Business

Continuity
Planning
(SI201428)
M. GILVY LANGGAWAN
PUTRA,S.KOM.,M.MT

INFORMATION SYSTEMS
 Outlin
e
• Introduction
• Project initiation
• Risk Assessment
• Business Impact Analysis
• Risk Mitigation Strategy Development
• Business Continuity/Disaster Recovery Plan Development
• Emergency Response & Recovery
• Training, Testing, & Auditing
• BC/DR Maintenance Plan

INFORMATION SYSTEMS
 Pustak
a
• Susan Snedaker. Business Continuity & Disaster Recovery for IT
Professionals.
• Tony Drewitt. A manager's guide to ISO22301: A practical guide to
developing and implementing a business continuity management
system
• Kelley Okolita-Building an Enterprise-Wide Business Continuity
Program
• James C. Barnes-A Guide to Business Continuity Planning
• A Gilbert-Business continuity & disaster recovery for dummies
• www.thebci.org

INFORMATION SYSTEMS
But first…
let’s learn about
Risk
Management

INFORMATION SYSTEMS
Organizatio
n
…a group of two or more people working together
to achieve a common set of goals.

Organization Objectives Risks

INFORMATION SYSTEMS
 Objectiv
e
• Objective: something to achieve, goal

Time-
Specific Measurable Achievable Relevant
• What: What do I want • How much? • How can the goal be • Does this seem bound
• When?
to accomplish? • How many? accomplished? worthwhile? • Timeline
• Why: Specific reasons, • Indicators should be • How realistic is the • Is this the right
purpose or benefits of quantifiable goal based on other time?
accomplishing the goal. constraints? • Does this match our
• Who: Who is involved? other efforts/needs?
• Where: Identify a
location.

We have to sell 1.000 cars by the end of this year

INFORMATION SYSTEMS
 Ris
k
• Risk is the possibility that an event will occur, which will impact an
organization's achievement of objectives.
• Risk is the effect of uncertainty on objectives (ISO 31000). Uncertainty
presents both risk and opportunity, with the potential to erode or
enhance value.

Threat (Ancaman) Uncertainty(Ketidakpastian) Loss Opportunity

INFORMATION SYSTEMS
 Example:
We have to sell 1.000 cars by the end of this year

THREAT :
1. Suppliers cannot fulfill our demand
2. More competitive (cheaper or more desirable) car from
competitors

UNCERTAINTY :
1. Economical issue, IDR exchange rate
Risks 2. Regulation (progressive tax, vehicle tax)

LOSS OPPORTUNITY :
1. The waiting time is too long
2. Ineffective customer relationship management
3. Limited product information for customers

INFORMATION SYSTEMS
 Ris
k
• Risk is the possibility that an event will occur (uncertainty) and
adversely affect the achievement of an objective
• Opportunity is the possibility that an event will occur (uncertainty)
and positively affect the achievement of an objective

INFORMATION SYSTEMS
Business
Risk
Uncertainties regarding threats to the achievement of business objectives
are considered business risk

INFORMATION SYSTEMS
 Typical IT
Risks
• Selection Risk
• Development/Acquisition and Deployment Risk
• Availability Risk
• Hardware/Software Risk
• Access Risk
• System Reliability and Information Integrity Risk
• Confidentiality and Privacy Risk
• Fraud and Malicious Acts Risk

INFORMATION SYSTEMS
Risk Management Process
(ISO27000)

INFORMATION SYSTEMS
 Risk
Evaluation/Assessment
• typically assessed in terms of impact and likelihood
◦Impact (or consequence) refers to the extent to which a risk event might affect
the enterprise, may include financial, reputational, regulatory, health, security,
environmental, employee, customer, and operational impacts.
◦Likelihood represents the possibility that a given event will occur. Likelihood can
be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as
a percent probability, or as a frequency.

INFORMATION SYSTEMS
Risk
Criteria

INFORMATION SYSTEMS
 Risk
Treatment
Risk treatment options should
be selected based on the
outcome of the risk
assessment, the expected cost
for implementing these options
and the expected benefits from
these options.

INFORMATION SYSTEMS
 Risk
Response
Risk
Response
Description

Avoidance Exiting or divesting of the activities giving rise to the risk. Risk
avoidance may involve exiting a product line, declining expansion to a
new geographical market, or selling a division
Reduction Action is taken to reduce risk likelihood or impact, or both. This
typically involves any of myriad of everyday business decisions (such
as implementing controls)
Sharing Reducing risk likelihood or impact by transferring or ortherwise
sharing a portion of the risk. Common techniques include purchasing
insurance products, engaging in hedging transactions, or outsourcing
an activity

Acceptanc No action is taken to affect risk likelihood or impact. In effect, the

e organization is willing to accept the risk at the current level rater than
spend valuable resources deploying one of the other risk response
options

INFORMATION SYSTEMS
Risk Response
Strategies

INFORMATION SYSTEMS
INFORMATION SYSTEMS
 Risk
Register
• The Risk Register records details of all the risks identified in the
organization, their grading in terms of likelihood of occurring and
seriousness of impact on the project, initial plans for mitigating each
high level risk, the costs and responsibilities of the prescribed
mitigation strategies and subsequent results.

INFORMATION SYSTEMS
 Risk
Register
• a unique identifier for each risk;
• a description of each risk and how it will affect the objective’s
achievement;
• an assessment of the likelihood it will occur and the possible
seriousness/impact if it does occur (low, medium, high);
• a grading of each risk according to a risk assessment criteria
• who is responsible for managing the risk;
• an outline of proposed mitigation actions (preventative and
contingency)

INFORMATION SYSTEMS
Risk
Register

INFORMATION SYSTEMS
Risk
Profile

INFORMATION SYSTEMS
 Practic
e
• Objective: All of 2016 students will graduate in 3.5 years with average
GPA 3.5, TOEFL min 500, and min 2 student’s activity
◦Identify inherent risk
◦Event resulting the risk (cause)
◦Risk Impact (description)
◦Likelihood Level
◦Impact Level
◦Risk Level
◦Risk Treatment

N SYSTEMS
Business
Continuity
Planning

INFORMATION SYSTEMS
 Disaster
s
• Powerful Earthquake Triggers Tsunami in Pacific.
• Hurricane Katrina Makes Landfall in the Gulf Coast.
• Avalanche Buries Highway in Denver.
• Tornado Touches Down in Georgia
• Heavy rains cause widespread flooding in Jakarta

Disasters are inevitable

INFORMATION SYSTEMS
 Fac
t• A study released by Harris Interactive, Inc. in September 2006
indicated that 39% of CIOs who participated in the survey lacked
confidence in their disaster readiness
• Business Insider (2011) said that Businesses Fail 20% Of The Time Due
To Natural Disasters.
• In the late 1990s, BCP came to the forefront as businesses tried to
assess the likelihood of business systems failure on or after January 1,
2000 (the now infamous “Y2K” issue).

INFORMATION SYSTEMS
Business Continuity
and Disaster Recovery
• Business continuity planning (BCP) is a methodology used to create
and validate a plan for maintaining continuous business
operations before, during, and after disasters and disruptive
events.
◦ BCP has to do with managing the operational elements that allow a business to
function normally in order to generate revenues.
◦ Business continuity has to do with keeping the company running, regardless of
the
potential risk, threat, or cause of an outage.

• Disaster recovery is part of business continuity, and deals with the

immediate impact of an event, including recovering from a server
outage, security breach, or hurricane.
◦ Disaster recovery involves stopping the effects of the disaster as quickly as possible
and addressing the immediate aftermath. This might include shutting down systems
that have been breached, evaluating which systems are impacted by a flood or
earthquake, and determining the best way to proceed.
◦ At some point during disaster recovery, business continuity activities begin to
overlap INFORMATION SYSTEMS
Business Continuity
and Disaster Recovery

INFORMATION SYSTEMS
Things to
consider

INFORMATION SYSTEMS
 Why
BCP?
• The cost of planning the BC & DR vs the cost of failure

https://www.drj.com/articles/online-exclusive/the-future-of-disaster-recovery-as-a-service.html

INFORMATION SYSTEMS
Types of Disasters to
Consider
• Threats or hazards come in three basic categories:
◦Natural hazards
◦Human-caused hazards
◦Accidents and technological hazards

INFORMATION SYSTEMS
 Natural
•
Hazards
Warm Weather Related Hazards
◦ Severe or prolonged rain
◦ Heavy rain and/or flooding
◦ Floods
◦ Flash flood
◦ River flood
◦ Urban flood
◦ Drought (can impact urban, rural, and agricultural areas)
◦Fire
◦ Forest fire
◦ Wild fire—urban, rural, agricultural
◦ Urban fire
◦Tropical storms
◦Hurricanes, cyclones, typhoons (name depends on location of event)
◦Tornado
◦Wind storm

INFORMATION SYSTEMS
 Natural
•
Hazards
Cold Weather Related Hazards
◦ Avalanche
◦ Severe snow
◦ Ice storm, hail storm
◦ Severe or prolonged wind
• Geological Hazards
◦ Earthquake
◦ Tsunami
◦ Volcanic eruption
◦ Volcanic ash
◦ Lava flow
◦ Mudflow (called a lahar)
◦ Landslide (often caused by severe or prolonged rain)
◦ Land shifting (subsidence and uplift) caused by changes to the water table, man-
made elements (tunnels, underground building), geological faulting, extraction of
natural gas, and so on

INFORMATION SYSTEMS
 Human-Caused
Hazards
• Terrorism
◦Bombs
◦Armed attacks
◦Hazardous material release (biohazard, radioactive)
◦Cyber attack
◦Biological attack (air, water, food)
◦Transportation attack (airports, water ports, railways)
◦Infrastructure attack (airports, government buildings, military bases, utilities,
water supply)
◦Kidnapping (nonterrorist)

• Bomb
◦Bomb threat
◦Explosive device found
◦Bomb explosion

INFORMATION SYSTEMS
 Human-Caused
Hazards
• Explosion
• Fire
◦Arson
◦Accidental

• Cyber attack
◦Threat or boasting
◦Minor intrusion
◦Major intrusion
◦Total outage
◦Broader network infrastructure impaired (Internet, backbone, etc.)

• Civil disorder, rioting, unrest

INFORMATION SYSTEMS
 Human-Caused
Hazards
• Protests
◦Broad political protests
◦Targeted protests (specifically targeting your company, for example)

• Product tampering
• Radioactive contamination
• Embezzlement, larceny, theft
• Kidnapping
• Extortion
• Subsidence (shifting of land due to natural or man-made changes
causing building or infrastructure failure)

INFORMATION SYSTEMS
 Accidents and Technological
Hazards
• Transportation accidents and failures
◦ Highway collapse or major accident
◦ Airport collapse, air collision, or accident
◦ Rail collapse or accident
◦ Water accident, port closure
◦ Pipeline collapse or accident
• Power grid or substation failure
• Nuclear power facility incident
• Dam failure
• Hazardous material incident
◦ Local, stationary source
◦ Nonlocal or in-transit source (e.g., truck hauling radioactive or chemical waste
crashes)
• Building collapse (various causes)

INFORMATION SYSTEMS
Accidents and Technological
Hazards
• Infrastructure accidents and failures
◦Electricity—power outage, brown-outs, rolling outages, failure of
infrastructure
◦Gas—outage, explosion, evacuation, collapse of system
◦Water—outage, contamination, shortage, collapse of system
◦Sewer—stoppage, backflow, contamination, collapse of system

• Information system infrastructure

◦Internet infrastructure outage
◦Communication infrastructure outage (undersea cables, satellites,
etc.)
◦Major service provider outage (Internet, communications, etc.)
◦Systems failures

INFORMATION SYSTEMS
 Electronic Data
Threats
• Personal Privacy
• Privacy Standards and Legislation
• Social Engineering
• Fraud and Theft
• Access Management

INFORMATION SYSTEMS
Business Continuity and
Disaster Recovery Planning
Basics
• Project Initiation
• Risk Assessment
• Business Impact Analysis
• Mitigation Strategy Development
• Plan Development
• Training, Testing, Auditing
• Plan Maintenance

INFORMATION SYSTEMS
Questions?

INFORMATION SYSTEMS
 Assignmen
t• Find an example of a collapsed company due to a disaster
• Create a summary in a presentation
◦Identify the disaster
◦Did the company ever recover from the disaster?
◦What did they do to recover?
◦Why did their business collapse? What did go wrong?
◦What could be done in order to prevent such undesirable event?

• Submit in google classroom before Feb 11th 07.00

• Don’t forget to put your references/sources in the slides

INFORMATION SYSTEMS
End of
Slides

INFORMATION SYSTEMS