Session 5: Business Continuity, with Business Impact Analysis. By: Tuncay Efendioglu, Acting Director, Internal Oversight Division, WIPO; Pierre-François Gadpaille, Audit Specialist (Information Systems), ADB. 10 September 2015
Agenda: Objectives; Business Continuity Management Lifecycle; WIPO and ADB: Organization Background; Business Continuity Management (BCM) Journey; Experience and challenges in creating/reviewing Business Continuity Management Systems; Final Thoughts; Questions
Objectives: To provide an overview of BCMS structure in WIPO and ADB; To share our respective organization's experience in implementing a BCMS; To highlight focus areas and challenges in conducting BC-related audits
Business Continuity Management Lifecycle [diagram: Analysis; Validation; Policy and Program Management & Embedding BC; Design; Implementation]. Source: Business Continuity Institute
World Intellectual Property Organization - WIPO: Established in 1883 as BIRPI in Geneva; Became UN Agency in 1974; 1,250 staff from 114 countries; 188 Member States; 740m Swiss Francs Biennial Budget; Custodian of 24 multilateral treaties; Main Governance Bodies: WIPO General Assembly, WIPO Coordination Committee, WIPO Program and Budget Committee
WIPO - services: Global forum for intellectual property policy, services, information and cooperation. Assists member states in developing international IP legal framework to meet society's evolving needs. Provides business services to obtain IP rights in multiple countries and resolving disputes. 94% of WIPO's expenditure is funded from income generated by fee-paid services (unique in the UN System). The users of these services largely consist of private commercial enterprises.
BCMS in WIPO. WIPO experience so far: Previous BCMS efforts were largely IT driven; Management buy-in takes time due to misunderstandings re ownership, responsibilities, process; BCM implementation viewed as yet another project by stakeholders, leading to lack of adequate involvement
BCMS in WIPO: Part of a broader framework, Organizational Resilience Management System (ORMS); ORMS policy is based on the UN Secretariat's policy; ORMS includes business continuity, security support, crisis communications and incident response; BC Coordinator (BCC) in post to oversee WIPO implementation of BCM
WIPO Aligning with ISO 22301: Easily used checklists; Plan review and audit; Business Impact Analysis - streamlined and efficient; Timelined plan development in distinct packs; Familiarisation training; Plan exercising; Rehearsal of staff roles
WIPO BCMS Current Focus Areas: Framework development; Business Impact Analysis (BIA); Incident Response; Continuity recovery strategies; Maintenance exercise review
WIPO BCMS Plan Development: Incident Response, Crisis Management; Department Recovery, Stakeholder Communication; Integrated with IS DR plans
WIPO BCMS Implementation Challenges: Multiple committees already exist. All have a stake in implementation. Coordination among the stakeholder groups. Every function considers itself to be a critical function. Sensitivities need to be managed. Nature of information processed by certain functions makes sharing ideas and recovery plans inappropriate.
WIPO BCMS Audit Challenges: Always in a state of implementation; Never a suitable time for an audit; Requires coordination with multiple internal functions; Resistance to changes in terminology; Divisional BCM awareness and maturity not consistent; Need to balance expectations of multiple stakeholders when assessing the state of BCMS (member states, customers etc.)
Business Continuity & Internal Audit = Resilience! Board / Audit Committee Senior Management 1st line of defence 2nd line of defence 3rd line of defence Management Resilience Strategy Infrastructure - Facilities Internal Audit Business Continuity Policies BC Coordination BC standardisation BIA / plans / training Infrastructure - Security Infrastructure Information Systems Critical department implementation Support department implementation Coordinated monitoring / testing / review Stakeholder engagement Business case planning Sample testing plans Recovery time evidence Training guidance Plan testing outcomes Employee preparedness Contractor readiness Impact of regulation changes External Audit Member States
Asian Development Bank: 2,997 employees from 60 of its 67 members; $22.93 billion in approved financing in 2014; provides loans, technical assistance and grants for a broad range of development activities; Manila HQ; 32 field offices; www.adb.org
The Philippines
ADB Headquarters: Headquarters in Manila; Most staff live within Metro Manila; 28 Departments and Offices; Relatively centralized; Very near 2 active faults; Probably in the best building in Metro Manila
ADB's BCM Journey: (1) delivery of financial commitments; (2) protect triple-A rating; and (3) mitigate major risks to operations. 2002: first BIA; 2005: Board Paper on BC Strategy; 2006: Testing; 2008: In-country & Offshore recovery site; 2011: BIA update; 2014: ISO 22301 Certification; 2015: BIA Update
Integrated Disaster Recovery Test [lifecycle diagram: Analysis; Validation; Policy and Program Management & Embedding BC; Design; Implementation]. Validation: Actual exercise of the plan; Testing in 2 recovery sites; Involves critical user departments; Shadowing exercise by IA. Source: www.dreamstime.com
Integrated Disaster Recovery Testing: From DR testing to BC testing; Realistic scenario and clear test objectives; Commissioning process and time objectives; Contractors and 3rd party providers; Logistics; Backup and catchup procedures; Restitution
Business Impact Analysis Audit [lifecycle diagram: Analysis; Validation; Policy and Program Management & Embedding BC; Design; Implementation]: Heart of the BCMS; Audit of BIA and Risk Assessment; Benchmark against comparators; Survey of users. Source: www.tdvcloud.com
Business Impact Analysis Audit [diagram levels: Strategic; Tactical; Operational]. Strategic: Management involvement; Risk appetite definition; Wide area disaster scenario; Products before processes. Tactical: Interdependencies between processes; Process ownership. Patterned: The Business Continuity Institute
Business Impact Analysis Audit [diagram levels: Strategic; Tactical; Operational]: Operational concentration risk; Volume of operations to recover. Patterned: The Business Continuity Institute
Final Thoughts: Organizational Resilience comes true through partnership between IA and BCM team; IA should participate in BC drill and look closely at the BIA. Source: www.dreamstime.com