A business resiliency audit of an NSW Government Agency by the NSW Audit Office found that its ability to respond to emergencies, recover IT systems and continue business operations was lacking, and that the Agency’s plans were inadequate, somewhat outdated and had not been adequately “proven”.
Centium was engaged to review and remediate the Agency’s business resilience capabilities. We were asked to consider and risk assess the key threat scenarios faced by the Agency that could give rise to business disruptions; to document existing (and additionally required) preventive controls and associated procedures; and to develop emergency response procedures, IT (disaster) recovery procedures and business continuity procedures.
We conducted a threat and risk assessment using the Agency’s existing Enterprise Risk Management Framework (including its risk definitions) to determine the likely threats and events that could give rise to business disruption scenarios. For example, we considered scenarios that could result in the loss of access to premises, key personnel, core IT systems, electronic and paper records, key suppliers and, of course, the loss of clients’ access to the Agency’s systems.
We then documented existing controls and associated procedures and, for each threat scenario, developed business continuity plans covering the three phases that follow a business disruption event, namely: initial emergency response procedures; business continuance procedures (for key business services within Maximum Acceptable Outage timeframes); and procedures for resumption to a “business as usual” state. Alongside these, we developed technical IT recovery procedures to assist IT personnel to recover, restore and assure failed IT systems. To round out the resiliency framework, we helped our Client develop a detailed stakeholder communication plan, which included procedures for liaising with the media should this become necessary.
Staff awareness is central to the success of any resiliency planning, so once the plans were developed we created engaging eLearning videos to teach different teams of staff what is required of them in response to different incident scenarios. This included the “play out” of hypotheticals so that staff could understand first-hand what they should do.
We also conducted a semi-live exercise of the plans. This included the setup of a mass communication alerting system (SMS in this case) to alert personnel of an incident, and the deployment of a 1800 emergency number for staff to call for regular updates. It involved the test-relocation of key personnel to an alternate site, the rebuild and/or failover of core IT systems, the testing of a supplier “contact tree” and the implementation of the “lessons learnt” (improvements) arising from the exercise.
It was pleasing to note that the Agency “passed” its next internal and external audit follow-up review with flying colours. More importantly, they ended up with a practical, actionable, “proven” and understood business resilience framework with embedded continual improvement triggers.
Business disruption preventive controls were documented as part of a Quality Management System so that all personnel understood their role in helping to prevent a business disruption threat from materialising.
Emergency response, business continuity and IT (disaster) recovery plans were also documented so that all parties would know exactly what to do in the event of a crisis or incident.
New personnel who join the Agency are now trained, via the eLearning video and role play, in the steps they need to follow in the event of a business disruption scenario.
We have been advised that the Agency’s IT Recovery Procedures have been initiated a couple of times with great success: systems were recovered, restored and assured within Maximum Acceptable Outage timeframes with minimal data loss. Thankfully, the Agency has not yet had to instigate its Emergency Response or Business Continuity Plans; however, these continue to be tested and continually improved.