BUSINESS CONTINUITY MANAGEMENT TRAINING

BUSINESS CONTINUITY MANAGEMENT 

MAIN OBJECTIVES OF THE TRAINING

COURSE OBJECTIVES

This course is designed for all Noor Takaful (NT) staff.

Main objectives include:

  1. To understand why NT needs a Business Continuity Management (BCM) system and plan, and how they benefit the business.
  2. An overview of the main concepts of the BCM approach.
  3. The steps and procedures to be followed during a business continuity incident.


Knowing what to do in the event of a crisis, emergency or disaster can help protect you, your colleagues and the business.

NEED & BENEFITS OF A BCM & PLAN

Need 

  • Vulnerability to uncertain events.
  • A proactive plan to avoid and mitigate the risks associated with disruptive events.
  • Steps to be taken before, during and after an event to maintain the viability of the organization.

Benefits 

  • Minimize the impact of major disruption to critical operations.
  • Minimize financial loss.
  • Continue to serve stakeholders and customers.
  • Enable restoration of critical assets.
  • Restore normalcy as soon as possible after a crisis, emergency or disaster.
  • Recover information technology resources.
  • Meet all legal, regulatory, contractual and statutory requirements.
  • Mitigate the negative effects a disruption can have on strategic plans, reputation, operations, liquidity and market position.

BUSINESS CONTINUITY MANAGEMENT (BCM) STRATEGY

BCM

  • BCM is a holistic management process that identifies potential events which could disrupt operations and threaten the organization.
  • The purpose of BCM is to ensure that all Company business activities can be kept at normal or near-normal performance following an incident that has the potential to disrupt or destroy the Company and its related stakeholders.
  • BCM includes disaster recovery, business recovery, crisis management, incident management, emergency management and contingency planning.
  • BCM emphasizes implementing operating controls and measures for managing an organization's overall continuity risks.

The BCM methodology follows the PDCA (Plan, Do, Check and Act) cycle.

BCM ORGANIZATION STRUCTURE - BCP TEAM


BCM requires a Crisis Management Team (CMT) to be in place, which is responsible for activating the BCP in the event of a contingency scenario. The CMT ensures that a plan is in place for managing staff security and evacuation to a safe site in the event of a disaster.

Q.1 : Why should a business create a BCM or BCP?

  • Having a plan means that if a disaster occurs, the people impacted know what to do to keep the business running.
  • The company needs to decide in advance who will be in charge of the company if the CEO quits.
  • A disaster could cause business to drop, which would decrease the value of the Company.

Q.2 : Which team is responsible for activating the BCP in the event of a contingency?

  • Risk Management Team
  • Incident Management Team
  • Crisis Management Team

BUSINESS CONTINUITY PLAN

BCP


The BCP is designed to enable critical business areas to respond to potential disaster events and emergency situations and to recover within a pre-determined Recovery Time Objective (RTO).

The BCP includes the tactics employed, procedures, critical contacts and requirements for the recovery of critical business activities.


THE BCP INCLUDES:

  • Critical processes and business functions to be continued or recovered.
  • Defined roles, responsibilities and contact details for the people and teams having authority during and following a disruptive event.
  • The process for invoking and escalating the response (the call tree in the BCP).
  • Resources required to support the response.
  • A communication matrix.
  • Inter-dependency relationship details.
  • Critical supplier and vendor details and alternate arrangements.
  • A list of relevant vital records, with storage and access details.

Q.3 : There are several reasons why a company would develop and implement a business continuity plan. Which of the following best describes the main reason?

  • To increase liability
  • The continuation of a company
  • Compliance with regulations
  • Properly react to disasters

Q.4 : Which is NOT a goal of business continuity planning?

  • An alternate location to conduct business.
  • Access to key items needed to run your business.
  • Selection of a new Function Head, in case something happens to the current one.
  • A plan to resume normal operations as quickly as possible.

BUSINESS CONTINUITY PLAN - WHERE BUSINESS CONTINUITY FITS

Disaster Recovery

Disaster Recovery ensures you have backup plans for your organisation's computer and other systems.

Business Continuity

Business Continuity ensures you have plans that allow your organisation to continue to offer a level of service to your customers during an emergency and to return to full service as quickly as possible.

Emergency Planning

Emergency Planning is undertaken alongside the emergency services to ensure that assistance is provided during an emergency.

REVIEW OF THE PLAN

  • The BCM Sponsor and Heads shall review and update the BCP whenever there is a change in the process,
  • or at least annually, to ensure that the plan is accurate and effective.
  • The Risk Management team will verify compliance with the plan on an annual basis.

BCP – PLAN ACTIVATION & DE ACTIVATION

Authority to invoke the BCP and the requirements of the business continuity strategy must come from the CEO or a nominated deputy.

Plan Activation

  • In the CEO's absence, authority passes to the Chief Risk Officer as the lead of the Business Continuity Manager Heads (BCMH).
  • If neither is available, invocation will be considered and agreed by one or all of the BCMH.
  • The Business Continuity Plan Coordinators (BCPC) shall follow the department call tree to call critical staff. The BCP activation decision will be communicated to the Crisis Management Team (CMT), which will mobilise resources.

Plan De-Activation

  • The deactivation decision shall be taken by the CEO (or relevant deputy) and the BCMH.
  • The BCMHs and BCPCs shall prepare an incident report, including a root cause analysis, after the deactivation decision has been taken.

ASSUMPTIONS

The following assumptions have been made in the BCP:

DISRUPTION SCENARIOS & STRATEGIES

FEW EXAMPLES OF DISRUPTION SCENARIOS & STRATEGIES TO BE FOLLOWED IN NT

MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD) & RTO

The RTO is the span of time after an occurrence, incident or disruption within which NT's priority activities need to be restarted and resourced for the business to keep going. The MTPD is the longest period a disruption to an activity can last before its adverse impact becomes unacceptable; each activity's RTO must therefore be shorter than its MTPD.

  • The MTPDs for Noor Takaful range from under 2.5 hours to under 4 days.
  • Managers have assessed the risk as part of the business impact analysis and have set the RTOs accordingly.

Q.5 : The term RTO means

  • Return to order
  • Resumption time order
  • Recovery Time Objective

What is the expected recovery time for any disruption?

  • 1 hour
  • 2.5 hours to 4 days
  • Within 10 days

KEY STEPS TO BCP


UNDERSTAND THE BUSINESS

  • Impact – what is the potential impact of internal or external events on the business processes?
  • Risks – what are the main threats that are likely to cause disruption?
  • Resources – if the worst happens, what resources will be needed to enable a short-term response and full recovery?
  • Key Information – if you have to respond, who are the key people you may need?
  • Incident Management – if you have to respond, who will do what?

BUSINESS IMPACT ANALYSIS


The business impact analysis will include:

  • Identification of core functional areas, critical processes, assets and exposure to interruption.
  • Appropriate responses to disaster and emergency threats.
  • Maximum Tolerable Period of Disruption (MTPD), Recovery Time Objective (RTO), level of impact and prioritised processes.
  • Impacts, which include income loss, damage to reputation, inability to conduct business, penalties, missed opportunities and adverse action from clients.

Q.6 : Business Impact Analysis is performed to identify

  • The impacts of a threat to the business operations
  • The exposures to loss of the organization
  • The impacts of a risk on the company
  • The way to eliminate threats

Q.7 : Which of the following statements most accurately describes business impact analysis ?

  • A business impact analysis calculates the probability of disruptions to the organization
  • A business impact analysis is critical for the development of a business continuity plan
  • A business impact analysis establishes the effect of disruptions on the organization

RISK ASSESSMENT & KEY RISK AREAS

WHAT TO PROTECT AGAINST & WHAT TO PROTECT

WHAT TO PROTECT AGAINST 

A business disruption or threat can originate from a host of hazard sources, such as:

  • Cyber attack/malware 
  • Information technology network system failure 
  • Natural events & forces
  • International incident 
  • Utility failure

WHAT TO PROTECT 

  • People 
  • Property
  • Processes 
  • Platform 
  • Providers

The business continuity management plan sets out the causes of a disruptive event and the areas to be protected, including critical business processes.

RISK ASSESSMENT

  • Helps determine potential disruptions based on their severity and likelihood of occurrence.
  • Response and recovery strategies shall be framed on the basis of this understanding of threats and their potential impact on business operations.

COMMON THREATS FOR NT

Common threats for NT include, but are not limited to:

  1. Natural disasters.
  2. Man-made or technological events: fires and explosions, communications and utility outages, systems disruptions etc.
  3. Malicious attacks.
  4. Cyber attacks such as denial of service attacks, computer viruses, worms, Trojan horses etc.
  5. Human error.

Q.8 : The reason to implement additional controls or safeguards is to

  • Deter or remove the risk
  • Remove the risk & eliminate the threat
  • Reduce the impact of the threat
  • Identify the risk and the threat.

BCP - OCCURRENCE OF EMERGENCY, CRISIS OR DISASTER

BCP NOTIFICATION PROCEDURE ( CALL TREE)

CALL TREE 

  • The call tree is a critical communication tool in the event of a crisis and/or unplanned disruption.
  • The procedure defines the call flow pattern for all departments of NT, along with the timelines for completing the communication at each level.
  • All staff members of NT are requested to stay on standby in the event of a crisis and await instructions.

  • The first call will be initiated by the CEO or nominated deputy, in their role as lead of the CMT, and cascaded down to the respective departments.
  • Once Section Heads have been contacted and informed that the BCP is invoked, they shall contact their respective subordinates, if any.
  • The CMT will ensure that the message is simple and to the point, so that there is no ambiguity when the last person in the tree receives the call.
  • As per the agreed timelines, the entire process shall take no longer than 15 minutes.

  • If a staff member fails to answer the call on their registered contact details, the call should be made to the next level so that the process continues.
  • A note should be made of any staff members who have not been contacted.
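A way to sanity-check a department call tree against the procedure above, as an added example in Python that is not part of NT's training material. It models the cascade rules (the CEO or deputy starts; each person who answers phones their own direct reports; a person who does not answer is noted and skipped, with the caller moving on to that person's reports) and reports whether the whole cascade finishes inside the 15-minute timeline. The three-level org tree, who picks up and the one-minute call duration are constructed sample data, not NT's real call tree.

```python
"""Call-tree cascade check (added example; constructed data, not NT's tree).

Rules modelled from the notification procedure:
  * the CEO (or nominated deputy) starts the cascade,
  * each person who answers then phones their own direct reports,
  * a person who does not answer is noted, and the caller moves on to that
    person's direct reports so the chain does not stall,
  * the whole cascade must finish within the agreed timeline (15 minutes).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CALL_TREE_DEADLINE_MIN = 15.0  # agreed timeline from the procedure


@dataclass
class Person:
    name: str
    reports: List["Person"] = field(default_factory=list)


@dataclass
class CascadeResult:
    contacted: List[str]        # in the order they were reached
    not_contacted: List[str]    # the note the procedure asks for
    finish_time_min: float      # when the last call in the tree ended
    within_deadline: bool


def simulate_cascade(root: Person, answers: Dict[str, bool],
                     call_minutes: float = 1.0,
                     deadline: float = CALL_TREE_DEADLINE_MIN) -> CascadeResult:
    """Walk the tree from `root`. `answers` says who picks up on their
    registered number (a missing name counts as no answer). Every attempt
    costs one call slot on the caller's own clock; people who answered phone
    their reports in parallel while the caller continues down their list."""
    contacted: List[str] = [root.name]   # the initiator is reached by definition
    missed: List[str] = []

    def notify(caller: Person, callees: List[Person], start: float) -> Tuple[float, float]:
        t = start        # the caller's own clock
        finish = start   # latest completion anywhere below these callees
        for callee in callees:
            t += call_minutes
            if answers.get(callee.name, False):
                contacted.append(callee.name)
                # callee takes over their branch; it runs alongside the caller
                _, sub_finish = notify(callee, callee.reports, t)
            else:
                missed.append(callee.name)
                # skip to the next level: the caller phones the reports
                # directly, which consumes the caller's own time
                t, sub_finish = notify(caller, callee.reports, t)
            finish = max(finish, t, sub_finish)
        return t, finish

    _, finish = notify(root, root.reports, 0.0)
    return CascadeResult(contacted, missed, finish, finish <= deadline)


def build_sample_tree() -> Tuple[Person, Dict[str, bool]]:
    """Constructed three-level tree and pick-up results (hypothetical names)."""
    staff_a, staff_b = Person("Staff A"), Person("Staff B")
    s1, s2, s3, s5 = (Person(n) for n in ("S1", "S2", "S3", "S5"))
    s4 = Person("S4", [staff_a, staff_b])
    root = Person("CEO", [
        Person("Head Ops", [s1, s2]),
        Person("Head IT", [s3]),
        Person("Head Claims", [s4, s5]),
    ])
    answers = {p: True for p in ("Head Ops", "S1", "S2", "S3", "Head Claims",
                                  "Staff A", "Staff B", "S5")}
    # two people do not answer on their registered number
    answers["Head IT"] = False
    answers["S4"] = False
    return root, answers


def run_example(call_minutes: float = 1.0) -> CascadeResult:
    root, answers = build_sample_tree()
    return simulate_cascade(root, answers, call_minutes)


if __name__ == "__main__":
    r = run_example()
    print(f"finished at {r.finish_time_min} min, within deadline: {r.within_deadline}")
    print("not contacted:", r.not_contacted)
```

With the sample data the cascade completes in 8 minutes with two people noted as not contacted; rerunning with two-minute calls (`run_example(2.0)`) pushes the finish to 16 minutes and the check fails, which is the kind of result that should trigger a review of the tree's depth or the per-level timelines.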

Q.9 : The maximum time for the BCP notification procedure shall be within:

  • 30 minutes
  • 15 minutes
  • 5 minutes
  • 1 hour

RESOURCE REQUIREMENTS & DEPENDENCIES


During an incident, relevant data and resources should be available for the following areas, to ensure that Recovery Time Objectives (RTOs) can be met and that departments are aware of any dependency requirements.

CRISIS COMMUNICATION & RESPONSE PLAN

PLAN OBJECTIVES – INITIAL RESPONSE ACTIVITY

Q.10 : Any employee can respond to external parties, such as the media, about the disruption or the BCP.

  • True
  • False

INCIDENT OR EMERGENCY RESPONSE PLAN (IERP)

INCIDENT/ EMERGENCY RESPONSE PLAN (IERP)

  • The IERP covers ensuring that the business can continue while moving forward to recovery.
  • It is a method to manage and mitigate the risks triggered by a disruption.
  • Each plan recipient will maintain two copies, one stored at the office and one at home.
  • Senior managers should also have copies of the BCM Policy, BCM Strategy, BCM Plan and BCM Crisis Communication and Response Plan.

IERP PLAN ACTIVATION CONSIDERATIONS

ASSESSMENT

Q.11 : When should the BCP be reviewed?

  • Whenever a disaster is encountered
  • At least annually or whenever significant changes occur
  • Whenever the company gets audited
  • Whenever the legal department declares it is time

Q.12 : Which of the following should NOT be included in a publicly released BCP?

  • Process flows
  • Contact Lists
  • BIA Results
  • All of the above

Q.13 : Which phrase best defines a business continuity / disaster recovery plan?

  • A set of plans for preventing disaster
  • An approved set of preparations and sufficient procedures for responding to a disaster
  • A set of preparations and procedures for responding to a disaster without management approval
  • The adequate preparations and procedures for the continuation of all business functions

Q.14 : What is the critical communication tool in the event of a crisis and/or unplanned disruption?

  • Call Tree
  • CMT
  • Communication Matrix

Q.15 : Which of the following actions should be taken in case of loss of access to the place of work?

  • Invoke the NT BC plan and invoke mutual aid agreements, if applicable.
  • Alert critical resources to get ready to move to the backup site.
  • Instruct non-critical resources to stay at home or in a safe place and be ready to receive further instructions.
  • Move critical resources to the backup site.
  • All of the above