Business Continuity Management Forum

This blog was started after the BCLE2000 course conducted by DRI-Asia (Singapore). It provides a platform for business continuity planners around the world to share information and brainstorm ideas.

Mission of this site: Build Resiliency, Ensure Viability

Disclaimer: All information on this site is purely for informational purposes. Authors accept no responsibility for the contents herein. Views expressed and articles posted do not represent any organization whatsoever.

Friday, December 08, 2006

Source: Economic Times - India Times

The tough get going - RAVI PARWAN, TIMES NEWS NETWORK
[ MONDAY, DECEMBER 04, 2006 02:41:58 AM]

"BCP is a constant requirement for all organisations; that is probably why they have chosen me as the moderator for this event. So that mankind is least affected in case some calamity occurs here. I must be their BCP."

This was how Ambarish Das Gupta, head TAS, PwC, started off the ETIG Knowledge Forum on business continuity planning in Mumbai. Also, "I am a consultant and I only know how to ask questions."

On a more serious note, he said that BCP holds special significance for all organisations since the threats to a business are continuously evolving and changing. There is an inverse correlation between the probability and the scale of a disaster.

“We need to have a methodology of assessing the same and devising the amount of investment to mitigate that risk. We were not even aware of any threat to business from terrorism till a few years ago. That changed with 9/11. Now, it is part of any BCP,” he added.

Bimal Basak, executive advisor, TCS, added that 9/11 was a watershed event, which prompted TCS to revamp their BCP data recovery program (DRP). They quickly realised that with a multiple-site and multi-product network their DRP was very cumbersome and expensive. The conditions in the service level agreements (SLA) were also crucial. Getting lower service levels from providers put them in a tight spot with their clients.

Clients wanted a higher and higher amount of service for their sites. This necessitated adoption of newer technologies providing the required better service, higher resilience and redundancy at costs according to the service level. Now, TCS has a system in place that can continue to function even if one centre fails completely.

Arun Dagar, country manager, Singtel, had a very interesting piece of information that he brought to the discussion. "According to a study done in the US, 60% of organisations suffer losses if their normal services are disturbed for more than 48 hrs. And per hour cost can be as high as $250/hour.

There has been a case during the New York Blackout where a company lost $6.75 million within 24 hrs. Another finding was that less than 40% of the companies had a BCP in place." Mr Dagar further added that most companies should look at more reliable communication links as backup so that, in the event of calamity striking, the communication network does not collapse.


Daryl Francis, executive director, Morgan Stanley, gave the example of their communication system that continued functioning during the 9/11 tragedy, thanks to the built in redundancy. This raised another point of debate between outsourcing and in-housing.

He also said that there is a need to segregate people from the data centres so that the risk to any single site is minimised. At the same time, you need to keep in mind whether movement would be possible in the case of any calamity. Therefore, they have now come up with a remote computing solution to overcome that. He also emphasised the need to continuously monitor and upgrade the BCP.

Safir Adeni, CEO, Sitel India, made an excellent point about the unpredictability of the direction from which a threat to business can come. As the CEO of a young organisation, he found out that the world cup happening in Mumbai was an event for which a BCP needs to be in place.

This was because of the high absenteeism it caused. Another pertinent point he raised was the cost of the redundancy built in for a disaster recovery. According to him, the points to focus on while designing a BCP were the timeline and the response time required.

In the end it is the credibility required with the client that is of paramount importance. According to Mr Adeni, the impact of any disaster needs to be measured on the infrastructure, the people, the connectivity and networks and the data. This would help to come up with mitigation plans for each of these areas.

P.S: Thanks to Anthony for sharing.

Monday, September 25, 2006

"Highly anticipated" GAP (draft) from DRJ Editorial Advisory Board’s (EAB) Generally Accepted Business Continuity Practices Committee and DRII. Open for public review. Similar to TR-19 from Spring Singapore. Another source for comparison perhaps?

Got this summary from www.drj.com. More elaborated version (I think) compared to DRII's.

Reorganized them slightly. Agree? ;)

1. Management commitment to the process.
2. Develop a justification document for management approval for the BCP process.
3. Obtain funding for the BCP effort.
4. Determine if you have in-house experience, will be learning the process, or will be bringing in an experienced planner.
5. Perform a risk assessment.
6. Select the appropriate software tool (Word based if less than 1000 employees, or consider database if more).
7. Develop a project plan.
8. Perform a Business Impact Assessment (BIA).
9. Develop recovery timelines, or recovery time objectives (RTO).
10. Develop recovery strategy.
11. Document BCP in-scope coverage and out-of-scope.
12. Document assumptions.
13. Identify recovery teams and select the team leaders.
14. Build your team plan templates to include: response, recovery, resumption of business, reconstruction, and relocation back (the 5 “R’s”, the first three being your focal point).
15. Address required resource requirements, media spokesperson, call notification process, BCP reporting structure, manual work around processes, critical contacts and numbers, process for declaring a disaster, and damage assessment.
16. Build the team plans; when all have been completed, you will have a BCP.
17. Determine plan distribution.
18. Identify and secure work area recovery for the business units and a hot/warm/cold/mobile location for information technology.
19. Ensure information technology backs up and sends those backups to offsite storage.
20. Ensure that business, support, and information technology store copies of critical documentation offsite.
21. Select and stock a command center.
22. Run an exercise on the BCP, a test on the information technology segment, and a drill on the response team.
23. Develop a BCP maintenance schedule.
24. Train existing and new staff members.
25. Ensure that you periodically review the existing hot/warm/cold/mobile location, offsite storage, command center, and work area resources/processes and see if they are still adequate.
26. Remain current on BCP techniques and processes, and become certified at a later date if appropriate.

Friday, September 22, 2006

10 Professional Practices for Business Continuity Professionals

Why is this designation necessary? ;)

Retired Business Continuity Professional (RBCP)
The "Retired" category is reserved for those individuals who have achieved the CBCP or MBCP designation, and who have maintained their certification in good standing, for a minimum of five years prior to retiring from active employment or full or part-time consulting in the Business Continuity Planning profession. Individuals seeking this designation must obtain prior approval from the DRII administrative office. No continuing education activities required.