Post on 12-Apr-2017
transcript
NATIONAL BANK OF MALAWI
BUSINESS CONTINUITY PLAN (BCP) TRAINING
Risk Division
PRESENTATION OUTLINE• Introduction• Objectives of BCP• Business Continuity Management
Capabilities• BCP Minimum Standards• Critical Business Functions and
Business Impact Analysis• Recovery Strategies• BCP Testing
INTRODUCTION• Business Continuity-Ability of the Bank to
ensure continuity of service & support for its customers before, after & during a disastrous event
• Business Continuity Management Policies, Standards & Procedures that are put in place to ensure specified services & operations are maintained or recovered in a timely manner in case of disruption. Includes DRP + BCP. BCM Policy , Physical Security Policy, Fire Management Procedures & Business Continuity Plan
INTRODUCTION CONTINUED
• Business Continuity Plan-An action plan that outlines all procedures, processes, systems & key personnel that are necessary to resume/restore operations of the Bank in the event of a disruption
OBJECTIVES OF BCP• To set out roles & responsibilities in an effort to
minimize the effect of a disaster on the Bank due to inadequate preparation
• To provide seamless (non-stop) services to customers
• To effectively protect life and safety all personnel• To minimize number of decisions made in an
emergency situation
OBJECTIVES OF BCP CONTINUED• Minimize potential financial loss, legal liability &
brand damage• Decrease dependence on specific person/groups
during response, resumption & recovery phases• Minimize impact of serious interruptions to
business• Recover business in a planned & controlled
manner
BUSINESS CONTINUITY MANAGEMENT CAPABILITIES
1. Emergency Management2. Crisis Management3. Major Incident Handling
RECOVERY
1. Business Recovery2. IT Continuity/Disaster Recovery
EMERGENCY MANAGEMENT• Ability of the Bank to respond to a physical event
at a given site (BU/Service Centres)• The key focus is to prevent loss of life, minimize injuries &
damage to property• Procedures & Emergency Management Centre (EMC)
must be established, maintained & operational at Bank, Division & Service Centre levels
• Emergency Management Teams (EMTs), at Bank & Divisional/Service Centre Level-take control of decision-making processes & action management during a disaster
CRISIS MANAGEMENT• Involves Identification of Crisis Event, decision-
making & coordination for the implementation of business continuity response (e.g. mass resignations of senior management, civil unrest, riots, strikes, terrorist attacks and war)
• The Senior Management Team/Crisis Management Team of the Bank manages response to the event
• A crisis management framework must have the following:
CRISIS MANAGEMENT CONTINUED
• Crisis handling processes• Escalation procedure to move incidents between
processes• A crisis leadership team to set crisis response
strategy & coordinate activities• Crisis response teams to respond• Designate crisis meeting rooms
MAJOR INCIDENT HANDLING• Ability of the Bank to identify major
disruptions to services & escalate to management (e.g. loss of access to business premises & system downtimes)
• Fit for purpose major incident handling arrangements must have the following:
• Defined list of severity levels, incidents classified appropriately as part of process
• Level of Disruption(LoD) assessed through the level of disruption matrix on the next slide:
MAJOR INCIDENT HANDLING CONTINUEDLoD Description
1 Affect isolated areas of the business operations such as a service centre, division, and the situation is well contained within the area. Probability of exceeding MTD/RTO is Low.
2 Affect a number of Service Centres or Divisions.Probability of exceeding MTD/RTO is Moderate.
3 Affect head office business premises or the production data centre (single service centre)Probability of exceeding MTD/RTO is High.
4 Affect region or district where the Bank/Service Centre operates. May cause systemic impact.Probability of exceeding MTD/RTO is Very High.
5 Affect nationwide or regionalProbability of exceeding MTD/RTO is Extremely High.
MAJOR INCIDENT HANDLING CONTINUED
• This shall facilitate appropriate remedial actions + essential services rendered under various scenarios
• The Bank/Service Centre identify minimum essential services + recovery strategies for all critical business functions under LOD above
MAJOR INCIDENT HANDLING CONTINUEDLevel of Disruption (LoD) MatrixInstitution: National Bank of Malawi/BU/Service CentreCritical Business Function : <Name of Critical Business Function>Date: _______________LoD Minimum Essential Services Provided Business Continuity Strategy MTD
(Hour)RTO
(Hour)
1
2
3
4
5
MAJOR INCIDENT HANDLING CONTINUED
• The Bank/Business Unit/Service Centre should then carry out a post-incident review analysis of major incident(s) that have occurred
BUSINESS RECOVERY
• The Ability of line management to recover critical operations within business units following a major disruption
• The focus should be on the ability to relocate to alternative systems and locations for key businesses within stipulated recovery time objectives and maximum tolerable downtimes
IT CONTINUITY/DISASTER RECOVERY• Ability of the Bank to recover systems & IT
infrastructure to support business recovery process
• Focus is on restoration of all key IT services• Recovery Time Objective (RTO)-Time frame
required for IT systems & applications to be recovered & operationally ready to support business functions after an outage
• Maximum Tolerable Downtime (MTD)-Timeframe during which a recovery must become effective before an outage compromises the ability of the Bank to achieve its business objectives and survival.
BCP MINIMUM STANDARDS
• “Fit for Purpose” business continuity arrangements are those that do the following:
• Determine & validate business’ tolerance for business continuity risk(s) by carrying out a Threat & Risk Assessment
• Determine recovery objectives for each unit• Define response and recovery plans• Include processes to initiate business resumption
BCP MINIMUM STANDARDS CONTINUED
• Ensure employees know roles & responsibilities in respect to Business continuity
• BCPs reviewed & updated following changes to operations/risk profile
• Provide capabilities to reduce impact of & enhance recovery from short, medium & long term disruptions
FIT FOR PURPOSE MINIMUM STANDARDSThe following minimum standards must be adhered to• Education and awareness• Risk Assessment & Business Impact Analysis• Plan development, documentation & maintenance• Governance• Recovery Strategies• Plan Testing & Demonstrated Recovery (Testing &
Exercising)
EDUCATION AND AWARENESS
Ensure all management & staff (including third parties) understand roles & responsibilities
Provide crisis management trainingNew hire induction
RISK ASSESSMENT• Risk Assessment based on potential loss,
inaccessibility or unavailability of:• Key personnel, decision-makers & recovery
personnel• Office premises (service centres) • Critical business information & records• IT systems & infrastructure, network devices,
peripherals & support systems
BUSINESS IMPACT ANALYSIS (BIA)BIA-Business adequately assessed & identified risk interruption by: • Identifying critical staff, systems, facilities &
procedures, • Impact of not recovering them, their
dependencies & requirements for recovering them
BIA CONTINUED
Must include:• Key stakeholder details• Defined ownership• Management acceptance and approval• Review the adequacy of Risk Assessment at
annual intervals
RECOVERY STRATEGIES-BU PROCESSES
Recovery strategies must ensure: • All BU processes & staff are available to support
critical operations in the event of short, medium & long term:• data centre loss, • work area loss + • people unavailability
RECOVERY STRATEGIES-BU PROCESSESA recovery programme must contain processes to ensure:• Adequacy of IT resources• Adequacy of work area recovery locations• Adequacy of all non-IT resources• Adequacy of incident management facilities• Details of alternative working methods• Recovery strategies must be reviewed annually
RECOVERY STRATEGIES-ITRecovery strategies should ensure that all supporting systems, applications & facilities available to support critical operations by:• Including invocation procedures with roles &
responsibilities• System, network, telephony, data centre• Recovery strategy & objectives• Recovery plans & testing strategies• Must be reviewed annually
PLAN DEVELOPMENT, DOCUMENTATION AND MAINTENANCE On a quarterly basis• Review and update all contact details On an annual basis• Review and update the BIA• Review and update the BCP• Review and update dependencies e.g. internal & external, IT, etc• Other• Should do a post-mortem of lessons learnt completed for
invocation of the resumption plan within 30 days of incident/crisis response
Testing Levels High Criticality Medium Criticality
Low Criticality
Level 1 Checklist Test Mandatory Mandatory MandatoryLevel 2 Walkthrough
TestMandatory Mandatory Mandatory
Level 3 Component Test Mandatory Mandatory OptionalLevel 4 Simulation Test
on Production ITMandatory Optional Optional
Level 5 Planned DR Simulation
Mandatory Optional Optional
Level 6 Unplanned Full Simulation
Optional Optional Optional
PLAN TESTING AND DEMONSTRATED RECOVERYPLAN TESTING AND DEMONSTRATED RECOVERY CONSISTS OF LEVELS IN THE TABLE BELOW:
The END