05 Integrated Management System Telkom 2016: Disaster Handling - Emergency Response and CMT


  1. Bandung, March 2016. Exercise and Testing Arrangements for Disaster Management (Emergency Response) under the provisions of ISO/IEC 22301:2012 – BCMS & Company Regulations. Risk & Process Management Sub-directorate, Finance Directorate - TELKOM. I Nyoman Wisnu Wardhana, Senior Advisor II – PT. Telkom
  2. OUTLINE
     • Exercise and Testing Standard
     • Type of Exercise and Testing
     • Procedure Exercise and Testing
     • The way it conducted
     • Telkom’s Policies
  3. Exercise and Testing Standard: The standard for Best Practices
     Business Continuity – Best Practices, Standard and Guideline
     [Timeline figure: 1980s, 1990s, 2000s, 2010s. Labels: IT – Disaster Recovery; Y2K – Introduction new series; Various Definition of BCM. Standards shown: NFPA 1600, BS 25999, HB 221, SPC-1 2009, HB 292, AS/NZS 5050, BS 2010, SS, ISO 22301]
     • NFPA 1600: United States
     • BS 25999-1:2006: United Kingdom
     • ASIS/ANSI SPC.1-2009: North America
     • AS 5050: Australia
     • HB 221:2001: Australia
     • HB 292:2006: Australia
     • ISO/PAS 22399
     • BS 25777: United Kingdom (IT – DRP)
     • BS ISO/IEC 17799:2005: United Kingdom (IT Security)
     • CSA Z1600: Canada
     • ISO/IEC 22301:2012 BCMS
  4. Exercise and Testing Standard: When an incident happens … (at high level)
     [Flow diagram, from "An incident" to "Return to normal operation". Steps shown: Protect Life & Assess Damage; Execute Require Service/Function; Confirm Strategy; Transfer to Alternate Location; Prepare a New Site; Restore Primary Site; Transfer & Execute at New Site; Transfer & Execute at Primary Site; Assess Effectiveness of Strategies/Plans; Generate Change Request]
     [Chart: LEVEL OF BUSINESS against TIME after an incident, with a Critical Recovery Point and three curves labelled A, B, C. Curve labels: Fully Tested Effective BCM; No BCM Lucky Escape; No BCM Usual Outcome]
  5. Exercise and Testing Standard: BCMS’ requirements
     • Have business continuity procedures been tested to ensure they are consistent with your BC objectives?
     • Do top management “actively engage” in testing and exercising the BCMS?
     • Are the test exercises clearly defined, consistent with the scope of the BCMS and business continuity objectives, and based on appropriate scenarios?
     • Will the test exercises that have been conducted over time validate the whole of the organization's business continuity arrangements?
     • Are the test exercises designed to minimize the risk of disruption to operations?
     • Have formal post-exercise reports been produced for the conducted tests?
     • Are the outcomes of exercises reviewed to ensure they lead to improvement?
     • Are test exercises undertaken at planned intervals, and when significant changes occur is this process documented within the BCMS?
     Notes:
     • It tested → simulation is conducted
     • Top Management engagement → direction
     • Defined → there is a scenario, based on the BCMS objectives
     • Continuous improvement → conducted regularly and periodically
     • Related to the risks that have been identified
     • Formal (documented) report
     • Review of the implementation
     • There are lessons learnt that are followed up
  6. Type of Exercise and Testing: All hazards approach and resource dependencies
     Regardless of cause of disruption/crisis to the physical facility, evaluate and understand the impact of the following on the organization's preparedness:
     • Failure of critical, time-sensitive utility services (or resource dependencies)
     • Surge in service demand (especially during emergency situation)
     • Denial of access to premises (full/partial)
     • Shortage of staff (e.g. 50% unavailable during a pandemic)
     • Failure of technology/system
     • Failure of supply chain, key supplier/partner
     Your BCM strategic options include, but are not limited to:
     • Process transfer or relocation
     • Mutual aid agreement/arrangement for sharing resources
     • Temporary/manual workaround
     • Change, suspend or terminate services, functions or processes
     • Insurance for financial compensation
  7. Type of Exercise and Testing
     [Table: Exercise & Testing activities against frequency columns Monthly, Quarterly, Half, Annually; the column position of each √ is not preserved in this transcript]
     • Call Tree Test √
     • Walk-through Test √
     • Desk Check Test √
     • Offsite Inventory and Back-up Verification Test (Limited Rehearsal) √
     • Activation of Recovery Teams Test √
     • Full Integrated Test: High Risk √, Medium Risk √, Low Risk √
     • Simulation Test (Full Exercise) √
     Exercise and Testing is part of the company's ‘business continuity’ aspect, and requires the attention and support of TOP Management.
     The ideal that a company implementing Business Continuity “NEEDS” to adopt … Exercise and Testing
  8. The way it conducted: Planning steps
     • Understand your Business and Engage the right people
     • Identify critical services, dependencies, capabilities, and capacities
     • Identify risks, weaknesses, vulnerabilities, and expectations. Make and challenge assumption (ask the right questions)
     • Identify intuitive strategies and response plans
     • Develop and implement (realistic) plans, governance structure
     • Communicate your plans, staff, and community training
     • Test, review, and improve your plans
     Right people have right information at right time
  9. The way it conducted: Testing objectives
     • A check to ensure completeness, accuracy, inter-operability and currency, especially with respect to dependencies and resource requirement
     • Determining the feasibility and compatibility of back-up facilities and procedures
     • Identifying areas in the plan that require modification or enhancement
     • Providing training to employees in their specific responsibilities
     • Demonstrating to internal and external stakeholders your organization's ability to respond and recover
     • Maintaining organizational visibility of and support for crisis management and business continuity functions
     Notes:
     → Dependencies and its resources
     → Back-up and Procedures
     → Modification of the back-up plan
     → Training
     → Communicated with internal and external
     → CMT ready
  10. The way it conducted: Key task for exercise and testing plans
     • Identify and correct business continuity plan inadequacies.
     • Assess and confirm feasibility of business continuity plans components, including defining requirements and desired outcomes from the conduct of a plan test.
     • Choose the appropriate testing strategy, documenting outputs from the test, and identify key learning and potential improvement actions.
     • Clarify resource requirements.
     • Improve confidence in the ability to manage a crisis or disaster.
     • Provide auditors and insurers with documented proof of plan adequacy.
     • Conduct regular desktop reviews, desktop scenario tests, call-tree communication tests, live scenario tests, and business continuity test
     • Document results, lessons learned
     • Institute improvements and changes to the relevant documents, especially the business continuity plans.
     • Conduct a debrief with all of those involved in the testing, and those with responsibility for business continuity plans maintenance or future activation.
     Notes:
     → BCP concern
     → BC Feasibility
     → Choose the strategy
     → Clarify resource
     → Documented
     → Review
     → Lesson learnt
     → Improve
     → Debrief
  11. The way it conducted: Outcomes from testing the plans
     • Confirmed business continuity strategies and plans inadequacies
     • Assessed and confirmed feasibility of the business continuity plans components
     • Clarified resource requirements
     • Confidence in the ability to manage a disruption or emergency
     • Review the entire business continuity management program to ensure that the overall objectives of the program and organization are fulfilled
     • Verify alignment with business continuity management policies and procedures
     • Verify alignment and consistency of recovery time objectives, dependencies, inter-operability and maximum acceptable outage
     Checklist:
     ✓ Confirm BC Strategy?
     ✓ Confirm Feasibility?
     ✓ Clarify resources!
     ✓ Disruption manageable?
     ✓ Fulfilled the objective?
     ✓ Align with Policies & Procedure?
     ✓ Meet the RTO?
  12. The way it conducted: Flowchart for Exercise and Testing Plan
     [Flowchart; branch labels: yes, yes, no, no. Nodes in the order shown:]
     • Decision to Test
     • BCP to Test
     • Decide on type of testing
     • Secure resources for testing
     • Rehearsal required?
     • Test date, time, and location decided
     • Brief and train test participant
     • Rehearsal briefing and training of test participant
     • Execute test plan
     • Document test result
     • Evaluate test result
     • Update recovery strategy and BCP
     • Test sign off
     • Rehearsal required?
     • Develop new test plan
  13. The way it conducted
     Exercise - step 1
     • The Exercise Scope
     • Exercise Participants and Stakeholder Identification
     • Aim and Objectives
     • Scenario
     • Communications
     • Command and Control
     • Exercise Director
     • Exercise Directing Staff
     Exercise - step 2
     • Observers and Visitors
     • Administration and Logistics
     • Exercise Delivery
     • Principles
     • Delivery - Time Management
     • Technical test arrangements
     • Starting the exercise
     Exercise - step 3
     • Ending the exercise
     • Debriefing after the exercise
     • Post Exercise Arrangements
     • Analysis and reporting
     • Continuous Improvement cycle
  14. The way it conducted: Exercise - step 1
     1. The Exercise Scope: Identifying what is in and out of scope will help ensure objectives are met; improve fiscal planning and limit project creep or strategic drift in objectives.
     2. Exercise Participants and Stakeholder Identification:
        Internal
        • Players
        • Facilitators
        • Observers
        • Exercise Director
        • Command and Control participants
        • Scenario experts
        • Stakeholders, are those who may have a vested interest as defined in ISO 22301:2012
        External
        • Media
        • Auditors
        • Public bodies (Fire Brigade, etc.)
        • Industry
        • MPs and/or councilors
     3. Aim and Objectives: The aim of an exercise should fit within the scope of the program. It will define the overall purpose and required outcomes. The aim and objectives should be endorsed by the project sponsor or a senior manager.
     4. Scenario: A realistic scenario should engage the participants and ensure that the predetermined aim and objectives of exercising are achieved. A realistic scenario should be progressive in its flow and not based on speculative assumptions. The
     5. Communications: Communications plans linked to each stakeholder group are essential and such plans can cover three distinct phases of the exercise.
     6. Command and Control: An appropriate command and control structure needs to be considered for all exercises; however, typically the less complex the exercise the less complex the C2 needs to be.
     7. Exercise Director: The role of the exercise director is to ensure that the exercise is delivered effectively so that the objectives are achieved.
     8. Exercise Directing Staff: The Directing staff:
        • Logistics Support
        • Administrative support
        • Security staff (if appropriate)
        • Facilitators
        • Evaluators
        • Umpires
        • Technical support
        • Scenario cell
  15. The way it conducted: Exercise - step 2
     1. Observers and Visitors: Observers typically are from related stakeholders and other interested parties who are not taking a direct part in the exercise. Observers normally participate in the entire exercise or specific, discrete, phases.
     2. Administration and Logistics (Adm. & Logistic):
        • Facilities - buildings
        • Rooms
        • Food and drink
        • Computers (internet capabilities and firewalls)
        • Printers
        • Stationery
        • Projector and screen
        • Travel and Accommodation (including visas)
        • Security clearance
     3. Exercise Delivery: Delivery is about ensuring a pragmatic, challenging and realistic event is captured in the minds and actions of those participants. Exercise delivery is to test procedures and planned activities and not to catch people out.
     4. Principles: Three principles:
        • Player engagement: this is the core principle and the exercise delivery should be judged by the way in which it enables the players to gain the most value from the exercise.
        • Control, coordination and organization
        • Logistics and technology support
     5. Delivery - Time Management: Time delivery for:
        • Identify potential problems
        • Improve the credibility and quality of inputs and outputs
        • Help to ensure the equal participation of all players
        • Help achieve the core objectives in the time specified for the exercise
     6. Technical test arrangements: The exercise delivery team should test the exercise communications and practice their role before the exercise.
     7. Starting the exercise: It is important to have a controlled start to the exercise so that players know that they are now ‘in play’. The exercise may start ‘hot’, with little or no warning to the players, ‘warm’ in which the players receive a degree of pre-briefing, or ‘cold’ in which extensive briefing notes are circulated prior to the exercise. There should be a formal introduction immediately preceding the start of the exercise.
  16. The way it conducted: Exercise - step 3
     1. Ending the exercise: The end of the exercise should be formally communicated to the players so that they understand that they are now ‘out of role’.
     2. Debriefing after the exercise: Exercises should conclude with an immediate debrief (sometimes known as a ‘wash up’) to capture participants' views on its effectiveness. The use of debriefing following the completion of the exercise can include “hot” and “cold” debriefs across a range of areas including:
        • Teams
        • Incident Management, Business Continuity and/or Business Recovery Plans
        • Individual participant role
     3. Post Exercise Arrangements: A single exercise, although highly useful, is not a guarantee that resilience has been achieved systemically across the organization and its critical stakeholders.
     4. Analysis and reporting: The post exercise analysis report should document the exercise materials used, participant feedback gained. All exercise reports should:
        • contain a clear indication of what and how the exercise aims were achieved or not
        • clearly identify any lessons that need to be considered by the organization
        • propose a time based work program for the implementation of lessons throughout the organization
        • identify who will monitor and/or sign off lessons once fully implemented
        • suggest any clear improvements or considerations to be noted for future exercises listed in the organization's exercising schedule
     5. Continuous Improvement cycle: Continuous improvement requires organizations to demonstrate an improvement based management approach which is designed to upgrade and enhance the organization's overall BCM capability including the testing and exercising of plans.
  17. Procedure Exercise and Testing
     [Organization chart arranged by State Level, Regional Level and Municipal Level. Bodies shown:]
     • CO-ORDINATOR IN CHIEF OF EMERGENCY MANAGEMENT (Minister for Police & Emergency Services)
     • Victoria Emergency Management Council
     • VEMC CO-ORD Group
     • State Emergency Mitigation Committee
     • State Emergency Response Planning Committee
     • State Emergency Recovery Planning Committee
     • Specialist Planning Sub-Committees
     • Functional Services Sub-Committees
     • State Fire Management Planning Committee
     • Municipal E/M Enhancement Group
     • E/M Training and Exercising Strategy Group
     • State Flood Policy Committee
     • Victorian Flood Warning Consultative Committee
     • State E/M Training Steering Committee
     • State E/M Exercise Steering Committee
     • Regional Emergency Response Planning Committee
     • Regional Emergency Recovery Planning Committee
     • Regional Strategic Fire Management Planning Committee
     • Municipal Emergency Management Planning Committees
     • Municipal Fire Management Planning Committees
  18. Procedure Exercise and Testing: Planning considerations
     [Diagram: BCMS Considerations. Labels in the order shown: Dependencies; IT & Infrastructures; People; Stakeholders; Alternative Locations; Critical Services; Communications; Staff; Emergency Call Tree; Headcount; Safety/Security; Injury/Death; Communications; Client; Call Centre; Media; supplier; Customer Services]
     Points to consider when planning Exercise & Testing (simulation)
  19. Procedure Exercise and Testing: Planning the Exercise
     Key questions
     • What needs to happen now?
     • Who needs to make that decision(s)?
     • Who needs to be informed of what? (e.g. staff, regulators, stakeholders)
     • What means of communication will be used?
     • What is the sequence of communication events?
     • What about my staff members, visitors? (human safety is vital!)
     • Where do we work from in the short-term?
     • How do we get there?
     • What critical business processes/outputs do we need to recover as a matter of urgency?
     • How long do I have to resume critical processes?
     • What do I need to have in place to do this?
     DO THE EXERCISE & TEST!
  20. Telkom’s Policies
     Basis for conducting Exercise and Testing at TELKOM:
     • PD.616.00/r.00/HK.200/COO-D0030000/2015 dated 31 December 2015 on the Company's Business Continuity Management System.
     • KD.37/UM.400/COO-D0030000/2010 on Enterprise Security and Safety Governance.
     • KR.01/UM.400/COP-D0030000/2011 on Disaster Management Guidelines.
     • SK.08/PS.170/COP-D0030000/ 2015 dated 22 July 2015 on the Establishment of the Crisis Management Team (CMT).
     • Government Regulation No. 50 of 2012 on Occupational Safety and Health Management Policy
     Exercise and Testing (one form of which is the Emergency Response Simulation) is absolutely necessary and must be carried out!
  21. Telkom’s Policies (based on SK. CMT)
     [Organization chart of the Crisis Management Team, positions numbered 1 to 17. Positions shown: Head of Crisis Management Team; Co-ordinator Business Continuity; Secretary; Emergency Response Coordinator; Communication & PR Coordinator; Infrastructure Recovery Coordinator; Service Recovery Coordinator; Human Resources Recovery Coordinator; Finance & Insurance Coordinator; Logistics Coordinator; Rescue Sub-Coordinator; Social Assistance Sub-Coordinator; Medical Assistance Sub-Coordinator; Building & Supporting Facilities Recovery Sub-Coordinator; Network Recovery Sub-Coordinator; IT & Billing Recovery Sub-Coordinator; Subsidiaries Sub-Coordinator]

     | No. | Organ | National | Regional | Wilayah (Area) |
     |---|---|---|---|---|
     | 1 | Pimpinan CMT (Head of CMT) | Dir. NITS | EVP-Reg | GM Witel |
     | 2 | Co-Ord. BC | VP. Sol | Dep.EVP | Dep. GM |
     | 3 | Secretary | Cont-4 | SM. BPP | M. Wroom |
     | 4 | Co-Ord. T/D | SGM. HCC | SM. HC | M. SAS |
     | 5 | Co-Ord. Com. | VP. CC | SM. GA | M. Log & GS |
     | 6 | Co-Ord. Infra | VP. ISG | OSM. ROC | M. N Area |
     | 7 | Co-Ord. Serv. | EVP-Reg | GM. Witel | M. Datel |
     | 8 | Co-Ord. SDM | SGM. HCC | SM. HC | M. HR-CDC |
     | 9 | Co-Ord. Fin & Ins. | SGM. FBCC | SM. Fin | M. Fin |
     | 10 | Co-Ord. Log. | SGM. CDD | SM. GA | M. Log & GS |
     | 11 | Sub. Rescue | VP. COS | M. SAS | M. SAS |
     | 12 | Sub. B. Sos | SGM. CDC | M. CDC | M. HR-CDC |
     | 13 | Sub. B. Medis | HCC-YAKES | M.HC-YAKES | M. SH-CDC |
     | 14 | Sub. Gdg & CME | SGM. FBCC | - | - |
     | 15 | Sub. Net. | EGM. DSO | - | - |
     | 16 | Sub. IT & Bil. | SGM. ISC | - | - |
     | 17 | Sub. Subs. | VP. ISG | - | - |
  22. Telkom’s Policies (based on KR.01/2011)
     In broad terms, the Disaster (Disruption) Management Guidelines are as follows:
     • Disaster management is carried out first by the existing organization, led by the head of the existing organization.
     • Disaster management may then continue to be carried out by the existing organization if the damage at the location does not have a major impact on social life and the economy.
     • Disaster management is carried out by the Crisis Management Team (CMT) organization when the existing organization is unable to handle the disaster or the damage at the location and it has a major impact on social life and the economy, or when the local government has declared that a disaster has occurred.
  23. Telkom’s Policies (based on KR.01/2011)
     Disaster management uses the resources of the CMT organization. Disaster management by the CMT organization can be carried out at three levels:
     • Local CMT (at Wilayah level);
     • Regional CMT; and
     • National CMT.
     CMT activation is performed by the Head of CMT. The CMT is activated proportionally, according to the level of the disaster:
     • If the disaster causes loss of life and damages T.I.M.E.S. production equipment, the Local CMT is fully activated (full activation), and the Regional CMT and National CMT are activated as needed (full activation/limited activation);
     • If the disaster causes loss of life but does not damage T.I.M.E. production equipment, or vice versa, the CMT is activated on a limited basis (limited activation).
  24. Telkom’s Policies (based on KR.01/2011)
     In carrying out disaster management, there are matters that need attention, including:
     • Rescue of employees, employees' families and Company assets;
     • Recovery of the Company's infrastructure functions and business services;
     • Safeguarding the Company's reputation.
  25. Telkom’s Policies (based on KR.01/2011)
     Collaboration between Telkom and its subsidiaries is very much possible for reasons of speed, synergy of disaster management operations, allocation of material resources, human resources, effectiveness, and efficiency.
