Page 1

Seminar on Operation Sustainability for Your Business

Thursday 10 May 2012 | 09:00 – 12:00hrs @ Silom Ballroom, Holiday Inn Silom Hotel


BCM introduction – Key Understanding towards Strategic Decision

Mr. Apichai Phongphotakul Director | Business Risk / Enterprise Risk Services Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.


Business Continuity Management Are you Prepared and Ready to Respond?

10 May 2012 Weerapong Krisadawat, CISA, CISM Partner & Business Unit Leader – Enterprise Risk Services Deloitte Touche Tohmatsu Jaiyos


Don’t get caught without a plan

2

Business Continuity Management (BCM)


Agenda

Introduction: Key understanding towards strategic decision

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices BCM case studies & lessons learned from various business sectors

Š2012 Deloitte. All rights reserved.


Natural Disaster

[Clip: End of the World]


Natural Disasters around the world in 2010

Volcano Eruptions, Iceland, March 20 3

8

Rare Tornado, Queens, Sept. 16 6

5

Floods, China, May 10

7 1

Floods, Tennessee, April 30 9

Earthquake, Magnitude 7.0, Haiti, January 12

Floods, Pakistan, July 26

10

11

Typhoons, Myanmar, Oct.20-23

Landslide, Mexico, Sept. 28

Typhoons, Philippines, Oct.12-24

12

2 Earthquake, Magnitude 8.8 Chile, March 11

5 Business Continuity Management (BCM)

4 Floods, Rio de Janiero, April 5

Earthquake, Magnitude 7.7 Indonesia, Oct. 25

Š 2012 Deloitte Touche Tohmatsu Jaiyos


Natural Disasters around the world in 2011

Volcano Iceland, May 21 10

Tornado 47 Dead South Carolina , Apr 16 14

Tornado Massachusetts, June 1

11

9 13

Wild Fire Texas, Sep 11

Massive Flood Bangkok, Oct 27

Flood 35 Dead Brazil , Jan 6 Earthquake Magnitude 7.1 Chile , Jan 2

Tycoon Philippines, Dec 18

6 15

4

16

7 Earthquake Magnitude 6.7 Indonesia , Apr 3

3

1

6 Business Continuity Management (BCM)

8 5

Earthquake Magnitude 7.0 Burma , Mar 23

Hurricane Irene South East US, Aug 26

Earthquake Magnitude 7.4 Japan , Apr 7

Great Earthquake and Tsunami Magnitude 8.9 Japan , Mar 11

2 Earthquake Magnitude 7.0 Argentina , Jan 3

Major Flood Australia , Jan 3

12

Earthquake Magnitude 7.8 New Zealand, July 7 Š 2012 Deloitte Touche Tohmatsu Jaiyos


Disaster effect - Threats to Continuity Natural Disaster

Equipment / Environmental Utility Outage

Earthquake

Environmental Conditions

Tycoon Fire

Civil Disturbance Construction

Flood Water Leaks

Land Slides

Your Organization Human Intention

Human Unintentional

Equipment Failure

Terrorism Sabotage

Viruses

7 Business Continuity Management (BCM)

Hackers

Human Error

Š2012 Deloitte. All rights reserved.


“การดําเนินธุรกิจในปัจจุบนั BCM เป็ นสิง จําเป็ นต่อองค์กร”

“การบริหารจัดการ Crisis เป็ นการวัดศักยภาพของ Brand” Source: BrandAge Magazine

8 Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Brand Value Top Eight; the most value corporate brand in Thailand กลุ่ม ทรัพยากร/ พลังงาน

กลุ่ม สื:อสาร

กลุ่ม อสังหาริ ม ทรัพย์และ ก่อสร้าง

กลุ่ม การเงิ น

กลุ่ม บริ การ

กลุ่มสิ นค้า อาหารและ ผลิ ตภัณฑ์ การเกษตร

กลุ่ม อุตสาหกรรม

กลุ่มสิ นค้า อุปโภค บริ โภค

339,944 MB

172,798 MB

164,995 MB

154,118 MB

108,871 MB

40,211 MB

27,511 MB

5,311 MB

ผลจาก ดร.กุณฑลี รืน รมย์ และอาจารย์ศภุ กร ภัทรธนกุล อาจารย์ภาควิ ชาการตลาด คณะพาณิ ชยศาสตร์และการบัญชี จุฬาฯ

9

Business Continuity Management (BCM)

© 2012 Deloitte Touche Tohmatsu Jaiyos


What business continuity means today Business continuity has changed from a reactive, recovery-based practice to a proactive, risk-based one Factors that drove the evolution of business continuity The past (1980–2000) Reactive Technology-centric Focused on recovery Asset-based

Disaster Recovery (DR)

DR hit the corporate agenda in the mid 80s as businesses began to increasingly rely on mainframe computers. The enthusiasm for DR started to wane as it became evident that a more proactive approach to risk mitigation was required.

Business Continuity (BC) Planning

Business Continuity Management

Terrorist attacks of the early to mid 90s made firms realize that DR did not effectively mitigate risks. BC evolved as a result. With the technology boom and roaring economy of the late 90s, BC, although a standard business practice, was given little attention.

Global events have raised awareness that threats are not just physical; cyber, regulatory, and other threats have made BC a part of a risk management program

Mid 1990s

Late 1990s

Proactive Business-centric

Pressure to deliver 24x7x365 has resulted in robust threat detection and resource mobilization techniques for foreseeable emergencies. Handling disruptions now becomes part of normal capabilities.

Responsibility of IT Early 1990s

The future (2001 – )

Focused on mitigation

One-time project

Late 1980s

Enterprise Resilience

Early 2000s

Mid 2000s

Process-based Continuous monitoring Responsibility of board

Late 2000s

Why business continuity matters to your organization more than ever today A global economic recession has left your organization more vulnerable to shocks Global flashpoints now threaten your organization wherever it has operations Complex regulations demand that your business deliver ever-higher service levels Physical disasters, both natural and technological, can now cost your business billions Your business can no longer afford spiraling IT downtime costs

Given the challenges of a global 24x7 business environment, simply recovering your IT assets from a disaster is not enough for your business to even survive, let alone thrive. Today, business continuity is a complex, continuous organization-wide program that requires active support and involvement of top management.

How does your organization measure up? 10

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


What is BCM? Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value-creating activities.

BS25999 1

Preparedness/Preventive: Preparedness is how

we change behavior to limit the impact of disaster events. It is a continuous cycle of planning, managing, organizing, training, equipping, exercising, creating, evaluating, monitoring and improving activities 2

Incident Management Plan: Within minutes to

hours: staff and visitors accounted for casualties deal with damage containment / limitation damage assessment invocation of BCP 3 A Prevent and avoid damage - Take precautions and plan to minimize damage and impact B Rapidly resume operations following any interruption

to critical operations - Take steps to resume operations as rapidly as possible - Establish target restoration time for critical operations to ensure customers do not switch brands 11 Business Continuity Management (BCM)

BCP Response: Within minutes to days: contact

staff, customers, suppliers, etc. recovery of critical business process rebuild loss work-in-progress 4

Recovery / Resumption- Back-to-Normal:

Within weeks to months: damage repair / replacement relocation to permanent place of work recovery of costs from insurers. Š 2012 Deloitte Touche Tohmatsu Jaiyos


Key Business Continuity Objectives

Brand Protection

Health and Safety

Avoiding public embarrassment and loss of credibility

Protect health and safety of personnel

Business Continuity Objectives Continuing New Business

Viabilty Keeping the company in business

Preserving the ability to sell in the marketplace

Earnings/Profit Earnings/Profit Protection protection Protecting the  Keeping the enterprise’s financial company in business commitments

12 Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


What managements are looking for from BCM? CEO / COO / CTO

• • • • •

Reduce or avoid otherwise ruinous revenue losses Protect critical data by leveraging infrastructure and support services Ensuring the safety of employees and customers Maximizing the security of physical assets Protecting reputation and shareholder value

Risk Manager:

• • • • •

Improved threat awareness and mitigation control from time to time Accelerating effective coordination, communication , and decision-making in a crisis Meeting customer and regulatory demands Improving the ability to respond to major incidents effectively and safely Providing a better case when negotiating business interruption insurance premiums

Operation Manager

• • • •

Improving business supply chain resilience Determining and protecting time-critical business processes More quickly and cost-effectively resume business and employee activities Reduce downtime and increase employee productivity

13 Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Drivers for Business Continuity Management


Drivers for Business Continuity Management Business Continuity Management is not about - or at least not only about - disasters but rather the strategic requirement for continuity. While the number of natural and man-made disasters increases the regulations, expectations, and demands are driving entities to prepare for disruptions from every source.

Threats and Risks

Standards

Shareholder Value

Strategic Tactical

Laws and Regulations

Resilience, Recoverability & Availability

Customer Expectations

Strong Moderate Weak

Reliable Initiatives

15 Business Continuity Management (BCM)

Data and Information Availability

Enterprise Viability

Š2012 Deloitte. All rights reserved.


Why continuity matters today — a recessionary economy Recessionary trends heighten your exposure to risk. Does your business continuity plans reflect this?

Lowered risk profile due to risk mitigation

Lowered risk profile under normal conditions Heightened risk profile due to erosion of defenses

Original risk profile

Under normal economic conditions •

Visualize the risks faced by your organization as a threat landscape. The higher the peak, the greater the risk. The red line represents your organization's risk tolerance limit. The light grey landscape is your organization's original risk profile. The dark grey landscape is your risk profile lowered by implementation of risk mitigation controls. Most risks are now below your organization’s risk tolerance limit.

Tolerance level under normal conditions Lowered tolerance level – reduced resistance to shocks

Effect 1: Diversion of resources

Effect 2: Reduced tolerance level

A recession may cause resources to be diverted away from continuity to focus on organizational survival.

Your organization may need to deal with reduced workforce, shutdown of facilities, delayed maintenance or the loss of a vendor, supplier, or partner.

A recession may also reduce your organization's liquidity and earnings, reducing its ability to withstand shocks and disruptions.

Your risk tolerance level is therefore reduced. Risks that could be tolerated are now above your organization's new tolerance level.

This may cause an erosion of defenses, causing your organizational risk profile to increase, bringing several risks above the tolerance level.

Source: “Continuity in Recession,” Continuity Central (www.continuitycentral.com)

What does your organization need to do? With more to accomplish with fewer resources, your business continuity program must become more agile. Continuity plans must reflect the current state of the organization — its capabilities and risk tolerance. Use business continuity tools to automate continuity maintenance tasks and enhance both efficiency and effectiveness. Top management must understand the situation fully in order to act rapidly.

16 Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Two ways organizations should look at business continuity Your business continuity program is a means to survive — and to thrive Business continuity as a plan for survival •

Having a business continuity program in place is critical to the very survival of your company. Statistics unambiguously reveal that organizations which suffer a catastrophic loss and do not have a continuity plan in place are very likely to go out of business shortly after the disaster. Your continuity program needs to account for the possibility of crises affecting not just your own organization; your business’ survival could be jeopardized by a crisis that affect an important supplier, customer, vendor, utility, or community.

• 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. Of those companies, 50% filed for bankruptcy quickly. • Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later. • 75% of companies without business continuity plans fail within three years of a disaster Source: National Archives & Records Administration, Washington, D.C “Managing Your Risk: – The Smart Approach to Protecting Your Business”, The Hartford Loss Control Department “Blindsided: A Manager’s Guide to Catastrophic Incidents in the Workplace” by Bruce T. Blythe

A business continuity program is critical to your company’s very survival.

Do you have a program in place? Stock price performance after disaster

Business continuity as a source of competitive advantage 20

With a business continuity program in place, an organization can offer its customers a higher degree of surety about its level of service. In 2008, Vodafone UK achieved BS25999 certification (the British Standard Institute’s certificate for business continuity management). It used this to offer a formal assurance to its customers about its continuity capability, gaining significant competitive advantage over other operators (Source: Forrester Research). An effective response to a disaster has been shown to have a net positive impact on shareholder value. A study at Templeton College, Oxford, showed that companies that recovered rapidly from a disaster saw a net increase in their stock price (see right).

A business continuity program can be a marketplace differentiator. 17 Business Continuity Management (BCM)

15 Cumulative Returns (%)

10 5 0 Recoverers Nonrecoverers

-5 -10 -15 -20 1

51

101

151

201

251

Days after disaster Source: “The Impact of Catastrophes on Shareholder Value”, Rory F. Knight & Deborah J. Pretty

Does your program give you an edge? ©2012 Deloitte. All rights reserved.


Spiraling costs of downtime With dramatically high per-minute costs to business, can your organization afford IT downtime? Downtime costs regardless of industry are prohibitively high… Pressures of serving customers globally on a 24x7 basis. Integration with supplier and partner IT systems. Accelerating time-to-market for products. These factors mean that your business's mission-critical applications cannot be unavailable for even short time windows. This is especially true if your organization relies on the Internet to transact business.

How much does every minute of downtime cost? … but few organizations can estimate the losses to their business “Are you able to quantify the business loss from downtime incidents?”

Two in three organizations cannot quantify the loss to their business — either direct or indirect — to their business in case their mission-critical applications fail. Balancing the organization’s tolerance for risk with a hard dollar assessment of the level of mitigation provided by solutions helps to align business continuity investments to provide the right amount of coverage for the right price.

Source: Forrester Research Inc.

Can your organization quantify how much to spend to avoid downtime?

What does your organization need to do? To determine whether you are overspending (thus diverting resources from other IT projects) or under spending on continuity (continuing to put your critical applications at risk), you need to 1) assess the downtime costs for crucial business systems; 2) perform a risk assessment and a business impact analysis; 3) compare alternative business continuity strategies to determine benefits of each proposed solution. Recovery planning resources need to be appropriately distributed amongst enterprise application, technology infrastructure, data center, and data recovery needs. 18

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Relationship Between ERM & BCM ERM

BCM = Business Continuity Management

Identify Risks

DRP = Disaster Recovery Plan ERM = Enterprise Risk Management

Assess and Evaluate Risks

IMP

= Incident Management Plan

Integrate Risks Response Risks

Plans

BCM

IMP Crisis Management Plan BCP DRP

Media

Relocation

Clean up

‌

19

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


The Benefits of Business Continuity An effective business continuity program will  Improve threat awareness  Better protect of people  Protect regulation and shareholder value  Improve supply chain resilience  Determine and protect time-critical business processes  Meet customer and regulatory demands  Accelerate effective decision-making in a crisis  Improve the ability to respond to major incidents effectively and safely  Provide a better case when negotiating business interruption insurance premiums

20

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Key Success Factors

Key Success Factors  The cost of doing nothing is too high  Enterprises must thoroughly reassess their business continuity strategies and apply them to the distinctively different circumstances of situation  Plans need to be developed or revised to incorporate the effect of a significant – and sustained – absence of staff, including critical staff members , absence of premises and technology  Consideration must be made for different regulatory frameworks, cultural practices, and risk levels  Dependence on government organizations and third parties must be analyzed and the risks mitigated  Regular maintenance, review and testing of plans is not an option but a necessity

21

Business Continuity Management (BCM)

Š 2012 Deloitte Touche Tohmatsu Jaiyos


Common Disaster Recovery Pitfalls Deloitte has observed many common pitfalls as we have worked with 100+ organizations, we have aligned our efforts to mitigate against these common issues.

Common Pitfalls •

Companies often have an ineffective event escalation and declaration process in place Application acceptance criteria (testing checklists) is not adequately for application recovery plans Testing is often limited as a result of poor or insufficient level of detail within recovery procedures Recovery planning is typically seen as a discrete project or “point-intime” effort, quickly resulting in out of date processes and procedures.

Our Preventative Measures •

• These factors combined necessitate improvisation and trial-&-error recovery; adding confusion, stress, uncertainty and time to the overall recovery process 22

Business Continuity Management (BCM)

Deloitte will collaborate with you to establish a robust and effective Disaster Program processes, including event detection, escalation and activation. Deloitte will develop recovery procedures with direct input from your personnel in order to provide an appropriate level of detail. Application validation checklists and system acceptance criteria will be developed as part of system recovery procedures. Deloitte will provide guidance on how to sustain recovery plan viability as part of the overall Disaster Recovery program.

©2012 Deloitte. All rights reserved.


BCM Implementation: Lesson Learned

Recoverability and resilience are not built into Business as Usual

DR Professionals at MOST companies are not consulted during a crisis or event

Plans must be updated and tested frequently

Copies of plans should be stored at a secure off-site location

All types of threats must be included

Increased uncertainty (following high impact disruption) may lengthen time to normal operations

Business Continuity Lessons Learned Key personnel may be unavailable

Companies struggle to roll up requirements and activities

Telecommunications are essential

There are continued perceptions that BCM is a technology problem

Alternate sites for IT backup should not be situated close to the primary site

Business risk management is beyond a core competency and organizations have limited in-house expertise

There is a gap in many organizations between management expectations and the company's ability to continue business operations.

23

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Why struggling to implement an effective BCM / BCP? Many companies struggle implementing an effective BC plan because of the complex coordination between business and technology components Challenges – – – – –

Business processes have an increasingly greater dependence on applications and technology Business has aggressive recovery time and point objectives The complexity of the processes that need to be restarted have increased dramatically The lack of paper records has increased the impact, financial and other, of losing data Significant interdependencies between applications, systems, and business processes increase complexity of recovery Business Continuity Timeline Relocate or reroute business process

Manual processes

Business

Network

Normal processing and activity

IT

Service interruption

Potential data loss 24

Problem identification

Business Continuity Management (BCM)

Notification and communication

Restore voice and data network

Configure, Provision, and Restore Data

Resume and synchronize business

Recover applications

Time to recovery

©2012 Deloitte. All rights reserved.


Agenda

Introduction: Key understanding towards strategic decision

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices BCM case studies & lessons learned from various business sectors

Š2012 Deloitte. All rights reserved.


What’s on BCMS? Understanding the road map to BCM Certification.

Mr. Teeradej Vibulpatanavong , ITMS/ ISMS/ BCMS Product Manager Bureau Veritas Certification (Thailand) Ltd.


What’s on BCMS? Understanding the road map to BCMS Certification. Venue: Holiday Inn, Silom, Bangkok Teeradej Vibulpatanavong Quality & IT Product Manager Date: 10 May 12

แนะนํา Bureau Veritas Certification

Copyright © Bureau Veritas Certification Thailand


Bureau Veritas at a Glance Broad Geographic Presence1 ► Created in 1828

Africa 5% Americas

► A global leader in conformity

assessment services in the areas of quality, health and safety, environment and social responsibility (QHSE) z

Network of more than 700 offices in 140 countries

z

Over 26,000 skilled employees

22%

France

33%

Europe

22%

► Eight global businesses providing

Eight Global Businesses1

a complete set of services z

18%

Asia Pacific & Middle East

Services include: Inspection, testing, audit, certification, classification, risk management, outsourcing, consulting and training services

Government Services

Marine 11%

8%

Consumer Products

Ind str Industry

14%

► Servicing 280,000 customers across a

13%

wide range of end markets Certification

Inspection & In-Service Verification

11%

13% Construction

HSE

20%

10%

1. 2006 revenue breakdown.

Understanding the road map to BCMS Certification

3

Our Profession : QHSE Compliance

Reference Standard

Action

Deliverable

Assessment

Full Independence from any Design / Manufacturing / Contracting / Insurance

© - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

Copyright © Bureau Veritas Certification Thailand


A Balanced Portfolio of Activities

Marine

► Ship classification, ship and marine equipment certification, technical assistance and outsourcing services

► Conformity assessment of industrial equipment and installations to regulatory or client specifications from

feasibility stage to de-commissioning

Industry

► Services include design review, shop inspection, site inspection, asset integrity management, product

certification and related testing services such as non-destructive testing

Inspection & In-Service Verification (IVS) Health, Safety and Environment (HSE)

► Periodic inspection of equipment and installations to assess conformity with regulations or client-specific

requirements ► Services apply to electrical installations, fire safety systems, lifts, pressure and lifting equipment, and machinery ► Inspection, audit, measurement and testing services in the areas of environment and health and safety ► Technical assistance and consultancy services to help companies define their HSE management strategy and

improve their performances ► Conformity assessment of construction projects to local regulations and construction standards, from design

stage to completion

Construction

► Services include design review, code compliance, technical control, on-site safety coordination, testing

of construction materials, asset management and technical due diligence services ► Certification of management systems and processes in the areas of quality, health and safety, environment

Certification

and social responsibility based on public standards ► Second party auditing services based on customer-specific customer specific or Bureau Veritas standards ► Testing, inspection and certification of consumer goods including textile, hardlines, toys, electrical and

Consumer Products

electronics ► Factory audits, social responsibility audits and training services

Government Services and International Trade (GSIT)

► Government Services: Pre-Shipment Inspection, X-Ray Scanning, Verification of Conformity of imported

products ► International Trade: Commodity quantity/quality assurance, automotive services

Eight global businesses providing strong growth and cross-selling opportunities © - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

Our Logo

Logo Change

From

To

Certification Mark Change

From

To

Effective since 17 January 2007 © - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

Copyright © Bureau Veritas Certification Thailand


มาตรฐานเกี่ยวกับ BCM

Business Continuity Management System

Result

Business Continuity y

Proces s

Business Continuity Management Syste m

Business Continuity Management System

© - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

Copyright © Bureau Veritas Certification Thailand


Business Continuity Management

BCM Important

Time-sensitive

Understanding the road map to BCMS Certification

9

Business Continuity Management System Standards ► BS 25999 Business Continuity Management z

Part 1 – Code of Practice – Published in November 2006 • Provides information about business continuity management and the key stages for implementation.

z

Part 2 – Specification S f – Published in November 2007 • An auditable standard to which organisations may be audited by Certification Bodies and become certified to. Includes all requirements for Management System implementation.

► ISO 22301 Societal security -- Preparedness and continuity management

systems -- Requirements z

z

Current Status is Final Draft International Standard (FDIS). It also has 2 parts. Expected to be published in June 2012.

► TIS 22301 - 2553 Business Continuity Management Systems – Requirements

มอก. 22301 – 2553 ระบบบริหารความตอเนือ ่ งทางธุรกิจ - ขอกําหนด

Understanding the road map to BCMS Certification

10

Copyright © Bureau Veritas Certification Thailand


Business Continuity Management System Standards BS 25999-1 Code of practice

11

BS 25999-2 Specification

1 Scope and applicability

1 Scope

2 Terms and definitions

2 Terms and definitions

3 Overview of business continuityy management (BCM)

3 Planning g the Business Continuity y Management System (BCMS)

4 The Business Continuity Management policy

4 Implementing and operating the BCMS

5 BCM Programme Management

5 Monitoring and reviewing the BCMS

6 Understanding the organization

6 Maintaining and improving the BCMS

7 Determining business continuity strategy

A Correspondence with ISO 9001, ISO 14001 and ISO 27001

8 Developing and implementing a BCM response 9 Exercising, maintaining and reviewing BCM arrangements

BCM S

1 Embedding BCM in the organization's 0 culture

BCM

Understanding the road map to BCMS Certification

11

ความสัมพันธกบ ั มาตรฐานระบบบริหารอื่นดาน IT ISO 31000 Risk Management Generic approach to developing, implementing and continuously improving a framework to integrate the process of managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture

ISO 20000 IT Service

ISO 27001 Information Security

BS 25999 Business Continuity

13 processes in IT Service Management Systems (Information Security Management included)

Process : Information Security Management Systems

Process : Business Continuity Management System

6. Service delivery process Service level management Service reporting Capacity management Information security management

1.Personnel Security 2.Physical and environmental security 3.Communications and operations 4.Access control 5.System development and maintenance to take in account security 6.Information Business continuity management

1.Planning the BCMS

Service continuity & availability management

2.Implementing and operating the BCMS 3.Monitoring and reviewing the BCMS 4.Maintaining and improving the BCMS

Budgeting and accounting for IT services 7 Relationship processes Business relationship management Supplier management 8 Resolution processes Incident management Problem management 9 Control processes Configuration management Change management 10 Release process Release management process

Understanding the road map to BCMS Certification

12

Copyright © Bureau Veritas Certification Thailand


มาตรฐานระบบบริหารอื่นที่มีขอกําหนดเกี่ยวของกับ BCM ► ISO/TS16949: 2009

6.3.2 Contingency plans z

prepare contingency plans to satisfy customer requirements in the event of an emergency such as utility interruptions, labour shortages, key equipment failure and field returns.

► ISO14001: 2004

4.4.7 Emergency preparedness and response z

z

z

to identify potential emergency situations and potential accidents that can have an impact(s) on the environment and how it will respond to them respond d to t actual t l emergency situations it ti and d accidents id t and d preventt or mitigate associated adverse environmental impacts. periodically review, periodically test

► OHSAS 18001: 2007

4.4.7 Emergency preparedness and response Understanding the road map to BCMS Certification

13

Business Continuity Management and Quality Management

Disrupted business circumstances!!!

Quality Management

Business Continuity Management

Normal business circumstances. BCM compliments Quality Management. Understanding the road map to BCMS Certification

14

Copyright © Bureau Veritas Certification Thailand


15

Relationships and Consideration on Part-1 & Part-2

Embedding BCM in the Organization’s Culture

Understanding the Organization

Determining BCM Exercising BCM Strategy Maintenance Programme Reviewing Management Developing and d Implementing BCM Response

Understanding the road map to BCMS Certification

15

ISO 22301 and its family ► ISO/FDIS 22301: 2012 Societal security -- Business continuity

management systems --- Requirements z

The international standard expected to be published within Q2 of 2012.

► ISO/FDIS 22300: 2012 Societal security -- Terminology z

Same as ISO22301

► ISO/DIS 22313 Societal security -- Business continuity management

systems – Guidance

► ISO/DIS 22398 Societal security -- Guidelines for exercises and testing ► ISO 22320: 2011 Societal security -- Emergency management --

Requirements for incident response

► ISO/PAS 22399: 2007 Societal security - Guideline for incident

preparedness and operational continuity management

► ISO/WD 22323 Organizational resilience management systems -

Requirements with guidance for use

Understanding the road map to BCMS Certification

16

Copyright © Bureau Veritas Certification Thailand


ISO 22301, its family, also other families ► ISO/TR 22312: 2011 Societal security -- Technological capabilities ► ISO/CD 22397 Societal security -- Public Private Partnership -- Guidelines to set

up partnership agreements

► ISO/CD 22322 Societal security -- Emergency management -- Public warning ► ISO/NP 22315 Societal security -- Mass evacuation ► ISO/NP 22351 Societal security -- Emergency management -- Shared situation

awareness

►… ► ISO/IEC 27031: 2011 Information technology -- Security techniques --

Guidelines for information and communication technology readiness for business continuity

► ISO 28000: 2007 Specification for security management systems for the supply

chain

REMARK: z

NP = New Work Item Proposal

z

CD = Committee Draft

z

FDIS = Final Draft International Standard

z

TR = Technical Report

Understanding the road map to BCMS Certification

17

ขั้นตอนในการกําหนดมาตรฐานของ ISO PWI NP WD

ISO

CD DIS FDIS Understanding the road map to BCMS Certification

18

Copyright © Bureau Veritas Certification Thailand


Transition Policy ► ยังไมมี Transition Policy ที่เปนทางการออกมา ► คาดวา ISO 22301 จะออกมาภายในไตรมาศที่ 2 ของปนี้ z

ISO 22301 ไดผานการลงมติแลว ในเดือนเมษายน และอยูระหวางการจัดพิมพ ซึ่งจะใช เวลาประมาณ ป 2 เดือ ื น นัับตง แตการผานมติิ

► คาดวากรอบเวลาในชวง transition จะอยูระหวาง 12 ถึง 18 เดือน หรืออาจจะ

เปน 3 ป

► การเปลี่ยนแปลงจาก BS25999-2 เปน ISO 22301: 2012 สามารถทําไดในชวง

รอบการตรวจติดตาม Surveillance Audit ในรอบการใหการรับรองเดิม

► อาจจะตองมีการตรวจประเมินเพิ่ม โดยเนนที่ z

ขอแตกตางของ BS25999-2 กับ ISO22301

z

ทั้งนี้ขึ้นอยูกับ ของเขต และ ขนาดขององคกร

Understanding the road map to BCMS Certification

19

ขอแตกตางหลักของ ISO 22301 และ BS 25999-2 ► ISO 22301 เปนมาตรฐานตัวแรกที่ใชโครงสรางขอกําหนดของมาตรฐานระบบ

บริหารแบบใหมของ ISO (ซึ่งมาตรฐานเดิมอืน ่ ๆ จะมีการเปลี่ยนโครงสรางตาม)

► แมวาโครงสรางของ Management System จะเปลี่ยนใหม แตผูเชีย ่ วชาญบาง

คนใหความเห็นวา เนื คนใหความเหนวา เนอแทแกนของ ้อแทแกนของ BCM ไมไดเปลยน ไมไดเปลี่ยน

► เนนบทบาทผูนําของผูบริหารระดับสูง มากขึ้น ► เนนการวัด performance มากขึ้น ► เปลี่ยน Preventive action เปน actions to address risks and opportunities

และยายไปอยูสวนตนของการวางระบบ

► เนนการสื่อสารทั้งภายในและภายนอกองคกรมากขึ้น ► ใหความสําคัญเกี่ยวกับการแจงเตือนมากขึ้น ► รวมขอกําหนดของ Document Control และ Record Control ไวดวยกัน

Understanding the road map to BCMS Certification

20

Copyright © Bureau Veritas Certification Thailand


โครงสรางใหมของขอกําหนดระบบบริหารใน ISO 22301 Introduction: ► Clause 1: Scope ► Clause 2: Normative reference ► Clause l 3: Terms and d definitions d f

Requirements: ► Clause 4: Context of the organization ► Clause 5: Leadership ► Clause 6: Planning ► Clause 7: Support ► Clause 8: Operations ► Clause 9: Performance Evaluation ► Clause 10: Improvement

Understanding the road map to BCMS Certification

21

กระบวนการใหการรับรอง

Copyright © Bureau Veritas Certification Thailand


Bureau Veritas Audit Process

„ Preliminary Audit・・・Optional

Certification Audit

„ Initial Audit

.

Re-certification Audit

Continual Improvement

►Verification

Certificate Issued

of BCMS Framework

„ Certification Audit

Management System Audit Cycle

Initial Audit

►BIA,

Risk Assessment, BCM Strategy, BCP/IMP, exercise, audit, MR etc, verification of implementation

Preliminary Audit Surveillance

„ Surveillance Audit, Re-certification Audit・・・Same as other standards

Audit

Contract

Inquiry Consultation Estimation

Understanding the road map to BCMS Certification

© - Copyright Bureau Veritas

Certification Process Certification Process Application

Contract Review: ƒ Scope ƒ Time-scale ƒ Audit team

Audit Stage 1

Audit Stage 2

Certification

Understanding the road map to BCMS Certification

Surveillance

24

Copyright © Bureau Veritas Certification Thailand


IBM:BS25999, ISO9001, ISO27001 Triple Certificate Business Continuity and Recovery Services - Italy division obtained its first triple certification ISO 9001, ISO 27001, BS 25999 Client:

IBM Business B i Continuity and Recovery Services - Italy division

Ali Dincmen, International Business Development Director – Bureau Veritas Certification France said “is one of the first IT Services companies in Europe to have obtained the two certifications BS 25 999 and ISO/IEC 27001:2005.” For IBM, these certifications have internal and external benefits: IBM clients and partners are assured of a commitment to quality and security IBM demonstrates best market practices in IT environments that are well managed and provide the highest level of quality services. One of the key factors that allowed the BCRS division to get certified in a very short time and with a minimum effort, has been the innovative approach to integrate his Information Security Management System (ISO/IEC 27001) and the IBM Global Management System (ISO 9001), already in place, with the new Business Continuity Management System (BS 25999).

Norberto Colombo Colombo, Italy Quality Program Manager of IBM said : “I’m very pleased to report that another strategic goal has been reached by “Business Continuity & Resiliency Services (BCRS) Italy" in order to offer our clients a service even more qualified. This is an effective reason to capture business opportunities and to get a strategic advantage regarding national and international competitors.”

© - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

Certification Process Accreditation Body Function Accreditation Body ( JIPDEC )

ISO Guide 62 and ISO 17021

Certification/Registration Body (e.g. Bureau Veritas Certification)

BS 25999-2: 25999 2: 2007 ISO/IEC 22301: 2012

Organization to be certified (i.e. Client)

Understanding the road map to BCMS Certification

26

Copyright © Bureau Veritas Certification Thailand


Certification Process How do auditor find evidence ? • Reviewing documents • Looking at records • Interviewing people at all

levels

• Observing practices and

physical environment

NOTE: Can/should the auditor cover all people, documents and records during the audit? Understanding the road map to BCMS Certification

27

Initial documentation review (Adequacy, desktop, intent audit)

In many instances it will not be possible to assess whether MS1 requirements are satisfied in principle from looking only at tthe e docu documents. e ts

Auditors take holistic approach to assess the adequacy of MS documentation (not just procedures). procedures) Current practice is to conduct this activity on-site

=

BS25999-2 or ISO 220301

and other audit criteria

Use checklist

Understanding the road map to BCMS Certification

28

Copyright © Bureau Veritas Certification Thailand


Conformance or Implementation audit

=

Work practices Work practices might not be documented in “written” procedures or work instructions

Understanding the road map to BCMS Certification

29

Auditing activities ISO 19011: 2011

Initiating the audit

Initial document review

Preparing for on-site audit

On-site auditing activities

Audit follow-up

Audit completion

Reporting on the audit

Understanding the road map to BCMS Certification

30

Copyright © Bureau Veritas Certification Thailand


การประยุกตใช BCM

ขั้นตอนการจัดทํา BCM กําหนด Scope ระบุ Key Products / Services ระบุ Processes ที่สนันสนุน Key Products / Services Business Impact Analysis Risk Assessment Risk Treatment จัดทํา BCP / IMP Understanding the road map to BCMS Certification

ซอมทดสอบ

32

Copyright © Bureau Veritas Certification Thailand


Setting Scope(Example) Customer A

Customer B

Product A

Product B

Activity Activity 1 2

Activity Activity 3 4

Stakeholders

Service C

Outsourcer

Service D

Activity 5

Senior Management

Activity

Activity

Activity 6

BCM

Organization Source:Good Practice Guideline 2008

In the above diagram if it is decided that Product B and Service C are within scope of the programme then the shaded activities are necessarily fully or partly within the scope. Understanding the road map to BCMS Certification

33

4 คําถามงาย ๆ สําหรับ BCM Business Impact Analysis

1 อะไรตองรอด? 1. อะไรตองรอด? BCP / IMP

Continuity Requiremen t Analysis A l i

2. ตองใชทรัพยากรอะไร? 3. ตองเตรียมการอยางไร? 4 มันั่ ใจได 4. ใ ไ อยา งไรว ไ า จะรอด?? BCM Exercising

Understanding the road map to BCMS Certification

34

Copyright © Bureau Veritas Certification Thailand


หาจุดสมดุล

Understanding the road map to BCMS Certification

35

Understanding the road map to BCMS Certification

36

หาจุดสมดุล

Copyright © Bureau Veritas Certification Thailand


Exercising, maintaining and reviewing Cost Risk also !!!

Full

Large rehearsals and tests Medium rehearsals and tests Small rehearsals and tests Simulation Walkthrough Desk Check

Complexity Understanding the road map to BCMS Certification

37

การปรับปรุงความสามารถดาน BCM ขององคกร

Understanding the road map to BCMS Certification

38

Copyright © Bureau Veritas Certification Thailand


Thank you for your attention. Š - Copyright Bureau Veritas

Understanding the road map to BCMS Certification

39

Copyright Š Bureau Veritas Certification Thailand


Deloitte BCM Methodology & Implementation: World Class Best Practices

Mr. Supharerg Khemngern , Manager –BCM Services, ERS Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.


Agenda

Introduction: Key understanding towards strategic decision

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices BCM case studies & lessons learned from various business sectors

Š2012 Deloitte. All rights reserved.


Deloitte Risk Intelligence – BCM Framework

Business Continuity Policy & Governance

Board of Directors

Policy & Governance

Executive Management

Roles & Responsibilities

Analysis Business Continuity Strategy

BCM Department Risk Assessment

Business Impact Analysis

Business Continuity Strategy

Plan Developmen t

Planning and Implementation Business Continuity Implementation

Enterprise level Organizational Crisis Management Plan

Business units level

Corporate BCM Plan

Department BCM Plans

IT DR Plans

BCM Department, Business Units and Corporate Support Functions

BCM Programme Maintenance Business Continuity Sustenance

Training

Testing

Maintenance

Sustain and continuously improve 27

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Deloitte Approach - BETH3 TAP Business Continuity Management/Continuity of Operations

1

4

7

5 2

Building (Facilities/Utilities)

Equipment

8 Technology (Application, Data, Infrastructure)

9

3 6

**Capabilities Assessment – Resiliency and Recoverability (CARR) Framework

28

Business Continuity Management (BCM)

Human Resources Third Parties (Vendors, Customers, Service Providers) Third Parties (Vendors, Customers, Service Providers)

Š2012 Deloitte. All rights reserved.


Deloitte BCM Methodology v.s. BS25999 Analyze Current State Assessment

Assure Continuous Improvement

Reassessment and Quality Assurance

Risk Assessment

Business Impact Analysis

Audit and certification

Develop Implement Resource acquisition & embedding

29

Training of key personnel

Testing of plans, procedures & assumptions

Business Continuity Management (BCM)

Governance Model

Resilience & Recoverability Strategy

BCM Plans Documentation

Š2012 Deloitte. All rights reserved.


Governance & Project Management


Governance & Project Management Description:

Create the governance model for a systematic program for the management and sustainment of business continuity processes, including emergency response, crisis management, business continuity, and disaster recovery.

Key Outcomes:

• BCM program mission statement & strategy • BCM organization including staffing model and roles & responsibilities for the program office, steering committee, and working team comprising members of the business committee • BCM policies, standard, guidelines, and terminology definitions • BCM integrated into organization and IT change management processes • BCM training & awareness strategy • BCM program audit & compliance strategy • BCM program metrics & reporting process • BCM continuous improvement process

Benefit:

• Executive oversight of the BCM capabilities • Mechanism to build and sustain BCM capabilities • Better understanding of BCM program roles & responsibilities

Dependencies:

• Funding for BCM initiative

Stakeholders:

• BCM program office • BCM executive steering committee • People & performance

● ● ●

Internal audit Legal BCM representatives from the business Policy and Standards

Leadership

Strategy

 What is the overall direction f or the business and related IT within the corporation?  What are the cultural values regarding risk management?  How should key stakeholders be represented?

Organization

Guidelines

 How should BCM program management be measured?

Training & Awareness Metrics & Reporting

Continuous Improvement & Quality Assurance

31

 What corrective action should be taken as key f indings are made?  How should the organization ensure corrections take place?

Planning  What should the corporate business recovery strategy include?  What should be the corporate IT recovery goals?

Change Management

Audit &Compliance

 Aligning BCM methodology and standards to industry standards such as: BS25999, NFPA1600, BCI, and DRII

Monitoring and Control  What qualitative benchmarking should be perf ormed?  How should periodic BCM progress reports be created and reviewed?

BCM Governance Decisions

Policies Standards

 What should the f undamental BCM operating principles be?  What internal BCM standards, rules and protocols are needed?

Coordination and Compliance

Allocating Capital  How should limited resources be ef f iciently allocated?  What capital is available f or investment?

 What process should be used to ensure compliance with BCM standards and obligations  How should corporate BCM coordinate recovery activities between organizational units?

 What criteria should be used to dictate BCM investment decisions?  What process should be used to review expenditures?

©2012 Deloitte. All rights reserved.


Governance & Project Management

32

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Deloittes’ point of view - BCM Organization Preparedness

Emergency Response

Continuity

Recovery / Back-to-normal

Timing Plan

Safety & Security

Incident Management

Crisis Management

Risk Management

Business Continuity Plan

Team

Crisis Management Team Incident Response

Facility Management & Recovery

Salvage Operations

Employee Safety

Loss Reporting

Crisis Communication

Business Continuity Team Business Process Recovery Workplace Relocation 33

Business Continuity Management (BCM)

Supply Chain Continuity Alternate Processing Disaster Recovery

Human Resources Š2012 Deloitte. All rights reserved.


Skill for BCM personnel

รอบรูใ้ นธุรกิจองค์กร เข้าใจใน โครงสร้างของการ สั HงการและการสือH สาร

ทักษะในการวิเคราะห์ และการจัดการปญั หา

BCM เข้าใจรายละเอียด ของเอกสารทีเH กียH วข้อง กับ BCM

ทักษะในการ ถ่ายทอดความรู้ ทักษะด้านการ บริหารจัดการโครงการ 34

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Business Impact Analysis (BIA)


Business Impact Analysis Description:

Conduct a business impact analysis of key business functions to measure the potential financial and operational impacts that could occur if a business process was unable to operate for an extended period of time for any reason. The business impact analysis will provide requirements for recovery and will prioritize business functions. After plans have been developed, validation of business impacts can occur to assess whether strategies and plans meet recovery objectives.

Key Outcomes:

• Validated list of prioritized business functions and impacts • Recovery requirements for business functions including resources and dependencies

Benefit:

• • • •

Dependencies:

• BCM governance

Stakeholders:

• BCM program office • BCM representatives from the business

Helps prioritize business continuity planning activities and allocate scarce resources Provides clearer understanding of business process priorities and expectations in the event of a disaster Ability to create business continuity plans with a clear understanding of business requirements Potentially identify cost saving opportunities in current operations

Sample BIA Interview Form

Change Management

36

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


MTPD / RTO / RPO

Process B

$50M Recovery Time Objective (RTO) $10M

Impacts ($)

Key Objectives • Business process review, interdependencies and priorities • Critical applications • Recovery Time Objective (RTO) • Recovery Point Objectives (RPO) • Minimum operating requirements

Process A

Financial Tolerance Limit (FTL)

$5M

Recovery Time Objective (RTO)

$1M

Data Synch

$0

Workarounds

RPO

Event

0

6

12

24 Time (Hours)

48

72+

RTO

Timeline 38

©2012 Deloitte. All rights reserved.


RTO vs RPO The business objectives for resilience are established when the tolerance for data loss and downtime become very short – seconds to minutes. These objectives become, in effect, SLAs for Information Technology. Years

Days

Hrs

Mins

Secs

Secs Mins

Protection Methods

Vaults

Disk Backups

Archival

Snapshots

Days

Downtime

Data Loss

Tape Backups Capture on Write

Hrs

Recovery Methods

Synthetic Backup Real Time Replication

Instant Recovery

Disk Restores Tape Restores

Point-in-Time Roll Back

Surgical Search & Retrieve

Enabling Technologies Tape & Automation

39

Business Continuity Management (BCM)

Continuous Data Protection

Deduplication

Remote Replication

Content Indexed Archival

Š2012 Deloitte. All rights reserved.


Risk Assessment (RA)


Risk Assessment Description:

Conduct a high-level risk assessment to identify major credible natural, man-made, and technological threats to the organization’s key resources, their likelihood and potential impact, and recommendations to mitigate risks to an acceptable level.

Key Outcomes:

• • • •

Benefit:

• Understanding of critical resources and key threats to the organization • Risk-based approach to allocating business continuity risk mitigation resources

Dependencies:

• BCM governance

Stakeholders:

• BCM program office • BCM representatives from the business

List of critical resources List of credible threats to those resources Likelihood and impact of those threats on critical resources Residual risks and recommendations to reduce residual risks to an acceptable level

Threats Natural Flooding Wind damage / tornado Man-made Explosion Hazardous waste Extortion Terrorism

Vulnerability Forewarning

Enterprise risk management

Duration

Low Yes Short Sample Threat Chart High Yes Short

Score

Risk

In Scope

3

Low

5

Moderate

No Yes

Vary High Medium Low Medium

No No No No

Short Short Intermediate Short

6 5 5 4

High Moderate Moderate Low

Yes Yes Yes No

Medium

No

Short

5

Moderate

Yes

Medium

No

Short

5

Moderate

Yes

Technical Change Malfunction Management

or failure of hardware Malfunction or failure of system software

41

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Risk Assessment - Tool 1. Collect Business Continuity Survey + Internal data + External data

3. Once Business Impact Analysis scoring tool will be finalized, the final score will be given on the Heat Map 42

Business Continuity Management (BCM)

Risk assessment score

2. Scoring tool for Risk assessment

5 4 3 2 1 1

2

3

4

5 Š2012 Deloitte. All rights reserved.


Availability & Recovery Strategies


Availability & Recovery Strategies Description:

Devise strategies based on various availability and recovery alternatives to meet business continuity requirements identified during the risk assessment and business impact analysis

Key Outcomes:

• Decisions on most risk and cost-effective availability and recovery strategy • Resource requirements and implementation needs to realize strategy

Benefit:

• Guide the organization in determining the appropriate measures and resource requirements to meet stated objectives

Dependencies:

• Risk assessment • Business impact analysis

Stakeholders:

• BCM teams from the business functions • BCM program office

Continuum of availability strategies

$$$

Cost of solution

Pre-staged workspace

Sample Availability Strategy Analysis

Commercial work area Dedicated workspace

Remote access

Mobile facility

Acquisition

Change Management

Time to functional availability Seconds

44

Business Continuity Management (BCM)

Minutes

Hours

Days

Weeks

©2012 Deloitte. All rights reserved.


Sample of selecting Strategy Process (Internal Recovery) When making a decision about internal recovery, the following systematic approach may be used to filter different alternatives. The picture on this slide is an illustrative example showing that options are gradually narrowed until the best option is determined.

45

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Sample IT Recovery Strategies Recovery Time Objective (RTO)

Possible Alternative Strategy

Actual Implementation

Nearly Immediate (Infrastructure)

• • • • •

100% resilient infrastructure Fully redundant, failsafe WAN/LAN technology Fully secured redundancy In-house developed/Outsourced Redundant Power

• Multi-path, multi-carrier communications providers • Real time rerouting of network • Alternate data center for highly critical applications

Less than 1 hour

• • • •

Clustering/Active-Active & Clustering/Active-Passive Redundant Power/NICs/HBA Data Replication/Data Mirroring or RAID Continuous Monitoring

• Develop/contract for alternative data center out of region (hot-site) • Full infrastructure redundancy • Data mirroring/Off-site Vaulting

1 - 24 hours

• • • •

Clustering/Active-Active Redundant Power/NICs/HBA Data Replication/Data Mirroring or RAID Continuous Monitoring

• Use alternate data center (hot-site) • No Active-Passive Clustering

25 -48 hours

• • • •

Clustering/Active-Passive Redundant Power/NICs/HBA Data Replication/Data Mirroring or RAID Continuous Monitoring

• • • •

2 – 7 Days

• Redundant Power/NICs/HBA • Data Replication/Data Mirroring or RAID • Continuous Monitoring

• Tape recovery – Dedicated tapes • Remote Tap Vault at 3rd party site • Remote Tape Vault at alternative location

7 – 14 Days

• Redundant Power/NICs/HBA • Data Replication/Data Mirroring or RAID • Continuous Monitoring

• Tape recovery – Shared tapes with drop ship for hardware

46

Business Continuity Management (BCM)

Specific Application Tape Recovery Asynch Tape Backup at Redundant Site Asynch Remote Vaulting Disk Mirroring of SAN Remote Vaulting to Tape (Avoid data corruption)


Business Continuity Plan (BCP)


Business Continuity Plans Description:

Create business continuity plans that describe the actions and resources necessary to achieve the objectives of the organization’s recovery strategy. These procedures are documented in formal plans and provide guidance through clearly-defined and action-oriented tasks.

Key Outcomes:

• • • • •

Benefit:

• Indicate what needs to be done during a disruption in order to minimize decision points at the time of the disruption

Dependencies:

• Availability & Recovery Strategies

Stakeholders:

• BCM teams from the business functions • BCM program office

Clearly-defined and action-oriented business continuity plans BETH3 resource requirements for business resumption Employee and third party notification procedures Manual workaround procedures Key dependencies

Sample Business Continuity Plan

Change Management

48

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Plan Documents Emergency Response Plan Focus on people and property. Includes escalation, notification, life safety, physical security, technology, and emergency operation center procedures. Addresses the immediate after-effects of the event.

Crisis Management Plan Focus on strategic leadership, executive protection and response, succession, public relations, legal, employee death or injury, major supply chain disruptions and other critical situations. The Crisis Management team takes responsibility from the Emergency Response team and becomes active prior to declaration of a “disaster”. The Crisis Management Team is responsible for “declaring the disaster”.

Business Continuity Plan Focus on critical process or business unit, core competencies, key personnel, RTOs & RPOs, alternative locations, command & control, vital records protection, data security and workarounds & interim operations.

Disaster Recovery Plan Focus on restoring technology & business infrastructure. It includes critical systems restoration, RTOs and RPOs, communications, data recovery, and recovery sites.

49

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Structure of BCM Documentation Facility BCM Binders contain recovery information Stored offsite and electronically Distributed at time of disaster Operation cards to be posted on boards to facilitate/track recovery

Facility Level

Facility BCM Binders

50

Business Continuity Management (BCM)

Overall BCM Plan

Damage Assessme nt Procedure s

Recovery Managem ent Procedure s

Return to Normal Procedure s

Process Level Process Recovery Coordinati on Cards

Operation Level

Operation Recovery Cards

Š2012 Deloitte. All rights reserved.


Crisis Event Timeline Business Continuity Plan (BCP) Crisis Management Plan (CMP) Incident Management Plan (IMP) Prevent / Preparedness

51

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Sample - Consequence of Documentation – Crisis Event Timeline

52

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Awareness & Training


General Awareness Description:

Raise general employee awareness about business continuity risks through internal communications campaigns via executive messages, intranet postings, etc. Lays the foundation for training about specific roles and procedures in the event of a disruption.

Key Outcomes:

• Business continuity awareness materials • Increased level of awareness about business continuity risks and importance of disaster preparedness

Benefit:

• Promote a corporate culture of disaster preparedness • Lays foundation for specific business continuity plan training

Dependencies:

• None

Stakeholders:

• BCM program office • Corporate communications General employee awareness is a component of the overall training and awareness strategy

General Employees Awareness

Training Specialized Roles

Change Management

54

Business Continuity Management (BCM)

Education

©2012 Deloitte. All rights reserved.


Business Continuity Plans Training Description:

Train everyone involved in the recovery and continuity processes so they are aware and equipped to fulfill their responsibilities.

Key Outcomes:

• Training materials • Trained resources prepared to execute the business continuity plan • Sufficient cross-training to allow business resumption even in the absence of specific key personnel

Benefit:

• Promote a corporate culture of disaster preparedness and provides detailed knowledge necessary to carry out business continuity activities

Dependencies:

• Implemented Business Continuity Plans

Stakeholders:

• • • •

BCM teams from the business functions All employees from the business functions BCM program office Training & development

Change Management

55

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Implement – Training & Awareness BCM Program Communications & Education Strategy

Compelling, Shared Vision

Articulation of a compelling, shared vision and business imperative for BCM communication & education

Key employees are enabled to perform their BCM roles and responsibilities Training & Performance Support

Stakeholders with authority, power and/or influence lead and visibly support the communication & education effort

Power & Politics

Business Continuity Management Organizational Infrastructure & Processes Development of a framework that supports ongoing BCM communication & education

Communications & Engagement

Measures, Milestones & Evaluation

Associates are well-informed about BCM

Establishment of short- and long-term measures of success

56

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


BCM Exercising


BCM Exercising Description:

Examine the validity of recovery and continuity plans through a testing exercises using rehearsals or other similarly rigorous testing techniques. IT disaster recovery should be incorporated into business continuity testing as possible. Third-parties may be involved in testing exercises as appropriate.

Key Outcomes:

• Test schedules, plans, and support materials • Testing result • Enhanced business continuity plans based on learnings from the test

Benefit:

• Identifies issues with the recovery and continuity plans during a test rather than during an actual disruption • Supports training and awareness objectives • Enhances coordination between business, IT, shared services, third-parties in advance of an actual disruption

Dependencies:

• Implemented Business Continuity Plans

Stakeholders:

• BCM teams from the business functions • Key employees from the business functions • BCM program office

Change Management

58

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Sample - Exercising & Testing Set KPI

Step

Frequency

Desk Check

Complexity & Cost

High

Low

Low

High

1

To consider frequency / number of practitioner / time for preparing or investment for define type of BCM plan testing

2

Define objectives of testing align with plan objectives

3

KPI in each category will be different by type of BCM plan testing

Walk-Through Simulation Exercise Critical Activities Exercise Full BCP

59

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Sample - BCM Implementation Plan

60

Business Continuity Management (BCM)


Weerapong Krisadawat Partner Tel: + 66 2676 5700 Ext. 6211 Email: wkrisadawat@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/th/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network�) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication

Š 2012 Deloitte Touche Tohmatsu Jaiyos


BCM Case Studies & Lessons Learned

Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.


Agenda

Introduction: Key understanding towards strategic decision

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices BCM case studies & lessons learned from various business sectors

Š2012 Deloitte. All rights reserved.


2011 BCM Survey Results Data Source: The 2011 BCM Survey: CMI

Perceived benefits of having BCM

Reason for not having BCM

Common elements of effective BCM

Products & Services used when developing BCM

62 Business Continuity Management (BCM)

Š 2012 Deloitte Touche Tohmatsu Jaiyos


2011 BCM Survey Results (Continued) Barrier of developing BCM in organization

Conflicting Priority

Lack of Time

Objectives of developing BCM Protect reputation

63 Business Continuity Management (BCM)

Š 2012 Deloitte Touche Tohmatsu Jaiyos


CFO Survey Japan 2011 3/11 Triple Disaster Impact - Crisis Management and Resilience

This survey is an initiative of the CFO Program Japan which focuses on foreign companies in Japan and was conducted between 29 March and 12 April 2011 (Version 2 includes data until 30 April 2011). Presently, around 110 companies are actively participating in the various program initiatives and were invited to partake in this survey. The majority are D300 and MFSC clients with subsidiaries in Japan. This survey summary will be used as input for a CFO Roundtable discussion on 20 May 2011. Detailed discussion topics to be finalized (potential topics can include: crisis preparation, crisis management, business continuity and recovery, impact of 3/11 on Japan). The discussion will be summarized and published after 20 May 2011.

64

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Impact on Business and Operations • Of those companies that were allowed to disclose their financial impact, TMT and Automotive companies report the highest negative impact on their revenues and profit for 2011 mainly due to supply chain disruptions and need for alternative suppliers • Many companies in these industries are still not in a position to assess the impacts at the time of closing this survey • Larger FSI companies (100M JYN and more annual revenue) and especially insurance companies report significant revenue impacts and even larger drops in profits • The Life Sciences companies are overall the least impacted and besides one, none of them faces any supply chain breakdowns • The participating energy company expects even revenue increase thanks to larger demands for their products • Some Consumer Businesses, especially the participating luxury retailer, still finalize their assessment of the overall impact however, their biggest worry is a possible change in consumer buying behavior partially due to mandated changes in opening hours and transportation availability • The biggest common headache expressed is the unclear power situation which will force companies to change their office hours, work places and shifts and have even some re-think their location

65

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


CFO Survey of foreign companies in Japan - Participants Foreign companies in Japan who are actively participating in the Deloitte CFO Program were invited to share their views on the triple disasters

Job titles

Revenue of foreign subsidiary in Japan

Job title “other”: Country Executive and Group Japan CFO Source: Deloitte Japan CFO survey 1H2011 (38 completed and 27 partially completed questionnaires)

66

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


CFO Survey of foreign companies in Japan – Industries • Financial Services and Life Sciences represent the largest share of participating companies • 35% are US based, followed by 14% German and 14% French companies

Industry segments

Headquarter Country

Source: Deloitte Japan CFO survey 1H2011 67

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Anticipated Impact of Triple Disasters on Japan Revenue for 2011 • Some participants are still assessing the impact and provided directional inputs only • 21% expect no impact on their revenue at all and 55% estimate declines between 1 and 10%, however still 13% expect drops up to 25% of their revenue

Expected Decline in Revenue

• The manufacturing and technology industry representatives report the highest expected impact • Some FSI companies can be found in the mid-range of 10-15% and most Life Sciences report very low or no impact

68

Business Continuity Management (BCM)

Survey Participant Comments “Other”: - FSI: - Top line may shrink by 10-15% due to slower economy - Small - Closed block, so no new revenue but continued inforce M&E fees impacted due to lower equity markets - Too early to estimate - Delay in executing selective transactions - TMT: - Too early to say since supply chain ripple effects not known yet - Short term negative, long term unclear based on possible rebuilding investment - Life Sciences: - Difficult to estimate right now - Consumer Business: - Currently being assessed

©2012 Deloitte. All rights reserved.


Financial Impact – Financial Services Industry Revenue Size of Participating FSI Companies

• 56% of the participating companies are considered large – revenue over 300 B JYN • Revenue impact – One half of the respondents expect a revenue drop between 10-15% – Other half expects no or only small impact on revenue

Profit Impact – rather different – About one half of the respondents expects their profits to drop between 0 and 10% – However, one third of the respondents estimates profit declines between 20 and 50% and these are mostly the large FSI companies

69

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Financial Impact – Life Sciences Revenue Size of Participating Life Sciences Companies

• Close to 60% of the participating life sciences companies have annual sales between 100 and 300 B JYN • Revenue impact – About one third of the participating companies do not expect any impact on their revenue at all – Around 60% expect some drop between 1 and 5% and around 15% estimate a decline closer to 10%, but nothing more

Profit Impact – similar to Revenue Impact – About 15% expect even an increase in profits this year – Around 60% expect a decline in profits between 1 and 8% which is very similar to their expected revenue decline – Around 15% estimate a profit decline closer to 10%

70

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Impact on Human Capital – Overall very limited Fortunately, 75% report no impacts on their personnel, however 10% have to cope with some loss

Impact on Human Capital

A potential longer term impact for foreign companies: •It will be increasingly more difficult to motivate and incentivize talent and staff from Headquarters or other subsidiaries to take on assignments in Japan due to uncertainties related to nuclear accident and power outages, among other •This can worsen the already existing shortage of talent in many areas of the operations, and especially in finance and accounting

71

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Impact on overall Operations – Limited Again fortunately 65% report no impacts on their operations, however 23% have been scaling back their operations and 3% even performed shut downs

Impact on Operations

“Other”: - One plant near Fukushima Daiichi abandoned - Few damages to retails stores - Nothing new, but cost is in using back up systems that were prepared

• Companies scaling back their operations can be found in several industries with manufacturing and retails outlets • These facilities can be damaged and ongoing face power shortages hinder regular operating hours

Note: Foreign companies with manufacturing sites could not always assess the impact of the triple disasters on their operations and therefore the largest group of participating companies in this survey do not have manufacturing sites in Japan.

Source: Deloitte Japan CFO survey 1H2011

72

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Impact on overall Supply Chain – Mainly Supplies and Suppliers The biggest supply chain disruptions are related to missing / delayed supplies and affected suppliers

Impact on Supply Chain

• The full extend of the impact on the supply chains are still to be sees, however the continued power black outs and shortages will prevent companies from business as usual • Changes to operating hours, shifts and work places are considered and partially already implemented to workaround the power issue

Input on “Other”: - Impacted but full extend of ripple will only be known in a few months - Find suppliers for discontinued own production - Delay in production process at supplier level - Primary concern is supply of electricity

73

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Impact on Infrastructure and Operations 75% report some impact of the triple disasters on their customers and intermediaries (e.g. agents, physicians, etc.) and most companies are actively support them as part of their recovery activities

Impact on Infrastructure and Operations

Comment: other Service Providers - General economic and currency impact possible

74

Business Continuity Management (BCM)

Note: the large portion of impacted customers and intermediaries can be due to the represented companies in the survey (e.g. relatively large number of Financial Services and Life Sciences companies).

Š2012 Deloitte. All rights reserved.


Expected Recovery 65% expect their subsidiaries to fully recover within the next 6 months, however this optimism is not shared for the Japanese economy Expected Recovery of Subsidiary vs. Japanese Economy

Japan Subsidiaries

Japan Economy

Source: Deloitte Japan CFO survey 1H2011

75

Business Continuity Management (BCM)

Š2012 Deloitte. All rights reserved.


Some reasons for fast recovery of subsidiaries

“Increased demand for our products due to the triple disasters” –French Construction Company “Limited impact – Kansai HQ and small sales in most affected region” – UK Life Sciences Company “Major business done ex-Osaka” – German Life Sciences Company

76

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Six key areas for improvement are identified:

Since less than half of the participating companies have business continuity plans in place, it is not surprising that this is a key area for improvement going forward

Business Continuity Plans

Tests and Exercises

77

Business Continuity Management (BCM)

Policies / Guidelines

Technology Upgrades

Location Reconsiderations

Emergency Supplies

Š2012 Deloitte. All rights reserved.


“This time we did a small pilot for moving a subset of a single operation to Osaka. We learned of a few challenges in this area in case we need to relocate more. … family challenges, constrained hotel capacity, etc. We have prepared stronger contingency plan for a relocation of HQ operations.” CFO of US TMT Company

78

Business Continuity Management (BCM)

©2012 Deloitte. All rights reserved.


Weerapong Krisadawat Partner Tel: + 66 2676 5700 Ext. 6211 Email: wkrisadawat@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/th/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network�) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication

Š 2012 Deloitte Touche Tohmatsu Jaiyos

BCM Seminar 10 May 2012  

Seminar on Operation Sustainability for Your Business at Holiday Inn Silom Hotel, Bangkok

Advertisement