Arab Academy for Science , Technology and Maritime Transport
SCENARIO BUILDING & BUSINESS CONTINUITY PLANNING
Prepared By : Dr. Mahmoud Beshr
Copyrights© AAST/Dr. Mahmoud Beshr
1. Business continuity planning foundation
2. Business Impact Analysis
3. Design business continuity, Response & Recovery Strategies
4. Scenario building and Business continuity planning
5. Business continuity plan Testing & Maintenance
dr mahmoud beshr 2
▪ 30% Mid term
▪ 20% report and presentation
▪ 40% final exam
▪ 10% attendance and participation
3
▪ Business Continuity and Risk Management: Essentials of Organizational Resilience, First Edition, by Kurt J. Engemann and Douglas M. Henderson
▪ ISO 22301:2019: Security and resilience — Business continuity management systems — Requirements
4
5
▪ Companies without a plan fail – 80% of companies without a business continuity plan will go out of business within 13 months.
▪ Data loss is inevitable – 20% of all companies will suffer fire, theft, flood, storm damage, power failures, or a hardware or software disaster this year.
▪ Disaster threats are increasing – Companies are at increasing risk of natural disasters, competitive espionage, human error, and power grid failures.
▪ Data is critical to your company's success – Data loss can happen at any time and your business depends on this data. Protecting this data is key to your company's future success.
▪ Hardware failure is the leading cause of unplanned outages – 45% of all unplanned downtime is attributed to hardware failures.
▪ Power outages account for 35% of unexpected downtime – While this fluctuates each year, power outages and other utility losses will always pose a threat.
▪ 90% of businesses without a disaster recovery plan will fail after a disaster.
▪ 1 in 3 businesses were unprepared for disaster, despite having a plan.
▪ Unplanned downtime costs between $926 and $18k per minute – These costs include lost revenue, lost
6
▪ The processes by which business can be maintained to an acceptable level until full processes and systems are restored
▪ The plans and supporting procedures that guide the continuity or timely recovery of business operations following an unplanned interruption to business operations over an extended period
▪ BCP is about minimizing the impacts of critical events on an organisation and its stakeholders [internal and external]
7
Disaster Recovery – the creation & execution of plans to recover the data & systems of an organisation to the point immediately prior to the interruption
Contingency – the physical or process alternative to a single point of failure, e.g. a back-up generator for power failures
Operational Continuity – the alternative processes implemented during a failure, which allow the "process" to continue, whilst relying on the contingencies or DR Plans to restore full operations
Business Continuity – the processes by which business can be maintained to an acceptable level until full processes and systems are restored
8
▪ A Key Component of Compliance & Business Resilience
[Diagram: BCP shown alongside its related disciplines – Emergency Management, Risk Management, IT/DRP, BR and Crisis Management]
MYTHS & ASSUMPTIONS
▪ If you have an IT DR Plan you don't need BC Planning
▪ Contingency planning and risk management cover BCP
▪ We've already got Evac. Plans
▪ We're well insured against losses
▪ We've been OK until now and survived a few problems – we'll be OK!
▪ BCP is a minimalist approach
9
▪ To identify the organization's key processes
▪ To identify the critical underlying technology & services
▪ To identify the critical stakeholder relationships
▪ To identify the alternative approaches
▪ To establish a plan[s] that can be readily and effectively activated
▪ To provide real operational alternatives
10
The nature of the major impact incidents would be those that result in:
▪ Extended loss of, unavailability of or denial of access to the organisation's major location at .....................................;
▪ Extended loss of, or unavailability of, key personnel required to deliver the key functions;
▪ Extended and significant interruption to critical supply chain goods and services;
▪ Extended loss or unavailability of critical infrastructure necessary for the operation of the organisation or the delivery of its services;
▪ Extended loss of or unavailability of key information/vital documents, including electronic data & systems;
or the combination of, or consequential impacts of, any of the above.
11
▪ Recent international and business crisis events
▪ September 11 - Hurricane Katrina
▪ Asian Tsunami - Christchurch ‘quakes
▪ BP Oil Rig blow-out - COVID 19
▪ Corporate governance/compliance
▪ Protecting assets, employees and stakeholders
▪ The influenza pandemics
▪ Government - for the public good
▪ New fire warning and evacuation regulations
▪ Public transport, public safety
12
▪ Maintaining a viable ongoing business
▪ Continuity of key services
▪ Reduces and manages uncertainty
▪ An aid to meeting legal and moral commitments
▪ Protection of:
▪ Staff & staff confidence
▪ Assets
▪ Reputation
▪ Economic position
▪ A firm level of security for both suppliers and customers
13
Business Continuity Essentials:
▪ Corporate Commitment
▪ Staff understanding & training
▪ Stakeholder engagement
▪ Planning & testing
▪ Continuing Review and Revision
14
Business Continuity for Universities
▪ Deliver the right message to the students, faculty and administrative staff that the university is taking serious steps to achieve excellence in business continuity in its daily operations, and that it understands its risks and has mitigating actions to deal with these risks.
▪ Ensure that all the facilities required for the students to have an effective and enjoyable learning experience are in place and that they are available whenever needed.
▪ Ensure the continuity of research and that there are mitigating actions in place to ensure that the research process is performed in the best possible way.
▪ The university has internationally recognized standards in place; that is one of the most important goals that can help deliver a positive message to the students, research partners and industry partners.
15
16
[Diagram: supply chain view of the organisation – Supplier's Supplier(s) → Supplier(s) A, B → Your Organisation → Customer(s) A, B, C → Customer's Customer(s). Left side: potential impacts on you. Right side: potential impacts you could create.]
17
Business Continuity Management Lifecycle
Business Continuity Management (BCM) is a holistic management process that:
1. Identifies potential threats to an organization and
2. The impacts to the business operations those threats might cause.
3. It provides a framework for building organizational resilience and effective response
4. Enables the business to stay on course whatever storms it is forced to weather
At the heart of BCM good practices sits the BCM lifecycle. It shows the stages of activity that an organization moves through and repeats with the overall aim of improving organizational resilience.
18
19
Governance – Governance, Training, Assurance: Ensuring compliance, setting policy, standards, procedures, metrics and strategic objectives, reporting.
Crisis Management – Event Response: Response to an event, or a series of escalating events, that threatens our business operations, reputation or viability.
Business Continuity – People and Processes: Sustain acceptable uptime, and restore business operations to the acceptable level after a disruptive event.
Disaster Recovery – Technology: Restore or recover critical infrastructure and applications following a data center or systems failure.
Together these four disciplines make up Global Resiliency.
20
Match each term with its definition:
Terms: (1) Business Continuity; (2) Business Continuity Plan; (3) Business Impact Analysis; (4) Disruption; (5) Incident; (6) Prioritized Activity; (7) Risk
Definitions:
(a) Incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization's objectives.
(b) Activity to which urgency is given in order to avoid unacceptable impacts to the business during a disruption.
(c) Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
(d) Effect of uncertainty on objectives.
(e) Process of analyzing the impact over time of a disruption on the organization. The outcome is a statement and justification of business continuity requirements.
(f) Event that can be, or could lead to, a disruption, loss, emergency or crisis.
(g) Documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.
21
Term – Definition
(1) Business Continuity – (a) Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
(2) Business Continuity Plan – (b) Documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.
(3) Business Impact Analysis – (c) Process of analyzing the impact over time of a disruption on the organization. The outcome is a statement and justification of business continuity requirements.
(4) Disruption – (d) Incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization's objectives.
(5) Incident – (e) Event that can be, or could lead to, a disruption, loss, emergency or crisis.
(6) Prioritized Activity – (f) Activity to which urgency is given in order to avoid unacceptable impacts to the business during a disruption.
(7) Risk – (g) Effect of uncertainty on objectives.
22
OVERVIEW OF THE BCM PROCESS
▪ ISO 22301 doesn't include a 'model' for the BCM process – something the former standard called 'the BCM Lifecycle', which was, in fact, quite similar to the 'Plan-Do-Check-Act' (PDCA) cycle that forms part of the basis of the Standard.
▪ The structure of ISO 22301 is consistent with other ISO management system standards.
23
Continual Improvement of BCM Program
[Diagram: PDCA cycle labelled "CONTINUAL IMPROVEMENT OF BCM PROGRAM"]
Plan: Establish business continuity (BC) policy, objectives, targets, controls, processes & procedures relevant to improving BC in order to deliver results that align with the department's overall policies & objectives.
Do: Implement & operate the BC policy, controls, processes & procedures.
Check: Monitor & review performance against business continuity policy & objectives, report the results to the Executive for review, determine & authorize actions for remediation & improvement.
Act: Maintain & improve the BCM program by taking corrective action, based on the results of the management review & reappraising the scope of the BCM Program & BC policy & objectives.
24
The key sections of ISO 22301:2019
Clause (4): Context of the organisation
Clause (5): Leadership
Clause (6): Planning
Clause (7): Support
Clause (8): Operation
Clause (9): Performance evaluation
Clause (10): Improvement
25