The Business Continuity Lifecycle Belfius
17 December 2013, ALM Antwerpen
Ludo Jappens MBCI, Operational Risk Mgt. - Business Continuity & Crisis [email protected]
Belfius in brief
[Figure: corporate history timeline of the group, 1856 to 2007. Entities shown: Gemeentekrediet België, Banque Internationale Luxembourg, Crédit Local France, Paribas België, BACOB België, Artesia, Dexia BIL, Dexia CLF, Dexia group, Dexia Technology Services; dates shown: 1856, 1860, 1924, 1966, 1996, 2001, 2002, 2007.]
17 Dec 2013 Business Meets IT Business Continuity Lifecycle Belfius
Innovative Solutions For Finance (IBM) 2013
Business Continuity Management
Simple definition: “Business Continuity is dealing with the consequences of an incident or a crisis”
Comprehensive definition (ISO 22301): “BCM is a holistic mgt. process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building resilience and the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities”
BCM standards: ISO/IEC 27001 (chapter 9) -> BS 25999 (2006) -> ISO 22301 (2012)
BCM guidelines: Good Practice Guidelines (2013)
The Business Continuity Lifecycle (ISO 22301): Policy & Programme Mgt. (management practice)
• Policy: ambitions, goals; scope; responsibilities, roles; resources
• Programme Mgt.: framework & roles = backbone of BCM
• Policy & Programme Mgt.: the organizational BC Policy and how it is implemented, controlled and validated
Programme Mgt. – Crisis Mgt. Framework
[Diagram: the three levels of the crisis management framework.]
• Strategic: Crisis Mgt. Team (CMT) – Board of Directors (BoD, most concerned member), Corporate Crisis Mgr. (CCM), members representing the impact domains; decides what, budget, resources
• Tactical: who, how, when, where; plans: DRP, FCP, BCP, HRRP, CCP (Crisis Comm. Plan)
• Operational: execute; response plans for IT incidents, physical incidents, strike response
Programme Mgt. – Actor roles
[Diagram: actor roles per level.]
• Strategic: Board of Directors (B.o.D), Belfius Mgt., Business Strategic Crisis Management Team, Corporate Crisis Mgr., outside world
• Tactical: Business Continuity Team – Business Continuity Coordinator, Business Relocation Coordinator, Business Continuity Correspondents (Belfius Operational Services); Technology – Disaster Recovery Coordinator
• Operational: staff of Critical Business Activities, Site & Desk Restoration Team, competence centers, 2nd line
• Action plans assigned to roles
• Call list with candidates & alternates for each role
The Business Continuity Lifecycle (ISO 22301): Embedding (management practice)
• Integrate BC into day-to-day business and organizational culture
• Mgt. buy-in -> success stories -> enhanced awareness
• Inputs: audits, real incidents (internal/external), near misses
• Appropriate reporting: dashboards, KPIs
The Business Continuity Lifecycle (ISO 22301): Analysis (technical practice)
Reviews & assesses the organization: objectives, functions, environment constraints
Analysis – Methodology
• Threat Analysis: estimate the likelihood and impact on specific functions from known threats
• Business Impact Analysis (BIA):
  • assess the impact or effect of the loss, interruption or disruption of the key services or products
  • estimate the resources, facilities and services that each activity will require at resumption
• Good Practice Guidelines (2013): tactical BIA (impacts) vs. operational BIA (resources)
History:
• Top-down approach (2003)
• BIA spreadsheets (2010): 800 separate sheets
• BIA-tool (2012) + business validation
• Audit: “criticality not challenged”
• New assessment (2014): ISO 22301 – additional features & requirements, dependencies
Support: database-based toolset – reusability (mutations steady), adaptability, quality & integrity control, overall reporting and styling, integration of external sources, synchronisation of lifecycle stages
Business Impact Analysis – Tactical level: “Assess impact of a disruption”
[Figure: sample BIA worksheet with losses and impacts.]
Business Impact Analysis – Operational level: “required resources for continuity – recovery strategy”
[Figure: sample worksheet; validation of BIAs.]
The Business Continuity Lifecycle (ISO 22301): Design (technical practice)
• Identifies & selects appropriate strategies
• How to achieve continuity & recovery from disruption
Design – Recovery strategies
Major options:
• Stop business
• Transfer activities – dual office
• Remote access – homework: gateway bandwidth, digipass, desktop SW on Terminal Server (Citrix); embedded in business culture
• Internal relocation (Brussels buildings): dedicated seats (specific desktop SW) vs. free seating hosting (universal workstation)
• External relocation (Business Relocation Centers vs. own property): specific needs HW/SW/premises; coverage of the threat “unavailability Brussels”
Success factors & constraints:
• ICT technology: industrialised solutions, but also single points of failure – universal workstations, Voice over IP (Power over Ethernet), virtual faxes, capacity of remote accesses
• Master plan buildings
• Threat assessment – perception of the “worst case scenario”
• Cultural changes
The Business Continuity Lifecycle (ISO 22301): Implementation (technical practice)
• Executes the agreed strategies & tactics
• Developing the Business Continuity Plan (BCP)
Implementation – Customised data model
[Diagram: entity-relationship model of the BCP database.] Entities: MgtFunct, Staff, Actor, Procedure (sub/super), Location, Company, Organization, OrgUnit, Online documents, CritBusAct, Equipment, Documents, Hardware, DT Software, Assets, PersonSkill, Contact data, Features, SI, Desks
• DRP since 2002, BCP since 2003
• Master DB in Oracle, local versions in MS/Access
• Tool evolution: Word – Excel -> own database -> tool
Implementation – Single definition of criticality
• Design – BIA (all activities) -> Catalog of Critical Business Activities -> BCP DB
• RTO = time to resume activity (4 H, 2 days)
• Per Critical Business Activity: # desks (HQ/HW), homework constraints, capacity forecasts, staff (candidates & alternates)
• Critical Business Activities Business Continuity Plan: worst case scenario “unavailability 1 building”
Immediate response plans:
• Pandemic response plan
• Power outage response plan: assignment of scarce no-breaks
• Strike response plan: access lists, endorsed by unions
But also:
• Assessment of the criticality of IT services from the customers' perspective
• Ad hoc IT incident response plans: business impact of the failure of an IT component on Critical Business Activities
Implementation – Extended BCP toolset
[Diagram: Belfius BCP toolkit, MS/Access (rel. DB), object oriented; linked via ODBC to the HR DB (master data, staff) and the Config. Mgt. DB (IT).]
• BCP DB: data model, data entry, BCP reports, BCP handouts
• Mgt. reporting, dashboards, ad hoc queries, compact call lists, quality & integrity controls
• Home grown applications: BCP reporting, BIA, Threat Analysis, Dependency Analysis, Registration Center, Volunteers, …
The Business Continuity Lifecycle (ISO 22301): Validation (technical practice)
Confirms
• that the BCM Programme meets the objectives of the BC Policy
• that BC is fit for purpose: quality of the content; efficiency & effectiveness of BC procedures; skills of actors
“Five minutes before the party is not the time to learn to dance!” (Snoopy, 1964)
“The proof of the pudding is in the eating.”
Validation – Quality control of content
The BC plan needs to reflect the reality (time to market). Beware of derived reports, parallel call lists, …
• Role assignment: obsolete users, long-term absences
• Mutations / organisational changes: new or obsolete business units
• Internal recovery streams + host location: moves
• Contact data business: office #, mobile office, digipass
• Contact data privacy: e-mail, private GSM & phone #
[Diagram: BCP DB fed from the HR DB (master data, staff, privacy) and the Config. Mgt. DB (IT).]
Validation – Integrity control of content
[Diagram: the BCP data model, same entities as the customised data model slide.]
• Locations: critical business activities, persons, relocation places
• Actor roles: a sufficient number of assigned candidates? Candidates belong to the same department?
• Critical Business Activities: capacity requirements filled in? Homework constraints filled in? Type of required workstation filled in? A sufficient number of assigned staff members on the call list? Assigned candidates belong to the same department? Contact data available for overnight activation? Digipass ownership, if telework is allowed.
• Relocation places: physical recovery locations defined? Critical business activities assigned to host workstations?
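The integrity questions above, turned into an executable check as an added example (this is not Belfius' BCP toolkit; the record layout, field names, the minimum of two candidates and the reading of “same department” as “matches the activity's department” are assumptions):

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Candidate:
    name: str
    department: str
    overnight_phone: Optional[str] = None   # private number for overnight activation
    has_digipass: bool = False              # needed for remote access (telework)

@dataclass
class CriticalActivity:
    name: str
    department: str
    capacity_required: Optional[int] = None # desks needed at the relocation place
    homework_allowed: Optional[bool] = None # None = homework constraints not filled in
    workstation_type: Optional[str] = None  # "dedicated" or "universal"
    call_list: list = field(default_factory=list)
    host_workstations: int = 0              # desks assigned at a physical recovery location

def integrity_findings(act, min_candidates=2):
    f = []
    if act.capacity_required is None:
        f.append("capacity requirements not filled in")
    if act.homework_allowed is None:
        f.append("homework constraints not filled in")
    if not act.workstation_type:
        f.append("type of required workstation not filled in")
    if len(act.call_list) < min_candidates:
        f.append(f"only {len(act.call_list)} candidate(s) on call list, need {min_candidates}")
    for c in act.call_list:
        # assumed reading of the slide: candidates must belong to the activity's department
        if c.department != act.department:
            f.append(f"{c.name}: department {c.department} differs from {act.department}")
        if not c.overnight_phone:
            f.append(f"{c.name}: no contact data for overnight activation")
        if act.homework_allowed and not c.has_digipass:
            f.append(f"{c.name}: telework allowed but no digipass")
    if act.capacity_required and act.host_workstations < act.capacity_required:
        f.append(f"{act.host_workstations} host workstations assigned, need {act.capacity_required}")
    return f

# Constructed sample records (not Belfius data): one clean, one with gaps.
SAMPLE = [
    CriticalActivity("Payments processing", "OPS-PAY", 6, True, "universal",
                     [Candidate("A. Peeters", "OPS-PAY", "+32 4xx xx xx xx", True),
                      Candidate("B. Janssens", "OPS-PAY", "+32 4xx xx xx xx", True)], 6),
    CriticalActivity("Treasury settlement", "TRS", None, None, "dedicated",
                     [Candidate("C. Maes", "ACC")], 2),
]

def integrity_report(activities):
    return {a.name: integrity_findings(a) for a in activities}
```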
Validation – Synchronization control of content
[Diagram: the BIA tool (analysis stage, all business functions) synchronised with the BCP DB (implementation stage, Very Critical (4 H) & Critical (2 days) activities).]
Validation – Exercise plan stages
[Diagram: BCP timeline t0 -> t1 -> t2 -> t3: BCP invocation, deploy crisis/BCP organisation, prepare alternate work area, operate at alternate work area.]
Exercise types (what / how / who):
• Cascade exercise (inside & outside working hours) / call lists & call trees / all staff members
• Inventories, work lists, technical scenarios / restoration tasks (IT, organizational) / continuity & IT staff
• Operation files, business guidelines / live operations / business staff
• Crisis simulations / crisis mgt. skills / strategic & tactical actors
Validation – Telephone cascade exercise
[Diagram: BCP invocation. The Business Continuity Coordinator activates the Business Relocation Coordinators, who activate the candidates or alternates of the Very Critical Business Activities (additional cascade layers per business unit optional); the Corporate Crisis Mgr. activates the members of the Mgt. Crisis Team; management is notified and the N-1 BCP actors are informed; automated SMS alerts support the cascade.]
• Call lists and call tree “overnight” from the BCP DB; the exercise assesses quality as well as efficiency & effectiveness
Validation – Telephone cascade exercise
Key Performance Indicators:
• Elapsed time: time needed for every active player in the cascade to complete his/her subset of the call list
• Effectiveness: the percentage of roles that could be effectively filled
• Efficiency: a percentage that indicates the number of calls needed to fill all roles
• Activation time: time needed to activate the team; only significant for teams that have to take immediate response actions
Create competition between departments -> accountability for the content of call lists -> enhanced awareness
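The four KPIs computed over a constructed overnight cascade log, as an added example that is not from the presentation; the call-record layout, the efficiency formula (successful calls as a share of all calls) and treating activation as complete only when every role is filled are assumptions:

```python
from datetime import datetime, timedelta

# Constructed call log of an overnight cascade exercise (not Belfius data).
# Record layout is an assumption: (caller, callee, role, time of call, reached).
START = datetime(2013, 12, 17, 22, 0)
CALLS = [
    ("BC Coord", "Cand-1", "Relocation Coord", START + timedelta(minutes=2), True),
    ("BC Coord", "Cand-2", "DRP Coord",        START + timedelta(minutes=5), False),
    ("BC Coord", "Alt-2",  "DRP Coord",        START + timedelta(minutes=9), True),
    ("Cand-1",   "Cand-3", "Payments lead",    START + timedelta(minutes=12), False),
    ("Alt-2",    "Cand-4", "Treasury lead",    START + timedelta(minutes=14), True),
    ("Cand-1",   "Alt-3",  "Payments lead",    START + timedelta(minutes=15), False),
]
ROLES = ["Relocation Coord", "DRP Coord", "Payments lead", "Treasury lead"]

def minutes(delta):
    return int(delta.total_seconds() // 60)

def cascade_kpis(calls, roles, start):
    """KPIs of one cascade run, following the four definitions on the slide."""
    filled = {}        # role -> time the first reachable candidate or alternate was reached
    per_player = {}    # caller -> (first call, last call) of that player's subset
    for caller, _, role, when, reached in calls:
        if reached and role not in filled:
            filled[role] = when
        lo, hi = per_player.get(caller, (when, when))
        per_player[caller] = (min(lo, when), max(hi, when))
    all_filled = all(r in filled for r in roles)
    return {
        # elapsed time: per active player, first to last call of their subset
        "elapsed_min": {p: minutes(hi - lo) for p, (lo, hi) in per_player.items()},
        # effectiveness: share of roles that could be filled
        "effectiveness_pct": round(100.0 * len(filled) / len(roles), 1),
        # efficiency (assumed reading): successful calls as a share of all calls made
        "efficiency_pct": round(100.0 * len(filled) / len(calls), 1),
        # activation time: minutes from invocation until the last role was filled;
        # None when the team could not be fully staffed (assumption)
        "activation_min": minutes(max(filled.values()) - start) if all_filled else None,
        "unfilled_roles": [r for r in roles if r not in filled],
    }
```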
Validation – Operational exercises – preparation
Scope of operational exercises (considering costs, risks, goals, …):
• announced / unannounced
• week day / bank holiday with reduced activity
• start within the day / overnight
• real operations / test transactions
• close primary location / mixed activities (primary & secondary location)
• duration (hours, ½ day, day)
Organisational issues:
• HR: catering, transport, extra expenses, parking, overtime, …
• Business: mail centre, customer notification, …
“Exercise a plan”, not “plan an exercise”. Exercising = “stretching the muscles”.
Principle of integrated exercises:
• unannounced, linked to the building evacuation (yearly)
• emergency, psychosocial relief, medical support, registration center
• crisis mgt.
• invocation of the BC plan for the department in the evacuated building
Validate – Integrated exercises – additional roles
[Diagram: roles at the emergency + tactical level and at the operational level, per impact domain (Human, Facilities & Logistics, Communications).]
• Responsible professional staff: HR – Medical Services (IDPBW/SIPPT), HR – Social Services (IDPBW – SIPPT psychosocial prevention), Crisis Communications / Crisis Website, Evacuation coordinator at the “flash point”
• Operational level, qualified volunteers: medical support (1st aid), psychosocial relief, psychosocial after care, crisis call center operators, first intervention evacuation team
• Reception desk at the evacuated building, provisional (first period)
Validate – Integrated exercise deployment
[Diagram: deployment across the evacuated building, the crisis center, host buildings 1 and 2, dispatching, the emergency services (Astrid) and the crisis call center. Strategic level: Corp. Crisis Mgr., Strategic Crisis Mgt. Team (SCMT) with domains B, H, C, F, L (Comm. (C), Human (H), Business (B), Facilities (F)). Tactical level: crisis coordinators (Comm., Human), Bus. Cont. Coord., Business Relocation Coordinators + CORMs, DRP Coord., Evacuation Coord., Medical Supervisor, PS supervisor, Registr. supervisor, CCC supervisor, Crisis website supervisor. Operational level: first intervention, med. support, PS support, crisis call center, crisis website operators, crisis forum, SMS; relocation staff of (Very) Critical Business Activities at the host buildings (RT, PA, GI).]
Validation – When Business Continuity meets IT
[Diagram: the Registration Center imports snapshots from the BCP DB (critical business activities, BCP operators, volunteers), the HR DB (staff members, organisation units) and the physical access system (badges), and supports the reception desks at registration; Citrix snapshots of open workstation sessions and remotely connected users support the BC deployment and the KPIs; crisis communications site.]
• Support of the human domain
• Call forwarding to private numbers
• Crisis mgt. collaboration tool (under construction)
• …
• Debriefing
Validation – Exercise KPIs (1) – sample
1. Identification of the exercise: building, date, day, hour, period, type
2. Scope – assessment of the exercise components:
• Evacuation: activated at PA – 3, average
• BCP: deployment of BCP Very Crit at / DT – 3, average
• PsychoSocial: activated at PA – 4, good
• Medical: activated for PA – 4, good
• Crisis call center: call list CCC operators at DT – 4, good
• Crisis communication: Astrid, broadcasts, crisis site, crisis mailbox – 4, good
• Crisis Mgt.: tactical (BCP, human, comm) + strategical – 4, good
3. Evacuation statistics: # persons SAP, # persons in the building, % occupation, # BCP business units, # wildcards BCP bus. units, # wildcards others; detection, feedback, EPI; time alert, “building empty”, reset alarm, return staff, provoked work delay (minor)
4. Registration center: # “non-registered persons” – raw list ( %) reduced to ( %) with a post control – 3, average
Validation – Exercise KPIs (2) – sample
5. Volunteers
• First Intervention Team (FIT): # assigned to building …; # available at evacuation PA/OM: of ( %); # floors without FIT: 4 (PA 04) – 4, good
• Psycho-social support: # present at PA/OM at evacuation time: of ( %); # active during evacuation exercise – 4, good
• First aiders (Secouristes / EHBO): # present at PA/OM at evacuation time: of ( %); # active during evacuation exercise – 3, average
6. Business Continuity Plan statistics, per dept (floor): # persons Very CBA present, # persons Very CBA at relocation, # desks Very CBA at relocation, %, host, BCP time to relocate (target 4 H), remarks / issues – 3, average
• # persons assigned to Very Critical Business Activities (RTO 4 H) present at the evacuated building
• # persons moved to the relocation place to start the BCP
• # desks filled at the relocation place
• time needed to resume activities
Validation – Exercise KPIs (3) – sample
7. Major issues: short description, assessors, target date (items 1, 2, 3)
8. Strong points: short description, assessors, target date (items 1, 2, 3)
Managed as audit recommendations