Types of Business Continuity Planning

EMEIA Business Continuity Planning


Paris  1999

Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com


Agenda

• Introduction
• Objectives of BCP
• Approaches to BCP
• Dimensions of Scope
• Entry Points
• Q&A



Introduction

So…you’ve decided to embark on a BCP project


…but where do you start?

• Define the objectives
• Determine the dimensions of scope
• Select an appropriate approach
• Proceed from an entry point



Objectives

Four possible objectives of BCP:


• Satisfy audit or regulatory requirements
• Rebuild the infrastructure
• Resumption of business activities
• Continuity in customer service

Audit or regulatory requirements

If your focus is on

• passing an audit or getting points cleared
• minimizing costs

then your objective is to satisfy audit or regulatory requirements.



Rebuild the infrastructure

If your focus is on

• alternative facilities and sites, and
• solutions to minimize downtime of key infrastructure and systems,

then your objective is to rebuild the infrastructure.



Resumption of business activities

If your focus is on

• setting up an organization and the required facilities to enable key staff to resume their activities,

then your objective is the resumption of business activities.
Continuity in customer service

If your focus is on

• defining what level of customer service must be maintained throughout a disaster, and
• what is required to achieve that level of customer service,

then your objective is to ensure continuity in customer service at an acceptable level.
Approaches to BCP

Approaches to BCP based on the objectives:

Objective ---> Approach

• Satisfy audit or regulatory requirements ---> Tick-box approach
• Rebuild the infrastructure ---> Infrastructure approach
• Resumption of business activities ---> Gradual / subplans approach
• Continuity in customer services ---> Business approach (holistic)



Scope

Event Interrupting Operations

• Asset Protection: protection of assets (e.g. people, building, …)
• BCP: preparation of critical elements for business continuity



Scope

Enterprise-wide versus IT…

…be clear on the scope of your BCP project



Dimensions of Scope

[Figure: the three dimensions of scope]

• Infrastructure: office relocation, dealing room, network, control room, IT DRP, network resilience, server mirroring, equipment failures
• Business Interruption Risks (BIR): long term business viability, brand image, regulatory, client satisfaction, capacity, infrastructure risk
• Business
Infrastructure

…the identification and protection of critical (IT) infrastructure required to maintain an acceptable level of business,

...to ensure the survival of the organisation in times of business disruption.



Infrastructure

Critical infrastructure can include

• Mainframe
• Networks
• Applications
• PCs and desktops
• Manufacturing infrastructure
• Logistical infrastructure
• Office locations
Business

…the identification and protection of critical business processes required to maintain an acceptable level of business,

...to ensure the survival of the organisation in times of business disruption.



Business

Critical business processes can include

• Manufacturing
• Sales / order entry
• Payroll
• Dealing room activities
• Delivery
• Client communication
• Accounting and finance
Business Interruption Risk

…the identification and protection against business risks resulting from a business interruption jeopardizing

... the survival of the organisation in times of business disruption.



Entry Points

There are four possible entry points depending on the drivers of the approach.

If your approach is… ---> Then your entry point is...

• Event driven ---> Evaluate threats
• Business risk driven ---> Assess risks from interruptions
• Business driven ---> Analyse critical processes
• Applications or systems driven ---> Dependency on (IT) infrastructure
Threats

Classification of threats according to the type of event:


• Acts of nature - hurricane, flood, earthquake,…
• External man-made events - terrorism, evacuation, security intrusion,…
• Internal unintentional events - accidental loss of files, computer failure,…
• Internal intentional events - strike, sabotage, data deletion,...



Risks
Business Risk Model™

ENVIRONMENT RISK
• Competitor, Sensitivity, Shareholder Relations, Capital Availability, Catastrophic Loss, Sovereign/Political, Legal, Regulatory, Industry, Financial Markets

PROCESS RISK
• OPERATIONS RISK: Customer Satisfaction, Human Resources, Product Development, Efficiency, Capacity, Performance Gap, Cycle Time, Sourcing, Commodity Pricing, Obsolescence/Shrinkage, Compliance, Business Interruption, Product/Service Failure, Environmental, Health and Safety, Trademark/Brand Name Erosion
• EMPOWERMENT RISK: Leadership, Authority, Limit, Performance Incentives, Communications
• FINANCIAL RISK: Currency, Interest Rate, Liquidity, Cash Transfer/Velocity, Derivative, Settlement, Reinvestment/Rollover, Credit, Collateral, Counterparty
• INFORMATION PROCESSING/TECHNOLOGY RISK: Access, Integrity, Relevance, Availability
• INTEGRITY RISK: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation

INFORMATION FOR DECISION MAKING RISK
• OPERATIONAL: Pricing, Contract Commitment, Measurement, Alignment, Completeness and Accuracy, Regulatory Reporting
• FINANCIAL: Budget and Planning, Completeness and Accuracy, Accounting Information, Financial Reporting Evaluation, Taxation, Pension Fund, Investment Evaluation, Regulatory Reporting
• STRATEGIC: Environmental Scan, Business Portfolio, Valuation, Measurement, Organization Structure, Resource Allocation, Planning, Life Cycle



Entry point: infrastructure

• Traditional approach
• Very often limited to IT, then extended to "departmental" infrastructure or office infrastructure
• Very often the business perspective is used to assess criticality of infrastructure elements, and to justify the cost (business impact analysis)
• The risk scope is limited to infrastructure risks through analysis of threats (potential events)

[Figure: dimensions of scope diagram (Infrastructure, Business, Business Interruption Risks)]
Entry point: business

• Top-down approach
• Starting from a top-down analysis of the critical business domains or processes.
• For the critical business processes, assess the dependencies and criticality.
• Often, the business interruption risk dimension is included into the business impact assessment, although not always made explicit or limited to the obvious business interruption risks.

[Figure: dimensions of scope diagram (Infrastructure, Business, Business Interruption Risks)]
Entry point: business risks

• Enter by looking at the business risks created by a business interruption.
• Allows more than the operational impact to be included, for instance product quality, brand image, health & safety, cash flow, ...
• To manage these risks, other actions may be included in addition to BCP, for instance asset protection, supply chain management, crisis management, media management,...
• Here we can provide the best added value

[Figure: dimensions of scope diagram (Infrastructure, Business, Business Interruption Risks)]
Risks

The “five As” of risk management:

• Assess risk
• Accept or reject risk
• Avoid risk, transfer risk or reduce risk to acceptable level
• Analyse performance gaps
• Act to improve



Business processes

Identify key dependencies and vulnerabilities within the business organisation, top-down:

• What does the company depend on to be successful?
• What are the key business processes driving the business?
• What are the flows within these business processes?
• What are the vulnerabilities and dependencies within these flows and business operations?

[Figure: Key business drivers, Business processes, Information flows, Infrastructure & resources]
(IT) infrastructure

Achieved by:

• Obtaining an inventory of (IT) infrastructure
• Assessing the possible threats
• Analysing the potential business impact
• Selecting the critical infrastructure
• Identifying recovery solutions



BCP Methodologies

Two main BCP methodologies:

Entry points ---> BCP methodology

• Infrastructure, Threat ---> Infrastructure-oriented, threat-based
• Business, Risk ---> Business-oriented, risk-based



Q&A

Geert Vancoppenolle

Computer Risk Management

Brussels

+32 / 2 / 545.31.20

geert.vancoppenolle@be.arthurandersen.com
