
BCM

PRESENTATION
LOCATION : INTAN
DATE : 30TH JUNE 2010
Agenda

Organization Chart

Overview Risk Assessment


ORGANIZATION CHARTS
Business Continuity Management Framework

Mandate by Board / Top Management

Management Operations Risk Committee (MORC), Board Risk Management Committee (BRMC)

BCM Secretariat Role & BCM Team Role

Plan Readiness | Human Readiness | Infrastructure Readiness | Monitoring

BCM Framework: British Standard 25999-1:2006
Risk Management Department, Organization

Board Risk Management Committee
Chief Executive Officer
Senior General Manager

Sections:
• MIS/Analytics Section
• Investment Risk Section
• Credit Risk Section
• Operational Risk Section

Units:
• Independent Assessment Unit (Corporate Financing, Property Investment & Private Equity)
• Risk Policy and Modelling Unit
• Market Risk Unit
• ‘Corporate Risk Scorecard’ (CRS) Unit
• ‘Business Continuity Plan’ (BCP) Unit

Currently reporting to the Investment Risk Section
Development of BCM Programme in Organization
OVERVIEW RISK ASSESSMENT
Risk Assessment Overview

What?

Risk Assessment can help us to:

a) Have a list of threats that cause a disruption to the Organization
b) Identify single points of failure
c) Recommend actions to be taken to reduce the threats – strategy development
Risk Management Process

• Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated.
• Identify Risk: that could ‘prevent, degrade, delay or enhance’ the achievement of an organisation’s business and strategic objectives.
• Analyse Risk: consider the range of potential consequences and the likelihood that those consequences could occur.
• Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes.
• Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’.
• Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies.
• Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process.

[Diagram: ESTABLISH THE CONTEXT, IDENTIFY RISKS, ANALYSE RISKS, EVALUATE RISKS, TREAT RISKS, with COMMUNICATE AND CONSULT and MONITOR AND REVIEW alongside; IDENTIFY, ANALYSE and EVALUATE RISKS grouped as RISK ASSESSMENT]

Extracted from ISO 31000:2009 Risk Management Standard.
Note that: Identify, Analyse and Evaluate Risks are collectively grouped as ‘Risk Assessment’.
Organization BCM Methodology
Risk Management Process – Identify Risk

Business Function:
• Plan: The development of the procedures / work flow
• Human: Understanding of the procedures
• Work Place: The equipment and others to support the work

5-Jul-10 Risk Management Department


Risk Assessment Overview

Impact of Disaster on Organization


Quantitative and Qualitative Impact

Quantitative Impact
1. RM143 MILLION*: Average contributions applications that cannot be processed per day
2. RM90 MILLION*: Average withdrawals applications that cannot be processed per day
3. RM83 MILLION*: Average potential investment earnings that may be lost per day

Qualitative Impact
1. Non-adherence to customer charter
2. Unable to fulfil national social responsibility

*Source: KWSP Annual Report 2008
Organization BCM Methodology
Risk Management Process – Analyze The Risk

Business Function: Plan, Human, Work Place

List of Causes
• Natural disaster
• Man made Disaster
• Health and Safety
• IT System
• Utility Failure
• etc


Risk Assessment – Evaluate the risk
Impact of Disaster on Organization
Cause and Effects Matrix

EFFECTS: Building Affected | IT Systems Affected | Services Affected | Reputation Affected | People Affected

CAUSES
Natural Disaster
• Earthquake ✓ ✓ ✓ ✓ ✓
• Flood ✓ ✓ ✓ ✓ ✓
• Tsunami / Typhoon ✓ ✓ ✓ ✓ ✓
Health and Safety
• Haze ✓ ✓
• Epidemic (SARS, Bird Flu) ✓ ✓ ✓
• Epidemic (poisonous gas, canteen contamination, Anthrax) ✓ ✓ ✓
Security Threats
• Explosion ✓ ✓ ✓ ✓ ✓
• Riot & Civil Commotion ✓ ✓ ✓ ✓ ✓
• Hostage / Key staff unavailable ✓ ✓ ✓
• War ✓ ✓ ✓ ✓ ✓
• Fire / Arson ✓ ✓ ✓ ✓ ✓
IT System
• IT System Failure ✓ ✓ ✓
• IT Security Compromised ✓ ✓ ✓
Utility Failure
• Power Outage ✓ ✓ ✓ ✓
• Water Outage ✓ ✓ ✓ ✓
• Telecommunication Outage ✓ ✓ ✓
Others
• Outsource Party Terminated ✓ ✓

Consulting Services for Business Continuity Plan, 25 November 2005
Risk Assessment – Evaluate The Risk
Organization Disaster
Impact of Disaster on Organization
Organization Location Disaster
Organization is affected by the worst-case scenario whereby the disaster happens at the most inopportune time

Columns: Location | Processes (Registration, Contribution, Withdrawal, Enforcement, Fraud, Investments, Rship & Channel Mgt, Support Services) | Remarks

Disaster at Headquarters
• Processes: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (EPF1, EPF 3 and EPF4 Record Keeping; Form A Record Keeping; Deceased, Pension; Prosecution services; Investment; myEPF, Email enquiries; 10 support systems)
• Remarks: EPF forms, legal docs destroyed, affected.

Disaster at IT Data Centre
• Processes: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (Key IT system services)
• Remarks: IT Core Systems affected, key services at State / Branch affected.

Disaster at Processing Office
• Processes: ✓ ✓
• Remarks: Reroute to other processing office.

Disaster at EPF Institute
• Processes: ✓ ✓ (Call Centre; Training)
• Remarks: Services delayed and routed to other location

Disaster at a State Office
• Processes: ✓ ✓ ✓ ✓ ✓ ✓ ✓
• Remarks: Reroute to other state office

Disaster at a Branch
• Processes: ✓ ✓ ✓ ✓ ✓ ✓ ✓
• Remarks: Reroute to other branch

Consulting Services for Business Continuity Plan, 14 February 2006
Risk Assessment Outcome

Disaster
Disasters are defined in 2 categories:

Organization Disaster: impacts Organization through widespread and overall total degradation of operations and service delivery

Location Disaster: impacts only the affected branch office but does not degrade the branch’s overall operations and service delivery
STEP-BY-STEP APPROACH
How To

Identify Causes & Consequences

Identify Primary Controls (preventive, detective and corrective) and Secondary Controls and Effectiveness

Identify action plans to mitigate the risks
Risk Assessment

How often?

Evaluated if:
a) There are significant changes in the internal business process, locations or technology
b) There are significant changes in the external environment – e.g. regulatory changes
c) Part of BCM annual programmes
Risk Assessment

Key success factors?

a) Get support from the management
b) Commitment from the various parties – staff, Heads of Department, suppliers etc.
c) Identify the scope of RA, BIA – all of the organization, or some part of the business
d) Understand the key business processes, so that we can identify the risks and respond to them.
e) Document the risks for knowledge, training and audit trail
f) Keep it up to date and reflecting the changes in the organization
Organization BCM Methodology
How we know that we are ready

BCM – Monitoring
Framework
Plan
• Action driven
• Simple and concise
• Checklist:
• Generic
• Worst nightmares
• Roles & responsibilities
• Team recovery
• Reference material
• Listings
• Contact numbers
• Review Strategy, Plan, MRR, BIA, RTO

Human
• Succession planning
• Right nominations
• Ability
• Authority
• Specialists
• Clear roles
• Trained personnel
• BCM Awareness
• Training programme – Call Tree, Walkthrough, Crisis Simulation, Tutorial

Infrastructure
• Command centre
• Business facilities
• Customer areas
• Meeting rooms
• Resources
• Equipment
• Furniture
• Vendor agreements
• Communications
• Testing of Equipment
• War chest update
• Site Design

Monitoring
• Monthly Status from the Department / Branches
• SLA
• Customer Survey
Thank You
