
Business Continuity Management (BCM): Reducing Corporate Risk And Exposure Through Effective Processes And Controls Implementations

Marlin Ness, CGEIT, CRISC
North America ISRM/ITGRC 2012
14-16 November 2012

Speaker Biography

Marlin Ness is an Executive Director in Ernst & Young's Strategic Technology Advisory Services practice. He has over 25 years of enterprise IT processes and systems experience serving all service line clients in IT strategy, architectures, project management, IT effectiveness, IT process improvements, systems lifecycles, and operations. Over the last 15 years he has been responsible for the successful implementation or audit of over 50 command centers, data centers, and IT projects. His expertise lies in the planning, architecture, design, testing, implementation, and operations of multimillion dollar data centers including facilities, networking, telephony, voice, servers, systems, storage, backup and recovery, databases, and security functional areas.

His current focus areas are IT process effectiveness and efficiency improvements in the financial services, healthcare, credit card, insurance, and pharmaceutical industries. He is Department of Defense CIO certified, is a Project Management Professional (PMP), is Certified in the Governance of Enterprise IT (CGEIT), is CRISC certified, is a Certified Information Systems Security Professional (CISSP), and is ITIL foundation level certified.
SESSION OVERVIEW
Business Continuity Management
Session One Overview
Purpose, Background and Observations
Industry Standards and Guidance
Business Continuity Framework and Program
Design and Implementation
Leading Practice Examples
Session Two Overview
Operations and Testing
COBIT 5 and Controls
Auditing Business Continuity and Disaster Recovery
Case Study Examples
Session One Overview
Objectives
Identify and understand the relevant standards and
leading practices, e.g., BS, ISO, ITIL, Disaster Recovery
Institute, and COBIT
Use the relevant standards
Understand the overall risks, governance, roles,
responsibilities, processes and controls to implement a
pragmatic and effective BCM program
Identify and outline the major components of an
effective BCM program
Practically implement a BCM program that includes
leading practices standards and manages risk through
effective controls


PURPOSE AND BACKGROUND
Purpose: the Business of Protecting the Business

BCM is an ongoing management and governance process
supported by senior management and resourced to
ensure that the necessary steps are taken to identify the
impact of potential losses, manage risk, develop
resiliency, maintain viable recovery strategies and plans
and ensure continuity of products or services through
exercising, rehearsal, testing, training, maintenance and
assurance.
Background: Business Continuity Definition


Business Continuity
Focuses on keeping the business operating
A process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption.

Disaster Recovery
Focuses on getting the technical infrastructure up and running in the event of a disaster
The technical (e.g., application, network, platform, storage, external dependency) component of business continuity planning to recover a data center, service or application.

Crisis Management
Focuses on managing the disaster event
The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of maximizing employee safety and avoiding or minimizing damage to the organization's profitability, reputation and ability to operate.

OBSERVATIONS: CURRENT TRENDS AND THEMES
Background: Trends, Challenges, Risks and Issues
As organizations grow in size and complexity, the impact of non-availability of resources has
become more significant. In the current world of the extended enterprise, there is a visibly
cascading impact of the inability of any part of the organizational value chain to deliver on its
commitments.
The importance of BCM has risen in recent years, and it is now at or near the top of the risk
concerns of most major organizations. Industry trends indicate:
Organizations are investing in technology to improve their business continuity posture
The availability of skilled resources remains a challenge
To keep in step with changing regulatory expectations, stakeholder interaction is key
Simplicity, adaptability and reporting capabilities are top requirements for BCM software
Conducting live exercises involves risks which must be carefully managed
Non-alignment between IT and business recovery objectives potentially compromises
successful business continuity efforts
What is Changing in the Industry?

Regulations
Federal and state requirements
Disparate international requirements
Organizational Changes
Many organizations have newly appointed a
senior-level position for the Enterprise
Business Continuity Program
Point of Reference
Focusing on both internal/external risks
and view considering entire geographic
area, not just single site
Human Resources
Focusing on multi-contact points for
employees and the transportability of
personnel skill sets
Centralized/Decentralized
Organizations are reviewing their
operational strategies from a people,
process and technology perspective



Multiple Platforms
Multiple platforms used to support risk
framework, creating barriers to
management and reporting of risk
Resilience
Increasing system complexity,
dependency/ interdependency in
financial systems
Due Diligence Expectations: Board of
Directors and Audit Committee
Increasingly accountable for identifying
and mitigating risks
Diversification of Business Partners
and Service Providers
Organizations are assessing their risks
with all the external relationships:
Telecommunications
Hot site, warm site, cold site
Business partners
Vendors and suppliers, etc.



INDUSTRY STANDARDS AND
GUIDELINES
Business Continuity Plan
According to the Business Continuity Management Audit/Assurance
Program (copyright ISACA 2011)*, the business continuity plan must
ensure that:
Risks are appropriately identified and evaluated by focusing on
the impact of known and potential risks on business processes
The costs of implementing and managing continuity assurance
are less than the expected losses and within management's risk
tolerance
The business priorities are addressed: critical applications,
interim processes, restoration activities and mandated deadlines
Manual interfaces to automated processes are identified,
personnel are trained and practice drills are conducted
Expectations are managed with realistic goals
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 10
Business Continuity Planning Considerations

Guidelines: Guidelines published as good (or best) practice by various authoritative organizations either locally or internationally. Guidelines provide no mandated rules but are used and recognized as credible by BCM professionals, e.g., Ten Professional Practices for Business Continuity Professionals by DRII (Disaster Recovery Institute International).

Standards: Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or to a specific related subset such as IT Service Continuity, e.g., ISO 22301, BS25999-1/2 Code of Practice for Business Continuity Management by the British Standards Institution (BSI).

Legislation: Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature. These must be passed by a national, federal, state or provincial government depending upon the legal structure in each particular country or region, e.g., South Korea's Disaster Mitigation Act.

Regulation: Mandatory rules or audited guidance documents from official regulatory bodies in industry sectors such as Financial Services, Energy, Oil and Gas, which could reasonably be construed as having some implications on an organization's BCM provisions, e.g., High Level Principles for Business Continuity by the Basel Joint Forum.
BCM and DR Standards
Today, industry standards and leading practices are assisting
organizations in improving operational effectiveness and
providing a foundational construct for industry maturity.
Adopting and leveraging industry standards and leading
practices has proven to have numerous benefits:
Industry guidance and enablers
Ease of adoption
Certification/training
Benchmarking/comparative analysis
Collaboration/lessons learned
QA/completeness check
Industry standardization


Evolving BCP Focus and
Awareness

Source: Disaster Resource Guide - Executive Issue, Volume 12, Issue 3, Page 15
A proliferation of regulations, standards and frameworks has occurred post 9/11. Commonalities exist between different laws,
regulations, standards etc. but at the same time differences also need to be identified to ensure that organizations are complying
with required legislation and regulations for each geography/region/country and industry sector. We expect the landscape to
continue to evolve and require analysis and interpretation.
Updates 2008-2012 (timeline figure): ISO/IEC 2762; BS2777; ASIS/BSI Continuity Management Standard; PD25111; PD25666; PAS 200; ISO/IEC27301; ISO 22301; ISO 22313 (Pending)


The introduction of a new international standard holds the promise of global standardization and simplification
Supplemental BCP Focus and
Awareness
Business Continuity Planning
What is best for your organization?
A multitude of laws and regulations
specify or imply requirements for
business continuity planning. These
requirements vary among industry
sectors, geography/region, and
country, affecting the development,
focus and execution of business
continuity plans.
While compliance requires satisfying the letter of the law/regulation, business continuity requires going beyond the minimum requirements to ensure that an organization is prepared for a varied set of circumstances; that's where standards and guidelines are utilized as a foundation.
Due to the lack of a single business
continuity model internationally and
multiple regulatory requirements,
organizations need to review a
number of existing models, and
modify their models based on
appropriate industry and country
legislation, regulations, guidelines
and standards.
As part of an ongoing BCP program, regulatory requirements and changes need to be reviewed, and the plans updated, on a frequent basis to ensure that they continue to comply with required legislation and regulations.
Business Continuity Planning: Representative Legislation

Title: Disaster Preparedness and Response Act 2006; Emergency Relief Guarantee Fund Act 1999
Authority: National Emergency Management Agency (NEMA)
Scope: Country: Bahamas
Purpose/Description: NEMA is the government agency of the Commonwealth of The Bahamas. It is responsible for all disaster planning and related legislation and guidance, particularly related to hurricanes.

Title: Personal Data (Privacy) Ordinance
Authority: Office of the Privacy Commissioner for Personal Data, Hong Kong
Scope: Country: China and Hong Kong
Purpose/Description: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data.

Title: Gramm-Leach-Bliley Act of 1999, section 501(b) (PL 106-102 1999 S 900)
Authority: Public Law
Scope: Country: USA
Purpose/Description: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.

Title: Disaster Mitigation Act
Authority: NEMA
Scope: Country: South Korea
Purpose/Description: To promote BCP and disaster management for local companies.

Title: European Union
Authority: EU Commission, Brussels
Scope: European Union
Purpose/Description: The European Program for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission. It has proposed a list of European critical infrastructures based upon inputs by its Member States.
Business Continuity Planning: Representative Regulations

Title: FFIEC: Business Continuity Planning Booklet (2008)
Authority: FFIEC
Scope: Country: USA
Purpose/Description: The FFIEC is responsible for establishing standards to which financial institutions are held. It applies to the US banks and their service providers.

Title: High Level Principles for Business Continuity
Authority: Basel Joint Forum: Basel Committee on Banking Supervision; International Organization of Securities Commissions (IOSCO); International Association of Insurance Supervisors
Scope: Global Financial Sector
Purpose/Description: The principles that should be used internationally by financial regulators to assess competence of financial organizations within their jurisdiction.

Title: GFAO Supplier Requirements
Authority: GAO (Government Accountability Office)
Scope: Country: USA
Purpose/Description: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services.

Title: NYSE Rule 446: Business Continuity and Contingency Planning
Authority: NYSE (New York Stock Exchange)
Scope: Country: USA/NYSE Members
Purpose/Description: Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption. A yearly review of the plan must be conducted.
Business Continuity Planning: Representative Standards

Title: BS 25999-1/2: Business Continuity Management (2007)
Authority: British Standards Institution
Scope: Global
Purpose/Description: BS 25999 provides end-to-end business continuity management guidance to organizations with aggressive risk management demands or international business interests by focusing on risk treatment, response and recovery. Superseded by ISO 22301.

Title: BS 25777: Information and Communications Technology Continuity Management (2008)
Authority: British Standards Institution
Scope: Global
Purpose/Description: BS 25777 helps organizations plan and implement an information and communication technology strategy, demonstrate they are prepared for an IT disaster, and show that they have an effective strategy to manage the loss of internet, email or company information, providing reassurance to business partners.

Title: ISO/IEC TR 18044: Information Technology Incident Management (2004)
Authority: ISO
Scope: Global
Purpose/Description: ISO/IEC TR 18044 provides guidance on information security incident management.

Title: ISO/TC 223: Societal Security - Preparedness and Continuity Management Systems (2008)
Authority: ISO
Scope: Global
Purpose/Description: ISO/TC 223 addresses the challenges an organization, group of organizations, or society may face before, during and after a disruptive event.

Title: ASIS SPC.1
Authority: ASIS International
Scope: Global
Purpose/Description: ASIS SPC.1 provides a comprehensive approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis or disaster.

Title: ISO 22301:2012
Authority: ISO
Scope: Global
Purpose/Description: Societal security - Business continuity management systems - Requirements.
Business Continuity Planning: Representative Guidelines

Title: Business Continuity Management Audit/Assurance Program
Authority: ISACA (2011)
Scope: Global
Purpose/Description: Tool and template for the completion of a specific assurance process. It was developed to assist the audit and assurance professional in designing and executing a review.

Title: Ten Professional Practices for Business Continuity Professionals
Authority: DRII (Disaster Recovery Institute International)
Scope: Global
Purpose/Description: Professional practice including developing business continuity management strategies and other contingency planning measures.

Title: BCI GPG 2010
Authority: BCI (Business Continuity Institute)
Scope: Global
Purpose/Description: Global best practice.

Title: Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002)
Authority: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
Scope: Global, primarily USA
Purpose/Description: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis planning, prevention and continuous improvement.

Title: COSO Enterprise Risk Management Framework (September 2004)
Authority: COSO
Scope: Global
Purpose/Description: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language and provides clear direction and guidance for enterprise risk management.

Title: Risk Management Standard, AIRMIC, ALARM, IRM: 2002
Authority: AIRMIC, ALARM
Scope: Global, primarily UK
Purpose/Description: Establishes guidelines for Risk Management including risk assessment, risk reporting and risk treatment.
Business Continuity Alignment: Representative Approach for Alignment

Annual Business Continuity Program (diagram stages, as listed): Region/Location; Legislative/Regulatory BCM Guidance Requirements; Business Products and Business Requirements; Business Impact/Criticality; Non-Technical and Technical Dependencies; Business Continuity Policy, Risk Management Standards; Variance Analysis/Interpretation; BCP/DR/Crisis Management Plan; Testing and Validation

Regions/Locations: United States; Canada; Japan; Singapore; Australia; Europe; China; Korea; Emerging and Developing Countries

Legislative/Regulatory BCM Guidance: FFIEC BCP; MAS BCP Guidelines; GBLA; SOX; SEC 17 CFR 240; Basel II; HIPAA; IRS Procedure 86-19; ISO 22301

Business Requirements: Data Privacy; Data Protection; Data Availability; Reporting and Notification; Business Resiliency

Policy and Risk Management Standards: BS25999-1/2; NIST 800-30/34; ISO/IEC 24762; ISO 20000/ITIL; ISO 27002; ISO 22301; COBIT 5

Key Considerations
Geography and the type of business determine how a business continuity plan must be interpreted and modified. The business processes, and the regulations specific to each process, need to be identified during the business impact analysis and the mapping of technical and non-technical dependencies, so that the plan aligns with the business and supports legal and regulatory requirements.
Utilization of published standards and guidelines provides a common platform for a consistent approach across regions and allows for customization of the business continuity plan by region/geography as required by local government and the types of business products sold.
Regular management and review of business continuity plans provide the opportunity to maintain compliance with changing legal and regulatory requirements and dynamic business needs.


BUSINESS CONTINUITY
FRAMEWORK AND PROGRAM
BCM Framework
A Business Continuity Management (BCM) program
includes resilience strategies, recovery objectives,
business continuity, operational risk management
considerations and crisis management plans. The
prerequisites within this effort include obtaining
management support and organizing and managing the
formulation of the functions or processes required to
construct the BCM framework.
Source: Disaster Recovery Institute.
Major Components of BCM Framework

Program initiation and management
Risk evaluation and control
Business impact assessment
Develop business continuity strategies
Emergency preparedness and response
Developing and implementing business continuity plans
Awareness and training programs
Business continuity plan exercise, audit and maintenance
Crisis communications
Coordination with external agencies



Source: Disaster Recovery Institute.
BCM Methodology: Lifecycle Overview
(Lifecycle diagram with six numbered steps; its two axes are labelled "Strategy implementation" and "Risk-based prioritization".)
Assess Phase (Risk-based prioritization): Site Risk Assessment; Business Impact Analysis; Gap Analysis; Continuity Strategies
Mitigation Phase (Progress against plan): Plan Development; Maintain, Exercise and Test; Exercise and test results
Deliverables: Business process identification; Dependency analysis; Business impact analysis; Executive assess phase summary; Strategy development; Reporting Out; Crisis management plan; Business continuity plan; DR and resiliency plan; Assessment Metrics and Scorecards
Note: The Governance and BCM Framework should be built prior to initiating the Assess Phase.
Where does BCM reside? Business Resiliency and Why They Care
Stakeholders: CEO, Board, CFO, CRO, CIO
Foster clean linkages between articulated business strategy and IT's objectives
Ensure continuous support of core business processes and align business resiliency plans with strategic goals
Benchmark IT spend thresholds with respect to industry peers
Prioritize investments in areas that directly impact firm performance
Institutionalize performance reporting criteria to measure end-to-end performance
Provide a holistic view of crisis and continuity planning
Ensure adequate attention and awareness of business resiliency by the CEO and the Board
Embed ROI accountability into the operating rhythm
Translate corporate objectives into functional and operational goals
Create architectural blueprints to bridge technology choices with business capabilities

Systemic Risk
Risks faced by your business
Risks your business presents to customers
Risks others (suppliers, vendors, key partners, etc.)
present to you
Identify what is required to keep the business
functional and implement strategies to prevent or
reduce systemic risk
The nature of the problem is not as important as the
impact the problem will have on the company, and
your reaction to the problem
Impact: financial (direct and indirect),
reputation, legal, etc.
Understand and Assess Systemic
Risk
Fully understand and evaluate the nature of your
systemic risk
Determine key third-party service providers and
suppliers, and evaluate them
Review third-party disaster recovery and business
continuity plans
Ensure they meet your minimum BCP standards
Insist that mitigation measures be taken
Negotiate right to audit or comparable clauses in all
outsourcing agreements
Where does BCM reside?
Business Resiliency and Why They Care
Increased scrutiny by all stakeholders to ensure continuous
availability
Due diligence expectations
Board of Directors
Customers
Third Parties
Increasing use and diversification of business partners and service
providers
Telecommunications
Hot-site, warm site, cold site
Business partners
Vendors and suppliers, etc.
Increased regulations
Federal and state requirements; other regulatory oversight
Systemic Risk: Measures Organizations Are Taking to Address It
Protect critical business paths
Leverage best practices
Incorporate BCP into risk assessment and business
planning activities
Deploy as marketing/competitive advantage
Protect your brand
Build business case
Obtain and maintain plan support
Business Impact Assessment (BIA)
BIA and the Impact Criteria
The BIA is a systematic, repeatable and substantially defensible analysis that
quantifies and qualifies financial, operational, service, legal/regulatory and brand
impacts to the enterprise, in the event key business processes cannot be
performed
A standard criterion will enable all processes to evaluate impacts consistently
across the company
By utilizing impact criteria in the BIA, assumptions and guesswork relating to
the criticality of business processes and technology are minimized
Sample Impact Criteria (see next slide for further breakdown):
Financial Impact
Shareholder Value/Reputational/Brand Image Impact
Workforce Impact
Legal/Regulatory/Compliance Impact
Third-Party Agreement Impact
Impact criteria and ratings are developed and approved by Senior Management


Business Impact Assessment (BIA) Definition
Quantify and qualify the financial cost, customer experience, legal/regulatory obligations, brand image and workforce impacts to the firm in the event key business processes cannot be performed.
(Timeline figure, left to right: Last Backup or Replication; Disruptive Event; Lost Data [Data Loss, bounded by the RPO]; Systems and Resources Unavailable; Recover from Last Backup and Backlog (if any); System and Resources Recovery [Service Loss, bounded by the RTO]; Back to Operation; Acceptable Operation.)
Recovery Point Objective (RPO): Represents the maximum amount of data loss (from a time perspective) that the business can sustain during an event.
Recovery Time Objective (RTO): Represents the maximum amount of time that the business can withstand the loss of a critical process, function or resource before a serious adverse business impact would result.
BIA Challenges
Common Challenges:
Companies that perform BIAs do not refresh them often enough
Lack of business participation because BIAs are too long and complicated
Lack of understanding among the business regarding BIA benefits
BIAs can be too tactical
BIA findings are not validated by Executive Management
Challenge Resolution/Leading Practices:
Simplify the BIA approach and use enablers: group workshops
Build annual BIA refresh requirements into the BCP policy and standards
Educate business owners/management on additional benefits of the BIA (i.e., process documentation and improvement)
Identify the critical path of the enterprise for executive discussion and approval
Present BIA findings to the Governance Committee for approval



BIA Workshop
Advantages:
Provides awareness and education to management
Helps prioritize business areas and locations, as well as business
processes
Reduces time and resources required to conduct BIA/BIA refresh
Facilitates in capturing consistent data (which may not always be
possible using surveys or multiple rounds of interviews)
Challenges the business function owners/management on
potential impacts, risks and business process recovery from a
holistic perspective
Captures critical business function interdependencies so that
the recovery priorities consider any predecessor
functions/processes
Business Critical Path Diagram: Illustrative Example
Link the business process to the underlying application and technical infrastructure dependencies (server pool, network pool, storage pool).
This diagram represents the critical path to recover mission critical, critical and essential business processes during a disruption. This is one way to syndicate the risk prioritization and recovery strategy to executive management based on the design of the business continuity program.
Recovery tiers on the business critical path:
Mission Critical: zero to <= 24 hours
Critical: > 24 hours and <= 120 hours
Essential: > 120 hours
Functional areas shown along the path (Disaster Continuity axis): A&F: Treasury; Margin; Business Processing; Service Center; Advisory Operations; Compliance; Client Reporting; Tax Reporting; Stock Record
Processes shown include: Client Wires; Corporate Wires; Cash Settlements; Check Voids/Stops; Roll Wires; Client ACH File Verification; Trade Extension Filing; Margin Call Resolution; Check and Wire Approval; Insite Reporting; Processing checks, wires, ACH and journals from retirement accounts; Qualified Plan Document Generation; Imaging; Incoming Advisor Calls; Responding to emails; Advisory Performance; Advisory Account; Advisory Fee Billing; Manager Select Account Termination; Advisory Surveillance; FACS Supervision; HOS; Registration; AML; Statement Production; Confirmation Production; Quarterly Performance Production; Letter Production; BranchNet Cost Basis Update File; ADP Transporter; Stock Record Reconciliation
Non-Technical Dependency
Analysis
Identifies both internal and external interdependencies (upstream and downstream
business processes), application, vital records and resources (workforce) required in order
for a process to function.




List what needs to happen and/or needs to be available in order for a process to function completely
Identify both internal and external interdependencies of the processes
Determine applications' Recovery Time Capability (RTC)
Use as a basis for the Recovery Gap Analysis
(Figure: the business process at the center, with Upstream and Downstream processes, Workforce, Vital Records and Applications as its dependencies.)
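The dependency analysis and Recovery Gap Analysis steps above, together with the RTO/RPO definitions in the BIA section, can be worked through in code. The following Python script is an added example, not part of the deck: the three tiers use the deck's critical path thresholds (<= 24 h, <= 120 h, > 120 h), while the process names, RTO/RPO figures, applications and Recovery Time Capability values are a constructed sample, not any client's data.

```python
"""Recovery gap analysis over a process dependency graph (added example, not from the deck).

A process cannot be back before its slowest application or upstream predecessor, so its
effective Recovery Time Capability (RTC) is the maximum over that chain; effective RTC
minus the business-stated RTO is the recovery gap. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Tier thresholds from the deck's business critical path diagram (hours).
MISSION_CRITICAL_MAX_RTO_H = 24.0   # "Zero <= 24 hours"
CRITICAL_MAX_RTO_H = 120.0          # ">24 hours & <= 120 hours"; above that: "Essential"
TIER_ORDER = {"Mission Critical": 0, "Critical": 1, "Essential": 2}

def tier_for_rto(rto_hours: float) -> str:
    """Map a business-stated RTO to the three critical-path tiers."""
    if rto_hours <= MISSION_CRITICAL_MAX_RTO_H:
        return "Mission Critical"
    if rto_hours <= CRITICAL_MAX_RTO_H:
        return "Critical"
    return "Essential"

@dataclass
class Application:
    name: str
    rtc_hours: float        # demonstrated Recovery Time Capability (from DR test results)
    data_loss_hours: float  # worst-case data loss: interval since last backup/replication

@dataclass
class Process:
    name: str
    rto_hours: float
    rpo_hours: float
    applications: List[str]
    upstream: List[str] = field(default_factory=list)  # predecessor processes

@dataclass
class GapResult:
    process: str
    tier: str
    effective_rtc_hours: float
    rto_gap_hours: float   # > 0: recovery capability does not meet the objective
    rpo_gap_hours: float   # > 0: backup/replication interval exceeds the RPO
    bottleneck: str        # application or upstream process that sets the effective RTC

class DependencyCycle(Exception):
    """Upstream/downstream links form a loop: a BIA data-quality error to fix first."""

class RecoveryGapAnalysis:
    def __init__(self, processes: List[Process], applications: List[Application]) -> None:
        self.processes = {p.name: p for p in processes}
        self.apps = {a.name: a for a in applications}
        self._memo: Dict[str, Tuple[float, str]] = {}

    def _effective_rtc(self, name: str, visiting: Set[str]) -> Tuple[float, str]:
        """Worst RTC over the process's own applications and its whole upstream chain."""
        if name in self._memo:
            return self._memo[name]
        if name in visiting:
            raise DependencyCycle(f"dependency cycle through {name}")
        visiting.add(name)
        proc = self.processes[name]
        worst, bottleneck = 0.0, "none"
        for app_name in proc.applications:
            app = self.apps[app_name]  # KeyError here: application missing from inventory
            if app.rtc_hours > worst:
                worst, bottleneck = app.rtc_hours, f"application {app.name}"
        for up in proc.upstream:
            up_rtc, _ = self._effective_rtc(up, visiting)
            if up_rtc > worst:
                worst, bottleneck = up_rtc, f"upstream process {up}"
        visiting.discard(name)
        self._memo[name] = (worst, bottleneck)
        return worst, bottleneck

    def analyze(self) -> List[GapResult]:
        results = []
        for proc in self.processes.values():
            rtc, bottleneck = self._effective_rtc(proc.name, set())
            # RPO is checked against the process's own applications only: data loss does
            # not accumulate along the dependency chain the way recovery time does.
            loss = max((self.apps[a].data_loss_hours for a in proc.applications), default=0.0)
            results.append(GapResult(proc.name, tier_for_rto(proc.rto_hours), rtc,
                                     max(0.0, rtc - proc.rto_hours),
                                     max(0.0, loss - proc.rpo_hours), bottleneck))
        # Most critical tier first, largest RTO gap first: the order for executive review.
        results.sort(key=lambda r: (TIER_ORDER[r.tier], -r.rto_gap_hours))
        return results

def run_sample_analysis() -> List[GapResult]:
    """Constructed sample; process names only echo the deck's treasury/imaging examples."""
    apps = [Application("WIRE", rtc_hours=8.0, data_loss_hours=0.25),   # synchronous replication
            Application("GL", rtc_hours=36.0, data_loss_hours=24.0),    # nightly backup to tape
            Application("IMG", rtc_hours=96.0, data_loss_hours=24.0)]
    procs = [Process("Cash Settlements", 12.0, 1.0, ["GL"]),
             Process("Client Wires", 4.0, 0.5, ["WIRE"], upstream=["Cash Settlements"]),
             Process("Imaging", 168.0, 24.0, ["IMG"])]
    return RecoveryGapAnalysis(procs, apps).analyze()
```

In the sample, Client Wires meets its own 4-hour RTO on its wire platform but inherits a 36-hour effective RTC from the Cash Settlements predecessor, which is exactly the kind of predecessor effect the BIA workshop is meant to surface.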
DESIGN AND IMPLEMENTATION
Critical Success Factors
Maintain an enterprise-wide perspective
Obtain executive commitment and sponsorship
Design business process-based approach
Understand systemic risk
Align with business strategies
Validate through exercises with the business and information
technology
Keep it simple: easy to maintain

Continuity Strategy Development
Overview
What is to be recovered:
People, business processes, application critical paths and technical services
How will it be recovered:
Technology and technical solution options
Where will it be recovered:
Technology facilities (e.g., data center, data rooms), workplace
and/or service provider(s)
When will it be planned:
Execute short-term and long-term roadmap
How much will it cost:
High-level budget requirements


The outcomes of the strategy may have more than one solution to fulfill an organization's recovery and continuity in the face of a business disruption.

Continuity Strategy Development Approach
Diagram elements: Business strategy and impact; Enterprise risk; Business constraints; People constraints; Technology constraints; Technical dependency; Current strategy gaps; Guiding principles; Disaster recovery strategy; Infrastructure strategy; High-level investment; Total cost of ownership; Roadmap and timeline
Sourcing alternatives: In-source; Co-location; Outsourcing; Managed hosting; Cloud services
Crisis Management

Ensure that crisis management plans can be adapted to cover a wide
range of issues and disruptions to business processes.
Include all entities within crisis management planning to provide a
balanced approach to crisis management and recovery efforts across the
group.
Group crisis management should be more influential in testing crisis
management plans with the relevant local entities. Although plans may be
derived individually, these should be tested in line with other entities to
identify key differences in approach and challenges with coordinating
efforts.
Run IT crisis management plans and tests alongside tests of other business
entity crisis management plans on a regular basis.
Ensure the capability to manage a crisis is tested and exercised frequently
and crisis management plans adapted/updated where necessary.

Critical Steps to Effective Response
1. Account for everyone
2. Leverage the agreed-to recovery plan
3. Protect the most crucial assets
4. Assemble the team
5. Assign resources to respond
6. Communicate early and often
7. Mitigate the loss
8. Involve the insurance and claims team
9. Document everything (insurance/regulatory/compliance)
10. Manage public relations

Long-Term Business and Financial Recovery
1. Manage expectations: internal and external
2. Read the policy: understand your recovery options
3. Involve all areas of the business
4. Communicate, communicate, communicate
5. Drive the insurance recovery process
6. Review and update the current plans: how did you do?
Coordination With External Agencies
Coordinating with external agencies includes establishing the applicable procedures and policies for coordinating continuity and restoration activities with external agencies (local, regional, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes and regulations.
Identify the representatives and establish an open dialog with the external agencies
Identify the objectives for the emergency management program and align them with specific external agencies
Assist in the development of the exercise requirements of the external agencies as appropriate
Coordinate and execute the exercise
Debrief and report on the exercise results
Source: Disaster Recovery Institute.
LEADING PRACTICES EXAMPLES
Leading Practices
1. Implement a BCM governance model and an enterprise BCM framework
BCM programs should be based upon a clearly defined governance model, supported by a single, common framework that defines a methodology, a set of policies and roles.

The overall BCM governance focuses on:
How the BCM program should be operationalized within the business and IT, by setting well-defined policies and principles;
Who makes what decisions, by defining roles and responsibilities for clear accountability; and
What mechanisms are in place to ensure that decisions are made, acted upon and complied with in relation to the company's overall direction. BCM governance should steer and respond to decision requests that emerge from the business continuity assessment process, so that senior management can make informed decisions to reduce enterprise risk.
Leading Practices
2. Integrate business impact analysis (BIA) and risk assessment
BIAs and risk assessments are two long-standing components of any business continuity standard and methodology. They remain two of the most critical inputs to any BCM program, as major strategy and funding decisions are made on the basis of their results and of how critical the assessed processes are to the enterprise.

3. Leverage emerging technologies such as cloud computing and virtualization
Disaster recovery as a service (DRaaS) provides several levels of protection to help companies recover from downtime in a potentially more cost-effective and timely manner. Workloads can be replicated from virtual or physical environments to high-availability cloud infrastructure and hosted there in standby mode. The cloud approach can also replicate across multiple storage platforms to a cloud infrastructure or elsewhere. Systems (e.g., VMware virtual machines) can be registered on the cloud in standby mode, ready to activate and keep the business running should the need arise. The standby environment belongs inside the exercise and test program and inside the organization's access control and data protection scope: a replica that has never been activated yields a recovery time estimate, not a demonstrated capability.
Leading Practices
4. Build for a resilient environment vs. a reactive recovery
Most companies are looking to enhance their ability to rapidly adapt and respond to business disruptions, to maintain continuous business operations, to be a more trusted partner and to enable growth. However, many companies have delayed investing in or updating their disaster recovery infrastructure and plans because of the lack of funding for disaster recovery over the past five years. Companies should focus 70% to 80% of their disaster recovery spending on meeting the recovery time objective (RTO) and recovery point objective (RPO) targets of the top 20% to 30% of mission-critical applications.
Leading Practices
5. Understand the true application dependency for recovery assurance
It is essential to completely understand cross-application, data and underlying infrastructure dependency relationships, both for disaster recovery planning and as a quality assurance check that every dependent part has been identified for recovery. This becomes especially critical if an operation is planning to implement (or has already implemented) one or more application services based on service-oriented architecture (SOA), or whose application services are multi-sourced.
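The dependency check described above can be made mechanical. The following is an added example, not code from the deck or from any vendor tool: it takes a constructed inventory of applications and infrastructure components with their stated RTOs and dependencies, and produces a recovery order (dependencies first), the dependencies that appear in no plan at all, and the applications whose stated RTO cannot be met because something they depend on has a longer RTO. The component names, RTO values and edges are assumptions for illustration; the achievable RTO assumes components are restored in parallel, so an application's floor is the longest RTO anywhere beneath it in the dependency graph.

```python
"""Recovery-order and RTO consistency check over an application dependency map.

Added example, not from the original deck. Names, RTOs and dependency edges are
constructed for illustration; 'depends_on' means 'must be recovered before me'.
"""
import heapq

# Constructed inventory. Infrastructure appears alongside applications because
# it needs an RTO and a recovery plan too. 'etl-server' is deliberately absent
# as an entry to show how an unmapped dependency is surfaced.
INVENTORY = {
    "online-banking":   {"rto_hours": 4,  "depends_on": {"core-ledger", "auth-service", "web-tier"}},
    "core-ledger":      {"rto_hours": 8,  "depends_on": {"oracle-cluster", "san-tier1"}},
    "auth-service":     {"rto_hours": 2,  "depends_on": {"active-directory", "web-tier"}},
    "web-tier":         {"rto_hours": 2,  "depends_on": {"load-balancer"}},
    "oracle-cluster":   {"rto_hours": 6,  "depends_on": {"san-tier1"}},
    "san-tier1":        {"rto_hours": 4,  "depends_on": set()},
    "active-directory": {"rto_hours": 2,  "depends_on": set()},
    "load-balancer":    {"rto_hours": 1,  "depends_on": set()},
    "reporting":        {"rto_hours": 72, "depends_on": {"core-ledger", "etl-server"}},
}


def find_unmapped(inventory):
    """Dependencies referenced by some entry but with no entry of their own
    (so no RTO, no owner and no recovery procedure)."""
    return {dep for entry in inventory.values()
            for dep in entry["depends_on"] if dep not in inventory}


def recovery_order(inventory):
    """Kahn's algorithm: each component is listed after everything it depends on.
    Ties are broken alphabetically so the output is stable. Unmapped dependencies
    are skipped here (find_unmapped reports them). Raises ValueError on a cycle,
    which in a recovery plan means nothing in the cycle can be brought up first."""
    indegree = {name: 0 for name in inventory}
    dependents = {name: [] for name in inventory}
    for name, entry in inventory.items():
        for dep in entry["depends_on"]:
            if dep in inventory:
                indegree[name] += 1
                dependents[dep].append(name)
    ready = [name for name, count in indegree.items() if count == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, child)
    if len(order) != len(inventory):
        raise ValueError(f"dependency cycle involving {sorted(set(inventory) - set(order))}")
    return order


def effective_rto(inventory):
    """Achievable RTO per component, assuming parallel restoration: a component
    cannot be up before the slowest thing beneath it in the graph is up."""
    memo = {}

    def walk(name, path):
        if name in memo:
            return memo[name]
        if name in path:
            raise ValueError(f"dependency cycle at {name}")
        worst = inventory[name]["rto_hours"]
        for dep in inventory[name]["depends_on"]:
            if dep in inventory:
                worst = max(worst, walk(dep, path | {name}))
        memo[name] = worst
        return worst

    return {name: walk(name, frozenset()) for name in inventory}


def rto_gaps(inventory):
    """Components whose stated RTO is shorter than their dependencies allow,
    as {name: (stated_hours, achievable_hours)}."""
    achievable = effective_rto(inventory)
    return {name: (entry["rto_hours"], achievable[name])
            for name, entry in inventory.items()
            if achievable[name] > entry["rto_hours"]}


if __name__ == "__main__":
    print("unmapped dependencies:", sorted(find_unmapped(INVENTORY)))
    print("recovery order:", " -> ".join(recovery_order(INVENTORY)))
    for name, (stated, achievable) in rto_gaps(INVENTORY).items():
        print(f"RTO gap: {name} states {stated}h but its dependencies allow {achievable}h at best")
```

On the constructed inventory this reports etl-server as unmapped and online-banking as carrying a 4-hour RTO on top of a core-ledger whose RTO is 8 hours. Either the ledger recovery has to be made faster, or the 4-hour figure is a recovery time estimate that no exercise will ever validate; the same check is worth re-running whenever the change process touches a dependency.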
Leading Practices
6. Increase the complexity of testing
Leading practice organizations are including more complex integrated exercises in their annual test plan. While most do not yet advocate a "pull the plug" scenario, integrated testing between business units and IT is the right way to develop real confidence in an organization's capability to recover. In these scenarios, the business units may actually deploy to their alternate site and use their IT workaround procedures during the period in which the IT systems are being recovered. This type of testing proves the viability of the alternate site, the viability of the workaround procedures, and that the IT systems the business unit needs can be recovered within its stated RTO. All of these measures start to establish a validated recovery time capability (RTC) for an organization, whereas the best tabletop testing can only provide a recovery time estimate (RTE).
Leading Practices
7. Adapt crisis management and communications strategies
The premise regarding communication during a crisis is still the same: companies need to be proactive and transparent in their communications. Likewise, customers' and stakeholders' expectations remain the same: they want to know that the company is taking ownership and accountability and that there is a resolution plan to get services stabilized and restored. What has changed is the approach to disseminating this information, which can reduce the negative impact on brand image and customer satisfaction during a disaster. As companies begin to understand the evolution of mass communication, they adapt their crisis communication strategies to use the various media outlets to their advantage. This way, they are able to manage their messaging in a timely manner and prevent incorrect information from spreading.
Leading Practices
8. Exercise an integrated ERM program
Leading companies have implemented integrated enterprise risk management (ERM) programs that bring all types of organizational risk under a single risk universe, regardless of whether a particular risk is classified as a security risk, a health and safety risk, an insurance risk, an environmental management risk or a business continuity risk.

9. Solicit support from the Board of Directors and the Audit Committee
It is much more common for companies to develop and implement company-wide business continuity management programs when there is pressure from the Board or Audit Committee.

10. Seek certification and achieve regulatory compliance
The variety of certifications and regulatory compliance approvals related to business continuity does two things: it allows companies to better market their business continuity prowess and maturity to customers and prospects, and it allows them to differentiate themselves in a competitive market.
Current State Assessment Objectives
Assess current business continuity documentation and
processes against leading practices to evaluate the quality
of program and measure acceptance by the organization
Provide baseline for determining gaps and determining future
state initiatives
Use Proprietary Maturity Model to assess and score BCP
capabilities.

BC and DR Maturity Model (leading-practice level for each component)
Commitment: Company has received commitment from all levels of the organization and individual lines of business.
Business Impact Assessment: The BIA process is firmly in place within the organization. While a planned BIA update schedule exists, team members are proactive about updating the BIA whenever there are major business changes.
Threat and Risk Assessment: Risk assessments and BIA are integrated. Financial decisions to mitigate risk are based upon the potential business impacts to operations at an examined facility.
BCP/DRP/Crisis Management Development: All BCP components (including IT components) are developed according to the organization's BCM framework, are fully integrated with each other (BCPs, DR plans and Crisis Management plans) and span all processes within the organization. Plan updates are both event- and schedule-driven.
Develop Continuity Strategies: Company has deployed cost-effective continuity strategies that align with business requirements. It has factored technical, physical, people and financial resources into continuity efforts. It has also documented manual and semi-automated procedures where appropriate.
Testing, Maintenance, Administration: Testing has been consistently implemented over time with all appropriate protocols, including documentation of findings and improvements to the plan. Business Continuity team tests coincide with IT tests, in which business personnel test operations on the recovered equipment.
Policies and Procedures: Company has developed policies to detail the responsibilities of management to ensure timely resumption of critical business functions following a major interruption.
Sample Future State Roadmap
Columns: # | Initiative | Component | Resources* | Duration** | Dependencies | Recommended starting quarter
T-1 | Establish an ABC Bank continuity management oversight committee | Commitment | Low | Low | None | 1Q2007
T-2 | Review the current Business Impact Analysis and Business Recovery Plan with the committee | Commitment | High | Low | T-1 | 1Q2007
T-3 | Identify a champion to lead the Bank's CM Program | Commitment | Low | Low | T-1 | 1Q2007
T-4 | Adapt ABC Enterprise CM policies and procedures for use in the Bank | Policies and Procedures | Medium | Medium | None | 1Q2007
T-5 | Publish those policies and procedures to inform all Bank employees | Policies and Procedures | Low | Low | T-1, T-4 | 1Q2007
Note: Duration is the estimated time required to take the action indicated, not an estimate of ongoing operational time.
* Low = less than 1 FTE; Medium = between 1 and 3 FTEs; High = greater than 3 FTEs
** Low = less than 2 weeks; Medium = between 2 weeks and 1 month; High = more than 1 month
SESSION ONE RECAP
Q&A
AUDIENCE PARTICIPATION
(WHO HAS THE BEST DISASTER EXAMPLE?)

SESSION TWO
Business Continuity Management
Session Two Overview
Operations and Testing
COBIT 5 and Controls
Auditing Business Continuity and Disaster
Recovery
Case Study Examples
SESSION TWO OVERVIEW
Session Two Overview
Objectives
Understand and describe leading practices in BCM
and DR
Understand and describe the most significant risks
associated with a BCM and DR program
Understand and describe the application of standards
used in BCM and DR
Understand and describe the COBIT objectives and
controls that support managing risk in BCM and DR
Understand, describe and implement a BCM and DR
audit program
Audit the business continuity management process

OPERATIONS AND TESTING
Typical BCM Program Phases
Implement Strategy and Develop Continuity Plans
This activity involves performing all tasks necessary to implement the strategy and the development of the
Business Continuity Plans (BCPs), IT Services resiliency and architecture recovery plans and an enterprise
Crisis Management Program.
Sustain and Maintain BCM Program
This activity involves implementing processes designed to sustain and mature the BCM program. Key
processes include:
Plan Maintenance
Regular updates to the documented BCPs, dictated by period or business changes.
Training
Developing a training program for personnel to prepare and educate them on their roles and
responsibilities.
Awareness
Awareness includes both internal awareness (making internal personnel aware of their business continuity roles, responsibilities and expectations) and external awareness.
Reporting
Developing scorecards and key performance indicators (KPIs): KPIs are the measurements used to evaluate the success of the BCM program.
Change Management
Change management procedures need to be enforced to ensure that the BCP and its processes are
kept up-to-date and give the best possible chance of surviving a major business disruption.
Exercise and Test
This activity involves the development of a testing program and schedule to maximize plan accuracy and
team preparation to respond to an event.
Sustain and Maintain BCM Program
What is the Sustain and Maintain Activity?
Once the Assess and Mitigate Phases are completed, the BCM program must enter a phase of
sustainability and maintenance. For many companies, this is the most difficult part of
operationalizing a business continuity program.
This may be accomplished through some of the following activities:
Reporting: development of scorecards and key performance indicators (KPIs). KPIs are the measurements used to evaluate the success of the program.
Plan maintenance: regular updates to the documented BCM plans, dictated by period or business changes.
Training and awareness: development of a training program for personnel to prepare and educate them on their roles and responsibilities. Awareness includes both internal awareness (making internal personnel aware of their business continuity roles, responsibilities and expectations) and external awareness (marketing the organization's program as a differentiator and competitive advantage).
Change management: change management procedures need to be enhanced and enforced to ensure that essential BCM plans and their processes are kept up to date and give the best possible chance of surviving a major business disruption.
Training and Awareness Programs
They support the mission of the organization
They demonstrate organizational commitment
Human error accounts for a significant degree of loss
Training employees shows that the organization has taken due care
They remind people of the basic security practices
Knowledge of the vulnerabilities and risks will allow employees to implement better procedures and demonstrate accountability
They raise the awareness of the risks of downtime
They make people aware of who the business continuity team members are and what their function is
They orient new employees to the BCM program
Source: Disaster Recovery Institute.
Exercise and Test
What is the Exercise and Test Activity?
This activity involves the development and execution of an exercise and testing program and
schedule to maximize plan accuracy and team preparedness to respond to an event. The
exercise or the tests can include all or part of the business continuity plan or specific critical
component.
How is the Exercise and Test executed?
There are multiple types of plan exercises that can be executed. These could include: table
top exercises, functional exercises across business units, functional exercises with public
sector, integrated business and IT exercises, etc.
Output
Post-exercise results
Updated/enhanced plans
Testing Framework
Purpose:
Provide structure, formality and a common nomenclature to the BCM Exercise and Test Program
Establish the roles, responsibilities, accountabilities and organizational structure for the BCM PMO and business units
Provide consistent methods, tools and processes that will maximize the business units' compliance with the BCM policies and standards for the maintenance of BCPs and DRPs

Compliance and alignment:
The testing framework is aligned with existing BCM and IT policies.
All BCPs and DRPs supporting critical processes and applications should undergo a test at least annually.

Test phases and tasks:
Managing the exercise and test program for the BCPs of critical processes and DRPs of critical applications
Developing the test plan
Executing the test
Debriefing following the test
Test Stages (figure): scope and complexity rise from low to high across the stages, from stage 1 (table-top walk-through) through stage 5 (recovery site) to stage 9 (full-scale production). Each test stage is run as Plan, Execute and Debrief under program coordination and oversight.
Program Scorecard Example

Common Mistakes in Business Continuity
Outdated and incomplete business continuity plan
Lack of testing
Lack of back-up utility for critical operations
Insufficient verification and validation of systems
Insufficient recovery resources available
Underestimating or miscalculating risk
Misunderstanding roles and responsibilities
Slow to react and gather information
Failure to understand the insurance contract
Balancing business requirements and insurance recovery
COBIT 5 AND CONTROLS
Example ISACA mapping between
COSO and COBIT 4.1
PLAN TESTING
Audit/Assurance Program Step | COBIT cross-reference | COSO component (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring)
Plan Testing
Audit/Assurance Objective: The plan should be tested regularly, and the tests should include a comprehensive verification of continuity processes and situational drills to test the assumptions and alternate procedures within the plan.
COBIT cross-reference: DS4.5, DS4.6. COSO: X
Testing Policies
Control: Testing policies define test frequency, types of tests, use of situational drills and other recognized processes.
Obtain the testing policies document.
Determine that the following policies are stated and documented:
Minimum test frequency
Conditions requiring more frequent testing
Types of scenarios to be tested
Testing Methods
Control: Testing includes both walkthroughs and full-scale drills of the interim process and recovery plans.
Determine that walkthrough tests are performed regularly and include all facets of the plan.
Determine that full-scale tests are performed regularly and include higher-risk events.
Determine if an after-hours call list exists and is current.
Determine if a program of continuity awareness exists and is executed regularly.
Analysis of Test Results
Control: The results from the plan tests are analyzed to identify issues that require BCP revision, additional training or additional resources.
COBIT cross-reference: DS4.10. COSO: X X X
Verify that changes to recovery plans have been made as a result of testing and lessons learned.
Determine if the results have been communicated to management.
Determine that stakeholders and assurance functions monitor and receive post-test analysis.
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program
COBIT 5 Mapping
Process domain and practice | Process name | Consideration for design and audit of: Business Continuity / Disaster Recovery
Governance: Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance | Y / N
EDM02 Ensure Benefits Delivery | Y / N
EDM03 Ensure Risk Optimization | Y / Y
EDM04 Ensure Resource Optimization | Y / N
EDM05 Ensure Stakeholder Transparency | Y / N
Management: Align, Plan and Organize
APO01 Manage the IT Management Framework | Y / Y
APO02 Manage Strategy | Y / Y
APO03 Manage Enterprise Architecture | Y / Y
APO04 Manage Innovation | N / N
APO05 Manage Portfolio | Y / N
APO06 Manage Budget and Costs | Y / N
APO07 Manage Human Resources | Y / N
APO08 Manage Relationships | Y / N
APO09 Manage Service Agreements | Y / Y
APO10 Manage Suppliers | Y / Y
APO11 Manage Quality | Y / Y
APO12 Manage Risk | Y / Y
APO13 Manage Security | Y / Y
COBIT 5 Mapping (continued)
Process domain and practice | Process name | Consideration for design and audit of: Business Continuity / Disaster Recovery
Management: Build, Acquire and Implement
BAI01 Manage Programs and Projects | Y / Y
BAI02 Manage Requirements Definition | Y / Y
BAI03 Manage Solutions Identification and Build | N / Y
BAI04 Manage Availability and Capacity | N / Y
BAI05 Manage Organizational Change Enablement | Y / Y
BAI06 Manage Changes | Y / Y
BAI07 Manage Change Acceptance and Transitioning | Y / Y
BAI08 Manage Knowledge | Y / Y
BAI09 Manage Assets | Y / Y
BAI10 Manage Configuration | Y / Y
Management: Deliver, Service and Support
DSS01 Manage Operations | Y / Y
DSS02 Manage Service Requests and Incidents | Y / Y
DSS03 Manage Problems | Y / Y
DSS04 Manage Continuity | Y / Y
DSS05 Manage Security Services | Y / Y
DSS06 Manage Business Process Controls | Y / Y
Management: Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance | Y / Y
MEA02 Monitor, Evaluate and Assess the System of Internal Control | Y / Y
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements | Y / Y
COBIT 5 Supplemental Material
DSS04
Manage
Continuity
DSS04.01 Define
the business
continuity policy,
objectives and
scope
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business risk
07 Delivery of IT services in line with
business requirements
14 Availability of reliable and useful
information for decision making
Identify internal and outsourced business processes and service
activities that are critical to the enterprise operations or necessary to
meet legal and/or contractual obligations
Identify key stakeholders and roles and responsibilities for defining
and agreeing on continuity policy and scope
Define and document the agreed on minimum policy objectives and
scope for business continuity and embed the need for continuity
planning in the enterprise culture
Identify essential supporting business processes and related IT
services
DSS04.02
Maintain a
continuity strategy
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business risk
14 Availability of reliable and useful
information for decision making
Identify potential scenarios likely to give rise to events that could
cause significant disruptive incidents
Conduct a business impact analysis to evaluate the impact over time
of a disruption to critical business functions and the effect that a
disruption would have on them
Establish the minimum time required to recover a business process
and supporting IT based on an acceptable length of business
interruption and maximum tolerable outage
Assess the likelihood of threats that could cause loss of business
continuity and identify measures that will reduce the likelihood and
impact through improved prevention and increased resilience
Analyze continuity requirements to identify the possible strategic
business and technical options
Determine the conditions and owners of key decisions that will cause
the continuity plans to be invoked
Identify resource requirements and cost for each strategic technical
option and make strategic recommendations
Obtain executive business approval for selected strategic options
COBIT 5 Supplemental Material
DSS04
Manage
Continuity
DSS04.03 Develop
and implement a
business continuity
response
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Define the incident response actions and communications to be taken in the
event of disruption. Define related roles and responsibilities including
accountability for policy and implementation
Develop and maintain operational BCPs containing the procedures to be
followed to enable continued operation of critical business processes and/or
temporary processing arrangements, including links to plans of outsourced
service providers
Ensure that key suppliers and outsource partners have effective continuity
plans in place. Obtain audited evidence as required.
Define the conditions and recovery procedures that would enable resumption
of business processing, including updating and reconciliations of information
databases to preserve information integrity
Define and document the resources required to support the continuity and
recovery procedures, considering people, facilities, and IT infrastructure
Define and document the information backup requirements required to
support the plans, including plans and paper documents as well as data files,
and consider the need for security and off-site storage
Determine required skills for individuals involved in executing the plan and
procedures
Distribute the plans and supporting documentation securely to appropriately
authorized interested parties and make sure they are accessible under all
disaster scenarios
DSS04.04 Exercise,
test and review the
BCP
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Define objectives for exercising and testing the business, technical, logistical,
administrative, procedural and operational systems of the plan to verify
completeness of the BCP in meeting business risk
Define and agree on with stakeholders exercises that are realistic, validate
continuity procedures, and include roles and responsibilities and data
retention arrangements that cause minimum disruption to business
processes
Assign roles and responsibilities for performing continuity plan exercises and
tests
Schedule exercises and test activities as defined in the continuity plan
Conduct a post-exercise debriefing and analysis to consider the achievement
Develop recommendations for improving the current continuity plan based on
the results of the review

COBIT 5 Supplemental Material
DSS04 Manage
Continuity
DSS04.05 Review,
maintain and
improve the
continuity plan
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Review the continuity plan and capability on a regular basis against
any assumptions made and current business operational and strategic
objectives
Consider whether a revised business impact assessment may be
required, depending on the nature of the change
Recommend and communicate changes in policy, plans, procedures,
infrastructure, and roles and responsibilities for management approval
and processing via the change management process
Review the continuity plan on a regular basis to consider the impact of
new or major changes to: enterprise organization, business
processes, outsourcing arrangements, technologies, infrastructure,
operating systems and application systems
DSS04.06
Conduct continuity
plan training
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Define and maintain training requirements and plans for those
performing continuity planning, impact assessments, risk
assessments, media communication and incident response. Ensure
that the training plans consider frequency of training and training
delivery mechanisms
Develop competencies based on practical training including
participation in exercises and tests
Monitor skills and competencies based on the exercise and test
results
DSS04.07 Manage
backup
arrangements
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Back up systems, applications, data and documentation according to
a defined schedule
Ensure that systems, applications, data and documentation
maintained or processed by third parties are adequately backed up or
otherwise secured. Consider requiring return of backups from third
parties. Consider escrow or deposit arrangements
Define requirements for on-site and off-site storage of backup data
that meet the business requirements. Consider the accessibility
required to back up data
Roll out BCP awareness and training
Periodically test and refresh archived and backup data
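The DSS04.07 activities "back up according to a defined schedule" and "periodically test and refresh archived and backup data" are worth turning into a routine check. The following is an added example, not from the deck or from COBIT: it verifies each backup in a set against a manifest of SHA-256 digests and then measures the RPO against the newest copy that actually verified, not the newest one that merely exists. The manifest layout, file names, timestamps and the 4-hour RPO are constructed for illustration. The example assumes the manifest itself is stored separately from the backups and protected from tampering; it does not implement that protection.

```python
"""Backup-set verification: manifest integrity plus RPO check on the newest good copy.

Added example, not from the original deck or from COBIT. The manifest layout, file
names, timestamps and the 4-hour RPO are constructed for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

RPO_HOURS = 4
NOW = datetime(2012, 11, 14, 18, 0, tzinfo=timezone.utc)   # assumed time of the check


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup_set(backup_dir, manifest, rpo_hours, now):
    """Check every manifest entry against what is actually on disk, then measure the
    RPO against the newest backup that verified, not the newest one that exists."""
    result = {"ok": [], "corrupt": [], "missing": []}
    newest_good = None
    for entry in manifest["files"]:
        path = os.path.join(backup_dir, entry["name"])
        if not os.path.exists(path):
            result["missing"].append(entry["name"])
            continue
        if sha256_file(path) != entry["sha256"]:
            result["corrupt"].append(entry["name"])
            continue
        result["ok"].append(entry["name"])
        taken = datetime.fromisoformat(entry["taken_at"])
        if newest_good is None or taken > newest_good:
            newest_good = taken
    age = None if newest_good is None else (now - newest_good).total_seconds() / 3600
    result["newest_good_age_hours"] = age
    result["rpo_met"] = age is not None and age <= rpo_hours
    return result


def build_sample_set():
    """Create a constructed backup directory and matching manifest in a temp dir:
    one intact file, one altered after the manifest was written, one never copied."""
    backup_dir = tempfile.mkdtemp(prefix="bcm-backup-")
    intended = {
        "ledger-full-2012-11-13T22.dump": (b"full dump rows 1..1000\n", "2012-11-13T22:00:00+00:00"),
        "ledger-incr-2012-11-14T10.dump": (b"incremental rows 1001..1100\n", "2012-11-14T10:00:00+00:00"),
        "ledger-incr-2012-11-14T16.dump": (b"incremental rows 1101..1150\n", "2012-11-14T16:00:00+00:00"),
    }
    manifest = {"files": []}
    for name, (content, taken_at) in intended.items():
        manifest["files"].append({"name": name,
                                  "sha256": hashlib.sha256(content).hexdigest(),
                                  "taken_at": taken_at})
    with open(os.path.join(backup_dir, "ledger-full-2012-11-13T22.dump"), "wb") as f:
        f.write(intended["ledger-full-2012-11-13T22.dump"][0])
    with open(os.path.join(backup_dir, "ledger-incr-2012-11-14T10.dump"), "wb") as f:
        f.write(b"incremental rows 1001..1100 TRUNCATED")   # silently damaged copy
    # The 16:00 incremental was never transferred to this location.
    return backup_dir, manifest


def demo():
    backup_dir, manifest = build_sample_set()
    return verify_backup_set(backup_dir, manifest, RPO_HOURS, NOW)


if __name__ == "__main__":
    report = demo()
    print("verified:", report["ok"])
    print("corrupt: ", report["corrupt"])
    print("missing: ", report["missing"])
    print(f"newest good copy is {report['newest_good_age_hours']:.1f}h old; "
          f"RPO of {RPO_HOURS}h met: {report['rpo_met']}")
```

On the constructed set, the 16:00 incremental is missing and the 10:00 incremental fails its digest, so the newest backup that would actually restore is the 22:00 full dump: a nominal 2-hour gap becomes a 20-hour data-loss exposure against a 4-hour RPO. Checking existence alone would have reported the RPO as met.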

DSS04.08
Conduct post-
resumption review
Y
01 Alignment of IT and business
strategy
04 Managed IT-related business
risk
14 Availability of reliable and useful
information for decision making
Assess adherence to the documented BCP
Determine the effectiveness of the plan, continuity capabilities, roles
and responsibilities, skills and competencies, resilience to the incident,
technical infrastructure, and organizational structures and
relationships
Identify weaknesses or omissions in the plan and capabilities and
make recommendations for improvement
Obtain management approval for any changes to the plan and apply
via the enterprise change control process
AUDITING BUSINESS CONTINUITY
AND DISASTER RECOVERY
Background and Objective
Background
The purpose is to ensure the objective, scope, policy,
standards, approach and budget for business continuity
and disaster recovery are controlled.
Audit Objective
Our objective in this review is to confirm the existence
of appropriately designed controls within the areas of
disaster recovery and business continuity.



ISACA BCM
Audit/Assurance Program
Objective and Scope
Objective: The continuity planning audit/assurance review will:
Provide management with an evaluation of the enterprise's preparedness in the event of a major business disruption
Identify issues that may limit interim business processing and restoration of same
Provide management with an independent assessment of the effectiveness of the business continuity plan and its alignment with subordinate continuity plans

Scope: The review will focus on the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous business services. This will include:
Development, maintenance and testing of the business continuity plan
Ability to provide interim business services and the effective and timely restoration of same
Risk management and costs related to the business continuity plan*
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 11
Auditing BCM
Benefits of auditing the BCM plan
Audit scope and objective considerations
Key audit areas
Common issues stemming from plan audits
Benefits of Auditing the Plan
Provides assurance to executive management and the
board that plans are robust, complete and up-to-date
Identifies weaknesses in the plan
Motivates personnel to maintain their plans
Helps justify allocation of resources
Helps justify costs associated with business continuity

Audit Considerations
Scope and Objective Considerations
Controls to be reviewed and tested
Methodology used to develop plans
Consistency between business unit business continuity
plans and enterprise disaster recovery plans
Application of common planning standards
External suppliers and service providers
Audit Considerations
Plan Development
Established planning standards
Methodology and standards used to develop the plans,
enterprise-wide
Purpose, objective, scope and assumptions to be used in
developing and executing plans
Roles, accountabilities, and responsibilities
Senior management
Business unit management and personnel
Business continuity coordinator
Information security personnel
Audit Considerations
Plan Development
Assess Phase
Plan development requirements
Business impact assessment
Risk assessment
Risk avoidance measures

Mitigate Phase
System restoration and recovery procedures
Vendor management
Manual processing/downtime procedures
Maintenance, testing and administration requirements
Training and communication
Building the Audit
Scope Considerations
Identify the scope of the audit:
Disaster recovery
Business continuity
Crisis management
Building the Audit Scope Options
Business Continuity
Each area is shown with the depth of review for a 3-4 week engagement and for a 5-8 week engagement.
Policy, Scope and Objectives
3-4 weeks: Review of the policy and scope of the business continuity program
5-8 weeks: Detailed review of the policy and scope of the business continuity program
Risk Assessment
3-4 weeks: Review the procedures from a risk assessment and the results
5-8 weeks: Detailed review of the risk assessment procedures and results
Business Impact Analysis
3-4 weeks: Review business impact analysis (BIA) and associated assessment criteria and results; high-level review of the recovery time/point objectives
5-8 weeks: Detailed review of BIA results and validation of recovery time and point objectives in BCPs to meet business needs; validation with DRP
Business Continuity Strategies
3-4 weeks: Review current strategies to address various interruptions and/or disasters using multiple scenarios
5-8 weeks: Detailed review of business continuity recovery strategies to meet highly probable disaster scenarios
Business Continuity Plan
3-4 weeks: Review current business continuity plan to ensure core components are addressed
5-8 weeks: Detailed review of the business continuity plan assessed against RTOs/RPOs
Work Area Recovery
3-4 weeks: Review processes for managing the workforce for critical business processing
5-8 weeks: Detailed review of managing the workforce at the alternate facility/site
Business Continuity Plan Testing
3-4 weeks: Review of the testing procedures for the Business Continuity Program (BCP)
5-8 weeks: Detailed review of the testing program (procedures, processes), testing scenarios and test plans
Business Continuity Plan Maintenance
3-4 weeks: Review of the maintenance and change management procedures for the BCP
5-8 weeks: Detailed review of the BCP's maintenance to ensure the plan stays current; review of feedback from testing/training incorporated into plan updates
Business Continuity Program Governance
3-4 weeks: Review management's policies and procedures regarding the BCP
5-8 weeks: Detailed review of the Business Continuity Management Program and governance policies/procedures
Building the Audit Scope Options: Disaster Recovery

Area | 3-4 Weeks | 5-8 Weeks
Physical Security | Review of the physical security controls managing access to the data center | Detailed review of physical security through assessment, monitoring and review of procedures
Backup and Recovery | Review of the current backup and recovery procedures to confirm data is appropriately backed up and protected | Detailed review of the backup and recovery procedures, with validation that B&R meets the recovery objectives
Recovery Procedures | Review of the procedures that will recover critical infrastructure | Detailed review of the procedures for recovery of critical infrastructure
Disaster Recovery Strategy | Review of the strategies to address service interruptions and/or disasters at the component, data center, site and regional level | Detailed review of the DR strategies to confirm recovery objectives and SLAs are met; review to identify single points of failure (SPOF); multiple strategies based on varying scenarios
Disaster Recovery Plan | Review of the current DRP to confirm the core components are included | Detailed review of the contents of the DRP

Area | 2-4 Weeks | 5-8 Weeks
Business Recovery | Review that the DR strategies and plans will meet the recovery needs of the business | Detailed review of the DR strategies and plans against the needs of the business; review and validation of the BIA to confirm consistency
Disaster Recovery Plan Testing | Review of the testing procedures for the DRP | Detailed review of the testing program (procedures, processes), testing scenarios and test plans
Disaster Recovery Plan Maintenance, Reviews, Updates | Review of the maintenance procedures for the DRP | Detailed review of DRP maintenance to confirm the plan stays current, including whether feedback from testing and training is incorporated into plan updates
Disaster Recovery Plan Training | Review of the training procedures for the DRP | Detailed review of the training agenda and materials to confirm end users understand their role and how to use the DRP
Audit Approach
Inspection of Key Documentation
Planning standards, mission statement and governance
Business impact analysis and risk assessment results
Identification of critical business processes/operations
Identification of critical business path
Minimum recovery timeframes and resources are defined
Timeframes established based on the financial and operational impact to the
organization
Policies and procedures
Business continuity
Disaster recovery
Emergency preparedness
Crisis management
Backup and restoration
Audit Approach
Inspection of Key Documentation
Employee/vendor contact lists
Verify accuracy and completeness of contact lists
Off-site inventories
Plan testing and results
Contractual agreements
SAS 70 reports (or their SSAE 16 / SOC 1 successors) and disaster recovery
plans of critical third-party service providers
Employee education and communication protocols

Audit Approach
Observations of Key Activities

Plan test activities
Documentation review and update activities
Alternate power and generator tests
Telecommunications failover tests
Virtual department enablement
Common Plan Risks
Emergency preparedness
Emergency/evacuation procedures
Team structure
Crisis management
Employee, patient, student, etc. communication protocol
(business and non-business hours)
Marketing/media communication protocol

Common Plan Risks
Physical plan documentation location(s)
Control/versioning of plans
Use of automated tools
Staff training and awareness
Roles and responsibilities
Security of primary facility
Unauthorized access
Protection from fire and other environmental threats
Storage of sensitive information


Common Plan Risks
Backup process
Backup tapes
Adequacy of backup procedures
How often are systems backed up?
When is media transferred off-site?
How often are backups rotated?
Are backups properly inventoried?
Software and data
Testing of backup media (periodic restoration)
Hardware and support facilities
Alternate processing facility
Proximity to primary facility
Security of site
Vendor contracts (if any)
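The backup questions above are usually answered by interview; the script below, added here as an example and not part of the ISACA/EY deck, answers them from evidence instead. It checks a backup catalog against each system's RPO, measures the lag before media went off-site, reconciles catalog media against the off-site vault's inventory, checks the age of the last restore test, and verifies that bytes read back from the media still hash to the checksum recorded when the backup was taken. The catalog, vault listing, media contents, policy thresholds and the fixed audit date are all constructed sample data; the thresholds are hypothetical.

```python
"""
Added example (not from the ISACA/EY deck): evidence-based checks over a
backup catalog.  Every record below is constructed sample data, and the
policy thresholds are hypothetical.
"""
import hashlib
from datetime import datetime, timedelta

# Fixed "audit date" so the results are reproducible offline (constructed).
NOW = datetime(2012, 11, 14, 9, 0)

# Hypothetical policy thresholds.
MAX_OFFSITE_LAG = timedelta(hours=24)
MAX_RESTORE_TEST_AGE = timedelta(days=90)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Bytes read back from each medium during the restore test (constructed).
# T0398 differs from what was written, simulating a damaged tape.
MEDIA_CONTENT = {
    "T0451": b"ledger-full-2012-11-13",
    "T0452": b"online-banking-full-2012-11-13",
    "T0398": b"hr-weekly-2012-10-28",
}

# Backup catalog as exported from the backup tool (constructed).  The sha256
# is what the tool recorded at backup time, before the media left the site.
CATALOG = [
    {"system": "core_ledger", "rpo": timedelta(hours=1), "media": "T0451",
     "taken": datetime(2012, 11, 13, 23, 0), "offsite": datetime(2012, 11, 14, 6, 0),
     "last_restore_test": datetime(2012, 10, 1),
     "sha256": _sha256(b"ledger-full-2012-11-13")},
    {"system": "online_banking", "rpo": timedelta(hours=24), "media": "T0452",
     "taken": datetime(2012, 11, 13, 22, 0), "offsite": datetime(2012, 11, 14, 8, 30),
     "last_restore_test": datetime(2012, 5, 1),
     "sha256": _sha256(b"online-banking-full-2012-11-13")},
    {"system": "hr_system", "rpo": timedelta(days=7), "media": "T0398",
     "taken": datetime(2012, 10, 28, 2, 0), "offsite": datetime(2012, 10, 30, 2, 0),
     "last_restore_test": datetime(2012, 9, 15),
     "sha256": _sha256(b"hr-weekly-2012-10-28-as-written")},
]

# Media the off-site vault reports holding (constructed); T0452 is missing.
VAULT_INVENTORY = {"T0451", "T0398", "T0120"}


def audit_backups(catalog=CATALOG, vault=VAULT_INVENTORY,
                  media=MEDIA_CONTENT, now=NOW):
    """Return (system, check, detail) findings; an empty list means every
    check passed for every catalog entry."""
    findings = []
    for entry in catalog:
        sysname = entry["system"]
        # 1. Is the newest backup older than the data loss the business accepts?
        age = now - entry["taken"]
        if age > entry["rpo"]:
            findings.append((sysname, "rpo_exceeded",
                             f"latest backup is {age} old, RPO is {entry['rpo']}"))
        # 2. How long did the media sit on site before transfer?
        if entry["offsite"] is None:
            findings.append((sysname, "not_offsite", "media never transferred"))
        elif entry["offsite"] - entry["taken"] > MAX_OFFSITE_LAG:
            findings.append((sysname, "offsite_lag",
                             f"{entry['offsite'] - entry['taken']} to reach off-site"))
        # 3. Does the vault actually hold what the catalog says it holds?
        if entry["media"] not in vault:
            findings.append((sysname, "not_in_vault",
                             f"media {entry['media']} absent from vault inventory"))
        # 4. Has anyone proven the backup restores recently?
        if now - entry["last_restore_test"] > MAX_RESTORE_TEST_AGE:
            findings.append((sysname, "restore_test_stale",
                             f"last restore test {entry['last_restore_test']:%Y-%m-%d}"))
        # 5. Is the media still readable and unchanged since it was written?
        content = media.get(entry["media"])
        if content is None:
            findings.append((sysname, "media_unreadable", entry["media"]))
        elif _sha256(content) != entry["sha256"]:
            findings.append((sysname, "checksum_mismatch",
                             f"media {entry['media']} differs from catalog hash"))
    return findings


if __name__ == "__main__":
    for system, check, detail in audit_backups():
        print(f"{system:15} {check:20} {detail}")
```

Run against a real catalog export, the checks that produce findings map directly onto the slide's questions: `rpo_exceeded` means the backup frequency does not support the RPO, `offsite_lag` and `not_in_vault` cover media transfer and inventory, `restore_test_stale` and `checksum_mismatch` cover periodic restoration testing.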

Common Plan Risks
Identification and storage of vital records
Off-site storage
Backup tapes
Supporting documentation
Security of off-site storage facility
Authorized personnel
Accessibility and level of response for off-site storage facility
Internal work-flow dependencies
Relocation dependency?
Do recovery time frames coincide?
External dependencies
Adequacy of third-party business continuity plans
Do recovery time frames coincide?
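"Do recovery time frames coincide?" is a check that can be made mechanically once the BIA and the dependency map are in hand. The script below is an added example, not material from the ISACA/EY deck: it walks the internal and external dependencies, flags every edge where a dependency has a longer RTO or a longer RPO than the process relying on it, and computes the RTO each process can actually achieve given its slowest dependency. All process names, RTO/RPO values and dependency edges are constructed sample BIA data.

```python
"""
Added example (not from the ISACA/EY deck): check that recovery time frames
"coincide" across dependencies.  Rule: if A depends on B, A is not recovered
until B is, so RTO(B) must not exceed RTO(A); likewise B's RPO must not
exceed A's, since A cannot be restored to data fresher than B has.
All BIA values and dependency edges below are constructed sample data.
"""

# Constructed sample BIA output: RTO and RPO in hours, plus who owns the service.
BIA = {
    "online_banking":   {"rto": 4,  "rpo": 1, "kind": "internal"},
    "core_ledger":      {"rto": 8,  "rpo": 1, "kind": "internal"},
    "auth_service":     {"rto": 2,  "rpo": 0, "kind": "internal"},
    "payment_gateway":  {"rto": 24, "rpo": 4, "kind": "third_party"},
    "alt_site_network": {"rto": 6,  "rpo": 0, "kind": "internal"},
}

# A -> [B, ...]: A cannot resume until every B has been recovered.
DEPENDS_ON = {
    "online_banking": ["core_ledger", "auth_service", "payment_gateway"],
    "core_ledger":    ["alt_site_network"],
    "auth_service":   ["alt_site_network"],
}


def find_objective_conflicts(bia=BIA, deps=DEPENDS_ON):
    """Return one tuple per edge whose dependency is slower (RTO) or staler
    (RPO) than the process relying on it:
    (dependent, dependency, metric, dependent_value, dependency_value)."""
    conflicts = []
    for proc, needs in deps.items():
        for dep in needs:
            for metric in ("rto", "rpo"):
                if bia[dep][metric] > bia[proc][metric]:
                    conflicts.append((proc, dep, metric,
                                      bia[proc][metric], bia[dep][metric]))
    return conflicts


def effective_rto(proc, bia=BIA, deps=DEPENDS_ON, _trail=()):
    """The earliest the process can really be back: its own RTO or the
    effective RTO of its slowest dependency, whichever is larger.  A cycle
    in the dependency map is reported instead of recursed into forever."""
    if proc in _trail:
        raise ValueError("dependency cycle: " + " -> ".join(_trail + (proc,)))
    own = bia[proc]["rto"]
    below = [effective_rto(d, bia, deps, _trail + (proc,))
             for d in deps.get(proc, [])]
    return max([own] + below)


def report(bia=BIA, deps=DEPENDS_ON):
    """Audit-style lines: every conflict, then each process's stated versus
    achievable RTO.  Third-party dependencies are tagged because their
    objectives come from the vendor's own continuity plan, not yours."""
    lines = []
    for proc, dep, metric, want, have in find_objective_conflicts(bia, deps):
        tag = " (third party)" if bia[dep]["kind"] == "third_party" else ""
        lines.append(f"{proc} needs {metric.upper()} {want}h but depends on "
                     f"{dep}{tag} with {metric.upper()} {have}h")
    for proc in deps:
        lines.append(f"{proc}: stated RTO {bia[proc]['rto']}h, achievable "
                     f"{effective_rto(proc, bia, deps)}h")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In the sample data the online banking process states a 4-hour RTO but cannot be back in under 24 hours because of the payment gateway, and the authentication service's 2-hour RTO is undercut by the 6-hour alternate-site network. Those are the findings an auditor writes up under internal and external dependency risk; the same check run on the actual BIA export and vendor SLAs replaces a judgement call with a reproducible result.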

Common Plan Risks
Adequacy of detailed recovery procedures
Alternate site activation
Network
System recovery and start-up
Application
Testing
Test schedule
Does test judge adequacy of the plan?
Staff rotated?
Surprise testing
Written report of results
Common Plan Risks
Plan maintenance
Schedules
Adequacy of scheduled maintenance
Sufficiency of testing coverage
Documentation updates
Approval
Accountability
Employee education and awareness
Overall: Does the plan make sense?
Example Assessment Results
[Spider graph: maturity scores on a 0-5 scale for Business Continuity Plan Management; BCM Policy, Standards, and Procedures; Business Impact Assessment; Risk Assessment; Documentation; and Plan Testing, with the current assessment plotted against the target]
This spider graph is an example of the assessment results and maturity target for a specific enterprise.
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 25
Key Takeaways
Management and boards are becoming increasingly
aware of the need for BCM
Funding and resources are becoming available
Think about BCM when processes or technology
change
Effective planning (BIA, risk assessment, etc.) and
testing keep the program focused and optimized and help
minimize costs
Resources are at your disposal
Find a way to audit plan components at least annually
CASE STUDY EXAMPLES
Case Study 1
Client: A global financial services organization
Problem Statement:
Maintenance and financial overhead: multiple primary and DR data centers in the US and the rest of the world
Risk to the business: some of the primary and DR data centers were geographically close to each other
Compliance risk: some consumer finance application DR environments were hosted in externally managed data center facilities to offset the DR risk created by the geographically close data centers
Unorganized IT environment portfolio: business units had IT environments spread across multiple data centers
Excessive network usage due to primary-to-DR site replication
Identified Solution:
Devised a strategy to pair the US data centers (two primary and two DR) in the Southwest and Midwest US
Moved all externally hosted application environments to internal DR data centers
Revalidated application availability SLAs for DR with the business
Implemented guiding principles for business units to host IT environments in a defined set of data centers
Tactical and Strategic Benefits Achieved:
Regional disaster risks to the business were mitigated
Strategic cost and effort savings realized from consolidation and newer-technology data centers
An organized portfolio of IT environments achieved through rearrangement and optimization

Case Study 2
Client: A global financial services client (Banking and Capital Markets, Wealth Management)
Problem Statement:
Compliance, operational and business risk: three regulatory MRAs (Matters Requiring Attention) for business continuity in e-commerce and online banking
Multiple data centers in the US and worldwide; the business continuity requirements still needed attention
Identified Solution:
MRA remediation actions were identified to provide three fully redundant data centers to support the services. Each data center carried 100%+ capacity, so the services could withstand an N-2 data center failure (any two of the three data centers lost)
Supported remediation of the MRAs, including governance development, architecture reviews, and BCP/DR remediation support for e-commerce and online banking
Tactical and Strategic Benefits Achieved:
MRA remediation was achieved
Business, operational and compliance risks were mitigated

Case Study 3
Client: A global financial services client, an industry-leading insurance company
Problem Statement:
The client recently began integrating its offices and operations in over 40 countries. Regional and local country offices have evolved independently over the last 15 years, and merger and acquisition activity has kept adding to the firm's technology footprint.
A foundational global technology integration program has started consolidating international Active Directory domains and selected local country corporate applications into a centrally hosted, third-party managed data center service provider.
Several countries have indicated that they currently have their own local country DR/BCP services, processes and support providers, and that the global AD consolidation program will cut connectivity to their local DR sites and disrupt current BCP processes and plans.
Identified Solution:
Because the independent country infrastructures and technology hosting/DR strategies vary, intermediate approaches had to be developed on a country-by-country basis to preserve DR and BCP continuity while the global technology consolidation program continues.
Through the program/country relationship management framework Ernst & Young has implemented across 40 countries, it has the visibility and access to help the client facilitate intermediate-step DR solution design and implementation across multiple technical, compliance and country organizations, resolving DR connectivity and continuity issues while the global technology consolidation program continues. Initial regional and country discussions have started and will continue over the life of the program.
Tactical and Strategic Benefits Achieved:
Tactical local country DR strategies and solutions can maintain local country continuity and connectivity while the global technology consolidation program completes.
Longer-term DR strategies and programs can be developed and implemented worldwide once the organizations and infrastructure have reached a higher level of globally integrated maturity.

SESSION TWO RECAP
Q&A
AUDIENCE PARTICIPATION EXERCISE
(WHO HAS THE BEST BC OR DR AUDIT FINDING?)
For More Information
Dan Stavola
Executive Director, Ernst & Young LLP
PMP, ITIL


dan.stavola@ey.com
+1 212 773 5767


Marlin Ness
Executive Director, Ernst & Young LLP
PMP, CGEIT, CRISC, CISSP
DoD CIO Certified

marlin.ness@ey.com
+1 312 879 3312

The views expressed herein are those of the presenters and do not necessarily reflect the views of Ernst & Young LLP.
Asheesh Bajaj
Manager, Ernst & Young LLP
ITILv3, BCPP, Quality

asheesh.bajaj@ey.com
+1 980 422 2955

Collaborate, Contribute, Connect
The Knowledge Center is a collection of
resources and online communities that
connect ISACA members globally, across
industries and by professional focus - under
one umbrella. Add or reply to a discussion,
post a document or link, connect with other
ISACA members, or create a wiki by
participating in a community today!
http://www.isaca.org/Knowledge-Center
