GTAG 10 - Biz Cont - Forweb CX1 PDF
Business Continuity Management
Global Technology Audit Guide (GTAG)
Written in straightforward business language to address a timely issue related to IT management, control, and security, the
GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended
practices.
Visit The IIA’s Web site at www.theiia.org/technology to download the entire series.
July 2008
Copyright © 2008 by The Institute of Internal Auditors, 247 Maitland Ave., Altamonte Springs, FL 32701-4201, USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.
The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.
Table of Contents
1. Executive Summary ............................................................................................................................................ 1
2. Introduction.......................................................................................................................................................... 3
2.1 BCM Definition..................................................................................................................................................... 3
2.2 Crisis Management Planning ............................................................................................................................... 3
2.3 Disaster Recovery of IT ........................................................................................................................................ 3
4. Business Risks........................................................................................................................................................... 5
4.1 Common Disaster Scenarios.................................................................................................................................. 5
4.2 Common Disaster Impacts..................................................................................................................................... 6
5. BCM Requirements................................................................................................................................................ 7
5.1 Management Support............................................................................................................................................ 7
5.2 Risk Assessment and Risk Mitigation................................................................................................................... 8
5.3 Business Impact Analysis..................................................................................................................................... 10
5.4 Business Recovery and Continuity Strategy........................................................................................................ 11
5.5 Disaster Recovery for IT...................................................................................................................................... 12
5.6 Awareness and Training...................................................................................................................................... 14
5.7 Maintenance of the BCM Program..................................................................................................................... 14
5.8 Exercise of the Business Continuity ................................................................................................................... 15
5.9 Crisis Communications....................................................................................................................................... 18
5.10 Coordination with External Agencies ............................................................................................................... 18
6. Emergency Response.......................................................................................................................................... 19
7. Crisis Management............................................................................................................................................ 20
8. Conclusion/Summary....................................................................................................................................... 21
9. Appendix.................................................................................................................................................................... 22
9.1 Sample BCP Audit Guide................................................................................................................................... 22
9.2 BCM Standards and Guidelines.......................................................................................................................... 22
9.3 BCM Capability Maturity Model........................................................................................................................ 23
10. Glossary.................................................................................................................................................................... 32
3. Building a Business Case
Emergency preparedness is no longer the sole concern of businesses located in earthquake- or tornado-prone areas of the world. Preparedness must now account for man-made disasters, such as terrorist attacks, in addition to pandemics and natural disasters. Knowing what to do during an emergency is an important part of being prepared and may make all the difference when seconds count. The goal of preparedness is to resume business operations with as much transparency, from the customer’s perspective, as possible. Examples of recent catastrophic events affecting large and small businesses alike include:
• The worldwide SARS outbreak (November 2002 through July 2003) consisted of 8,096 known infected cases and 774 deaths. The near pandemic caused a severe customer decline in Chinese cuisine restaurants in North America, a 90 percent decrease in some cases. Most conferences and conventions scheduled in major cities were cancelled. In addition, government intervention disrupted normal business functions (e.g., travel, supply chain, etc.) for many companies in countries with known infections.
• The Sept. 11, 2001 terrorist attacks on the Pentagon and the World Trade Center were the most devastating attacks on U.S. soil since the bombing of Pearl Harbor. In addition to upsetting military processes, the Sept. 11 attacks also targeted civilian processes and U.S. businesses.
• The July 7, 2005 London bombings were a series of terrorist-planned explosions on the London public transportation system. The attacks, which were responsible for more than 50 deaths and 700 injuries, seriously disrupted London’s public transportation system as well as the country’s mobile telecommunications system.
• Hurricane Katrina (formed on Aug. 23, 2005) may be the costliest natural disaster in U.S. history. At least 1,836 people lost their lives in the hurricane and the subsequent floods. Katrina caused an estimated US $81.2 billion in damage, including significant damage to industrial (mainly oil, refinery, and chemical), commercial (mainly hospitality), and agricultural facilities.
calculate the return on investment of a BCM program until a disaster strikes. Management needs to understand that if such a situation occurs, business must continue, but under very different circumstances. The cost of a disaster may be the end of the business. Business leaders need to weigh the cost of being prepared against the cost of closing the doors of the business for a week, a month, or forever, depending on the catastrophe. Many governments around the globe require certain industries to have a tested BCP in place. In the United States, all businesses within the financial, utility, and health care sectors are required to maintain an updated BCP. There are general and industry-specific standards and guidelines for effective BCM (see Appendix: BCM Standards and Guidelines, page 22).
During the first World Trade Center attack in 1993, Morgan Stanley (MS) learned an important lesson. None of the MS employees lost their lives, but it took four hours for all of the employees to evacuate the building. As a result, management decided that the BCP needed to be updated. MS took a careful look at its business operations and the risk of potential disasters and developed a new plan. On Sept. 11, 2001, the planning paid off. After the first hijacked plane slammed into the first World Trade Center tower, MS security evacuated all the employees. The evacuation took only 45 minutes this time, allowing MS to get on with recovering daily operations. Improvements to ER capabilities likely saved numerous lives. The BCM capabilities were also improved as part of the review.
GTAG — BCM Requirements
units. All emergency management policies must be aligned to ensure that CM, ER, and BCM work together during an actual disaster.
A. Senior Management Support
Senior management must display visible support for BCM and the emergency management program. This can be accomplished in various ways, including by:
• Defining a central group within the organization that is responsible for BCM and managing governance (e.g., defining required standardization), knowledge sharing, best practice coordination, consulting, and cross-business unit BCM activities.
• Creating a BCM system that each business unit (BU) must deploy.
• Ensuring appropriate funding for organization-wide BCM activities via the organization’s annual business plan, testing, and ensuring BUs include funding for their BCM efforts.
• Communicating the importance of BCM and how it adds business value.
• Participating in BC exercises, training sessions, and other emergency management events.
• Communicating the importance of BCM and how it adds business value.
• Participating in BC exercises, training sessions, and other emergency management events for the BU.
• Ensuring appropriate funding for BU BCM activities via the BU annual business plan.
In deploying the BCM system, BU or regional management should:
• Update the BCM definition section to define business value specific to the BU.
• Understand the steps that are required to deploy and maintain a BCM program within a BU.
• Establish ownership for BCM within their BU, including assigning people to key roles such as BU BCM sponsor (to arrange funding and provide leadership of BCM), BU BCM manager (to lead and maintain BCM capabilities), and BU BCM coordinator (to arrange BCM activities at the direction of the BCM manager).
• Define BU BCM metrics that can be used to evaluate progress of the program.
• Deploy a BU BCM continuous quality program.
it’s important to identify those that are credible and look for all potential events that may impact business operations. Possible methods for predicting future disruptive events include:
• Looking at historical data associated with similar organizations in the same region.
• Using government or industry data concerning possible risks.
• Using subject matter experts when the business model changes or limited data is available to perform a detailed risk assessment.
A. Examples of Disruptive Events
Below are some examples of disruptive events that might impact critical business processes.
• Natural disasters such as earthquakes, hurricanes, rain/flooding, and lightning.
• Industrial events such as fire, explosions, spills, and contaminations.
• Supplier failures such as component provider disruptions and electricity utilities.
• Other catastrophes such as airplane crashes.
• Medical epidemic such as a pandemic or other medical risks.
• Labor disruption, including strikes, transportation disruption, and civil unrest.
• Economic or political instability, including terrorism/bombings and war.
• Human factors such as employee errors, criminal acts, and fraud.
• IT risks such as cyber-terrorism, viruses, hacker attacks, and denial-of-service attacks.
• Production and manufacturing risks such as:
  o Supplier disruptions, including power, raw materials, and critical services.
  o Production equipment failures to pipelines, boilers, and conveyor belts.
  o Unavailability of supporting utility services like treatment plants and disposal equipment.
  o Product storage, transportation, and distribution failures.
  o Unavailability of critical laboratory, testing, and/or quality control processes.
  o Process automation system (IT systems like SCADA and DCS) failures that stop production.
  o Government delays in permits, customs, staff visa, and/or certification.
B. Assessing the Impact of Disruptive Events
After identifying the credible events that could impact each of the organization’s sites or regions of operations, additional work is needed to understand the event. Some of the factors that must be evaluated to better understand the scope and impact of the potential event include the:
• Geographic extent of the impact: A single building (e.g., fire), entire facility complex (e.g., chemical spill), metropolitan area (e.g., transportation strike), large region (e.g., earthquake), or potentially the world (e.g., pandemic flu).
• Days of impact: Number of days before operations will likely return to 75 percent functionality, which means 75 percent of people, resources, and production are functioning. Days of impact may be the period before the organization can replace lost resources, like renting a new building and making it functional after a building fire.
• Availability of staff (by days): Percentage of staff that likely would be able to work based on each likely disaster event (by days: 0, 3, 7, 14, or 30). Staff may need to go home for an extended period for some disasters like earthquakes that may damage homes.
• Availability of operations and/or offices: Likely percentage of operations and/or office space that is functional (during the days of impact).
• Availability of IT (during the days of impact): Likely availability of key IT components for each disaster event. This includes IT infrastructure (logon capabilities), IT network, IT applications, etc.
The BC risk assessment can be used to determine the impact to critical business processes. Some operating facilities, like research and development offices, may have few critical business processes performed at the site. The BC risk assessment for all sites should focus, at minimum, on the health and safety of staff, security, and potential environmental impacts to ensure that the CM and ER functions will have the resources they need to be successful.
C. Developing Risk Mitigation Strategies
Developing and deploying BC risk mitigation strategies will help to minimize the impact of disruptive events and will improve response capabilities. Examples of risks and their corresponding mitigation strategies include:
• Safety risks for various disasters: Leverage ER and/or Health, Safety, and Environmental team and/or operational plans.
• Operational failures: Leverage standard operating procedures and normal maintenance activities.
• Loss of primary office: Arrange to move staff members to an alternative office or enable them to work at home, assuming their home is likely to be functional (i.e., not damaged if the event is regional, and home has necessary resources like equipment, computer, network connection, etc.).
• Loss of IT network connectivity: Develop IT system and information recovery (disaster recovery) plans to create network redundancy or recovery.
• Loss of IT data center: Develop plan to manually perform work processes until IT systems can be restored. Also, develop IT disaster recovery plans to restore IT systems at alternative site.
The BCM sponsor and an appropriate team of managers must review and approve the BC risk assessment and BC risk mitigation strategies. Since management must act to address the risks, it is critical that management approve the BC risk assessment and ensure the BC risk mitigation plan is funded, implemented, and tested periodically.
B. Determining RTO and RPO Based on Business Impact
The second step in a BIA is to identify the type of business impact if the business process cannot be performed. Below are some types of business impacts:
• Health and safety (e.g., injury).
• Environmental (e.g., spill).
• Customer service (e.g., loss of customers).
• Financial (e.g., penalties).
• Regulatory/legal (e.g., governmental action).
• Reputation (e.g., loss of image).
Figure 4. Understanding RTO and RPO
[Figure: a timeline running Normal Processing, Backup, Last Backup, Event, Disaster Declared, Initial Response, Activation, Recovery Process, Backlog, Normal Processing, Backup. Callouts: RTO is the processing gap, the lag time between the disruption point and resumption of normal processing. RPO represents the data that will be lost, destroyed, or otherwise unavailable after successful recovery.]
used to optimize production based on available resources (vendor and utility) services.
and recovery solutions are implemented, they must own the continuity strategies for their team.
• The recovery capabilities of critical IT and information service providers must be assessed to ensure they meet the requirements of the business.
• The recovery of IT and information components often must be combined to create a complete system needed to support critical business processes. For example, recovery of an application may require recovery of the desktop application, server application, server hardware, server operating system, infrastructure servers, data center, third party network connections, etc.
• Internal and external service providers of IT and information services should describe the recovery services they provide, including information regarding:
  o The recovery activities the service provider is responsible for and any recovery limitations there may be.
  o The recovery activities (e.g., reconstructing lost data) the organization is responsible for.
  o The manner in which the organization and service provider will communicate during a disaster.
  o Contracts for third parties (e.g., application service providers) or service level agreements for the internal provider.
  o The scope of their recovery efforts (e.g., systems, data, network, etc.).
  o Their recovery strategy.
  o Their RTOs and RPOs.
  o The cost of their recovery solutions, services, testing, and declaration of disaster.
  o The frequency of their recovery testing.
• Components of the environment may be recovered using solutions that would not normally be used in a production data center. For example, some data may not be recovered initially (e.g., large image libraries), which means they would not be available (e.g., may generate error messages).
• Recovery strategies for each IT system or component should be developed independently without a need for consistency with other IT systems. However, it’s important that components that work together to form a system be hosted in the same location or in multiple locations that have sufficient network bandwidth. For example, e-mail might be recovered at one large central data center, file replication may occur at another site on a server within the local region, some applications and services (e.g., engineering) may be outsourced temporarily during a disaster, local applications recovery may occur using a PC instead of a server, etc. The objective is to find the best and most cost-effective recovery solution for each system, even if solutions are spread around the world. The only requirement is that the systems be accessible by the users, regardless of where they are recovered, and all components of a system work together.
• Information security and compliance standards need to be considered when designing recovery solutions. Recovery solutions should not introduce unreasonable levels of security or compliance risks. Some security and compliance controls will be relaxed if a real disaster occurs, but a conscious decision is needed to understand the risks that exist in the recovery environment. Recovery solutions are intended to reduce the risk associated with the loss of availability, but must be balanced with the need for integrity and confidentiality.
B. Recovery Solutions and Recovery Sites
The following is a list of recovery solutions and recovery sites commonly used.
• Hot recovery plan/capabilities.
  o A recovery plan exists.
  o Recovery resources are available at recovery site(s) and data is synchronized in real-time to enable the system to be recovered immediately or within hours.
  o Typical recovery time is minutes to one day.
• Warm recovery plan/capabilities.
  o A recovery plan exists.
  o Recovery resources (e.g., nonproduction systems, spare hardware, etc.) are available at recovery site(s) but may need to be configured to support the production system when the disaster occurs.
  o Some data may need to be restored (probably from tape or other backups).
  o Typical recovery time is two to 13 days.
• Cold recovery plan/capabilities.
  o A recovery plan exists.
  o Recovery site(s) have been identified with space and base infrastructure needed to perform the recovery.
  o Recovery resources (e.g., servers) are not available at recovery site(s) and likely need to be procured.
  o Data likely needs to be restored (probably from tape backups).
  o Typical recovery time is 14 to 30 days.
• No recovery plan/capabilities.
  o No recovery plan exists.
  o Recovery resources and data restore processes have not been defined.
  o Data backup plans exist to ensure that critical data can be restored at some time in the future.
  o A risk exists that the systems and business processes they support may never be recovered or may result in an extended delayed recovery.
The BCM sponsor and an appropriate team of managers must approve the IT recovery solutions for their scope of operations. Because managers throughout the organization are responsible for ensuring the BC and recovery solutions are implemented, they must own the IT recovery solutions for their team.
well as identifying gaps and weaknesses. See “Exercise of the Business Continuity” (page 15) for a description of different types of exercises.
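As an added worked example (not part of the GTAG), the following Python measures the Figure 4 intervals for one constructed disruption, checks them against a process’s BIA targets, and checks on paper whether the recovery tier chosen from the list above can meet the RTO at all; the class and function names and the sample data are assumptions.

```python
"""Added worked example (not from the GTAG): measure the Figure 4
quantities for one disruption and compare them with a process's
BIA targets and the recovery tier chosen for it.
Process, Timeline, assess_event, tier_meets_rto and gap_report are
assumed names; the sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Worst-case typical recovery time per tier, in hours, taken from the
# recovery solutions list: hot = minutes to one day, warm = 2 to 13
# days, cold = 14 to 30 days. "none" is deliberately absent.
TIER_MAX_RECOVERY_HOURS = {"hot": 24, "warm": 13 * 24, "cold": 30 * 24}


@dataclass(frozen=True)
class Process:
    name: str
    rto: timedelta   # maximum tolerable processing gap (from the BIA)
    rpo: timedelta   # maximum tolerable data loss (from the BIA)
    tier: str        # "hot", "warm", "cold" or "none"


@dataclass(frozen=True)
class Timeline:
    last_backup: datetime
    event: datetime
    disaster_declared: datetime
    normal_processing_resumed: datetime


def tier_meets_rto(process: Process) -> bool:
    """True when the tier's worst-case typical recovery time fits inside
    the RTO. A process with no recovery plan can never meet its RTO."""
    worst_hours = TIER_MAX_RECOVERY_HOURS.get(process.tier)
    if worst_hours is None:
        return False
    return timedelta(hours=worst_hours) <= process.rto


def assess_event(process: Process, t: Timeline) -> dict:
    """Measure the Figure 4 intervals for one disruption.

    processing gap: event -> normal processing resumed (actual RTO)
    data loss:      last backup -> event (actual RPO)
    """
    if not (t.last_backup <= t.event <= t.disaster_declared
            <= t.normal_processing_resumed):
        raise ValueError("timeline events are out of order")
    processing_gap = t.normal_processing_resumed - t.event
    data_loss = t.event - t.last_backup
    declaration_lag = t.disaster_declared - t.event
    return {
        "process": process.name,
        "processing_gap_h": processing_gap.total_seconds() / 3600,
        "data_loss_h": data_loss.total_seconds() / 3600,
        "declaration_lag_h": declaration_lag.total_seconds() / 3600,
        "rto_met": processing_gap <= process.rto,
        "rpo_met": data_loss <= process.rpo,
    }


def gap_report(process: Process, t: Timeline) -> list:
    """Gaps an auditor would record: a tier that cannot meet the RTO on
    paper, and targets missed in the measured disruption."""
    gaps = []
    if not tier_meets_rto(process):
        gaps.append(f"{process.name}: {process.tier} recovery tier cannot "
                    f"meet RTO of {process.rto}")
    result = assess_event(process, t)
    if not result["rto_met"]:
        gaps.append(f"{process.name}: processing gap "
                    f"{result['processing_gap_h']:.1f} h exceeds RTO")
    if not result["rpo_met"]:
        gaps.append(f"{process.name}: data loss "
                    f"{result['data_loss_h']:.1f} h exceeds RPO")
    return gaps


# Constructed sample data: a payroll process with a warm-site plan and a
# disruption in which recovery finished inside the RTO but the nightly
# backup left more data loss than the RPO allows.
PAYROLL = Process("payroll", timedelta(hours=48), timedelta(hours=4), "warm")
REPORTING = Process("monthly reporting", timedelta(days=14),
                    timedelta(days=1), "warm")
EVENT = Timeline(
    last_backup=datetime(2008, 7, 1, 22, 0),
    event=datetime(2008, 7, 2, 9, 30),
    disaster_declared=datetime(2008, 7, 2, 11, 0),
    normal_processing_resumed=datetime(2008, 7, 4, 8, 0),
)

if __name__ == "__main__":
    for line in gap_report(PAYROLL, EVENT):
        print(line)
```

For the constructed payroll case the report lists two gaps: the warm tier’s worst-case recovery time exceeds the 48-hour RTO on paper, and the 11.5 hours of data loss exceeds the 4-hour RPO, while the 46.5-hour processing gap itself stayed inside the RTO.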
• Reviewing exercise/test results and associated action reports for exceptions (e.g., gaps) requiring remediation.
• Assessing the BCM program and BC recovery capabilities to ensure they have been updated to correct necessary gaps and have been implemented effectively.
5.8 Exercise of the Business Continuity
Exercises, or tests, are generally considered the most effective way to keep a BCM program and BC plans current and executable. Some organizations differentiate the terms exercise and test, but there is no requirement to use these terms in specific circumstances. Regardless of vernacular, the emphasis on plan testing should be to improve the organization’s performance in an actual event. It is important to note that there are many types of exercises, which, when used appropriately, can provide assurance and add value. All major BC standards require some sort of exercise/test regime to be an integral part of the BCM program. Generally, a large-scale exercise of the BCM programs and BC plans should be conducted at least annually. More frequent testing may be required for complicated environments and those with great impact (e.g., loss) to the organization. Several component tests should also be scheduled at regular intervals throughout the year.
Exercise/test requirements should be documented either inside the plan itself or in the entity-level BCM policy. Most of the standards used to govern BCM programs require three basic elements of a testing regime:
• Tests must be held at periodic intervals. The actual period between the events is determined by the BCM Steering Committee and is based on the program goals and objectives.
• Tests should address a variety of threats/scenarios and different elements within the BCM program. It is possible to address these issues in a series of broadly-based annual exercises or through more targeted site or component-level testing.
• There must be some method to track issues and gaps uncovered in the test and track their resolution.
[Chart: survey question “What elements of your BCM program have you exercised at least once in the past year? (Select all that apply.)”; the response percentages cannot be matched to their labels in this extraction.]
A. Types of Exercises
Orientation or Plan Walkthrough: Especially after a BC or CM plan has been recently adopted or significantly enhanced, it is helpful to walk through the document informally with those expected to implement it. The effort would include a team meeting facilitated by a designated team leader. Normally, this type of low-intensity event does not constitute a “test” in terms of an organization’s BCM policy requirement.
Objectives:
• Ensure team members understand their new/updated roles.
• Ensure team members understand basic plan content and format.
Tabletop Exercise (Boardroom Style Exercise): In many cases, it is helpful to bring the entire BC/CM team together for a session to work collaboratively through a realistic scenario to identify challenges and build rapport in solving them together. Generally, these exercises last two to four hours and are facilitated either by the BC/CM manager or an independent third party. The effort concludes with a formal exercise critique detailing whether pre-established exercise objectives were met and outlining gaps uncovered in the event with a remediation timeline as well as next steps to be performed.
Objectives:
• Help team members understand the importance of their roles and responsibilities.
• See the benefit of solving continuity/crisis challenges as a team.
• Identify specific planning/training gaps across functional areas.
Communication Testing: Communication is a key component of a BCM process. In fact, failure to communicate accurately to key stakeholders is a frequent cause of failed crisis responses. These tests vary widely depending on the scope of communications planning and level of automation used in the crisis communications process. Companies that have deployed a mass notification tool realize a double benefit from their exercise: evaluating the tool’s performance and exposing participants to how the notification will be received. Normally, this type of event involves actually contacting business partners and employees, not simply reviewing contact list information.
Objectives:
• Validate the contact information of key stakeholders.
• Train participants in how to use mass notification and any role they have in the response.
• Properly configure mass notification tools.
• Identify communication gaps/bottlenecks where timely communication could falter in an event.
Alternate Site Testing: This test of all restoration/recovery components at an alternate site should include a test of the organization’s ability to relocate staff to the alternate site, as well as a validation that recovery processes and IT assets operate at the alternate site, as designed.
Objectives:
• Demonstrate the actual capability to continue key processes at the alternate site.
• Identify whether privacy, security, and financial controls can be maintained in the alternate operating environment.
• Train participants on any revised procedures to complete key processes at the alternate site.
• Evaluate the sufficiency and effectiveness of IT assets at the alternate site.
• Ensure the plan to transport employees is reasonable based on the likely disaster scenarios identified in the BCM risk assessment.
End-to-end Testing: This test of alternate site facilities should include both business and IT. An end-to-end test differs from an alternate site test in that critical suppliers/business partners and customers — internal or external — are included within the scope. This test typically validates connectivity to the organization’s production site.
Objective:
• Demonstrate the ability to perform key processes at a pre-determined level without significant issues. It is not necessary to demonstrate 100 percent operational capacity in end-to-end testing; however, the leading practice would be to reconcile the effective capacity of the continuity strategy with the performance expectations assumed or documented in the continuity plan.
8. Conclusion/Summary
BCM is an important risk management program designed to protect companies from potential significant consequences related to events that can disrupt critical business processes. The CAE can help the organization understand the risks and the options to create an effective BCM program. Managers throughout the organization must be held accountable for appropriately managing the risks associated with disruption of the business operations and associated functions within their organization.
A BCM program provides the framework for making appropriate risk mitigation decisions and building organization resilience. Critical business processes must be recovered to support the recovery of critical business operations. The BCM program enables an organization to maintain recovery capabilities, including organizational capabilities and knowledge, systems and information recovery, resource restoration and procurement, supplier management, and alignment with emergency management processes.
The BCM program should be designed to maintain and grow the business continuity capabilities continuously. Effective maintenance of the BCM capabilities must include regular training of staff, periodic exercises (including resolution of any identified gaps and management commitment to the program), audit assessments of the BCM program and business unit capabilities, and continual improvement of the BCM program.
GTAG — Appendix
British Standards Institute (BSI); includes: United Kingdom, Australia, New Zealand
  AS/NZ 4360: Risk Management (AS/NZ: Australia / New Zealand Standards)
  HB221: Guide to Business Continuity Management, handbook supplement to 4360
New York Stock Exchange (NYSE) / Financial Industry Regulatory Authority (FINRA)
  Joint Interagency White Paper: published by the U.S. Securities and Exchange Commission, Office of the Comptroller of the Currency, and Board of Governors of the Federal Reserve System on Sound BCP Practices, http://www.sec.gov/news/press/studies/2006/soundpractices.pdf
American National Standards Institute (ANSI)
  ANSI / ARMA 5: Vital Records Program (identification, management, and recovery of business critical records) (2003). ARMA: American Records Management Association
American Society for Industrial Security (ASIS)
  ASIS GDL BC 10: Business Continuity Guideline: A practical approach to emergency preparedness, crisis management, and disaster recovery (2004 draft)
U.S. National Institute of Standards and Technology (NIST)
  NIST SP 800-34,45: Contingency Planning Guide for IT Systems (2002)
U.S. National Fire Protection Association (NFPA)
  NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs (referenced as a standard for BCP)
Assessment Objective: Executive Management Support and Sponsorship
Maturity Evaluation

Optimizing
BCM capabilities are improved continuously and systematically. Senior management utilizes BCM capabilities to drive other efficiencies internally and build strategic relationships externally.
BCM strategies are aligned with strategic objectives and customer expectations. Senior management ensures that BCM planning operates as a core business function, chartered with clear accountability and responsibility.

Repeatable
Senior management supports the BCM program; however, limited involvement in process execution persists. Although coordination of CM, BC, and IT disaster recovery are assigned to middle management, overall coordination of BCM is ad-hoc or missing. Failure events are recognized and corrected after they occur.
Senior management is aware of the need for BCM capabilities. A BCM policy has been created, and BCM efforts are driven based on the results of a BIA (formal or informal).

Initial
Senior management sponsorship of BCM efforts is informal or absent. At this stage, BCM capabilities rely on individual efforts and “heroics,” and mostly focus on IT systems backup and restoration, and ER such as building evacuation procedures.
These efforts are led by middle management and executed without proper funding and sufficient resources. Consequently, any existing continuity capabilities are defined as tactical measures.
Assessment Objective: Risk Assessment and Business Impact Analysis (BIA)
Maturity Evaluation

Optimizing
The results of the risk assessment and BIA drive continued enhancement to recovery strategies. The execution and review of risk assessments and BIAs are coordinated with organizational and technology change management/due diligence processes.
Senior management performs as a steering committee to identify and approve risk and impact conclusions. The steering committee recommends changes to the risk assessment and BIA process, based on the needs and requirements of the business itself.

Managed
Senior management supports the formal approach to the risk assessment and BIA. The establishment of objectives and effectiveness are measurable. Both recovery time objectives (RTO) and recovery point (data loss tolerance) objectives (RPO) are established, as is the capacity/capability at the RTO. The risk assessment process takes into account controls assessment. These processes are repeatable and are executed on a regularly scheduled basis.
The results of the risk assessments and BIAs drive the definition and development of recovery strategies and solutions. Core business processes and IT applications/systems have been addressed and are reviewed during the regularly scheduled risk assessment and BIA updates. Senior management uses these results to measure and manage enterprise-wide risk.

Defined
A more formal approach has been implemented regarding assessing risk and business impact. Management has identified an approach to define levels of criticality, supporting a methodology to collect/estimate business impact data. Recovery time objectives have been defined, and strategies have been selected to meet these requirements. Management reviews and approves risk assessment and BIA results.
As part of a formal BC strategy selection and implementation process, a defined risk assessment, or BIA approach, is established. The strategy selection process also includes recovery objectives tied directly to levels of criticality and impacts to the organization. Executive management formally drives and approves these analyses.

Initial
Neither a formal nor informal risk assessment or BIA has been performed. Business and IT management may have developed recovery priorities, but these conclusions are potentially limited to perceived levels of importance (focus on their isolated knowledge of the business). The organization has not estimated the impacts (financial or nonfinancial) associated with business interruptions.
Business and/or IT management developed “ad hoc” recovery priorities based on perceived levels of importance. Failure scenarios and controls assessments remain incomplete. Measurement criteria have not been established.
Assessment Objective: Business Continuity Strategy and Design
Maturity Evaluation

Optimizing
BC strategies are reviewed as part of strategic decision-making and organizational/technology change management. Strategies are refreshed on an as-needed basis.
Senior executive strategy sessions and/or change management committees drive the design, selection, funding, and implementation of BC strategies.

Managed
The results of the risk assessment and BIA drive the selection of BC strategies. A multi-disciplined steering committee evaluates CM, business resumption, and IT disaster recovery options in light of a cost-benefit analysis. BC strategies are reviewed on a periodic basis, typically every 12 months (following a risk assessment and/or BIA refresh).
A BC steering committee drives the selection of the BC strategies based on a cost-benefit analysis. This multi-functional team evaluates and selects complementary business and IT solutions.

Repeatable
Cost control is the primary driver of BC strategy selection. Strategies normally rely on cold site arrangements (internal or third party) and vendor drop-shipped resources. The organization remains at risk given the probability that BC strategies may fail to meet more aggressive business objectives.
The organization does not allocate budget for BC strategy implementation and maintenance. Instead, the perceived minimum is implemented, and if funding is needed, these issues are treated as budget exceptions.

Initial
BC plans lack recovery strategy and resource definitions due to poorly defined BC program ownership or accountability. The organization places a heavy reliance on vendor support following the crisis or business interruption.
Management relies on ad hoc actions or untested response and recovery strategies. The design of response and recovery strategies is not preplanned; instead, management expects that experiences, creativity, and ingenuity will prevail when faced with a crisis situation.
Assessment Objective: Business Alignment
Maturity Evaluation

Optimizing
BCM is present during change management review sessions, as well as during business strategy sessions, in order to keep the organization abreast of all the changes that may have an effect on existing response and recovery strategies. The BCM steering committee meets quarterly to assess the reasonableness of existing and proposed strategies as well as spending when compared to the rest of the industry.
BCM takes advantage of more advanced business strategy and change management processes in use throughout the organization.

Managed
A BCM steering committee takes into account customer requirements and/or formal service level agreements when evaluating BIA results and BC strategy investment. Internal auditing is involved in the BCM effort as an advisor, and reviews the program in light of the internal policy and regulatory requirements (if
BCM is viewed as a key control, and internal auditing drives compliance with the existing documented policy. All aspects of the BCM lifecycle are implemented in a joint business/IT manner. BCM is used as a competitive advantage within other business initiatives.

Defined
The organization has integrated the three BCM disciplines, and a single BCM steering committee makes decisions regarding strategies and solutions. A BCM budget has been developed. A BIA and formal cost-benefit analysis drive decision-making. Internal and third-party response and recovery strategies are formally evaluated, with selections based on results from the risk assessment.
Accountability for the BCM program is moved outside of the data center. An executive with the ability to influence the entire organization sponsors the effort. BCM objectives appear on the annual performance objectives of business unit management.

Repeatable
The organization developed a formal BCM policy to drive design, implementation, and execution of BC. Although coordination among CM, business resumption, and IT disaster recovery processes is immature or absent, they exist and are positioned to assist in response and recovery operations. A BIA drives the design of BCM strategies.
Although the scope of the planning effort has expanded to include the business, ownership and accountability remains within IT, or internal auditing emerges as the driver of the BCM effort. The BIA is the primary tool used to design BCM strategies.
Assessment Objective: Plan Development and Strategy Implementation
Maturity Evaluation

Optimizing
Crisis, disaster recovery, and business resumption plans are integrated in planning and execution. Team membership is cross-functional and cross-regional. Expectations are clearly understood by all stakeholders. Plan maintenance is tightly integrated with organizational change management processes.
Senior executive strategy sessions drive the planning priorities and alignment. Standardized training and awareness programs featuring BCM content are delivered to all planning participants. Plan development responsibilities rest with those closest to the issues, and plans are vetted for content and alignment. Expert independent review is scheduled and drives both tactical and strategic change.

Defined
CM (including ER and crisis communications), business resumption, and IT disaster recovery plans are documented and include organizational detail. All plans are updated annually. Although roles and responsibilities are clear, coordination among the plans is poorly defined.
Each plan is assigned an owner who is responsible for its development and maintenance (using an organization template standard as a starting point). The appropriate parties drive content of the plans, and quality control remains with the plan owner. Scheduled maintenance drives plan updates. Internal auditing is seen as a BC planning partner and is part of the continuous improvement process.

Repeatable
The focus of the planning effort is IT disaster recovery documentation and ER planning (building evacuation, first aid, etc.). Some CM documentation exists, but its focus is on IT incident response. The primary reason for plan documentation is to avoid audit comments. Plans are often updated in an ad hoc manner.
Plan documentation is driven by internal or third-party audit findings. The technology leadership team is leading the plan documentation effort; therefore little exists outside of IT.

Initial
Where plans exist, they are developed in silos, lacking detailed business and technology procedural details. BCM stakeholders do not know their roles and responsibilities or, in some cases, even their involvement in response and recovery execution. Plans are often out of date. Response and recovery relies on memory, and execution is often ad hoc and led by a few key employees.
Produced by a lack of understanding and focus on BCM. Plans often start with publicly available or software-based templates, and little is done to customize the content. Plans often focus on ER and the theory of recovery planning.
Assessment Objective: Training and Awareness
Maturity Evaluation

Optimizing
A deep understanding of the BCM program and its impact on daily operations is understood by all layers of the organization. Those responsible for performing BCM tasks are active in training others. BCM strategies are evaluated in terms of their impact to enterprise value. BCM training is included in performance evaluations (e.g., balanced scorecard).
Team members are specifically trained on how to be a BCM proponent. BCM leadership carefully coordinates BCM objectives with high-profile business objectives to exploit their publicity. Team members who have been cross-trained are provided opportunities to exercise outside their normal responsibilities.

Managed
Management has a broad understanding of how BCM elements work together. Employees know their immediate responsibilities in an actual event, and many know their long-term activities. Team members can articulate their individual responsibilities, as well as how their element interfaces with other BCM elements and the company’s business objectives as a whole. BCM issues are
All team members are trained on their tasks as well as the broader program. BCM leadership provides program updates to senior management on a regular basis. Training and awareness programs are budgeted separately, including outside resources if necessary. Team members participate in third-party or case study training. Training includes issues surrounding how to execute the plan in the midst of an event that

Repeatable
Some limited training or awareness is present within a program element, but no cross-training among crisis, business resumption, and disaster recovery exists. Specific program components may have designated backups, and team members are included in casual communication regarding the program.
Middle management with tactical responsibility for program elements understands the danger of relying on one person to perform a critical BCM task. BCM tests and/or updates are a periodic topic in department staff meetings. Formal training on specific tasks is provided for those required to do them, but nothing else. Training is limited to participation in exercises.
Assessment Objective: Testing and Plan Maintenance
Maturity Evaluation

Managed
Full BC testing, for business and IT, is regularly performed. Simulations are developed using probable risks that were identified in a risk assessment. Tests are measured by the rate of recovery of critical components or functions such as connectivity, application usage, or transaction processing. Plans are maintained off site and updates are made at the conclusion of testing. Internal auditing observes the exercise and ensures plans are updated.
Test planning encompasses CM, business resumption, and IT disaster recovery. Team members are cross-trained on all relevant procedures. There is little reliance on plan documentation, although procedural and contact list inaccuracies should be addressed in a timely manner. Internal auditing monitors test planning, execution, and action items resulting from the test. Plan updates should be the responsibility of the process owners, with oversight from internal auditing.

Defined
BC and IT disaster recovery tests are sometimes performed together, but the focus is typically on component recovery. Continuity procedures are discussed using facilitated sessions to identify planning gaps. Tests are primarily measured using an expected timeframe for recovery and overall effectiveness. Entire departments work at an alternate site for a defined period of time, using backup systems. Lessons learned are documented, and plan updates are made on a scheduled basis.
Business and IT personnel conduct regularly scheduled BC tests, designed to address business process and IT asset recovery. Users test connectivity and access to applications. The planning process for these tests is extensive and involves internal and external personnel as facilitators and/or monitors. Internal auditing participates in testing exercises and monitors the process for updating plans based on test results. Plan updates are the responsibility of the process owner, with central coordination.

Repeatable
Testing is focused on IT disaster recovery and may involve end user validation of the recovered environment and/or the test results. In some organizations, management engages in scenario-driven, tabletop exercises of its CM capabilities. IT disaster recovery tests are focused on component recovery. Internal auditing reviews continuity procedures, if this function exists. Plan updates are made on a scheduled basis.
IT personnel conduct regularly scheduled IT disaster recovery and component recovery tests. The planning process for these tests is extensive and should involve internal and external personnel as facilitators and/or monitors. Internal auditing participates in testing exercises and monitors the process for updating plans based on test results. One individual is responsible for plan updates.

Initial
IT component testing takes place internally within the IT department, with limited knowledge of management and no participation from the user community. A formal testing schedule is not established, and test results are rarely documented. Testing does not result in amendments or improvements to response/recovery procedural documentation. Plans may not be well maintained or up-to-date because the BCM process is new.
BC planning successes, normally limited to IT, are present where extraordinary individual efforts are the foundation. Training, where present, is limited to ER (first aid, evacuation, etc.) and IT component recovery activities. Plan updates are the responsibility of the process owners and do not follow a standard, monitored process.
Assessment Objective: Compliance Monitoring & Auditing
Maturity Evaluation

Optimizing
Internal auditing, risk management, and the general counsel all review plan documentation on a regular basis and also sponsor third-party audits of BCM capabilities, including testing activities. The organization engages in industry discussions regarding regulatory compliance and regularly reviews benchmarking analyses. A risk assessment and BIA are performed and regularly refreshed to ensure that plans reflect business reality and the regulatory environment.
Proactive contact is maintained with regulatory bodies. A dedicated team leads BCM activities supported by a cross-functional business and technology team, which includes internal auditing and outsource providers for specialized services. A risk assessment (by location) and BIA (by process) should be conducted and used as the foundation for building plans. They should also be refreshed periodically.

Managed
Cross-functional teams, including the general counsel and internal auditing, perform regular assessments of business conditions and regulatory requirements. Internal auditing, risk management, and the general counsel also review plan documentation, in some capacity, on an annual basis. A risk assessment and BIA are used to ensure that plans reflect business reality and focus on the most likely and severe risks and impacts.
A dedicated team leads BCM activities supported by a cross-functional business and technology team, which includes internal auditing and outsource providers for specialized services. A risk assessment (by location) and BIA (by process) should be conducted and used as the foundation for building plans. They should also be refreshed periodically. Internal auditing focuses on BCM program execution as opposed to plan content.

Defined
Regulations related to BCM are considered and incorporated into BCM plans. The responsibility to monitor the regulatory landscape resides with the general counsel, who communicates with the BCM steering committee. Internal auditing monitors the plan maintenance process and influences when regulatory changes warrant updates to the documentation. A risk assessment and BIA that consider the regulatory environment have been performed within the past two years.
A small, cross-functional team is in place, and the internal audit function is actively involved in the actions of this team. A risk assessment (by location) and BIA (by process) is conducted and used as the foundation for building plans and identifying the impact of regulation on plan development.

Repeatable
Regulations related to BCM are considered and incorporated into BCM plans when financially practical. Internal auditing reviews the relevance of the documentation in accordance with a long-term audit plan and may request evidence of plan testing.
Internal auditing, risk management, or general counsel shares regulatory updates with the BCM team or those responsible for BCM.
GTAG — Glossary
10. Glossary
BC — business continuity
BU — business unit
CM — crisis management
ER — emergency response
IT — information technology
GTAG — About the Authors
11. About the Authors

David Everest, CISA
David Everest is a vice president of Technology Risk Review for Key Bank in Cleveland, Ohio. Everest concentrates on providing inside consulting expertise to the technology division within Key Bank. His specialties include infrastructure and networking projects. Prior to joining Key, he was a technology auditor with General Motors in Detroit, MI. Everest has an extensive IT background, both technical and strategic, and has worked in data centers and managed IT departments. Everest has a BS in Computer Information Systems from Baldwin Wallace College in Berea, Ohio and an MBA from The Weatherhead School of Management at Case Western Reserve University in Cleveland.

Roy E. Garber, CIA, CISA
Roy Garber is the director of Application Development at Safe Auto Insurance Co. and is responsible for the project management office (PMO) and delivery of enterprise IT application solutions. His current responsibilities also include the implementation of IT governance principles and best practices. Garber has more than 20 years of IT, financial, and operational risk management experience. In his prior internal audit role, he was a corporate officer responsible for providing leadership over corporate IT audit services for an international insurance company. In his prior external audit role, Garber managed IT assurance services engagements in large, medium, and small companies and partnered with client executives to help them meet their IT risk management needs.

Michael Keating
Mike Keating leads the business continuity management practice for Navigant Consulting. Prior to joining Navigant Consulting, he held various leadership positions in the crisis management and business continuity consulting arena, including nearly four years as the Midwest Practice leader for the world’s largest insurance broker and four years as the Southeast BCM Practice leader for a prominent internal audit and consulting firm. Keating also developed the American Red Cross BICEPP program, the first program of its kind to help organizations prepare for disasters. His specialty is in enterprise-wide business continuity programs, and he has assisted clients of nearly every size and industry prepare to minimize the impact of business interruptions.

Brian Peterson
Brian Peterson is the team leader of the Global Information Risk Management Consultant Team at Chevron Corp. and is responsible for the delivery of consulting services to Chevron companies throughout the world. His current responsibilities include managing consultants in four countries who perform risk management consulting. Peterson has more than 25 years of IT, project management, and risk management experience. He has worked in 55 countries assisting Chevron business units with various risk management initiatives. Peterson developed several tools and processes that are used throughout Chevron to manage information risks. Peterson helped establish the LOGIIC (Link the Oil and Gas Industry to Improve Cyber-security) consortium that is a partnership between government and industry and currently acts as the project manager.

Reviewers
The IIA thanks the following individuals and organizations who provided valuable comments and added great value to this guide:
• Professional Practices Committee:
  ◦ Advanced Technology Committee
  ◦ Board of Regents
  ◦ Committee on Quality
  ◦ Internal Auditing Standards Board
  ◦ Professional Issues Committee
  ◦ Ethics Committee
• Lily Bi, The IIA
• Larry Brown, The Options Clearing Corp., USA
• Faisal R. Danka, London, UK
• Christopher Fox, ASA, Delta, New York, USA
• Nelson Gibbs, Deloitte & Touche, LLP, USA
• Markus Künzel, Medizinische Universität Wien, Austria
• Lemuel Longwe, Ernst & Young Chartered Accountants, Zimbabwe
• Steve Mar, Resources Global, USA
• Tom Margosian, Ford Motor Co., USA
• James Reinhard, Simon Property Group Inc., USA
Business Continuity Management
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to
manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event
that affects the extended operability of the organization were to occur. The guide includes disaster recovery
planning for continuity of critical information technology infrastructure and business application systems.
Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls,
costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have
motivated some corporate leaders to give attention to BCM programs, the implementation of such programs
is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although
most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary
to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity
Management will help the CAE communicate business continuity risk awareness and support management in
its development and maintenance of a BCM program.
Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.
ISBN 978-0-89413-623-8
www.theiia.org