CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY BUSINESS CONTINUITY MANAGEMENT FRAMEWORK


Effective Date: 1 July 2016

TABLE OF CONTENTS

GLOSSARY OF TERMS PRIMARY LEGISLATIVE AND REGULATORY PROVISIONS PUBLIC SECTOR AND LEADING PRACTICE PRINCIPLES STANDARDS AND CODES RELATED CITY FRAMEWORKS AND POLICY APPLICABILITY OF BUSINESS CONTINUITY MANAGEMENT FRAMEWORK INTRODUCTION AND BACKGROUND PURPOSE OBJECTIVE AND BENEFITS BCM FUNDAMENTAL PRINCIPLES BUSINESS CONTINUITY MANAGEMENT METHODOLOGY BUSINESS CONTINUITY MANAGEMENT LIFE CYCLE DEVELOPING BUSINESS CONTINUITY PLANS (BCPS) RISK AND VULNERABILITY ANALYSIS BUSINESS IMPACT ANALYSIS (BIAS) BUSINESS IMPACT ANALYSIS (BIAS) PROCESS BUSINESS RESPONSE PLANS (BRPS) BUSINESS RECOVERY PLANS /STRATEGIES BUSINESS RESUMPTION PLAN (BRP) IT CONTINUITY PLAN (ITCP) IT DISASTER RECOVERY PLAN (ITDRP) INCIDENT AND CRISIS MANAGEMENT PLAN (ICM) LINK BETWEEN BCP, EMERGENCY, CRISIS AND DISASTER RECOVERY PLANNING GUIDELINE FOR EMERGENCY EVACUATION PLANS STRIKE MANAGEMENT ACTION PLAN DEVELOPING STRIKE MANAGEMENT ACTION PLAN STRIKE MANAGEMENT GOVERNANCE STRUCTURE DOCUMENTATION DISASTER MANAGEMENT PLAN DEVELOPING DISASTER MANAGEMENT PLAN DECLARATION OF DISASTER TESTING AND EXERCISE OF BUSINESS CONTINUITY PLANS BENEFITS OF BCPS TESTING AND EXERCISE MAINTENANCE OF BUSINESS CONTINUITY PLANS BUSINESS CONTINUITY MANAGEMENT TEAMS TRAINING OF STAFF ON BUSINESS CONTINUITY MANAGEMENT ROLES AND RESPONSIBILITIES BUSINESS CONTINUITY MANAGEMENT GOVERNANCE STRUCTURE 14. RECORDS AND ARCHIVING BUSINESS CONTINUITY MANAGEMENT POLICY INSURANCE AUTHORITY AND APPROVAL OWNERSHIP REVIEW AND APPROVAL

Glossary of Terms

Term: Definition

Executives and Senior Management: Heads of Departments, CEOs and MDs.

BCM Lifecycle: The stages of activity that an organization moves through and repeats with the overall aim of improving organizational resilience.

Business Continuity: The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Continuity Management: A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume and restore to a predefined level of operation following disruption.

Business Impact Analysis (BIAs): A process of analysing critical business operations and the impact that a business disruption might have on them.

Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action.

Disruption: A situation that might be, or could lead to, an interruption of normal business operations.

Recovery Time Objectives (RTOs): Targeted duration of time within which business processes must be restored after a disruption/disaster.

Recovery Point Objectives (RPOs): A maximum targeted period in which data must be recovered after a disruption/disaster.

Business Response Plan: Respond to a disaster during and immediately after it has occurred.

Business Recovery Plan: Recover all other operations that may have been delayed (ancillary functionality).

Business Resumption Plan: Resume time-sensitive operations quickly after a disaster has occurred (critical functionality).

Hot Site: A duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Business resumption at this site could take an estimated few minutes to hours.

Cold Site: Provides office space but does not include backed-up copies of data and information from the original location of the organization, nor does it include hardware already set up. Business resumption at this site could take an estimated 6 weeks.

Warm Site: Offsite location which has hardware and connectivity already established, with minimal backups at hand. Business resumption at this site could take an estimated few days to a week.

Alternate Site: Refers to a temporary re-allocation of people and equipment for a period of time until the normal production environment is restored.

Primary Legislative and Regulatory Provisions

This Framework is developed based on the following legislative and regulatory frameworks:
- Municipal Finance Management Act No 56 of 2003;
- Municipal Systems Act No 32 of 2000, as amended;
- Disaster Management Act 57 of 2002;
- The Occupational Health and Safety Act (85) 1993 (Emergency Preparedness and Response); and
- Labour Relations Act (66 of 1995).

Public Sector and Leading Practice Principles Standards and Codes

The following are relevant standards and best practice principles taken into consideration in developing this framework:
- National Treasury Regulations April 2010;
- ISO 22301: 2012 Societal security - Business continuity management systems - Requirements;
- ISO 22313: Societal security - Business continuity management systems - Guidance;
- ISO 22390: Guidelines for exercises and testing;
- Business Continuity Institute Good Practice Guideline 2013;

- Control Objectives for Information and related Technology (COBIT5);
- Information Technology Infrastructure Library (ITIL v3);
- COSO ERM Framework 2004;
- ISO 31000: 2009 Risk Management Principles and Guidelines;
- ISACA IT Risk Framework.

Related City Frameworks and Policy

This framework must be read in conjunction with:
- Group Risk Management Policy
- Group Risk Management Framework
- Anti-Fraud and Corruption Framework
- Group Combined Assurance Framework
- Group Internal Control Framework
- Group Compliance Framework

Applicability of Business Continuity Management Framework

This framework is applicable to all Departments and Entities regardless of size and nature of business. Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but should rather be viewed as one critical aspect of processes.

1. INTRODUCTION AND BACKGROUND

Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to the City and the impacts to business operations should those threats be realized, and provides a framework to build the City's resilience, with the capability of an effective response that safeguards the interests of key stakeholders, reputation, brand and value-adding activities. (Source: ISO 22301:2012).

Business continuity encompasses planning and preparation to ensure that the City can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period. As such, business continuity includes the following three key elements:
- Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions;
- Recovery: arrangements have to be made to recover or restore critical and less critical business functions that were impacted by disruption; this includes development of a Business Recovery Plan (BRP);
- Contingency: the City establishes a generalized capability and readiness to cope effectively should major incidents and disasters occur. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Business continuity plans are designed and documented procedures utilised to respond to disruptive incidents, to guide recovery efforts, to resume prioritized activities, and to restore operations to acceptable predefined levels.

Business continuity plans are designed in order for the City to be able to identify:
- the necessary services to recover and/or resume operations after a disruption has occurred;
- business critical activities that should continue in operation during a disruption; and
- resources needed to ensure that prioritized business activities and functions can continue during and after disruptions have occurred.

(Source: ISO 22301:2012).

To identify critical business activities, business disruption-related risks should be identified. Business disruption-related risks include physical and non-physical events such as natural disasters, pandemics, significant loss of utilities, financial crises, accidents, and incidents that threaten the City's reputation. These events may be infrequent; however, they have severe consequences for critical services and cannot be resolved through routine management strategies. It is therefore vital to equip the City to:
- ensure continued delivery of critical services despite the occurrence of a potentially disruptive event;
- stabilise the effects of a disruptive event and return to normal operations and a full recovery within a reasonable timeframe;
- capitalise on opportunities created by the disruptive events.

BCM focuses on the resiliency of people, property, processes and providers as well as the availability and integrity of information. The management of disruption-related risk is founded on a thorough understanding of internal and external risks. As risk management leads to a better understanding of the impact of risks on the City's operations, BCM evaluates the City's functions, dependencies and vulnerabilities with regard to long-term survival and short-term recovery should a potential disruption occur.

2. PURPOSE

The aim of this framework is to guide the Executives, Senior Management and all City officials in developing and executing a Business Continuity Plan. The main purpose is to provide a practical framework to assist the City in the effective identification and evaluation of vulnerabilities and incidents that could cause business disruptions, in planning for those business disruptions, and in activating business resumption and recovery strategies in the event that a disruption occurs.

3. OBJECTIVE AND BENEFITS

BCM is an application of risk management strategies, an integral component of sound corporate governance and an important aspect of emergency preparedness and operational resilience. The objective of BCM is to ensure continued operation of the City's critical functions and associated expectations of key stakeholders should a disruption occur. It assists the City to meet its legal, regulatory and contractual obligations and to protect its reputation.

As every step taken to achieve an objective/goal involves uncertainty, it is critical that the City is alert and prepared for business disruptions. There is usually little or no time to assess the affected business processes and resources at the time of disruption; however, crucial decisions are quickly required to divert resources and ensure sustainability of the City's critical functions, that is, ICT processes and the continued supply of community basic needs, and to ensure employee safety and safeguarding of assets, whilst recovery is being coordinated and alternative ways of operating are being established. BCM therefore assists the City to prioritise processes and supporting resources, and to clarify decision-making. This is necessary to limit discontinued service delivery by the City during business disruption, and to minimise loss of life and any damage to the City's property and reputation.

Benefits of BCM are to:
- Keep employees and the community safe;
- Reduce the City's vulnerability to business disruptions;
- Protect critical functions within the City;
- Protect the City's intellectual assets;
- Ensure continued service delivery during and after a disruption has occurred;
- Preserve the ability to meet stakeholder expectations in a wide range of circumstances;
- Provide for an orderly and expedited recovery after a disruptive event; and
- Maintain or gain competitive advantage due to a swift and effective response.

Additional benefits include improvement in the City's overall efficiency by addressing issues of complexity, as BCM processes enhance deployment of strategies to promote a better understanding of the interrelationships between the City's core service delivery functions, the business support/administrative services, the resources and critical processes required to ensure continued capability, and upstream, downstream and third-party dependencies.

4. BCM Fundamental Principles

Well-designed BCM practices involve resilience measures designed to keep essential business processes and the supporting ICT infrastructure operating despite any incidents and/or business disruptions. BCM includes the following fundamental concepts:
- Business Continuity Plans (BCPs) involve measures to ensure, as far as possible, that critical business processes continue to operate satisfactorily despite a wide range of incidents. This includes aspects such as having alternative hot and cold sites, Uninterruptible Power Supply (UPS), or parallel running activities at disparate locations.
- IT Continuity Plan (ITCP) involves measures to ensure that, as far as possible, IT systems, networks and associated infrastructure and processes supporting critical business processes remain in operation despite disasters. This includes aspects such as fault-tolerant, resilient or high-availability system/network designs and configurations, built-in redundancy and automated failover of the supporting IT systems, and capacity and performance management;
- Business Response Plans (BRPs) involve planning to recover/restore critical and important business processes following disasters or major incidents. This includes activities such as relocating employees to alternative office locations, manual fall-back processing, temporary relaxation of divisions of responsibility and delegated authorities etc.;
- Business Recovery Plans (BRPs) relate to recovering business and IT operations following incidents and disasters;
- IT Disaster Recovery Planning (IT DRP) involves planning for the recovery of critical IT systems and services following a disaster that impacted the resilience arrangements. Examples include manually restoring IT systems and data on alternate/standby equipment from backups or archives, utilizing emergency communications facilities etc.

- Crisis Management activities are focused on managing incident and disaster scenarios as they occur. Crisis Management involves emergency management, primarily relating to health and safety aspects. Key activities in the crisis management phase typically include preliminary assessment of the situation and liaison with emergency services and management. Quickly forming a competent crisis management group/team to manage and control ongoing recovery activities is an important element;
- Incident Management involves activities and processes designed to evaluate and respond to information security-related incidents of all sorts. Most activities are routinely exercised in the normal course of business, dealing with all manner of minor incidents, through continuously updating the processes, systems and controls, and improving resilience and recovery activities in response to actual incidents and disasters.

5. BUSINESS CONTINUITY MANAGEMENT METHODOLOGY

BCM is about being pragmatic, but also about creating a capability in a planned manner. Having a planned business continuity capability denotes a proactive action to enhance the City's image with both internal and external stakeholders. BCM assists the Executives and Senior Management to determine the cause of disruptive events, and to identify critical business functions and processes that have the greatest exposure and susceptibility to interruptions and the greatest significance for achieving time-sensitive objectives and strategic success.

The BCM Methodology guides the Executives and Senior Management in developing effective business continuity plans, in ensuring that business functions and processes are risk-assessed for their criticality, using a consistent risk assessment methodology and risk matrix as outlined under the Group Risk Management Framework, and in implementing and testing the plans regularly.

Developing Business Continuity Plans for critical processes must include:
- Business Recovery/Resumption Plans (BRPs);
- IT Continuity Plan (ITCP);
- IT disaster recovery plan;
- Disaster Recovery Plan (DRP); and
- Incident and Crisis Management Plan (ICM).

The diagram below depicts the BCM methodology as outlined by ISO Standards.

[Figure: BCM Methodology. Source: ISO]

Common IT infrastructure and data components that must exist to support all the plans must be identified. Physical and security risk assessments (as illustrated under the Group Risk Management Framework) should be conducted on all City properties (Property, Plant and Equipment) as part of the Business Continuity Management programme, to ensure proper safeguarding and maintenance of City properties.

6. BUSINESS CONTINUITY MANAGEMENT LIFE CYCLE

The BCM Lifecycle indicates the stages of activity for implementation of BCM processes, with the overall aim of improving the City's resilience to disruptions. These stages are referred to as the Professional Practices and are made up of Management and Technical Practices. The City has adopted the BCM lifecycle as illustrated by ISO standards.

[Figure: Business Continuity Management Life Cycle (ISO: 31000)]

7. DEVELOPING BUSINESS CONTINUITY PLANS (BCPs)

Business Continuity Planning (BCP) is a function within the BCM programme. It is a continuous process of identifying hazards and vulnerabilities, the likelihood of disruptions, potential consequences for time-sensitive strategic objectives, the effectiveness of existing controls, and strategies to improve performance and efficiency. The BCP process is geared towards providing the City Council, as well as the City's stakeholders, with comfort that in the event of business disruption, the City has the capacity to recover safely, cost-effectively and within a reasonable timeframe.

BCPs determine risk over time, when usual working sites, staff, assets or processes are not available due to disruptions. In line with this framework, the Executives and Senior Management should ensure that Business Continuity Plans are developed for their business operations. The Executives and Senior Management must ensure that the BCP is:
- Properly documented and circulated, so various groups of personnel can implement it in a timely manner;
- Specific regarding what conditions should prompt activation of the plan;
- Specific regarding what immediate steps should be taken during a disruption;
- Specific regarding key assets and resources required to support critical processes;
- Flexible to respond to unanticipated hazard/threat scenarios and changing internal conditions.

[Figure: BCP development stages]

7.1.1 Risk and Vulnerability Analysis

Risk assessment is the primary activity in the development of Business Continuity Plans, to identify disruption-related risks and analyse vulnerabilities. The identification, analysis and evaluation of risks is an important early step to understand the probability and potential consequences, and to determine a scope for continuity plans.

Disruption does not refer to day-to-day operational glitches, which can be managed through standard operating procedures. Disruption results from an event which interrupts business critical processes and operations. Disruption-related risks can emanate from both the external and internal environment; these include natural and un-natural factors, technology, human activities and economic factors. Specific effects resulting from disruption-related risks include damage to the City's property, infrastructure and facilities, financial loss, declined economic growth, impairment of ICT systems, socio-economic effects, injuries and/or loss of life.

A risk assessment identifies potential hazards and disruptions, such as earthquake, fire, floods, system downtime, power outage, cyber-attacks etc., and evaluates areas of vulnerability should the hazard or disruption occur. Assets put at risk include people, property, supply chain, information technology, business reputation and contract obligations. Risk assessment evaluates points of weakness that make assets more susceptible to disruptions, and assists in the development of mitigation strategies to reduce the probability of significant impact.

The following are samples of disruption-related risks:
- Protests
- Data loss
- Cyber attack
- New Technology initiative
- Network system failure (downtime)
- Power failure
- Vandalism
- Outbreak of communicable diseases
- Fire breakages
- Natural events and forces (floods, drought, storms)
- Environmental contamination
- Industrial action/political changes
- International incidents
- Xenophobia attacks

Occurrence of these risks, individually or in combination, could delay achievement of time-sensitive business objectives and, as a cumulative effect, potentially threaten the City's strategic success. In this case, developing Business Continuity Plans enhances understanding of disruption-related risks and response strategies, and increases staff vigilance and competency to work around business disruption until full functionality is restored or a new mode of operation is implemented.

[Figure: Integration between Risk Assessment and BCM]

To respond effectively to disruption-related risks, the City needs to build a resilience capability, which refers to effective strategies for managing uncertainties, so as to be able to adjust functions effectively in anticipation of disruptions, recognise emerging hazards, absorb stress consequences and use adversity as an opportunity for change and improvement. The City therefore needs to have a sufficiently developed and tested method of treating disruption-related risks in the most effective way, in order to gain the opportunity to meet defined Mayoral Priorities.

When developing Business Continuity Plans (BCPs), the Executives and Senior Management must ensure that each critical process has its own continuity strategies, which can be invoked either individually or en masse as required; a thorough streamlining of business operations is therefore required. This is to ensure effective planning through the BCP lifecycle, to capture and validate, and to ensure that appropriate capabilities will exist if/when required. It is therefore the responsibility of the Executives and Senior Management to provide budget allocation for BCM processes in order to ensure successful implementation of the plans.

Identifying critical processes involves defining time-sensitive strategic objectives, identifying critical process inputs and outputs and functional dependencies, prioritising processes and resource requirements, and determining external supply and contractual arrangements.

[Figure: Process flow in developing Business Continuity Plans. Source: ISO]

7.1.2 Business Impact Analysis (BIAs)

Business impact analysis (BIAs) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of disaster, major incidents, accidents or emergency. BIAs are an essential component of the City's business continuance plan; their purpose is to identify the critical services aligned to the City's mandate, rank services in order of priority, and identify internal and external impacts of disruptions. The analysis includes an exploratory component to reveal any vulnerabilities and a planning component to develop response strategies to minimise risks.

The BIAs process determines what information, resources, efforts and timelines are required to maintain critical processes and meet time-sensitive objectives, through identifying key business functions and the financial and non-financial impact. BIAs should be identified for each business function within the City, to assess business disruption impact and help to establish recovery strategies, priorities, and requirements for resources and time.

BIAs focus on the effects or consequences of the interruption to critical business functions, and attempt to quantify the financial and non-financial costs associated with disruption, while risk assessment focuses on identification of disruption-related risks.

[Figure: Business Impact Analysis Method. Source: ISO]

Business Impact Analysis (BIAs) Process

The BIAs process serves as a starting point for business recovery strategy and examines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and the resources and materials needed for business continuance. Identification of BIAs is a multi-phase process that generally includes the following steps:
- Gathering of information for each business function (Departments and Entities);
- Evaluating and analysing the collected information;
- Preparing a report to document the findings;
- Presenting the results to Executives and Senior Management.

Gathering information involves engaging with key personnel on the likely effects of interruptions or disruption to services, the associated systems and business processes. This is usually achieved through structured interviews, workshops and/or questionnaires, or a combination thereof. The main aim in utilising any of these approaches is to assess both the quantitative and qualitative impact of disruptions on critical services.

BIAs should be identified through the determination of:
- critical business processes and time-sensitive services;
- vulnerability of business operations;
- the priority of critical services and processes;
- the likelihood of disruption to the continuity of services and operations;
- the likelihood of violating appropriate legislation, regulations or standards;
- the probability of losing physical and intellectual assets;
- the likelihood of impact on key personnel;
- the financial impact of disruption (loss of revenue etc.);
- the environmental impact of such disruption;
- the likelihood of impact on the City's reputation.

[Figure: BIAs Outputs diagram]

Business Response Plans (BRPs)

Business Response Plans (BRPs) for the continuity of services and operations are based on the outcome of the Business Impact Analysis (BIAs). This is to ensure that response plans are properly developed in order to manage the severity of impact from business disruptions/incidents and/or disaster. At this stage, Executives and Senior Management must develop mitigation and recovery strategies to protect people, assets and business functions, including network systems and manual and technical procedures, and must identify alternative worksites and the resources required for recovery of each process (technology, people).

Business Response Plans (BRPs) for the City must be developed in such a manner that they will successfully coordinate the City's response strategies to specific types of business disruptions/incidents. Timeframes should be taken into consideration in developing the response plans, separating major disruptions/incidents from other disruptions/incidents. Major disruptions/incidents are those that last longer and could require the involvement of other parties, e.g. Emergency Services, Police etc.

To determine effective response strategies, the Executives and Senior Management must consider the following:
- The type of hazard(s)/disruption the Department/Entity is exposed to;
- Alternate procedures for carrying out the process to completion or to a minimal acceptable level until full recovery;
- Manual processing abilities and related costs;
- Use of insurance (replace rather than salvage);
- 3rd party arrangements, business partnering/dependencies, sector mutual aid;
- Operation cycles and peak periods;
- Internal resource capabilities, critical supply chains and service providers management;
- Deciding whether or not an alternative site is required;
- Accessibility of data.

The Executives and Senior Management must execute the development of BRPs to ensure the reliability of the plans. Business Response Plans must include the following elements:
- Business Recovery Plans/strategies;
- Business Resumption Plan;
- Disaster Recovery Plan and Emergency Recovery Plan.

Business Recovery Plans /Strategies

Business Recovery Plans/strategies are executed/activated in response to business disruption/incident events; the objective is to ensure that the City's business operations and processes are recovered after the disruption/incident has occurred. The Executives and Senior Management must utilise the BIAs report to develop strategies for recovery of business processes after a business interruption. As the BIAs report clearly prioritizes the identified critical functions, recovery strategies must clearly stipulate the limited amount of time to recover and maintain those critical business operations.

The recovery strategies must be properly developed in order to allow an effective response to a disruption/incident as soon as it occurs, and to allow recovery of both critical and non-critical functions for operations within a limited amount of time.

22 The first step in determining recovery strategies is to perform a comparison of the City s current critical functions capabilities vs. business requirements, and conduct gap analysis to determine areas where critical functions are incapable to maintain critical processes at a minimum required performance level. The responses in bridging that gap must result into a recovery strategy. Determining recovery strategies also depend on the following two factors; Recovery Time Objective (RTO) - the acceptable amount of time to recover Recovery Point Objective (RPO) - the acceptable point of recovery Response strategy is informed by a well-designed and approved time frames for the recovery of critical processes (RTO). This is the target time for resuming services and operations before City s image is compromised. Strategy should also address the restoration target (RPO) for the integrity and availability of data (electronic and manual). In order to effectively determine recovery strategies, the Executives and Senior Management should take into consideration the inter-dependencies on critical processes within the City, understand the type and severity of impact a disruption/incident to any process can cause to City s operations including financial, legal, stakeholders and reputation, and then to gauge the maximum amount of time these operations can survive within the allowable downtime. The Executives and Senior Management should also consider the resources required to recover processes to a minimum acceptable level within the maximum allowable downtime window period, and to prioritize the allocation of recovery activities and resources. However, the need to determine a proper balance between the costs and recovery time to meet minimum operational requirements, is still a pre-requisite. This will guide the Executives and Senior Management on strategies to be implemented. 
Each Department and Entity should develop recovery strategies for its critical processes, based on the Recovery Time Objectives (RTOs) and data Recovery Point Objectives (RPOs). The strategies should be properly documented and communicated to relevant personnel to enhance effective implementation. Due to the City's inter-dependencies, the standard procedure must be utilised to document recovery strategies across the departments and entities. The purpose is to minimize duplication of effort (resources, time) should a disruption/incident occur, and to ensure consistency. During the recovery procedure, the document should be utilised as a process-monitoring tool. The process recovery document must include the following information:

- Functional description (a high-level overview of the functions of the process)
- Dependencies (people, resources, systems and applications, both internal and external, that are required for each critical process)
- Recovery contacts (emergency services, primary process owners, alternate team leaders, team members, key personnel and insurance contacts)
- Recovery objectives (RTO and RPO estimated recovery time and restore method to be followed)
- Internal and external dependencies
- The Spokesperson (to handle media)
- Recovery procedures (step-by-step recovery procedures, with columns to document recovery during the disruption/incident; list procedures for pre-recovery, during recovery and post-recovery)
- Manual procedures (list manual procedures for carrying out key functions while recovery is underway)
- Alternative worksites (if a primary site is destroyed or rendered uninhabitable for a period of time, a predetermined solution to continue working at alternate locations is required)
- Testing (solid test criteria for response plans/strategies)

Business Resumption Plan (BRP)

The Business Resumption Plan addresses the restoration of business operations immediately after the disruption/incident. Unlike the business recovery plan and business contingency plan, the Business Resumption Plan does not contain continuity procedures used during disruption; instead it focuses on replicas of original operations/processes. The plan should be developed in a manner that illustrates how critical functions will resume immediately or within a few minutes/hours after being interrupted (IT systems). Based on the Business Impact Analysis report, the Executives and Senior Management should decide on those critical functions that must be resumed immediately or within a few minutes/hours. Some of these functions must be IT processes and power supply. The plan involves replicas for IT functions and a parallel-running power supply (UPS).

While Business Recovery Plans involve adopting temporary measures (alternative worksite, manual procedures etc.), the Business Resumption Plan is concerned with restoring operations to their normal state immediately or within a few hours, in order of their priority. The Business Resumption Plan should coordinate with other Business Recovery Plans (DRP, IT Recovery Plan, and Emergency Recovery Plan). The Business Resumption Plan deals with how, where, when, and who will be responsible and what they will do when a significant disruption occurs. As indicated, disruptions could also result from external factors, natural or un-natural events, such as floods, fires, explosion, contamination, storms, political unrest and many others whose impact may not be clearly evident. Any or a combination of these can result in the requirement to reconstruct critical infrastructure in the shortest period of time. The approach to the Business Resumption Plan involves:

- Identifying the pre-set stand-by arrangements needed to start vital functions operating with as little delay as possible. This could involve identifying cold sites, warm sites and hot sites, and investing in IT application replicas and Uninterrupted Power Supply
- Ensuring the availability of necessary resources including personnel, technology, information, equipment, office space
- Helping operations to service interruptions, making sure that essential community basic service delivery is met

The Executives and Senior Management must be actively involved in the development of business resumption plans.
They must:

- Assign the necessary resources for plan development (including budget)
- Concur in the selection of critical functions and prioritization
- Be prepared to authorise activation of the plan should the need arise

Based on the maturity of the Departmental and Entities' recovery continuum, as well as the nature of the service the department or entity provides, assigning a numeric priority *0 5* to resume each "time-critical" operation could be beneficial; Immediate = Priority 1 1 day = Priority days = Priority 3 5-7 days = Priority days = Priority

IT Continuity Plan (ITCP)

The IT Continuity Plan is a subset of Business Continuity Planning (BCP), and encompasses IT disaster recovery planning and wider IT resilience planning. It is a systematic process to prevent, predict and manage Information and Communications Technology (ICT) disruption and incidents. The plan is a valuable tool that assists the Executives and Senior Management to determine and assess IT vulnerabilities, the potential loss of intellectual information and the safeguarding of critical/sensitive IT processes. In this case, conducting Business Impact Analysis (BIAs) is essential.

[Figure: IT Continuity Plan cycle. Source: ISACA IT Risk Framework]

While conducting IT BIAs, it is important to ensure that every major application enhancement, technology infrastructure and IT function has its own separate Business Impact Analysis and risk assessment, and that their individual BIAs and risk profiles are reviewed for applicability, along with RTO (Recovery Time Objective) and RPO (Recovery Point Objective). This is to ensure effective embedding of IT processes into the Business Continuity lifecycle.

The Chief Information Officer (CIO) must ensure that an IT continuity plan and IT disaster recovery plans are developed. The plans should be clear, precise and explicit local knowledge, in the event that external assistance would be required to rebuild the systems. Each procedure should be self-contained so that it can be utilised to effect recovery of a single system or component (e.g. the server is running successfully but the database management system has crashed). Each document must also contain details of prerequisites in the event of multiple component failures; this is to ensure that the correct sequence for recovery is followed (e.g. replace failed disk, rebuild operating system, install database, configure security settings and then restore data). The IT recovery plans must be organised in a hierarchy, with detailed procedures and step-by-step guidelines for each stage of an incident, so that the Recovery Teams are able to restore the services correctly and thereby meet the agreed process and component RTOs.

IT recovery hierarchy plan (figure): Disaster Recovery Plans Downtime Tolerance Solutions Non Stop Business Continuity of IT Services Detection of system dysfunctional High Availability Software Backup and storage solutions Protection of Data

The Information Technology Continuity Plan is the procedure and a tool to assist the City to improve its ability to respond to major system failures, and also to improve the systems' resilience to major disruptions/incidents, ensuring that critical functions and services are recovered within acceptable RTO (Recovery Time Objective) limits. The Executives and Senior Management must utilise the Business Impact Analysis (BIAs) report to define the process RTOs and determine the recovery prioritisation. The IT Continuity Plan must contain the following information:

- IT and critical business process list
- Details of the combined component RTOs and RPOs and inclusion of the IT requirements gap analysis
- IT Architecture
- Roles and Responsibilities during contingencies and recovery
- Invocation Procedures
- IT security plans
- Damage Assessment
- Backup plans
- IT continuity procedures
- IT recovery procedures
- Escalation and process flow charts
- Detailed procedures specifying how to recover each component of the IT system
- Recovery Test Plans, specifying how to test each component that has been recovered
- Incident Logs
- Contact Details of recovery team
- IT Service Test Plan - Tests will familiarize staff and IT teams with the continuity and recovery process

The IT continuity plan must also include strategies for infrastructure improvements. Improving the environment is a proactive measure to minimise the risks of IT downtime and outdated infrastructure. The strategy is a phased approach to achieving resilience, and it is driven by risk assessment, experience and technology changes. The IT recovery plan should detail the following stages:

- Initial response - damage assessment and invocation of the appropriate incident management teams;

- Service recovery - includes the damage assessment of primary facilities, initiation and completion of recovery tasks
- Interim measures - alternative functions, servers, applications that may be provided to users should interruptions occur. This is a temporary measure to provide a limited service until normal service can be resumed;
- Normal service resumption - returning to the usual service, fail-back from the abnormal service delivery.

The CIO must ensure commitment of resources and development of IT policies, procedures, and tools in order to maintain and sustain the City's critical business processes, and to make recovery as quick as possible during unforeseen circumstances and major incidents. The IT continuity plan requires a budget that should be included in the Departmental and Entities' SDBIP (Service Delivery Business Implementation Plan). The key point is to have a proactive approach in managing IT services and ensuring continual improvement of IT infrastructure across the City.

IT Disaster Recovery Plan (ITDRP)

An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the IT continuity plan (ITCP). Priorities and recovery time objectives (RTOs) for information technology should be developed during the business impact analysis (BIAs). Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery. The City operates with large volumes of sensitive electronic information and data. Some data is vital to the survival and continued operation of the business. Data loss or corruption from hardware failure, human error, cyber-attacks or malware could have a significant impact. Developing an IT disaster recovery plan begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.
A comprehensive plan should include identification of critical software applications, data and the hardware required to run them. Using standardized hardware will help to replicate and reimage new hardware. Ensure that copies of program software are available to enable re-installation on replacement equipment. Prioritize hardware and software restoration.

Risk assessment and business impact analysis (BIAs) processes are required to identify the IT services that support the City's critical business activities, and then establish recovery time objectives (RTOs) and recovery point objectives (RPOs). Once these are identified, disaster recovery strategies must be determined to protect the critical systems. Formulating a detailed recovery plan is the main aim of the entire IT disaster recovery planning. It is in this phase that the plans should set out, step by step, how to recover IT systems to a state in which they can support the business after a disaster. Therefore, the IT disaster recovery plan must be documented and tested periodically to make sure that it works as intended.

Disaster could strike in numerous forms, from internal and external factors (server crash, major data loss). It is therefore important that the Chief Information Officer (CIO) ensures the development of effective City Disaster Recovery strategies for Information Technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of critical business functions and processes that were developed during the business impact analysis (BIAs). IT resources required to support time-sensitive business functions and processes should also be identified and documented. It is critical to ensure that the recovery time for IT functions complements the recovery time objective (RTO) for business functions or processes that depend on IT operations.
The table below serves as a sample to communicate IT Recovery Time Objectives and protection strategies:

| Critical System | RTO/RPO | Threat | Prevention strategy | Response Strategy | Recovery Strategy |
|---|---|---|---|---|---|
| Applications | Tolerable amount of time | Server failure | Secure equipment room, backup server, UPS | Switch over to backup server, validate UPS running | Fix/replace primary server, fall back to primary server |
| Information | Tolerable amount of time | Loss of data | Data loss alerts, UPS, regular inspections | Run on alternate system | Fix primary system, return to normal operations |
| ICT security | Tolerable amount of time | Security system interrupted | Locate system in secure area, UPS, install protective enclosures around critical functions | Deploy protection strategies (replica) | Obtain/install replacement systems |

Information technology systems require hardware, software, data and connectivity. Without one component, the system may not run. Therefore, recovery strategies should be developed to anticipate the loss of one or more of the following system components:

- Computer room environment (should be secured, with climate control, conditioned and backup power supply, etc.)
- Hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals)
- Connectivity to a service provider (fibre, cable, wireless, etc.)
- Software applications (electronic data interchange, electronic mail, office productivity, etc.)
- Data and restoration

Some sensitive/critical business applications within the City cannot tolerate any downtime, even when disaster strikes; it is therefore necessary to identify dual/mirrored data centres that are capable of handling all data processing and that run in parallel, with data mirrored or synchronized between the two centres.

Incident and Crisis Management Plan (ICM)

It is crucial that each Department and Entity has fully developed and implemented emergency procedures. The procedures are designed to assist the Departments and Entities to survive and recover during emergencies, and to ensure adequate safety of employees, visitors, contractors and anyone else in the facilities. This could also assist the Departments and Entities to limit public claims and litigation. The purpose of the plan is to provide readiness should any incident and/or crisis occur. The plan illustrates the Emergency Plan to be followed and the resources available to carry out recovery strategies. An important component of the preparedness program is a recovery plan. The plan should enable the Departments and Entities to recover promptly, accurately and effectively after an emergency, within acceptable timeframes.
There are many resources required for the preparedness program, and these should be included in the Incident and Crisis Management Plan (ICM):

- People (crisis coordinators and wardens)
- Facilities (evacuation plan, assembly area, employees checklist, position of fire alarms)
- Communications and warning technologies
- Fire protection and life safety systems and equipment
- Special experts contacts (fire department, police, security, trauma counselling)

- Duties of emergency team members

Link between BCP, Emergency, Crisis and Disaster Recovery Planning

The link between BCP, emergency, crisis and disaster recovery planning is very important. There is a requirement for the City to be able to address any issue of threat at the earliest, most appropriate and most effective opportunity.

[Figure: Link between BCP, emergency and crisis planning. Source: ISO Standards]

An emergency action plan should be developed and documented as per the requirements of OHASA, in order to facilitate and organize employer and employee actions during workplace emergencies. In order to develop an effective emergency action plan, employees should be involved in the planning process, and be assigned responsibilities specifying what actions should be taken before, during and after the incident/crisis occurs. The actions taken in the initial minutes of an emergency are critical. Therefore actions by employees with knowledge and understanding of the plan, building and process systems can help put the situation under control and minimize injuries/loss of life and damage to facilities.

The first step in developing an emergency response plan is to conduct a physical risk assessment (as illustrated in the Group Risk Management Framework) in order to identify potential emergency scenarios. The assessment will enable the Executives and Senior Management to determine resource requirements and to develop plans and procedures to prepare for emergencies. The following threat types should be taken into consideration in the development of the Incident and Crisis Management plan:

- Natural threats (floods, storms)
- Internal or external threats (fire, explosions, burglary, xenophobic attacks)

When an emergency occurs, organized teams will respond in accordance with the established plans. Public emergency services may be called to assist. Contractors may be engaged and additional resources may be required. Therefore it is highly important for the Executives and Senior Management to ensure that testing and exercises to evaluate the effectiveness of the preparedness program take place. There are many benefits to testing and exercises:

- Train personnel; clarify roles and responsibilities
- Reinforce understanding of procedures, facilities, systems and equipment
- Improve individual performance as well as coordination and communications
- Evaluate policies, plans, procedures and the knowledge and skills of team members
- Reveal weaknesses and gaps
- Compliance with OHASA
- Gain recognition for the emergency management and business continuity program

The first aid team (that is trained to administer first aid and perform CPR) will be able to reach any employee within minutes. The evacuation team will be able to direct all employees to safe exits and account for them outside the building within minutes.

It is essential that the emergency action plan developed should be comprehensive and site-specific with respect to the emergency conditions evaluated, evacuation policies and procedures, emergency reporting mechanisms, and alarm systems. An explanation of each issue and/or examples of how each issue must be addressed in typical workplaces should be indicated in the plan.

Guideline for Emergency Evacuation Plans

An emergency plan is a written set of instructions that outlines procedures to be followed during an emergency, and it must provide the following:

- an effective response to an emergency;
- evacuation procedures;
- emergency services contact numbers;
- medical treatment and assistance (First Aid kit);
- effective communication between the person authorised to coordinate the emergency response;
- testing of the emergency procedures including the frequency of testing, and information;
- emergency contact details for key personnel, for example fire wardens, floor wardens and first aid officers;
- map of the workplace illustrating the location of fire protection equipment, emergency exits, assembly points; and
- the post-incident follow-up process.

Emergency evacuation procedures should be communicated to all employees to ensure that they are aware of and understand the procedures to carry out during an emergency or crisis. Evacuation plans must be visibly displayed around the office buildings. In cases where Departments or Entities share office space, evacuation procedures and plans must be prepared and tested together, in order to avoid duplication of efforts and duties. For departments that reside in the Council building, evacuation procedures and plans must be prepared for each office with the involvement of the SHEILA office within the Group Corporate Shared Services (GCSS) department.

Strike Management Action Plan

In accordance with the provisions of the Labour Relations Act (66 of 1995) ("the LRA"), any strike action that commences as per the Notice is accordingly legal and protected in terms of the LRA. Industrial action is one of the business disruptions in the City, and can cause harm to the City's reputation, damage to property, injuries and/or loss of life, and increases the potential for non-service delivery.

In order to ensure an effective Strike Management Action Plan, it is important that the Executives and Senior Management put contingency measures in place to mitigate the impact of the strike action and ensure that service delivery is affected as little as possible. The plan must be comprehensive, and provide a project time line that ensures that the Department/Entity will be completely prepared should any labour dispute erupt, and must include response strategies, security measures, alternative resources for operations, and recovery and resumption plans. Specific legal and public communication plans and strategies should be determined at the onset of the planning process. Human Resource policy issues for both striking and non-striking staff should be taken into consideration, including payroll and strike compensation issues for non-striking staff and alternate staffing. The Strike Management Action Plan must focus on the following five key elements:

i. Communications / Stakeholder relations
ii. Security Measures
iii. Operational continuity / Major Incident plan
iv. Environmental threats
v. Legal issues

Communication and Stakeholder relations

Constant engagement with stakeholders is necessary. Internal and external stakeholders must be kept informed in a transparent and timeous manner about impending industrial/strike activity, and the plan should address the communication to all stakeholders, that is, employees, community, service providers etc.

Security Measures

Industrial action raises security risks, and could necessitate liaison with police if there are threats to life or property. The Executives and Senior Management must ensure that procedures for security measures are included as part of the Strike Management Plan. The strike team leader should be responsible for this function throughout the duration of the strike.
The appointed strike security coordinator must ensure safeguarding of those areas that are likely to be targeted for vandalism and supervise security of personnel.

Operational continuity / Major Incident plan

Many of the same measures undertaken in Business Continuity Plans can be deployed, when necessary, to ensure continuation of normal operations during strike action, including the Incident and Crisis Management Plan where the life of employees is threatened or put at risk.

Environment

The Executives and Senior Management must identify potential environmental hazards which could cause danger or damage to business, and determine how to prevent an occurrence of an incident in the event of a labour disruption. Activity may relate to waste treatment and management areas. Vulnerable areas and the evacuation procedures must be monitored regularly.

Legal matters

If strikers' actions violate the law, the City may approach the courts for relief. Therefore the Executives and Senior Management must ensure that procedures to preserve visual and audio documentation of any law breaking are in place. The evidence must clearly show any unfair labour activity, criminal mischief, or crime against persons and/or property.

Developing Strike Management Action Plan

Identify and Prioritize Critical Business Services in each Business Section

The Executives and Senior Management must identify those critical service delivery areas that should continue in operation during the strike action, and determine alternative measures that will ensure that those areas will not be negatively impacted and shall therefore continue as normal. The Departments and Entities must conduct Business Impact Analysis (BIAs), as illustrated in this framework, to identify and prioritize critical business services based on the City's outcomes and labour disruption.

Develop Response Strategies to Minimize Impacts to Critical Business Sections

Minimizing the impact of the labour disruption on key business operations is key to effective labour dispute contingency planning.
The Executives and Senior Management must ensure that service delivery on critical business operations is a prime objective when developing a departmental/entity labour disruption contingency plan. The plan must provide a clear indication of the business operations that should continue during strike action. Develop strategies to minimize labour disruption impacts on critical business operations; this includes identifying alternate resources, that is, determining minimum staffing levels and skill sets required to maintain critical business operations in each business section, and identifying alternate work locations or consolidation of business operations. Using historical staffing information, vacation scheduling, skills required, and an assessment tool, business units should, in conjunction with HR, determine minimum staffing levels for a labour disruption of various durations. Develop a Business Continuity/Labour disruption checklist for business unit managers on maintaining their business operations while dealing with staff shortages and addressing strike issues. Develop tools and guidelines for all employees to assist in the labour dispute response strategies.

Identify Response Strategies to Deal with non-critical Business Services

The strategy for dealing with non-critical business services is to determine areas where services can be ceased, reduced or re-deployed. Resources available from non-critical business units may be redeployed, non-critical unit services may be consolidated, or services may be curtailed during the labour dispute. A review of determined Recovery Time Objectives (RTOs) should be taken into consideration when activating/implementing this response strategy. However, management should consult with Group Communication and Group Legal and Contracts prior to implementing/activating the strategy.

Monitoring and Communication

The Executives and Senior Management must review and update the contingency plan periodically and provide a summary report to the Mayoral Committee, the Board, and the Group Risk and Governance Committee (GRGC).
The provision of the report to the committees serves as part of stakeholder engagement and communication on the Departmental/Entity Strike Management Action Plan, and provides assurance to the committees that the Department/Entity maintains effective and sufficient labour disruption response strategies. The summary report to the GRGC should be provided annually, at the end of every first quarter. After the industrial action has settled, onsite inspections must take place in order to conduct a security risk assessment at impacted areas, and to ensure that the appropriate steps have been taken to minimize security risks. The inspection report must be provided to the Mayoral Committee, the Board and GRGC immediately.

Strike Management Governance Structure

A governance structure for labour disruption response strategies should be established and be included in the plan. The structure must include a Strike Management Team with detailed responsibilities, duties and authorities. In some cases, the Strike Management Team could be the same as the Crisis and Emergency Management Team.

Strike Management governance structure: Executives and Senior Management; Tactical Team; Business Units and Site Recovery Teams

Documentation

The Strike Management Action Plan must be properly documented and stored securely. Other suggested documents and materials that may be kept are:

- Identified critical business operations summary spreadsheets
- Training module for Strike Management Team, employees and management

- Managing Labour Dispute Manual for Management
- Strike Response Guideline
- Illegal Strike Response Guideline for Management
- Communications Guidelines Internal and External
- Strike Training Videos
- Incident Report spreadsheet
- Readiness check list for Security

Disaster Management Plan

Disaster Risk Management refers to the systematic process of using administrative processes, operational skills and capacities to implement policies and strategies to address the impacts of natural hazards and related environmental disasters. A disaster is an unexpected major event which has catastrophic impact on business; no organisation can be excluded from or is immune to its probability. Therefore, it is critical that the Executives and Senior Management develop a Disaster Management Plan. A formal written plan enables the City to respond efficiently and quickly to disaster events, and to minimize damage to property and loss of life. Disaster can erupt from natural environmental factors and un-natural factors. The following are some of those factors:

Natural environmental factors: floods, storms, outbreak of disease, earthquakes
Un-natural factors: fire, explosives, chemicals, facilities deficiencies (structure, design, maintenance), terrorism

Natural disasters cannot be prevented, but measures can be taken to reduce the probability of damage to property, injuries and/or loss of life. The Disaster Management Plan involves four phases:

- Prevention - identify and minimize the risks posed by natural environmental factors.
- Preparedness - designed emergency and evacuation procedures

- Response - developed response strategies to stabilize the impact
- Recovery - developed recovery strategies after occurrence of the event. Established programme to restore both the disaster site to a stable and a normal condition

Developing Disaster Management Plan

The Departments and Entities must develop a Disaster Management Plan in conjunction with the Disaster Management Unit situated at Public Safety. The Disaster Management Plan should include the following components:

1. Policy, Institutional Mandates and Institutional Development
2. Hazard, Vulnerability and Risk Assessment
4. Preparedness and Response Plans
5. Mitigation and Integration of Disaster Risk reduction
6. Community based Disaster Risk Management
7. Public Awareness, Education and Training
8. Disaster Recovery Teams and their responsibilities

The Business Impact Analysis (BIAs) process is a necessity in the development of the Disaster Management Plan, in order to create a critical function list. The list must indicate the required steps and dependencies to reach a recovery state and a determined minimum acceptable time to activate response strategies. Most of the Business Continuity Plans indicated in this framework may be deployed/activated during a disaster event; this includes the IT Disaster Recovery Plan, Incident and Crisis Management Plan etc.

Declaration of Disaster

Not all major incidents/events are considered a disaster; therefore, in accordance with the Disaster Management Act, 57 of 2002, a disaster must be officially declared.

Sec. 55 (1) - Declaration of local state of disaster - states that, in the event of a local disaster, the council of a municipality having primary responsibility for the co-ordination and management of the disaster may, by notice in the provincial gazette, declare a local state of disaster if -
(a) existing legislation and contingency arrangements do not adequately provide for that municipality to deal effectively with the disaster; or
(b) other special circumstances warrant the declaration of a local state of disaster.

Sec. 55 (2) - states that, if a local state of disaster has been declared in terms of subsection (1), the municipal council concerned may, subject to subsection (3), make by-laws or issue directions, or authorise the issue of directions, concerning -
(a) the release of any available resources of the municipality, including stores, equipment,
(b) the release of personnel of the municipality for the rendering of emergency services;
(c) the implementation of all or any of the provisions of a municipal disaster management plan that are applicable in the circumstances;
(d) the evacuation to temporary shelters of all or part of the population from the disaster-stricken or threatened area if such action is necessary for the preservation of life;
(e) the regulation of traffic to, from or within the disaster-stricken or threatened area;
(f) the regulation of the movement of persons and goods to, from or within the disaster-stricken or threatened area;
(g) the control and occupancy of premises in the disaster-stricken or threatened area;
(h) the provision, control or use of temporary emergency accommodation;
(i) the suspension or limiting of the sale, dispensing or transportation of alcoholic beverages in the disaster-stricken or threatened area;
(j) the maintenance or installation of temporary lines of communication to, from or within the disaster area;
(k) the dissemination of information required for dealing with the disaster;
(l) emergency procurement procedures;
(m) the facilitation of response and post-disaster recovery and rehabilitation; or
(n) other steps that may be necessary to prevent escalation of the disaster, or to alleviate, contain and minimise the effects of the disaster.
(3) The powers referred to in subsection (2) may be exercised only to the extent that this is necessary for the purpose of -
(a) assisting and protecting the public;
(b) providing relief to the public;
(c) protecting property;
(d) preventing or combating disruption

(e) dealing with the destructive and other effects of the disaster.

(4) By-laws made in terms of subsection (2) may include by-laws prescribing penalties for any contravention of the by-laws.

(5) A municipal state of disaster that has been declared in terms of subsection (1) -
(a) lapses three months after it has so been declared;
(b) may be terminated by the council by notice in the provincial gazette before it lapses in terms of paragraph (a); and
(c) may be extended by the council by notice in the provincial gazette for one month at a time before it lapses in terms of paragraph (a) or the existing extension to expire.

8. TESTING AND EXERCISE OF BUSINESS CONTINUITY PLANS

Once BCM has been embedded into the organisation as an ongoing management process, it enters an iterative cycle of being reviewed at regular intervals and updated when necessary. To ensure that BCPs are practical and will work as intended should a disruption or emergency occur, all the plans illustrated above must be exercised and tested annually. The relevant staff must understand what is expected of them. Staff with BCP responsibilities must rehearse their roles and validate the procedures, to confirm their competence and confidence.

When conducting the test and exercise, it is important to include factors such as time, sequence of events, and any external conditions. Enhanced realism can be achieved by giving participants access to emergency contact personnel, who share in the exercise. Messages can also be passed to participants during an exercise to alter or create new conditions.

Testing and Post-Exercise Evaluation - the exercise must be monitored impartially to determine whether objectives were achieved. Participants' performance, including attitude, decisiveness, command, coordination, communication, and control, should be assessed. Debriefing should be short, yet comprehensive, explaining what did and did not work, emphasizing successes and opportunities for improvement.
Participant feedback should also be incorporated in the exercise evaluation.

Exercise complexity level can also be minimised by carrying out the exercise on one part of the BCPs at a time, focusing on testing the plans individually instead of carrying out the exercise on the entire BCM all at once. The exercise can be strategized as follows:

Business Continuity Plans (BCPs) Testing and Post-Exercise Evaluation Activities

- Scheduled reviews (annually or bi-annually) consider:
  - updates on changes to the threat environment
  - substantive changes to the internal environment
- Demonstration of emergency management team capabilities;
- Rehearse people with BCM roles and responsibilities;
- Practice and validation of specific functional response capability;
- Focus on demonstration of knowledge and skills, as well as team interaction and decision-making capability;
- Role playing with simulated response at alternate locations/facilities;
- Deployment of all or some of the crisis management/response team to practice proper coordination;
- Carry out evacuation plan test separate from IT and power recovery plans;
- Test the listed contact numbers and understanding of roles of persons involved (internal and external);
- Desk check test: review of document in-situ;
- Walk through test (participants walk through the planned procedures in response to a scenario to validate their role knowledge and confirm viability of the plan against business objectives and risk environment);
- Rehearse use of fire extinguishers;
- Review First Aid Kit for completeness and validation of expiry dates on medical products;
- Mobilization of personnel and resources at varied alternate locations;
- Validation of crisis response functions;
- Enterprise-wide participation and interaction of internal and external management

- Response teams with full involvement of external parties

The Executives and Senior Management must review the BCP test results to ensure that the tests were conducted successfully, identify the gaps and enhance improvements where required.

8.1 Benefits of BCPs Testing and Exercise

The benefits of testing and exercising BCPs include the following:

- Provides participants with the necessary background information;
- Sets the preparedness of the environment;
- Validates plans for accuracy and pragmatism;
- Maintains and updates the BRPs (Business Recovery Plans);
- Testing verifies business recovery strategies and exposes gaps;
- Testing assists in ensuring that plans adhere to all applicable legal, regulatory and standards requirements;
- Periodically reassess risks, impacts and strategies, make corrections as necessary, and retest frequently to ensure effectiveness of plans;
- Risk monitoring - ensures a BCP is viable through testing, independent review, and periodic updating.

9. MAINTENANCE OF BUSINESS CONTINUITY PLANS

Continuous appraisal of the BCP is essential to maintaining its effectiveness and relevancy. Following resolution of any serious interruption to, or cessation of, service, the risks should be reassessed to identify any new threats and vulnerabilities or any changes in known risks, such as an increased probability of occurrence.

Business continuity plans should be maintained subject to the disruption, to ensure their effectiveness. This responsibility should be assigned to relevant personnel to ensure sustainability, adequacy and effectiveness.

IT Disaster Recovery Plan (DRP) maintenance is also of utmost importance to ensure capability of recovering and governing procedures. This involves keeping the implementation plan relevant and in sync with business changes, especially when new technology initiatives are being introduced. A formal review of the IT Disaster Recovery Plan should be conducted bi-annually, to identify and incorporate any changes in the IT environment.
Particular attention should be paid to the review of the recovery equipment configurations to ensure that the business has the required equipment to restore the business functionality as quickly as possible. These reviews will require the time and attention of all Plan holders and team members, especially those that have hardware and network responsibilities.

10. BUSINESS CONTINUITY MANAGEMENT TEAMS

Proper response to business disruptions and crises requires teams to lead and support recovery and response operations. Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities on business recovery strategies.

The development of each plan should be facilitated by GRAS, on behalf of the Business Continuity Planning Team; however, each contingency and recovery plan should be a responsibility of BCM teams at the Departments and Entities. GRAS facilitates the identification of risks and the development of risk mitigation strategies across business areas. To ensure continuity and sustainability of recovery plans, back-up nominees for the teams should also be identified.

Each contingency and recovery team should comprise knowledgeable, trained and skilled personnel in each relevant field of BCM and business functions. The purpose of the teams is to develop, activate and co-ordinate the implementation of each BCP. To ensure adequate resources, recovery teams may involve using services from external experts where necessary (Emergency Services). Those persons should be provided with a good knowledge of the business area involved and be capable of providing the level of support required at short notice.

Appointment of Crisis and Emergency Management Teams must involve:

- Building Evacuation Manager/Crisis Coordinator;
- Fire Fighters;
- Evacuation Marshalls;
- First Aiders;
- Damage Assessor or Damage Assessment Team Leader.

11. TRAINING OF STAFF ON BUSINESS CONTINUITY MANAGEMENT

For successful Business Continuity Management, employees should be educated about the business recovery strategies and the types of emergencies that may occur, and be trained in the proper course of action. BCM awareness should be raised amongst all the employees, and Business Continuity Plans should be communicated to them; these include Business recovery plans, Business resumption plans, Incidents and Crisis Management plans, and ICT recovery and disaster plans.

BCM teams must undergo specialised/selected training, for instance:

- Training in developing, implementation, testing and maintenance of BCPs
- Business Resumption Plan Implementation Training
- Emergency procedures, Backup retrieval, etc.
- Risk Management
- Documenting the Disaster Recovery Plan
- A training programme for those directly involved in the execution of the evacuation plan

However, all staff should undergo basic awareness training, which gives the staff an insight into basic Business Continuity and informs them about Business Recovery Plans and incident response.

12. ROLES AND RESPONSIBILITIES

ROLES / RESPONSIBILITIES

Council is responsible to:
- adopt and approve the developed City's Business Continuity Management Framework and Business Continuity Plans;
- oversee the Business Continuity Management process within the City;
- ensure that the City develops and maintains effective, efficient and economical Business Continuity Management strategies;
- ensure that the City identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process.

City Manager
The City Manager is responsible for:
- ensuring that Business Continuity Management is established and implemented effectively;
- authorising the resources (budget) for the development and implementation of Business Continuity Plans in all their entirety.

Group Risk and Governance Committee (GRGC)
The Group Risk and Governance Committee (GRGC) has the authority of the Mayoral Committee to:
- oversee the City's Business Continuity Management function;
- provide guidance on the City's Business Continuity Management processes;
- discuss and review Group Risk Management Business Continuity Plans with respect to Group Risk Management Policy;
- set the tone and influence the culture of risk management, which includes determining the appropriate Business Continuity Plans;
- monitor the management and the implementation of Business Continuity Plans thereof;
- satisfy itself that business disruptions are being actively managed with the appropriate response strategies in place;
- annually review the City's approach to Business Continuity Management and recommend to the Mayoral Committee changes or improvements to key elements of its processes and procedures;
- perform other activities consistent with its charter, City by-laws and governing regulations as deemed appropriate; and
- provide assurance to the Mayoral Committee that, at the operational level, the BCM function is handled by all heads of department, CEOs, EDs and MDs across the City.

Group Risk and Assurance Services (GRAS)
GRAS has the responsibility to facilitate the development and the implementation of BCM at Departments and Entities, by:
- conducting Business Impact Analysis at all areas of business operations;
- facilitating the development and implementation of Business Continuity Plans;
- assisting in reviewing BCPs testing and exercising results and identifying gaps;

- facilitate the development of Business Continuity response plans;
- carry out physical and security risk assessments at all departments' and entities' office buildings;
- carry out physical and security risk assessments at all the City's properties (buildings, plants, landfills);
- conduct on-going risk monitoring and communicate the results to the Executives and Senior Management; and
- provide adequate information in a timely manner to the Group Risk and Governance Committee (GRGC) on the status of Business Continuity Management within the City.

Chief Information Officer (CIO)
The CIO's responsibility includes:
- providing guidance and strategies to IT staff in establishing IT continuity and discovery Programs; this includes contingency planning actions, and developing, testing, and implementing executable DRP and BRPs;
- reviewing of IT DRP and BRPs;
- tracking and monitoring compliance with this BCM framework;
- providing an assessment report of all IT Contingency Plans to the City Manager and to all relevant internal committees;
- identifying measures that may enable advantages in DRP and BRP activities across the City; and
- observing ITDRP testing, as required, and evaluating and recommending a specific course of action to remedy deficiencies found during review of plans or tests.

Executives and Senior Management
Executives and Senior Management are responsible for Business Continuity Management (BCM) within the City, and:
- should ensure that all Business Continuity Plans, procedures and policies are developed, implemented, reviewed and tested in conjunction with this framework;
- should secure funding to cover the cost of developing, implementing, and maintaining Business Continuity Plans in their Service Development Business and Implementation Plan (SDBIP);
- provide annual budgeted funding and staffing for disaster recovery and business resumption activities such as testing, training and off-site storage, and contingency planning for IT systems; and
- should also ensure that all major systems are identified and prioritized in order of criticality and that all plans are reviewed and approved.

13. BUSINESS CONTINUITY MANAGEMENT GOVERNANCE STRUCTURE

To ensure the effectiveness of Business Continuity Management within the City, the BCM governance structure should be established. The diagram below depicts the City's BCM Governance Structures.

CoJ Business Continuity Management Governance Structure:

Diagram (CoJ Business Continuity Management Governance Structure): Council; Mayoral Committee; Sub-Mayoral Committee; Group Oversight Committees (GRGC, GAC, GPAC); City Manager; ME's Oversight Committees (ARC/RC, Board); Executive/Senior Management (MD, CEO, ED, Group Head, CIO, HoD); Cluster Committees

BCM Steering Committee

A Business Continuity Steering Committee tasked with developing and reviewing business continuity planning decisions and recovery strategies should be established, and it should be effective and functional. The committee should consist of relevant personnel, including IT specialists and BCM team members. The Executives and Senior Management are responsible for establishing a BCM Steering Committee within their area of responsibility. Unlike a typical project management committee, which is disbanded on completion of the project, the BCM Steering Committee should be permanent and should meet on a quarterly basis. The BCM Steering Committee is responsible for providing a report, on a quarterly basis, on the status of business continuity within the City, and for recommending improvements, where necessary, to the City's Business Continuity Management Governance Structure.

Diagram (Business Continuity Management Steering Committee): Executive/Senior Management (MD, CEO, ED, Group Head, HoD); Risk Officer; Legal Representative; Chief Information Officer (CIO); HR Representative; Crisis and Emergency Team; Security Representative; IT Specialists; Strike Management Team

14. RECORDS AND ARCHIVING

Continuity of critical operational services, functioning of IT systems and the integrity of essential supporting business processes within the City are dependent upon the availability of records. A record, in this context, contains information which has been generated or gathered as a result of Business Impact Analysis (BIAs), Business Continuity Plans and Risk Assessments (including Physical and Security Assessments). Therefore, each Department and Entity should ensure the proper record keeping and archiving of BCM information; this will also ensure a proper audit trail.

Business Continuity Management Teams are accountable for records management and have a duty to make arrangements for the safekeeping of those records (manual or electronic), and to ensure their accessibility in the event that response strategies need to be activated.

15. BUSINESS CONTINUITY MANAGEMENT POLICY

The City must operate within the terms of the Group Risk Management Policy as approved by the Group Risk and Governance Committee, which includes policy on Business Continuity Management. The implementation of the Group Risk Management Policy is guided by this Framework.

16. INSURANCE

Insurance in the City is commonly used to recoup losses from risks that cannot be completely managed through normal business operations. Generally, insurance coverage is obtained for risks that cannot be entirely controlled, yet could represent significant potential losses or even disastrous consequences. The decision to obtain insurance should be based on the probability and degree of loss identified during the BIAs process.

Departments and Entities should determine potential exposures for various types of disasters/crises and review the insurance options available to ensure appropriate insurance coverage is provided. The Executives and Senior Management should know the limits and coverage detailed in insurance policies to make sure coverage is appropriate given the risk profile of the Department/Entity, and to ensure coverage is commercially reasonable and consistent with any legal and Council requirements.

The Executives and Senior Management must understand that insurance can reimburse the City for some or all losses incurred as the result of a disaster, crisis or other significant event. However, insurance is by no means a substitute for an effective BCM.

17. AUTHORITY AND APPROVAL

17.1 Ownership

Ownership of this Framework vests with the Group Risk and Governance Committee; this, in turn, has been delegated to the GRAS Risk Advisory Services (RAS) Unit.

Review and Approval

The Framework must be reviewed and approved by the Group Risk and Governance Committee annually or as necessitated by changes in legislation or the requirements in the City's risk management landscape. GRAS is responsible for the coordination, drafting and update of this Framework, and the submission of this Framework to the Group Risk and Governance Committee for review and approval.

Approved

CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY

Mr. NDIVHONISWANI LUKHWARENI
CITY MANAGER
CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
DATE:

Approved

Mr. J. MAKORO
CHAIRPERSON
GROUP RISK & GOVERNANCE COMMITTEE
DATE:

CLLR DR REBALANI DAGADA
MMC: FINANCE
CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY
DATE:


More information

GUIDE TO CONTINUITY PLANNING

GUIDE TO CONTINUITY PLANNING Academic GUIDE TO CONTINUITY PLANNING The aim of WashU Continuity is to increase the university s resilience in the face of disruptive events. Resilience means being able to continue performing the university

More information

Presentation on Crisis Management and Business Continuity. ISCA Breakfast Talk 13 September See Hong Pek, Partner, PwC

Presentation on Crisis Management and Business Continuity. ISCA Breakfast Talk 13 September See Hong Pek, Partner, PwC Presentation on Crisis Management and Business Continuity ISCA Breakfast Talk 13 September 2017 See Hong Pek, Partner, . Some definitions.. Business Continuity is the: Capacity of the organization to continue

More information

Disaster Recovery Strategies for the BlackBerry Enterprise Solution

Disaster Recovery Strategies for the BlackBerry Enterprise Solution Disaster Recovery Strategies for the BlackBerry Enterprise Solution An Overview Contents Audience... 1 Purpose... 1 Introduction to disaster recovery planning... 1 Key considerations in disaster recovery

More information

October WFE Response to the BoE-FCA-PRA Discussion Paper: Operational Resilience

October WFE Response to the BoE-FCA-PRA Discussion Paper: Operational Resilience October 2018 WFE Response to the BoE-FCA-PRA Discussion Paper: Operational Resilience Background The World Federation of Exchanges (WFE) is the global trade association for exchanges and clearing houses,

More information

The City of Edmonton. Enterprise Risk Management and Business Continuity Management

The City of Edmonton. Enterprise Risk Management and Business Continuity Management The City of Edmonton Enterprise Risk Management and Business Continuity Management Presenters: Ken Baker, CPA, CMA, ARM-E, Corporate Manager, Enterprise Risk Management Butch Brennan, MBA, CBCP, Business

More information

The Sector Skills Council for the Financial Services Industry. National Occupational Standards. Risk Management for the Financial Sector

The Sector Skills Council for the Financial Services Industry. National Occupational Standards. Risk Management for the Financial Sector The Sector Skills Council for the Financial Services Industry National Occupational Standards Risk Management for the Financial Sector Final version approved April 2009 IMPORTANT NOTES These National Occupational

More information

Internal Audit report

Internal Audit report Financial Conduct Authority Internal Audit report The FCA s incident response and crisis management capability Findings identified Major 2 Moderate 1 Minor 0 24 October 2014 1 1 Executive Summary 1.1 Summary

More information

Final Report. Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) EBA/GL/2017/05.

Final Report. Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) EBA/GL/2017/05. EBA/GL/2017/05 11 May 2017 Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) 1 Contents Executive Summary 3 Background and rationale 5 Guidelines

More information

Essential Concepts. For Effective. Business Continuity Planning

Essential Concepts. For Effective. Business Continuity Planning Essential Concepts For Effective Business Continuity Planning 1 What is a Business Continuity Plan (BCP)? A Business Continuity Plan (BCP) is a comprehensive set of business strategies and actions designed

More information

Business Continuity Framework

Business Continuity Framework Business Continuity Framework A definition to the Components of Resiliency March, 1 Business Continuity Framework 1. INTRODUCTION... 3 2. PURPOSE... 3 3. THE FRAMEWORK... 4 4. STEERING COMMITTEE... 5 5.

More information

Top 10 pitfalls to avoid when re-inventing your disaster recovery program

Top 10 pitfalls to avoid when re-inventing your disaster recovery program The Essential DR Cheat Sheet: Top 10 pitfalls to avoid when re-inventing your disaster recovery program Consult Build Transform Support Every new malicious attack or weather catastrophe underscores the

More information

Business Continuity Project Planning Process for Educational Institution

Business Continuity Project Planning Process for Educational Institution Business Continuity Project Planning Process for Educational Institution Varun Maheshwari; Rahul; Kumar Gaurav and Chandan Kumar Singh Student MSCLIS, IIIT Allahabad India Varunmaheshwari02@gmail.com Abstract

More information

The 13th Annual Continuity Insights Management Conference

The 13th Annual Continuity Insights Management Conference The 13th Annual Continuity Insights Management Conference Presented by: Continuity Insights What Enterprise-Wide Business Continuity Really Means Communicating the value of BC to management and embedding

More information

BUSINESS CONTINUITY & STRATEGY POLICY

BUSINESS CONTINUITY & STRATEGY POLICY BUSINESS CONTINUITY & STRATEGY POLICY Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date:

More information

Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders. October 7, 2014

Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders. October 7, 2014 Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders October 7, 2014 Agenda Background Program Elements What Makes it Enterprise-wide Recommended Strategies

More information

EDINBURGH NAPIER UNIVERSITY BUSINESS CONTINUITY POLICY AND FRAMEWORK

EDINBURGH NAPIER UNIVERSITY BUSINESS CONTINUITY POLICY AND FRAMEWORK EDINBURGH NAPIER UNIVERSITY BUSINESS CONTINUITY POLICY AND FRAMEWORK Purpose This policy sets out the University s approach to maintaining and developing business continuity plans on an on-going basis

More information

Business Continuity Policy. Interim Governance Consultant. October Greenwich Executive Group

Business Continuity Policy. Interim Governance Consultant. October Greenwich Executive Group Business Continuity Policy Author(s) Interim Governance Consultant Version 1.1 Version Date October 2016 Implementation/Approval Date October 2016 Review Date October 2017 Review Body Greenwich Executive

More information

Building a Standard for Business Continuity Planning

Building a Standard for Business Continuity Planning Building a Standard for Business Continuity Planning John Lugo Sr. Business Continuity Analyst April 17, 2012 1 April 16 18, 2012 Talking Stick Resort Scottsdale, Arizona Business Continuity @ Citrix Statistics

More information

Business Recovery & Continuity Plan

Business Recovery & Continuity Plan Page 1 of 22 Business Recovery & Continuity Plan Document Control Responsible Person Review Frequency Reviewed by Chief Executive 3-Yearly (Strategic Review) Board Date Approved November 2017 Next Review

More information

CLICNET TELECOMMUNICATIONS INC. Business Continuity Plan

CLICNET TELECOMMUNICATIONS INC. Business Continuity Plan CLICNET TELECOMMUNICATIONS INC. Business Continuity Plan 1 Emergency notification contacts Name Address Home Mobile phone 2 Revisions control page Date Summary of changes made Changes made by (Name) 3

More information

Introduction to BCP and DR Planning

Introduction to BCP and DR Planning Introduction to BCP and DR Planning Based on the book RESPONSE! Planning & Training for Emergency Recovery November 24, 2015 Tim Elemes Huber Advisors P.O. Box 175 Hugo, MN 55038 information@huberadvisors.com

More information

18 Business Continuity Management

18 Business Continuity Management 18 Business Continuity Management Business Continuity is the strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business

More information

Business Recovery & Continuity Plan

Business Recovery & Continuity Plan Page 1 of 22 Business Recovery & Continuity Plan Document Control Responsible Person Review Frequency Reviewed by Chief Executive 3-Yearly (Strategic Review) Board Date Approved November 2017 Next Review

More information

The ABCs of BDR: A Primary on the Essentials of Backup and Disaster Recovery

The ABCs of BDR: A Primary on the Essentials of Backup and Disaster Recovery WHITE PAPER The ABCs of BDR: A Primary on the Essentials of Backup and Disaster Recovery 1. INTRODUCTION In an increasingly data-driven world, the need for businesses to plan for the continuity of operations

More information

Disaster Preparedness Critical Elements of Centurion Business Continuity Planning. Tom Williams Centurion Business Continuity Strategy Manager

Disaster Preparedness Critical Elements of Centurion Business Continuity Planning. Tom Williams Centurion Business Continuity Strategy Manager Disaster Preparedness Critical Elements of Centurion Business Continuity Planning Tom Williams Centurion Business Continuity Strategy Manager Disaster Preparedness Webinar Series This webinar, Critical

More information

Introduction. This page should be removed prior to finalizing your Business Continuity Plan. Page 1 of 33

Introduction. This page should be removed prior to finalizing your Business Continuity Plan. Page 1 of 33 Introduction The following template is provided as a tool and is intended to cover as many disaster scenarios as possible. It is expected that as you go through the template, you will edit, modify or delete

More information

Business Continuity Framework v

Business Continuity Framework v UC Policy Library Business Continuity Framework Last Modified December 2017 Review Date March 2020 Approval Authority University Registrar Contact Officer Risk Manager Vice-Chancellor's Office Introduction

More information

Unit 29. Installing and Upgrading Software Level 3 Disaster Recovery Back Outs

Unit 29. Installing and Upgrading Software Level 3 Disaster Recovery Back Outs Unit 29 Installing and Upgrading Software Level 3 Disaster Recovery Back Outs Last Session Back Ups File Based Image Based File Synchronization Todays Session Disaster Recovery Back out Procedures Disaster

More information

Business Continuity Planning System for the KDPW Group - BCP System Policy (excerpt)

Business Continuity Planning System for the KDPW Group - BCP System Policy (excerpt) Business Continuity Planning System for the KDPW Group - BCP System Policy (excerpt) Contents: I. Introduction... 2 II. BCP System general principles... 2 III. BCP System Documentation... 4 IV. BCP System

More information

Public Governing Body Meeting 19 August 2014

Public Governing Body Meeting 19 August 2014 This paper is being submitted to the Governing Body for amendment and/or approval as appropriate. It should not be regarded, or published, as CCG Policy until formally agreed at the Governing Body meeting,

More information

Governance Institute of Australia Ltd

Governance Institute of Australia Ltd Governance Institute of Australia Ltd Management Policy 1. Overview management is a key element of effective corporate governance. In view of this, Governance Institute of Australia Ltd (Governance Institute)

More information

BUSINESS CONTINUITY PLANNING WORKPROGRAM

BUSINESS CONTINUITY PLANNING WORKPROGRAM BUSINESS CONTINUITY PLANNING WORKPROGRAM EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization s business continuity planning process, and determine whether the continuity

More information

Audit of Business Continuity Planning (BCP) Audit and Evaluation Branch

Audit of Business Continuity Planning (BCP) Audit and Evaluation Branch Final Audit Report Audit and Evaluation Branch June 2006 Tabled and approved by DAEC on January 9, 2007 TABLE OF CONTENTS 1.0 EXECUTIVE SUMMARY... 2 1.1 INTRODUCTION... 2 1.2 OVERALL ASSESSMENT... 2 1.3

More information

Our Approach to Risk Management

Our Approach to Risk Management 62 Li & Fung Limited Annual Report 2017 Our Approach to Risk Management Our Approach to Risk Management We maintain a solid, effective system of risk management and internal controls to support us in achieving

More information

Enterprise-wide Business Continuity and Disaster Recovery Planning. Presented by Kelley Okolita

Enterprise-wide Business Continuity and Disaster Recovery Planning. Presented by Kelley Okolita Enterprise-wide Business Continuity and Disaster Recovery Planning Presented by Kelley Okolita Don t get caught without a plan Gloom and Doom My job and yours is to preach Doom and Gloom Planning, not

More information

PLANNING FOR POST-DISASTER RECOVERY BRIEFING PAPERS ADOPT A PRE-EVENT RECOVERY ORDINANCE

PLANNING FOR POST-DISASTER RECOVERY BRIEFING PAPERS ADOPT A PRE-EVENT RECOVERY ORDINANCE 08 PLANNING FOR POST-DISASTER RECOVERY BRIEFING PAPERS ADOPT A PRE-EVENT RECOVERY ORDINANCE In the immediate days and weeks following a disaster, it may be difficult to assemble a quorum of the governing

More information

Indigenous and Northern Affairs Canada. Internal Audit Report. Audit of Business Continuity Planning. Prepared by: Audit and Assurance Services Branch

Indigenous and Northern Affairs Canada. Internal Audit Report. Audit of Business Continuity Planning. Prepared by: Audit and Assurance Services Branch Indigenous and Northern Affairs Canada Internal Audit Report Audit of Business Continuity Planning Prepared by: Audit and Assurance Services Branch August 2017 TABLE OF CONTENTS TABLE OF CONTENTS... i

More information

Meet Our Presenter. Equipping You For Success: An ISO Certification Case Study

Meet Our Presenter. Equipping You For Success: An ISO Certification Case Study Equipping You For Success: An ISO 22301 Certification Case Study March 28, 2017 10:45 11:45 am Maureen Roskoski, Corporate Sustainability Officer, Facility Engineering Associates, PC Meet Our Presenter

More information

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden Appendix A: Examination Procedures EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing

More information

EY s Africa Resilience Survey 2016

EY s Africa Resilience Survey 2016 EY s Africa Resilience Survey 2016 For more information, please visit: ey.com/za Follow us on Twitter: @EY_Africa B EY s Africa Resilience Survey 2016 Foreword Welcome to EY s Africa Resilience Survey

More information

Enabling a Comprehensive Platform for BCMP that integrates People, Process and Technology

Enabling a Comprehensive Platform for BCMP that integrates People, Process and Technology Enabling a Comprehensive Platform for BCMP that integrates People, Process and Technology TM Overview Perpetuuiti provides an intelligent, end-to-end automated approach towards Business Continuity Planning

More information

Business Continuity. Building a Program Fit for Purpose

Business Continuity. Building a Program Fit for Purpose Business Continuity. Building a Program Fit for Purpose Tim Janes. Director Fulcrum Risk Services Tuesday 2 September. 11.30-12.45 T Janes. BC SLIDES. RIMS Risk Forum Aust 2014 v1.0 Building a BC Program

More information

Business Continuity Through Planning, Prevention and Preparedness. READINESS RESOURCES

Business Continuity Through Planning, Prevention and Preparedness.  READINESS RESOURCES READINESS RESOURCES Federal Emergency Management Agency -- www.fema.gov Emergency Management Guide for Business & Industry: http://www.fema.gov/pdf/business/guide/bizindst.pdf American Red Cross -- www.redcross.org

More information

Active Essex Risk Management Strategy

Active Essex Risk Management Strategy Active Essex Risk Management Strategy 2017-2021 November 2017 Contents 1. Policy Statement 2. Statement of Commitment 3. Risk Management Framework 4. Risk Appetite 5. Risk Maturity 6. Risk Management Levels

More information

Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP)

Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP) Keep Your Company Moving After A Disaster With A Business Continuity Plan (BCP) HR Benefits Payroll gnapartners.com It only takes one major interruption to its business operations for a company to recognize

More information

LI & FUNG LIMITED ANNUAL REPORT 2016

LI & FUNG LIMITED ANNUAL REPORT 2016 52 Our approach to risk management We maintain a sound and effective system of risk management and internal controls to support us in achieving high standards of corporate governance. Our approach to risk

More information

[RESTRICTED ACCESS: SECURITY] COMMONS EXECUTIVE COMMITTEE Update on business resilience capability and annual approval of Business Resilience Policy

[RESTRICTED ACCESS: SECURITY] COMMONS EXECUTIVE COMMITTEE Update on business resilience capability and annual approval of Business Resilience Policy EC2016.P.04 COMMONS EXECUTIVE COMMITTEE Update on business resilience capability and annual approval of Business Resilience Policy Paper from: David Leakey, Chair of the Business Resilience Group Paper

More information

Protecting your Vital Records from Natural and Man-Made Disasters

Protecting your Vital Records from Natural and Man-Made Disasters Are your Vital Records Protected from Natural and Man-Made Disasters? Protecting your Vital Records from Natural and Man-Made Disasters By Cadence Group s Records and Information Management Practice Group

More information

Indigenous and Northern Affairs Canada (INAC) National On-reserve Emergency Management Plan

Indigenous and Northern Affairs Canada (INAC) National On-reserve Emergency Management Plan Indigenous and Northern Affairs Canada (INAC) National On-reserve Emergency Management Plan Contents INAC SECTION 1: INTRODUCTION... 3 1.1 Authorities and Legislation... 3 1.2 Whole-of-Government Approach

More information

SUBJECT AREA 3 - BUSINESS IMPACT ANALYSIS

SUBJECT AREA 3 - BUSINESS IMPACT ANALYSIS SUBJECT AREA 3 - BUSINESS IMPACT ANALYSIS Identify the impacts resulting from business interruptions that can affect the organization and techniques that can be used to quantify and qualify such impacts.

More information

Business Continuity Guide

Business Continuity Guide Business Continuity Guide Introduction All businesses need to be aware of the risks facing them every day and how to effectively manage them. Within this business continuity guide we have provided high-level

More information

WILTSHIRE POLICE FORCE POLICY

WILTSHIRE POLICE FORCE POLICY Template v4 WILTSHIRE POLICE FORCE POLICY BUSINESS CONTINUITY MANAGEMENT SYSTEMS (BCMS) Date of Publication: January 2017 Version: 3.0 Next Review Date: January 2019 POLICY STATEMENT Wiltshire Police has

More information

CISSP Certified Information Systems Security Professional (CISSP)

CISSP Certified Information Systems Security Professional (CISSP) QUESTION 1 CISSP Certified Information Systems Security Professional (CISSP) During a recovery procedure, one important step is to maintain records of important events that happen during the procedure.

More information

Business Continuity Planning for Major Disruptions Checklist 255

Business Continuity Planning for Major Disruptions Checklist 255 Business Continuity Planning for Major Disruptions Checklist 255 Introduction Major disruptions to organisations come in many forms. Extreme weather conditions, technical failure, people related factors

More information

Auditing the Corporate Business Continuity and Disaster Recover Plan

Auditing the Corporate Business Continuity and Disaster Recover Plan Auditing the Corporate Business Continuity and Disaster Recover Plan IIA 16 th Annual Conference Transforming Internal Audit to Drive Value Sarova Whitesands, Mombasa June 2018 International ), a Swiss

More information