
ISO22301 BCM Framework

for Managing Disaster

Presented by : Surjandy, S.Kom, MM

Surjandy, S.Kom, MM

(Surjandy@gmail.com)

Educational background
1995 STMIK Bina Nusantara (S.Kom)
2007 University Bina Nusantara (BiNus Business School MM Executive)

Professional Certification
2010 BCCS (Business Continuity Certified Specialist)
2009 BSMR Level 1 (Badan Sertifikasi Manajemen Resiko)

My Background

Surjandy, S.Kom, MM
1990 Bank Harapan Sentosa
1992 Senior System Analyst & Programmer (UniBank)
1994 IT Auditor (Dipo International Bank)
1994 Head of Application Development & Support (Bank Arya Panduarta/Nova Scotia Bank of Canada)
1999 Technology Risk Management ABN Amro Bank N.V
2006 Head of Business Continuity Management ABN Amro Bank N.V/The Royal Bank of Scotland
2010-2013 IT Consultant PT Santech Innovation
2010-Now FM BiNus University
2014-Now PT Navan Artha Cakra
2015-Now Professional BCM Consultant

My Background

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events [1] or to maximize the realization of opportunities. Risk management's objective is to assure that uncertainty does not deflect the endeavor from the business goals.

Risk Management
- Controllable/manageable
  example : Leasing, Loan, Credit Card, etc
- Uncontrollable/unmanageable
  Business Continuity Management

What is Risk Management ?

Risk Management
* Proactive
* Before the fact
Audit
* Reactive
* After the fact

Audit vs Risk Management ?

Understand and prioritize the threats to your business with the international standard for business continuity.
ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents.

Business Continuity Management ?


Project Plan
Risk Assessment
Business Impact Analysis & Continuity Requirement Analysis
Recovery Strategy & Plan Development
Testing, Simulation & Awareness Training
Document Validation / Update / Review
(the cycle runs around Business Continuity Management)
Business Continuity Management Framework ?

PROTECT

People
Information
Process
Assets

Purposes of BCM ?

Incident
Accident
Disaster

Incident -> No financial loss
Accident -> Low to Med financial loss
Disaster -> High to unexpected financial loss
Risk Reduction & Mitigation
Response
Recovery
Return

Stages of Disaster

Disaster is an event that might happen
Anytime
Suddenly
Destructive
Unplanned

What is Disaster ?

Can we avoid Disaster ?
NO.
What can we do with disaster ?
Minimize the impact of the disaster
HOW ?

What is Disaster ?

Major disasters require a different form of management because of the extreme conditions.
(Extreme Management in Disaster Recovery, P S Brandon, Procedia Engineering (2011), 84-94)

Disaster Management

More than 5000 people killed by technological disasters

Disaster Impact to human & business

The use of mobile phones to spread information that is not only unverified but can also be manipulated ad hoc

Technology has also facilitated new forms of abuse; videoconferencing has been used by people traffickers

How does Technology create a disaster ?

2011 Japan EQ Economic Impact

most of the 337 private firms had to close down, and of these 90% went bankrupt within 6 months

Why does an EQ impact the economy ?

System Outage Nightmare Example: Virgin Blue's Reservation Desk
Customers of Virgin Blue were really upset when they couldn't board their scheduled flights during an outage that lasted up to 11 long days. The outage fired up a lot of negative press, as well as costing the company millions in profits.

In September 2010, Virgin Blue's check-in and online booking systems went down. Virgin Blue suffered a hardware failure on September 26, and a subsequent outage of the airline's internet booking, reservations, check-in and boarding systems. The outage severely interrupted the Virgin Blue business for a period of 11 days, affecting around 50,000 passengers and 400 flights, and service was restored to normal on October 6. (Virgin Blue IT outage hit profit by up to $20M)
The Results: Virgin Blue's reservations management company, Navitaire, ended up compensating Virgin Blue for up to $20 million. (Navitaire booking glitch earns Virgin $20M in Compo)

Financial Impact of IT Service Distribution

Misconfigurations Have Major Impact on Performance

The IT Process Institute's Visible Ops Handbook reports that "80% of unplanned outages are due to ill-planned changes made by administrators ('operations staff') or developers." (Visible Ops). Getting to the bottom of the matter, the Enterprise Management Association reports that 60% of availability and performance errors are the result of misconfigurations: the little changes that are made to the environment and system configuration parameters all the time.
A recent Gartner study projected that "Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues." (Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures)
Manual configuration errors can cost companies up to $72,000 per hour in Web application downtime. While application maintenance costs are increasing at a rate of 20% annually, 35% of those polled said at least one-quarter of their downtime was caused by configuration errors. (How much will you spend on application downtime this year?)

Source : http://www.evolven.com/blog/2011-devastating-outages-major-brands.html

Financial Impact of IT Service Distribution

BCM Awareness Training
* ABN Amro/RBS Disaster
* Flood & FIRE Disaster

Bali Branch Disaster


Use improper AC type

Fire Disaster

Financial Impact of Disaster

Video

Facebook Data Center

Data Center - Introduction

Fire, will we lose our job ?

Where should we work now ?

Data Center Disaster
Video 1 (Server Room Flooding)
Video 2 (Vodafone DC Flooding)

Data Center Disaster

Does IT have a strategy to deal with it ?
YES

IT Disaster & Recovery Strategy
Place - Disaster & Recovery Center (DRC)
Procedure - Disaster & Recovery Procedure (DRP)

The strategy ?

There are 3 strategies in making IT DRP
Hot (The shortest Recovery Time Objective & Recovery Point Objective): 90% of h/w, s/w, network & DB are the same between the Data Center and the Data Recovery Center (we can say 2 Data Centers at different locations)

How to make IT Disaster Recovery

There are 3 strategies in making IT DRP
Warm (50% ready): H/W, S/W exist but need to be updated; the IT team requires a longer time (RTO & RPO) to activate the Data Recovery Center
Cold (25% ready - The longest RTO & RPO)

How to make IT Disaster Recovery
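As an added example (not from the slides), the RTO/RPO reasoning behind choosing Hot, Warm or Cold can be written as a small selection routine: it takes each system's Business Impact Analysis requirement and returns the cheapest tier whose achievable RTO and RPO both fit. The readiness percentages follow the slides; the activation times, replication intervals, restore time and relative costs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DrOption:
    """A DRC tier (Hot/Warm/Cold). Readiness % follows the slides; the hours
    and the relative cost are constructed assumptions for this example."""
    name: str
    readiness_pct: int        # share of h/w, s/w, network & DB already in place
    activation_hours: float   # time for the IT team to bring the DRC up
    replication_hours: float  # how stale the DRC copy of the data may be
    monthly_cost: int         # relative cost, used only to rank options

@dataclass(frozen=True)
class ContinuityRequirement:
    """One Business Impact Analysis result for a system."""
    system: str
    rto_hours: float          # Recovery Time Objective
    rpo_hours: float          # Recovery Point Objective

TIERS = [
    DrOption("Hot", 90, activation_hours=1, replication_hours=0.25, monthly_cost=100),
    DrOption("Warm", 50, activation_hours=8, replication_hours=24, monthly_cost=40),
    DrOption("Cold", 25, activation_hours=48, replication_hours=168, monthly_cost=10),
]

def achievable_rto(opt, full_restore_hours):
    """Activate the DRC, then rebuild the share of the stack that is not ready."""
    return opt.activation_hours + full_restore_hours * (100 - opt.readiness_pct) / 100

def select_tier(req, options=TIERS, full_restore_hours=8.0):
    """Cheapest tier meeting both RTO and RPO; None means no listed option
    can reach the BIA target and the gap must be escalated, not ignored.
    Worst-case data loss (achievable RPO) is one full replication interval."""
    fits = [o for o in options
            if achievable_rto(o, full_restore_hours) <= req.rto_hours
            and o.replication_hours <= req.rpo_hours]
    return min(fits, key=lambda o: o.monthly_cost, default=None)

def recovery_plan(requirements, options=TIERS):
    """Map each system to the chosen tier name, or None when unmet."""
    return {r.system: (t.name if t else None)
            for r in requirements for t in [select_tier(r, options)]}

# Constructed BIA output for four systems (not from the slides)
SAMPLE_BIA = [
    ContinuityRequirement("core banking", rto_hours=4, rpo_hours=1),
    ContinuityRequirement("internal email", rto_hours=24, rpo_hours=24),
    ContinuityRequirement("archive reporting", rto_hours=72, rpo_hours=168),
    ContinuityRequirement("payment switch", rto_hours=1, rpo_hours=0.1),
]
```

Running `recovery_plan(SAMPLE_BIA)` maps the first three systems to Hot, Warm and Cold respectively and leaves the payment switch at None, which is the case the BIA must send back to the business rather than silently accept.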

IT DR Strategy

Video

CA

Illustration of IT DR

After having a DRP, are we ready to deal with disaster ?
NO

IT DRP should be maintained
Update regularly, especially if there are critical changes (system, organisation, application etc)
Test regularly

Does IT DR ready ?

Testing Strategies

People (Call Tree/Escalation Tree)
(Do a simulation if possible in the classroom)

Table Top (Discussion)

System & application testing
Partial (O/S -> Infrastructure -> Application & DB)
Full Testing

How to test ?

Show Time

(15 mins)

Video ABN Amro Bank of Lassale

Question ?

Thank You
