
Review of Internal Audit in RBS Exam

Business Continuity Planning (BCP)

A paper presented during NDIC Induction Programme @XXXX Hotel, Lagos
by
J. T. Anifowose (DD, BED)
Outline
• Table of Contents
• Introduction
• Objectives of BCP
• Steps to Business Continuity Planning
• Business Continuity Planning in NDIC
• Conclusion
Introduction

Business Continuity Planning (BCP) is the process involved in
creating a system of prevention and recovery from potential threats
to an Organization.

The plan ensures that personnel and assets are protected and are
able to function quickly in the event of a disaster.

BCP involves defining any and all risks that can affect the
organization's operations, making it an important part of the
organization's risk management strategy. Risks may include natural
disasters like fire, flood and earthquakes, as well as cyber-attacks.
Introduction Cont’d
• A Business Continuity Plan, often abbreviated to BCP, is a plan
that outlines the actions to be taken when one or more defined
events disrupt normal business operations. Having a plan will
help you to ensure business continuity.
• A key component of a Business Continuity Plan (BCP) is a
Disaster Recovery Plan that contains strategies for handling IT
disruptions to networks, servers, personal computers and mobile
devices etc.
• A BCP is more comprehensive than a Disaster Recovery Plan and
contains contingencies for business processes, assets, human
resources and business partners – every aspect of the business
that might be affected.
Objectives of BCP
The core objectives of Business Continuity Planning include:
• Reducing the possibility of any interruption in regular business
processes using proper risk management.
• Minimizing the impact of interruption, if any.
• Teaching the staff their roles and responsibilities in such a
situation to safeguard their own security and other interests.
• Protecting the business from failure and negative publicity.
• Protecting critical data and maintaining stakeholder relationships.
• Fulfilling legislative and regulatory requirements.
Steps to Creating a Business Continuity Plan

While creating an effective BCP is a lot of work, it's a critical piece of operating a
resilient business. The steps to creating a BCP are:
• Step 1: Assemble a Business Continuity Management Team - The makeup of
your team depends on your continuity objectives and the size of your company.
A good BCP should detail what the staff needs to do in the event of a disaster,
what communication methods are required, and the timeframe in which critical
IT services need to be available.
• Step 2: Ensure the Safety and Wellbeing of Your Employees - When planning,
the safety of employees must be prioritized amid a crisis. Be proactive and
transparently address their concerns.
Steps to Creating a Business Continuity Plan Cont’d

• Step 3: Understand the Risks to the Organization - Once the Business
Continuity Management Team is assembled, a Business Impact Analysis (BIA)
must be conducted. This type of analysis will help to identify specific threats to
financial performance, operations, supply chains, reputation and employees. It can
serve as a starting point when identifying risks.

• Step 4: Implement Recovery Strategies - Once a disaster occurs, and financial
losses begin to grow, it can be challenging to get back on track without a BCP
in place.
Steps to Creating a Business Continuity Plan Cont’d

• Step 5: Test, Test Again and Make Improvements - No matter how long is
spent perfecting it, a Business Continuity Plan (BCP) is never truly finished.
Testing the Business Continuity Plan allows the organization to validate it as it
manages risks. The result of this testing is not "pass or fail," but continuous
improvement by identifying findings through a live exercise. The Business
Continuity team prepares the organization for success by ensuring continuous
business continuity testing.
Business Continuity Planning in NDIC
The Corporation had established a robust and tested Business Continuity
Management System (BCMS). Business Continuity Management System (BCMS)
is a Management System for Business Continuity Management (BCM). It
establishes, implements, operates, monitors, reviews, maintains and improves
business continuity.

BCMS Implementation Experience in NDIC


• On 16th May, 2015, Management engaged the services of
PricewaterhouseCoopers (PwC) to develop Business Continuity Management
and Disaster Recovery Framework for the Corporation.
• On the 4th August, 2015, Management approved the constitution of a
nine-member Project Team comprising ETSD/PMSD, Legal, ERMD, IAD, HRD
and SDD.
BCMS Implementation Experience in NDIC Cont’d
• A Business Impact Analysis/Risk Assessment was conducted on all
Departments, Units and six Zonal Offices between 23rd November and 18th
December, 2015 to determine critical business processes.
• In February, 2016, a draft Business Continuity Management and Disaster
Recovery (BCM & DR) Framework for the Corporation was submitted to ERMD
by the PwC Consultant for review.
• The EXCO at its 469th meeting held on 20th May, 2016 considered and
approved the BCM Framework for the Corporation and directed its
immediate implementation.
• Following the successful implementation of the Framework as directed by the
Management, the Corporation engaged the services of Finesse Integrated &
Afenoid Enterprise Ltd to commence the process of ISO 22301 Certification.
BCMS Implementation Experience in NDIC Cont’d
• In 2017, the Corporation went through a rigorous Stage 1 audit on its BCMS by
the British Standards Institution [BSI] where 15 non-conformities were
identified.
• After the successful closure of the identified non-conformities by the
Corporation, the British Standards Institution [BSI] conducted the Stage 2 Audit
and recommended the Corporation for ISO 22301: BCMS Certification.
• After consideration, the British Standards Institution [BSI] awarded the
Corporation ISO 22301: BCMS Certification and two others.
• The Corporation, in partnership with Consultants, successfully conducted
several trainings on BCMS. Presently, over 38 staff of the Corporation are ISO
22301: BCM Certified.
NDIC’s Incident Response Structure
• The first stage in Business Continuity planning is defining an appropriate
incident response structure: that is the team, or teams, who are responsible for
coordinating the Corporation’s response to a disruption.
• This plan provides guidance to the Head Office’s Crisis Management Team
(CMT) and Department/Unit Heads in coordinating their response to, and
recovery from an incident affecting the Head Office operations.
• In the event of a serious or critical incident, the Head Office CMT will need to
notify the Executive Management Team (EMT) and may need to seek direction
and strategic leadership from them.
Team Roles and Responsibilities Cont’d
Executive Management Team (EMT)
• Provide overall strategic direction during an incident response
• Make decisions regarding the strategic response while considering the
implications on staff, stakeholders, operations and the Corporation’s reputation
• Ensure the Head Office CMT is invoked and appropriately staffed to tactically
manage the incident
• Ensure the proactive management of external factors and perceptions
• Monitor the progress made by the Head Office CMT in coordinating the tactical
response
• Work with the Crisis Communication Team (CCT) to ensure all internal and
external communications are appropriate and approved prior to dissemination
Crisis Management Team (CMT)
• Provide leadership for an effective, efficient and coordinated incident response.
Essentially, the Head Office CMT must ensure that the Corporation absorbs,
recovers and effectively responds to the incident.
• Conduct an assessment of the impact to the Corporation’s Head Office
• Review the overall strategies for recovery (e.g. relocation) and facilitate quick
escalation to the EMT and ensure the safety and well-being of all staff, at both
the incident and recovery site(s)
• Ensure all decisions consider the impacts on stakeholders and their
requirements as well as ensure the timely deployment of appropriate resources
(e.g. staffing, equipment) to priority areas.
• Provide updates on the Corporation’s response to events and also on staff
matters until such time that the Corporation has returned to acceptable
predefined levels.
Crisis Communication Team (CCT)
• With the approval from the EMT, the CCT issues initial and ongoing
communication to all staff on the status of the recovery and all other relevant
information
• Monitors all external media including social media and escalates to the Head
Office CMT and EMT, if need be.
• Provides liaison with external media, creates all press releases and ensures
regular updates to all stakeholders
• Manages the mass communication platform and oversees its proper use if
delegated to subordinate teams
• Takes steps to preserve the image and reputation of the Corporation by means
of a proactive media campaign.
Chief Security Officer (CSO)
• Coordination and administration of all security matters in the Corporation.
• Maintenance of vigilance and alertness and reporting of any suspicious
activities that may constitute threat to lives and property.
• Produce/ Review Fire Fighting Instructions and conduct periodic inspection of
fire detection and fire fighting equipment.
Department/Unit Recovery Teams
• Maintain the core activities of the Department/Unit in the event of a significant
disruption.
• Ensure dependencies (e.g. people, systems, properties, and Third Parties)
required to support the Department/Unit’s recovery are in place.
• Seek direction and keep the Head Office CMT apprised of the status of
service continuity and escalate any issue or decisions, as required.
• Inform the Head Office CMT of Department/Unit’s resource requirements if staff
cannot access the required systems or equipment from home/recovery site.
• Account for the safety and well-being of all Department/Unit staff, new staff and
Department/Unit’s visitors on site.
• Submit periodic reports on the recovery status to the Head Office CMT
• Ensure that this BCP is communicated to all staff of the Department/Unit/Office.
The Head Office Incident Response Structure
Head Office CMT structure
Abuja (Head) Office Incident Response and Recovery Process
BCMS Implementation Challenges in NDIC
• Capacity building for staff with BCM roles and responsibilities
• Inadequate awareness of staff on BCMS concepts
• Maintaining BCMS culture among staff of the Corporation
• Although staff response to fire drill exercises has improved, meeting
the ‘5 minutes’ time limit as per the standard still remains a challenge.
• Insufficient commitment of teams within the BCMS structure, e.g., holding
regular meetings
• Inadequate infrastructure at the Disaster Recovery Site.
Conclusion
• The ultimate objective of BCMS is to ensure that in the event of any unplanned
or unpredicted interruption, the Corporation’s core business processes are
safeguarded by responding as fast as possible, recovered and returned to
normal business operations.
• This can only be achieved by properly embedding the Management System
into the culture of the Corporation and the DRTs/SIRTs have a critical role to
play.
• So, let us all put heads together and make this a Success!!!
Thank you for listening
