week 3rd month
• GDP (period as above)
• M Electricity: 1st week
• M Mining: 2nd week
• M Manufacturing: 2nd week
• M Building Plans Passed: 3rd week
• M Wholesale Trade Sales: 3rd week
• M Retail Trade Sales: 3rd week
• M Motor Trade Sales: 3rd week
• M Land Transport: 3rd week
1.2.3 Critical Product/Process Priority List: Critical dissemination period (continued)

• Annual Mid-year Population Estimates: July (April to July)
• Population Census (& PES) – periodically (2022)
1.2.4 Critical Product/Process Priority List: Systems / applications & databases

• CPI: CPI capturing application & database
• GDP: SNAPS (MS Excel)
• PPI: PPI capturing application & database
1.2.4 Critical Product/Process Priority List: Systems / applications & databases (continued)

• QLFS: Capturing & scanning / CAPI system & database
• QES: Capturing application & database
• QFS Municipalities: Capturing application & database
• QFS Private Sector: Capturing application & database
• GDP (system as above)
• M Electricity: Capturing application & database
• M Mining Production & Sales: Capturing application & database
• M Manufacturing Production & Sales: Capturing application & database
• M Building Plans Passed: Capturing application & database
• M Wholesale Trade Sales: Capturing application & database
• M Retail Trade Sales: Capturing application & database
• M Motor Trade Sales: Capturing application & database
• M Land Transport: Capturing application & database
1.2.4 Critical Product/Process Priority List: Systems / applications & databases (continued)

• Annual Mid-year Population Estimates: System/application & database
• Population Census (& PES): System/application & database
1.2.5 Critical Product/Process Priority List: Generic Systems

• BFrame including Survey Management System (Economic Statistics Surveys)
• Geographic / Spatial Information Frame / Master Sample Systems
• Instrument Tracking System (ITS) (Household Surveys – QLFS) / CAPI collection & processing system
• Stats SA website
1.2.6 Critical Product/Process Priority List: Generic Software

• Eyes & Hands from ReadSoft (Household Surveys - QLFS)
• CSPro / Survey Solutions / In-house Tools for household surveys & Census
• SAS
• MS Excel
• MS Word
• MS PowerPoint
1.2.7 Critical Product/Process Priority List: Corporate Services: Systems

• PERSAL – provided by SITA
• BAS – provided by SITA
• LOGIS – provided by SITA
1.2.8 Stats SA ICT Disaster Recovery Plan

Key ICT systems & databases that need to be restored to support the business systems:

No  System & database                   RPO     RTO
1.  Radikopantsha (for contact info)    1 day   1 hour
2.  Email (GroupWise)                   1 day   4 hours
3.  Data Directory (F)                  1 day   5 hours
4.  BAS (J) – Transversal systems       N/A     2 hours
5.  Stats SA Website                    1 day   3 hours
6.  Sybase database                     1 day   2 hours
7.  Microsoft SQL Database              1 day   5 hours
8.  SAS Application Servers             1 day   3 hours
9.  SAS Data Servers                    1 day   3 hours
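An RPO and RTO are only as good as the evidence that the backups behind them exist. As an added example (not code from the Stats SA deck, nor from any Stats SA system), the following Python takes the RPO / RTO values from the ICT DR table above and the MTTD from the timeline slide and turns them into the check a practitioner would run after an incident is declared: which systems already have more data loss than their RPO allows, and by what time each must be back for the whole disruption to stay inside the MTTD. The same check applies to the product-level RPO / RTO on the priority list (CPI, GDP, PPI) by swapping in those objectives. The backup catalogue, the incident time and the system names' exact spelling are constructed for this example; the two-hour reaction window is read off the deck's timeline and is an assumption.

```python
# Added example (not from the Stats SA deck): a backup-catalogue check
# against the RPO / RTO / MTTD values the deck states. Objectives come from
# the ICT DR table; the backup log, the incident time and the two-hour
# reaction window are assumptions made for this example.
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# Objectives from the ICT DR table. RPO None models the "N/A" entry for BAS,
# a transversal system hosted by SITA, so Stats SA holds no backup to age.
DR_OBJECTIVES = {
    "Radikopantsha":           {"rpo": 24 * HOUR, "rto": 1 * HOUR},
    "Email (GroupWise)":       {"rpo": 24 * HOUR, "rto": 4 * HOUR},
    "Data Directory (F)":      {"rpo": 24 * HOUR, "rto": 5 * HOUR},
    "BAS (J)":                 {"rpo": None,      "rto": 2 * HOUR},
    "Stats SA Website":        {"rpo": 24 * HOUR, "rto": 3 * HOUR},
    "Sybase database":         {"rpo": 24 * HOUR, "rto": 2 * HOUR},
    "Microsoft SQL Database":  {"rpo": 24 * HOUR, "rto": 5 * HOUR},
    "SAS Application Servers": {"rpo": 24 * HOUR, "rto": 3 * HOUR},
    "SAS Data Servers":        {"rpo": 24 * HOUR, "rto": 3 * HOUR},
}

MTTD = 24 * HOUR  # maximum tolerable time of disruption from the timeline slide

# Constructed backup catalogue (invented timestamps): "<completed> | <system> | <status>".
BACKUP_LOG = """\
2020-02-17T22:05:00 | Radikopantsha | OK
2020-02-17T23:40:00 | Email (GroupWise) | OK
2020-02-16T22:30:00 | Data Directory (F) | OK
2020-02-17T22:10:00 | Stats SA Website | OK
2020-02-17T21:55:00 | Sybase database | OK
2020-02-16T22:20:00 | Microsoft SQL Database | OK
2020-02-17T22:20:00 | Microsoft SQL Database | FAILED
2020-02-17T22:00:00 | SAS Application Servers | OK
2020-02-17T22:15:00 | SAS Data Servers | OK
"""


def latest_good_backups(log_text):
    """Latest *successful* backup completion time per system.

    A FAILED run must not move the restore point forward, so only OK lines count.
    """
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        completed, system, status = (field.strip() for field in line.split("|"))
        if status != "OK":
            continue
        when = datetime.fromisoformat(completed)
        if system not in latest or when > latest[system]:
            latest[system] = when
    return latest


def rpo_violations(log_text, incident_iso, objectives=DR_OBJECTIVES):
    """Systems whose data loss at the incident time exceeds their RPO.

    Returns {system: hours_of_data_loss}; a system with no successful backup
    at all maps to None. Systems with no RPO (N/A) are skipped.
    """
    incident = datetime.fromisoformat(incident_iso)
    latest = latest_good_backups(log_text)
    violations = {}
    for system, objective in objectives.items():
        if objective["rpo"] is None:
            continue
        last = latest.get(system)
        if last is None:
            violations[system] = None
        elif incident - last > objective["rpo"]:
            violations[system] = (incident - last).total_seconds() / 3600
    return violations


def recovery_schedule(incident_iso, reaction_hours=2.0, objectives=DR_OBJECTIVES, mttd=MTTD):
    """Deadline by which each system must be back: incident + reaction + RTO.

    Returns {system: (deadline_iso, within_mttd)}. The deadline is measured
    from the incident, not from when recovery starts, because the MTTD bounds
    the length of the whole disruption.
    """
    incident = datetime.fromisoformat(incident_iso)
    reaction = reaction_hours * HOUR
    schedule = {}
    for system, objective in objectives.items():
        deadline = incident + reaction + objective["rto"]
        schedule[system] = (deadline.isoformat(), deadline - incident <= mttd)
    return schedule


if __name__ == "__main__":
    incident = "2020-02-18T08:00:00"  # assumed incident time
    for system, loss in rpo_violations(BACKUP_LOG, incident).items():
        detail = "no usable backup" if loss is None else f"{loss:.1f} h of data loss"
        print(f"RPO breached: {system}: {detail}")
    for system, (deadline, ok) in recovery_schedule(incident).items():
        print(f"{system}: back by {deadline} {'(within MTTD)' if ok else '(EXCEEDS MTTD)'}")
```

The point of the FAILED line in the constructed log is the one that matters operationally: a single failed nightly run for Microsoft SQL Database silently doubles the data loss to more than 33 hours, well past the one-day RPO, even though a backup job "ran" last night. Checking the catalogue against the RPO on a schedule, rather than only after an incident, is what turns the table above from a target into a control.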
Recovery Point & Time Objective & Maximum Tolerable Time of Disruption: worked timeline

The same RPO / RTO / MTTD diagram with Stats SA’s values placed on the time axis:

• RPO: -1 day (last viable restore point / last backup one day before the incident; definite data loss after it)
• Reaction / immediate response: 2 hours after the incident
• RTO: 8 hours (functionality / system down time until all functionality / systems are recovered)
• MTTD: 1 day (buffer for recovering; beyond it the reputation of Stats SA is at stake and the disruption impact becomes intolerable for the organisation)
2. Determine BCM strategy

BCM Strategy

2.1 BCM goal & objectives
2.1 BCM goal

To protect Stats SA’s reputation through safeguarding Stats SA’s:

1. Personnel
2. Premises, facilities, assets
3. Business processes & products
4. Technology, i.e. infrastructure, systems & databases
5. Information, e.g. data
6. Stakeholders’ interest

to ensure Stats SA can continue critical operations, & deliver critical products & services according to its mandate when a disruptive incident occurs
2.1 BCM objectives

Pre-incident:
• To instil a Stats SA wide Business Continuity (BC) culture
• To ensure risk practitioners are suitably certified in BCM

Response to incident:
• To manage disruptive incidents without calling for recovery invocation

Recover from incident:
• To ensure recovery within the Maximum Tolerable Time of Disruption (MTTD)
• To ensure recovery of systems within the required Recovery Time Objective (RTO)
• To ensure recovery of systems within the required Recovery Point Objective (RPO)
2. Determine BCM strategy

2.2 BCM mitigating strategies

2.2 BCM mitigating strategies to prepare for, respond to & recover from disruptive incidents: Pre-incident → Response → Recover
2.2 BCM mitigating strategies to safeguard each of the following areas

1. Personnel
2. Premises, facilities, assets
3. Business processes & products
4. Technology, i.e. infrastructure, systems & databases
5. Information, e.g. data
6. Stakeholders’ interest
2.2 BCM mitigating strategies

Pre-incident – develop / arrange:
• Incident Mgt/Response Plan
• Emergency Evacuation Plans & Guidelines
• Emergency procedures & processes
• Alternative exit routes
• Electricity & Water Outage Preparedness & Response Plans
• HRM - Injury on Duty Plan, EAP Plan etc.
• Crisis Communication Plan
• Business Continuity Plans
• ICT DR Plan
• Alternative recovery sites
• Training staff, practitioners

Response to incident – inform:
• Control Room, BCC & JOC

Response to incident – invoke:
• Incident Mgt/Response Plan
• Emergency Evacuation Plans & Guidelines
• Emergency procedures & processes
• Alternative exit routes
• Electricity & Water Outage Preparedness & Response Plans
• HRM - Injury on Duty Plan, EAP Plan etc.
• Crisis Communication Plan
• Business Continuity Plans
• ICT DR Plan

Recover from incident – invoke:
• Crisis Communication Plan
• Business Continuity Plans
• ICT DR Plan
• Alternative recovery sites
3. Develop BCM response / plan

BCM response / plan
BCM Plan

Overarching BCM Plan, made up of:

1. Incident Mgt & Response Plan
   1.1 Emergency Evacuation Plans & Guide
   1.2 Emergency Response Procedures & Processes
   1.3 Electricity Outage Preparedness & Response Plans
   1.4 Water Outage Preparedness & Response Plans
   1.5 HRM - Injury on Duty Plan, EAP Plan etc.
2. Crisis Communication Plan
3. Branch / CD / Directorate BCM Plans
4. ICT DR Plan
1. Primary contact in case of an emergency / disruptive incident (1.1 Emergency Evacuation Plans & Guide)

Stats SA Security Control Room: 012 310 2900 / Director: Security (SHERQ)
1. Stats SA Head Office alternative escape routes (1.1 Emergency Evacuation Plans & Guide)

1. Freedom Park
2. Voortrekker Monument
1.1 Stats SA Emergency Guide (1.1 Emergency Evacuation Plans & Guide)

1.2 Stats SA Emergency Response Procedure (1.2 Emergency Response Procedures & Processes)
1.2 Stats SA Emergency Response Procedures & Processes

1. Evacuate the building
2. Duck & cover
3. Move to the centre of the building
4. Stay away from the windows
5. Do not attempt to access the building
1.2 Stats SA Emergency Response Procedures & Processes: 1. Evacuate the building
2. Crisis Communication (Crisis Communication Plan)

• Staff contact information
• Internal communication
• External communication
3. & 4. Stats SA recovery sites (Branch / CD / Directorate BCM Plans; ICT DR Plan)

Head Office:
1. SITA for HRM & Finance
2. ICT Disaster Recovery Site
3. Gauteng & North West District Offices

Provincial & District Offices – depending on distance
4. Exercise, maintain & review

BCM exercises & maintenance
BCM exercises & maintenance

1. Desktop scenario
   1.1 Walk-through scenarios
   1.2 Call tree scenario
   1.3 Simulation scenario
2. Live recovery exercise (test entire BCM process)
3. Hybrid exercise (test with one Branch / CD)
5. Policy & Programme Management

5.1 BCM structure
5.1 BCM Structure

• Strategic: EXCO; Business Continuity Committee; Joint Planning Committee (National Key Point)
• Tactical: Damage Assessment Committee; Crisis Communication Committee
• Operations and staff: SHERQ Management Committee and Incident Identification Committee; Business Recovery Committee; System Recovery (ICT DR) Committee
5.1.1 Business Continuity Committee (BCC)

• Chairperson: CD: FMLS (Acting COO) – the Section 16(2) delegated official under the OHS Act, 1993
• BCM Coordinator: BCM Manager / subject matter expert (also Chairperson of BRC)
• Security: Director (also Chairperson of JPC, SHERQ, DAC)
• Security Coordinator: Dipalopalo
• Risk Mgt: Director
• EPS: CD
• BM: CD
• ICT: CD (Chairperson of ICT DRC)
• HRM: CD
• Finance: CFO
• Communication & Marketing: CD (Chairperson of CCC)
• Reps from Branches
5.1.2 Stats SA Contingency Teams (CT)

SHERQ & Incident Mgt Committee, comprising:
• Fire Marshalls
• Evacuation Officers
• First Aiders
5.1.3 Stats SA ICT Disaster Recovery Team (ICT DRT)

• ICT: CD
• ICT Risk Mgt: Director, DD1, DD2
• Business Modernisation: CD, Director
• ICT Server Environment: Director
• ICT SAN & Backup Specialist
• ICT End User Support: Director, DD
• ICT Networking: Director
• ICT Specialist
• ICT Network Administrator; Network Administrator 1; Network Administrator 2
5. Policy & Programme Management

5.2 BCM policy

See attached BCM policy outlining the different BCM Committees & responsibilities
6. Embed a BCM culture
6.1 BCM awareness creation & training plan

1. BCM awareness creation products
2. BCM awareness creation workshops / meetings
3. Formal BCM training

1 BCM awareness creation products
• BCM procedures e.g. emergency guide pamphlet & process maps
• Emergency contact information printed on consumables
• Banners & posters on evacuation routes and assembly points
• Multimedia awareness campaign e.g. WhatsApp, electronic notice boards
• BCM articles in Pulse and on Intranet
• BCM information on corporate desktop & presentation templates

2 BCM awareness creation workshops / meetings
• BCM & SHERQ awareness workshops at Head Office, Provincial Offices & District Offices
• CDF meeting
• Exco meeting

3 Formal BCM training
• Training for Stats SA Contingency Teams (SHERQ Marshalls) at Head Office, Provincial Offices & District Offices, i.e.:
  • First Aid
  • Fire
  • Evacuation
• Training for Stats SA BCM practitioners, Auditors, & representatives from Exco & CDF
5. Policy & Programme Management

5.3 BCM budget
5.3 BCM Budget

Item                                                                        CD     Budget
BCM awareness creation products                                             RAIM   R 70 000 per annum
Contingencies in case of disruptive event                                   RAIM   R 200 000 per annum
Training: Contingency Teams (SHERQ Marshalls) - all offices                 FTSM   R 2 000 000 every two years
Training: BCM practitioners, Auditors, & reps from Exco & CDF               HRD    R 75 000 per annum
ICT disaster recovery contract & site – replicating 25 servers & hosting it ICT    R 2 500 000 per annum

TOTAL: R 4 845 000 – first year; R 2 845 000 – second year
Summary

The way forward
Continuous improvement (P-D-C-A cycle)

1. PLAN (Stakeholder requirements & BIA) – A. Risk identification period
2. DO (Implement BCM Strategy & Plan) – B. Proactive period
3. CHECK (Monitor, validate & review – is delivery as required?) – C. Reactive period
4. ACT (Analyse to improve & maintain) – D. Critical information gathering period

Outcome at the centre of the cycle: INCREASED RESILIENCE
Team that contributed to the development of BCM for Stats SA

BCM team / contributors:
• BCM Coordinator: Pravin Kaylaser & Fazel Shah
• Acting COO / Programme Office: Annette Myburgh
• Programme Office: Annegret Mphahlele
• Programme Office: development of process flows
• CD: FMLS: Thulani Ntshangase
• Director: HRM: Francois Massyn
• CFO: Bheki Mathunjwa
• CD: Corporate Governance: Bruce Jooste and Thapelo Matsapola
• Casper vd Westhuizen: designing awareness materials
• Director: ICT Risk Mgt: Sibongiseni Ndlangisa and Vincent Mokonyane
• CD: Communication: Trevor Oosterwyk and Tracy Daniels
• Corporate Services and Security staff, Provincial Offices
This has been an interesting journey!

As from 1 April 2020 the responsibility for BCM will move to its
rightful place i.e.

Risk, Anti-corruption & Integrity Management (RAIM)

THANK YOU