Introduction to Instructor - INDIAN BANKS' ASSOCIATION


Business Continuity Management :
Reducing Operational Risk
DHIRAJ LAL
Country Manager, BCMI India
Risk and Compliance Annual Summit 2007
Mumbai - March 9, 2007
Introduction to Dhiraj Lal
• Professional Certifications
– Certified Business Continuity Professional (CBCP)
– Certified Information Security Auditor (CISA)
– ITIL Foundation Certified
– Certified Six Sigma Green Belt
• Prior Corporate Appointments
– Agilent Technologies International
– American Express
– Citibank NA
– Standard Chartered Bank
BCMI Objectives
• Promote awareness in disaster recovery planning and business continuity management
– Deliver Courses & Exams
– Organizing Conferences & Seminar Events
– Publishing Technical & Research Papers
• To be Asia’s premier professional service provider of training for Business Continuity and Disaster Recovery practitioners.
• To create a common body of knowledge for business continuity and disaster recovery professionals in Asia.
BCM and Operational Risk
“Business Continuity planning is a key pre-requisite for minimising the adverse effects of one of the important areas of operational risk – business disruption and system failures… It is imperative that all banks have BCPs in place to be in readiness to tackle serious business disruptions”
Source - RBI Circular Ref. RBI/2004-05/420 dated April 15, 2005 entitled “Operational Risk Management Business Continuity Planning”
What is Business Continuity?
A holistic management and governance process, supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance and assurance.
BCM vs. DR….
The term “Disaster Recovery” usually refers to the technology recovery effort. Disaster Recovery is one component of the Business Continuity Management Program.
Beyond restoration of technology, Business Continuity also requires the presence of people who perform critical functions, and the restoration of critical infrastructure and processes, to ensure a minimum assured level of service.
Why BCM - Regulations and standards
• RBI mandate to banks
• IBA Working Group - Guideline Notes on Business
Continuity & Disaster Recovery Plan
• SEBI Circular to Mutual Fund Industry
• Basel II regulations – 7 Principles for Business
Continuity
• BS25999 – First globally acceptable standard for
Business Continuity
Learn from others’ mistakes
• Around 40% of businesses experiencing a
disaster never re-open, and almost 30% of
those that do close within 2 years
• Of around 930 companies in the WTC towers on
Sept 11, over 550 had failed 18 months later
• Companies can lose 75% of their business
after a disaster
• Businesses can be destroyed by the loss of a
critical resource for more than 10 days
• Would loss of e-mail access for even one day
significantly damage your business ?
Why BCM - Survival
• Loss of Business and Revenues
• Embarrassment and non-value add
• Fines and penalties
• “Non-professional” image
• Question mark on your reliability and judgement
• Customer and employee attrition
• Gradual erosion of market share
• Eventual closure of Business
Myths
• It will never happen to me
• Things have been fine so far
• We are covered by insurance
• The risk is negligible
• Our customers will understand
• These things are OK in India
• We will manage
Reality
• For a listed company, a critical incident can be expected
once every 2.4 years
• 88% experience ‘disaster’ on non contract systems or in
unplanned areas
• 43% stated that it took them 2 months or longer
to recover fully from the event
• 82% substantially upgrade their ‘capability’ after an event
• An effective Business Continuity Plan can reduce
the total loss by 90% +
Wake-up calls
• Cloudbursts, Flooding in Mumbai and Chennai
• Strikes & bandhs in Bangalore and Kolkata, transportation bottlenecks
• Sealing drive in Delhi
• Mumbai train bombings, Terrorism
• AIDS time-bomb, Dengue
• Internet based Viruses or worms/Denial-of-Service
• Data issues – privacy, inappropriate backup,
corruption, accidental or malicious deletion
• People issues – lack of backup, lack of training,
absence, attrition, malicious conduct
BCP – per IBA Working Committee
“…IT infrastructure, Power and Communication networks in some of the banks were severely damaged and the customer services in the banks were greatly affected. Even the physical records and documents were damaged…. To protect the critical infrastructure in the banks from natural and man made disasters/events and to ensure business continuity of the branches, it is necessary that a Business Continuity Plan is in place which identifies the course of action in case of such eventualities”
RBI Expectations
• Responsibility in respect of BCP rests with the Board of directors and the top management.
• The Board fulfils its responsibilities by approving policy on BCP, prioritizing critical business functions, allocating sufficient resources, reviewing BCP test results and ensuring maintenance and periodic updating of the BCP.
• The top management should annually review the adequacy of the institution's business recovery and contingency plans and the test results, and put up the same to the Board…. including periodic testing by service providers whenever critical operations are outsourced.
Business Continuity Cycle
[Diagram: the Business Continuity Cycle. Phases and their components, as recoverable from the slide: Analyse – Business Impact Analysis, Current Recoverability Analysis, Risk Analysis; Design – Recovery Strategy; Implement – IT Recovery Plan, Business Continuity Plan.]
10 Professional Practices for BCP
Practitioners (Source – DRI Intl.)
1. Project Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Business Continuity Management Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Exercising and Maintaining Business Continuity Plans
9. Crisis Communications
10. Coordination with External Agencies
BIA – per IBA Working Committee
1. INSIGNIFICANT – Direct loss up to INR 100,00
2. MINOR – Direct loss up to INR 25,00,000
3. MODERATE – Direct loss up to INR 250,00,000
4. MAJOR – Direct loss up to INR 10,00,00,000
5. MASSIVE – Direct loss > INR 10,00,00,000
Other parameters – reputational loss, loss of confidence by customers and the public, media and public outcry, staff confidence and morale, regulatory and political repercussions, share price crash
BCMI Service Offerings
Offers in India DRI International’s certification courses, leading to the ABCP, CFCP, CBCP and MBCP certifications (www.drii.org)
Also offers non-certification courses such as:
– BCM Best Practices Workshops
– BCM Disaster Simulation Exercise
– BCM Pandemic Flu Workshop
– BCM Walkthru workshops
– Specialised workshops on BIA etc
– Auditing of BCM
Competence
• DRI Asia Certified Instructors (minimum CBCP qualified)
• A network of 50+ instructors across Asia
• “Hands on”, with practical experience in the Industry
• Highly experienced, with International exposure
• An exposure to Global Standards and Best Practices
• A thorough understanding of the 10 Professional Practices for Business Continuity Professionals, the common body of knowledge for BCM practitioners
What we offer – via our sister Companies
• The ability to help you to create your Business Continuity Plan, or enhance it via BCM Best Practices
• Specialised assistance for specific stages of the BCM cycle, such as BIA, Exercising and Maintenance etc
• Auditing or review of BCM. Also preparedness for BS25999
Thank you
Dhiraj Lal
[email protected]
+91-9910110240
+91-11-42235338