BCP Methodology Benefits realisation

Similar documents
Business Continuity Framework

Business Continuity & IT Disaster Recovery

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Management Policy. Guidance

Global Crises: What We Really Need to Do to Be Prepared. Day One / Session C5

Operational Resilience Measure and Report

Introducing ISO 22301

Head of Security and Business Continuity

Business Continuity. Building a Program Fit for Purpose

Citizens Property Insurance Corporation Business Continuity Framework

Rising to the challenge Delivering Internal Audit excellence

Use of data and technology in the audit

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Is your supplier risk management keeping pace with your strategic

Business Continuity Management for Singapore s Logistics Sector. By Singapore Business Federation and Singapore Logistics Association

Caribbean Association of Audit Committee Members Inc. Independent Quality Assurance Assessment of the Internal Audit function

Business Continuity Policy. Interim Governance Consultant. October Greenwich Executive Group

What s the cost of control? Keeping control of your business when cash is king

Business Continuity/ Disaster Recovery. Sean Gunasekera

Protecting Information Assets - Week 9 - Business Continuity and Disaster Recovery Planning. MIS 5206 Protecting Information Assets

Managing the payments landscape Standing still is not an option

Third Party Risk Management ( TPRM ) Transformation

Value driver modelling with Archimedes FACX for optimising mining company operations. Ilya Golubinskiy, PwC Russia 9 February 2011

US Business Continuity Safeguarding Your Business from a Disaster

Business Continuity Guide 2017

Stand out for the right reasons Getting your approach to CASS right

Are you prepared to make the decisions that matter most? Decision making in banking & capital markets

Counterfeit goods in the UK. Who is buying what, and why? PwC Contents

BUSINESS CONTINUITY PLANNING WORKPROGRAM

Essential Concepts. For Effective. Business Continuity Planning

12.0 Business Continuity Management

Presentation on Crisis Management and Business Continuity. ISCA Breakfast Talk 13 September See Hong Pek, Partner, PwC

Working Capital the cheapest source of cash 2017 Middle East Working Capital study

The winning tax transformation trinity. Data, technology and operations

Information Technology Engineers Examination. Information Technology Service Manager Examination. (Level 4) Syllabus

External Quality Assurance Review of the Office of the Auditor General Proposed Statement of Work for the Audit Sub- Committee.

CHAPTER 2: IMPLEMENTATION PHASES AND OFFERINGS

Effective Preliminary Surveys. Presented by: UCSF Audit Services

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden

Internal Audit Advisory

Building a Standard for Business Continuity Planning

Article from: CompAct. April 2013 Issue No. 47

A Discussion About Internal Controls February 2016

IPSec Professional Risk Victorian Protective Data Security Standards Compliance Services Overview in Brief

The Sector Skills Council for the Financial Services Industry. National Occupational Standards. Risk Management for the Financial Sector

University Information Technology Services. Business Impact Analysis For {System Name}

Disaster Preparedness & Your Supply Chain

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Moving from BS to ISO The new international standard for business continuity management systems

Looking beyond simple savings

2016 Business Continuity / Disaster Recovery Internal Audit Report

IT Services Management

How to to transition to ISO One year on. Rob Acker Business Continuity Lead Assessor LRQA Ltd

The hidden reality of payroll & HR administration costs

Business Continuity Planning

An Overview of the AWS Cloud Adoption Framework

Yale University Business Continuity Planning Quick Start Guide

Transformation confidence Helping you get closer to your transformation programme

Present and functioning: Fine-tuning your ICFR using the COSO update

The Future of Internal Auditing:

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

2017 Archaeology Audit Program Procedure Manual. April 2017

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Head of Protective Services Specialist Operations. Business Continuity Manager

Disaster Recovery Planning

IT Management & Governance Tool Assess the importance and effectiveness of your core IT processes

WILTSHIRE POLICE FORCE POLICY

Building and Maintaining a Business Continuity Program

ENTERPRISE RISK MANAGEMENT THE KEY TO BUSINESS SUCCESS By Phil Griffiths FCA

Fixed scope offering. Oracle Fusion Inventory & Cost Management Cloud Service. 22 February 2016 A DIVISION OF DIMENSION DATA

Measuring and communicating success

Idhammar MMS The Business Case

Auditor General s Office REVIEW OF THE CITY SAP COMPETENCY CENTRE APPENDIX 1. June 1, 2010

Risk Analysis (Project Impact Analysis)

Federal Financial Supervisory Authority (BaFin)

STATE OF NORTH CAROLINA

Contents. Is Paris possible? 3. The Index 5. UK leading the low carbon revolution 8. China: Tackling coal consumption 9. Bracing for disruption 10

AN ASSESSMENT OF THE COSTS AND BENEFITS ASSOCIATED WITH THE IMPLEMENTATION OF SARBANES OXLEY SECTION 404 IN A SOUTH AFRICAN CONTEXT

It s all about the tech, right? How to succeed with your digital transformation

Financial Industry Summit on Business Continuity Federal Reserve Bank of New York February 26, Meeting Summary

Unleashing the power of innovation

Navigating the Intersection of Vendor Management and Business Continuity

Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017

On the Revision of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal Control

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Preparatory study for Steam Boilers Ecodesign

IT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu

Supply Chain Management within Business Continuity

Digital Transformation - What s Happening in Waste and Recycling Tech, Software, Cloud, Data, Mobile & Analytics?

ISO Business Continuity Management. Your implementation guide

Global Transfer Pricing Conference

Coastal Equities, Inc.

BDO LUXEMBOURG TRANSPARENCY REPORT 2016

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Accelerate Your Digital Transformation

GEMS Education Global Education Survey

CLICNET TELECOMMUNICATIONS INC. Business Continuity Plan

Implementation Guides

Book A : REFERENCE DOCUMENTS

bizsafe Level 2 Ver. 1.0 by MOM/WSH Council. For Authorised Use Only. All Rights Reserved.

Transcription:

www.pwc.com.cy BCP Methodology Benefits realisation

Risk Assurance Consulting (RAC) Risk Assurance Consulting (RAC) helps management to make well informed decisions. The insight and independent assurance we bring provides an invaluable safeguard in today s complex operating environment. We work with our clients in their boardrooms and their back offices, delivering business control to help them to protect and strengthen every aspect of their business from people to performance, systems to strategy, business plans to business resilience. We draw proudly on our auditing heritage as well as our commercial experience, to rigorously evaluate our clients governance procedures, processes, information and controls and, where necessary, recommend the best way to fix them. Our Risk Assurance Consulting service consists of nearly 30 employees with various background knowledge and offers expertise on Business Continuity Management (BCM), Internal Audit Services, Internal Controls Optimisation, Corporate Governance and Reporting, as well as Assurance and Advisory services related to security and controls of information technology systems including Enterprise Resource Planning (ERP) systems (e.g. SAP, Oracle, Navision), Project Implementation Assurance (PIA), Computer -Assisted Audit Techniques (CAATs), Spreadsheet Integrity, ISO/IEC 27001 standard, Penetration Testing and IT Risk Diagnostic and Benchmarking. Contact us Christos Tsolakis Partner Risk Assurance Consulting christos.tsolakis@cy.pwc.com PricewaterhouseCoopers Ltd 3 Themistocles Dervis Street CY-1066 Nicosia, Cyprus P O Box 21612, CY-1591 Nicosia, Cyprus Tel: +357-22555000 Fax: +357-22555001 www.pwc.com.cy/risk-assurance-consulting BCP Methodology 1

PwC BCP Methodology Our BCP methodology incorporates five (5) phases. The phases take an organisation from prioritising core business processes and developing recovery strategies, through creating plans for the critical business units and the initial testing of the plans. This methodology will be applied to deliver our services to the critical departments at your location(s). Phase I Risk Assessment HealthCheck of existing Plans Perform Threat Analysis Review existing mitigation Phase II Business Impact Analysis Determine Business Process Analyse and Validate Prioritize Consider threat & Impact Determine RTOs and Resources Phase III Strategy Selection Minimum Recovery Resources Range of Strategies Cost vs. Benefit Review RFI/RFP cost Strategy Selection Phase IV Plan Development Prepare Team Structure Prepare Team Procedures Draft Business Continuity Plan Phase V Testing & Maintenance Testing & Maintenance Procedures Test (walk through, other) Document Final BCP Phase I: Risk Assessment During the risk assessment phase, the relevant threats are identified. PwC has built an inventory which exhaustively lists the possible disasters and incidents that can impair the continuity of the operations. Our specialised consultants use this list as a basis for the identification of the threats that are relevant for the organisation of the client. The resulting inventory of threats is validated and completed in cooperation with client management. For each threat, the impact and probability of occurrence of the risks are both analysed and documented. In order to build a practical set of measures, we suggest the grouping of the identified threats into crisis scenarios. During this phase, the existing plans and measures are also evaluated if this is required by the client. This will enable us to assess the extent to which the organisation is prepared to face the identified crisis scenarios. 2 PwC Cyprus

Phase II: Business Impact Analysis Through the Business Impact Analysis (BIA) phase of the project we take a broad look at the organisation s business functions and narrow down the functions into a focused list of critical processes. In our experience, concentrating the list of business functions allows for the most effective planning and use of recovery resources. Specifically, the BIA will allow the team to: Identify the organisation s core, critical processes Distinguish the impacts to each business function Identify the resource requirements for each critical process Estimate the financial and operational impacts of disruption and, through this, determine the required Recovery Time Objective for each business function Categorize the criticality and vulnerability of each business process Confirm or modify required recovery resources for each critical business function identified The BIA begins with the distribution of customized BIA questionnaires to the management of the organisation. The questionnaires serve to determine and quantify the impacts to each department and the impact a disruption of the business function would have on the organisation. It also probes into the internal and external interdependencies, identifies threats, assesses levels of risk, and prioritises the core processes. The organisation s respondents can expect to spend one (1) to two (2) hours completing the questionnaire. PwC reviews the questionnaires in preparation for the first work session. PwC will conduct these work sessions with the Subject Matter Experts (SME) from each division. The work sessions focus on validating and clarifying questionnaire responses, and gathering more detailed information. In our experience, these interviews tend to take approximately two (2) hours. The information gathered from the questionnaires and work sessions will then be analysed and the organisation will be provided with a preliminary draft of our findings. The results will be reviewed with appropriate members of the organisation s management to ensure accuracy and completeness. The draft report includes critical information addressing the following issues: Financial impacts of disruption Operational impacts of disruption Recovery time objectives Recommended staffing levels for business continuity Required resources (i.e., office equipment computer systems, vital records, telecommunications) for business continuity of each critical department Rational recovery strategies for critical business functions The questionnaires and work sessions provide the critical data for creating the BIA. The results of the BIA provide the foundation upon which the organisation s business continuity plans and program are created. BCP Methodology 3

Phase III: Strategy Alternatives Analysis/Evaluation and Selection In this phase, PwC, in conjunction with the organisation, explores a variety of strategy alternatives for the recovery of the critical business units. Based on the information from the BIA and strategy options, we help the organisation select the most cost effective and beneficial recovery solution(s). In particular, this stage is used to: Confirm or modify required recovery resources for each critical business function identified during the BIA Explore internal, as well as external, sites for recovery Explore manual and interim workarounds to deal with the loss of systems, facilities, regional infrastructure and critical third parties Explore alternative recovery strategies Roundtable discussions with the organisation s management, IT and Facilities department will be conducted to achieve the objectives stated above. General Recovery Strategies: Cold Site Warm Site Hot Site Sample of Specialized Sites: Conference Centre Work from Home 3rd Party / Vendor Location The primary deliverable from this phase will be a high-level recovery strategy evaluation for all critical areas, covering both manual and automated recovery strategies. The discussion of the recovery options will address the following for each alternative: Recovery Strategy - a brief description of the option, including alternate site requirements Strengths - features that support business continuity Weaknesses - features that hinder business continuity Costs - pre-disaster and post-disaster costs Outstanding Issues - items that require further investigation and management approval before implementing an option Recommendations suggestions about which business functions or types of functions should use a given recovery strategy Information gathered during this phase will provide the organisation with viable recovery strategies, their costs and benefits and allow the organisation s management to make informed, effective decisions regarding resource allocations for the business continuity program. 4 PwC Cyprus

Phase IV: Plan Development/Documentation The efforts of the first three phases are the foundation for a comprehensive and viable business continuity program. The information from the earlier stages is used in the creation of the Business Continuity Plan. In this phase, PwC works with the organisation s personnel to prepare draft plans for the organisation s critical business functions. In addition, PwC will design the plan to facilitate updates and changes as required for plan maintenance. This plan will serve as a guide for the organisation to assess disruptive events, determining the appropriate response(s), and initiating procedures to activate required contingency methods and procedures. Specifically, the BCP includes: Team member organization and notification Disaster assessment and declaration procedures High-level recovery resource coordination Notification and coordination of internal and external contacts Detailed recovery and restoration procedures that will provide a streamlined and effective framework for the continuity of the organisation s business The individual business process or function plans, within the greater BCP, will be based on a team concept. Recovery teams are structured to provide dedicated support for specific recovery activities. These teams will serve one or more of three functions: Recover critical business functions Provide logistical, technological and infrastructure support Manage the recovery and restoration process The second group of work sessions will be conducted with each recovery or BCP team to review and develop more detailed procedures and revise the plan. Each work session will last from 1.5 to 2.0 hours depending on the complexity of the business function. PwC will be responsible for facilitating and documenting the results of these work sessions. Each team will be responsible for incorporating the information into their business continuity plan. We propose to develop the BCP documentation, plans and supporting information in an MS Word format, which affords the organisation with an easily maintained and updated document. Initially, PwC will develop the structure and format for the overall BCP. This structure addresses the following issues: Purpose and objectives of the plan Assumptions for planning Summary of recovery strategies Roles and responsibilities Recovery policies and procedures from initial response through recovery Team membership and contact information Required applications and data Internal and external contacts information Resource requirements While no business wants to experience an outage, the details and procedures developed in this phase and supported by the recovery strategy will help the organisation s critical business functions have a quick and smooth recovery and restoration period. The goal is that all personnel will know how to function during a disruption, what business priorities they should focus on, and exactly what they should do to maintain the organisation s financial standing and reputation. BCP Methodology 5

Phase V: Plan Testing and Maintenance Once the business continuity plan and recovery procedures are developed, we conduct one structured walk-through for each plan (the final work session), to test the plan s effectiveness. The objective of this exercise is to validate recovery procedures, familiarize the organisation s personnel with their roles and responsibilities, and to identify areas of the plans that may need revisions. The testing phase of the BCP is a key step and allows us to accelerate the plan development phase and provides a substantial knowledge and ownership transfer to the organisation s personnel. While we will be involved in the initial test, it is important to recognize that business continuity plans are living documents and need to be updated on a regular basis, especially when changes in the organization occur (e.g. new applications, change in personnel). Additionally, the plans should be tested on a periodic basis. As facilitators of the test, we provide assistance in the following areas: Developing objectives and test scenarios Creating scripts before the test Observing the test Noting the progress and results of the test Conducting post-test debriefings 6 PwC Cyprus

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Ltd, Cyprus, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2011PricewaterhouseCoopers Ltd. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers Ltd of Cyprus, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback