ISACA Singapore Seminar and Networking Dinner December 20, 2011 National Library Board Building Level 5, Possibility Room


Page 1: ISACA Singapore Seminar and Networking Dinner SG... · •ISO/IEC 24762 Guidelines for BC-DR ... –Strong governance ... ISACA Singapore Seminar and Networking Dinner Presentation

ISACA Singapore

Seminar and Networking Dinner

December 20, 2011

National Library Board Building

Level 5, Possibility Room

Page 2

Auditing the Business Continuity Management Programme:

Challenges, Preparation and Competency

Dr Goh Moh Heng

President

Page 3

Dr Goh Moh Heng

• President – Business Continuity Management (BCM) Institute – www.bcm-institute.org

• Managing Director – GMH Continuity Architects – Asia Pacific BCM Consulting Firm – www.GMHasia.com

• Professional BCM Appointments

– Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org

– Project Director, Technical Working Group for SS507:2004 • ISO/IEC 24762 Guidelines for BC-DR Services

http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

Page 4

Dr Goh Moh Heng

Prior Appointments

• Government of Singapore Investment Corporation (GIC)

• Standard Chartered Bank

– Global Head for BCM

• PriceWaterhouseCoopers

• Past Certification Board Member for DRI International’s Certification Board

• Past Executive Director for DRI Asia

• Senior Technical Advisor, China Business Continuity Management Forum

http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

Page 5

Agenda

• Back to Basic

• Update on Global BCM Development

• Mandate BCM Competency

• Audit and Review Key BCM Components

• Learn from Recent Disaster

Page 6

Business Continuity Management Fundamentals

Page 7

[Diagram: Business Continuity Plan as the umbrella plan, with the specific plans beneath it – Crisis Management Plan, IT DR Plan, Security Plan and BC Plan (covering Crisis, IT Recovery, Security and Business Continuity) – triggered by Incidents, Emergencies, Events and Disasters]

Page 8

Common Planning Methodology

http://www.bcmpedia.org/wiki/BCM_Planning_Process_or_Methodology

Page 9

Global BCM Development

BCM Standards and Regulations

Page 10

National Standards for BCM

• UK

– BS25999 Pt 1 & 2

• Singapore

– SS507:2008

– SS540:2008

• Australia/ New Zealand

– ANZ 5050

– HB Series 221, 292, 293

• US

– NFPA 1600: 2011

– ASIS SPC.1-2010 Organizational Resilience

Page 11

Standards and Guidelines

• Regulations and guidelines to organization

– Sarbanes-Oxley Act

– Basel III Capital Accord

– Central Bank’s BCM guidelines

– COSO; COBIT; SAS70

– OSHA

• New BCM Standards

– ISO 22301

• Societal security - Business continuity management systems

– ISO 22399

• Societal security - Guideline for incident preparedness and operational continuity management

Page 12

BCM Planning Methodology and SS540 for BCM

Page 13

BCM Planning Methodology & BS25999

Page 14

International BCM Standards

• BS 25999

• NFPA 1600

• ANZ 5050

• SS 540

• ISO 22301 (2012)

Page 15

Organizational BCM Competency

Page 17

Auditable Components of BCM Programme

Page 18

Audit Requirement for BCM

Key Controls: BCM Competency

Key Controls: Approved Reports

Page 19

Common Language (Online Dictionary)

www.bcmpedia.org

Page 20

Audit Skillset and Upgrading

Page 21

BCM Audit Process Compared with ISO 19011:2002

BCM audit phases:

• Audit Planning and Preparation

• Audit Fieldwork

• Audit Review and Reporting

• Audit Follow-up

Corresponding ISO 19011:2002 audit activities:

• Initiating the Audit

• Conducting Document Review

• Preparing for On-site Activities

• Conducting On-site Activities

• Preparing, Approving, Distributing Audit Report

• Completing the Audit

• Conducting Audit Follow-up

Page 23

Recent Disasters

Page 24

Thailand Flooding

Page 25

Japan Tsunami

Page 26

Lessons from Recent Disasters

• Lack of understanding of what exactly BCM is

• Review of key planning scenario (KPS)

– Single site, regional and multiple disasters

• Focus on:

– Low probability, High Impact to

– High probability, High Impact

• Definition of “BCP”

– Crisis management

– Business continuity

– Emergency response

• Supply chain considerations

• Coordination with public authority

• Welfare of staff and family members

Page 27

BCM Framework

• Policy

– Strong governance

– Alignment with business mission

– Consistency in communication

• People

– Senior Management

– Key executive assigned to the project or programme

– Involvement of business heads and units

– BCM competency

• Process

– Common methodology for BCM, DR, CM, ER, etc.

– Integration of plans within organization


Page 28

BCM Institute Forum – Building a Community

80% Asian and Middle Eastern BCM and DR Professionals

www.bcmi.groupsite.com

Page 29

Web-based Activities

• Exchange of information and experiences

Page 30

THANK YOU

Dr Goh Moh Heng, President

Mobile: +65 96711022

Tel: +65 63231500

Email: [email protected]