1. The Business Continuity Institute
The Good Practice Guidelines – Real life Implementations
Muhammad Ghazali
MBCI, CBCI, ISMS ISO 27001LA, BS25999 LA
Associate Director – Head of BCM Service
Protiviti Member firm Middle East
2. The Good Practice Guidelines
Why Good Practice Guidelines
The value of the GPG:
Not Just What, but “Why” and “how”
Baseline and common language
Used for Entry examination
Professional Reference document
Stage-wise
3. The Good Practice Guidelines
1. BCM Program Management
2. Understanding the Organization
3. Determining BCM Strategies
4. Developing and Implementing BCM Response
5. Exercising Maintaining and Reviewing
6. Embedding BCM into Organization Culture
4. BCM Program Management
What
1. Develop the BCM Program
2. Identification of owner/member and participants of Program
3. Development of BCM Policy of the organization
4. Identification of inclusion and exclusion of the BCM Program
5. Define and approve the scope of the program
Examples:
BCM Head – That’s probably you…
BCM Steering Committee - Management
BCM Roles – Strategic, Tactical and Operational
BCM Forum – Selected team members
Why
Objectives, Mission, Vision, Key Service, Product, future strategy, acquisitions, geographical scale, competitor strategy, regulatory obligation etc. etc.
How
Involve the Top Management team
Review documents produced by the organization
• Business plans
• Strategic plans
• Annual report
• Marketing report
5. A “Program” Not a “Project”
Program Scope
• Set Objectives
• See Obligations
• Acceptable level of risk
• Statutory, regulatory and contractual issues
Organizational Policy
• Top management commitment and approval
• Objectives of the business continuity and scope
• Communicated and reviewed
• Appropriate by nature, scale, complexity, geography and criticality of business activities
• Reflect culture, dependencies and operating environment
Resources and Competence
• Defined roles and responsibilities
• Top management nominees / appointees
• BCM competency
6. Understanding the Organization
What
Know your
Process
People
Infrastructures
Environment
Internal and external Suppliers
Threats to all requirement
Impact of those threats
{if you know your enemies and know yourself, you will not be imperiled in a hundred battles} Sun Tzu
Why
Your Business depends on
• Operations Staff/skills
• Records/Data Assets
• Voice/Data Communications
• Facilities & Infrastructure
• Equipment
How
There are three main activities to “Understanding the Organization”
• Business Impact Analysis (BIA)
• Continuity Requirements Analysis (CRA)
• Risk Assessment (RA)
7. Knowing Your Organization - Impact Analysis
Business Objectives:
Key Business Areas
Critical Processes
- Business Lines
- Support Lines
Key BIA Inputs:
Financial Impact
• Lost sales revenue
• Productivity loss
• Permanent customer loss
• Loss of interest income
Operational Impacts
• Brand image
• Competitive advantage
• Customer satisfaction
• Increased regulatory oversight
• Employee Morale
Management Tolerances
• Intolerable/acceptable downtime
• Intolerable/acceptable data loss
Resource Dependencies
• Operations Staff
• Records/Data Assets
• Voice/Data Communications
• Facilities & Infrastructure
• Equipment
Recovery Requirements as Output:
Recovery Time Objective (RTO)
MTPOD
Recovery Point Objective (RPO)
Minimum Operation Requirements
8. Knowing Your Risks – Risk Assessment (RA)
[Diagram. Labels: Business Objectives; Interviews, Questionnaires, Workshops; BIA; BIA of Critical Processes; Critical Processes; Dependency; Impact over time; Business Continuity Strategy; Business Continuity Plans; Risk Register; Key Risks / threats; Risk Assessment; Vulnerability; Threats, Impact, Likelihood]
9. Determining BCM Strategies
What
On the basis of your RTO (Recovery Time Objective), Recovery Point Objective (RPO) and Maximum tolerable period of disruption (MTPOD), identify strategies
• The faster you want it – the more it will cost!
Separation distance
• How far away do you need to be
• Accessible yet recoverable
Why
Your Business needs to select appropriate continuity options for each activity that supports the delivery
How
Assess continuity options for each critical activity to the following levels:
1. Initial Continuity – to an initial acceptable level
2. Recovery – to a sustainable level
3. Resumption – back to the normal level
10. Determining BCM Strategies – Considerations
Continuity Strategy for Key Processes
• Alternate processes
• Options to Customers
• Alternate Channels of Delivery
• Alternate methods of communication
• Support to Customers
Continuity Strategy for Technology
• IT Systems
• Core / Main Application
• User/Branch Data Processing
• Data Center/Voice and Communication
• Info. security / Data Transfer
Continuity Strategy for Facilities
• Physical Location/Space
• Office Equipment/Stationery
• Power Supply
• Communication
• Transportation
11. Developing & Implementing BCM Response
What
The GPG identifies the following stages of response:
• Emergency response – immediate actions
• Incident management – management of the response to the incident
• Business/ IT Continuity – the initial business response to the incident (essential activities at acceptable level)
• Recovery – recovery of activities to sustainable level
• Resumption – resuming operations to ‘normal’
Why
To identify and document
• Individual and Teams roles
Actions required for Invocation, Crisis, Incident, Internal and External, Communication, call lists, etc. etc.
How
The Plan(s) development includes
Appoint an owner
Define the objectives and scope
Create Teams for planning, response
Agree the responsibilities
Document actionable steps
Populate the plan
Circulate and gather feedback
Agree and validate
Agree a program
12. Continuity Plans - Considerations
• Simple language
• Action Oriented – (Check list…)
• Easy to access, maintain and Navigate
• Plans are tools / guidelines to use or follow in case required, do not allow them to restrict your thoughts and responses.
13. Exercising Maintaining and Reviewing
What
Exercise
Verifies your assumptions about IT / Buss. Continuity
Validates
• Effectiveness of your plan
• Response of your teams
• Effectiveness of your strategies
Results offer Opportunities for improvement in
• Plans
• Responses
• Strategies
Why
To Highlight doubtful assumptions
Provides Hidden information about
Gain confidence in exercise participants
Raise awareness of BCM
Verify BCP/ IT Continuity Plan(s)
How
Agree the Scope – what are your BCM priorities?
Engage senior stakeholders
Communicate thoroughly – particularly for senior staff
Plan frequently - Normal Business is always Busy
Make sure the exercise type fits the need
14. Embedding BCM into Organization Culture
What
Let the organization know about BCM
Just like
Human Resource Management (HRM)
Management Information System (MIS)
Financial Management System (FMS)
Material / Supply Chain Management
Procurement
Involve all members of the organization, because Continuity is everyone's Business
Why
Management Understanding of Risk/ Impact/ Threat/Response
Transformation of understanding across the organizations
How
• Employee Handbook - Guidelines
• BCM Business Cases
• Email messages
• Intranet BCP Web Site
• New Employee Induction Program
• Interactive Presentations with Staff
• Organize in-house Coaching Sessions