
BCP Document

Business continuity plan

Uploaded by

cadjite2528
Copyright
© All Rights Reserved

BUSINESS CONTINUITY PLANNING GUIDE

AGENDA

• Introduction

• Objectives of BCP

• Approaches to BCP

• Dimensions of Scope

• Entry Points

• Q&A

INTRODUCTION

So…you’ve decided to embark on a business continuity planning (BCP) project
…but where do you start?
• Define the objectives
• Determine the dimensions of scope
• Select an appropriate approach
• Proceed from an entry point

OBJECTIVES (1/2)

Four possible objectives of BCP:

1 Satisfy audit or regulatory requirements

2 Rebuild the infrastructure

3 Resumption of business activities

4 Continuity in customer service

OBJECTIVES (2/2)

Audit or Regulatory Requirements
• If your focus is on:
– Passing an audit or getting points cleared
– Minimizing costs
• Then your objective is to satisfy audit or regulatory requirements.

Rebuild the Infrastructure
• If your focus is on:
– Alternative facilities and sites
– Solutions to minimize downtime of key infrastructure and systems
• Then your objective is to rebuild the infrastructure.

Resumption of Business Activities
• If your focus is on:
– Setting up an organization and the required facilities to enable key staff to resume their activities
• Then your objective is the resumption of business activities.

Continuity in Customer Service
• If your focus is on:
– Defining what level of customer service must be maintained throughout a disaster
– What is required to achieve that level of customer service
• Then your objective is to ensure continuity in customer service at an acceptable level.

APPROACHES TO BCP

Approaches to BCP based on the objectives:

Objective | Approach
Satisfy audit or regulatory requirements | Tick-box approach
Rebuild the infrastructure | Infrastructure approach
Resumption of business activities | Gradual/subplans approach
Continuity in customer service | Business approach (holistic)

SCOPE

• Event Interrupting Operations
– Asset protection: protection of assets (e.g., people, building, etc.)
– BCP: preparation of critical elements for business continuity
• Enterprise-wide versus IT…

...be clear on the scope of your BCP project

DIMENSIONS OF SCOPE

[Figure: the three dimensions of scope: Infrastructure, Business, and Business Interruption Risks (BIR). Labels in the figure: Office Relocation, Dealing Room, Network, Control Room, IT DRP, Network Resilience, Server Mirroring, Equipment Failures; Long-Term Business Viability, Brand Image, Regulatory, Client Satisfaction, Capacity, Infrastructure Risk.]

INFRASTRUCTURE

• …the identification and protection of critical (IT) infrastructure required to maintain an acceptable level of business,

• ...to ensure the survival of the organization in times of business disruption.

• Critical infrastructure can include:

– Mainframe

– Networks

– Applications

– PCs and desktops

– Manufacturing infrastructure

– Logistical infrastructure

– Office locations

BUSINESS

• …the identification and protection of critical business processes required to maintain an acceptable level of business,

• ...to ensure the survival of the organization in times of business disruption.

• Critical business processes can include

– Manufacturing

– Sales/order entry

– Payroll

– Dealing room activities

– Delivery

– Client communication

– Accounting and finance

BUSINESS INTERRUPTION RISK

• …the identification and protection against business risks resulting from a business interruption jeopardizing

• ... the survival of the organization in times of business disruption.

ENTRY POINTS

There are four possible entry points depending on the drivers of the approach.

If your approach is… | Then your entry point is...
Event driven | Evaluate threats
Business risk driven | Assess risks from interruptions
Business driven | Analyze critical processes
Applications or systems driven | Dependency on (IT) infrastructure

THREATS

Classification of threats according to the type of event:

• Acts of nature – hurricane, flood, earthquake, etc.
• External man-made events – terrorism, evacuation, security intrusion, etc.
• Internal unintentional events – accidental loss of files, computer failure, etc.
• Internal intentional events – strike, sabotage, data deletion, etc.

RISKS

Business Risk Model

Environment Risk
– Competitor; Sensitivity; Shareholder Relations; Capital Availability; Financial Markets; Catastrophic Loss; Sovereign/Political; Legal; Industry

Process Risk
– Operations Risk: Customer Satisfaction; Human Resources; Product Development; Efficiency; Capacity; Performance Gap; Cycle Time; Sourcing; Commodity Pricing; Obsolescence Shrinkage; Compliance; Business Interruption; Product Service Failure; Environmental; Health & Safety; Trademark/Brand Name Erosion
– Empowerment Risk: Leadership; Authority; Limit; Performance Incentives; Communications
– Information Processing/Technology Risk: Access; Integrity; Relevance; Availability
– Integrity Risk: Management Fraud; Employee Fraud; Illegal Acts; Unauthorized Use; Reputation
– Financial Risk: Currency; Interest Rate; Liquidity; Cash Transfer/Velocity; Derivative; Settlement; Reinvestment/Rollover; Credit; Collateral; Counterparty

Information For Decision Making Risk
– Operational: Pricing; Contract Commitment; Measurement; Alignment; Completeness and Accuracy; Regulatory Reporting
– Financial: Budget and Planning; Completeness and Accuracy; Accounting Information; Financial Reporting Evaluation; Taxation; Pension Fund; Investment Evaluation; Regulatory Reporting
– Strategic: Environmental Scan; Business Portfolio; Valuation; Measurement; Organization Structure; Resource Allocation; Planning; Life Cycle

ENTRY POINT: INFRASTRUCTURE

[Figure: the dimensions-of-scope diagram (Infrastructure, Business, Business Interruption Risks (BIR)), repeated from the "Dimensions of Scope" slide.]

• Traditional approach.
• Very often limited to IT, then extended to "departmental" infrastructure or office infrastructure.
• Very often the business perspective is used to assess criticality of infrastructure elements, and to justify the cost (business impact analysis).
• The risk scope is limited to infrastructure risks through analysis of threats (potential events).

ENTRY POINT: BUSINESS

[Figure: the dimensions-of-scope diagram (Infrastructure, Business, Business Interruption Risks (BIR)), repeated from the "Dimensions of Scope" slide.]

• Top-down approach.
• Starting from a top-down analysis of the critical business domains or processes.
• For the critical business processes, assess the dependencies and criticality.
• Often, the business interruption risk dimension is included into the business impact assessment, although not always made explicit or limited to the obvious business interruption risks.

ENTRY POINT: BUSINESS RISKS

[Figure: the dimensions-of-scope diagram (Infrastructure, Business, Business Interruption Risks (BIR)), repeated from the "Dimensions of Scope" slide.]

• Entry is from the business risks created by a business interruption.
• This allows more than only the operational impact to be included, e.g., product quality, brand image, health & safety, cash flow, etc.
• To manage these risks, next to BCP, other actions may be included, e.g., asset protection, supply chain management, crisis management, media management, etc.
• Here we can provide the best added value.

RISKS

The “five As” of risk management:

1 Assess risk

2 Accept or reject risk

3 Avoid risk, transfer risk or reduce risk to an acceptable level

4 Analyze performance gaps

5 Act to improve

BUSINESS PROCESSES

[Figure: four levels, top-down: Key Business Drivers; Business Processes; Information Flows; Infrastructure & Resources]

Identify key dependencies and vulnerabilities within the business organization, top-down:

• What does the company depend on to be successful?

• What are the key business processes driving the business?

• What are the flows within these business processes?

• What are the vulnerabilities and dependencies within these flows and business operations?

(IT) INFRASTRUCTURE

Obtaining an inventory of (IT) infrastructure

Assessing the possible threats

Analyzing the potential business impact

Achieved by

Selecting the critical infrastructure

Identifying recovery solutions

BCP METHODOLOGIES

Two main BCP methodologies:

Entry Points | BCP Methodology
Infrastructure, Threat | Infrastructure-oriented, threat-based
Business, Risk | Business-oriented, risk-based
