ERMAN TAŞKIN www.ermantaskin.com/bcm. ERMAN TAŞKIN Business Continuity Management Process and Decision-Making Methodology.

Presentation transcript:

ERMAN TAŞKIN

ERMAN TAŞKIN Business Continuity Management Process and Decision-Making Methodology

BC Decision Making Methodology. AGENDA: 1. BCM Organization Understanding; 2. BCM Impact Analysis Process; 3. BCM Strategy; 4. BCM Implementation Methodology Documentation.

ITIL (ITSCM) & BS25999

BCM Program Management: understanding organization; determining BCM strategy; developing BCM; implementing BCM; exercising, maintaining, reviewing BCM. Based on BS25999.

BCM Documentation: BCM policy; BIA (business impact analysis); risk and threat assessment; BCM strategy; awareness programme; training programme; incident management plans; BCM plans; business recovery plans; exercise schedule and reports; SLA and contracts.

Understanding the organization: objectives, obligations, statutory duties; activities, assets, resources; interdependencies; impact of the failure; threats.

BCM Decision Making: Business Impact Analysis; identification of critical activities; determining continuity requirements; risk assessment; determining choices.

BCM Decision Making: assess critical services impacts; establish maximum tolerable period of disruption; identify any inter-dependent activities; Service Catalog investigation; CMDB usage for relationships definition.

BCM Decision Making: assess operational processes; determine financial values of services and activities; consider SLA targets; use Availability Plan; use Availability Reports.

BCM Decision Making: staff resources; work site; supporting technology; provision of information; external services and suppliers.

BCM Decision Making: the level of risk should be understood specifically; choosing a risk assessment approach. Elements that the risk assessment process includes: determination of criteria for risk acceptance; identification of acceptable levels of risk; analysis of the risks.

BCM Decision Making: do nothing; manual work-arounds; reciprocal arrangements; gradual recovery (cold stand by); intermediate recovery (warm stand by); immediate recovery (hot stand by).

Business Impact Analysis Process. Step 1: Set up an impact analysis project. Step 2: Evaluate the effects of disruption and the impacts on operations. Step 3: Business impact analysis - data collection. Step 4: Define business functions and critical data. Step 5: Determine the time and resources necessary for recovery. Step 6: Identify business processes. Step 7: Determine replacement times.

Set up an impact analysis project. Identify a project coordinator to carry out the business impact analysis. Define the objectives and scope of the business impact analysis project. Choose an appropriate methodology or tool for carrying out BIA. Create a work schedule and project plan. Launch the business impact analysis project. Steps: Setup Project, Evaluate Effects, Data Collection, Define Criticals, Time & Resources, Processes, Replacement.

Evaluate the effects of disruption and the impacts on operations. Effects of disruption: loss of assets; key personnel; physical assets; information assets; market share; disruption to the continuity of services and operations; violation of a law or regulation; negative public perception.

Evaluate the effects of disruption and the impacts on operations. Effects of disruption on the company’s operations: financial; clients and suppliers; public relations; legal; regulatory considerations and requirements; environmental; operational; delays; credibility; other resources.

Evaluate the effects of disruption and the impacts on operations. Determine loss exposure. Quantitative: revenue loss; financial penalties; gross cash flow; accounts payable; legal liabilities; human resources; additional expenses; higher cost of work. Qualitative: human resources; morale; confidence; legal; social and corporate image; financial credibility.

Business impact analysis - data collection. Gathering data using a questionnaire: Understand the importance of the questionnaire’s conception and distribution. Clearly explain the rationale for the questionnaire. Offer support to personnel while they complete the questionnaire. Review completed questionnaires. Conduct follow-up discussions to obtain clarifications.

Business impact analysis - data collection. Gathering data through interviews: Explain the purpose of the interview. Clearly establish the type of information that is being looked for. Compile a list of elements to cover during the interview. Consult the list throughout the meeting to ensure none are omitted. Plan follow-up interviews.

Business impact analysis - data collection. Gathering data through workshops: Set up a workshop schedule. Compile a list of objectives to be met. Identify the appropriate level of participation from managers. Identify an appropriate evaluation area. Identify the equipment needed and personnel availability. Interact with personnel during the workshops and discussions. Ensure that workshop objectives are met. Ensure that all possible impacts raised during workshops are written down.

Business impact analysis - data collection. Decide upon data analysis methods (manually or using a computer). Assess the potential financial and non-financial impacts of the risks compiled. Prepare business impact analysis report: Prepare drafts of the business impact analysis report, including the list of impacts. Provide participating managers with a draft report and ask for their comments. Review the managers’ feedback. Plan a meeting with participating managers to discuss the initial findings. Prepare and make formal presentations to colleagues and executives regarding the findings.

Define business functions and critical data. Establish a definition of what is “critical” for the organization. With management, identify one or more critical levels, using two criteria: financial (loss of revenue, cost of recovery) and recovery time. With these two criteria, it is possible to classify impacts as critical, major or minor. Identify vital data for ensuring BC and the recovery of the organization’s operations. Identify support teams. Identify interdependencies. Prioritize critical elements for the organization in the impact mitigation process.

Determine the time and resources necessary for recovery. Define recovery processes for critical business functions based on criticality criteria. Determine the order of recovery for critical business functions. Determine the minimum resource requirements for recovery: internal and external resources; resources owned or not; existing and accessible resources. Evaluate the maximum period of time during which information can remain unavailable. Evaluate how long information can be allowed to “age” without being updated. Evaluate the amount of information that can be lost without causing major prejudice to the organization. Evaluate the limit beyond which the company’s operations will sustain major prejudice due to the disruption.

Identify business processes: interrelation between business processes; process dependencies (internal; external; in terms of technology).

Determine replacement times: equipment; software; data; key personnel; raw material.

Determining BC Strategy: people; locations; technology; information; supplies; stakeholders; civil emergencies.

Determining BC Strategy. People: documentation of the way in which critical activities are performed; multi-skill training of staff and contractors; separation of core skills to reduce the concentration of risk; use of third parties; succession planning; knowledge retention and management.

Determining BC Strategy. Locations: alternative premises (locations) within the organization; multi-skill training of staff and contractors; alternative premises provided by other organizations; use of third parties; succession planning; alternative premises provided by third-party specialists; working from home or at remote sites; other agreed suitable premises; use of an alternative workforce in an established site.

Determining BC Strategy. Technology: Technology strategies will depend on the nature of the technology employed and its relationship to critical activities, but will typically be one or a combination of the following: provision made within the organization; services delivered to the organization; and services provided externally by a third party.

Determining BC Strategy. Technology strategies may include: geographical spread of technology, i.e. maintaining the same technology at different locations that will not be affected by the same business disruption; holding older equipment as emergency replacement or spares; and additional risk mitigation for unique or long lead time equipment.

Determining BC Strategy. Information technology (IT) services frequently need complex continuity strategies. Where such strategies are required, consideration should be given to: recovery time objectives (RTOs) for systems and applications which support the key activities identified in the BIA; location and distance between technology sites; number of technology sites; remote access; the use of un-staffed (dark) sites as opposed to staffed sites; telecoms connectivity and redundant routing; the nature of "failover"; third-party connectivity and external links.

Determining BC Strategy. Information: Any information required for enabling the delivery of the organization's critical activities should have appropriate: confidentiality; integrity; availability; currency. Information strategies should be documented for the recovery of information. Information strategies should extend to include: physical (hardcopy) formats; and virtual (electronic) formats, etc.

Determining BC Strategy. Supplies: The organization should identify and maintain an inventory of the core supplies. Storage of supplies at another location; arrangements with third parties for delivery of stock at short notice; diversion of just-in-time deliveries; holding of materials at warehouses or shipping sites; transfer of sub-assembly operations to an alternative location which has supplies; identification of alternative/substitute supplies.

Determining BC Strategy. Where critical activities are dependent upon specialist supplies, the organization should identify the key suppliers and single sources of supply. Strategies to manage continuity of supply may include: increasing the number of suppliers; encouraging or requiring suppliers to have a validated business continuity capability; contractual and/or service level agreements with key suppliers; or the identification of alternative, capable suppliers.

Determining BC Strategy. Stakeholders: When determining appropriate BCM strategies, these strategies should take into account relevant social and cultural considerations. The organization should identify appropriate strategies to manage relationships with key stakeholders, business or service partners and contractors. The organization should identify a person or persons who will discharge responsibility for welfare issues following an incident.

Determining BC Strategy. Civil emergencies: Organizations seeking to determine, implement or validate strategies for incident management and business continuity management should become familiar with official local responder bodies at an early stage. Key responders will be instrumental in officially declaring that a civil emergency has occurred and in providing: pre- or post-incident advice (e.g. risk assessments); warning and informing procedures; and community recovery arrangements following a civil emergency.

BCM Implementation Methodology: BCM implementation documentation.