1. Pre-Planning
    1. Program Initiation & Mgmt
      1. Establish the entity need for BCM
        1. reference relevant legal / compliance requirements
        2. review audit reports
        3. state benefits of BCM and relate them to org. mission & objectives
      2. Obtain mgmt support & commitment for BCM
        1. develop BCM policy
        2. obtain mgmt support & approval
          1. in countries where BC is accepted, senior mgmt is accountable and liable to know the following:
            1. applicable laws
            2. contractual & empl. agreements
            3. applicable industry regulations
        3. identify BCM executive sponsors
        4. obtain executive approval for budget requirements
          1. As a BCM Mgr, your role is to:
            1. clearly define and obtain all necessary requirements to prepare the budget
            2. obtain the executive approval for the budget requirements
          2. typical budget requirements:
            1. storage & replication costs
            2. planning & notifications software
            3. recovery facility
            4. consultation services costs
            5. training costs
            6. labor costs
        5. assignment of BCM SC roles/responsibilities
        6. tie BCM objectives to org. ones
        7. develop BCM budget requirements
        8. define BCM program structure, policies and success factors
      3. Coordinate & manage BCM impl. throughout entity
        1. lead the SC in defining objectives, program structure, policies
        2. develop BCM policies, procedures
        3. clearly define & obtain BCM program resources
        4. identify BCM impl & execution teams
        5. monitor the ongoing budget status
        6. develop project plans
        7. monitor ongoing effectiveness of BCM program
        8. report program status to senior mgmt on regular basis
      4. Role of Executive Mgmt
        1. protect org's assets
        2. assign key functional personnel to required roles
        3. legally liable for the consequences of:
          1. business interruption
          2. loss of critical info
          3. inadequate protection of assets/resources required by law
      5. Role of Steering Committee
        1. providing strategic guidance for BCMP
        2. providing necessary resources to support the BCMP
        3. approve the project scope, objectives and timeframe
        4. assist in defining roles/responsibilities
        5. support BC projects/planner
        6. support/coordination of plan development
      6. Role of Coordinator/planner
        1. obtain mgmt support
        2. gather info relevant to BCMP
        3. organize/manage BCM projects
        4. track/report project progress
        5. manage change
    2. Risk Evaluation & Control
      1. Primary objectives:
        1. identify risks/threats/impacts and vulnerabilities (inherent/acquired)
          1. to achieve a holistic view of risk across the entity, consider:
            1. frequency
            2. probability
            3. speed of development
            4. severity
            5. reputational impact
        2. evaluate effectiveness of current controls
        3. assess, state, and prioritize level of risk
        4. assess threats/vulnerabilities and impact
        5. understand organization's exposure to loss
        6. focus on high-probability and high-impact events
        7. recommend controls/mitigations for the most commonly occurring / highest-impact events
      2. Role of BCM Mgr:
        1. Work with mgmt to standardize risk assessment methodology
        2. develop info gathering activities to identify T/R/V
          1. Forms/questionnaires
          2. interviews
          3. meetings
          4. combination of methods
          5. observations of premises & facilities
          6. documentation review
        3. identify probability/impact of T/R
          1. risks can be under/beyond entity's control
          2. risks can be with/without prior warning
        4. prioritize identified risks
        5. identify & evaluate effectiveness of current controls
          1. preventive controls: to inhibit impact exposure
          2. reactive controls: to compensate for impact exposure
          3. inherent protection of key assets
          4. BC arrangements of external parties the entity depends on
        6. identify business resiliency strategies to manage risks
          1. establish interruption scenarios based on exposed risks
          2. identify trigger points for key services
          3. develop formal risk acceptance documentation
          4. make recommendations on feasible, cost-effective security measures to manage security-related risks
          5. recommend changes to reduce impact due to risks/vulnerabilities, e.g.:
            1. physical protection
            2. CCTV, access control
            3. logical protection
            4. data backup & protection
            5. asset location
            6. off-site data backup for critical information
            7. personnel procedure changes
            8. increased preventive maintenance
            9. duplication of utilities
            10. interface with external agencies
        7. document risk assessment for mgmt approval
          1. prepare risk assessment report
          2. present findings
          3. receive approval on recommendations
          4. proceed to BIA
      3. Definitions:
        1. Risk: potential for exposure to loss (EFFECT)
        2. Threat: a combination of risk, consequences of risk and likelihood that a negative event takes place (CAUSE)
        3. Vulnerability: susceptibility to damage, or a weakness
        4. Impact: effect of an event on the organization
        5. Control: process, procedure or device that reduces loss or deters events
      4. What is Risk Management?
        1. Risk Acceptance/tolerance
        2. Risk Prevention/mitigation
        3. Risk Retention
        4. Risk transfer
      5. Annual Loss Exposure (ALE): Risk = Frequency * Exposure
      6. Cost of Prevention (COP): Cost of Prevention = Probability * Magnitude of Harm
      7. both ALE and COP leave out the time/duration of the event
      8. Risk Management:
        1. Method used: Risk Analysis
        2. Analysis Factors: Impact + Probability
        3. Coverage: All events
        4. Proactive approach
      9. BC Management:
        1. Method used: Business Impact Analysis
        2. Analysis Factors: Impact + Time
        3. Coverage: survival of the organization
        4. Proactive/Reactive approach
    3. Business Impact Analysis
      1. Primary Objectives:
        1. determine business functions and process criticality & time sensitivity
        2. identify interdependencies b/w business functions & processes
        3. assess the losses/impact over time
          1. types of loss/impact:
            1. quantitative: loss identified in quantities or percentages
            2. qualitative: intangible losses with an operational impact that cannot be described in numbers, or losses with a financial impact that cannot be described in numbers
        4. identify the critical resources needed for a recovery
        5. determine recovery objectives for each business function/process
          1. determine prioritization of processes/services
          2. document interdependencies b/w business and technology processes
          3. determine the order of recovery for business functions & technology
          4. Recovery Objectives:
            1. RTO: Recovery Time Objective: time elapsed from the impact until the function is back to normal operation
            2. RPO: Recovery Point Objective: amount of acceptable data loss
            3. MTPD: Maximum Tolerable Period of Disruption: the maximum length of time for which a service disruption is acceptable
        6. determine legal/regulatory requirements
        7. identify vital records
          1. accounting records
          2. engineering & Information & Trade secrets
          3. IT documents: Database backups, Servers backups
          4. any document required for BC and recovery
      2. BCM Mgr Role:
        1. identify criteria used to quantify/qualify the impact from events
          1. customer impact
          2. financial impact
            1. loss of revenue
            2. additional cost to recover
            3. contractual fines and penalties
            4. lawsuits
          3. regulatory impact
            1. fines
            2. penalties
            3. required to pull product off market
          4. operational impact
            1. reduced service levels
            2. increased overtime costs
            3. workflow disruption
            4. loss of controls
            5. inability to meet deadlines
            6. supply chain disruption
          5. reputational impact
            1. media attention
            2. social media
            3. community
            4. shareholder confidence
            5. competitors taking advantage of negative attention
          6. human impact
            1. loss of life & injury
            2. impact to the community
            3. stress
            4. long-term emotional impact
        2. establish BIA process
          1. identify a sponsor for BIA activity
          2. define BIA scope and objectives
          3. choose BIA planning methodology
          4. choose appropriate BIA data collection methodology
        3. plan/coordinate data gathering and analysis
          1. questionnaires: used for remote users
          2. interviews: used for managers; enable interviewees to verify all data gathered
          3. workshops
          4. use a combination of all
        4. gain mgmt approval on BIA methodology and the criteria used
          1. on potential financial/non-financial impacts
          2. on non-quantifiable impacts
          3. establish definition of impact scales (H, M, L)
          4. on final time schedule
          5. identify team members in BIA process
          6. conduct data collection
        5. establish RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for each process/function
        6. document minimum resource requirements for resumption and recovery for core and support business functions & their escalation over time
          1. determine resource requirements (minimum)
            1. internal & external
            2. owned versus non-owned
            3. short versus long term
          2. determine vital records
            1. paper/electronic format
          3. evaluate existing backup/restore procedures to bridge the gap b/w them and recovery requirements
          4. identify the gap b/w current recovery capability and the requirements in the BIA results
        7. prepare & present BIA results to senior mgmt for RTO RPO acceptance for each process defined by BIA results
          1. draft BIA report using initial findings & identified gaps
          2. final BIA report
          3. submit a formal presentation of BIA findings
          4. gain acceptance of RTO, RPO for each process defined in BIA results
          5. Proceed with Developing BC strategies
      3. BIA planning team role:
        1. identify all business processes in their area of responsibility
        2. determine the RTO of each function based on the plan objectives:
          1. maintain public image/reputation
          2. maintain financial controls
          3. maintain revenue
          4. minimize customer loss
          5. ensure regulatory compliance
      4. BIA methodology:
        1. prioritize business functions/processes based on criticality/time sensitivity
        2. recovery objectives for core & support business functions/processes
        3. order of recovery for core & support business functions/processes based on parallel and interdependent activities
      5. BIA Gaps
        1. Resource Gaps = available resources - BIA required resources
        2. Time Gaps = actual recovery time - RTO
        3. Data Gaps = amount of data lost when systems are restored from backups
      6. Result of conducting BIA: identification of essential business functions, processes and operations, and their critical dependencies
    4. Developing Business Continuity Strategies
      1. Role of Planner
        1. Utilize data collected from BIA & RE to identify continuity & recovery strategies for operations that meet BIA's RTOs & RPOs
          1. review recovery requirements for each operations
          2. identify alternative business continuity options
          3. identify available business continuity & recovery strategies
          4. review alternate site options
          5. assess viability of alternative strategies against BIA RTOs
          6. develop cost-benefit analysis
          7. important strategies to consider for continuity:
            1. Reciprocal Agreements (same industry, technology)
            2. internal alternative site in dual-usage space
            3. dedicated alternative site
            4. manual workarounds
            5. displacement
            6. work from home
          8. important strategies to consider for Technology Recovery:
            1. dual data center / high availability
            2. hot site strategies
              1. external hot site
              2. internal hot site
            3. warm/cold site strategies
              1. warm site
              2. cold site
        2. Utilize data collected from BIA & RE to identify continuity & recovery strategies for technology that meet BIA's RTOs & RPOs
          1. strategies for recovery of technology data:
            1. full backup
            2. differential backup
            3. incremental backup
            4. disk mirroring: asynchronous & synchronous data replication
        3. consolidate strategies to reduce cost/complexity
        4. use cost/benefit analysis to assess the cost of implementing strategies against the assets at risk
        5. obtain approval/fund for recommended strategies
          1. use practical & understandable methodology
          2. realistic timeframe for implementation of recovery strategies
          3. concise and specific recommendations for approval
          4. document senior management support
      2. Types of strategies
        1. Continuity Strategies : used for critical business functions/operations
        2. Recovery Strategies: used for NON-critical business functions/operations
      3. RFP: Request For Proposal
    5. Emergency Preparedness & Response
    6. Developing & Implementing BCPs
    7. Awareness & Training Programs
    8. Business Continuity Plan Exercise, Audit & Maintenance
    9. Crisis Communications
    10. Coordination with External Agencies
  2. Planning
  3. Post-Planning
  4. the 10 PPs (Professional Practices) are the body of knowledge used to develop a BC program
  5. they serve as guidance for
    1. BC program development & implementation
    2. a tool for conducting an audit of existing programs
  6. mapped onto the ISO 27001 & FIPS 200 standards
  7. Why BC is important
    1. to safeguard human life
    2. ensure survival of the organization
    3. enable effective decisions in case of crisis
    4. minimize loss of assets, revenue, and customers
    5. comply with legal requirements
    6. facilitate timely recovery of critical business functions
    7. Maintain organization reputation
  8. 3 important elements of BCMP
    1. Scope: documents what is and is not to be recovered
    2. Objectives: deliverables + benefits to the org.
    3. Assumptions: mgmt commitment, funding, and human resources
  9. BC Approaches:
    1. Recovery Protection (non-critical): implementing prioritized actions to return business functions to operation following a disaster
    2. Continuity Protection (critical): implementing advanced actions to respond to a disaster in a manner that critical business functions continue without any interruption
  10. BCM often:
    1. reports to the technology org
    2. is perceived as being only about technology
    3. but concerns most aspects of the org, not only technology
  11. Business recovery is very hard, because:
    1. involves people
    2. human lives have higher priority than recovering the business
    3. requires exercises/tests
  12. Technology Recovery is also very hard, because:
    1. involves people
    2. success of the recovery depends on budget and frequency of exercises/tests
  13. BCM has nothing to do with business growth but everything to do with protecting core assets
  14. Why we need to recover core business functions
    1. Get new business
    2. Service existing customers
    3. Maintain financial control to stay in business
  15. Facts about BC plans:
    1. the org will still lose time, money and resources
    2. real recovery takes longer than in planned exercises
    3. a real disaster requires extraordinary action
    4. not everyone can work from home, and not for all events
  16. Business Drivers for BC/DR plan:
    1. competitive advantage
    2. some customers require it
    3. some industries require it
    4. regulations of BC/DR continue to grow
  17. Reporting to Senior Mgmt should include:
    1. BCM benefits / values
    2. best practices
    3. status/changes to BCMP
    4. formal reports/presentations
    5. industry standards/benchmarks ( competitors)
    6. program compliance and testing results
  18. Emergency Response Team is responsible for Human lives
  19. Crisis Management deals with human lives and organization property
  20. Emergency Preparedness deals with human safety
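As an added worked example (not part of these notes, and not from DRI or any particular BC planning tool), the Python below ties together the BIA Time/Data gap definitions, the RTO/RPO/MTPD objectives, and the "assess viability of alternative strategies against BIA RTOs" and cost/benefit steps from the strategy-development practice: it checks each BIA record for consistency (RTO must not exceed MTPD), measures the gap between the current recovery capability and the objectives, picks the cheapest technology recovery strategy that satisfies both RTO and RPO, and orders processes for recovery by RTO. Every process, strategy, hour figure and cost is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BiaRecord:
    """Recovery objectives for one business process, as produced by the BIA."""
    process: str
    rto_hours: float    # Recovery Time Objective
    rpo_hours: float    # Recovery Point Objective: acceptable data-loss window
    mtpd_hours: float   # Maximum Tolerable Period of Disruption


@dataclass(frozen=True)
class Strategy:
    """A candidate technology recovery strategy and what it can actually deliver."""
    name: str
    recovery_hours: float    # achievable recovery time
    data_loss_hours: float   # achievable data-loss window
    annual_cost: float       # constructed cost figure for the cost/benefit step


# Constructed sample strategies (hypothetical numbers, not vendor figures).
STRATEGIES: List[Strategy] = [
    Strategy("dual data center, synchronous mirroring", 0.5, 0.0, 900_000),
    Strategy("hot site, asynchronous replication", 2.0, 0.25, 500_000),
    Strategy("warm site, nightly incremental backup", 24.0, 24.0, 150_000),
    Strategy("cold site, weekly full backup", 96.0, 168.0, 40_000),
]

# Constructed sample BIA records (hypothetical processes and objectives).
BIA_RECORDS: List[BiaRecord] = [
    BiaRecord("order processing", rto_hours=4, rpo_hours=0.5, mtpd_hours=8),
    BiaRecord("payroll", rto_hours=48, rpo_hours=24, mtpd_hours=72),
    BiaRecord("archive reporting", rto_hours=120, rpo_hours=168, mtpd_hours=240),
]


def validate(record: BiaRecord) -> None:
    """An RTO longer than the MTPD is an inconsistency in the BIA itself."""
    if record.rto_hours > record.mtpd_hours:
        raise ValueError(
            f"{record.process}: RTO {record.rto_hours}h exceeds MTPD {record.mtpd_hours}h"
        )


def gaps(record: BiaRecord, current: Strategy) -> Dict[str, float]:
    """Time gap = actual recovery time - RTO; data gap = actual data loss - RPO.
    Positive values are shortfalls against the BIA; zero or negative means met."""
    validate(record)
    return {
        "time_gap_hours": current.recovery_hours - record.rto_hours,
        "data_gap_hours": current.data_loss_hours - record.rpo_hours,
    }


def is_viable(strategy: Strategy, record: BiaRecord) -> bool:
    """A strategy is viable only if it meets both the RTO and the RPO."""
    return (strategy.recovery_hours <= record.rto_hours
            and strategy.data_loss_hours <= record.rpo_hours)


def select_strategy(record: BiaRecord, strategies: List[Strategy]) -> Optional[Strategy]:
    """Cheapest strategy that meets the objectives, or None if nothing on the list does."""
    validate(record)
    viable = [s for s in strategies if is_viable(s, record)]
    return min(viable, key=lambda s: s.annual_cost) if viable else None


def build_plan(records: List[BiaRecord], strategies: List[Strategy],
               current: Strategy) -> Dict[str, dict]:
    """Order processes for recovery (shortest RTO first), report the gap against the
    current capability, and name the recommended strategy for each process."""
    plan: Dict[str, dict] = {}
    for order, rec in enumerate(sorted(records, key=lambda r: r.rto_hours), start=1):
        chosen = select_strategy(rec, strategies)
        plan[rec.process] = {
            "recovery_order": order,
            "gaps": gaps(rec, current),
            "strategy": chosen.name if chosen else None,
            "annual_cost": chosen.annual_cost if chosen else None,
        }
    return plan


if __name__ == "__main__":
    # Assume the current capability is the cheapest option, a cold site.
    for process, row in build_plan(BIA_RECORDS, STRATEGIES, STRATEGIES[3]).items():
        print(f"{row['recovery_order']}. {process}: {row}")
```

The gap values follow the notes' sign convention (capability minus objective), so a negative time gap such as the archive process's simply means the existing cold site already meets that RTO, while a large positive gap on order processing is the signal that a costlier strategy is needed there, which is exactly the trade-off the cost/benefit step puts in front of senior management.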