008a - GTAG 10 - Business Continuity Management (January 2009)
Management
www.theiia.org
Objectives
• How can business continuity planning
minimize business disruptions?
• The components of an effective business
continuity plan.
• How can a business impact analysis help
identify which operations need to be recovered
first following a business disruption?
• Ways to maximize internal audit’s value in
business continuity management audit and
governance.
BCM Basics
• Definition – NFPA 1600/ANZ 1600 (National
Preparedness Standard for US and Canada)
Can BCP minimize business
disruptions?
• It Should IF…
What Key Ingredients are Necessary to
Ensure I Have an Effective Plan?
1. Enterprise Priority
2. Support for the Cause
3. Someone to Drive
4. Materials, Labor, and a Blueprint
5. Certification
6. Maintenance
Key Challenges
• Getting Executive and Stakeholder Support
• Funding
• Getting All Stakeholders to Agree on Risks and
Impacts
• Getting the Business to Participate and Deliver
on Time
• Performing Sufficient Testing
• Keeping the Plan Maintained
BCP Components
Related Disciplines
• Emergency Response
• Crisis Management and
Communications
• Resumption of Business Functions
BCM Lifecycle
[Figure: BCM lifecycle diagram. Labels: Project Initiation; Governance and Management; Culture; Business Continuity; Strategy Design; Plan Testing; Solutions Deployment; Execution and Enhancement]
Management Commitment to BCM Program
- Build a business case
- Understand the value
- Establish a BCM program
GTAG Page 7
Conduct a BC Risk Assessment & BC Mitigation
- Assess the impact of disruptive events
- Define BC disruptive (credible) events
- Develop BC risk mitigation strategies
BIA Pre-requisite
Risk Assessment
• Identify potential risks to business
– Disasters, major disruptions, etc.
• Understand likely business impacts
– Loss of people, operations, facilities, IT
– Regional impact on suppliers, infrastructure
• Ensure Risk Mitigation is deployed
– Prevention: safety, maintenance,
redundancies
– Preparation: response, organizational capabilities,
standard processes
BIA Overview
BIA #3: Identifying other
parties and resources
• Identify resources required to perform
process
– Resources that must be obtained to
resume process
• Identify other parties required to
perform process
– Other people who must be available to
provide input and/or perform work
BIA #4: Obtaining Sponsor
and Manager approval
• Review BIA results with
leadership to verify:
– All processes were identified
– RTO and RPO are appropriate
– Critical resources were identified
– Next steps and strategies for
creating recovery solutions
BIA: Business Recovery and
Continuity Strategy
• Identify recovery alternatives
– Manual Work Processes
– Alternative/Outsourcing
– Disaster Recovery for IT
– Alternative Staffing
– Alternative Facilities
BIA Output is the
BCP
• Create BCP at individual team
level that maintains ownership
• Document recovery strategies,
BCP solutions, recovery steps
• Maintain a log of BCP changes
• Link BCP to overall command
structure & Crisis Management
The role of Internal Audit
• Establish a framework
• Add value to the BCP Process
• Proven approaches to conducting
the BCP audit
Maximize IA value in BCP
process.
• Work in a Collaborative Manner with the Client
• Understand BCP and Management Objectives
• Understand the Scope of Business Continuity
• Approach From a Process Perspective, as Opposed to a
Documentation Review
• Focus on the Entire BCM Life-cycle, Ranging from
Standards Assessments Through Plan Testing
• Brainstorm Ideas for Improvement – Engage the
Business Continuity Coordinator