Session 5: Business Continuity, with Business Impact Analysis

Session 5: Business Continuity, with Business Impact Analysis
By: Tuncay Efendioglu, Acting Director, Internal Oversight Division, WIPO; Pierre-François Gadpaille, Audit Specialist (Information Systems), ADB
10 September 2015

Agenda
- Objectives
- Business Continuity Management Lifecycle
- WIPO and ADB: Organization Background
- Business Continuity Management (BCM) Journey
- Experience and challenges in creating/reviewing Business Continuity Management Systems
- Final Thoughts
- Questions

Objectives
- To provide an overview of the BCMS structure in WIPO and ADB
- To share our respective organizations' experience in implementing a BCMS
- To highlight focus areas and challenges in conducting BC-related audits

Business Continuity Management Lifecycle (figure: Policy and Program Management at the centre, surrounded by Embedding BC, Analysis, Design, Implementation and Validation). Source: Business Continuity Institute

World Intellectual Property Organization - WIPO
- Established in 1883 as BIRPI in Geneva
- Became a UN Agency in 1974
- 1,250 staff from 114 countries
- 188 Member States
- 740m Swiss Francs biennial budget
- Custodian of 24 multilateral treaties
- Main Governance Bodies: WIPO General Assembly, WIPO Coordination Committee, WIPO Program and Budget Committee

WIPO - services
- Global forum for intellectual property policy, services, information and cooperation.
- Assists member states in developing an international IP legal framework to meet society's evolving needs.
- Provides business services to obtain IP rights in multiple countries and to resolve disputes.
- 94% of WIPO's expenditure is funded from income generated by fee-paid services (unique in the UN System)
- The users of these services largely consist of private commercial enterprises

BCMS in WIPO
WIPO experience so far:
- Previous BCMS efforts were largely IT driven
- Management buy-in takes time due to misunderstandings regarding ownership, responsibilities and process
- BCM implementation viewed as yet another project by stakeholders, leading to lack of adequate involvement

BCMS in WIPO
- Part of a broader framework: Organizational Resilience Management System (ORMS)
- ORMS policy is based on the UN Secretariat's policy
- ORMS includes business continuity, security support, crisis communications and incident response
- BC Coordinator (BCC) in post to oversee WIPO implementation of BCM

WIPO: Aligning with ISO 22301
- Easily used checklists
- Plan review and audit
- Business Impact Analysis - streamlined and efficient
- Timelined plan development in distinct packs
- Familiarisation training
- Plan exercising
- Rehearsal of staff roles

WIPO BCMS: Current Focus Areas
- Framework development
- Business Impact Analysis (BIA)
- Incident Response
- Continuity recovery strategies
- Maintenance, exercise, review

WIPO BCMS: Plan Development
- Incident Response, Crisis Management
- Department Recovery, Stakeholder Communication
- Integrated with IS DR plans

WIPO BCMS: Implementation Challenges
- Multiple committees already exist; all have a stake in implementation
- Coordination among the stakeholder groups
- Every function considers itself to be a critical function; sensitivities need to be managed
- Nature of information processed by certain functions makes sharing ideas and recovery plans inappropriate

WIPO BCMS: Audit Challenges
- Always in a state of implementation; never a suitable time for an audit
- Requires coordination with multiple internal functions
- Resistance to changes in terminology
- Divisional BCM awareness and maturity not consistent
- Need to balance expectations of multiple stakeholders when assessing the state of the BCMS (member states, customers etc.)

Business Continuity & Internal Audit = Resilience!
(figure: three-lines-of-defence model, with Board / Audit Committee and Senior Management above, and External Audit and Member States outside)
- 1st line of defence: Management (Resilience Strategy; Infrastructure - Facilities; Infrastructure - Security; Infrastructure - Information Systems; Critical department implementation; Support department implementation)
- 2nd line of defence: Business Continuity (Policies; BC Coordination; BC standardisation; BIA / plans / training; Coordinated monitoring / testing / review; Stakeholder engagement; Business case planning)
- 3rd line of defence: Internal Audit (Sample testing plans; Recovery time evidence; Training guidance; Plan testing outcomes; Employee preparedness; Contractor readiness; Impact of regulation changes)

Asian Development Bank
- 2,997 employees from 60 of its 67 members
- $22.93 billion in approved financing in 2014
- Provides loans, technical assistance and grants for a broad range of development activities
- Manila HQ, 32 field offices
- www.adb.org

The Philippines (map slide)

ADB Headquarters
- Headquarters in Manila; most staff live within Metro Manila
- 28 Departments and Offices
- Relatively centralized
- Very near 2 active faults
- Probably in the best building in Metro Manila

ADB's BCM Journey
Drivers: (1) delivery of financial commitments; (2) protect triple-A rating; and (3) mitigate major risks to operations
Timeline:
- 2002: first BIA
- 2005: Board Paper on BC Strategy
- 2006: Testing
- 2008: In-country & Offshore recovery site
- 2011: BIA update
- 2014: ISO 22301 Certification
- 2015: BIA Update

Integrated Disaster Recovery Test (lifecycle stage highlighted: Validation)
- Actual exercise of the plan
- Testing in 2 recovery sites
- Involves critical user departments
- Shadowing exercise by IA
Image source: www.dreamstime.com

Integrated Disaster Recovery Testing: from DR testing to BC testing
- Realistic scenario and clear test objectives
- Commissioning process and time objectives
- Contractors and 3rd-party providers
- Logistics
- Backup and catch-up procedures
- Restitution

Business Impact Analysis Audit (lifecycle stage highlighted: Analysis)
- Heart of the BCMS
- Audit of BIA and Risk Assessment
- Benchmark against comparators
- Survey of users
Image source: www.tdvcloud.com

Business Impact Analysis Audit (figure: Strategic / Tactical / Operational levels)
- Strategic: Management involvement; Risk appetite definition; Wide area disaster scenario; Products before processes
- Tactical: Interdependencies between processes; Process ownership
Patterned after: The Business Continuity Institute

Business Impact Analysis Audit (figure: Strategic / Tactical / Operational levels, continued)
- Operational: Operational concentration risk; Volume of operations to recover
Patterned after: The Business Continuity Institute

Final Thoughts
- Organizational Resilience comes true through partnership between IA and the BCM team
- IA should participate in BC drills and look closely at the BIA
Image source: www.dreamstime.com