930 likes | 1.24k Views
Business Continuity Planning Overview, Regulations and the Growing Significance of Automated BC Solutions. Presented by Steve Kokol, Vice President of International Sales Strohl Systems Group, Inc. skokol@strohlsystems.com September 2006. What is a Disaster?.
E N D
Business Continuity Planning Overview, Regulations and the Growing Significance of Automated BC Solutions Presented bySteve Kokol, Vice President of International Sales Strohl Systems Group, Inc. skokol@strohlsystems.com September 2006
What is a Disaster? • A disaster is a sudden, unplanned calamitous event that creates the inability on an organisation’s part to provide the critical business functions for some predetermined period of time and which results in great damage or loss. (DRI International) • The time factor which determines whether a service interruption is an inconvenience or a disaster will vary from organization to organization. • The type, timing and severity of any business disruption is unpredictable.
Business Continuity Planning – Defined • An ongoing programme to ensure prudent risk reduction and to resume key business operations before unacceptable impacts and losses are incurred. • Business continuity bridges the gap between disaster and recovery • Whatever the scenario, business continuity identifies weak links in the flow of information and builds systems and procedures to eliminate downtime.
Business Continuity Planning • BCP v. DR • BCP grew out of DR • Disaster Recovery tends to focus on data • BCP focuses on the entire Business and Business Units • BCP takes a more proactive stand • BCP programme elements include • Program authorization (a Business Impact Analysis and a commitment by executive management) • Business Continuity Plan development (response, resumption, recovery and crisis management) • Recovery Plan (and the regular maintenance of this plan) • Availability and survivability components such as UPS and redundant telecommunication systems.
Proactive v. Reactive • Business Continuity Planning • Proactive Process • By having a BCP, organisations seek to prevent interruption of mission critical services • BCPs generally cover most or all of an organization’s critical business processes and operations • Disaster Recovery Planning • Reactive Process • More technical plans that are developed for specific groups within an organization to allow them to recover a specific business application • Areas requiring specific DRP’s include IT, call centers, and distribution centers
A Business Continuity Programme is NOT: • A project • A one time task with a fixed duration • Just about data • BCP must be an on-going, living programme with commitment from Top Management.
BCP Acceptance Worldwide • What drives BCP Acceptance in a particular country versus another? • Country Culture • Risk Avoidance • Laissez-faire • To some extent - Technological Advancement
BCP Acceptance Worldwide • What drives BCP Acceptance in a particular country versus another? • Presence of BCI, DRII or other organisations promoting BCP Standards – BCI Country Representatives – www.thebci.org • http://www.thebci.org/worldwideoffices.htm • Both BCI and DRII offer BCP certification
BCP Acceptance Worldwide • What drives BCP Acceptance in a particular country versus another? • Propensity to experience frequent natural disasters • Typhoons • Earthquakes • Floods • Monsoons • Country Specific Regulations • Industry Regulations • Corporate Governance Laws • Avian Pandemic / SARS • War / Terrorism
Type of Threats • Acts of nature • Man-made disruptions/disasters • Failure of infrastructure or technology
Ability to Recover No Plan Documented Tested Trained Maintained Ability to Recover versus BCP Maturity
Four Elements of a Business Continuity Program Keep the plan up-to-date Assure strategy reflects the business’ needs On-going testing Trained recovery teams
EMERGENCY RESPONSE RISK MITIGATION CORPORATE RISK MGT CORPORATE CRISIS MGT BUSINESS RECOVERY TECHNOLOGY RECOVERY INFRASTRUCTURE RECOVERY CRISIS COMMUNICATIONS PLAN PROCESS RECOVERY Integrated Business Continuity Program
Business Continuity Planning Budget • BUDGET ELEMENTS: • Hot Site Contracts • Staff • Hardware • Education • Media Storage • Testing • Software FACTORS INFLUENCING THE PERCENTAGE OF BCP BUDGET • Executive Commitment • Geographical Disbursement • Industry Regulations • Industry • Revenues and Profits • RTO • Availability Goals - Protection of Data versus Operations
Which department in your organization is ultimately responsible for business continuity planning?
What is the title of the executive sponsor of your organization's BCP program?
Recovery Time Objective The RTO (Recovery Time Objective) is the Timeframe in which a Business Function must resume a Level of Service that will Prevent Unacceptable Financial and/or Operational Impacts from being Incurred by the Organization.
Protection of Data versus Protection of Operations Protect the Data: • Research and Development – Pharmaceutical • Downtime not as important as protection against lost data • Retesting to meet documented regulatory requirements • Isn’t the protection of data always most important ? • Maintaining Continuous Operations: • Manufacturing and Supply Chain • Cost of stopped product line can cost Millions per hour. • Also need to look “upstream” to ensure suppliers’ maintain continuous operations through a formal BCP. • Philips Electronics fire at Chip Plant • Nokia v. Ericsson (one did a better job than the other because of their tested BCP plan)
Define the Cost of an Outage Data – 99% availability = 88 hours each year that computing resources are unavailable Average Cost of an outage according to Gartner: USD $42,000 per hour for mission critical applications $3,600,000 lost each year due to unplanned downtime For companies that rely 100% on technology such as online brokers, e-commerce companies and traders, hourly downtime risks can be $1,000,000 or more !
Define the Cost of an Outage • It must be measured in more than just $$ • Why do I need a BCP programme if I have insurance? • Insurance only covers the financial considerations • Need a plan to stay in business • 50% of companies that experience a significant interruption or disruption in service who do not have tested, up-to-date BCP Plan go out of business within one year of this interruption or disaster • Can often recover from the financial impact, but can you recover from the lost of market share and customer confidence?
BCP Acceptance Worldwide • Regulations drive Acceptance • UK Financial Services Authority • Basel II Accord • European Central Bank • Bank of Russia • SAMA – Saudi Arabian Monetary Agency • De Nederlandsche Bank • Monetary Authority of Singapore • Hong Kong Monetary Authority • Bank of Thailand • NYSE Rule 446 • Quality Standards ISO 17799, BS 7799 • ISO Crisis Management Standards – ISO studying – May 2006 • BS 25999 – BCM Planning – In Progress – August 2006 • Australian Standards - AS 4444, AS/NZS 4360, HB 221 • British Standards – PAS 56 • UK Civil Contingencies Bill of 2005 • Insurance Regulations • Corporate Governance
BCP Acceptance Worldwide • UK Financial Services Authority (FSA) • Independent non-governmental body, given statutory powers by the UK Financial Services and Markets Act of 2000 (responsibility transferred to FSA from the Bank of England) • Her Majesty’s Treasury appoints the FSA Board • Banks, Financial Services, Securities and Futures • Combined Code – Directors must annually conduct a review of the group’s effectiveness system of internal controls and report to the shareholders that they have done so. (No requirement to publish this review)
BCP Acceptance Worldwide • UK Financial Services Authority (FSA) • Guidance on Business Continuity (SYSC 3.2.19 [G]): • “A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness” • www.fsa.gov.uk/
BCP Acceptance Worldwide • New Basel Capital Accord (Basel II) – issued by the Bank for International Settlements (BIS) www.bis.org • Originally issued the Basel Capital Accord (Basel I) in 1988 – applied minimum capital reserve standards to the banking industry (8%) • January 2001 – Proposal for new Basel Accord to replace 1988 standard • Initial goal was to finalise by 2004 – pushback from the banking community, fearful that they could not comply) • Implementation by year-end 2006, (or possibly later)
BCP Acceptance Worldwide – Basel II • New Basel Capital Accord (Basel II) • Three Pillars of Basel II • Capital Standards • Supervisory Review • Market Discipline • Operational Risk addressed in all three pillars
BCP Acceptance Worldwide – Basel II • New Basel Capital Accord (Basel II) • Banks that can demonstrate “sound practices for the management and supervision of operational risk” will be able to reduce their capital reserves, freeing up large amounts of additional funds for investment. • Sound Practices for the Management of Operational Risk • Operational Risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events” • Developing an Appropriate Risk Management Environment • Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption • Basel II places emphasis on internal controls and risk management
BCP Acceptance Worldwide • New Basel Capital Accord (Basel II) • Once finalised, each Nation may make amendments to their domestic versions of Basel II • Companies wanting to reduce their operational reserves must show a 5 year track record of compliance to be able to reduce these reserves. • Basel II should not simply be viewed as a compliance initiative, but as an opportunity for change! • www.bis.org/publ/bcbsca.htm
BCP Acceptance Worldwide • ECB – European Central Bank – June 2006 • Three-year deadline for the introduction of stricter business continuity planning and crisis management procedures • Payments system operators, key suppliers and participants - should have well-defined strategies and monitoring mechanisms for dealing with major outages aimed at the recovery and resumption of critical functions within the same settlement day. • Systems should also have a secondary, geographically separate site, capable of independent operation in the event of failure at the primary facility. • June 2009 compliance with revised standard • http://www.ecb.int/pub/pdf/other/businesscontinuitysips2006en.pdf
BCP Acceptance Worldwide • Standard of the Bank of Russia – January 2006 • Ensuring information security of the organizations of the banking system of Russian Federation • 9.6. Business continuity management and disaster recovery • Organization should develop and deploy the plan of business continuity management and disaster recovery. • The plan and corresponding business processes should be reviewed on the regular basis and updated (e.g. after significant changes in operational activities, organizational structure, business processes and information systems). • The effectiveness of documented procedures of recovery should be periodically checked and tested (at least twice per year). All staff involved into the plan execution and DR procedures should be familiarized with the plan • As a methodological basis for the plan development common international standards of Business continuity management (like BSI PAS-56) could be used.
BCP Acceptance Worldwide • SAMA – Saudi Arabian Monetary Agency • 2006 • Currently seeking guidance in setting BCP standards from their member banks • http://www.sama.gov.sa/
BCP Acceptance Worldwide • De Nederlandsche Bank • 2005 – Business Continuity Assessment Framework • Assist firms to benchmark their BCP activities • Framework will be introduced to other firms within the “Euro-zone” • Each firm must have a BCP plan approved by management board or senior management • Advisable to have the BCP plan assessed by by the internal audit department • The Assessment framework contains a total of 10 criteria
BCP Acceptance Worldwide • Monetary Authority of Singapore • June 2003 – Guidelines on Risk Management Practices – Business Continuity • The guidelines will serve as a standard for financial institutions and raise their awareness and preparedness by having in place effective and comprehensive BCP • Institutions are encouraged to adopt these principles and implement BCP that is commensurate with the institution’s nature, scale and complexity of business activities • MAS will, in the course of its supervision of institutions, review the BCP implementations • Board and Senior Management should be responsible for the BCP preparedness of their institution • Institutions should embed BCP into their business-as-usual operations, incorporating sound BCP practices
BCP Acceptance Worldwide • Monetary Authority of Singapore • June 2003 – Guidelines on Risk Management Practices – Business Continuity • Institutions should test their BCP regularly, completely and meaningfully • Institutions should develop recovery strategies and set recovery time objectives for critical business functions • Institutions should understand and appropriately mitigate interdependency risks of critical business functions • Institutions should plan for wide-area disruptions • Institutions should practice a separation policy to mitigate concentration risk of critical business functions • www.mas.gov.sg/regulations/download/BCMGuidelines.pdf
BCP Acceptance Worldwide • Hong Kong Monetary Authority • New BCP policy established in December 2002 • Sets out the HKMA’s supervisory approach to business continuity planning (BCP) • www.info.gov.hk/hkma/eng/bank/spma/index.htm
BCP Acceptance Worldwide • The Bank of Thailand – November 2005 • Requirement of an IT Contingency Plan – BOT Notification No 1953-2548 • Restore IT systems of Financial Institutions “within a suitable period” • Maintain customer and stakeholder confidence in financial institutions’ services • Board of Directors of each Financial Institution must establish a written policy statement and guide for preparing the IT Contingency plan • Functional and full scale tests must be conducted at least once per year • BOT recognized that IT plan is part of the BCP plan. BOT is in the process of issuing guidance for the preparation of business continuity plans. • www.bot.or.th
BCP Acceptance Worldwide • NASD 3500 Series-Emergency Preparedness (3510 and 3520) and NYSE-Rule 446 Business Continuity Rules • Approved by the US SEC - April 2004 • NASD and NYSE member organizations must develop and maintain a written business continuity and contingency plan • Must conduct, at minimum, and annual review…in light of changes to the organization’s operations, structure, business or location • Plan must address • Data back-up and recovery or mission critical systems • Alternate communications between customers and the firm • Alternate communications between the firm and its employees • Financial and operational risk • Alternate Physical location of employees • Communication with Regulators
BCP Acceptance Worldwide • NASD and NYSE Business Continuity Rules • NASD and NYSE member also required to disclose to its customers a summary of its business continuity plan that addresses how the member intends to respond to potential disruptions of varying scope • Must designate a senior officer to approve the Plan and be responsible for the annual review and emergency contact person(s) • NASD providing a template for small businesses and a repository to hold BCP plans: http://www.nasdr.com/business_continuity_planning.asp • http://www.sec.gov/news/press/2004-53.htm
BCP Acceptance Worldwide • Quality Standards ISO 17799, BS 7799-2:2002 • International Organization for Standardization (ISO) • British Standards Institute – Specification for Information Security Management • BS7799 is the most widely recognized security standard in the world. • Best practices in information security • Code of practices (ISO) • Specification for Information Security Management (BS)
BCP Acceptance Worldwide • Quality Standards ISO 17799, BS 7799-2:2002 • ISO17799 is organized into ten major sections, each covering a different topic or area: • 1. Business Continuity Planning - The objectives of this section are: To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters. • www.iso.org
BCP Acceptance Worldwide • ISO Crisis Management Standards • ISO Technical Committee (ISO/TC) studying – May 2006 • Mission of ISO/TC 223 is to develop International Standards or other ISO deliverables that will improve preparedness before a crisis, coordination during a crisis and reconstruction and remedial action afterwards. • Scope of crisis management is broad, spanning everything from preparation, analyses, forecasts and development of systems to education, drills and evaluation. • Next Meeting – November 2006 • www.iso.org
BCP Acceptance Worldwide • Quality Standards BS 25999 • Code of practice for business continuity management • Draft for public comment ended August 2006 • Part 1: Code of practice for business continuity management; • Part 2: Specification for business continuity management • Part 2 specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization. • www.bsi-global.com/bs25999
BCP Acceptance Worldwide • Australian Standard - Security Standards - AS 4444 • Key Controls 1: • Information Security Policy document • Key Controls 2: • Business Continuity Planning • AS/NZS 4360 – Risk Management Standards • Business Continuity Management Handbook – HB 221:2003 • www.standards.com.au/catalogue/script/search.asp
British Standards – PAS 56 • Publicly Available Specification 56 • “Guide to Business Continuity Management” • March 2003 – Published by the British Standards Institute and sponsored by the BCI • Based on the BCI’s Good Practiced guide • Pre-Standard which may form the basis for an eventual standard • Envisioned that organizations who already have processes in place will be asked at some point by their stakeholders to confirm that they comply with PAS 56 • Provides a framework for incident anticipation and response evaluation techniques and criteria • Provides recommendations for good practice • www.thebci.org/pas56.html
UK Civil Contingencies Bill of 2005 • UK Drafted the Act in January 2004 • Became a UK Regulation in early 2005 • Addresses various natural and man-made threats, emergencies or disasters • Requires “Responders” to perform contingency planning, risk assessment and maintain plans that “…if an emergency occurs the person or body is able to continue to perform his or her functions” • Responders: • Category 1: County Councils, District Councils, Police, Fire Health, Environmental • Category 2: Utilities, Transport, Health and Safety • http://www.parliament.the-stationery-office.co.uk/pa/cm200304/cmbills/014/2004014.htm • Self Assessment tool: http://www.audit-commission.gov.uk/emergencyplanning/index.asp
BCP Acceptance Worldwide • Insurance Regulations • A documented and tested BCP plan is a requirement of many insurance firms • Precondition of Insurance • Premiums lower for sound, mature, tested BCP programs.
BCP Acceptance Worldwide • Other Factors • Have experienced a disaster in the past – have “felt the pain” • Power Outages Worldwide • Mandate for BCP plans from other corporations with whom you are doing business • Supply chain - diversify • Competitive Advantage • Avian Pandemic / SARS • Fear factor
BCP Acceptance Worldwide • Corporate Governance • WorldCom, Enron, Ansett Airlines, “dot-gones” • Directors being held directly responsible for Business Continuity Plans • USA: Sarbanes-Oxley Act of 2002 • Increased standards for corporate governance, transparency and accountability • Section 404 focuses on BCP and Operational risk • Executives must review internal controls and publish the results of the review • Section 409 focuses on prompt disclosure • Executives are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations • Only applies to publicly traded companies • Does apply to Non-USA companies that are listed in the USA • Effective for US companies 15 June 2004 and 15 April 2005, depending on the size of the business • Effective for non US companies in 2005 • http://www.soxlaw.com/s802.htm
BCP Acceptance Worldwide • Corporate Governance • The Turnbull Report – 1999 – Institute of Chartered Accountants in England and Wales (ICAEW) – provides guidance to Directors on the “Combined Code of the Committee on Corporate Governance” • Compliance is a prerequisite for being listed on the London Stock Exchange • Higgs Report – Role of the Board Proposed to be combined into the UK’s “Combined Code” • http://www.dti.gov.uk/cld/non_exec_review/pdfs/higgsreport.pdf • King Report on Corporate Governance (King 2): South Africa • Company must protect stakeholders from effects of the worst disasters • Places BCP responsibility at the Board of Directors level • Formal risk assessment at least once per year • Australian Stock Exchange – Principles of Good Corp Governance • Australia – AS 8000-2003 Principles of Corporate Governance • Upcoming Malaysia Regulations for listed companies