
BCMS APPROACH: Implementing Business Continuity for Organization


BC INSTANCES
Flight EK521 arriving from Trivandrum, India crash-lands in Dubai
282 passengers and 18 crew on board including 24 Britons
One firefighter killed as he fought the blaze
All passengers and crew safely evacuated, no reports of injuries
All departure flights from Dubai International Airport delayed
The 1981 Bangalore circus fire occurred on 8 February 1981 at Venus Circus in Bangalore, India, where more than
92 lives were lost, the majority of them being children. The circus fire had some similarities to the Hartford circus
fire, which occurred on the afternoon of 6 July 1944.
A fire incident in 1983 at Majestic theatre, Bangalore resulted in a stampede, killing many women and children due
to panic.
The explosions at a petroleum storage depot at Buncefield, near London, UK, on 11 December 2005 created the
biggest explosion and the biggest fire in Europe since the Second World War. It destroyed 5% of the UK’s petrol
stocks and impacted 600 businesses – 25 000 employees – though fortunately causing no deaths. Since the depot
supplied London Heathrow airport, it caused havoc to international flight schedules.
ELEMENTS OF BC
Scope
Policy and Objectives
Business Impact Analysis
Risk Assessment
Business continuity strategy/plan
Emergency Response Plan
Critical activity recovery plan
BC Test Plan
SCOPE
Business continuity policy and objectives
Strategic
• No data loss, zero customer impact
• Ensure the welfare of its employees, visitors and contractors at all times
Tactical
• Deliver as per SLA, using a risk based approach
• Conduct a programme of testing and exercising for the business continuity response
Factors to consider
• Location: Bangalore, UK, US
• Environment: Seismic zone, political instability, natural disasters, epidemic
• Health care, E commerce, Hospitality
• Complexity
• Customer Requirements
• Capability, Legal, Statutory, Cost
• Sponsorship
SOME TERMINOLOGIES…
business continuity
capability of the organization to continue delivery of products or
services at acceptable predefined levels following disruptive incident
business continuity management
holistic management process that identifies potential threats to an
organization and the impacts to business operations those threats, if
realized, might cause, and which provides a framework for building
organizational resilience with the capability of an effective response
that safeguards the interests of its key stakeholders, reputation, brand
and value-creating activities
business impact analysis
process of analyzing activities and the effect that a business disruption
might have upon them
[SOURCE: ISO 22300]
BUSINESS CONTINUITY MANAGEMENT
Aim:
Crisis Management
Incident
Urgent need to take rapid decisions
Protecting life and welfare
Building resilience to disruption
Developing the capability for an effective response that safeguards the interests of
its key stakeholders, reputation, brand and value-creating activities.
EMERGENCY RESPONSE TEAM (ERT)
ACTIVITY RECOVERY TEAM (ART)
• List ERT, ART members
• Primary, Secondary staff communication strategies
• Recovery team-roles and responsibilities
• Recovery time and resources required
• Recovery-Short Term, Long Term
RISK ASSESSMENT STRATEGY
Input → Risk Assessment → Output
Threat, Vulnerability, Impact, Likelihood
Control measures, processes
• Identifying the threats
• Identifying vulnerabilities
• Assessing the risks – Likelihood, Impact
• Ranking the risks
• Identifying and evaluating risk control or mitigation options.
BUSINESS IMPACT ANALYSIS (BIA)
Impact to organization for activities not performed
Input → Business Impact Analysis → Output
Input: Criticality, Sensitivity - Assets, Activities, Resources
Output: BC Strategy, Recovery - RTO, RPO
• Acts of nature – e.g. hurricane, flood, etc.
• External man-made events – e.g. terrorism, evacuation, security intrusion, etc.
• Internal unintentional events – e.g. accidental loss of files, computer failure, etc.
• Internal intentional events – e.g. strike, sabotage, data deletion, financial wrong-doing, etc.
• Legal, regulatory, compliance or governance failure, which could be either intentional or unintentional
• Business failure – e.g. caused by inappropriate and unsuccessful business strategies or management.
Leads
• Failure of an individual infrastructure element, including single points of failure
• Longer-term interruption of a critical information flow
• Longer-term interruption of a critical business activity chain or business process
• Local longer-term business interruption
• Complete business interruption

• Identify Functions, Departments
• Time scale for Disruption-1 Hr., 4 Hrs., 1 Day, 1 week etc.
• Interviews, discussions
• Internal, external dependencies
• Resources-Minimum recovery-SLA, Customer requirements
• Normal operating condition, Back up
BUSINESS CONTINUITY STRATEGY (BCS)
[Diagram: BIA, RA, BCS]

allows an appropriate response to be chosen for each product or service, such that the
organization can continue to deliver those products and services:
at an acceptable level of operation; and within an acceptable timeframe
during and following a disruption. The choice made will take account of the resilience and
countermeasure options already present within the organization.

Emergency/Crisis response
• Immediate response-deal with situation
• Safeguard life and property
• Less predictable and planned
• Action with/without plan
• Communicate to next stage on progress
Incident management
• Reduce Damage, Aid recovery
• Communication-Internal, External
Business recovery
• capability to recover business activities before crisis
• restore an acceptable level of service
Critical Activity Recovery Plan
Business continuity Plan
BUSINESS CONTINUITY PLAN (BCP)
BC TESTING
Pretest, Test, Post test, Review

Type of Test: Full desktop simulation of a BC Incident led by Independent consultants ITG.
When: October 2010
Process: Check the effectiveness of the SUBEX ERT response
Participants: ERT teams – UK and Bangalore; Senior Managers; Employees as appropriate
Frequency: Low
Complexity: High

Type of Test: Walkthrough Activity Recovery Plans (UK Facilities Management recovery plan)
When: May 2011
Process: Mon 16th May
Participants: ERT teams – UK and Bangalore; Senior Managers; Employees as appropriate
Frequency: Medium
Complexity: Medium

Type of Test: Desktop Simulation (BD unavailability; GS Bureau unavailability; sub ledger unavailability)
When: May 2011
Process: Wed 18th May
Participants: Project Manager; IT Manager
Frequency: Medium
Complexity: Medium

Type of Test: Desktop Simulation Exercises (External Subex Client support Communications Plan; Remote working Plan)
When: May 2011
Process: Walkthrough Specific Plans
Participants: IT Manager; Project Manager
Frequency: Medium
Complexity: Medium
BC TEST REPORT
Summary
Methodology
• Purpose
• Exercise Deliverables
• Situation
• Facilitator
• Participants
Results
• Observations on the Suitability of Team Member
• Ability to Recover from an Incident
• Documentation Improvements
• Issues Arising
• Recommendations
Appendix A – Event Log
Appendix B – Communications Log
Evaluators’ notes on the exercise (summary)

Watch out for…
The plan should reflect the changing business environment
• People, System changes
• Evaluating threats, Keep it current
RTO, RPO alignment to business, Customer
Adequacy of insurance coverage
Good communication channels
Information continuity Vs Business Continuity
Business Continuity is no longer just about having a plan; it's about proving to examiners that they work
AREAS OF WEAKNESS
Process awareness
Internal Communication
Exercises and training
Vulnerability/risk analysis
Information technology resilience and disaster recovery
Planning
Business continuity.
The solution to the problem is in its history
QUESTIONS
