When disaster strikes... A guideline to business continuity awareness E-Book

Impressum:

Copyright (c) 2013 GRIN Verlag GmbH, alle Inhalte urheberrechtlich geschützt. Kopieren und verbreiten nur mit Genehmigung des Verlags.

Bei GRIN macht sich Ihr Wissen bezahlt! Wir veröffentlichen kostenlos Ihre Haus-, Bachelor- und Masterarbeiten.

Jetzt beiwww.grin.com

Table of contents

Table of contents

List of abbreviations

Table of figures

1 Introduction

1.1 Motivation

1.2 Context and assignment of the thesis

1.3 Goals of the thesis

1.4 Methodology

2 Singapore’s cultural dimensions

2.1 Singapore State

2.2 Hofstede’s Dimensions of Culture

2.2.1 Power Distance

2.2.2 Uncertainty Avoidance (UA)

2.3 Singapore’s SARS crisis

3 Sample AG

3.1 Organization of Sample Pte Ltd, Singapore

3.2 The Corporate Information Office

3.3 BCP of SAMPLE Pte Ltd Singapore

4 Basics – Business Continuity Planning

4.1 BCP as Project

4.2 Definition of Business Continuity Planning

4.2.1 Dimensions of Business Continuity Planning

4.2.2 The BCP planning method

4.2.3 Business Continuity Institute

4.2.4 Disaster Recovery Institute International

4.2.5 The Phases of the BCP development process

4.3 Business Impact Analysis

4.3.1 Definition of Business Impact Analysis

4.3.2 Goals and contents of a BIA

4.3.3 Methods for collecting Data

4.3.4 Key Performance Indicator Review

4.3.5 Process Flows

4.3.6 Questionnaires

4.4 Disaster Recovery Planning

4.5 Testing of BCPs

4.5.1 Walk-through

4.5.2 Simulation

5 Problem analysis

5.1 Analysis of the Business Continuity Plans at SAMPLE PL

5.2 Requirements of the business continuity plans at SAMPLE PL

5.3 GAP-Analysis

5.4 Summary

6 Proposal of solution

6.1 Parameters for embedding of BCP

6.2 Objectives for a solution concept

6.2.1 Change Management

6.3 Strategy for implementation

6.3.1 Simulation Training

6.3.2 Awareness Program

6.3.3 Developing a BCP culture

6.4 Summary

7 Implementation of solution

7.1 BCP Communication

7.1.1 Leaflets

7.1.2 Crisis Information Number

7.1.3 Summary of Business Continuity Plans

7.1.4 BCP Intranet site

7.1.5 BCP podcast

7.1.6 BCP Web site

7.1.7 Crisis Reporting Number

7.1.8 BCP Crisis Conference number

7.2 BCP Process

8 Conclusion and recommendations for future work

8.1 Conclusion

8.2 Achieved goals

8.3 Recommendations

Appendices

List of abbreviations

Table of figures

Figure 1: Our Disaster Recovery Plan Goes Something Like This... By Dilbert, Scott Adams

Figure 2: Methodology of my diploma thesis, own diagram

Figure 3: Better performance of opaque industries in uncertainty-tolerant countries http://home.uva.nl/r.huang/www/uai_growth.pdf

Figure 4: BC Maturity Pyramid (Hiles, 2000, p.3)

Figure 5: The principal phases in BCM

Figure 6: Time for Recovery – Tandem Clients

Figure 7: Development Process BCP

Figure 8: Business Impact Analysis Process for the Hypothetical Government Agency

Figure 9: BCP as a business process by Elliott, Swartz & Herbane

Figure 10: Crisis Management Team organization chart

Figure 11: Own diagram, BCP Communication

Figure 12: Crisis reporting process flow, own diagram

1 Introduction

Figure 1: Our Disaster Recovery Plan Goes Something Like This... By Dilbert, Scott Adams

”When there is a crisis, the crisis has to be managed”, was once said by Gerhard Schröder, the former German Chancellor (From: http://www.business-wissen.de/de/aktuell/kat13/akt18759.html). In actual disaster situations it is not as easy to handle the crisis and just “manage” it, you better be prepared.

When disaster strikes…these incidents cannot usually be handled with the organizational structures and resources provided for “normal everyday business” and therefore require a business continuity plan.

As we have experienced an increasing number of disaster events over the recent years, big and dramatic events like – the World Trade Center terrorist attack of 9/11, the Madrid and London train bombings, earthquakes in Pakistan, hurricanes in North America or the Southeast Asia tsunami, which were highly recognized in the media all over the world. But at the same time there have been also large number of disasters at a less recognized level, like fires, flooding, building crush down, and so forth. All these events have one thing in common: They can put a company out of business. To prevent that we are not prepared to respond these disaster events, we need to have a plan!

But planning for an event can only be the first step, next we need to implement these plans in our organization and make communicate it, to ensure that every employee knows what to do and how to react in a disaster event. Many organizations fail to actually implement a BCP program because of the perception that it is a process that is too costly, time-consuming, and requires a large amount of resources. Therefore the management must be assured that by investing in BCP, the organization’s life gets protected and that it makes good business sense.

1.1 Motivation

The determining factors for writing a thesis in the field of Business Continuity Planning (BCP) have been on the one hand the necessity of a 24/7-availability of all business relevant systems in the today’s business world and on the other hand the actuality of the topic, due to factors of new threats, requirements arising from e.g. Sarbanes-Oxley Act (SOA) Section 404 (Appendix 1) and the integration into corporate governance processes.

As all Business Units (BUs), Vendors and Customers are connected thru a network of IT-Systems; these systems also became crucial for the success or the failure of a company. But BCP is not solely to be seen as an IT topic, it is more a holistic management program.

For Sample Private (Pte) Limited (Ltd) (SAMPLE PL), Singapore the subtopics like Change Management and a practical approach for an implementation of the BCP were the main causes for assigning this thesis. As there are already Business Impact Analysis (BIA), Risk Analysis (RA) and a Disaster Recovery Plan (DRP) realized, but these plans had to be reviewed and implemented into the organization. Another purpose was to customize the tools and awareness programs for the management and the employees at SAMPLE PL. This is also an important element as every organization and each environment is different from the other.

1.2 Context and assignment of the thesis

BCP as planning for disaster events is also to be seen as a method to prevent crisis for a company in general. It should enable an organization to respond to crisis and/or disasters, to be prepared.

There are many events that can develop into a crisis and/or a disaster. Here are just a few examples: data theft and manipulation with blackmail involved, loss of data through negligence with an adverse PR effect, smear campaign, abduction, hostage-taking, hijacking, blackmail and protection rackets, bomb threats, sabotage, bomb attacks, fire, catastrophes, illegal stoppages/strikes/demonstrations, product piracy, contamination of food, accidents involving injury/death or considerable material damage or serious repercussions for the local population, for employees and/or the environment, business trips and projects in countries with high security risks.

Of increasing importance in crisis management are also the risks associated with the global networking of information and communication systems. These risks include: virus attacks, hacking, “cyber crime”, internet criminality and economic espionage.

The thesis does not cover the whole Crisis Management (CM) of the SAMPLE PL organization, as CM also includes topics like financial risk management and fraud as they are not relevant for the assignment. The formulation of this assignment puts emphasis on a deep analysis of the BCP program. In the scholarly literature BCP is also called Business Continuity Management, I will use the terminology BCP for my thesis, as there is no differentiation given and both terms are used in the same meaning.

Suku Nor, the Business Continuity Manager (BCM) of SAMPLE PL answers, asked about the main focus of implementing a BCP program for Singapore “the difficulties come from the fact that people really are not aware of this topic (…) in the environment of Singapore, people are not aware of possible threats, what gives some additional challenge…” (Appendix 3).

The paper should therefore provide a practical approach to the following problem: How can the implementation of a BCP build awareness of the management and the employees to possible risks and what enables them, to respond efficiently when a disaster strikes?

1.3 Goals of the thesis

The goal of my thesis is to show a way of implementing a BCP awareness program successfully in a big and complex organization and make the BCP entities recognizable by every employee. It should be realized as part of the culture of SAMPLE PL. Because only an ongoing BCP program with a strong focus on awareness and training can be efficient. The employees of SAMPLE PL should be enabled to respond to disaster events which are identified in the performed risk analysis. All members of the organization have to know their particular role and their responsibilities for business continuity.

1.4 Methodology

By giving an overview about Singapore’s regional premises and dimensions of culture (Chapter0) I want to show the environment and people involved. I am then giving an overview about Sample in general, some facts and figures (Chapter0), as well as an introduction to the Corporate Information Office (CIO) and its functions within the SAMPLE PL organization. During my time at SAMPLE PL, I was attached to the CIO department, because the Chief Information Officer also has the role of the BCM in the company. The CIO department has to ensure a lot of the requirements for BCP like the Information Technology Disaster Recovery Planning (ITDRP) or Information Security issues. The BCM has to drive the program and coordinate and communicate BCP in the organization. The following Chapter is then giving the theoretical basics to the topic, for an understanding of the underlying terminology and their definitions (Chapter0). Different methods for performing BCPs and BIAs as well as their testing are explained and the phases and processes are shown. The problem analysis of the BCP program at SAMPLE PL will then be given in the next Chapter (Chapter0). Here an analysis of the BCP plans at SAMPLE PL and their requirements are brought together. The chapter is finalized by a GAP-Analysis, which shows the main focus and problems that have to be solved. A proposed solution for the difficulties found in the earlier Chapter is then given (Chapter0) and should help to “bridge the gap”. The parameters and objectives of a solution concept are explained and proposed processes are shown. The actual implemented solution program is subsequently presented in Chapter0. The introduced BCP communication, with all of its modules can be found as well as a BCP process flow for SAMPLE PL. On the final pages a conclusion and recommendation for the topic is then finalizing the thesis (Chapter0).

For getting a clear understanding of Singapore’s environment in general and BCP in particular as well as of the SAMPLE PL Company, I had to obtain and analyze information from various resources.

During a six month internship with SAMPLE PL, I obtained all the necessary internal data and information for an analysis of the existing BCP program and its requirements. I also gathered lots of external information in case studies, terminologies and theoretical background of BCP, which could be found in books, online-magazines, internet pages, continuity organizations and surveys.

A lot of information was provided to me during meetings, interviews and talks to colleagues who worked with me on the BCP topic. Throughout my stay in Singapore, I was working very closely with the team and was able to get all needed information and support for the thesis. Carrying out an interview with the BCM of SAMPLE PL helped me to understand the situation and problems better and gave me insight to the realistic every-day management concerns.

A problem I faced by obtaining information about BCP in general and an efficient implementation in particular was simply to find appropriate sources, as:

The topic is pretty new and not well established especially not in and for the Asian region.

There is not a lot of existing literature, especially books about BCP.

The terminologies like continuity planning, disaster recovery or continuity management are used with different meanings in a lot of the variable sources.

As every BCP has to be adapted to the environment and organization it is difficult to use lessons learned and case studies from past disasters as they may not be appropriate for us.

Finally the functioning and response of BCP is different from other programs and processes as we can only simulate but not really practice business continuity in the every day workflow.