
Business Continuity Management

Global Technology Audit Guide


GTAG® 10

www.theiia.org
Objectives
• How can business continuity planning minimize business disruptions?
• The components of an effective business continuity plan.
• How can a business impact analysis help identify which operations need to be recovered first following a business disruption?
• Ways to maximize internal audit’s value in business continuity management audit and governance.

BCM Basics
• Definition – NFPA 1600/ANZ 1600 (National Preparedness Standard for US and Canada)
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

Can BCP Minimize Business Disruptions?
• It should, IF… your plan, when executed, will deliver the expected results.

What Key Ingredients Are Necessary to Ensure I Have an Effective Plan?

1. Enterprise Priority
2. Support for the Cause
3. Someone to Drive
4. Materials, Labor, and a Blueprint
5. Certification
6. Maintenance

Key Challenges
• Getting executive and stakeholder support
• Funding
• Getting all stakeholders to agree on risks and impacts
• Getting the business to participate and deliver on time
• Performing sufficient testing
• Keeping the plan maintained

BCP Components
• Two ways to consider BCP components:
– Separate but related disciplines
– BCP process/lifecycle
• Both aspects are good and complementary

Related Disciplines
• Emergency Response
• Crisis Management and Communications
• Resumption of Business Functions

BCM Lifecycle
(Figure: the continuity life cycle, with Governance and Culture at its centre, made up of the following stages)
• Project Initiation and Management
• Risk Assessment
• Business Impact Analysis
• Business Continuity Strategy Design
• Business Continuity Solutions Deployment
• Plan Testing, Execution and Enhancement
• Training & Awareness Programs
• Compliance Monitoring & Auditing

Management Commitment to BCM Program
- Build a business case
- Understand the value
- Establish a BCM program
(GTAG, page 7)

Conduct a BC Risk Assessment & BC Mitigation
- Assess the impact of disruptive events
- Define BC disruptive (credible) events
- Develop BC risk mitigation strategies

Conduct a Business Impact Analysis (BIA)
- Identify business processes & define critical processes
- Define RTO and RPO for processes, resources, etc.
- Identify other parties and physical resources for recovery

Define Business Recovery and Continuity Strategies
- Define staffing alternatives needed for recovery
- Define alternative sourcing of critical functions
- Define alternative offices needed for recovery
- Plan to transition back to normal operations

Establish Disaster Recovery for IT
- Understand business recovery requirements
- Select recovery solutions and recovery sites

Deploy, Verify, and Maintain BCM Program Capabilities
- Deploy BCM program awareness and training
- Maintain the BCM program and BC plans
- Exercise business continuity capabilities
- Establish crisis communications and align with crisis management
- Align with emergency response and external agencies coordination

BIA Prerequisite: Risk Assessment
• Identify potential risks to the business
– Disasters, major disruptions, etc.
• Understand likely business impacts
– Loss of people, operations, facilities, IT
– Regional impact on suppliers, infrastructure
• Ensure risk mitigation is deployed
– Prevention: safety, maintenance, redundancies
– Preparation: response, organizational capabilities, standard processes

BIA Overview
1. Identifying business processes
2. Determining RTO and RPO based on business impact
3. Identifying the other parties and physical resources
4. Obtaining sponsor and manager approval of the BIA

BIA #1: Identifying Business Processes
• Subject matter experts participate
• Identify major work processes
• Combine work processes when they share the same staff, resources, suppliers
• Separate work processes when they have different priorities

BIA #2: Determining RTO and RPO
• Understand type of impact
– Health/safety, environmental, customer, financial, regulatory/legal, reputational
• Identify likely consequences of different recovery times (RTO)
• Understand consequences of data loss (RPO)
• Discuss likely costs of each RTO and RPO
• Select RTO and RPO based on business impact and costs

BIA #3: Identifying Other Parties and Resources
• Identify resources required to perform the process
– Resources that must be obtained to resume the process
• Identify other parties required to perform the process
– Other people who must be available to provide input and/or perform work

BIA #4: Obtaining Sponsor and Manager Approval
• Review BIA results with leadership to verify:
– All processes were identified
– RTO and RPO are appropriate
– Critical resources were identified
– Next steps and strategies for creating recovery solutions

BIA: Business Recovery and Continuity Strategy
• Identify recovery alternatives
– Manual work processes
– Alternative/outsourcing
– Disaster recovery for IT
– Alternative staffing
– Alternative facilities

BIA Output Is the BCP
• Create the BCP at the individual team level to maintain ownership
• Document recovery strategies, BCP solutions, recovery steps
• Maintain a log of BCP changes
• Link the BCP to the overall command structure & crisis management

The Role of Internal Audit
• Establish a framework
• Add value to the BCP process
• Proven approaches to conducting the BCP audit

Maximize IA Value in the BCP Process
• Work in a collaborative manner with the client
• Understand BCP and management objectives
• Understand the scope of business continuity
• Approach from a process perspective, as opposed to a documentation review
• Focus on the entire BCM life cycle, ranging from standards assessments through plan testing
• Brainstorm ideas for improvement – engage the Business Continuity Coordinator
