Auditing Business Continuity Management DHIRAJ LAL Executive Director +971 52 9263933 [email protected]


Agenda

• About us
• Relevance of Business Continuity in the UAE
• The UAE BCM Standard AE/SCNS/NCEMA 7000
• Need for BCM in the UAE
• NCEMA BCM Action Model
• Key BCM Concepts and Terminology
• Video
• Quick Tips on BCM Audits
• Auditing BCM per the ISO 22301 Standard
• Sample Audit (Exercise)


About CORE

Our Range of Specializations in Consultancy & Training cover:

• Crisis Management
• Crisis Communications
• Business Continuity
• Disaster Recovery
• Sustainability
• Information Security
• IT Service Management
• Project Management
• Quality

Global Experience

Country

• Middle East
• India
• USA
• Canada
• UK
• Europe
• Africa

Industry

• Financial Services
• Telecom
• Manufacturing
• Airlines
• Trading
• Oil and Gas
• Government
• FMCG, Nuclear, etc.

• Consulting
• Training
• Assessments
• Tools Advisory
• e-learning Support

Our Partnerships

Institutions

• British Continuity Institute (BCI) – UK for offering BCM Certification - CBCI
• British Computer Society (BCS) – UK for offering the Green IT Certification


About Dhiraj Lal

• Nearly 3 decades of industry experience
• Over 1 decade in BCM and related domains
• FBCS and MBCI
• Lead Auditor – ISO 22301, ISO 27001
• Practitioner, trainer, consultant, assessor
• Asia’s first BSI appointed Technical Expert for BS 25999 / ISO 22301
• Earlier experience with Agilent Technologies Limited, American Express Financial Center, Citibank NA, Standard Chartered Bank etc.


BCM in The UAE

• Mandatory by Royal Decree
• NCEMA (National Emergency Crisis and Disasters Management Authority) has released two documents:
  • AE SCNS NCEMA 7000 2015 (Specifications)
  • AE SCNS NCEMA 7001 2015 (Guidelines)

NCEMA provides a Business Continuity Management Standard to build an organization’s capability to continue functioning and delivering its prioritized activities when its operations are disrupted due to emergencies or crises.

The UAE Business Continuity Standard: NCEMA 7000


NCEMA Standard Foreword by H.H. The National Security Advisor

“As our wise leadership endeavors to ensure the welfare and stability of our great nation at all times, we spare no effort to empower all UAE organizations, in all vital sectors, to perform their services and duties towards the society. This should not be restricted to normal conditions but should extend to include the capability to deal with sudden incidents by developing well-rounded and pre-coordinated plans. In doing so, such organizations would be able to continue performing their role and duties towards the community, when a disaster occurs.”

Hazza Bin Zayed Al Nahyan


Business Continuity

• …Holistic management process that identifies potential threats to an organisation and the impacts to the business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
• ISO 22301, Clause 3.4


Benefits Of BCM

[Figure: the organisation's overall performance plotted against time around an INCIDENT, with the levels "Normal Operations" and "Minimum Level of Operations" marked and curves labelled A, B, "Effective BCM Program" and "No BCM Program"]

Helps to:

• Recover fast urgent processes only… to pre-agreed levels… in reasonable timeframes…
• Maintain stakeholder confidence and trust


Benefits Of BCM

• Framework
• Resilience
• Reputation
• Competitive advantage
• Business improvement
• Continuous improvement
• Compliance
• Win more contracts
• Cost savings
• Delivery
• Capability for managing a disruption


Benefits Of BCM

• Recent Torrential rains and waterlogging
• Cyber Attacks
• Rita
• Terrorist attacks
• Financial scams
• Floods
• Earthquakes
• Volcano eruptions
• Civil unrest
• Power grid failures
• Katrina
• Other IT failures
• Global economic downturn
• Falling oil prices
• Fires (manmade, accidental, natural)
• What’s next?

Helps to be prepared – because we are always one disaster behind


Benefits Of BCM

BCI study


NCEMA Business Continuity Management Action Model


Key BCM concepts

Business Impact Analysis (BIA)

Risk Assessment (RA)

Recovery Time Objective (RTO)

Maximum Tolerable Period of Disruption (MTPD)

Recovery Point Objective (RPO)


Video


ISO 22301 – PDCA Cycle

• Plan: Context of the organisation, Leadership, Planning, Support (Clause 4-7)
• Do: Operation (Clause 8)
• Check: Performance evaluation (Clause 9)
• Act: Improvement (Clause 10)


Auditing BCM per the ISO 22301

Evidence of effectiveness related to:

• Interested Parties
• Regulatory Requirements
• Risk Appetite
• Business Impact Analysis
• Risk Assessment
• Strategies Development
• Plan Development
• Testing
• Training
• Audit
• Management Review
• Performance Evaluation
• Communication
• Continual Improvement


Mandatory Documents

The following must exist:

• Policy
• Program Management Plan
• Interested Parties
• Risk Appetite
• Regulatory Requirements
• BIA(s)
• Strategies
• Plan(s) – incident / emergency / disaster / crisis / continuity / recovery
• RA(s)


Mandatory Documents

• Test Schedule, Plans, Reports
• Maintenance Schedule, Reports
• MR Schedule, Reports
• Training Needs Analysis, Schedule, Competence Records
• Audit Plan, Reports
• Corrections, Corrective Actions and Preventive Actions Report
• Performance Evaluation Report
• Continual Improvement Report
• Incident Reports
• Communication Records (general, specifically from the top management)


From the NCEMA Standard Foreword – By H.H. The National Security Advisor

“Today, business continuity management is being unquestionably recognized as an increasingly important element in the emergency and crisis management process. In this context, we call upon everyone to cooperate and comply with this standard, so as to ensure meeting the minimum technical, training, and administrative requirements are satisfied, providing reassurance and stability for the community at all times.”

Hazza Bin Zayed Al Nahyan


Thank You

Continuity and Resilience (CORE)

P.O. Box 127557,

Abu Dhabi, United Arab Emirates

Tel: 971 2 815 2831 Fax: 971 2 815 2888

Email: [email protected]

Website: www.continuityandresilience.com