
COMPANY

Business Continuity Management


Program Assessment
March 2015

Powered by Global Markets – EY Knowledge


Contents Page
I. Executive Summary 3
Executive Summary 4
BCM Maturity Model Assessment Domains 6
II. Detailed Findings 8
BCM Program Maturity Ratings per BCM Domain 9
BCM Program Maturity Ratings per Functional Area 10
III. Benchmark Analysis 17
Overview 18
Summary of Findings 19
Detailed Findings by Functional Area 20
IV. Prioritized Findings and Recommendations 27
Business Impact Analysis 29
Disaster Recovery Plan Development 30
Business Continuity Plan Development 31
Exercise / Maintenance 32
Recovery Strategy Development 33
Governance 34
Risk Assessment 35
Crisis Management 36
V. Future State Roadmap 37
Future State Implementation Roadmap 38
Implementation Cost and Effort 39
Implementation Project Plan 40
VI. BCM Metrics and Scorecards 43
Example Program Health Scorecard 44
Example Testing Scorecard 45
Example BCM Program Update 46
Next Steps 47
VII. Appendix 48
Maturity Assessment Detailed Work Plans by Functional Area 53
Maturity Assessment Mapping 55
Maturity Assessment Standards Mapping 72
Example BCM Governance Structure 99
Meeting Participants 102
Page 2
I. Executive Summary

Page 3
Executive Summary
OVERVIEW
Ernst & Young (EY) performed an assessment of COMPANY’s Business Continuity Management (BCM) program using EY’s proprietary maturity model, which is composed of leading practices. In preparation for this review, EY mapped the domains of the maturity model to international standards including ISO 22301, ISO 27001 and ITIL ITSCM. EY then evaluated, on a sample basis, COMPANY’s level of preparedness for each of the BCM maturity model domains relative to Business Continuity Planning, Disaster Recovery Planning, and Crisis Management Planning, as well as the related methods, processes and deliverables developed to support COMPANY’s BCM efforts. COMPANY’s maturity was benchmarked against the BCM program maturity of other technology companies to identify and prioritize the areas requiring remediation. The objective of the assessment is to provide COMPANY with a current state baseline, a set of recommendations, and a future state roadmap to facilitate planning of enhanced program activities for the global organization.

SCOPE
The scope of the BCM assessment covered the COMPANY Corporation functional areas listed below. EY did not assess COMPANY’s Federated Companies (i.e. ………).
► ORG UNIT A
► ORG UNIT B
► ORG UNIT C

OPERATING ASSUMPTIONS
► Each functional organization’s BCM maturity is rated based on the collective and dependent capabilities of its underlying functions as established within the
domains of our Maturity Model. For example, the lack of a BIA to establish clear process priorities, RTOs and dependencies will affect the maturity score of
the BC/DR plans that the business has developed, as a leading practice BCP/DRP depends on a current BIA to establish the priorities in the BCP/DRP.
► Maturity ratings are based on whether capabilities are in place AND if those capabilities meet industry best practice maturity criteria.
► A process discussed with business areas without documentation does not satisfy the maturity criteria.
► A process with documentation that is greater than 2 years old will only partially satisfy the maturity criteria.

Page 4
Executive Summary
COMPANY CORPORATION BCM MATURITY RATING
EY’s rating of COMPANY’s enterprise BCM program is “Low Preparedness”. COMPANY scored a X.XX maturity assessment rating on a scale of zero to three (0-3).

KEY TAKEAWAYS
► COMPANY’s BCM program is less mature than the technology industry benchmark in all domains with the greatest disparity in the BIA, BCP, and DR
domains.
► A majority of the functional areas have not conducted BIAs to understand critical business processes, recovery time objectives (RTO), and dependencies. Recovery capabilities are developed based on legacy information and/or high level assessments that lack a consistent and standardized approach for measuring and defining business process criticality.
► COMPANY has response and recovery processes and capabilities in place, though these capabilities often lack formal and consistent documentation across
the enterprise and within the functional areas.
► BCM governance is not defined and established consistently across the functional areas.
► The functional areas are aware of the opportunities for improvement, and many are already in the process of rebuilding and/or refreshing their BCM programs.

RECOMMENDATIONS
► Formalize the BCM governance team structures across the functional areas and develop a clear reporting structure into the Business Continuity Council
(BCC) and the corporate BCM PMO.
► Define the minimum requirements for BCM maturity across the enterprise and establish a process for holding functional area BCM teams accountable for
meeting those requirements.
► Develop standard impact criteria for assessing business impacts and for determining business process criticality and recovery priorities.
► Perform a BIA refresh across the enterprise to define recovery time objectives (RTOs) and to identify key dependencies (e.g. systems/applications).
► Conduct a gap analysis to compare current recovery capabilities against business requirements.
► Identify recovery strategy options that will remediate the gaps and meet the business requirements, and select the most cost effective solution(s).
► Develop standard templates for recovery plan, test plans, post-exercise/incident reports, and scorecards to drive consistency and standardization across the
enterprise.
► Develop/refresh recovery plans (e.g. BCPs, DRPs, CMPs) and ensure that plans are aligned with the BIA output and recovery strategies identified.
► Establish a cadence for the functional areas to report out on program status and maturity to the BCC.

Page 5
BCM Maturity Model Assessment Domains
BCM Elements / Leading Practice
Exercise/Maintenance: Business Continuity team tests coincide with IT tests in which business personnel test operations on the recovered equipment. All plans are updated on a regular basis.
Disaster Recovery: The Disaster Recovery (DR) Plan is developed according to the organization’s IT framework and is fully integrated with Business Recovery and Crisis Management. It addresses recovery procedures for the infrastructure, applications, systems and data that support the business.
Business Continuity: The Business Continuity (BC) Plan is developed according to the corporate BCM framework and spans all processes within the organization. Detailed plans address continuity and recovery procedures for employees and processes.
Crisis Management: The Crisis Management (CM) Plan is approved, distributed and has been used repeatedly by the company (testing or actual events).
Strategy Development: Cost effective continuity strategies that align with business requirements. Technical, physical, people and financial resources have been factored into recovery efforts.
Risk Assessment (RA): Financial decisions to mitigate risk are based upon the potential business impacts to operations at an examined facility.
Business Impact Analysis (BIA): BIAs determine critical business processes and the required technical and non-technical needs in the midst of a crisis.
Governance: The company has received commitment from all levels of the organization and individual lines of business.
Page 6
BCM Maturity Ratings
Leveraging the maturity model, the project team facilitated a process to assess COMPANY’s BCM capabilities.
Colors representing the ratings were assigned to the various capabilities as defined below. Refer to the “Maturity
Assessment Mapping” in the appendix for more details.

3 - High Preparedness: An enforceable, practical business continuity policy, set of practices and processes has been adopted. The BCM Program has been created to govern the program and support all enterprise participants. All critical business functions and applications have been identified and BCPs/DRPs/Crisis Management plans have been developed. Tests of BCPs/DRPs/CMPs are regularly conducted and the plans are routinely updated. A multi-year plan has been adopted to continuously improve preparedness levels. A communications and training program exists to sustain business continuity awareness.
2 - Moderate Preparedness: Senior management understands and is committed to the strategic importance of an effective business continuity program. A rudimentary business continuity management policy has been developed mandating at least limited compliance to a set of standards enterprise-wide. Several business units have achieved a high state of preparedness. However, as an enterprise, the organization is, at best, moderately prepared. Senior management, as a group, has not yet committed to an enterprise business continuity program, although they may have a project underway to assess the business case for it.
1 - Low Preparedness: At least one business unit or corporate function has recognized the strategic importance of business continuity management and has begun efforts to increase executive and enterprise awareness. At least one internal or external professional is available to support the business continuity, disaster recovery or emergency management efforts. The state of preparedness may be moderate for participants, but remains relatively low across the majority of the company.
0 - No Preparedness: No or only preliminary work has been performed. The organization has not addressed the component from an enterprise perspective and it needs to be created.

Page 7
II. Detailed Findings

Page 8
BCM Maturity Rating by Domain
Overall Maturity Rating: Low Preparedness
The table below summarizes COMPANY’s maturity ratings for each BCM maturity domain. The following slides illustrate the maturity ratings for
each functional area. The detailed assessment work plans for each functional area can be found embedded on slide 54.
BCM Domain | Description | Overall Rating | COMPANY BCM Program Rating Summary

Governance: Low Preparedness (X.XX)
Description: Policies and procedures that define the BCM Program framework
Rating Summary: Although a BCM governance structure exists at the enterprise level (i.e. EGRC, BCC), there is little to no governance at the functional area level. The functional areas lack consistency in terms of having formal governance structures, BCM policies, key performance indicators / program metrics, and management review/approval.

Business Impact Analysis (BIA): Low Preparedness (X.XX)
Description: Measure impact from business disruption, RTO, RPO, gap analysis
Rating Summary: COMPANY has not performed a BIA across the enterprise. There is evidence that some of the functional areas have performed high level assessments of their critical business processes and dependencies (e.g. applications, facilities, suppliers, etc.). A gap analysis has not been performed to understand where gaps exist between business requirements and current recovery capabilities.

Risk Assessment: Low Preparedness (X.XX)
Description: Identify risks, threats, vulnerabilities, and develop risk mitigation strategies
Rating Summary: There was little evidence that a consistent risk assessment methodology is applied across the enterprise. Many of the functional areas have not performed a risk assessment to identify their risks and to determine whether to mitigate or accept the risks. FM Global conducts periodic site risk assessments for insurance purposes.

Strategy Development: Low Preparedness (X.XX)
Description: Continuity strategies for business and IT, manual workarounds, alternate workspace
Rating Summary: The COMPANY functional areas do not consistently identify or document recovery strategy options for loss scenarios (e.g. loss of facility, loss of systems, etc.) in the recovery documentation observed.

Crisis Management: Moderate Preparedness (X.XX)
Description: Global Crisis Response Plan, Emergency Response, Emergency Communication Plan, Incident Management/response Plans
Rating Summary: At a corporate level, COMPANY has a robust Crisis Management program in place. Several of the functional areas have robust crisis/incident/emergency response plans in place (e.g. COE, FAC/SEC/EHS), while other functional areas have in place, at a minimum, incident/emergency response teams and contact information.

Business Continuity: Low Preparedness (X.XX)
Description: BCP includes critical processes, recovery strategies and procedures for critical people and processes, identification of critical partners and suppliers and dependencies
Rating Summary: BCPs are not consistently documented across the enterprise. Some functional areas have developed robust BCPs addressing the loss of normal operating capabilities, while other areas lack BCPs altogether and only address the immediate response and escalation within the incident management plans.

Disaster Recovery (Enterprise IT): Moderate Preparedness (X.XX)
Description: IT Disaster Recovery Plan includes critical infrastructure, data, applications, systems
Rating Summary: The IT DR program has strong oversight and governance; however, the DR program scope is not driven by a formal assessment of business requirements with defined RTOs and RPOs. Additionally, several of the functional areas that utilize non-IT managed systems do not have DR plans in place.

Exercising & Maintenance: Low Preparedness (X.XX)
Description: Business exercises, IT critical systems are regularly tested, and plans are updated with lessons learned from exercises and testing. Regular training and awareness programs instituted
Rating Summary: The documents observed indicate that they are reviewed and updated regularly (in most cases annually) and that table top exercises are performed by several functional areas to provide awareness to the recovery team members.

Page 9
BCM Maturity Rating by Functional Area
BCM Domain: ORG UNIT A | ORG UNIT B | ORG UNIT C | ORG UNIT D | ORG UNIT E | ORG UNIT F
Governance: Low Preparedness (1.17) | Low Preparedness (0.8) | Moderate Preparedness (2) | Moderate Preparedness (2) | Low Preparedness (0.67) | Low Preparedness (1.33)
Business Impact Analysis (BIA): Low Preparedness (0.83) | Low Preparedness (0.83) | Moderate Preparedness (1.5) | Low Preparedness (1.17) | Moderate Preparedness (1.83) | No Preparedness (0.17)
Risk Assessment: Moderate Preparedness (1.5) | Low Preparedness (0.5) | Low Preparedness (1.33) | Moderate Preparedness (1.67) | No Preparedness (0) | Low Preparedness (0.5)
Strategy Development: Low Preparedness (1) | No Preparedness (0) | Moderate Preparedness (2) | Moderate Preparedness (1.8) | Low Preparedness (1) | Low Preparedness (0.8)
Crisis Management: High Preparedness (3) | High Preparedness (2.8) | Moderate Preparedness (2) | Low Preparedness (1) | Low Preparedness (1.4) | Moderate Preparedness (1.5)
Business Continuity: Moderate Preparedness (1.83) | Low Preparedness (0.67) | Moderate Preparedness (1.5) | Low Preparedness (1.17) | Moderate Preparedness (2.17) | No Preparedness (0)
Disaster Recovery (Enterprise IT): Moderate Preparedness (1.83) | Moderate Preparedness (1.83) | Moderate Preparedness (1.83) | Moderate Preparedness (1.83) | Moderate Preparedness (1.83) | Moderate Preparedness (1.83)
Disaster Recovery (Functional Areas): N/A, no DR responsibility outside of IT | N/A, no DR responsibility outside of IT | N/A, no DR responsibility outside of IT | No Preparedness* (0) | Low Preparedness* (1.17) | Moderate Preparedness (1.83)
Exercise: Low Preparedness (1.4) | Low Preparedness (0.6) | Moderate Preparedness (1.6) | Moderate Preparedness (1.6) | No Preparedness (0.2) | Moderate Preparedness (1.8)
Maintenance: Low Preparedness (1) | Low Preparedness (1) | Moderate Preparedness (2) | Moderate Preparedness (2) | Low Preparedness (0.67) | Moderate Preparedness (2)

Functional Area Maturity Ratings: Low Preparedness (1.47) | Low Preparedness (0.90) | Moderate Preparedness (1.74) | Low Preparedness (1.38) | Low Preparedness (1.01) | Low Preparedness (1.10)

*Maturity scores reflect technology DR capabilities for systems managed by the functional organization. Enterprise systems managed by IT are reflected in the Disaster Recovery (Enterprise IT) score.
Page 10
BCM Maturity Rating by Functional Area
ORG UNIT A (Repeat for additional Org Units)
BCM Domain | COE Rating | Observations | Recommendations
Governance | Low Preparedness (1.17) | |
Business Impact Analysis (BIA) | Low Preparedness (0.83) | |
Risk Assessment | Moderate Preparedness (1.5) | |
Strategy Development | Low Preparedness (1) | |
Crisis Management | High Preparedness (3) | |
Business Continuity | Moderate Preparedness (1.83) | |
Disaster Recovery (Enterprise IT systems) | Moderate Preparedness (1.83) | |
Disaster Recovery (Functional Areas) | N/A, no DR responsibility outside of IT | |
Exercise | Low Preparedness (1.4) | |
Maintenance | Low Preparedness (1) | |

Page 11
III. Benchmark Analysis

Page 12
BCM Program Benchmark
Overview
EY performed a benchmark of COMPANY’s BCM program maturity against other technology and manufacturing companies. The
analysis measures and compares each company’s maturity for each EY BCM maturity model domain using the standardized maturity
ratings (0-3) used to measure COMPANY’s BCM program maturity. The benchmark includes four (4) global organizations and two (2)
groups of organizations that participated in the EY Global Information Security Survey (GISS) and the Security Program Management
(SPM) survey. Table 1 provides a summary of the company profiles used in the benchmarking analysis.

Company | Industry/Sector | Revenue (billions) | Employees | Area Served | Public / Private
Company A | Technology | $75 - $100 | > 100,000 | Global | Public
Company B | Technology / Manufacturing | $1 - $25 | < 25,000 | Global | Public
Company C | Technology / Manufacturing | $25 - $50 | 75,000 – 100,000 | Global | Public
Company D | Technology | $50 - $75 | 50,000 – 75,000 | Global | Public
Survey Pool 1 (117 participants) | Technology | <$1 - $50 | < 1,000 – 100,000+ | Americas, APAC, EMEIA, Japan | Public / Private
Survey Pool 2 (8 participants) | Technology | <$1 - $20 | < 1,000 – 25,000+ | Americas, Asia, EMEA | Public / Private

Table 1 – BCM Benchmark Company Profiles

The benchmarking results are captured in the following slide. Table 2 summarizes the maturity ratings for each COMPANY functional
area assessed and for each company in the benchmarking analysis. Figure 2 illustrates COMPANY’s overall maturity compared to the
industry benchmark. Figure 3 illustrates the program maturities for each COMPANY functional area across the BCM domains
compared to COMPANY’s overall maturity and the industry benchmark.

Page 13
BCM Program Benchmark
Summary of Findings
Functional Areas | Govn’ | BIA | Risk Ass’t | Strategy | CMP | BCP | DRP | Exercise | Maintain
ORG A | 1.17 | 0.83 | 1.5 | 1 | 3 | 1.83 | NA | 1.4 | 1
ORG B | 0.8 | 0.83 | 0.5 | 0 | 2.8 | 0.67 | NA | 0.6 | 1
ORG C | 2 | 1.5 | 1.33 | 2 | 2 | 1.5 | NA | 1.6 | 2
ORG D | 2 | 1.17 | 1.67 | 1.8 | 1 | 1.17 | 0 | 1.6 | 2
ORG E | 0.67 | 1.83 | 0 | 1 | 1.4 | 2.17 | 1.17 | 0.2 | 0.67
ORG F | 1.33 | 0.17 | 0.5 | 0.8 | 1.5 | 0 | 1.83 | 1.8 | 2
COMPANY | 1.33 | 1.05 | 0.92 | 1.10 | 1.95 | 1.22 | 1.00 | 1.20 | 1.45
Company A | 2.83 | 2.83 | 2 | 2.6 | 3 | 3 | 2.33 | 2.8 | 3
Company B | 0.8 | 1.3 | 1 | 0 | 3 | 1 | 1.5 | 1.3 | 1.3
Company C | 1.77 | 2.33 | 2 | 2.33 | 2.8 | 2.5 | 2.17 | 2.33 | 2.5
Company D | 2.67 | 2.5 | 1.77 | 2.6 | 2.8 | 2.83 | 2.33 | 2.8 | 2.67
Survey Pool 1 | 1.83 | 1.33 | 1.2 | 1.5 | 2.33 | 2.33 | 1.67 | 1.67 | 1.83
Survey Pool 2 | 1 | 1 | 1.5 | 1 | 1 | 1 | 1.5 | 1.5 | 1
Benchmark | 1.82 | 1.88 | 1.58 | 1.67 | 2.49 | 2.11 | 1.92 | 2.07 | 2.05
COMPANY vs. Benchmark | -0.49 | -0.83 | -0.66 | -0.57 | -0.54 | -0.89 | -0.92 | -0.87 | -0.61

Table 2 – BCM Benchmark Program Maturity Ratings
Figure 1 – COMPANY vs. Benchmark Program Maturity
Figure 2 – COMPANY Functional Areas vs. Benchmark Program Maturity
Page 14


BCM Program Benchmark
[Chart: COMPANY vs. Company Average maturity by BCM domain (Governance, Business Impact Analysis, Risk Assessment, Strategy Development, Crisis Management, Business Continuity Planning, Disaster Recovery Planning, Exercise, Maintenance); scale: No Preparedness (0), Low Preparedness (1), Moderate Preparedness (2), High Preparedness (3); series: COE, GBS, GS, FAC/SEC/EHS, GPO, IT/GSO, COMPANY, Benchmark]

Page 15
BCM Program Benchmark
ORG A (Create for each Org Area)
[Chart: ORG A maturity by BCM domain (Governance, Business Impact Analysis, Risk Assessment, Strategy Development, Crisis Management, Business Continuity Planning, Disaster Recovery Planning marked DOMAIN NOT APPLICABLE, Exercise, Maintenance); scale: No Preparedness (0), Low Preparedness (1), Moderate Preparedness (2), High Preparedness (3); series: ORG A, ORG B, ORG C, ORG D, ORG E, ORG F, COMPANY, Benchmark]

Page 16
IV. Prioritized Observations and Recommendations

Page 17
BCM Future State Implementation Roadmap
Timeline: Q1 FY15, Q2 FY15, Q3 FY15, Q4 FY15, Q1 FY16, Q2 FY16
Phase 1: Form and operate Functional BCM PMOs
Phase 1: Develop BCM program metrics; continuously measure program health and maturity
Phase 2: Perform BIA scoping
Phase 2: Perform/Refresh BIAs for critical areas
Phase 3: Identify recovery strategies to close gaps
Phase 4: Develop/Refresh DRPs for critical apps
Phase 5: Develop/Refresh BCPs for critical processes
Phase 6: Implement standardized test evaluation process
Phase 6: Exercise recovery plans across the enterprise
Phase 7: Perform Risk Assessments
Phase 8: Develop/Refresh CMPs, IMPs, and ERPs

Page 18
BCM Maturity Rating by Domain
Overall Maturity Rating: Low Preparedness
The table below summarizes COMPANY’s maturity ratings for each BCM maturity domain. The following slides illustrate the maturity ratings for
each functional area. The detailed assessment work plans for each functional area can be found embedded on slide 53.
BCM Domain | Description | Overall Rating | COMPANY BCM Program Rating Summary

Governance: Low Preparedness (1.33)
Description: Policies and procedures that define the BCM Program framework
Rating Summary: Although a BCM governance structure exists at the enterprise level (i.e. EGRC, BCC), there is little to no governance at the functional area level. The functional areas lack consistency in terms of having formal governance structures, BCM policies, key performance indicators / program metrics, and management review/approval.

Business Impact Analysis (BIA): Low Preparedness (1.05)
Description: Measure impact from business disruption, RTO, RPO, gap analysis
Rating Summary: COMPANY has not performed a BIA across the enterprise. There is evidence that some of the functional areas have performed high level assessments of their critical business processes and dependencies (e.g. applications, facilities, suppliers, etc.). A gap analysis has not been performed to understand where gaps exist between business requirements and current recovery capabilities.

Risk Assessment: Low Preparedness (0.92)
Description: Identify risks, threats, vulnerabilities, and develop risk mitigation strategies
Rating Summary: There was little evidence that a consistent risk assessment methodology is applied across the enterprise. Many of the functional areas have not performed a risk assessment to identify their risks and to determine whether to mitigate or accept the risks. FM Global conducts periodic site risk assessments for insurance purposes.

Strategy Development: Low Preparedness (1.10)
Description: Continuity strategies for business and IT, manual workarounds, alternate workspace
Rating Summary: The COMPANY functional areas do not consistently identify or document recovery strategy options for loss scenarios (e.g. loss of facility, loss of systems, etc.) in the recovery documentation observed.

Crisis Management: Moderate Preparedness (1.95)
Description: Global Crisis Response Plan, Emergency Response, Emergency Communication Plan, Incident Management/response Plans
Rating Summary: At a corporate level, COMPANY has a robust Crisis Management program in place. Several of the functional areas have robust crisis/incident/emergency response plans in place (e.g. COE, FAC/SEC/EHS), while other functional areas have in place, at a minimum, incident/emergency response teams and contact information.

Business Continuity: Low Preparedness (1.22)
Description: BCP includes critical processes, recovery strategies and procedures for critical people and processes, identification of critical partners and suppliers and dependencies
Rating Summary: BCPs are not consistently documented across the enterprise. Some functional areas have developed robust BCPs addressing the loss of normal operating capabilities, while other areas lack BCPs altogether and only address the immediate response and escalation within the incident management plans.

Disaster Recovery (Enterprise IT): Moderate Preparedness (1.83)
Description: IT Disaster Recovery Plan includes critical infrastructure, data, applications, systems
Rating Summary: The IT DR program has strong oversight and governance; however, the DR program scope is not driven by a formal assessment of business requirements with defined RTOs and RPOs. Additionally, several of the functional areas that utilize non-IT managed systems do not have DR plans in place.

Exercising & Maintenance: Low Preparedness (1.32)
Description: Business exercises, IT critical systems are regularly tested, and plans are updated with lessons learned from exercises and testing. Regular training and awareness programs instituted
Rating Summary: The documents observed indicate that they are reviewed and updated regularly (in most cases annually) and that table top exercises are performed by several functional areas to provide awareness to the recovery team members.

Page 19
Prioritized Observations and Recommendations
Business Impact Analysis
OBSERVATIONS
Domain Description: Measure impact from business disruption, RTO, RPO, gap analysis
Leading Practices: BIAs determine critical business processes and the required technical and non-technical needs in the midst of a crisis.
Current State Observations: COMPANY has not performed a BIA across the enterprise. There is evidence that some of the functional areas have performed high level assessments of their critical business processes and dependencies (e.g. applications, facilities, suppliers, etc.). A gap analysis has not been performed to understand where gaps exist between business requirements and current recovery capabilities.
Domain Rating: Low Preparedness (1.05)
Risks and Potential Impacts: The lack of understanding of the critical business processes that need to be recovered, the RTOs and the priority in which they need to be recovered, and their critical dependencies could result in delayed recovery efforts and the prolonged inability to manufacture and ship products, service customers, meet SLAs, and generate revenue.

RECOMMENDED ACTIONS
Roadmap Phase / Initiative: 2 - Perform BIA scoping, design, and execution
Detailed Recommendations:
• Conduct a BIA scoping exercise (e.g. Impact Tolerance Workshop) to understand the focus area priorities (e.g. services, functional areas) within COMPANY’s organization for the BIA.
• Design a consistent global BIA methodology, tools (e.g. Excel, Archer), templates, and enablers.
• Develop standard impact criteria (e.g. Financial, Regulatory, Customer, Brand) for measuring process criticality consistently.
• Conduct a global, joint-effort BIA for all critical functional areas using formal impact criteria to determine business process criticality and RTOs. Leverage previous BIA results where applicable.
• Perform a dependency analysis for each functional area assessed to identify key recovery dependencies (e.g. applications, data, upstream/downstream processes, workforce) required to support recovery capabilities and to continue operations. The dependency analysis should capture the RPO for critical data to understand the business’ tolerance for data loss.
• Perform a gap analysis for each functional area to understand the gaps/exposure between the current recovery capabilities and the recovery objectives defined in the BIA.

Page 20
Prioritized Observations and Recommendations
Business Continuity Plan Development
OBSERVATIONS
Domain Description: BCP includes critical processes, recovery strategies and procedures for critical people and processes, identification of critical partners and suppliers and dependencies
Leading Practices: The Business Continuity (BC) Plan is developed according to the corporate BCM framework and spans all processes within the organization. Detailed plans address continuity and recovery procedures for employees and processes.
Current State Observations: BCPs are not consistently documented across the enterprise. Some functional areas have developed robust BCPs addressing the loss of normal operating capabilities, while other areas lack BCPs altogether and only address the immediate response and escalation within the incident management plans.
Domain Rating: Low Preparedness (1.22)
Risks and Potential Impacts: The lack of up-to-date BCPs with tested and proven recovery effectiveness and capabilities could potentially result in delayed recovery efforts and the prolonged inability to service customers, meet SLAs, and generate revenue.

RECOMMENDED ACTIONS
Roadmap Phase / Initiative: 5 - Perform a BCP refresh while driving standardization across all regions
Detailed Recommendations:
• Develop/refresh BCPs for all critical functional areas and the underlying business processes identified in the BIA.
• BCM PMO to develop standardized templates and/or plan requirements to drive consistency in BCPs across all functional areas.
• Include the following plan elements in all BCPs as part of new plan development or BCP refresh:
  • Business processes and applications covered in the plan scope
  • The recovery objectives (RTOs and RPOs) as defined in the BIA
  • Incident Response Teams with team member assignments and contact information
  • Manual workaround procedures for loss scenarios (e.g. systems, facility, people, suppliers, etc.)

Page 21
Prioritized Observations and Recommendations
Disaster Recovery Plan Development
OBSERVATIONS
Domain Description: IT Disaster Recovery Plan includes critical infrastructure, data, applications, systems
Leading Practices: The Disaster Recovery (DR) Plan is developed according to the organization’s IT framework and is fully integrated with Business Recovery and Crisis Management. It addresses recovery procedures for the infrastructure, applications, systems and data that support the business.
Current State Observations: The IT DR program has strong oversight and governance; however, the DR program scope is not driven by a formal assessment of business requirements with defined RTOs and RPOs. Additionally, several of the functional areas that utilize non-IT managed systems do not have DR plans in place.
Domain Rating: Moderate Preparedness (1.83)
Risks and Potential Impacts: Potential impacts to COMPANY’s ability to provide service to customers, generate revenue, and maintain regulatory compliance and contractual obligations (e.g. federal contracts). The revenue impacts would vary by system/application and can be more precisely determined through the BIAs recommended as part of this assessment.

RECOMMENDED ACTIONS
Roadmap Phase / Initiative: 4 - Develop/Update DR plans for data centers supporting critical service lines
Detailed Recommendations:
• Conduct a BIA to identify critical application and data dependencies and their RTOs and RPOs, respectively, and determine where gaps exist between current DR capabilities and business requirements.
• Identify DR recovery strategy options (e.g. in-house, co-location, cloud, etc.) and select the most cost effective solution(s) that meet the business’ requirements.
• Leverage Archer to monitor the status of the applications in scope for IT DR (e.g. plan, build, run) and report DR program status to Sr. Management on a periodic basis (e.g. monthly, quarterly).
• Define requirements for non-IT managed, business owned applications to have DR plans and capabilities in place if they are deemed critical as per the BIA.
• Develop and roll out a standardized DR plan template for non-IT managed systems.

Page 22
Prioritized Observations and Recommendations
Recovery Strategy Development
OBSERVATIONS
Domain Description: Continuity strategies for IT, failover, high availability, manual workarounds, alternate workspace
Leading Practices: Cost effective IT continuity strategies that align with business requirements. It has factored technical, physical, people and financial resources in recovery efforts.
Current State Observations: The COMPANY functional areas do not consistently identify or document recovery strategy options for loss scenarios (e.g. loss of facility, loss of systems, etc.) in the recovery documentation observed.
Domain Rating: Low Preparedness (1.10)
Risks and Potential Impacts: A lack of viable recovery strategies (people, process, technology) developed based on defined business requirements will result in recovery plans that are not actionable. Substantial delays in recovery are likely, resulting in revenue and customer impacts.

RECOMMENDED ACTIONS
Roadmap Phase: 3
Initiative: Perform a BIA to understand business requirements. Identify and evaluate potential technical recovery strategy options that align with IT’s strategy and that meet the business needs.
Detailed Recommendations:
• Develop and document the recovery strategy options for the critical processes and dependencies identified in the BIA. Recovery strategy development should include the following:
  • What is to be recovered (e.g. systems/applications)
  • How will it be recovered (e.g. tape/replication)
  • Where will it be recovered (e.g. in-house, co-location, cloud)
  • When will it be planned
  • How much will it cost
• At a minimum, develop recovery strategies for site recovery, workforce recovery, technology recovery, and critical suppliers.
• Some countries may have restrictions around data leaving the country, thus these geographic regulations/laws need to be considered in the strategy development and recovery planning process.

Page 23
Prioritized Observations and Recommendations
Exercise/Maintenance
OBSERVATIONS
Domain Description: Business exercises, IT critical systems are regularly tested, and plans updated with lessons learned from exercises and testing. Regular training and awareness programs instituted.
Leading Practices: Business Continuity team tests coincide with IT tests in which business personnel test operations on the recovered equipment. All plans are updated on a regular basis.
Current State Observations: The documents observed indicate that they are reviewed and updated regularly (in most cases annually) and that table top exercises are performed by several functional areas to provide awareness to the recovery team members.
Domain Rating: Low Preparedness (1.32)
Risks and Potential Impacts: The lack of up-to-date recovery plans with tested and proven recovery effectiveness and capabilities could potentially result in delayed recovery efforts and the prolonged inability to service customers and generate revenue.

RECOMMENDED ACTIONS
Roadmap Phase: 6
Initiative: Implement a process for measuring program maturity and capabilities
Detailed Recommendations:
• Conduct plan (CMP, BCP, DRP) exercises periodically for each functional area to test the effectiveness and accuracy of the plans in accordance with the BCM policy and framework to ensure that they meet business requirements and expectations.
• Design and implement a process to record critical information and lessons learned after each incident and/or exercise. Post-mortem reports should be reviewed and signed off by functional area senior management.
• Perform annual refresh/maintenance activities of the BCM program lifecycle to ensure recovery plans are current and effective.
• Develop/update the metrics and reporting process to measure the health of the BCM program. Conduct audits and/or third-party reviews to provide an assessment on the current state of the BCM Program.

Page 24
Prioritized Observations and Recommendations
Governance
OBSERVATIONS
Domain Description: Policies and procedures that define the BCM Program framework
Leading Practices: Company has received commitment from all levels of the organization and individual lines of business.
Current State Observations: Although a BCM governance structure exists at the enterprise level (i.e. EGRC, BCC), there is little to no governance at the functional area level. The functional areas lack consistency in terms of having formal governance structures, BCM policies, key performance indicators / program metrics, and management review/approval.
Domain Rating: Low Preparedness (1.33)
Risks and Potential Impacts: The lack of consistent executive support and oversight across COMPANY’s functional areas could lead to ad hoc and inconsistent BCM efforts and stop gap solutions with no long term sustainability and ineffective recovery capabilities.

RECOMMENDED ACTIONS
Roadmap Phase: 1
Initiative: Establish a global BCM Governance Team framework and structure
Detailed Recommendations:
• Form functional BCM PMOs for each organizational area (e.g. GPO, GBS, GS, etc.) comprised of individuals with BCM experience and competencies responsible for coordinating and executing BCM activities and reporting BCM program status to the Business Continuity Council and Enterprise GRC department.
• Define BCM governance organizational reporting structure, roles and responsibilities and communicate the BCM operating model to senior management and key stakeholders.
• Define standardized KPIs, program metrics, and success criteria against which each functional area’s BCM program will be measured; establish a cadence for reporting BCM program status for all functional areas.
• Design and implement a BCM training/awareness program; develop a training roll-out schedule for key BCM stakeholders.

Page 25
Prioritized Observations and Recommendations
Risk Assessment
OBSERVATIONS
Domain Description: Identify risks, threats, vulnerabilities, and develop risk mitigation strategies
Leading Practices: Financial decisions to mitigate risks are based upon the potential business impacts to operations at an examined facility.
Current State Observations: There was little evidence that a consistent risk assessment methodology is applied across the enterprise. Many of the functional areas have not performed a risk assessment to identify their risks and to determine whether to mitigate or accept the risks. FM Global conducts periodic site risk assessments for insurance purposes.
Domain Rating: Low Preparedness (0.92)
Risks and Potential Impacts: Risks and vulnerabilities that have not been identified and that are left unaddressed and unmitigated could potentially disrupt and/or delay COMPANY’s ability to manufacture and ship products, service customers, and generate revenue.

RECOMMENDED ACTIONS
Roadmap Phase: 7
Initiative: Perform a risk assessment for each critical location, supplier/business partners
Detailed Recommendations:
• Conduct/refresh risk assessments to include major/critical COMPANY offices, manufacturing sites, and data center locations as well as key suppliers and outsourced partners.
• Present risk assessment results to functional area Sr. Management and/or the Business Continuity Committee (BCC) to determine whether to (a.) accept the risk; or (b.) ask the BCM/DRM team to evaluate appropriate risk treatments (recovery strategy solutions and cost options) as a next step.

Page 26
Prioritized Observations and Recommendations
Crisis Management
OBSERVATIONS
Domain Description: Global Crisis Response Plan, Emergency Response, Emergency Communication Plan
Leading Practices: The Crisis Management (CM) Plan is approved, distributed and has been used repeatedly by the company (testing or actual events).
Current State Observations: At a corporate level, COMPANY has a robust Crisis Management program in place. Several of the functional areas have robust crisis/incident/emergency response plans in place (e.g. COE, FAC/SEC/EHS), while other functional areas have in place, at a minimum, incident/emergency response teams and contact information.
Domain Rating: Moderate Preparedness (1.95)
Risks and Potential Impacts: The lack of an integrated Crisis Management process across COMPANY’s functional areas could result in miscommunication, or lack of timely communication internally and/or to the public/media, which could result in delayed recovery efforts and potential negative impacts to COMPANY’s brand.

RECOMMENDED ACTIONS
Roadmap Phase: 8
Initiative: Implement a process for measuring program maturity and capabilities
Detailed Recommendations:
• Conduct a refresh of the Corporate Crisis Management plan and functional area Incident Management/Response Plans to ensure that recovery processes, procedures, teams, and contact information are current.
• Ensure that all Crisis and Incident Management plans include methods for recording information about the crisis/incident (e.g. templates, forms).
• Conduct a joint Crisis Management exercise with the corporate Crisis Management Teams and the functional area Incident Management teams. Execute the communications and escalation plans, and utilize the SendWordNow mass notification system to test the effectiveness.

Page 27
V. Future State Roadmap

Page 28
BCM Future State Roadmap
Proposed Transformation Roadmap
[Figure: three radar charts, Current State, Short-term and Long-term, plotting each BCM domain (Governance, Business Impact Analysis (BIA), Risk Assessment (RA), Strategy Development, Crisis Management, Business Continuity, Disaster Recovery, Exercise/Maint.) on the No / Low / Moderate / High Preparedness scale. Chart values are not recoverable from the extracted text.]


Page 29
BCM Future State Implementation Roadmap
Timeline: Q1 FY15 through Q2 FY16 (Gantt bars not recoverable from the extracted text)
Phase 1: Form and operate Functional BCM PMOs
Phase 1: Develop BCM program metrics; continuously measure program health and maturity
Phase 2: Perform BIA scoping
Phase 2: Perform/Refresh BIAs for critical areas
Phase 3: Identify recovery strategies to close gaps
Phase 4: Develop/Refresh DRPs for critical apps
Phase 5: Develop/Refresh BCPs for critical processes
Phase 6: Implement standardized test evaluation process
Phase 6: Exercise recovery plans across the enterprise
Phase 7: Perform Risk Assessments
Phase 8: Develop/Refresh CMPs, IMPs, and ERPs

Page 30
BCM Future State Roadmap
Implementation Cost and Effort
Phase / Initiative / Cost (effort icons are not recoverable from the extracted text):
1. Formalize the BCM Governance structure with functional area PMOs reporting into the BCC and Corporate BCM PMO: $$
2. Perform/Refresh BIA scoping, design, and execution across all functional areas and conduct a gap analysis: $$
3. Develop recovery strategies to remediate gaps identified in the BIA and gap analysis: $$$
4. Develop/Update DR plans for systems (enterprise and business owned) supporting critical processes identified in the BIA: $$
5. Perform a BCP refresh while driving standard plan criteria/elements and minimum requirements across all functional areas: $$
6. Develop minimum requirements for testing and recording outcomes. Exercise plans and measure program maturity and capabilities: $$
7. Perform a risk assessment for each critical location, suppliers, and business partners: $$
8. Refresh Corporate CMP and Functional Area IMPs. Conduct integrated IMP and CMP exercise: $

Resources key: 1 FTE / Contractor; 2 FTE / Contractor; 3+ FTE / Contractor
Cost Estimate key: $ = <$100,000; $$ = $100,000 - $500,000; $$$ = >$500,000

[Figure: Benefits (Low to High) against Implementation Effort (High to Low), plotting phases 1 to 8; positions are not recoverable from the extracted text.]

Page 31
BCM Future State Roadmap
Implementation Project Plan and Estimated Effort / Investment
Timeline: Q1 FY15 through Q2 FY16, by month (Gantt bars not recoverable from the extracted text)

# | Activities / Tasks | Estimated Resources | Estimated Hours | Rough Order Cost Estimate
1 | Establish a global BCM Governance Team framework and structure | 2 BCM FTE | 960 | FEES DELETED
2 | Perform the design, scoping, and execution phases of the BIA | 3 BCM FTE | 4540 |
3 | Develop recovery strategy options aimed at remediating the gaps identified in the BIA/gap analysis | 2 IT DR FTEs, 2 BCM FTE | 2000 |
4 | Develop/Update DRPs for critical applications identified in the BIA | 2 IT DR FTEs | 4000 |
5 | Perform a BCP refresh while driving standardization across all regions | 2 BCM FTE | 1960 |
6 | Test and evaluate recovery capabilities and program maturity; refresh of BCM activities | 2 BCM FTE | 1600 |
7 | Perform a risk assessment for critical locations, and suppliers/business partners | 1 Vendor | 1000 |
8 | Refresh the Corporate Crisis Management Plan and Functional Area Incident Management Plans to ensure that plan content is current | 1 BCM FTE | 240 |
- | Total Effort and Cost | 4 BCM FTE, 2 IT DR FTE, 1 Vendor | 16,300 |

► Assumptions:
► Investment covers labor only and does not include IT hardware
► Project plan does not include investment and activities after FY2016

► Detailed Project Plan: EMBEDDED FILE DELETED

Page 32
BCM Future State Roadmap
Recommended Activities by Functional Area
Columns (COMPANY Functional Areas): ORG A, ORG B, ORG C, ORG D, ORG E, ORG F

Phase 1. Governance
  Establish a documented BCM governance org structure: - X X - - -
  Develop the functional area BCM policy: X X X - - X
  Establish KPIs, success criteria, and the management reporting process: X X X X X X
Phase 2. BIA
  Define standard impact criteria: X X X X X X
  Identify business processes to assess: X X X - - -
  Assess impacts, establish RTOs and tiers: X X X - X -
  Identify dependencies: X X X X X -
  Conduct a gap analysis of recovery capabilities against BIA results: X X X X X X
Phase 3. Recovery Strategies
  Develop recovery strategies - Workforce: X X X - X X
  Develop recovery strategies - Facilities: X X X - X X
  Develop recovery strategies - Technology: X X X - X X
  Develop recovery strategies - Supplies: X X X - X X
Phase 4. DR
  Define recovery teams roles/responsibilities: NA NA - NA X X
  Develop technology recovery procedures: NA NA X NA X X
  Develop failback process: NA NA - NA X X
  Define process for information recording: NA NA - NA X X
Phase 5. BCP
  Define recovery teams roles/responsibilities: - X X - - -
  Define the recovery procedures: - X X - - -
  Define the stand down process: - X X - X -
  Define process for information recording: - X X X X X
Phase 6. Testing / Maintenance
  Define the testing schedule: - X X - X X
  Align tests with recovery plans and RTOs/RPOs: - X X - X X
  Define the test reporting and post-test evaluation process: X - - X - X
  Update recovery plans based on test results: X X X X X X
Phase 7. Risk Assessment
  Perform a risk assessment for critical sites: - X X X X X
  Define process for accepting and/or mitigating risks: X X X X - X
  Develop/update recovery strategies based on risk assessment results: X X X - X X
Phase 8. CMP
  Develop emergency, incident, and crisis management process/plans: - - - - X X
  Define recovery teams roles/responsibilities: - - - - X X
  Define severity levels and plan invocation criteria: - - X X X X
  Define escalation and communication process: - - X X X X

Key: X = Develop/Create; - = Document/Refresh/Update; NA = Activity Not Applicable

Page 33
VI. Metrics and Scorecards

Page 34
BCM Program Metrics
Example Program Health Scorecard

Page 35
BCM Program Metrics
Example Testing Scorecard

Exercise Stage Key:
C = Completed (e.g. The RTO and RPO of all the components in the plan are met.)
R = Re-Test Required
S = Scheduled

Page 36
BCM Program Metrics
Example BCM Program Update
[Example figure: a table of plans by tier with the columns Tier, Plan Name and Owner**, BIA Completion Status, Plan Update Status* and Test Status*. Tier 1 holds Example Plans 1 and 2, Tier 2 Example Plans 3 to 5, Tier 3 Example Plans 6 to 10, each with Owner: First Last Name. Accompanying charts: Plans by Tier, Plan Count by Year (FY13, FY14, FY15), BIA Completion by Tier (Complete / Incomplete), Plan Updates by Tier* (Updated / Not Updated) and Plans Tested by Year (Tested / Not Tested). Chart values are not recoverable from the extracted text.]

FY15 Corporate Business Continuity Initiatives
Business Impact Analysis (BIA)
• Assess business impacts and process criticality, and assign recovery time objectives (RTO) and criticality ratings
Plan Updates (BCPs, CMPs, DRPs)
• Update recovery plans for all functional areas to ensure information is up to date and accurate
Plan Testing
• Test the BCPs and process recovery plans to provide training and to identify gaps and areas for improvement

Page 37
Next Steps

► COMPANY Functional Area Leads to perform detailed review of BCM Assessment Report by Friday, February 6th
► Dermot to coordinate follow up calls between COMPANY Functional Teams and EY to discuss feedback the week of February 9th
► EY to issue final BCM assessment report by end of day Friday, February 13th

Page 38
VII. Appendix

Page 39
Business Continuity Management Overview

[Figure: Business Continuity Management wheel showing Business Continuity, Crisis Management and IT Resiliency & Disaster Recovery around People, Processes and Technology.]

Business Continuity Management is an ongoing management and governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, manage risk, develop resiliency, maintain viable recovery strategies and plans and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance and assurance.

Page 40
BCM Definitions

Business Continuity
• Focuses on keeping the business operating
• A process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption

Disaster Recovery
• Focuses on getting the technical infrastructure up and running in the event of an interruption/outage
• The technical (e.g., application, network, platform, storage, external dependency) component of business continuity planning to recover a data center, service or application

Crisis Management
• Focuses on managing unexpected events
• Crisis Management is the orchestration of activities before, during and after a disruption addressing communications, decisions and activities. The Crisis Management Plan outlines the process by which organizations respond to and manage unexpected and emergency-type events that could pose serious threats to the life safety of the organization’s people, and the disruption of critical processes.

Page 41
BCM Maturity Model
Assessment Domains
BCM Elements / Leading Practice
Exercise/Maintenance: Business Continuity team tests coincide with IT tests in which business personnel test operations on the recovered equipment. All plans are updated on a regular basis.
Disaster Recovery: The Disaster Recovery (DR) Plan is developed according to the organization’s IT framework and is fully integrated with Business Recovery and Crisis Management. It addresses recovery procedures for infrastructure, applications, systems and data that supports the business.
Business Continuity: Business Continuity (BC) Plan is developed according to the corporate BCM framework and spans all processes within the organization. Detailed plans address continuity and recovery procedures for employees and processes.
Crisis Management: The Crisis Management (CM) Plan is approved, distributed and has been used repeatedly by the company (testing or actual events).
Strategy Development: Cost effective continuity strategies that align with business requirements. It has factored technical, physical, people and financial resources in recovery efforts.
Risk Assessment (RA): Financial decisions to mitigate risk are based upon the potential business impacts to operations at an examined facility.
Business Impact Analysis (BIA): BIAs determine critical business processes and required technical and non-technical needs in the midst of a crisis.
Governance: Company has received commitment from all levels of the organization and individual lines of business.

Page 42
BCM Maturity Model
Elements of Leading Practices
Element / Attributes of Leading Practice

Governance
• Senior Management committed to BCM and IT BCM program and actively participates
• Senior Management issues policy directives
• Senior Management approves critical processes and level of risk the enterprise is willing to accept
• Senior Management authorizes funding for the BCM program
• Published policies and procedures for overall governance of the BCM program that outline roles, responsibilities, and common methodology to be used in the program

BIA
• Business impact analysis conducted to determine impact of disruption and covers all business processes within entire enterprise
• Business processes have defined recovery time frames (RTOs and RPOs) for all critical processes, supporting systems and data
• Define Minimum Operating Requirements necessary for continuity
• BIAs determine critical business processes and required technical and non-technical requirements

Risk Assessment
• Organization regularly measures risk and makes decisions and bases budgets on that risk
• Business Continuity program is based on an enterprise risk focus
• Risk mitigation measures implemented whenever practical and integrated with BIA findings

Strategy Development
• Recovery strategies developed for business processes, IT and telecommunications systems
• Emergency service levels for customer support units approved and communicated
• Manual processes developed, where possible, documented and tested regularly
• Automatic failover technology for most critical and time-sensitive systems
• Technical strategies factor in all technical dependencies of an application

Crisis Management
• Crisis Management plans and processes have been developed to prepare for, manage and recover from emergencies impacting any global, regional or local area, including but not limited to: natural and man-made disasters, data center outage, cyber attack, brand/reputational incident, etc.
• The plan is integrated with emergency response procedures defined at each location
• The plan contains the minimum components for notification, recovery and returning to normal operations eventually
• The Crisis Management team activates the business continuity and disaster recovery strategies and plans

Business Continuity
• BCP development spans the entire company with a focus on mission and business critical processes
• BCPs are reviewed and updated annually or as changes to the business occur
• BCPs contain minimum components for notification, recovery and returning to the status before the disaster event and returning home

Disaster Recovery
• IT Disaster Recovery Plan development spans the entire company and includes planning for IT resiliency
• The plans contain minimum components addressing notification, recovery and returning to normal operations before the disaster event

Exercise & Maintenance
• IT testing performed at least annually and the process integrates business units, IT and telecommunications areas
• Business unit plans tested twice per year and exercise results are discussed to determine strengths and weaknesses
• Plans updated with test results, training and awareness process instituted, and planning tools are used to aid in storage and maintenance
• Training programs developed so employees understand their roles and responsibilities

Page 43
BCM Maturity Assessment
Detailed Work Plans by Functional Area
The embedded BCM Assessment work plans include the detailed observations and maturity ratings for each of the in-scope COMPANY functional areas.

Functional Area / BCM Assessment Work Plan (EMBEDDED FILES DELETED):
Center of Excellence (COE)
FAC/SEC/EHS
Global Business Services (GBS)
Global Product Operations (GPO)
Global Services (GS)
Information Technology (IT) / Global Security Organization (GSO)

Page 44
BCM Program Benchmark
All COMPANY Functional Areas
[Figure: bar chart of preparedness ratings per BCM Domain (Governance, Business Impact Analysis, Risk Assessment, Strategy Development, Crisis Management, Business Continuity Planning, Disaster Recovery Planning, Exercise, Maintenance) on the scale No Preparedness (0), Low Preparedness (1), Moderate Preparedness (2), High Preparedness (3), shown for COE, FAC/SEC/EHS, GBS, GPO, GS, IT/GSO and the COMPANY Benchmark. Bar values are not recoverable from the extracted text.]

Page 45
Maturity Assessment Mapping:
Domain 1: Governance
1.1 Governance Structure
0. No Preparedness: Non directed; unstructured, potentially counterproductive
1. Low Preparedness: Regional management commitment & coordination; Ad hoc escalation of participating regions if necessary
2. Moderate Preparedness: Regional BCM governance model established; Awareness and adoption of roles and responsibilities; Regional mandates for escalation processes
3. High Preparedness: Global executive sponsorship and global governance established; Escalation procedures implemented and spans across enterprise; Explicit vertical and horizontal integration

1.2 Policy
0. No Preparedness: No consistent processes used within the organization
1. Low Preparedness: One or several regions/areas implemented self-selected components of BCM – no enterprise policy exists
2. Moderate Preparedness: Enterprise policy exists; consistent framework developed for use by all regions/countries; Increasing understanding of BCM, common terminology in use
3. High Preparedness: Regions/areas share common policies, plans and templates; BCM standards developed to ensure consistency; consistent practices enforced through goal setting and quality review

1.3 Program Management Competency
0. No Preparedness: Lack of practical BCM/DR experience
1. Low Preparedness: Leadership is experienced; however those who have to execute are not. Lack of training and development available.
2. Moderate Preparedness: Centralized PMO team with high level of experience, but less experience in the regions for execution
3. High Preparedness: High level of Business Continuity and Disaster Recovery experience at both centralized (PMO) and decentralized (regional) levels; Training available to assist regional teams.

Page 46
Maturity Assessment Mapping:
Domain 1: Governance (Cont.)
1.4 KPIs (Key Performance Indicators) and Critical Success Factors
0. No Preparedness: Unmeasured
1. Low Preparedness: Limited departmental level measurement
2. Moderate Preparedness: Development of enterprise metrics
3. High Preparedness: Performance consistently measured against goals; Multi-year planning associated with future state improvement strategies

1.5 Document storage
0. No Preparedness: No identified centralization of documentation storage
1. Low Preparedness: No consistency of where documentation is stored. No publishing of storage locations (i.e. local hard drives, etc.)
2. Moderate Preparedness: Regional/Area standardization of where critical recovery documentation is stored
3. High Preparedness: All global documentation is centralized, made redundant, and is available regardless of whether critical systems or networking are operational

1.6 Training and Awareness
0. No Preparedness: Employees generally unaware of BC/DR
1. Low Preparedness: Employees involved in BC/DR program have some fundamental awareness. Employees outside of these few enlightened groups remain ‘in the dark’
2. Moderate Preparedness: Employees are aware of BC/DR policies, standards and practices that have been published and implemented.
3. High Preparedness: Enterprise communications vehicle(s) initiated including a training program. Employees across enterprise achieve baseline competency in BC/DR concepts and principles. Selected groups across enterprise participate in drills and exercises at least once.

Page 47
Maturity Assessment Mapping:
Domain 2: Business Impact Analysis
2.1 Key Business Processes
0. No Preparedness: No definition or prioritization of critical processes
1. Low Preparedness: Ad hoc definition of processes, not defined through a BIA; No management approval or processes.
2. Moderate Preparedness: Business Impact Analysis in process or completed for some areas/regions to define critical business processes and RTOs
3. High Preparedness: BIAs performed for the global enterprise, Critical processes approved by global steering committee; Refreshed on an annual basis or whenever major business changes

2.2 Impact Criteria
0. No Preparedness: No standard impact criteria defined
1. Low Preparedness: Industry known business impact criteria defined
2. Moderate Preparedness: Business specific impact criteria defined
3. High Preparedness: Enterprise impact criteria defined and applied to determine the criticality and tiering of all critical processes

2.3 Recovery capabilities
0. No Preparedness: No RTOs/RPOs established
1. Low Preparedness: RTOs for applications, if they exist, are not mapped to the RTO of a business process (i.e. IT’s best guess)
2. Moderate Preparedness: BIAs have been conducted across some regions/areas and define specific RTOs/RPOs for processes, applications and data
3. High Preparedness: BIAs conducted globally, RTOs/RPOs determined and approved by management, Recovery capabilities measured against needs established in BIA to define strategy requirements

2.4 Tiering of Business Processes/Applications
0. No Preparedness: BIA not performed; applications not mapped to processes
1. Low Preparedness: BIAs performed for some regions/areas, rationales for process and application criticality may be different across the regions; IT believes it is aware of critical business processes and substitutes IT’s judgments as to criticality in place of the business
2. Moderate Preparedness: BIA performed, however critical process information may be out of date; Application tiers identified based upon RTOs/RPOs defined by business; Applications mapped to critical processes
3. High Preparedness: BIA performed at least every other year, critical process information kept up to date; widely published list of recovery commitments are consistent with SLAs; Results presented to Sr. Management; BIA process is embedded in organizational change management and SDLC processes

Page 48
Maturity Assessment Mapping:
Domain 2: Business Impact Analysis (Cont.)
2.5 Process Dependency Mapping
0. No Preparedness: Application and process dependencies not mapped to critical applications/processes
1. Low Preparedness: Some applications have mapped dependencies, not consistent across all critical applications
2. Moderate Preparedness: Application and process dependencies mapped consistently across all critical processes
3. High Preparedness: Application and process dependencies mapped to each other for critical applications in addition to being mapped to critical processes. Sr. Management agrees with process/app mapping; Application dependencies are tracked in a Configuration Management Data Base to allow for changes to DR strategies if the technology changes

2.6 Gap Analysis
0. No Preparedness: Recovery gaps identified through production incidents and not documented
1. Low Preparedness: Some recovery gap analysis performed based on IT’s understanding of critical applications and results of tests
2. Moderate Preparedness: Company assigns criticality of each gap identified through the gap analysis
3. High Preparedness: Gap analysis refreshed annually and reported upon to senior management. Senior management identifies if risk is accepted or if a project/funding must be initiated to close gap. Company has defined and documented infrastructure components in all technical recovery areas and they have been assessed for RTC (Recovery Time Capability) and RPC (Recovery Point Capability) for various levels of resilience
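The gap analysis the report asks for (the Disaster Recovery recommendation to compare BIA RTOs/RPOs against current DR capabilities, and row 2.6 above, which measures capability as RTC/RPC), as an added Python example that is not EY’s or COMPANY’s code. It follows application dependency chains (row 2.5) and sets application tiers from the business-defined RTOs (row 2.4); the tier thresholds, application names and hour values are constructed.

```python
"""BIA-driven recovery gap analysis (added example; not EY's or COMPANY's code).
Compares each critical process's RTO/RPO from the BIA against the effective
Recovery Time Capability (RTC) / Recovery Point Capability (RPC) of the
applications it depends on, following application dependency chains, and tiers
applications from business-defined RTOs. Thresholds and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Application:
    name: str
    rtc_hours: float                      # demonstrated Recovery Time Capability
    rpc_hours: float                      # demonstrated Recovery Point Capability
    depends_on: List[str] = field(default_factory=list)

@dataclass
class Process:
    name: str
    rto_hours: float                      # business-defined Recovery Time Objective
    rpo_hours: float                      # business-defined Recovery Point Objective
    applications: List[str]               # applications the process uses directly

# Constructed tiering rule: RTO within 4h -> Tier 1, 24h -> Tier 2, 72h -> Tier 3.
TIER_THRESHOLDS: List[Tuple[float, int]] = [(4, 1), (24, 2), (72, 3)]

def tier_for_rto(rto_hours: float) -> int:
    for limit, tier in TIER_THRESHOLDS:
        if rto_hours <= limit:
            return tier
    return 4                              # best effort / non-critical

def effective_capability(app_name: str, apps: Dict[str, Application],
                         _path: Tuple[str, ...] = ()) -> Tuple[float, float]:
    """Effective (RTC, RPC) of an application including its dependency chain.
    Assumption: the app is usable only once its slowest dependency is back (own
    RTC added to the longest chain); its data is only as current as the stalest
    restore point in the chain (RPC is the maximum along it)."""
    if app_name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (app_name,)))
    app = apps[app_name]
    dep_rtc = dep_rpc = 0.0
    for dep in app.depends_on:
        rtc, rpc = effective_capability(dep, apps, _path + (app_name,))
        dep_rtc, dep_rpc = max(dep_rtc, rtc), max(dep_rpc, rpc)
    return app.rtc_hours + dep_rtc, max(app.rpc_hours, dep_rpc)

def gap_analysis(processes: List[Process], apps: Dict[str, Application]) -> List[dict]:
    """Per process: tier, worst effective RTC/RPC, and applications breaching RTO/RPO."""
    findings = []
    for proc in processes:
        rtc_gaps, rpc_gaps, worst_rtc, worst_rpc = [], [], 0.0, 0.0
        for app_name in proc.applications:
            rtc, rpc = effective_capability(app_name, apps)
            worst_rtc, worst_rpc = max(worst_rtc, rtc), max(worst_rpc, rpc)
            if rtc > proc.rto_hours:
                rtc_gaps.append((app_name, rtc))
            if rpc > proc.rpo_hours:
                rpc_gaps.append((app_name, rpc))
        findings.append({
            "process": proc.name, "tier": tier_for_rto(proc.rto_hours),
            "rto": proc.rto_hours, "rpo": proc.rpo_hours, "worst_rtc": worst_rtc,
            "worst_rpc": worst_rpc, "rtc_gaps": rtc_gaps, "rpc_gaps": rpc_gaps,
            "has_gap": bool(rtc_gaps or rpc_gaps),
        })
    return findings

def application_tiers(processes: List[Process], apps: Dict[str, Application]) -> Dict[str, int]:
    """Tier each app from the tightest RTO of any process relying on it, directly
    or through another app: the business sets criticality, not IT's judgement."""
    tightest: Dict[str, float] = {}
    for proc in processes:
        seen, stack = set(), list(proc.applications)
        while stack:                      # walk the dependency graph once per process
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            tightest[name] = min(tightest.get(name, float("inf")), proc.rto_hours)
            stack.extend(apps[name].depends_on)
    return {name: tier_for_rto(rto) for name, rto in tightest.items()}

# Constructed sample BIA results and demonstrated DR capabilities (hours).
SAMPLE_APPS = {a.name: a for a in [
    Application("db", rtc_hours=4, rpc_hours=0.25),
    Application("erp", rtc_hours=8, rpc_hours=1, depends_on=["db"]),
    Application("orderportal", rtc_hours=2, rpc_hours=0.5, depends_on=["erp"]),
    Application("hr", rtc_hours=48, rpc_hours=24),
]}
SAMPLE_PROCESSES = [
    Process("Order-to-Cash", rto_hours=4, rpo_hours=1, applications=["orderportal"]),
    Process("Production Scheduling", rto_hours=24, rpo_hours=4, applications=["erp"]),
    Process("Payroll", rto_hours=72, rpo_hours=24, applications=["hr"]),
]

if __name__ == "__main__":
    for f in gap_analysis(SAMPLE_PROCESSES, SAMPLE_APPS):
        print(f"{f['process']:<22} Tier {f['tier']}  RTO {f['rto']}h vs RTC {f['worst_rtc']}h  "
              f"RPO {f['rpo']}h vs RPC {f['worst_rpc']}h  {'GAP' if f['has_gap'] else 'ok'}")
    print("application tiers:", application_tiers(SAMPLE_PROCESSES, SAMPLE_APPS))
```

In the sample the order portal alone recovers in 2 hours, but through the ERP and database chain its effective RTC is 14 hours against a 4-hour RTO, which is the kind of gap that only shows once dependencies are mapped.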

Page 49
Maturity Assessment Mapping:
Domain 3: Risk Assessment
3.1 Risk Analysis
0. No Preparedness: Risk assessments are not performed
1. Low Preparedness: Some internal site risk assessments performed; Risk assessments have not been performed for critical third parties
2. Moderate Preparedness: Risk assessments performed for some, but not all critical sites; Some third party risk assessments performed
3. High Preparedness: Global risk assessments performed for all sites in which critical business processes are performed; Threats and risks identified, including those provided by suppliers and outsourced partners; Mitigation solutions and costs presented to Sr. Management for risk/cost evaluation

3.2 Recovery Gap Analysis
0. No Preparedness: No understanding of current controls or potential risk
1. Low Preparedness: Controls may be in place, but are not mapped to an identified risk or gap
2. Moderate Preparedness: Gaps in controls have been determined; However, mitigation options are either in process or not fully implemented on a global basis
3. High Preparedness: For all critical sites, risk criticality levels are determined, gaps in current controls estimated, costs to mitigate the gaps estimated and residual risk remaining is documented.

3.3 Site Risk Assessments
0. No Preparedness: Site criticality has not yet been established; no site risk assessments performed
1. Low Preparedness: Some critical sites have been determined, but site risk assessments have been performed
2. Moderate Preparedness: Some site risk assessments have been performed; Sites critical to the business have not yet been determined through a BIA, or some critical sites have not yet performed a site risk assessment
3. High Preparedness: Global risk assessments performed for all sites in which critical business processes are performed; Threats and risks identified, and costs presented to Sr. Management for risk/cost evaluation; Site risk assessments refreshed at least annually


3.4 Risk Acceptance
  0. No Preparedness: Risks and costs of mitigation have not yet been determined.
  1. Low Preparedness: Some risks identified; cost to mitigate used as the only factor in deciding whether a control should be implemented.
  2. Moderate Preparedness: Risks identified, cost vs. risk considered at a regional level; little to no escalation to corporate firm level to determine whether the risk could impact the EY brand.
  3. High Preparedness: Global business executive stakeholders have reviewed and formally signed off the risk assessment results by either (a) accepting the costs of the mitigation solutions presented or (b) accepting the risk.

3.5 Risk Mitigation Planning
  0. No Preparedness: Risks have not been formally determined.
  1. Low Preparedness: Risks are not used as an input to the development of a recovery strategy.
  2. Moderate Preparedness: Determined business risks used as input to drive the development of a recovery strategy for one of people, process or technology, but not all three elements.
  3. High Preparedness: Risks are used as input in the determination of an appropriate recovery strategy for people, process and technology, including solutions, roadmap and cost options for each business function and its underlying applications.
 

Maturity Assessment Mapping:
Domain 4: Recovery Strategy

4.1 Strategic Options
  0. No Preparedness: No BC/DR recovery strategies in place.
  1. Low Preparedness: Some BC/DR strategies in place, but capabilities may not map to business expectations.
  2. Moderate Preparedness: The company has developed strategic options for its critical business processes, people and applications and the resources that each activity will require on its resumption. The business is aware of the RTCs and RPCs.
  3. High Preparedness: Multiple strategy options are presented to the business and senior management for consideration, to assist in making informed risk vs. cost decisions; proven recovery tools in place for all applications; infrastructure components, applications and services for all tiers are accommodated.

4.2 Workforce Strategy
  0. No Preparedness: Employee skillsets and backups not defined.
  1. Low Preparedness: Some employee skillsets and backup team mates defined.
  2. Moderate Preparedness: Cross-training programs established for defined critical skillsets; regional definition of backup team personnel based on skillset.
  3. High Preparedness: Cross-training and exercising of backup personnel on a regular basis to prove the workforce recovery strategy.

4.3 Site Recovery Matrix
  0. No Preparedness: No alternate sites defined.
  1. Low Preparedness: Assumption that all employees would work "anywhere", with no review of the feasibility of the strategy (i.e. availability of remote connections, safety of laptops, etc.).
  2. Moderate Preparedness: Internal sites considered and identified; however, no evaluation of the site's feasibility or of the recovery teams' ability to deploy in a timely manner, bring family and pets, how travel costs would be handled, etc.
  3. High Preparedness: The organization has developed appropriate strategies for reducing the impact of the unavailability of its normal worksite(s). This may include one or more of the following:
    (a) alternative facilities (locations) within the organization, including displacement of other activities;
    (b) alternative facilities provided by other organizations;
    (c) alternative facilities provided by third-party specialists;
    (d) working from home or at remote sites;
    (e) other agreed suitable premises; and
    (f) use of an alternative workforce in an established site.


4.4 Technology Recovery Strategy
  0. No Preparedness: No technology/IT recovery strategies defined.
  1. Low Preparedness: No alternate data center defined. Recovery would be initiated at the primary site using data backups. RTCs will not meet the RTOs defined by the business.
  2. Moderate Preparedness: Alternate data center strategy defined; alternate hardware may be defined but not fully allocated to DR (i.e. test boxes, or re-provisioning of existing hardware).
  3. High Preparedness: Alternate data center defined; RTOs and RPOs considered when building the strategy; strategy meets defined business criteria and was presented to management for cost/risk consideration.

4.5 Critical Supplies Strategy
  0. No Preparedness: No understanding of critical third parties and suppliers.
  1. Low Preparedness: Key critical third parties and suppliers identified; single-sourced suppliers exist with no risk mitigation solution in place.
  2. Moderate Preparedness: Contractual terms requiring DR/BC solutions of third parties put in place at the contracting stage; alternatives identified for single-sourced suppliers.
  3. High Preparedness: Contractual terms and the DR/BC plans and strategies of third parties reviewed regularly as part of a Vendor Risk Management Program.

Maturity Assessment Mapping:
Domain 5: Crisis Management Planning

5.1 Crisis Management Plan
  0. No Preparedness: No Crisis Management Plan in place.
  1. Low Preparedness: Local crisis management only; no escalation or triggers to a global firm-wide team responsible for the EY brand.
  2. Moderate Preparedness: Centralized crisis management program with no local crisis management support for localized incidents.
  3. High Preparedness: The organization has a clearly defined, documented and approved Crisis Management Plan, incorporating both local response and the triggers and escalation requirements to a firm-wide crisis management team.

5.2 Plan Viability
  0. No Preparedness: No Crisis Management Plan in place.
  1. Low Preparedness: Plan has not been reviewed or updated within 5 years.
  2. Moderate Preparedness: Plan has not been reviewed and updated within the past 12 months.
  3. High Preparedness: Regular established review and update of the crisis management plan.

5.3 Structure and Guidelines
  0. No Preparedness: No Crisis Management Plan in place.
  1. Low Preparedness: Crisis management plans developed are inconsistent and fragmented, and include different taxonomies, incident levels, etc.
  2. Moderate Preparedness: Crisis management plans have not been developed pursuant to a policy, guideline or standard approved by senior management.
  3. High Preparedness: The Crisis Management Plan has been developed following a management-approved policy and guidelines for consistent structure, activation and escalation triggers, to clearly establish levels of authority between local and firm-wide crisis management teams.

5.4 Crisis Management Team
  0. No Preparedness: No Crisis Management Team established.
  1. Low Preparedness: Local crisis response teams established, but no global/firm-wide team established.
  2. Moderate Preparedness: Centralized crisis management team that is expected to serve all global events.
  3. High Preparedness: Plans include defined teams and roles and responsibilities for local and firm-wide teams within areas such as HR, PR, Legal, Facilities, Security, IT, BUs, etc.


5.5 Plan Contents
  0. No Preparedness: No crisis management plan in place.
  1. Low Preparedness: No crisis management plan in place; however, a media policy is in place that restricts who can speak with media and third parties about an incident.
  2. Moderate Preparedness: Crisis management plans focus primarily on emergency management, evacuation, employee safety, etc.; however, plans do not address other issues that could adversely impact the firm and its brand.
  3. High Preparedness: Plans address:
    - advice, process and procedures concerning confidential staff counseling;
    - a process to ensure all staff and other stakeholders are kept informed;
    - media and public relations policy, strategy and plans;
    - identification of stakeholders and interest groups;
    - identification of external liaison points/roles with external agencies;
    - identification of the media spokespersons who have been trained to interface with the media;
    - clear lines of authority and escalation for local vs. firm-wide crisis management teams.
 

Maturity Assessment Mapping:
Domain 6: Business Continuity

6.1 Immediate Response / Incident Management
  0. No Preparedness: No Business Continuity Plans in place.
  1. Low Preparedness: Call trees and/or 1-800 numbers for notifying employees of an incident.
  2. Moderate Preparedness: Life safety plans in place, fire drill practices, outbound messaging system to advise employees of an event.
  3. High Preparedness: The plans contain details for managing the immediate consequences of a business disruption, giving due regard to:
    (a) the welfare of individuals;
    (b) strategic and operational options for responding to the disruption; and
    (c) prevention of further loss or unavailability of critical business processes/applications.
    Change control links exist between the Change Control process and the Incident Management program/plans; inbound and outbound automated employee notification is regularly tested; plans include an enterprise emergency operations center (EOC) and defined EOC activation and deactivation procedures.


6.2 Business Continuity Plan
  0. No Preparedness: No BCPs in place.
  1. Low Preparedness: BCPs developed; however, three or more of the following leading practice elements are missing:
    (a) identified lines of communication;
    (b) critical processes and RTOs;
    (c) recovery tasks and reference information;
    (d) defined roles and responsibilities for people and teams having authority during and following an incident;
    (e) guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;
    (f) a method by which each plan is invoked;
    (g) meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response;
    (h) a process for standing down once the incident is over;
    (i) a reference to the essential contact details for all key stakeholders;
    (j) a reference to relevant contracts, SLAs and letters of agreement with third parties; and
    (k) procedures for loss of critical personnel, loss of facility, loss of vendor and loss of system.
  2. Moderate Preparedness: BCPs are missing one or two of the leading practice components, or not all regions have yet developed a BCP.
  3. High Preparedness: BCPs have been implemented globally and contain all of the leading practice components.


6.3 Resource Plan
  0. No Preparedness: No critical resources identified.
  1. Low Preparedness: Reliance on specific individuals to execute a recovery task; little cross-training of recovery skills.
  2. Moderate Preparedness: Skill sets determined, but not mapped to recovery team members with those skills.
  3. High Preparedness: The BCP includes primary and backup roles and responsibilities and the skillsets needed to recover following a disaster event. The plan also documents who would drive the activation of the BCP.

6.4 Process Dependencies
  0. No Preparedness: No process dependencies identified.
  1. Low Preparedness: BCPs are inconsistent as to the manner in which process dependencies are determined and documented.
  2. Moderate Preparedness: Process dependencies identified in the BCPs; however, it is not clear how each dependency will be met in the BC strategy (e.g. 400 laptops are needed, but the plan does not address how that will be done).
  3. High Preparedness: The BCP contains details of the internal and external operational resources (applications, vendors, vital records, process RTOs) required for business continuity and the points in time during the recovery at which they are needed. Process dependencies were determined during the BIA; all BCPs are "synchronized" to the extent there are dependencies upon each other.

6.5 Analysis and Evaluation
  0. No Preparedness: No BCP developed.
  1. Low Preparedness: BCPs do not consistently detail how to document incident actions taken and lessons learned.
  2. Moderate Preparedness: A process for recording information about the incident, actions taken and lessons learned has been documented, but is not used during an actual event or exercise.
  3. High Preparedness: The plans contain a method for recording key information about the incident, actions taken, decisions made and lessons learned.

Maturity Assessment Mapping:
Domain 7: Disaster Recovery

7.1 Incident Response Team
  0. No Preparedness: No Incident Response Team in place.
  1. Low Preparedness: Ad hoc and unorganized response to application outages or local events at some data centers.
  2. Moderate Preparedness: Incident response teams are developed for break/fix responsibilities, but do not necessarily transfer to DR or widespread data center impacts.
  3. High Preparedness: Each data center maintains a DRP that includes defined data center, software support and data support incident response teams.

7.2 Immediate Response / Incident Response
  0. No Preparedness: No Incident Response processes in place.
  1. Low Preparedness: Ad hoc and unorganized response to outages and DR events at some data centers.
  2. Moderate Preparedness: Immediate response procedures are developed for break/fix responsibilities, but do not necessarily transfer to DR or widespread data center impacts.
  3. High Preparedness: The DRPs contain details for managing the immediate consequences of a technology disruption, giving due regard to:
    (a) the welfare of individuals;
    (b) strategic and operational options for responding to the disruption; and
    (c) prevention of further loss or unavailability of critical applications.

7.3 Resource Plan
  0. No Preparedness: No DR plans in place.
  1. Low Preparedness: Reliance on specific individuals to execute a recovery task; little cross-training of disaster recovery skills.
  2. Moderate Preparedness: Skill sets determined, but not mapped to disaster recovery team members with those skills.
  3. High Preparedness: The DRP includes primary and backup roles and responsibilities and the skillsets needed to recover following a disaster event. The plan also documents who would drive the activation of the DRP.

7.4 Technology Plans
  0. No Preparedness: No standards in place to define minimum DRP components.
  1. Low Preparedness: Some DRPs developed; however, major gaps exist with critical application recovery.
  2. Moderate Preparedness: Consistent standards and DRP templates are used, so that each plan:
    (a) has a defined purpose and scope;
    (b) is accessible to and understood by those who will use it;
    (c) is owned by a named person(s) who is responsible for its review, update and approval; and
    (d) is aligned with relevant contingency arrangements within the organization.
  3. High Preparedness: Consistent DRP templates used, with self-review of plan quality against DRP standards; Quality Review program established in which third parties assess the quality of plans relative to DRP standards.


7.5 Additional Plans
  0. No Preparedness: No additional plans developed.
  1. Low Preparedness: Salvage and damage assessment are included in some DRPs.
  2. Moderate Preparedness: Salvage and damage assessment procedures are included in the DRPs for all critical data centers.
  3. High Preparedness: The DRP includes, or references, other plans for recovery of key elements of the firm, such as:
    1. Damage Assessment Plan
    2. Salvage Plan
    3. Vital Records Plan
    4. Public Relations Plan

7.6 Failback Process
  0. No Preparedness: No procedures for failback documented.
  1. Low Preparedness: Some DRPs have failback and verification procedures; some do not.
  2. Moderate Preparedness: Failback procedures are high level and do not consider the accuracy and currency of the data.
  3. High Preparedness: Every DRP details how to fail back to the primary data center and includes procedures for verifying that the failback has occurred accurately.

7.7 Information Recording Process
  0. No Preparedness: No DRP developed.
  1. Low Preparedness: DRPs do not consistently detail how to document incident actions taken and lessons learned.
  2. Moderate Preparedness: A process for recording information about the incident, actions taken and lessons learned is documented in each DRP.
  3. High Preparedness: The DRPs contain a method for recording key information about the incident, actions taken, decisions made, lessons learned and the process improvement activities that result.

Maturity Assessment Mapping:
Domain 8: Exercising and Testing

8.1 Test Schedule
  0. No Preparedness: No test schedule developed.
  1. Low Preparedness: Table-top testing of BC and DR procedures occurs annually.
  2. Moderate Preparedness: Company tests the BCPs/DRPs functionally in accordance with the policy and framework to ensure that they meet business requirements.
  3. High Preparedness: Company has integrated the BC/DR program with other business and technical initiatives to ensure tests are carried out at planned intervals and when significant changes occur; business users take part in IT tests to verify recovery; provisions exist for complex and end-to-end testing.

8.2 Setting the Testing Scope and Objectives
  0. No Preparedness: Testing/exercising not performed.
  1. Low Preparedness: Testing/exercising performed, but no pre-planning documentation developed.
  2. Moderate Preparedness: Testing/exercising performed, but no predefined scope and objectives were developed as part of the pre-planning documentation.
  3. High Preparedness: Test/exercise planning documentation identifies a clear scope and objectives for what the test is expected to accomplish.

8.3 Test Alignment with BCP/DRP
  0. No Preparedness: Little or no participation.
  1. Low Preparedness: Passive participation at DR/BC meetings.
  2. Moderate Preparedness: Active DR/BC communication and information source.
  3. High Preparedness: DR/BC are working in groups or project teams; active leadership in DR/BC with authority and consistent communications on metrics and the status of projects (current or future).

8.4 Test Reporting
  0. No Preparedness: No reporting of test results.
  1. Low Preparedness: Ad hoc reporting of testing results.
  2. Moderate Preparedness: Company produces a written report and log of the test, its outcome and feedback, including required follow-up actions and a post-test review.
  3. High Preparedness: Post-test review and output reporting presented to senior management steering committees to determine whether changes should be made to the DR strategies; testing results presented to the board of directors annually to provide additional assurance over the program; formalized post-test review of each test that assesses the achievement of the aims and objectives of the test; defined action plans to mitigate gaps determined during the test.

Maturity Assessment Mapping:
Domain 9: Maintenance

9.1 Review and Maintenance of BC/DR Records
  0. No Preparedness: BC/DR documentation updates not performed.
  1. Low Preparedness: Isolated projects used by a handful of DR practitioners trigger plan maintenance (i.e. staff changes).
  2. Moderate Preparedness: Updated annually for compliance reasons or in preparation for a test.
  3. High Preparedness: Updated when there are significant changes to recovery or underlying technology, or whenever recovery processes and procedures change; continuous validation/refresh, especially when there are changes to the applications or supporting technology (i.e. through the SDLC).

9.2 Invocation Incident Recording
  0. No Preparedness: No post-incident reviews are undertaken.
  1. Low Preparedness: Ad hoc post-incident review processes with some teams.
  2. Moderate Preparedness: Informal post-event review process with all teams; results not presented to management.
  3. High Preparedness: A formal post-incident review is undertaken to:
    (a) identify the nature and cause of the incident;
    (b) assess the adequacy of the response;
    (c) assess the organization's effectiveness in meeting its recovery time objectives;
    (d) assess the adequacy of the BC/DR arrangements in preparing employees for the incident; and
    (e) identify and document improvements to be made to the BC/DR arrangements.

9.3 Management Review
  0. No Preparedness: No program metrics developed; no management review.
  1. Low Preparedness: Planning and record keeping are generally informal and are not generally reported to management.
  2. Moderate Preparedness: Rudimentary metrics for some regions accumulated and reported to the regional partnership; audit findings on BCM/DRP used to drive needed change.
  3. High Preparedness: Program metrics are established against annual goals; metrics are regularly reported to the senior management team as status updates; metrics are intended to help establish that the established RTOs and RPOs are attainable.

Maturity Assessment Standards Mapping

► The following slides illustrate how the leading practices in our maturity model map to industry standards:
► ISO 22301
► ISO 27001
► ITIL ITSCM

Maturity Assessment Standards Mapping
Governance

Governance Structure
  Leading practice: The organization has defined the BCM/DRM mission and objectives in regard to: (a) requirements for business continuity; (b) the organization's business continuity objectives and obligations; (c) acceptable level of risk; (d) statutory, regulatory and contractual duties; (e) interests of its key stakeholders; and (f) program budget and investments.
  ISO 22301: 4. Context of the organization; 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the business continuity management system.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage I (Initiation): 1. Policy definition; 2. Define DR organization structure and control; 3. Agree on quality plan.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

Policy
  Leading practice: There is a BCM/DRM policy. The BCM/DRM policy includes or makes reference to: (a) the scope of BCM/DRM, including limitations and exclusions; and (b) the procedures, templates and tools that facilitate the execution of the BCM/DRM program. The BCM/DRM policy: (a) is approved by top management; (b) is communicated to all persons working for or on behalf of the organization; and (c) includes defined intervals for review and/or a required review when significant changes occur, to ensure the policy's continuing suitability, adequacy and effectiveness.
  ISO 22301: 5.3 Policy.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage I (Initiation): 1. Specify scope and terms of reference; 2. Resource allocation.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

Operating Model
  Leading practice: The organization's top management: (a) defined and communicated the BCM/DRM operating model, roles, responsibilities, competencies and authorities; (b) appointed or nominated a person with appropriate seniority and authority to be accountable for the BCM/DRM program policy and for overseeing the implementation; and (c) appointed one or more persons who, irrespective of other responsibilities, are responsible for implementing and maintaining the BCM/DRM program.
  ISO 22301: 5. Leadership; 5.1 Leadership and commitment; 5.2 Management commitment; 5.3 Policy.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage I (Initiation): 1. Policy definition; 2. Define DR organization structure and control; 3. Agree on quality plan; 4. Specify scope and terms of reference; 5. Resource allocation.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

Identifying Competencies
  Leading practice: The organization has ensured that all personnel who are assigned business continuity responsibilities are competent to perform the required tasks by: (a) determining the necessary competencies for such personnel; (b) conducting a training needs analysis on personnel being assigned BCM/DRM roles and responsibilities; (c) providing training; (d) ensuring that the necessary competence has been achieved; and (e) maintaining records of education, training, skills, experience and qualifications. The key stakeholders of each business unit have formally accepted accountability for compliance with the BCM/DRM policy.
  ISO 22301: 5. Leadership; 5.1 Leadership and commitment; 5.2 Management commitment; 5.3 Policy; 5.4 Organizational roles, responsibilities and authorities; 7. Support; 7.1 Resources; 7.2 Competence.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage III (Implementation): 1. Organization planning.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

KPIs (Key Performance Indicators) and Critical Success Factors
  Leading practice: Program status reporting is established to measure the BCM/DRM program against identified Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) at the business (e.g. processes, functions, units) and technical (e.g. business applications, infrastructure foundation services) levels, to: (a) indicate the level of compliance with policy and progress towards the goals of the BCM/DRM program; and (b) roll up to the organizational level desired (e.g. practitioner scorecard and executive scorecard). The senior management team is updated on the status of the BCP program regularly.
  ISO 22301: 7. Support; 7.5 Documented information.
  ITIL ITSCM: Key performance indicators; scorecards/evaluation based on: 1. Documenting service recovery targets as SLAs; 2. Regular audits and reviews; 3. Comprehensive testing (at least annually); 4. Organization awareness; 5. Overall risk reduction through mitigation plans for IT services; 6. IT staff preparedness; 7. Regular communication of ITSCM objectives with business areas.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

Document Storage
  Leading practice: There is a central repository for BCP documentation.
  ISO 22301: 7.5 Documented information.
  ITIL ITSCM: N/A.
  ISO 27001: A.14.1.1 Including information security in the business continuity management process.

Maturity Assessment Standards Mapping
BIA

Key Business Processes
  Leading practice: The organization has defined and documented appropriate methods for determining the impact of any disruption of the business processes/applications that support the organization's key products and services. The organization has identified the business processes/applications that support its key products and services.
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Impact Criteria
  Leading practice: The organization has identified, at a minimum, the financial and operational (quantitative and qualitative) impacts resulting from the disruption of these business processes/applications, and determined how these vary over time.
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Recovery Capabilities
  Leading practice: The organization has established the maximum tolerable period of disruption for each business process/application by identifying: (a) Recovery Time Objectives (RTOs): the maximum amount of time that the business can withstand the loss of a critical process, function or resource before a serious adverse business impact would result; and (b) Recovery Point Objectives (RPOs): the maximum amount of data loss, measured in time, that the business can sustain during an event.
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Tiering of Business Processes
  Leading practice: The organization has categorized its business processes/applications according to their priority for recovery and identified its critical activities.
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.


Process Dependency Mapping
  Leading practice: The organization has identified all dependencies (SIPOC: Suppliers, Inputs, Process, Outputs, Customers) relevant to the critical business processes/applications, including but not limited to: (a) upstream and downstream business processes/applications and data dependencies; (b) applications and underlying infrastructure technology dependencies; (c) suppliers and outsourced partners on whom critical processes/applications depend, and the BCM/DRM arrangements in place for the relevant products and services they provide; and (d) the resources that each critical business process/application will require for resumption: 1. key personnel; 2. workspace; 3. personal tools/equipment; and 4. personal records (paper and electronic).
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Gap Analysis
  Leading practice: The organization has identified and documented the risk criticality levels and the residual risk to be assumed, which identifies the difference (gaps) between the business objectives (as defined in the BIA) and the current recovery capabilities.
  ISO 22301: 8. Operation; 8.1 Operational planning and control; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis.
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Maturity Assessment Standards Mapping
Risk Assessment

Risk Analysis
  Leading practice: The organization has identified and documented the threats to and vulnerabilities of its critical business processes/applications and supporting resources, including those provided by suppliers and outsourced partners.
  ISO 22301: 8. Operation; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R).
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Recovery Gap Analysis
  Leading practice: The organization understands the impact that would arise if an identified threat became an incident and caused a business disruption. The organization has identified and documented the risk criticality levels and the residual risk to be assumed, which identifies the difference (gaps) between the business objectives (as defined in the BIA) and the current recovery capabilities.
  ISO 22301: 8. Operation; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R).
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Site Risk Assessments
  Leading practice: The organization has conducted site risk assessments, including technology (e.g. data centers, data rooms) and workplace facilities, to specifically address operational and environmental threats.
  ISO 22301: 8. Operation; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R).
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Risk Acceptance
  Leading practice: The organization's business executive stakeholders have reviewed and formally signed off the risk assessment results by either: (a) accepting the risk; or (b) asking the BCM/DRM team to evaluate appropriate risk treatments (recovery strategy solution and cost options) as a next step.
  ISO 22301: 5. Leadership; 5.1 Leadership and commitment; 5.2 Management commitment; 8. Operation; 8.2 Business impact analysis and risk assessment.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R).
  ISO 27001: A.14.1.2 Business continuity and risk assessment.


Risk Mitigation Planning
  Leading practice: The resulting gaps are used as input in the determination of an appropriate recovery strategy, including solutions, roadmap and cost options for each business function and its underlying applications.
  ISO 22301: 8. Operation; 8.2 Business impact analysis and risk assessment; 8.3 Business continuity strategy.
  ITIL ITSCM: ITIL Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures; 4. IT service recovery options (manual work-around, gradual recovery, intermediate recovery, fast recovery, immediate recovery).
  ISO 27001: A.14.1.2 Business continuity and risk assessment.

Page 70
Maturity Assessment Standards Mapping
Strategy Development

Process: Strategic Options
Leading practice: The organization has developed strategic options for its critical business processes/applications and the resources that each activity will require on its resumption. The strategy or strategies depend on a range of factors such as: (a) the maximum tolerable period of disruption of the critical business processes/applications; (b) the costs of implementing a strategy or strategies; and (c) the consequences of inaction. The BCM/DRM steering group and top management have reviewed and approved the recovery strategy.
ISO 22301: 5. Leadership; 5.1 Leadership and commitment; 5.2 Management commitment; 8. Operation; 8.2 Business impact analysis and risk assessment; 8.3 Business continuity strategy
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis; 2. Requirements - Risk Analysis > Management of Risk (M_o_R); 3. IT service continuity strategy; 4. Risk response measures; 5. IT service recovery options (Manual work-around, Gradual recovery, Intermediate recovery, Fast recovery, Immediate recovery)
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.3 Developing and implementing continuity plans including information security

Process: Workforce Strategy
Leading practice: The organization has developed appropriate workforce strategies for maintaining key internal (employees) and external (contractors) workforce requirements to support business recovery following a disaster.
ISO 22301: 8. Operation; 8.3 Business continuity strategy
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.3 Developing and implementing continuity plans including information security

Page 71
Maturity Assessment Standards Mapping
Strategy Development (cont.)

Process: Site Recovery Matrix
Leading practice: The organization has developed appropriate facility strategies for reducing the impact of the unavailability of its normal worksite(s). This may include one or more of the following: (a) alternative facilities (locations) within the organization, including displacement of other activities; (b) alternative facilities provided by other organizations (whether or not these are reciprocal arrangements); (c) alternative facilities provided by third-party specialists; (d) working from home or at remote sites; (e) other agreed suitable premises; and (f) use of an alternative workforce in an established site.
ISO 22301: 8. Operation; 8.3 Business continuity strategy
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis; 2. Requirements - Risk Analysis > Management of Risk (M_o_R); 3. IT service continuity strategy; 4. Risk response measures; 5. IT service recovery options (Manual work-around, Gradual recovery, Intermediate recovery, Fast recovery, Immediate recovery)
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.3 Developing and implementing continuity plans including information security

Page 72
Maturity Assessment Standards Mapping
Strategy Development (cont.)

Process: Technology Recovery Strategy
Leading practice: The organization has developed appropriate technology strategies that depend on the nature of the technology employed (the organization's current infrastructure technology strategy) and its relationship to critical business processes/applications. Technology strategies may include: (a) geographical spread of technology, i.e. maintaining the same technology at different locations that will not be affected by the same business disruption; (b) holding older equipment, utilizing lesser performance equipment (e.g. recover a physical server on a virtual server) or repurposing equipment (e.g. testing equipment) as emergency replacement or spares; and (c) additional risk mitigation for unique or long lead time equipment (i.e. vendor drop-ship).
The technology strategies the organization developed include, but are not limited to, the following: (a) recovery time objectives (RTOs) for systems and applications which support the key activities identified in the BIA; (b) recovery point objectives (RPOs) for application data which support the key activities identified in the BIA; (c) correlation between the application / systems RTOs and RTOs (Degraded Operations Objective [DOO]); (d) location and distance between technology sites; (e) number of technology sites; (f) remote access; (g) the use of un-staffed (dark) sites as opposed to staffed sites; (h) telecoms connectivity and redundant routing; (i) the nature of "failover" (whether manual intervention is required to activate alternative IT provision or whether this needs to occur automatically); and (j) third-party services, connectivity and external links.
ISO 22301: 8. Operation; 8.3 Business continuity strategy
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis; 2. Requirements - Risk Analysis > Management of Risk (M_o_R); 3. IT service continuity strategy; 4. Risk response measures; 5. IT service recovery options (Manual work-around, Gradual recovery, Intermediate recovery, Fast recovery, Immediate recovery)
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.3 Developing and implementing continuity plans including information security
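
The Recovery Gap Analysis practice above (gaps between the BIA's objectives and current recovery capability) and the RTO/RPO correlation the Technology Recovery Strategy practice calls for can be carried out mechanically once the BIA and the exercise results are recorded as data. The Python below is an added example, not part of the EY assessment or its model; the process names, applications, criticality ranks and hour figures are constructed for illustration.

```python
"""Recovery gap analysis: compare BIA RTO/RPO objectives with current capability.

Added example (not from the assessment). All sample figures are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BusinessProcess:
    """A critical business process as ranked and timed in the BIA."""
    name: str
    criticality: int               # 1 = most critical
    mtpd_hours: float              # maximum tolerable period of disruption
    rto_hours: float               # recovery time objective
    rpo_hours: float               # recovery point objective (tolerable data loss)
    applications: Tuple[str, ...]  # applications the process depends on


@dataclass(frozen=True)
class RecoveryCapability:
    """What the current technology strategy actually delivers for one application."""
    application: str
    achievable_rto_hours: float    # demonstrated in the last exercise
    achievable_rpo_hours: float    # implied by replication/backup frequency
    failover: str                  # "automatic" or "manual"


@dataclass(frozen=True)
class RecoveryGap:
    application: str
    required_rto_hours: float
    required_rpo_hours: float
    rto_gap_hours: float           # hours by which capability misses the RTO (0 = met)
    rpo_gap_hours: float           # hours by which capability misses the RPO (0 = met)
    driving_process: str           # the process whose RTO sets the requirement
    criticality: int


def bia_consistency_issues(processes: List[BusinessProcess]) -> List[str]:
    """Processes whose RTO exceeds their MTPD: an objective that cannot be met by design."""
    return [p.name for p in processes if p.rto_hours > p.mtpd_hours]


def required_objectives(processes: List[BusinessProcess]) -> Dict[str, Tuple[float, float, str, int]]:
    """Per-application objectives: an application inherits the tightest RTO and RPO
    of every process that depends on it (the application/process RTO correlation)."""
    required: Dict[str, Tuple[float, float, str, int]] = {}
    for proc in processes:
        for app in proc.applications:
            rto, rpo, driver, crit = required.get(app, (math.inf, math.inf, "", 0))
            if proc.rto_hours < rto:
                rto, driver, crit = proc.rto_hours, proc.name, proc.criticality
            rpo = min(rpo, proc.rpo_hours)
            required[app] = (rto, rpo, driver, crit)
    return required


def recovery_gap_analysis(processes: List[BusinessProcess],
                          capabilities: List[RecoveryCapability]) -> List[RecoveryGap]:
    """Every application whose capability misses its derived objective,
    most critical first, then largest combined gap first."""
    by_app = {c.application: c for c in capabilities}
    gaps: List[RecoveryGap] = []
    for app, (rto, rpo, driver, crit) in required_objectives(processes).items():
        cap = by_app.get(app)
        if cap is None:
            # An application with no documented capability is itself a finding:
            # report it as an unbounded gap rather than silently skipping it.
            rto_gap = rpo_gap = math.inf
        else:
            rto_gap = max(0.0, cap.achievable_rto_hours - rto)
            rpo_gap = max(0.0, cap.achievable_rpo_hours - rpo)
        if rto_gap > 0 or rpo_gap > 0:
            gaps.append(RecoveryGap(app, rto, rpo, rto_gap, rpo_gap, driver, crit))
    gaps.sort(key=lambda g: (g.criticality, -(g.rto_gap_hours + g.rpo_gap_hours)))
    return gaps


# Constructed sample BIA output and current capability (illustrative only).
SAMPLE_PROCESSES = [
    BusinessProcess("Order capture", 1, 8.0, 4.0, 1.0, ("CRM", "Payments", "Directory")),
    BusinessProcess("Payroll", 2, 72.0, 48.0, 24.0, ("HRIS", "Directory")),
    BusinessProcess("Marketing analytics", 3, 240.0, 120.0, 24.0, ("DataLake",)),
]
SAMPLE_CAPABILITIES = [
    RecoveryCapability("CRM", 12.0, 0.5, "manual"),
    RecoveryCapability("Payments", 2.0, 0.25, "automatic"),
    RecoveryCapability("Directory", 6.0, 24.0, "manual"),   # nightly backup only
    RecoveryCapability("HRIS", 24.0, 24.0, "manual"),
    # "DataLake" deliberately has no documented recovery capability.
]

if __name__ == "__main__":
    for name in bia_consistency_issues(SAMPLE_PROCESSES):
        print(f"BIA inconsistency: {name} has an RTO longer than its MTPD")
    for g in recovery_gap_analysis(SAMPLE_PROCESSES, SAMPLE_CAPABILITIES):
        print(f"[crit {g.criticality}] {g.application}: RTO gap {g.rto_gap_hours}h, "
              f"RPO gap {g.rpo_gap_hours}h (driven by {g.driving_process})")
```

The sorted gap list is the input the Risk Mitigation Planning practice asks for: each entry names the business function driving the requirement, so solution and cost options can be costed per gap.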

Page 73
Maturity Assessment Standards Mapping
Strategy Development (cont.)

Process: Critical Supplies Strategy
Leading practice: The organization has identified an inventory of the core supplies that support its critical activities. These may include: (a) storage of additional supplies at another location; (b) arrangements with third parties for delivery of stock at short notice; (c) diversion of just-in-time deliveries to other locations; (d) holding of materials at warehouses or shipping sites; (e) transfer of sub-assembly operations to an alternative location which has supplies; and (f) identification of alternative/substitute supplies and suppliers.
ISO 22301: 8. Operation; 8.3 Business continuity strategy
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis; 2. Requirements - Risk Analysis > Management of Risk (M_o_R); 3. IT service continuity strategy; 4. Risk response measures; 5. IT service recovery options (Manual work-around, Gradual recovery, Intermediate recovery, Fast recovery, Immediate recovery)
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.3 Developing and implementing continuity plans including information security

Page 74
Maturity Assessment Standards Mapping
Crisis Management

Process: Crisis Management Plan
Leading practice: The organization has a clearly defined, documented and approved Corporate Crisis Management Plan.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans, like vital records plan, emergency response plan, etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Plan Viability
Leading practice: The Crisis Management Plan is considered a "living document" and is reviewed and updated on a regular basis.
ISO 22301: N/A
ITIL: N/A
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Structure and Guidelines
Leading practice: The Crisis Management Plan is developed as defined by the guidelines in the BCM Program.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans, like vital records plan, emergency response plan, etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Page 75
Maturity Assessment Standards Mapping
Crisis Management (cont.)

Process: Crisis Management Team
Leading practice: The Crisis Management Plan clearly defines:
(a) a clearly defined and structured notification, invocation and escalation process;
(b) an alternate site for the emergency command center, or other designated area to meet, make decisions and orchestrate the recovery;
(c) procedures for each of the crisis management team plans addressing roles and responsibilities within areas such as HR, PR, Legal, Facilities, Security, IT, BUs, policyholders, etc., specifically addressing:
- advice, process and procedures concerning confidential staff counseling;
- a process to ensure all staff and other stakeholders are kept informed;
- media and public relations policy, strategy and plans;
- identification of stakeholders and interest groups;
- identification of external liaison points/roles with external agencies;
- identification of the media spokespersons who have been trained to interface with the media.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans, like vital records plan, emergency response plan, etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Plan Contents
Leading practice: A Crisis Management Team exists at each location, where the roles and responsibilities are clearly understood.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans, like vital records plan, emergency response plan, etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Page 76
Maturity Assessment Standards Mapping
Business Continuity

Process: Incident Response Team
Leading practice: The organization nominated incident response personnel with the necessary responsibility, authority and competence to manage an incident.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Immediate Consequences and Action Items
Leading practice: The organization has documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
The plans contained details for managing the immediate consequences of a business disruption giving due regard to: (a) the welfare of individuals performing the recovery; (b) strategic and operational options for responding to the disruption; and (c) prevention of further loss or unavailability of critical business processes/applications.
The plans additionally contained prioritized objectives in terms of the critical business processes/applications to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical business process/application, and the associated technology scripts / tasks that need to be performed during an incident to recover critical business processes/applications.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation)
ISO 27001: A.14.1.4 Business continuity planning framework

Page 77
Maturity Assessment Standards Mapping
Business Continuity (cont.)

Process: Business Continuity Plan
Leading practice: The Business Continuity Plan developed: (a) has a defined purpose and scope; (b) is accessible to and understood by those who will use it; (c) is owned by a named person(s) who is responsible for its review, update and approval; and (d) is aligned with relevant contingency arrangements within the organization.
The plans contain details for managing the immediate consequences of a business disruption giving due regard to: (a) the welfare of individuals; (b) strategic and operational options for responding to the disruption; and (c) prevention of further loss or unavailability of critical business processes/applications.
The plans collectively contain: (a) identified lines of communications; (b) key tasks and reference information; (c) defined roles and responsibilities for people and teams having authority during and following an incident; (d) guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances; (e) a method by which each plan is invoked; (f) meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response; (g) a process for standing down once the incident is over; (h) a reference to the essential contact details for all key stakeholders; and (i) a reference to relevant contracts, SLAs, and letters of agreement with 3rd parties.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. IT service continuity strategy; 2. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Organizational Planning; 2. Development of additional plans
ISO 27001: A.14.1.4 Business continuity planning framework

Page 78
Maturity Assessment Standards Mapping
Business Continuity (cont.)

Process: Resource Plan
Leading practice: The business continuity plan included clear roles and responsibilities and the names of individuals who would be responsible for the recovery during a disaster event. The plan also documented who would drive the execution of the plan.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. IT service continuity strategy; 2. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Organizational Planning; 2. Development of additional plans
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Process Dependencies
Leading practice: The plans contain details of the internal and external operational resources required for business continuity and business recovery at different points in time.
ISO 22301: 8. Operation; 8.3 Business Continuity Strategy
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. IT service continuity strategy
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Analysis and Evaluation
Leading practice: The plans contain a method for recording key information about the incident, actions taken and decisions made, and lessons learned.
ISO 22301: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures; 9. Performance evaluation
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process
ISO 27001: A.14.1.4 Business continuity planning framework

Page 79
Maturity Assessment Standards Mapping
Disaster Recovery

Process: Incident Response Team
Leading practice: The overall organizational accountability and responsibility for the management of the DR program is clearly defined and documented.
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Disaster Incident Mngt. Plan
Leading practice: The organization has documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
The plans contained details for managing the immediate consequences of a business disruption giving due regard to: (a) the welfare of individuals performing the recovery; (b) strategic and operational options for responding to the disruption; and (c) prevention of further loss or unavailability of critical business processes/applications.
The plans additionally contained prioritized objectives in terms of the critical business processes/applications to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical business process/application, and the associated technology scripts / tasks that need to be performed during an incident to recover critical business processes/applications.
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Development of additional plans such as Vital records plan, Damage assessment plan, Emergency response plan etc.
ISO 27001: A.14.1.4 Business continuity planning framework

*NOTE: While ISO22301 is regarded as a Business Continuity Standard, we believe its concepts, in some cases, map equally as well to disaster recovery; thus we have included those sections we believe are relevant as mapped to our DR leading practices.

Page 80
Maturity Assessment Standards Mapping
Disaster Recovery (cont.)

Process: Resource Plan
Leading practice: The incident response plan included clear roles and responsibilities and the names of individuals who would be responsible for technology recovery during a disaster event. The plan also documented who would drive the execution of the plan.
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. IT service continuity strategy; 2. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Organizational Planning; 2. Development of additional plans
ISO 27001: A.14.1.4 Business continuity planning framework

Page 81
Maturity Assessment Standards Mapping
Disaster Recovery (cont.)

Process: Technology Plans
Leading practice: Each technology recovery plan developed: (a) has a defined purpose and scope; (b) is accessible to and understood by those who will use them; (c) is owned by a named person(s) who is responsible for their review, update and approval; and (d) is aligned with relevant contingency arrangements external to the organization.
The plans collectively contained technology scripts and tasks that need to be performed during an incident to recover: (a) the technology facility (e.g. data center, data room); (b) core infrastructure foundation services (e.g. networks, security, active directory, DNS); (c) core infrastructure platform services (e.g. systems/OS, storage).
The plans also included the below: (a) identified lines of communications; (b) key tasks and reference information; (c) defined roles and responsibilities for people and teams having authority during and following an incident; (d) guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances; (e) a method by which each plan is invoked; (f) meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response; (g) a process for standing down once the incident is over; (h) a reference to the essential contact details for all key stakeholders; (i) a reference to relevant contracts, SLAs, and letters of agreement with 3rd parties.
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage I (Initiation): 1. Specify scope and terms of reference; 2. Resource allocation
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Service continuity planning; 2. Invocation decision considerations
ISO 27001: A.14.1.4 Business continuity planning framework

Page 82
Maturity Assessment Standards Mapping
Disaster Recovery (cont.)

Process: Additional Plans
Leading practice: The overall incident response plan also contained the below additional plans along with the technology and operational recovery plans:
1. Damage Assessment Plan
2. Salvage Plan
3. Vital Records Plan
4. Crisis Management Plan (will leverage the GBR CM process)
5. Public Relations Plan
6. Accommodation and Services Plan
7. Security Plan
8. Communication Plan
9. Finance and Administration Plan
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans, like vital records plan, emergency response plan, etc.
ISO 27001: A.14.1.4 Business continuity planning framework

Process: Failback Process
Leading practice: The plans contained details of failback procedures and verification after failback.
ISO 22301*: 8. Operation; 8.4 Establish and implement business continuity procedures
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Business Impact Analysis; 2. Requirements - Risk Analysis > Management of Risk (M_o_R); 3. IT service continuity strategy; 4. Risk response measures; 5. IT service recovery options (Manual work-around, Gradual recovery, Intermediate recovery, Fast recovery, Immediate recovery)
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ISO 27001: A.14.1.4 Business continuity planning framework

Page 83
Maturity Assessment Definitions and Mapping
Disaster Recovery (cont.)

Process: Information Recording Process
Leading practice: The plans contained a method for recording key information about the incident, actions taken and decisions made, and lessons learned.
ISO 22301*: 8. Operation; 8.1 Operational Planning and control; 8.3 Business continuity strategy; 8.4 Establish and implement business continuity procedures; 9. Performance evaluation
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.4 Business continuity planning framework

Page 84
Maturity Assessment Standards Mapping
Exercising

Process: Test Schedule
Leading practice: The organization has performed exercises of its business recovery plans and the DR plans periodically, in accordance with the BCM/DRM policy and framework, to ensure that they meet business requirements.
The organization has integrated the BCM/DRM program with other business and technical initiatives to ensure exercises are carried out at planned intervals and when significant changes occur.
ISO 22301: 8. Operation; 8.5 Exercising and testing
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Process: Setting the Testing Scope and Objectives
Leading practice: The organization has defined the aims and objectives of every exercise.
ISO 22301: 8. Operation; 8.5 Exercising and testing
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 85
Maturity Assessment Standards Mapping
Exercising (cont.)

Process: Alignment with BCP
Leading practice: The organization has carried out a range of different exercises that, taken together, validate the whole of its business continuity and disaster recovery plans.
ISO 22301: 8. Operation; 8.5 Exercising and testing
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Process: Test Reporting
Leading practice: The organization has produced a written report and log of the exercise, its outcome and feedback, including required follow-up actions.
ISO 22301: 8. Operation; 8.5 Exercising and testing
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 86
Maturity Assessment Standards Mapping
Exercising (cont.)

Process: Post-Test Review
Leading practice: The organization has carried out a post-exercise review of each exercise that assesses the achievement of the aims and objectives of the exercise.
ISO 22301: 8. Operation; 8.5 Exercising and testing
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 87
Maturity Assessment Standards Mapping
Maintenance

Process: Review and Maintenance of DR Records
Leading practice: The organization has reviewed its BCM/DRM arrangements (e.g. BIA, strategy, plans), capability and appropriateness at planned intervals and when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
BCM/DRM arrangement records (e.g. BIA, strategy, exercises, plans) are established, maintained and controlled to provide evidence of the effective operation of the BCM/DRM program.
ISO 22301: 7. Support; 7.5 Documented Information; 9. Performance evaluation; 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review; 10. Improvement; 10.1 Nonconformity and corrective action; 10.2 Continual improvement
ITIL: Service Design - ITSCM, Stage II (Requirements and strategy): 1. Requirements - Risk Analysis > Management of Risk (M_o_R); 2. IT service continuity strategy; 3. Risk response measures
ITIL: Service Design - ITSCM, Stage III (Implementation): 1. Service continuity plan development; 2. Development of additional plans
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Education, awareness & Training; 2. Testing of DR plans; 3. Review and feedback process; 4. Integration with change management
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Process: Invocation Incident Recording
Leading practice: In the event of an incident that results in the invocation of the business continuity plan or the incident response plan, a post-incident review is undertaken to: (a) identify the nature and cause of the incident; (b) assess the adequacy of management's response; (c) assess the organization's effectiveness in meeting its recovery time objectives; (d) assess the adequacy of the BCM/DRM arrangements in preparing employees for the incident; and (e) identify and document improvements to be made to the BCM/DRM arrangements.
ISO 22301: 9. Performance evaluation; 9.1 Monitoring, measurement, analysis and evaluation; 9.3 Management review; 10. Improvement; 10.1 Nonconformity and corrective action; 10.2 Continual improvement
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Invocation planning
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 88
Maturity Assessment Standards Mapping
Maintenance (cont.)

Process: Management Review
Leading practice: The BCM/DRM team provides the program status on a periodic basis to the organization's top management to continually improve the effectiveness of the program. The information provided includes, but is not limited to:
(a) results of BCM/DRM audits and reviews, including, where appropriate, those of key suppliers and outsource partners;
(b) feedback from interested parties, including independent observations;
(c) techniques, products or procedures which could be used in the organization to improve the BCM/DRM's performance and effectiveness;
(d) status of preventive and corrective actions;
(e) level of residual risk and acceptable risk;
(f) vulnerabilities or threats not adequately addressed in the previous risk assessment;
(g) follow-up actions from previous management reviews;
(h) any internal or external changes that could affect the BCM/DRM;
(i) recommendations for improvement;
(j) exercise results;
(k) emerging good practice and guidance;
(l) lessons from incidents; and
(m) results of the education and awareness training program.

The output from the organization's top management review included decisions and actions related to:
(a) varying the scope of the ITSR (DR);
(b) improving the effectiveness of the ITSR (DR);
(c) modification of ITSR (DR) strategy and procedures, as necessary, to respond to internal or external events that could impact on the ITSR (DR), including changes to:
1. business requirements;
2. resilience requirements;
3. business processes affecting the existing business requirements;
4. statutory, regulatory and contractual requirements;
5. levels of risk and/or levels of risk acceptance;
6. resource needs; and
7. funding and budget requirements.
ISO 22301: 9. Performance evaluation; 9.1 Monitoring, measurement, analysis and evaluation; 9.3 Management review
ITIL: Service Design - ITSCM, Stage IV (Ongoing operations): 1. Testing of DR plans; 2. Review and feedback process
ISO 27001: A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 89
BCM Governance Model
Example Organizational Model

Attributes of the upper tier: Oversight, Authority, Accountability, Visibility, Consistency, Coordination

Steering Team (Centralized) – Enterprise GRC Council
• COMPANY Vision, Mission, and Strategy

BCC (Centralized) – Business Continuity Council
• Align BCM with business strategy
• Set BCM policy and standards
• BCM planning, guidance, oversight
• Metrics and reporting
• Training and awareness

Corporate Support Functions – Corp Support (Decentralized)
• FAC/SEC/EHS
• Procurement

Attributes of the lower tier: Assessment, Management, Responsibility, Mitigation, Reporting, Maintenance

IT Disaster Recovery Teams – DR Team (Decentralized)
• Align DR with BC requirements
• Develop/update DR plans
• Coordinate DR tests
• Report on DR status

Crisis Management Teams – CM Team (Decentralized)
• BC/DR plan activation
• Crisis communications
• Command and control

Functional Area BCM PMOs – BCM PMOs (Decentralized)
• Execution of the BCM lifecycle globally per the BCM policy and standards for each country
• Report BCM status to the BCC
Page 90
BCM Governance Model
Example Hybrid PMO

Governance
• Executives – Oversight and strategy
• Steering Committee – Authority/accountability
• Enterprise PMO (Centralized) – Visibility, consistency and coordination

Program elements
► Direction established by business unit and information technology executive leadership
► Roles and responsibilities
► Methods, standards, templates, tools, metrics and other enablers – leveraged across BUs and corporate

Align and Integrate

Business continuity (Decentralized PMO)
• Region / Country / Functional Org (one PMO per region, country or functional org)
► BU ownership of plans; defines business process prioritization and requirements for recovery

High degree of dependencies between the business and technology

Disaster recovery planning (Decentralized PMO)
• Enterprise Applications
► IT ownership, application disaster recovery procedures/plans, test framework, maintenance and change management
• Corporate Infrastructure (Network, platform, storage and IT service management)
► Corporate-wide infrastructure DR procedures/plans, test framework, maintenance and change management
Page 91
BCM Governance Model
Example RACI
RASCI Decision Domains

Columns: Executive Steer Co | PMO | Org Leaders | IT Leaders | Corporate Leaders

BCM Program Activities (Framework)

Plan
Program Vision and Mission                         A | R | S | C | I
Program Framework (Life Cycle Methodology)         I | A | C | R | S
Program Reporting                                  I | A | C | R | S
Program Communication                              I | A | R | C | S
Program Resource Planning                          I | A | S | R | C
Lifecycle integration with the BCM program         I | A | S | R | C

Assess and Validate
Business Impact Assessment                         I | CS | A | R | S
Non-Technical Dependency                           I | CS | A | R | S
Technical Dependency                               I | CS | I | A | R
Site Risk Assessment                               I | C | S | A | R
Gap Analysis                                       I | C | A | R | S

Design
Continuity Strategy Development                    I | C | S | A | R
Technical Recovery Architecture                    I | C | S | A | R

Implement
Solution Engineering/Implementation                I | C | S | A | R
BC Plan Development                                I | C | S | A | R
DR Plan Development                                I | C | S | A | R

Exercise
BC Plan Testing                                    I | C | S | A | R
DR Plan Testing                                    I | C | S | A | R

Sustain and Maintain
BC Plan Maintenance                                I | C | S | A | R
DR Plan Maintenance                                I | C | S | A | R
Training and Awareness                             I | A | C | R | S
Scorecard Reporting                                I | A | C | R | S

The RASCI model consists of the following:
• R = Responsible: the person who owns the problem/project
• A = Accountable: the person to whom "R" is accountable and who has the authority to approve and sign off on work before it is effective
• S = Supportive: a person who provides resources or plays a supporting role in implementation
• C = Consulted: a person who provides information and/or expertise necessary to complete the project
• I = Informed: a person who needs to be notified of results but need not necessarily be consulted

Page 92
BCM Current State Assessment
Meeting Participants

Columns: Interview Date | COMPANY Functional Organization | Stakeholders and Titles

January 8, 2015   | Global Product Operations (GPO)
January 9, 2015   | Global Services (GS)
January 12, 2015  | Center of Excellence (COE)
January 12, 2015  | Facilities / EHS
January 14, 2015  | Global Security Organization (GSO)
January 14, 2015  | Center of Excellence (COE)
January 15, 2015  | Information Technology (IT)
January 16, 2015  | Global Business Services (GBS)
January 23, 2015  | IT Incident Management

Stakeholders and Titles: LIST DELETED
Page 93