Seminar on Operation Sustainability for Your Business at Holiday Inn Silom Hotel, Bangkok
Seminar on Operation Sustainability for Your Business
Thursday 10 May 2012 | 09:00 – 12:00hrs @ Silom Ballroom, Holiday Inn Silom Hotel
BCM introduction – Key Understanding towards Strategic Decision
Mr. Apichai Phongphotakul, Director | Business Risk / Enterprise Risk Services, Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.
Business Continuity Management
10 May 2012
Weerapong Krisadawat, CISA, CISM | Partner & Business Unit Leader – Enterprise Risk Services | Deloitte Touche Tohmatsu Jaiyos
Are you Prepared and Ready to Respond?
Don’t get caught without a plan
2 Business Continuity Management (BCM)
©2012 Deloitte. All rights reserved.
Agenda
What’s on BCM? Understanding the Roadmap to BCM Certification
Deloitte BCM Methodology & Implementation: World class best practices
Introduction: Key understanding towards strategic decision
BCM case studies & lessons learned from various business sectors
Natural Disaster
[Clip: End of the World]
© 2012 Deloitte Touche Tohmatsu Jaiyos
Natural Disasters around the world in 2010
1. Earthquake, Magnitude 7.0, Haiti, January 12
2. Earthquake, Magnitude 8.8, Chile, March 11
3. Volcano Eruptions, Iceland, March 20
4. Floods, Rio de Janeiro, April 5
5. Floods, Tennessee, April 30
6. Floods, China, May 10
7. Floods, Pakistan, July 26
8. Rare Tornado, Queens, Sept. 16
9. Landslide, Mexico, Sept. 28
10. Typhoons, Philippines, Oct. 12-24
11. Typhoons, Myanmar, Oct. 20-23
12. Earthquake, Magnitude 7.7, Indonesia, Oct. 25
Natural Disasters around the world in 2011
1. Earthquake, Magnitude 7.1, Chile, Jan 2
2. Earthquake, Magnitude 7.0, Argentina, Jan 3
3. Major Flood, Australia, Jan 3
4. Flood, 35 Dead, Brazil, Jan 6
5. Great Earthquake and Tsunami, Magnitude 8.9, Japan, Mar 11
6. Earthquake, Magnitude 7.0, Burma, Mar 23
7. Earthquake, Magnitude 6.7, Indonesia, Apr 3
8. Earthquake, Magnitude 7.4, Japan, Apr 7
9. Tornado, 47 Dead, South Carolina, Apr 16
10. Volcano, Iceland, May 21
11. Tornado, Massachusetts, June 1
12. Earthquake, Magnitude 7.8, New Zealand, July 7
13. Hurricane Irene, South East US, Aug 26
14. Wild Fire, Texas, Sep 11
15. Massive Flood, Bangkok, Oct 27
16. Typhoon, Philippines, Dec 18
Disaster effect - Threats to Continuity
Threats surrounding your organization (diagram): Utility Outage, Civil Disturbance, Fire, Construction, Water Leaks, Viruses, Environmental Conditions, Flood, Terrorism, Sabotage, Earthquake, Typhoon, Hackers, Human Error, Equipment Failure, Land Slides
Threat categories: Natural Disaster; Human Intentional; Human Unintentional; Equipment / Environmental
“In today’s business operations, BCM is essential to the organization.”
“How a crisis is managed is a measure of a brand’s capability.” Source: BrandAge Magazine
Brand Value
Top Eight: the most valuable corporate brands in Thailand, by sector (brand value in MB)
Resources / Energy sector: 339,944 MB
Industrials sector: 27,511 MB
Communications sector: 172,798 MB
Financials sector: 154,118 MB
Consumer products sector: 5,311 MB
Services sector: 108,871 MB
Property & Construction sector: 164,995 MB
Food & Agricultural products sector: 40,211 MB
Results from Dr. Kuntalee Ruenrom and Supakorn Pattharathanakul, lecturers in the Department of Marketing, Faculty of Commerce and Accountancy, Chulalongkorn University
What business continuity means today
Business continuity has changed from a reactive, recovery-based practice to a proactive, risk-based one.
How does your organization measure up?
The past (1980–2000): Reactive; Technology-centric; Focused on recovery; Asset-based; One-time project; Responsibility of IT
The future (2001 – ): Proactive; Business-centric; Focused on mitigation; Process-based; Continuous monitoring; Responsibility of board
Factors that drove the evolution of business continuity (timeline: Late 1980s, Early 1990s, Mid 1990s, Late 1990s, Early 2000s, Mid 2000s, Late 2000s)
• DR hit the corporate agenda in the mid 80s as businesses began to increasingly rely on mainframe computers.
• The enthusiasm for DR started to wane as it became evident that a more proactive approach to risk mitigation was required.
• Terrorist attacks of the early to mid 90s made firms realize that DR did not effectively mitigate risks. BC evolved as a result.
• With the technology boom and roaring economy of the late 90s, BC, although a standard business practice, was given little attention.
• Global events have raised awareness that threats are not just physical; cyber, regulatory, and other threats have made BC a part of a risk management program.
Evolution of the discipline: Disaster Recovery (DR); Business Continuity (BC) Planning; Business Continuity Management; Enterprise Resilience
Why business continuity matters to your organization more than ever today
Given the challenges of a global 24x7 business environment, simply recovering your IT assets from a disaster is not enough for your business to even survive, let alone thrive. Today, business continuity is a complex, continuous, organization-wide program that requires the active support and involvement of top management.
• A global economic recession has left your organization more vulnerable to shocks
• Global flashpoints now threaten your organization wherever it has operations
• Complex regulations demand that your business deliver ever-higher service levels
• Physical disasters, both natural and technological, can now cost your business billions
• Your business can no longer afford spiraling IT downtime costs
Pressure to deliver 24x7x365 has resulted in robust threat detection and resource mobilization techniques for foreseeable emergencies. Handling disruptions now becomes part of normal capabilities.
What is BCM?
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (BS 25999)
The BCM response over time:
1. Preparedness / Preventive: Preparedness is how we change behavior to limit the impact of disaster events. It is a continuous cycle of planning, managing, organizing, training, equipping, exercising, creating, evaluating, monitoring and improving activities.
2. Incident Management Plan (within minutes to hours): staff and visitors accounted for; casualties dealt with; damage containment / limitation; damage assessment; invocation of BCP.
3. BCP Response (within minutes to days): contact staff, customers, suppliers, etc.; recovery of critical business processes; rebuild lost work-in-progress.
4. Recovery / Resumption - Back-to-Normal (within weeks to months): damage repair / replacement; relocation to permanent place of work; recovery of costs from insurers.
Two aims:
A. Prevent and avoid damage - Take precautions and plan to minimize damage and impact
B. Rapidly resume operations following any interruption to critical operations - Take steps to resume operations as rapidly as possible - Establish a target restoration time for critical operations to ensure customers do not switch brands
Key Business Continuity Objectives
• Earnings/Profit Protection: Protecting the enterprise’s financial commitments
• Health and Safety: Protect the health and safety of personnel
• Viability: Keeping the company in business
• Brand Protection: Avoiding public embarrassment and loss of credibility
• Continuing New Business: Preserving the ability to sell in the marketplace
What is management looking for from BCM?
CEO / COO / CTO
• Reduce or avoid otherwise ruinous revenue losses
• Protect critical data by leveraging infrastructure and support services
• Ensure the safety of employees and customers
• Maximize the security of physical assets
• Protect reputation and shareholder value
Risk Manager
• Improved threat awareness and mitigation control over time
• Accelerated, effective coordination, communication, and decision-making in a crisis
• Meeting customer and regulatory demands
• Improving the ability to respond to major incidents effectively and safely
• Providing a better case when negotiating business interruption insurance premiums
Operation Manager
• Improving business supply chain resilience
• Determining and protecting time-critical business processes
• Resuming business and employee activities more quickly and cost-effectively
• Reducing downtime and increasing employee productivity
Drivers for Business Continuity Management
Business Continuity Management is not about - or at least not only about - disasters but rather the strategic requirement for continuity. While the number of natural and man-made disasters increases, regulations, expectations, and demands are driving entities to prepare for disruptions from every source.
Drivers (diagram; each rated Strong / Moderate / Weak on a Strategic to Tactical scale): Threats and Risks; Customer Expectations; Laws and Regulations; Data and Information Availability; Shareholder Value; Reliable Initiatives; Enterprise Viability; Standards
Outcome: Resilience, Recoverability & Availability
Why continuity matters today — a recessionary economy
Recessionary trends heighten your exposure to risk. Do your business continuity plans reflect this?
Under normal economic conditions
• Visualize the risks faced by your organization as a threat landscape. The higher the peak, the greater the risk. The red line represents your organization's risk tolerance limit.
• The light grey landscape is your organization's original risk profile. The dark grey landscape is your risk profile lowered by implementation of risk mitigation controls.
• Most risks are now below your organization’s risk tolerance limit.
Effect 1: Diversion of resources
• A recession may cause resources to be diverted away from continuity to focus on organizational survival.
• Your organization may need to deal with a reduced workforce, shutdown of facilities, delayed maintenance or the loss of a vendor, supplier, or partner.
• This may cause an erosion of defenses, causing your organizational risk profile to increase, bringing several risks above the tolerance level.
Effect 2: Reduced tolerance level
• A recession may also reduce your organization's liquidity and earnings, reducing its ability to withstand shocks and disruptions.
• Your risk tolerance level is therefore reduced. Risks that could be tolerated are now above your organization's new tolerance level.
Chart legend: Original risk profile; Lowered risk profile due to risk mitigation; Lowered risk profile under normal conditions; Heightened risk profile due to erosion of defenses; Tolerance level under normal conditions; Lowered tolerance level – reduced resistance to shocks
Source: “Continuity in Recession,” Continuity Central (www.continuitycentral.com)
What does your organization need to do?
With more to accomplish with fewer resources, your business continuity program must become more agile. Continuity plans must reflect the current state of the organization — its capabilities and risk tolerance. Use business continuity tools to automate continuity maintenance tasks and enhance both efficiency and effectiveness. Top management must understand the situation fully in order to act rapidly.
Two ways organizations should look at business continuity
Your business continuity program is a means to survive — and to thrive
Business continuity as a plan for survival
Do you have a program in place? A business continuity program is critical to your company’s very survival.
• 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. Of those companies, 50% filed for bankruptcy quickly.
• Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.
• 75% of companies without business continuity plans fail within three years of a disaster.
• Having a business continuity program in place is critical to the very survival of your company. Statistics unambiguously reveal that organizations which suffer a catastrophic loss and do not have a continuity plan in place are very likely to go out of business shortly after the disaster.
• Your continuity program needs to account for the possibility of crises affecting not just your own organization; your business’ survival could be jeopardized by a crisis that affects an important supplier, customer, vendor, utility, or community.
Sources: National Archives & Records Administration, Washington, D.C.; “Managing Your Risk: The Smart Approach to Protecting Your Business”, The Hartford Loss Control Department; “Blindsided: A Manager’s Guide to Catastrophic Incidents in the Workplace” by Bruce T. Blythe
Business continuity as a source of competitive advantage
Does your program give you an edge? A business continuity program can be a marketplace differentiator.
• With a business continuity program in place, an organization can offer its customers a higher degree of surety about its level of service.
• In 2008, Vodafone UK achieved BS25999 certification (the British Standard Institute’s certificate for business continuity management). It used this to offer a formal assurance to its customers about its continuity capability, gaining significant competitive advantage over other operators (Source: Forrester Research).
• An effective response to a disaster has been shown to have a net positive impact on shareholder value. A study at Templeton College, Oxford, showed that companies that recovered rapidly from a disaster saw a net increase in their stock price (see chart).
[Chart: Stock price performance after disaster; cumulative returns (%) from -20 to +20 plotted against days after disaster (1 to 251); two series: Recoverers and Nonrecoverers]
Source: “The Impact of Catastrophes on Shareholder Value”, Rory F. Knight & Deborah J. Pretty
Spiraling costs of downtime
With dramatically high per-minute costs to business, can your organization afford IT downtime?
Downtime costs regardless of industry are prohibitively high…
• Pressures of serving customers globally on a 24x7 basis. Integration with supplier and partner IT systems. Accelerating time-to-market for products.
• These factors mean that your business's mission-critical applications cannot be unavailable for even short time windows. This is especially true if your organization relies on the Internet to transact business.
… but few organizations can estimate the losses to their business
• “Are you able to quantify the business loss from downtime incidents?” Two in three organizations cannot quantify the loss to their business — either direct or indirect — in case their mission-critical applications fail. (Source: Forrester Research Inc.)
• How much does every minute of downtime cost? Can your organization quantify how much to spend to avoid downtime?
What does your organization need to do?
To determine whether you are overspending (thus diverting resources from other IT projects) or underspending on continuity (continuing to put your critical applications at risk), you need to 1) assess the downtime costs for crucial business systems; 2) perform a risk assessment and a business impact analysis; 3) compare alternative business continuity strategies to determine the benefits of each proposed solution.
Balancing the organization’s tolerance for risk with a hard dollar assessment of the level of mitigation provided by solutions helps to align business continuity investments to provide the right amount of coverage for the right price.
Recovery planning resources need to be appropriately distributed amongst enterprise application, technology infrastructure, data center, and data recovery needs.
Relationship Between ERM & BCM
ERM (Enterprise Risk Management) process: Identify Risks; Assess and Evaluate Risks; Integrate Risks; Risk Response Plans
BCM (Business Continuity Management) components: IMP (Incident Management Plan); Crisis Management Plan; BCP; DRP (Disaster Recovery Plan); Relocation; Media; Clean up; …
BCM = Business Continuity Management
DRP = Disaster Recovery Plan
ERM = Enterprise Risk Management
IMP = Incident Management Plan
The Benefits of Business Continuity
An effective business continuity program will:
• Improve threat awareness
• Better protect people
• Protect reputation and shareholder value
• Improve supply chain resilience
• Determine and protect time-critical business processes
• Meet customer and regulatory demands
• Accelerate effective decision-making in a crisis
• Improve the ability to respond to major incidents effectively and safely
• Provide a better case when negotiating business interruption insurance premiums
Key Success Factors
• The cost of doing nothing is too high
• Enterprises must thoroughly reassess their business continuity strategies and apply them to the distinctively different circumstances of each situation
• Plans need to be developed or revised to incorporate the effect of a significant – and sustained – absence of staff, including critical staff members, and the absence of premises and technology
• Consideration must be given to different regulatory frameworks, cultural practices, and risk levels
• Dependence on government organizations and third parties must be analyzed and the risks mitigated
• Regular maintenance, review and testing of plans is not an option but a necessity
Common Disaster Recovery Pitfalls
Deloitte has observed many common pitfalls while working with 100+ organizations, and we have aligned our efforts to mitigate these common issues.
Common Pitfalls
• Companies often have an ineffective event escalation and declaration process in place
• Application acceptance criteria (testing checklists) are not adequate for application recovery plans
• Testing is often limited as a result of a poor or insufficient level of detail within recovery procedures
• Recovery planning is typically seen as a discrete project or “point-in-time” effort, quickly resulting in out-of-date processes and procedures.
These factors combined necessitate improvisation and trial-and-error recovery, adding confusion, stress, uncertainty and time to the overall recovery process.
Our Preventative Measures
• Deloitte will collaborate with you to establish robust and effective Disaster Program processes, including event detection, escalation and activation.
• Deloitte will develop recovery procedures with direct input from your personnel in order to provide an appropriate level of detail.
• Application validation checklists and system acceptance criteria will be developed as part of system recovery procedures.
• Deloitte will provide guidance on how to sustain recovery plan viability as part of the overall Disaster Recovery program.
BCM Implementation: Lessons Learned
Business Continuity Lessons Learned
• Recoverability and resilience are not built into Business as Usual
• DR professionals at MOST companies are not consulted during a crisis or event
• All types of threats must be included
• Copies of plans should be stored at a secure off-site location
• Increased uncertainty (following a high-impact disruption) may lengthen the time to normal operations
• Companies struggle to roll up requirements and activities
• There are continued perceptions that BCM is a technology problem
• Business risk management is beyond a core competency and organizations have limited in-house expertise
• Alternate sites for IT backup should not be situated close to the primary site
• Telecommunications are essential
• Key personnel may be unavailable
• Plans must be updated and tested frequently
There is a gap in many organizations between management expectations and the company's ability to continue business operations.
Why is it a struggle to implement an effective BCM / BCP?
Challenges
– Business processes have an increasingly greater dependence on applications and technology
– Business has aggressive recovery time and recovery point objectives
– The complexity of the processes that need to be restarted has increased dramatically
– The lack of paper records has increased the impact, financial and other, of losing data
– Significant interdependencies between applications, systems, and business processes increase the complexity of recovery
Business Continuity Timeline (diagram, with Business, IT and Network lanes)
Normal processing and activity; Service interruption; Problem identification; Notification and communication; Relocate or reroute business process; Manual processes; Restore voice and data network; Configure, Provision, and Restore Data; Recover applications; Resume and synchronize business
Markers on the timeline: Potential data loss (the data window before the interruption); Time to recovery (from the interruption to resumption)
Many companies struggle implementing an effective BC plan because of the complex coordination between business and technology components.
What’s on BCMS? Understanding the road map to BCM Certification.
Mr. Teeradej Vibulpatanavong, ITMS / ISMS / BCMS Product Manager, Bureau Veritas Certification (Thailand) Ltd.
Copyright © Bureau Veritas Certification Thailand
What’s on BCMS? Understanding the road map to BCMS Certification.
Teeradej Vibulpatanavong, Quality & IT Product Manager
Venue: Holiday Inn, Silom, Bangkok
Date: 10 May 2012
Introducing Bureau Veritas Certification
Bureau Veritas at a Glance
► Created in 1828
► A global leader in conformity assessment services in the areas of quality, health and safety, environment and social responsibility (QHSE)
• Network of more than 700 offices in 140 countries
• Over 26,000 skilled employees
► Eight global businesses providing a complete set of services
• Services include: Inspection, testing, audit, certification, classification, risk management, outsourcing, consulting and training services
► Servicing 280,000 customers across a wide range of end markets
Broad Geographic Presence (2006 revenue breakdown): France 33%; Europe 22%; Asia Pacific & Middle East 22%; Americas 18%; Africa 5%
Eight Global Businesses (2006 revenue breakdown): Construction 20%; Consumer Products 14%; Industry 13%; Inspection & In-Service Verification 13%; Marine 11%; Certification 11%; HSE 10%; Government Services 8%
Our Profession: QHSE Compliance
Reference Standard, Action, Deliverable, Assessment
Full independence from any Design / Manufacturing / Contracting / Insurance activity
A Balanced Portfolio of Activities
Marine
► Ship classification, ship and marine equipment certification, technical assistance and outsourcing services
Industry
► Conformity assessment of industrial equipment and installations to regulatory or client specifications from feasibility stage to de-commissioning
► Services include design review, shop inspection, site inspection, asset integrity management, product certification and related testing services such as non-destructive testing
Inspection & In-Service Verification (IVS)
► Periodic inspection of equipment and installations to assess conformity with regulations or client-specific requirements
► Services apply to electrical installations, fire safety systems, lifts, pressure and lifting equipment, and machinery
Construction
► Conformity assessment of construction projects to local regulations and construction standards, from design stage to completion
► Services include design review, code compliance, technical control, on-site safety coordination, testing of construction materials, asset management and technical due diligence services
Health, Safety and Environment (HSE)
► Inspection, audit, measurement and testing services in the areas of environment and health and safety
► Technical assistance and consultancy services to help companies define their HSE management strategy and improve their performance
Certification
► Certification of management systems and processes in the areas of quality, health and safety, environment and social responsibility based on public standards
► Second party auditing services based on customer-specific or Bureau Veritas standards
Consumer Products
► Testing, inspection and certification of consumer goods including textiles, hardlines, toys, electrical and electronics
► Factory audits, social responsibility audits and training services
Government Services and International Trade (GSIT)
► Government Services: Pre-Shipment Inspection, X-Ray Scanning, Verification of Conformity of imported products
► International Trade: Commodity quantity/quality assurance, automotive services
Eight global businesses providing strong growth and cross-selling opportunities
Our Logo
Logo change (from the previous logo to the current one) and certification mark change, effective since 17 January 2007
Standards related to BCM
Business Continuity Management System
Business Continuity: the result. Business Continuity Management: the process. Business Continuity Management System: the system.
Business Continuity Management (BCM): important and time-sensitive
Business Continuity Management System Standards
► BS 25999 Business Continuity Management
• Part 1 – Code of Practice – Published in November 2006. Provides information about business continuity management and the key stages for implementation.
• Part 2 – Specification – Published in November 2007. An auditable standard against which organisations may be audited by Certification Bodies and become certified. Includes all requirements for Management System implementation.
► ISO 22301 Societal security -- Preparedness and continuity management systems -- Requirements
• Current status is Final Draft International Standard (FDIS). It also has 2 parts. Expected to be published in June 2012.
► TIS 22301-2553 Business Continuity Management Systems – Requirements (Thai Industrial Standard มอก. 22301–2553: Business continuity management system – Requirements)
Business Continuity Management System Standards
BS 25999-1 Code of practice
1 Scope and applicability
2 Terms and definitions
3 Overview of business continuity management (BCM)
4 The Business Continuity Management policy
5 BCM Programme Management
6 Understanding the organization
7 Determining business continuity strategy
8 Developing and implementing a BCM response
9 Exercising, maintaining and reviewing BCM arrangements
10 Embedding BCM in the organization's culture
BS 25999-2 Specification
1 Scope
2 Terms and definitions
3 Planning the Business Continuity Management System (BCMS)
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
Annex A Correspondence with ISO 9001, ISO 14001 and ISO 27001
Relationship with other IT management system standards
ISO 20000 IT Service: 13 processes in IT Service Management Systems (Information Security Management included)
• 6 Service delivery processes: Service level management; Service reporting; Capacity management; Information security management; Service continuity & availability management; Budgeting and accounting for IT services
• 7 Relationship processes: Business relationship management; Supplier management
• 8 Resolution processes: Incident management; Problem management
• 9 Control processes: Configuration management; Change management
• 10 Release process: Release management process
ISO 27001 Information Security: Process: Information Security Management Systems
1. Personnel Security
2. Physical and environmental security
3. Communications and operations
4. Access control
5. System development and maintenance, taking security into account
6. Business continuity management
BS 25999 Business Continuity: Process: Business Continuity Management System
1. Planning the BCMS
2. Implementing and operating the BCMS
3. Monitoring and reviewing the BCMS
4. Maintaining and improving the BCMS
ISO 31000 Risk Management: Generic approach to developing, implementing and continuously improving a framework to integrate the process of managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture
Other management system standards with requirements related to BCM
► ISO/TS 16949: 2009, 6.3.2 Contingency plans: prepare contingency plans to satisfy customer requirements in the event of an emergency such as utility interruptions, labour shortages, key equipment failure and field returns.
► ISO 14001: 2004, 4.4.7 Emergency preparedness and response: identify potential emergency situations and potential accidents that can have an impact(s) on the environment and how the organization will respond to them; respond to actual emergency situations and accidents and prevent or mitigate associated adverse environmental impacts; periodically review, periodically test.
► OHSAS 18001: 2007, 4.4.7 Emergency preparedness and response
Business Continuity Management and Quality Management
[Diagram: Quality Management covers normal business circumstances; Business Continuity Management covers disrupted business circumstances.]
BCM complements Quality Management.
Relationships and Consideration on Part-1 & Part-2
[Diagram: the BCM lifecycle]
► BCM Programme Management (at the centre)
► Understanding the Organization
► Determining BCM Strategy
► Developing and Implementing BCM Response
► Exercising, Maintenance and Reviewing
► Embedding BCM in the Organization's Culture
ISO 22301 and its family
► ISO/FDIS 22301: 2012 Societal security -- Business continuity management systems -- Requirements
  The international standard is expected to be published within Q2 of 2012.
► ISO/FDIS 22300: 2012 Societal security -- Terminology
  Same as ISO 22301.
► ISO/DIS 22313 Societal security -- Business continuity management systems -- Guidance
► ISO/DIS 22398 Societal security -- Guidelines for exercises and testing
► ISO 22320: 2011 Societal security -- Emergency management -- Requirements for incident response
► ISO/PAS 22399: 2007 Societal security -- Guideline for incident preparedness and operational continuity management
► ISO/WD 22323 Organizational resilience management systems -- Requirements with guidance for use
ISO 22301, its family, and other families
► ISO/TR 22312: 2011 Societal security -- Technological capabilities
► ISO/CD 22397 Societal security -- Public Private Partnership -- Guidelines to set up partnership agreements
► ISO/CD 22322 Societal security -- Emergency management -- Public warning
► ISO/NP 22315 Societal security -- Mass evacuation
► ISO/NP 22351 Societal security -- Emergency management -- Shared situation awareness
► …
► ISO/IEC 27031: 2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
► ISO 28000: 2007 Specification for security management systems for the supply chain
► REMARK: NP = New Work Item Proposal; CD = Committee Draft; FDIS = Final Draft International Standard; TR = Technical Report
Stages in the development of an ISO standard
PWI → NP → WD → CD → DIS → FDIS → ISO
Transition Policy
► No official transition policy has been issued yet.
► ISO 22301 is expected to be published within Q2 of this year. ISO 22301 passed its ballot in April and is now being typeset, which takes about 2 months from the vote.
► The transition period is expected to be between 12 and 18 months, or possibly 3 years.
► The change from BS 25999-2 to ISO 22301: 2012 can be made during a Surveillance Audit within the existing certification cycle.
► Additional assessment may be required, focusing on the differences between BS 25999-2 and ISO 22301, depending on the scope and size of the organization.
Key differences between ISO 22301 and BS 25999-2
► ISO 22301 is the first standard to use ISO's new structure for management-system requirements (the other existing standards will change their structure to follow it).
► Although the management-system structure is new, some experts comment that the core substance of BCM has not changed.
► Greater emphasis on the leadership role of top management.
► Greater emphasis on measuring performance.
► "Preventive action" is replaced by "actions to address risks and opportunities" and moved to the front of the system design.
► Greater emphasis on communication both inside and outside the organization.
► More importance placed on warning and notification.
► The requirements for Document Control and Record Control are combined.
New structure of management-system requirements in ISO 22301
Introduction:
► Clause 1: Scope
► Clause 2: Normative reference
► Clause 3: Terms and definitions
Requirements:
► Clause 4: Context of the organization
► Clause 5: Leadership
► Clause 6: Planning
► Clause 7: Support
► Clause 8: Operations
► Clause 9: Performance Evaluation
► Clause 10: Improvement
Certification process
Bureau Veritas Audit Process
• Preliminary Audit (optional)
• Initial Audit: verification of the BCMS framework
• Certification Audit: BIA, Risk Assessment, BCM Strategy, BCP/IMP, exercise, audit, MR etc.; verification of implementation
• Certificate issued, then continual improvement
• Surveillance Audit and Re-certification Audit: same as other standards (Management System Audit Cycle)

Certification Process
Inquiry → Consultation → Estimation → Contract (Contract Review: scope, time-scale, audit team) → Application → Audit Stage 1 → Audit Stage 2 → Certification → Surveillance
IBM: BS25999, ISO9001, ISO27001 Triple Certificate
Client: IBM Business Continuity and Recovery Services - Italy division
The Business Continuity and Recovery Services - Italy division obtained its first triple certification: ISO 9001, ISO 27001, BS 25999.
Ali Dincmen, International Business Development Director – Bureau Veritas Certification France, said: "is one of the first IT Services companies in Europe to have obtained the two certifications BS 25 999 and ISO/IEC 27001:2005."
For IBM, these certifications have internal and external benefits:
• IBM clients and partners are assured of a commitment to quality and security
• IBM demonstrates best market practices in IT environments that are well managed and provide the highest level of quality services.
One of the key factors that allowed the BCRS division to get certified in a very short time and with minimum effort has been the innovative approach of integrating its Information Security Management System (ISO/IEC 27001) and the IBM Global Management System (ISO 9001), already in place, with the new Business Continuity Management System (BS 25999).
Norberto Colombo, Italy Quality Program Manager of IBM, said:
"I'm very pleased to report that another strategic goal has been reached by "Business Continuity & Resiliency Services (BCRS) Italy" in order to offer our clients a service even more qualified. This is an effective reason to capture business opportunities and to get a strategic advantage regarding national and international competitors."
Certification Process: Accreditation Body Function
Accreditation Body (JIPDEC)
   | ISO Guide 62 and ISO 17021
Certification/Registration Body (e.g. Bureau Veritas Certification)
   | BS 25999-2: 2007 / ISO/IEC 22301: 2012
Organization to be certified (i.e. Client)
Certification Process: How do auditors find evidence?
• Reviewing documents
• Looking at records
• Interviewing people at all levels
• Observing practices and physical environment
NOTE: Can/should the auditor cover all people, documents and records during the audit?

Initial documentation review (Adequacy, desktop, intent audit)
Audit criteria = BS25999-2 or ISO 22301 and other audit criteria; use a checklist.
In many instances it will not be possible to assess whether MS requirements are satisfied in principle from looking only at the documents. Auditors take a holistic approach to assess the adequacy of MS documentation (not just procedures). Current practice is to conduct this activity on-site.
Conformance or Implementation audit
Audit criteria = work practices. Work practices might not be documented in "written" procedures or work instructions.

Auditing activities (ISO 19011: 2011)
Initiating the audit → Initial document review → Preparing for on-site audit → On-site auditing activities → Reporting on the audit → Audit completion → Audit follow-up
Applying BCM
Steps in establishing BCM
• Set the scope
• Identify Key Products / Services
• Identify the Processes that support the Key Products / Services
• Business Impact Analysis
• Risk Assessment
• Risk Treatment
• Develop the BCP / IMP
• Exercise and test
Setting Scope (Example)
[Diagram: an Organization delivering Product A, Product B, Service C and Service D to Customer A and Customer B, supported by Activity 1 to Activity 6, an Outsourcer, Stakeholders and Senior Management. Source: Good Practice Guideline 2008]
In the above diagram, if it is decided that Product B and Service C are within scope of the programme, then the shaded activities are necessarily fully or partly within the scope.
BCM
4 simple questions for BCM
1. What must survive?
2. What resources are needed?
3. How do we prepare?
4. How can we be confident it will survive?
Answered through: Business Impact Analysis / Continuity Requirement Analysis; BCP / IMP; BCM Exercising.
Finding the balance
Exercising, maintaining and reviewing
[Chart: exercise types ordered by rising complexity: Desk Check → Walkthrough → Simulation → Small rehearsals and tests → Medium rehearsals and tests → Large rehearsals and tests → Full rehearsals and tests. Cost rises with complexity, and so does risk!!!]
Improving the organization's BCM capability
Thank you for your attention.
Deloitte BCM Methodology & Implementation: World Class Best Practices
Mr. Supharerg Khemngern, Manager – BCM Services, ERS, Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.
Deloitte Risk Intelligence – BCM Framework
[Diagram: four phases, sustained and continuously improved, spanning enterprise level and business-unit level]
• Policy & Governance: Roles & Responsibilities
• Analysis: Risk Assessment; Business Impact Analysis
• Planning and Implementation: Business Continuity Strategy; Plan Development (Organizational Crisis Management Plan, Corporate BCM Plan, Department BCM Plans, IT DR Plans)
• BCM Programme Maintenance: Training; Testing; Maintenance
Layers: Business Continuity Policy & Governance; Business Continuity Strategy; Business Continuity Implementation; Business Continuity Sustenance
Owners: Board of Directors; Executive Management; BCM Department, Business Units and Corporate Support Functions; BCM Department
Deloitte Approach - BETH3 TAP: Business Continuity Management / Continuity of Operations
[Diagram: the resource categories a process depends on, numbered 1 to 9 on the slide]
• Building (Facilities/Utilities)
• Equipment
• Technology (Application, Data, Infrastructure)
• Human Resources
• Third Parties (Vendors, Customers, Service Providers)
** Capabilities Assessment – Resiliency and Recoverability (CARR) Framework
Deloitte BCM Methodology vs. BS25999
Governance & Project Management (spans all four phases)
• Analyze: Current State Assessment; Risk Assessment; Business Impact Analysis
• Develop: Governance Model; Resilience & Recoverability Strategy; BCM Plans Documentation
• Implement: Resource acquisition & embedding; Training of key personnel; Testing of plans, procedures & assumptions
• Assure: Continuous Improvement; Reassessment and Quality Assurance; Audit and certification
Governance & Project Management
Description: Create the governance model for a systematic program for the management and sustainment of business continuity processes, including emergency response, crisis management, business continuity, and disaster recovery.
Key Outcomes:
• BCM program mission statement & strategy
• BCM organization including staffing model and roles & responsibilities for the program office, steering committee, and working team comprising members of the business committee
• BCM policies, standards, guidelines, and terminology definitions
• BCM integrated into organization and IT change management processes
• BCM training & awareness strategy
• BCM program audit & compliance strategy
• BCM program metrics & reporting process
• BCM continuous improvement process
Benefit:
• Executive oversight of the BCM capabilities
• Mechanism to build and sustain BCM capabilities
• Better understanding of BCM program roles & responsibilities
Dependencies:
• Funding for BCM initiative
Stakeholders:
• BCM program office
• BCM executive steering committee
• People & performance
• Internal audit
• Legal
• BCM representatives from the business

BCM Governance Decisions
Leadership
• What is the overall direction for the business and related IT within the corporation?
• What are the cultural values regarding risk management?
• How should key stakeholders be represented?
Policy and Standards
• What should the fundamental BCM operating principles be?
• What internal BCM standards, rules and protocols are needed?
• Aligning BCM methodology and standards to industry standards such as BS25999, NFPA1600, BCI, and DRII
Planning
• What should the corporate business recovery strategy include?
• What should be the corporate IT recovery goals?
• How should BCM program management be measured?
Allocating Capital
• How should limited resources be efficiently allocated?
• What capital is available for investment?
• What criteria should be used to dictate BCM investment decisions?
• What process should be used to review expenditures?
Coordination and Compliance
• What process should be used to ensure compliance with BCM standards and obligations?
• How should corporate BCM coordinate recovery activities between organizational units?
Monitoring and Control
• What qualitative benchmarking should be performed?
• How should periodic BCM progress reports be created and reviewed?
• What corrective action should be taken as key findings are made?
• How should the organization ensure corrections take place?
Governance framework elements: Strategy; Policies; Standards; Guidelines; Organization; Change Management; Training & Awareness; Audit & Compliance; Metrics & Reporting; Continuous Improvement & Quality Assurance
Deloitte's point of view - BCM Organization
[Diagram: phases Preparedness → Emergency Response → Continuity → Recovery / Back-to-normal, with Plan, Team and Timing rows]
Plans: Risk Management; Incident Management; Crisis Management; Business Continuity Plan
Teams: Crisis Management Team; Business Continuity Team
Activities:
• Safety & Security
• Incident Response: Employee Safety; Loss Reporting; Crisis Communication
• Facility Management & Recovery: Salvage Operations
• Business Process Recovery: Supply Chain Continuity; Alternate Processing; Workplace Relocation; Disaster Recovery; Human Resources
Skills for BCM personnel
• Thorough knowledge of the organization's business
• Project management skills
• Analysis and problem-solving skills
• Knowledge-transfer skills
• Understanding of the command and communication structure
• Understanding of the details of the documents related to BCM
Business Impact Analysis (BIA)
[Figure: Sample BIA Interview Form]
Description: Conduct a business impact analysis of key business functions to measure the potential financial and operational impacts that could occur if a business process was unable to operate for an extended period of time for any reason. The business impact analysis will provide requirements for recovery and will prioritize business functions. After plans have been developed, validation of business impacts can occur to assess whether strategies and plans meet recovery objectives.
Key Outcomes:
• Validated list of prioritized business functions and impacts
• Recovery requirements for business functions including resources and dependencies
Benefit:
• Helps prioritize business continuity planning activities and allocate scarce resources
• Provides clearer understanding of business process priorities and expectations in the event of a disaster
• Ability to create business continuity plans with a clear understanding of business requirements
• Potentially identify cost saving opportunities in current operations
Dependencies:
• BCM governance
Stakeholders:
• BCM program office
• BCM representatives from the business
[Chart: Impacts ($) against Time (hours: 0, 6, 12, 24, 48, 72+), with the y-axis marked $0, $1M, $5M, $10M, $50M. The Financial Tolerance Limit (FTL) sits at $5M. Impact curves for Process A and Process B each have their own Recovery Time Objective (RTO). The Event is the origin; the RPO (data synch) lies before it and the RTO (workarounds) after it.]
Timeline: MTPD / RTO / RPO
Key Objectives
• Business process review, interdependencies and priorities
• Critical applications
• Recovery Time Objective (RTO)
• Recovery Point Objectives (RPO)
• Minimum operating requirements
RTO vs RPO
[Chart: Data Loss (RPO) scaled Years → Days → Hrs → Mins → Secs to the left of the event; Downtime (RTO) scaled Secs → Mins → Hrs → Days to the right.]
Protection Methods: Vaults; Tape Backups; Disk Backups; Synthetic Backup; Capture on Write; Real Time Replication; Archival Snapshots
Recovery Methods: Tape Restores; Disk Restores; Instant Recovery; Roll Back; Surgical Search & Retrieve
Enabling Technologies: Tape & Automation; De-duplication; Point-in-Time; Continuous Data Protection; Remote Replication; Content Indexed Archival
The business objectives for resilience are established when the tolerance for data loss and downtime becomes very short – seconds to minutes. These objectives become, in effect, SLAs for Information Technology.
Risk Assessment (RA)
Description: Conduct a high-level risk assessment to identify major credible natural, man-made, and technological threats to the organization's key resources, their likelihood and potential impact, and recommendations to mitigate risks to an acceptable level.
Key Outcomes:
• List of critical resources
• List of credible threats to those resources
• Likelihood and impact of those threats on critical resources
• Residual risks and recommendations to reduce residual risks to an acceptable level
Benefit:
• Understanding of critical resources and key threats to the organization
• Risk-based approach to allocating business continuity risk mitigation resources
Dependencies:
• BCM governance
Stakeholders:
• BCM program office
• Enterprise risk management
• BCM representatives from the business

Sample Threat Chart
Category   Threat                                     Vulnerability  Forewarning  Duration      Score  Risk      In Scope
Natural    Flooding                                   Low            Yes          Short         3      Low       No
Natural    Wind damage / tornado                      High           Yes          Short         5      Moderate  Yes
Man-made   Explosion                                  Very High      No           Short         6      High      Yes
Man-made   Hazardous waste                            Medium         No           Short         5      Moderate  Yes
Man-made   Extortion                                  Low            No           Intermediate  5      Moderate  Yes
Man-made   Terrorism                                  Medium         No           Short         4      Low       No
Technical  Malfunction or failure of hardware         Medium         No           Short         5      Moderate  Yes
Technical  Malfunction or failure of system software  Medium         No           Short         5      Moderate  Yes
Risk Assessment - Tool
1. Collect Business Continuity Survey + internal data + external data
2. Scoring tool for risk assessment
3. Once the Business Impact Analysis scoring tool is finalized, the final score will be plotted on the Heat Map
[Heat map: a 5 × 5 grid with the risk assessment score (1 to 5) on the vertical axis and a 1 to 5 scale on the horizontal axis]
Availability & Recovery Strategies
Sample Availability Strategy Analysis
[Chart: Cost of solution ($ to $$$) against Time to functional availability (Seconds, Minutes, Hours, Days, Weeks), showing the continuum of availability strategies: Dedicated workspace, Pre-staged workspace, Remote access, Commercial work area, Mobile facility, Acquisition.]
Description: Devise strategies based on various availability and recovery alternatives to meet business continuity requirements identified during the risk assessment and business impact analysis.
Key Outcomes:
• Decisions on the most risk- and cost-effective availability and recovery strategy
• Resource requirements and implementation needs to realize the strategy
Benefit:
• Guide the organization in determining the appropriate measures and resource requirements to meet stated objectives
Dependencies:
• Risk assessment
• Business impact analysis
Stakeholders:
• BCM teams from the business functions
• BCM program office
Sample of selecting Strategy Process (Internal Recovery)
When making a decision about internal recovery, the following systematic approach may be used to filter the different alternatives. The picture on this slide is an illustrative example showing that options are gradually narrowed until the best option is determined.
Sample IT Recovery Strategies

Recovery Time Objective (RTO): Nearly Immediate (Infrastructure)
  Possible Alternative Strategy:
  • 100% resilient infrastructure
  • Fully redundant, failsafe WAN/LAN technology
  • Fully secured redundancy
  • In-house developed/Outsourced
  Actual Implementation:
  • Redundant Power
  • Multi-path, multi-carrier communications providers
  • Real time rerouting of network
  • Alternate data center for highly critical applications

Recovery Time Objective (RTO): Less than 1 hour
  Possible Alternative Strategy:
  • Clustering/Active-Active & Clustering/Active-Passive
  • Redundant Power/NICs/HBA
  • Data Replication/Data Mirroring or RAID
  • Continuous Monitoring
  Actual Implementation:
  • Develop/contract for alternative data center out of region (hot-site)
  • Full infrastructure redundancy
  • Data mirroring/Off-site Vaulting

Recovery Time Objective (RTO): 1 - 24 hours
  Possible Alternative Strategy:
  • Clustering/Active-Active
  • Redundant Power/NICs/HBA
  • Data Replication/Data Mirroring or RAID
  • Continuous Monitoring
  Actual Implementation:
  • Use alternate data center (hot-site)
  • No Active-Passive Clustering

Recovery Time Objective (RTO): 25 - 48 hours
  Possible Alternative Strategy:
  • Clustering/Active-Passive
  • Redundant Power/NICs/HBA
  • Data Replication/Data Mirroring or RAID
  • Continuous Monitoring
  Actual Implementation:
  • Specific Application Tape Recovery
  • Asynch Tape Backup at Redundant Site
  • Asynch Remote Vaulting Disk
  • Mirroring of SAN Remote Vaulting to Tape (Avoid data corruption)

Recovery Time Objective (RTO): 2 – 7 Days
  Possible Alternative Strategy:
  • Redundant Power/NICs/HBA
  • Data Replication/Data Mirroring or RAID
  • Continuous Monitoring
  Actual Implementation:
  • Tape recovery – Dedicated tapes
  • Remote Tape Vault at 3rd party site
  • Remote Tape Vault at alternative location

Recovery Time Objective (RTO): 7 – 14 Days
  Possible Alternative Strategy:
  • Redundant Power/NICs/HBA
  • Data Replication/Data Mirroring or RAID
  • Continuous Monitoring
  Actual Implementation:
  • Tape recovery – Shared tapes with drop ship for hardware
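A worked example tying the BIA chart (impact curve, FTL, MTPD, RTO, RPO) to the strategy table above; it is added here and is not Deloitte's tool or code. It interpolates a constructed impact curve to find the MTPD where the loss reaches the FTL, sets the RTO below it, picks the RTO band from the table and a protection method from the RTO vs RPO slide, then validates that the loss at the chosen RTO stays within the FTL. The 75 % RTO margin, linear interpolation and the RPO bands are assumptions, not figures from the slides.

```python
"""BIA worked example: impact curve -> MTPD -> RTO -> IT recovery tier.

Constructed illustration, not Deloitte's tool. Assumptions beyond the slides:
linear interpolation between sampled points, RTO set at 75 % of MTPD, and
the RPO-to-protection bands read off the "RTO vs RPO" slide.
"""
from bisect import bisect_left
from dataclasses import dataclass

@dataclass(frozen=True)
class ImpactPoint:
    hours: float     # hours of outage since the event
    loss_usd: float  # cumulative financial impact at that time

@dataclass(frozen=True)
class Process:
    name: str
    impact_curve: tuple  # ImpactPoints sorted by hours, starting at hour 0
    rpo_hours: float     # tolerable gap between last good data copy and the event

# RTO bands from the "Sample IT Recovery Strategies" table: (upper bound in hours,
# inclusive; band name; the "actual implementation" column summarised).
RTO_BANDS = (
    (1.0, "Less than 1 hour", "out-of-region hot-site, full redundancy, data mirroring/off-site vaulting"),
    (24.0, "1 - 24 hours", "alternate data center (hot-site), no Active-Passive clustering"),
    (48.0, "25 - 48 hours", "application tape recovery, asynch backup/remote vaulting at redundant site"),
    (168.0, "2 - 7 Days", "tape recovery with dedicated tapes, remote tape vault"),
    (336.0, "7 - 14 Days", "tape recovery with shared tapes, drop-ship hardware"),
)
# Tolerable data loss in hours -> protection method (assumed bands).
RPO_BANDS = ((1 / 60, "Real-time replication / continuous data protection"),
             (24.0, "Disk backups / snapshots"), (365 * 24.0, "Tape backups"))
RTO_FRACTION_OF_MTPD = 0.75  # assumption: keep a 25 % margin below the MTPD

def loss_at(curve, hours):
    """Cumulative loss after `hours` of outage, linearly interpolated."""
    if hours <= curve[0].hours:
        return curve[0].loss_usd
    for prev, nxt in zip(curve, curve[1:]):
        if hours <= nxt.hours:
            frac = (hours - prev.hours) / (nxt.hours - prev.hours)
            return prev.loss_usd + frac * (nxt.loss_usd - prev.loss_usd)
    return curve[-1].loss_usd  # beyond the analysed horizon: hold the last value

def mtpd_hours(curve, ftl_usd):
    """First time the loss reaches the FTL; None if it never does within the horizon."""
    if curve[0].loss_usd >= ftl_usd:
        return curve[0].hours
    for prev, nxt in zip(curve, curve[1:]):
        if nxt.loss_usd >= ftl_usd:
            frac = (ftl_usd - prev.loss_usd) / (nxt.loss_usd - prev.loss_usd)
            return prev.hours + frac * (nxt.hours - prev.hours)
    return None

def rto_tier(rto_hours):
    """Map an RTO to the table's band name and implementation summary."""
    if rto_hours == 0:
        return "Nearly Immediate", "100% resilient infrastructure, alternate data center"
    idx = bisect_left([band[0] for band in RTO_BANDS], rto_hours)
    if idx == len(RTO_BANDS):
        return "Beyond 14 days", "not covered by the sample table"
    return RTO_BANDS[idx][1], RTO_BANDS[idx][2]

def rpo_method(rpo_hours):
    """Protection method whose data-loss band covers the RPO."""
    for bound, method in RPO_BANDS:
        if rpo_hours <= bound:
            return method
    return "Archival / vaults"

def continuity_plan(process, ftl_usd):
    """Derive MTPD, RTO, tier and RPO method for one process; check RTO against FTL."""
    mtpd = mtpd_hours(process.impact_curve, ftl_usd)
    plan = {"name": process.name, "mtpd_hours": mtpd, "rto_hours": None,
            "rto_tier": "MTPD beyond analysed horizon: extend the BIA horizon",
            "strategy": None, "rpo_method": rpo_method(process.rpo_hours),
            "loss_at_rto": None, "within_ftl": None}
    if mtpd is None:  # the loss never reached the FTL: nothing to size yet
        return plan
    rto = RTO_FRACTION_OF_MTPD * mtpd
    plan["rto_hours"] = rto
    plan["rto_tier"], plan["strategy"] = rto_tier(rto)
    plan["loss_at_rto"] = loss_at(process.impact_curve, rto)
    plan["within_ftl"] = plan["loss_at_rto"] <= ftl_usd  # validation step
    return plan

# Constructed sample input shaped like the slide's chart (FTL of $5M).
FTL_USD = 5_000_000.0
HOURS = (0, 6, 12, 24, 48, 72)
def _curve(losses):
    return tuple(ImpactPoint(h, l) for h, l in zip(HOURS, losses))
PROCESS_A = Process("Process A", _curve((0, 1e6, 2e6, 4e6, 8e6, 15e6)), rpo_hours=0.25)
PROCESS_B = Process("Process B", _curve((0, 2e5, 5e5, 1e6, 2e6, 5e6)), rpo_hours=48.0)
PROCESS_C = Process("Process C", _curve((0, 1e5, 2e5, 4e5, 6e5, 1e6)), rpo_hours=0.01)

if __name__ == "__main__":
    for proc in (PROCESS_A, PROCESS_B, PROCESS_C):
        print(continuity_plan(proc, FTL_USD))
```

Process C never reaches the FTL inside the 72-hour horizon, so the plan reports that the BIA horizon must be extended before an RTO can be set.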
Business Continuity Plan (BCP)
[Figure: Sample Business Continuity Plan]
Description: Create business continuity plans that describe the actions and resources necessary to achieve the objectives of the organization's recovery strategy. These procedures are documented in formal plans and provide guidance through clearly-defined and action-oriented tasks.
Key Outcomes:
• Clearly-defined and action-oriented business continuity plans
• BETH3 resource requirements for business resumption
• Employee and third party notification procedures
• Manual workaround procedures
• Key dependencies
Benefit:
• Indicate what needs to be done during a disruption in order to minimize decision points at the time of the disruption
Dependencies:
• Availability & Recovery Strategies
Stakeholders:
• BCM teams from the business functions
• BCM program office
Plan Documents
Emergency Response Plan: Focus on people and property. Includes escalation, notification, life safety, physical security, technology, and emergency operation center procedures. Addresses the immediate after-effects of the event.
Crisis Management Plan: Focus on strategic leadership, executive protection and response, succession, public relations, legal, employee death or injury, major supply chain disruptions and other critical situations. The Crisis Management team takes responsibility from the Emergency Response team and becomes active prior to declaration of a "disaster". The Crisis Management Team is responsible for "declaring the disaster".
Business Continuity Plan: Focus on critical process or business unit, core competencies, key personnel, RTOs & RPOs, alternative locations, command & control, vital records protection, data security and workarounds & interim operations.
Disaster Recovery Plan: Focus on restoring technology & business infrastructure. It includes critical systems restoration, RTOs and RPOs, communications, data recovery, and recovery sites.
Structure of BCM Documentation
• Facility BCM Binders contain recovery information
• Stored offsite and electronically
• Distributed at time of disaster
• Operation cards to be posted on boards to facilitate/track recovery
[Diagram]
Facility Level – Facility BCM Binders: Overall BCM Plan; Recovery Management Procedures; Damage Assessment Procedures; Return to Normal Procedures
Process Level: Process Recovery Coordination Cards
Operation Level: Operation Recovery Cards
Crisis Event Timeline
[Diagram: Prevent / Preparedness → Incident Management Plan (IMP) → Crisis Management Plan (CMP) → Business Continuity Plan (BCP)]
Sample - Consequence of Documentation – Crisis Event Timeline
Awareness & Training
General Awareness
[Diagram: Awareness for General Employees, Training, and Education for Specialized Roles]
General employee awareness is a component of the overall training and awareness strategy.
Description: Raise general employee awareness about business continuity risks through internal communications campaigns via executive messages, intranet postings, etc. Lays the foundation for training about specific roles and procedures in the event of a disruption.
Key Outcomes:
• Business continuity awareness materials
• Increased level of awareness about business continuity risks and importance of disaster preparedness
Benefit:
• Promote a corporate culture of disaster preparedness
• Lays foundation for specific business continuity plan training
Dependencies:
• None
Stakeholders:
• BCM program office
• Corporate communications
Business Continuity Plans Training
Description: Train everyone involved in the recovery and continuity processes so they are aware and equipped to fulfill their responsibilities.
Key Outcomes:
• Training materials
• Trained resources prepared to execute the business continuity plan
• Sufficient cross-training to allow business resumption even in the absence of specific key personnel
Benefit:
• Promote a corporate culture of disaster preparedness and provide the detailed knowledge necessary to carry out business continuity activities
Dependencies:
• Implemented Business Continuity Plans
Stakeholders:
• BCM teams from the business functions
• All employees from the business functions
• BCM program office
• Training & development
Implement – Training & Awareness
BCM Program Communications & Education Strategy
[Diagram: Business Continuity Management at the centre, surrounded by Compelling, Shared Vision; Measures, Milestones & Evaluation; Power & Politics; Communications & Engagement; Training & Performance Support; Organizational Infrastructure & Processes]
• Stakeholders with authority, power and/or influence lead and visibly support the communication & education effort
• Articulation of a compelling, shared vision and business imperative for BCM communication & education
• Associates are well-informed about BCM
• Establishment of short- and long-term measures of success
• Development of a framework that supports ongoing BCM communication & education
• Key employees are enabled to perform their BCM roles and responsibilities
BCM Exercising
Description: Examine the validity of recovery and continuity plans through testing exercises using rehearsals or other similarly rigorous testing techniques. IT disaster recovery should be incorporated into business continuity testing where possible. Third parties may be involved in testing exercises as appropriate.
Key Outcomes:
• Test schedules, plans, and support materials
• Testing results
• Enhanced business continuity plans based on learnings from the test
Benefit:
• Identifies issues with the recovery and continuity plans during a test rather than during an actual disruption
• Supports training and awareness objectives
• Enhances coordination between business, IT, shared services and third parties in advance of an actual disruption
Dependencies:
• Implemented Business Continuity Plans
Stakeholders:
• BCM teams from the business functions
• Key employees from the business functions
• BCM program office
Sample - Exercising & Testing
[Chart: exercise types from Desk Check → Walk-Through → Simulation → Exercise Critical Activities → Exercise Full BCP; frequency falls from high to low while complexity & cost rise from low to high.]
Steps
• Define the objectives of testing, aligned with the plan objectives
• Set KPIs; the KPI in each category will differ by type of BCM plan testing
• Consider frequency / number of practitioners / time for preparation or investment for each defined type of BCM plan testing
Sample - BCM Implementation Plan
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/th/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
Weerapong Krisadawat
Partner
Tel: + 66 2676 5700 Ext. 6211
Email: [email protected]
BCM Case Studies & Lessons Learned
Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.
Agenda
• What’s on BCM? Understanding the Roadmap to BCM Certification
• Deloitte BCM Methodology & Implementation: World class best practices
• Introduction: Key understanding towards strategic decision
• BCM case studies & lessons learned from various business sectors
2011 BCM Survey Results
[Charts: Perceived benefits of having BCM; Reasons for not having BCM; Common elements of effective BCM; Products & services used when developing BCM]
Data Source: The 2011 BCM Survey: CMI
2011 BCM Survey Results (Continued)
[Charts: Barriers to developing BCM in the organization (e.g. conflicting priorities, lack of time); Objectives of developing BCM (e.g. protecting reputation)]
CFO Survey Japan 2011: 3/11 Triple Disaster Impact - Crisis Management and Resilience
This survey is an initiative of the CFO Program Japan which focuses on foreign companies in Japan and was conducted between 29 March and 12 April 2011 (Version 2 includes data until 30 April 2011).
Presently, around 110 companies are actively participating in the various program initiatives and were invited to partake in this survey. The majority are D300 and MFSC clients with subsidiaries in Japan.
This survey summary will be used as input for a CFO Roundtable discussion on 20 May 2011. Detailed discussion topics to be finalized (potential topics can include: crisis preparation, crisis management, business continuity and recovery, impact of 3/11 on Japan). The discussion will be summarized and published after 20 May 2011.
Impact on Business and Operations
• Of those companies that were allowed to disclose their financial impact, TMT and Automotive companies report the highest negative impact on their revenues and profit for 2011, mainly due to supply chain disruptions and the need for alternative suppliers
• Many companies in these industries were still not in a position to assess the impacts at the time of closing this survey
• Larger FSI companies (100M JYN and more annual revenue), and especially insurance companies, report significant revenue impacts and even larger drops in profits
• The Life Sciences companies are overall the least impacted, and besides one, none of them faces any supply chain breakdowns
• The participating energy company even expects a revenue increase thanks to larger demand for its products
• Some Consumer Businesses, especially the participating luxury retailer, are still finalizing their assessment of the overall impact; however, their biggest worry is a possible change in consumer buying behavior, partially due to mandated changes in opening hours and transportation availability
• The biggest common headache expressed is the unclear power situation, which will force companies to change their office hours, work places and shifts, and has even led some to re-think their location
CFO Survey of foreign companies in Japan - Participants
[Charts: Job titles; Revenue of foreign subsidiary in Japan]
Job title “other”: Country Executive and Group Japan CFO
Foreign companies in Japan who are actively participating in the Deloitte CFO Program were invited to share their views on the triple disasters
Source: Deloitte Japan CFO survey 1H2011 (38 completed and 27 partially completed questionnaires)
CFO Survey of foreign companies in Japan – Industries
[Charts: Industry segments; Headquarter country]
• Financial Services and Life Sciences represent the largest share of participating companies
• 35% are US based, followed by 14% German and 14% French companies
Source: Deloitte Japan CFO survey 1H2011
Anticipated Impact of Triple Disasters on Japan Revenue for 2011
[Chart: Expected decline in revenue]
• Some participants are still assessing the impact and provided directional inputs only
• 21% expect no impact on their revenue at all and 55% estimate declines between 1 and 10%; however, 13% still expect drops of up to 25% of their revenue
• The manufacturing and technology industry representatives report the highest expected impact
• Some FSI companies can be found in the mid-range of 10-15%, and most Life Sciences companies report very low or no impact
Survey Participant Comments “Other”:
- FSI:
  - Top line may shrink by 10-15% due to slower economy
  - Small: closed block, so no new revenue, but continued in-force M&E fees impacted due to lower equity markets
  - Too early to estimate
  - Delay in executing selective transactions
- TMT:
  - Too early to say since supply chain ripple effects not known yet
  - Short term negative, long term unclear based on possible rebuilding investment
- Life Sciences:
  - Difficult to estimate right now
- Consumer Business:
  - Currently being assessed
Financial Impact – Financial Services Industry
Profit Impact – rather different
– About one half of the respondents expect their profits to drop between 0 and 10%
– However, one third of the respondents estimate profit declines between 20 and 50%, and these are mostly the large FSI companies
[Chart: Revenue size of participating FSI companies]
• 56% of the participating companies are considered large – revenue over 300 B JYN
• Revenue impact
– One half of the respondents expect a revenue drop between 10-15%
– The other half expects no or only a small impact on revenue
Financial Impact – Life Sciences
Profit Impact – similar to Revenue Impact
– About 15% even expect an increase in profits this year
– Around 60% expect a decline in profits between 1 and 8%, which is very similar to their expected revenue decline
– Around 15% estimate a profit decline closer to 10%
[Chart: Revenue size of participating Life Sciences companies]
• Close to 60% of the participating life sciences companies have annual sales between 100 and 300 B JYN
• Revenue impact
– About one third of the participating companies do not expect any impact on their revenue at all
– Around 60% expect some drop between 1 and 5%, and around 15% estimate a decline closer to 10%, but nothing more
Impact on Human Capital – Overall very limited
[Chart: Impact on human capital]
Fortunately, 75% report no impacts on their personnel; however, 10% have to cope with some loss
A potential longer term impact for foreign companies:
• It will become increasingly difficult to motivate and incentivize talent and staff from Headquarters or other subsidiaries to take on assignments in Japan, due to uncertainties related to the nuclear accident and power outages, among others
• This can worsen the already existing shortage of talent in many areas of the operations, and especially in finance and accounting
Impact on overall Operations – Limited
[Chart: Impact on operations]
Again fortunately, 65% report no impacts on their operations; however, 23% have been scaling back their operations and 3% even performed shut downs
“Other”:
- One plant near Fukushima Daiichi abandoned
- Few damages to retail stores
- Nothing new, but cost is in using back up systems that were prepared
Source: Deloitte Japan CFO survey 1H2011
• Companies scaling back their operations can be found in several industries with manufacturing and retail outlets
• These facilities may be damaged, and ongoing power shortages hinder regular operating hours
Note: Foreign companies with manufacturing sites could not always assess the impact of the triple disasters on their operations; therefore the largest group of participating companies in this survey do not have manufacturing sites in Japan.
Impact on overall Supply Chain – Mainly Supplies and Suppliers
[Chart: Impact on supply chain]
The biggest supply chain disruptions are related to missing / delayed supplies and affected suppliers
Input on “Other”:
- Impacted, but full extent of ripple will only be known in a few months
- Find suppliers for discontinued own production
- Delay in production process at supplier level
- Primary concern is supply of electricity
• The full extent of the impact on the supply chains is still to be seen; however, the continued power black outs and shortages will prevent companies from business as usual
• Changes to operating hours, shifts and work places are being considered, and partially already implemented, to work around the power issue
Impact on Infrastructure and Operations
[Chart: Impact on infrastructure and operations]
75% report some impact of the triple disasters on their customers and intermediaries (e.g. agents, physicians, etc.), and most companies are actively supporting them as part of their recovery activities
Note: the large portion of impacted customers and intermediaries may be due to the companies represented in the survey (e.g. the relatively large number of Financial Services and Life Sciences companies).
Comment from other Service Providers:
- General economic and currency impact possible
Expected Recovery
65% expect their subsidiaries to fully recover within the next 6 months; however, this optimism is not shared for the Japanese economy
[Chart: Expected recovery of subsidiary vs. Japanese economy, with series for Japan subsidiaries and the Japan economy]
Source: Deloitte Japan CFO survey 1H2011
Some reasons for fast recovery of subsidiaries
“Increased demand for our products due to the triple disasters” – French Construction Company
“Limited impact – Kansai HQ and small sales in most affected region” – UK Life Sciences Company
“Major business done ex-Osaka” – German Life Sciences Company
Six key areas for improvement are identified:
Business Continuity Plans
Tests and Exercises
Policies / Guidelines
Technology Upgrades
Location Re-considerations
Emergency Supplies
Since less than half of the participating companies have business continuity plans in place, it is not surprising that this is a key area for improvement going forward
“This time we did a small pilot for moving a subset of a single operation to Osaka. We learned of a few challenges in this area in case we need to relocate more. … family challenges, constrained hotel capacity, etc. We have prepared stronger contingency plan for a relocation of HQ operations.” – CFO of US TMT Company