Workshop by linxiaoqin


With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme.
European Commission - Directorate-General Home Affairs




                 EFFECTIVE BUSINESS
               CONTINUITY MANAGEMENT
        PROJECT: “DEVELOPMENT OF TOOLS NEEDED TO COORDINATE INTER-SEKTORAL POWER AND
     TRANSPORT CIP ACTIVITIES AT A SITUATION OF MULTILATERAL TERRORIST THREAT. INCREASE OF THE
                   CAPACITY OF KEY CIP OBJECTS IN BULGARIA - HOME/2010/CIPS/AG/019”


       WORKSHOP: “Business Continuity Management (BCM) of the Nuclear Power Plant (NPP) System. Modeling and Procedures Development of
                             Advanced System for Security and Water Channel Protection (ASSWCP) of the NPP”
                                                   KOZLODUY NPP, 05 of JUNE, 2012


                                             ASSOCIATE PROFESSOR KIRIL STOICHEV, PhD
Business Continuity Planning Life Cycle




      The Evolution of
Business Continuity Planning




Business Continuity in the 1960’s
Batch Processing
   Mainframe computers began to automate
    routine manual functions
   Excessive downtime could create huge
    processing backlogs
   Regular system backups were critical
   Manual contingency procedures were also
    essential




Business Continuity in the 1970’s
On-line Processing
   Users became connected to the mainframe via
    CRT’s, shortening the processing cycle
   Any downtime could immediately disrupt
    operations
   Manual contingency procedures were becoming
    impractical
   Maintaining ‘high availability’ networks was
    becoming critical




Business Continuity in the 1980’s
Distributed Processing
   Disaster Recovery Planning (DRP) for data
    centers became practical
   But processing began to move out of the
    data centers, onto mid-range computers and
    standalone PC’s
   Distributed processing, and the use of EDI
    (electronic data interchange), shortened
    business cycles further
   Disaster Recovery Planning became more
    complex and more critical




Business Continuity in the 1990’s
The Desk Top Revolution
   The proliferation of networked PC’s
    placed technology on everyone’s
    desk top
   High speed digital networks and the
    internet permitted global
    connectivity
   Tolerance for downtime diminished
    rapidly while vulnerability escalated
   Disaster Recovery Planning evolved
    into Business Continuity Planning




Business Continuity in the 21st Century
e-COMMERCE
   As demonstrated by Y2K, dependence
    upon technology has become absolute
   e-Commerce has created new business
    opportunities and new risks
   The business impact of even minor
    disruptions can be disastrous
   24/7 availability of technology is now
    the accepted norm




Business Continuity in the 21st Century
Heightened Threats
   Since 9/11, everyone knows that now even the
    unimaginable is possible
   SARS outbreaks in China, Hong Kong and
    Canada have raised the spectre of widespread
    employee illness or quarantine
   Major power blackouts in the US and Canada,
    Italy, and elsewhere have demonstrated the
    fragility of critical infrastructures
   The catastrophic tsunami of 2004 and the 2010
    earthquake in Haiti demonstrated the power and
    unpredictability of Mother Nature
   H1N1 caused international concern, and the
    threat of a Flu Pandemic still looms in the future



Business Continuity in the 21st Century
Heightened Expectations
   The catastrophic collapses of Enron,
    Arthur Andersen, Worldcom, etc.
    have resulted in higher standards for
    risk management and executive
    accountability
   Sarbanes-Oxley (SOX), HIPAA,
    Basel II, and a score of other
    regulations have made good
    governance and effective risk
    management a boardroom priority
   As an essential component of risk
    management and good governance,
    BCP can no longer be considered
    optional



Towards a Business Continuity Standard

There are few business continuity standards around the world, mainly because
  business continuity is still considered to be a relatively new concept. Due
  to this gap in the market, the British BS 25999 standard has become very
  popular in the past few years.


However, many of the standards, legislation and regulatory guidance that
  exist around the world make reference to business continuity
  management (BCM), although they do not necessarily use the same
  terminology.




Business Continuity Standards
Some standards that exist are:
•NFPA 1600 – US National Fire Protection Association, developed from
   dealing with fire and looks at business continuity from a denial of access
   perspective
•ISO 17799 – a standard for information security management systems that
   manages and minimizes threats to information
•ISO 22399 – guidelines for incident awareness and operational continuity
   management
•AS/NZS 4360:2004 – shared by Australia/New Zealand, provides risk
   management guidelines
•SPRING TR 19 – Singapore technical reference to BCM, which mainly deals
   with the technical aspects of systems
•The King II report of Corporate Governance – these South African
   guidelines for risk management look at BCM from a governance
   perspective


Business Continuity Standards
BS 25999 and ISO 22301
A standard approach to Business Continuity Management (BCM) has been
   suggested for decades. Prototype draft standards have been published, but
   never really quite gained the momentum to succeed.
This void has therefore been obvious and glaring for a long time. However,
   this landscape finally changed dramatically late in 2006, with the
   publication of the first part of BS 25999, a code of practice for business
   continuity management.
The concept of the standard itself has also been on the table for quite a long
  time. BSI published a draft standard known as PAS56 back in 2003. This
  was largely for public comment: the normal process adopted by BSI as
  part of the development of its major standards. In 2006 a draft version of
  BS25999-1 was published, again for public comment. Eventually, in
  November of that year, the standard was finally born, with a fanfare of
  announcements, conferences and podcasts.



Business Continuity Standards



A similar process followed in November 2007 when the second and final part
   of the standard was published.


ISO 22301
As with so many BSI standards, an ISO standard eventually began to emerge:
   ISO 22301. Although the influence of other standards is clear, the
   foundation is based upon BS25999-2. It is currently under development,
   with expected publication date late in 2011 or early in 2012.




The Business Continuity Profession

[Cartoon caption: “I still think cloning our employees would have worked.”]




The Business Continuity Profession
   Business Continuity has become a recognized professional discipline, with
    its own:
       Certification Bodies
          Disaster Recovery Institute International (DRII.org)
          Business Continuity Institute (TheBCI.org)
          National Inst. for Business Continuity Mgt. (NIBCM.org)


        Trade Journals
           Disaster Recovery Journal (DRJ.com)
           Contingency Planning & Management (ContingencyPlanning.com)
           Continuity Forum (ContinuityForum.com)
           Continuity Insights (ContinuityInsights.com)




The Business Continuity Profession (cont)
   Disaster Recovery Institute International (DRII.org)
      ABCP (Associate Business Continuity Planner)
      CBCP (Certified Business Continuity Professional)
      MBCP (Master Business Continuity Professional)

   Business Continuity Institute (TheBCI.org)
      ABCI (Associate of the Business Continuity Institute)
      MBCI (Member of the Business Continuity Institute)
      FBCI (Fellow of the Business Continuity Institute)

   National Institute for Business Continuity Management (NIBCM.org)
      ACM (Associate Continuity Manager)
      CCM (Certified Continuity Manager)




The Business Continuity Profession (cont)
   Websites of interest:
     ContinuityCentral.com
        Hundreds of free articles
     Disaster-Resource.com
        Free annual print magazine and articles
     DRJ.com - Disaster Recovery Journal
        Wide range of resources and links
        Annual Conferences – San Diego and Orlando

   Email Discussion Lists
        http://finance.groups.yahoo.com/group/continuity/
        http://finance.groups.yahoo.com/group/discussbusinesscontinuity/
        http://finance.groups.yahoo.com/group/bcconsultants/
        http://bcmix.collectivex.com
        http://www.linkedin.com



The Business Continuity Profession (cont)


   Major BCP associations:
   USA – Association of Contingency Planners
          ACP-International.com

   Canada - Disaster Recovery Information Exchange
         DRIE.org

   Caribbean – Caribbean Association of Business Continuity Professionals
          CABCP.com




The Business Continuity Profession (cont)
Conferences and Trade Journals
   Disaster Recovery Journal (DRJ.com)
      Wide range of resources and links
      Free, quarterly print magazine
      Semi-annual Conferences – San Diego and Orlando


   Contingency Planning & Management (ContingencyPlanning.com)
      CPM East and CPM West



   Continuity Insights (ContinuityInsights.com)
        Continuity Insights Management Conference




Business Continuity Planning Life Cycle




What is a Business Continuity Plan?

[Figure labels: Your Organization; Business Continuity Plan; Strategy Overviews; Requirements; Team Members; Off-site Materials; Activity Lists; Activity Details]




What is a Business Continuity Plan?

   At a high level, a Business Continuity Plan is a combination of:
      defined strategies and detailed procedures for system recovery
      defined strategies and detailed procedures for business resumption
      a formal team structure for executing the applicable procedures
        and managing the crisis
      all advance arrangements required to support the above




What is a Business Continuity Plan?

   At a detailed level, a Business Continuity Plan is:
        a documented series of activities (Business Resumption Plan) that
         may need to be performed by designated teams to recover systems
         and/or resume critical business functions following a disruptive
         incident




What should the detailed plans contain?
   Each Team’s plan should contain:
      Strategy overview for each incident type (or ‘disaster scenario’)
      List of minimum recovery requirements
      Team membership and contact info.
      Off-site materials list and other supporting documentation
      Activity lists (organized by phase and scenario)
      Activity details

[Figure labels: Your Organization; Business Continuity Plan; Strategy Overviews; Recovery Requirements; Team Members; Off-site Materials; Activity Lists; Activity Details]




What is an Activity?

   An activity is the ‘Operating Unit’ of the plan
   Each activity describes:
      What has to be done
      How it can be done
      Who can do it
      What is needed to do it
      Where it can be performed from
      When it can start
      How long it should last
      When it should end


   Each activity represents a logical, self-contained unit of work that
    may need to be performed by a single team for a given scenario




What is a Phase?


A phase is a grouping of activities used to provide a logical structure for each team’s plan

Each phase represents a critical stage in the Operations Resumption plan

There are typically five phases




Phase 1 – Initial Response & Assessment


Take any immediate actions warranted by the event

Assess the impact of the event on operations

[Figure: phase stack, showing 1. Initial Response & Assessment]




Phase 2 – Interim Contingency Measures


Implement short term measures to limit the impact of the event

Such as transferring work to staff at another location, or having key staff work from home

[Figure: phase stack, showing 1. Initial Response & Assessment and 2. Interim Contingency Measures]




Phase 3 – Resource Provisioning


Provide the minimum resources needed to resume operations at an alternate location

Such as desks, phones, PC’s, printers, servers, system connectivity, electronic data, etc.

[Figure: phase stack, showing 1. Initial Response & Assessment, 2. Interim Contingency Measures and 3. Resource Provisioning]




Phase 4 – Operations Resumption


Resume an acceptable level of operations at the alternate location

May require relocation of staff, recreation of lost data, processing of backlog, etc.

[Figure: phase stack, showing 1. Initial Response & Assessment, 2. Interim Contingency Measures, 3. Resource Provisioning and 4. Operations Resumption]




Phase 5 – Return to Normal


Complete all actions required to resolve the event

Transfer staff back to original location and resume normal operations

[Figure: phase stack, showing 1. Initial Response & Assessment, 2. Interim Contingency Measures, 3. Resource Provisioning, 4. Operations Resumption and 5. Return To Normal]




Phases of an Operations Resumption Plan



[Figure: phase stack, showing 1. Initial Response & Assessment, 2. Interim Contingency Measures and 5. Return To Normal]

Note: Depending upon the nature and duration of the event, some or all of the
departments may be able to return to normal without executing phases 3 & 4




The Keys to Success


   Plan development is not rocket science, but …
     – every department must follow a consistent methodology to ensure
       the plans will work, and work together, when required
     – plans must be documented in sufficient detail that they may be
       executed even in the absence of the primary expert
     – standard formats and terminology must be used to avoid
       misinterpretation and facilitate maintenance

   The use of templates or software tools alone will not ensure these
    goals are met




The Keys to Success (cont)



The keys to successful plan development are:

        Commitment from all departments


        Selection of the right people to develop each team’s plan


        Practical training of those people in the plan development
        process




BCP Definition
   “BCP,” or Business Continuity Planning, is an effort within a company to
    ensure that Critical Business Functions continue to be performed during a
    wide range of emergencies, including localized acts of nature, accidents,
    and technological or attack-related emergencies (the terms Business
    Continuity Planning and Business Continuity Management are generally
    used interchangeably)




Business Continuity
BCP is defined as the activities of…

 individual companies and their business units…

 that ensure their critical business functions are performed…

 from primary or alternate operating sites…

 during any emergency or situation that may disrupt normal business
  operations.




The Purpose of a Business Continuity Plan
When a company is faced with a continuity event, the BCP will:
   Provide for continuation of critical business functions
   Enable a rapid response to any emergency situation


 BCP is different from ordinary emergency plans.
 It goes a step further to ensure delivery of the most critical services even
  when personnel, equipment and resources are missing or not working.




BCP Overview: Planning Considerations
BCP plans must:
   Be capable of implementation anytime, with and without warning.
   Provide full operational capability for critical business functions not later
    than 12 hours after activation, often sooner.
   Be capable of sustaining operations for up to 30 days or longer.
   Include regularly scheduled Testing and Training.




Initiate the BCP Process
   The BCP Process starts with leadership’s serious consideration, then
    support, of the idea.




Perform Risk Analysis/Capabilities Survey
   First, look at the types of hazards your company might face .... Floods,
    fires, severe weather, computer virus attacks, sabotage, pandemic?
   What are the likely results of those kinds of events?
     Power outages?
     Computer failures?
     Radio or telephone systems failures?
     Personnel who can’t reach key facilities?




Identify Critical Business Functions
   This is the hardest part of the process. Not every business service you provide
    will be needed in certain emergencies. Your critical functions become the
    core of the plan. What you do from here on will support those critical
    functions…..


   Critical functions are the nuts and bolts of the BCP Plan
   They form the basis for determining resource requirements:
      Staff
      Vital information/critical systems
      Equipment
      Supplies and services
      Facilities




BCP Plan Development, Review, and Approval
   Identify work sites and plans that may have to change in an emergency
   Look at who will do what, and when those things will be done
   Develop procedures to use to make sure the plan works.
   Discuss how to protect vital information and property
   Decide who is responsible for what, and when they will be given authority
    to make decisions
   Create plans to provide backup support, called succession plans




Train Personnel
   Check the knowledge, skills and abilities of all personnel
   Provide training so everyone is sure they are ready for emergencies
   Train on procedures for emergencies that occur with warning, and
    without warning
                         Training is a key to being ready




Test the Plan
How ready are you?
   Test the equipment
   Exercise abilities to see if we can do what we said we could do
   Carry out drills to make sure that every individual, in all areas, is sure of
    personal capabilities and personal responsibilities in the event of an
    emergency




Keep the Plan Up-To-Date
   Conduct drills
   Evaluate drills
   Drills and evaluations will aid us in developing improvement plans and
    help us change our plan to make it better


All of this keeps your plan up-to-date and flexible to change, realizing that you
    are only as good as your next opportunity to show it




Plans and Procedures
BCP plans must:
   Be effective with and without warning.
   Take an all-hazard approach.
   Include alternate facilities.
   Have critical business functions operational within an acceptable amount
    of time.
   Be able to sustain operations for an extended timeframe.




What Happens During a BCP event?
During normal duty hours—
 Emergency Relocation Group (ERG) personnel will depart to their
  designated alternate sites
 Non-ERG personnel will be directed to proceed to their homes or to other
  facilities to await further guidance

After normal duty hours—
 Information on BCP activation will be communicated through:
     News media announcements
     Management chain and phone trees
     Email
     Radio
     Company website




Why do BCP?
   Disaster can strike without warning.
   Planning what to do in advance is an
    important part of being prepared.
   BCP planning means you might need to do
    fewer things.
   It means you might do things at a new
    location.
   It means you might do things with
    different personnel.
   What you get in the end is a real plan for
    keeping your people safe, your company
    still working and your recovery safe and
    effective as you resume normal operations.




Benefits of BCP Planning
     Reduce or mitigate disruptions that would have previously forced
      closures and the delay of client services.
     Ensure the provision of alternate facilities.




12 Steps to Developing an Effective BCP Plan

•Initiating the Program
•Risk Assessment
•Business Impact Analysis
•Continuity Strategy Selection
•Computer Recovery Plan Development
•Establish BCP Teams
•Develop Crisis Management Framework
•Business Resumption Plan Development
•Testing and Exercising
•Maintenance and Evaluation
•Awareness and Training
•Program Management




Developing an Effective BCP Plan

  Effective BCP Planning is a suite of processes followed to ensure that a
  company does not experience unacceptable interruptions in any of its
  critical functions - no matter what!




Developing an Effective BCP Plan
                      Initiating the Program



                 Initiate an on-going program:
                 •Appoint BCP Program Manager
                 •Select BCP Planning Team
                 •Identify resources required
                 •Establish objectives and milestones
                 •Determine procedures for information gathering and
                 decision-making




Developing an Effective BCP Plan
                      Risk Assessment

               Assess potential for interruption of
               operations due to:
               •Loss of facilities
               •Loss of computer systems
               •Loss of data
               •Loss of communications
               •Loss of key personnel, etc.




Developing an Effective BCP Plan
                      Business Impact Analysis

                  Identify time-dependent impacts of
                  business interruption, such as:
                  •Loss of revenue
                  •Loss of market share
                  •Loss of reputation
                  •Loss of productivity
                  •Regulatory non-compliance, etc.




Developing an Effective BCP Plan
                      Continuity Strategy Selection

                    Select and implement
                    appropriate strategies for:
                    •Reducing risks
                    •Mitigating impacts
                    •Recovering systems and data
                    •Resuming operations




Developing an Effective BCP Plan
                      Computer Recovery Plan Development

                  Develop plans for recovering critical
                  computer systems, which address:
                  •Alternate data center facilities
                  •Computer hardware replacement
                  •Software and data recovery
                  •System connectivity
                  •Physical and logical security, etc.




Developing an Effective BCP Plan
                      Establish BCP Teams

                Establish a BCP Team structure consisting
                of:
                •Crisis Management Team
                •Response Teams
                •Business Unit Teams
                •IT Teams
                •Support Teams




Developing an Effective BCP Plan
                      Develop Crisis Management Framework

                  Develop a framework for managing
                  an incident, including:
                  • Emergency response procedures
                  • Communication procedures
                  • Decision-making criteria
                  • Management succession
                  • HR policies, etc.



Developing an Effective BCP Plan
                      Business Resumption Plan Development

                  Develop detailed plans for resuming critical
                  functions, which include:
                  • Resource requirements definition
                  • Team member contact information
                  • Activity lists
                  • Detailed activity documentation
                  • Off-site materials list, etc.




                                                                                      60
Developing an Effective BCP Plan
                            Initiating the Program

[Process diagram: Risk Assessment; Business Impact Analysis; Continuity Strategy Selection; Computer Recovery Plan Development; Establish BCP Teams; Develop Crisis Management Framework; Business Resumption Plan Development; Testing and Exercising]

Testing and Exercising

   Establish processes for testing plans and exercising teams such as:
   • Desk checks, peer reviews
   • Structured walkthroughs
   • Call tree tests, operational tests
   • Table top and simulation exercises
   • Operational exercises
   • Drills, mock disasters




                                                                                     61
Developing an Effective BCP Plan
                                   Initiating the Program




[Process diagram: Risk Assessment; Business Impact Analysis; Continuity Strategy Selection; Computer Recovery Plan Development; Establish BCP Teams; Develop Crisis Management Framework; Business Resumption Plan Development; Testing and Exercising; Maintenance and Evaluation]

Maintenance and Evaluation

   Establish on-going processes for:
   • Updating plan contents
   • Distributing plan updates
   • Controlling plan access
   • Evaluating plan effectiveness
   • Auditing BCP processes
   • Maintaining contracts, etc.




                                                                                      62
Developing an Effective BCP Plan
                            Initiating the Program



[Process diagram: Risk Assessment; Business Impact Analysis; Continuity Strategy Selection; Computer Recovery Plan Development; Establish BCP Teams; Develop Crisis Management Framework; Business Resumption Plan Development; Testing and Exercising; Maintenance and Evaluation; Awareness and Training]

Awareness and Training

   Establish an on-going program for:
   • Training BCP planners and BCP Team members
   • Maintaining employee and management awareness




                                                                             63
Developing an Effective BCP Plan
                            Initiating the Program



[Process diagram: Risk Assessment; Business Impact Analysis; Continuity Strategy Selection; Computer Recovery Plan Development; Establish BCP Teams; Develop Crisis Management Framework; Business Resumption Plan Development; Testing and Exercising; Maintenance and Evaluation; Awareness and Training; Program Management]

Program Management

   Establish a permanent framework for managing the on-going program:
   • Issue policies and standards
   • Assign accountability
   • Create a steering committee
   • Set annual budgets and objectives
   • Monitor and enforce compliance




                                                                              64
Summary
   • BCP Planning is not just a one-time event
   • It is only one aspect of an on-going program to manage risk and maintain a
     company’s ability to withstand potentially disastrous incidents
   • As such, it requires:
      - permanent management commitment,
      - the assignment of accountability,
      - establishment of an annual budget,
      - the provision of adequate resources, and
      - executive management support.




                                                                             65
          THANK YOU VERY MUCH FOR
             YOUR ATTENTION!




INSTITUTE OF METAL SCIENCE, EQUIPMENT AND TECHNOLOGIES WITH HYDROAERODYNAMICS CENTRE
     BULGARIA, SOFIA, 1574, 67, SHIPCHENSKI PROHOD blvd., TEL.: + 359 2 46 26 200, FAX: + 359 2 46 26 300

								