CBCP Business Continuity Management Expert Training Materials - Area 8 Slides.ppt

Uploader (seller): 晟晟文业  Document ID: 3911979  Upload date: 2022-10-24  Format: PPT  Pages: 77  Size: 441.57KB

Business Continuity Management Course for Advanced Professionals
Introduction

Subject Area 8: Maintaining & Exercising Business Continuity Plans

Lesson Overview
- Elements of a testing & exercise program
- Types of tests and exercises
- BCM program maintenance
- The plan review and audit methodology
- Maintaining the plan
- Change factors
- Plan document control procedures
- BCM program maintenance

Professional Practices for Business Continuity Professionals
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining & Exercising Business Continuity Plans
9. Crisis Communications
10. Coordination with External Agencies

Objectives
- Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization's strategic direction. Verify that the Plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

The Professional's Role (1/2)
1. Pre-plan and Coordinate the Exercises
2. Facilitate the Exercises
3. Evaluate and Document the Exercise Results
4. Update the Plan

The Professional's Role (2/2)
1. Report Results/Evaluation to Management
2. Coordinate Ongoing Plan Maintenance
3. Assist in Establishing Audit Program for the Business Continuity Plan

The Planning Process
[Diagram labels: Risk Assessment & Analysis, Plan Development, Project Planning, Strategy Development, Business Impact Analysis, Awareness & Training, Testing & Exercising]
Objective
- Subject the plan to tests and exercises to ensure that it is operational
Some key tasks
- Establish objectives, scope and types of tests & exercises
- Conduct the tests & exercises
Some key deliverables
- Post-test/exercise results, evaluations, & reports
- Plan revisions

"The safety policy and procedures were in place: the practice was deficient."
Extract from Lord Cullen's report into the Piper Alpha disaster
http://news.bbc.co.uk/1/hi/uk/127335.stm

Definitions
Testing
- Equipment
- Technologies
- Durable goods
  - Server
  - UPS device
  - Generator
  - Telecommunications
Exercising
- People
  - Evacuation procedures
  - Call trees
  - Familiarity with alternate locations
  - Interim procedures
  - Manual processes
Self Assessment

Testing & Exercising Goal
"The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn't."

Benefits of Testing & Exercising
- Assesses viability of plan
- Practice procedures before disaster
- Satisfies legal and internal audit requirements
- Identifies areas that need modification
- Enables BCM program to remain active, up-to-date, understood, and usable
- Demonstrates the ability to recover
- Provides a mechanism for maintaining and updating the plan

Benefits of Testing & Exercising
I hear. I forget.
I see. I remember.
I do. I understand.
Chinese Proverb

Commitment & Motivation
- Senior management needs to understand
  - An untested/unexercised plan is unlikely to succeed in an actual disaster situation
  - Program maintenance and plan review, updating and exercising is an integral part of the plan development and implementation process
  - An untested/unexercised plan could, in an actual disruption, be dangerous
- Senior management should support program by
  - Reading reports
  - Providing direction
  - Allocating resources

Testing & Exercising Methodology
- The plans are tested to the fullest extent possible
- The costs are not prohibitive
- Service disruptions are minimal
- The results provide a high degree of assurance in recovery capability
- Evaluation provides quality input to plan review and updates

Test & Exercise Program Design
- Use the scenario to design emergency situations that:
  - Promote preparedness
  - Improve response capability
  - Validate plans, policies, procedures, and systems
  - Determine effectiveness of command, control, and communication functions

Test & Exercise Prioritization
- Phased approach to exercising
  - Start simple
  - Build upon mastery
  - Add complexity
  - Target a comprehensive exercise

Test & Exercise Prioritization
- Functional area criticality
  - Those with roles & responsibilities in plan
- Early participants can serve as valuable role models & advocates to other participants
- Managers who are "On the fence"

Testing/Exercising as part of Plan Life Cycle
[Figure: extent of test/exercise, from "Minor elements tested" to "Full capability exercised", across the stages "During plan design", "Plan issued", "Plan being maintained"]

Types of Tests
- Quarterly evaluations of alert and notification procedures and systems
- Evaluate the ability to access current vital records, systems, and data management software and equipment
- Evaluate the logical support, services, and infrastructure
- Evaluate communications

Types of Tests
- Static
  - Essential components in place
- Dynamic
  - Equipment satisfies operational requirements
- Functional
  - Procedures for operating equipment are correct

How would you design a test to cover the different levels and functions?
[Diagram labels: Accounts, Email, CRM, Web server for sales, Application, Database, System & Network, Hardware]

"This has been a test. In the event of an actual emergency, I'm outta here!"

Types of Exercises
- Scheduled or surprise
- Plan review
- Tabletop/desktop
- Walk through/hands-on
- Modular/component
- Functional/LOB
- Simulation/mock
- Comprehensive/full-scale

Exercise Best Practices
- Exercise public/private partnerships
  - Emergency evacuations
  - Shelter-in-place
  - Hazardous materials drills
  - Community Emergency Response Teams (CERT)

Exercise Best Practices
- Use real-life situations to test emergency procedures
  - Emergency Situation

Testing & Exercise Program
[Diagram labels: Business Continuity Plan, Testing/Exercise Program, Comprehensive, Plan Review, Tabletop, Functional, Modular, Walkthrough, Simulation, Self-Assessment]

Confidentiality
- Establish ground rules to address confidentiality
- Ensure that confidential test data is protected after exercise

Test/Exercise Frequency
- At least annually or as significant changes occur
- Should be ongoing and increase in complexity
- Document and budget BCM testing & exercising as an ongoing, multi-year program

Define Test & Exercise Requirements
- Objectives and levels of success
- Identify types of tests & exercises
- Establish and document scope
- Provide a schedule
- Logistics and pre-planning components
- Plan and reporting structure

Planning Test & Exercise Objectives
- To see if plan can be executed
- To familiarize participants with plan
- To demonstrate plan is accurate and complete
- To validate plan's assumptions
- To confirm that the plan will help to recover the organization

Planning & Coordinating Exercises
- Determine scope of exercise
  - What will be exercised?
    - Elements of the worst-case scenario
  - Who will be involved?
    - Those with plan roles and responsibilities
  - When will exercise occur and under what timeframe?
  - Why will exercise occur?
  - Where will the exercise occur?

Facilitating Tests & Exercise
- Facilitation during tests & exercises
- Personnel
- Materials
- Procedures in the test/exercise should be consistent with those required in an actual event

Evaluating Test/Exercise & Results
- BC planning team and audit department might work together to evaluate a test or exercise
- Observation or qualitative method
- Documentation or quantitative method
  - Use quantifiable criteria
  - Compare timelines from previous exercises
  - Benchmark comparisons
  - Measurable objectives
  - Incident logs
  - Legal, contractual, or regulatory requirements
- Provide feedback on results to participants

Documenting Test/Exercise Results
- Part of the permanent record of the organization
  - Demonstrate due diligence
  - Prudent business practices
  - Chronicle the organizational BCM program commitment over time
  - Materials and reports generated during test/exercise
  - Action items and issues logs
  - Plan updates and changes
  - Lessons learned
  - Next steps

Analyzing Results
- Use the forms provided
- Compare expected performance to actual results
- Compare exercise to prior tests/exercises
- Reference key recovery documents
  - BIA
- Analyze information gathered

Analyzing Results
- Analyze and compare recovery times
- Validate that procedures are documented and up to date
- Validate specific aspects of organization's BCM program
- Is key scenario still valid?
- Is overall recovery possible?
Puzzle

Professional Practices for Business Continuity Professionals
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining & Exercising Business Continuity Plans
9. Crisis Communications
10. Coordination with External Agencies

The Planning Process
[Diagram labels: Risk Assessment & Analysis, Plan Development, Project Planning, Strategy Development, Business Impact Analysis, Awareness & Training, Testing & Exercising, BCM Plan Maintenance & Updating]
Objective
- Update the Plan(s) constantly to reflect changed conditions in the organization
Some key tasks
- Perform periodic review and update at least annually
- Update when there are changes to the organization
Some key deliverables
- A current and actionable plan
- A change management process

BCM Maintenance Activities
[Diagram labels: Exercise, Plan Review & Updates, Training, Awareness, Technology, Program, Business, Project]

Maintenance Objective
- To evaluate consistency within the plan, between the plan and other aspects of the overall program, and between the plans and the current characteristics of the organization

Why Conduct a Plan Review and Audit?
- Organize, manage, and coordinate effects of change
- Establish standards to incorporate change on routine schedule
- Reduce negotiations on Who/How/When/Why/Where maintenance is done
- Clarify effects of change on interdependent recovery functions

Plan Review & Audit Methodology
- Create goals & methods for conducting review
  - Specific, measurable statements that elicit conclusions about whether the plan satisfies the objective(s)
  - Should define how the team will go about collecting the necessary information

Plan Review & Audit Methodology
- Critique organization and plan's internal consistency to determine usability
- Does the plan incorporate RTO?
- Gain an understanding of functional requirements
  - Check internal documents
  - Review of service agreements

Plan Review & Audit Methodology
- Addresses consistency
  - Within plan
  - Between plan and BCM program
  - Between plan and current characteristics of the organization
    - Structure
    - Business processes
    - Outsourcing relationships

Plan Review & Audit Methodology
- Audits
  - Business continuity planner responsibilities
    1. Assist auditor
  - Auditor responsibilities
    1. Set audit objectives and scope
    2. Assess and select audit method
    3. Audit administrative aspects of the BCM program
    4. Audit plan structure, content, and action sections
    5. Audit plan documentation control procedures

Plan Review & Audit Methodology
- A plan review should involve
  - Key staff of that plan
  - Participants becoming familiar with the plan document
  - Participants validate that the plan represents strategies and objectives
  - Participants revealing gaps, oversights, and mistakes

Plan Review & Audit Methodology
- Should address (minimum)
  - Personnel and assigned recovery tasks
  - Personnel and contact numbers
  - Text (recovery procedure) changes
  - Back-up process and what is included
  - Periodic reviews with known deadlines
  - Where input can be made to review process

Goals
- Efficient or effective?
  - Is your goal to be efficient? Maintaining the plan by doing the job on time and as expected
  - Is your goal to be effective? Doing the right thing vs. doing the job right
- Be careful not to make changes that invalidate senior management and business unit approvals!

Objectives
- Does your plan measure up?
  - Is it accurate, thorough, and complete?
  - Is it logical and make suitable assumptions?
  - Does it support the resumption of necessary information systems and business processes within appropriate timeframes?
  - Are management, personnel, and other stakeholders capable of executing plan?

Audit Objectives
- Is the structure of plan correct?
- Is plan and supporting documentation valid?
- Do the assumptions and scope match the contents?
- Is the team structure and members current?
- Are the roles, responsibilities, and tasks current and executable?
- Is the plan integrated and does it support any dependent plans and the overall organizational objectives?

Maintenance Responsibilities
- Who should review plan?
  - Business continuity staff
  - Auditors
  - Plan owners/dept. chair
  - Teams
  - Senior management
  - Other

Maintenance Responsibilities
- Examples
  - BCM planner directs and controls plan maintenance
  - Team members are responsible for team sections
  - Department heads are responsible for detail relating to their department
  - BoD and senior management review and approve plan
  - Internal audit examines plan to determine if it satisfies recovery objectives of organization, is accurate, and up-to-date
Self Assessment

Maintenance Schedule
- Develop plan maintenance schedule
  - Scheduled
    - Time-driven
    - Scheduled at decided time intervals at least annually
  - Unscheduled
    - Event-driven
    - Result of major changes to organization
      - Personnel
      - Changes to team member responsibilities
      - Equipment

Maintaining Plans
- Maintain the plan
  - Select tools
  - Monitor activities
  - Establish update process
  - Audit and control

Sources of Change Information
- Exercise results
- Organization directives, announcements, internal messages, strategic business meetings
- Regularly scheduled meetings with recovery team leaders
- Change management meetings

Change Factors
- Change in
  - Procedure
  - Organizational structure
  - Personnel
  - Physical
  - Technology
  - Recovery requirements
  - Testing issues

Change Factors
- Tracking changes helps to
  - Carry out more effective reviews
  - Hold more effective exercises
  - Point to areas of plan that need closer attention
  - Develop scenarios for exercises

Documenting Review
- Document how review is carried out
- What issues are encountered
- Conclusions reached
- Review after plan is revised
- Evaluate all versions of the plan
- Participation of individuals not on testing team

Plan Component and Impact of Changes

| Change | Strategies | Recovery Instructions | Relocation Instructions | Required Resources |
| Add/delete a business function or new line of business | Medium | High | Medium | Medium |
| Add/delete applications | Low | High | Medium | Medium |
| Add/lose/change key staff | Low | Low | Medium | High |
| Change to the business functions recovery time objectives (RTOs) or recovery point objectives (RPOs) | High | High | High | Medium |
| Change of the business functions back-up strategies or the back-up/recovery technology | Low | Medium | Medium | Medium |

Plan Component and Impact of Changes

| Change | Plan1 | Plan2 | Plan3 | Plan4 |
| Add/delete a business function or new line of business | High | Low | High | Medium |
| Add/delete applications | Medium | Medium | Low | High |
| Add/lose/change key staff | Low | High | Medium | Low |
| Change to the business functions recovery time objectives (RTOs) or recovery point objectives (RPOs) | Medium | High | Medium | Low |
| Change of the business functions back-up strategies or the back-up/recovery technology | Medium | Low | High | Medium |

Plan Maintenance Log
Business Continuity Plan

| Maintenance Date | Section Number | Procedure Number | Reason for Update | Comments | Approved By |

Program Change & Impact
- Executive sponsor
  - Recognize and communicate organizational changes
- Steering Committee
  - Communicate between tea
