Enhancing BCM Effectiveness through Challenges

Continuity and Resilience (CORE)

ISO 22301 BCM Consulting Firm

Presentations by speakers at the 1st KSA Business & IT Resilience Summit

16th Feb, 2017 at Four Seasons Hotel, Riyadh KSA

Our Contact Details:

INDIA: Continuity and Resilience, Level 15, Eros Corporate Tower, Nehru Place, New Delhi-110019. Tel: +91 11 41055534 / +91 11 41613033. Fax: +91 11 41055535. Email: [email protected]

UAE: Continuity and Resilience, P. O. Box 127557, Abu Dhabi, United Arab Emirates. Mobile: +971 50 8460530. Tel: +971 2 8152831. Fax: +971 2 8152888. Email: [email protected]

Upload: continuity-and-resilience

Post on 23-Feb-2017


Enhancing BCM Effectiveness through challenges

16 Feb. 2017

Document Classification: PUBLIC


Content

Obtaining & Maintaining the Management Commitment

Building the sense of ownership and accountability

Embedding the BCM in the Corporate Culture

Practicality of the BCM arrangements

Coordination & Cooperation

Assuring the Continuity of the BCM

Multiple Vendors Management

Getting Standardized

Obtaining & Maintaining the Management Commitment

Obtaining the Management Support:

• First and most important step in any BCM Program

• PROS VS CONS of having BCM:

• Financial benefits, cost effective

• Competitive advantages

• Enhance the Business

• Kick off meeting, Workshops and Presentations

• Simulate a disaster.

Maintaining the Management Support:

• Maintaining is more difficult than obtaining

• Keeping the Management involved and updated

• Show the regular progress reports and the achievements

• Prove the effectiveness of your BCM arrangements

Building the sense of ownership and accountability

Ownership:

• Who is the BCP owner?

• If you own it, you'll care about it.

• Organization is too big and diverse for one department to own all the BCPs

Accountability:

• Who is accountable for developing, updating, exercising and invoking the BCP?

• No one knows my business better than I do.

• Any disruption in my business will impact me the most

Building the sense of ownership and accountability

BCM Champions:

• An ambassador for BCM in each department

• The champion must be senior in the organization, with authority over his department

• Provide them with BCM training so they can understand both sides (their department & BCM)

• Recognitions and awards

KPIs & KRIs:

• Add a BCM KPI for each department head

• Develop a KRI for each department to monitor and assure the BCM arrangements

Embedding the BCM in the Corporate Culture

Why is it important?

• The employees are the first line of defense

• If you believe in something, you will do it right

• If it's part of the culture, it will remain for a long time

Obstacles:

• Change in big organizations is not easy

• Scattered infrastructure and employees do not help

• Raising awareness is one thing, keeping it up is another

• Employee turnover

Embedding the BCM in the Corporate Culture

Raise Awareness:

• Posters, Booklets, Emails and Intranet site.

• Regular Awareness Workshops

• General

• Directed

• Competitions and Office Gifts

• Induction Programs for newcomers

Make it a culture:

• Permanent part of organization processes.

• Continuous monitoring of BCM effectiveness.

Practicality of the BCM arrangements

BCM level of participation:

• Are we looking at the trees of the forest, or at the leaves of the tree?

• Define the scope:

• High level will not give the needed guarantee

• Deep detail will require an army

• Define the roles and responsibilities, draw the boundaries

Developing the BCP:

• Table of contents:

• Too big: hard to read

• Too small: not enough info

• Number of plans:

• Too many: confusing

• Too few: very high level

Coordination & Cooperation

Vertically & Horizontally:

• Between Departments:

• High dependencies between many departments

• Upstream and Downstream

• Different focus and interests

• With Management:

• So many levels

• Speed is of the essence

Peace & Crisis:

• Development Phase:

• It is a collaborative work

• Agreeing on the criticality

• Invocation Phase:

• Collecting the information for accurate impact assessment and escalation

• Decision Making, Crisis Communication

Coordination & Cooperation (Cont.)

[Figure: matrix of coordination measures. Axes: Time (Peace, Crisis) and Org. structure (Horizontally, Vertically)]

• Creating a BCM Management Committee

• Define the Crisis Triggers and the Escalation Matrix, detailed Crisis Communication Plan

• Regular meetings between the BCM champions

• Developing Incident Management Process with Incident Reporting Templates

Assuring the Continuity of the BCM

It is a lifecycle, not a project:

• There is no Finish Line.

• Maintain the focus

• Allocate the needed resources

• Assure the readiness at all times

• Manage all the new changes

Compliance Programs:

• Review Program

• Exercise Program

• Audit Program

• Embedding Program

[Figure: Continual Improvement. Repeated Plan, Do, Check, Act cycles; axes: Maturity Level and Time]

Multiple Vendors Management

Multiple Vendors:

• High dependency on vendors

• Large number of vendors

• Huge variety of services by the vendors

• Different SLA with each vendor

• Monitoring the vendors' SLAs

• Vendor operation is a black box

• Supply Chain Management

Partnership Concept:

• Share the pain, share the gain

• Cost Effective

• Partners are more involved and concerned about your business than vendors

• Compliance Programs with partners are more effective than SLAs with vendors

• More collaboration, more understanding

[Figure: Organization, Vendor, Supplier]

Getting Standardized

Difficulties:

• Different departments

• Different methods of implementing the business

• Customized solutions

Benefits:

• Having the blueprint of the house before starting to build it

• Speaking the same language

• Be able to compare

• Seeing the full picture

• Certification


Exercising, Maintaining & Reviewing

Exercising, Maintaining & Reviewing

Types of Testing

[Figure: test types plotted by Scope & Complexity (Low to High) against Team Maturity (Low to High)]

• Walk-through testing: Basic and simple; it involves reviewing the recovery procedures without real implementation

• Integrated testing: Tests a group of plans by actual implementation of recovery procedures

• Standalone testing: Tests one plan or one component of the plan by actual implementation of recovery procedures

• Simulation testing: Same as integrated testing plus involving management (Crisis Management team)

Exercising, Maintaining & Reviewing

Benefits of testing the plans

Testing reveals missing steps:

When the plan is written, we think about the services, products, processes, systems and procedures, and the steps of the BC/DR plan are developed on the basis of our understanding. In this sense, the plan is a reflection of the experience of the plan author. However, in a crisis, the people who execute the recovery may be different people. The plan will then not be implemented properly because of missing steps that the author assumed to be known and did not reflect in the plan. Examples of missing information/steps:

• IT Security Codes

• Recall & Communication Procedure amongst the recovery team

• Location of the disaster or business Recovery Site

Testing reveals Plan Errors:

Writing a plan sometimes introduces misleading, incorrect, or unnecessary steps. Testing the plan will uncover all of these deficiencies.

Exercising, Maintaining & Reviewing

Benefits of testing the plans (Cont.)

Testing uncovers changes in the process, organization structure, services, people, etc. since the recovery plan was written:

For instance, a plan may have been written and stored on the shelf for a period of time without review. Over time, the IT team changes server sizes or upgrades to new software versions, the business model changes, or key support people leave the organization. As a result of those changes, the plan will no longer be valid.

Testing a Plan trains the team:

After the plan is developed, exercising it will train each recovery team member in his role during the crisis, because reading the steps in the plan is totally different from actually implementing them in reality. In addition, exercising the plan will give the recovery team more confidence to implement the plan during the crisis without any panic, and this will lead to less recovery time.

Validate the plan accuracy to achieve desired organization objectives:

During the planning stage of any recovery plan, we may overlook some logistics issues such as transportation, physical access or alternative location, which will heavily impact the Recovery Time Objective (RTO). Based on testing, we will determine the true length of recovery time, and ultimately the ability to achieve the desired company RTO, especially if there are several plans involved at the same time.


Thank You

Questions?

Nabil H. Aloufi, CBCP, CBCI

+971 50 8460530

[email protected]