business continuity management : reducing operational risk dhiraj lal country manager, bcmi india
DESCRIPTION
Business Continuity Management : Reducing Operational Risk DHIRAJ LAL Country Manager, BCMI India Risk and Compliance Annual Summit 2007 Mumbai - March 9, 2007. Introduction to Dhiraj Lal. Professional Certifications Certified Business Continuity Professional (CBCP) - PowerPoint PPT PresentationTRANSCRIPT
Business Continuity Management : Reducing Operational Risk
DHIRAJ LAL
Country Manager, BCMI India
Risk and Compliance Annual Summit 2007
Mumbai - March 9, 2007
Introduction to Dhiraj Lal
Professional Certifications – Certified Business Continuity Professional
(CBCP)– Certified Information Security Auditor (CISA)– ITIL Foundation Certified– Certified Six Sigma Green Belt
• Prior Corporate Appointments– Agilent Technologies International – American Express– Citibank NA– Standard Chartered Bank
BCMI Objectives
Promote awareness in disaster recovery planning and business continuity management
– Deliver Courses & Exams– Organizing Conferences & Seminar Events– Publishing Technical & Research Papers
To be Asia’s premier professional service provider of training for Business Continuity and Disaster Recovery practitioners.
To create a common body of knowledge for business continuity and disaster recovery professionals in Asia.
BCM and Operational Risk
“Business Continuity planning is a key pre-requisite for minimising the adverse effects of one of the important areas of operational risk – business disruption and system failures…It is imperative that all banks have BCP's in place to be in readiness to tackle serious business disruptions”
Source - RBI Circular Ref.RBI/2004-05/420 dated April 15, 2005 entitled “Operational Risk Management - Business Continuity Planning”
What is Business Continuity?
A holistic management and governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance and assurance
BCM vs. DR….
The term “Disaster Recovery” usually refers to the technology recovery effort. Disaster Recovery is a component of the Business Continuity Management Program.
Other than restoration of Technology, Business Continuity also requires the presence of people who perform critical functions, and the restoration of critical infrastructure and processes to ensure minimum assured level of service
Why BCM - Regulations and standards
• RBI mandate to banks• IBA Working Group - Guideline Notes on Business
Continuity & Disaster Recovery Plan• SEBI Circular to Mutual Fund Industry • Basel II regulations – 7 Principles for Business
Continuity• BS25999 – First globally acceptable standard for
Business Continuity
Learn from others’ mistakes• Around 40% of businesses experiencing a
disaster never re-open, and almost 30% of those that do close within 2 years
• Of around 930 companies in the WTC towers on Sept 11, over 550 had failed 18 months later
• Companies can lose 75% of their business after a disaster
• Businesses can be destroyed by the loss of a critical resource for more than 10 days
• Would loss of e-mail access for even one day significantly damage your business ?
Why BCM - Survival
• Loss of Business and Revenues• Embarrassment and non-value add• Fines and penalties• “Non-professional” image• Question mark on your reliability and judgement• Customer and employee attrition • Gradual erosion of market share• Eventual closure of Business
Myths
• It will never happen to me
• Things have been fine so far
• We are covered by insurance
• The risk is negligible
• Our customers will understand
• These things are OK in India
• We will manage
RealityReality
• For a listed company, a critical incident can be expected once every 2.4 years
• 88% experience ‘disaster’ on non contract systems or in unplanned areas
• 43% stated that it took them 2 months or longer to recover fully from the event
• 82% substantially upgrade their ‘capability’ after an event
• An effective Business Continuity Plan can reduce the total loss by 90% +
Wake-up calls
• Cloudbursts, Flooding in Mumbai and Chennai• Strikes & bandhs in Bangalore and Kolkatta,
transportation bottlenecks• Sealing drive in Delhi• Mumbai train bombings, Terrorism• AIDS time-bomb, Dengue• Internet based Viruses or worms/Denial-of-Service• Data issues – privacy, inappropriate backup,
corruption, accidental or malicious deletion• People issues – lack of backup, lack of training,
absence, attrition, malicious conduct
BCP – per IBA Working Committee
“…IT infrastructure, Power and Communication networks in some of the banks were severely damaged and the customer services in the banks were greatly affected. Even the physical records and documents were damaged….
To protect the critical infrastructure in the banks
from natural and man made disasters/events and to ensure business continuity of the branches, it is necessary that a Business Continuity Plan is in place which identifies the course of action in case of such eventualities”
RBI Expectations
• Responsibility in respect of BCP rests with the Board of directors and the top management.
• The Board fulfils its responsibilities by approving policy on BCP, prioritizing critical business functions, allocating sufficient resources, reviewing BCP test results and ensuring maintenance and periodic updation of BCP.
• The top management should annually review the adequacy of the institution's business recovery, contingency plans and the test results and put up the same to the Board….including periodic testing by service providers whenever critical operations are outsourced.
Risk Analysis
Business Impact
Analysis
RecoveryStrategy
Business Continuity
Plan
Impl. Business Continuity
Plan
Impl. IT Recovery
Plan
Current Recoverability
Analysis
Analyse
Implement
Design
Business Continuity Cycle
10 Professional Practices for BCP Practitioners (Source – DRI Intl.)
1. Project Initiation and Management 2. Risk Evaluation and Control
3. Business Impact Analysis 4. Developing Business Continuity Management Strategies 5. Emergency Response and Operations 6. Developing and Implementing Business Continuity Plans 7. Awareness and Training Programs 8. Exercising and Maintaining Business Continuity Plans 9. Crisis Communications 10. Coordination with External Agencies
BIA – per IBA Working Committee
1. INSIGNIFICANT – Direct loss up to INR 100,00
2. MINOR – Direct loss up to INR 25,00,000
3. MODERATE – Direct loss up to INR 250,00,000
4. MAJOR – Direct loss - up to INR 10,00,00,000
5. MASSIVE – Direct loss > INR 10,00,00,000
Other parameters – reputational loss, loss of confidence by customers and the public, Media and Public outcry, staff confidence and morale, Regulatory and political repercussions, Share price crash
BCMI Service Offerings
Offers in India DRI International’s certification courses – leading to the ABCP, CFCP, CBCP and MBCP certifications (www.drii.org)
Also offers non-certification courses such as:
– BCM Best Practices Workshops– BCM Disaster Simulation Exercise– BCM Pandemic Flu Workshop– BCM Walkthru workshops
– Specialised workshops on BIA etc– Auditing of BCM
Competence
DRI Asia Certified Instructors (Minimum CBCP qualified)
A network of 50+ instructors across Asia. “Hands on”, with practical experience in
the IndustryHighly experienced, with International
exposureAn exposure to Global Standards and
Best Practices A thorough understanding of the 10
Professional Practices for Business Continuity Professionals, the common body of knowledge for BCM practitioners
What we offer – via our sister Companies
The ability to help you to create your Business Continuity Plan – or enhance it via BCM Best Practices
Specialised assistance for specific stages of the BCM cycle, such as BIA, Exercising and Maintenance etc
Auditing or review of BCM. Also preparedness for BS25999
