Information Security Group
Business Continuity Management: SCM-CMMI Managing Business Resilience

A. SCM – CMMI


Service continuity management is one of the practice areas in CMMI. It treats availability and continuity as a continuous process that sustains business resilience for the organization.

A-1 The global business continuity practices followed across the organization are governed by policies, procedures and guidelines, applied through mechanized tools, and meet the objectives for business resilience.

B. Overview of Global Business Continuity


B-1 The exhibit below provides the organization resilience walls which enable us to achieve the purpose and objectives. Managing Business Resilience is the epicenter of these practices.

B-2 The policy, framework and inter-connect documentation for continuity, which enables managing business resilience, is represented in the picture below.


Apex-Continuity & ICT/ Systems DR & Service Continuity

B-3 The LIGHTHOUSE in-house application enables Continuity-VIGIL across the organization. A quick view of important exhibits of the toolkit to meet practice areas is demonstrated below.

B-4 This exhibit is a view of the toolkit providing the capability to document continuity plans, test and utilize the same for response and recovery to meet minimum operating levels as well as service availability.

B-5 The flow chart below provides an overview of the process to achieve the objective of documenting, testing and identifying learning and risks. The enVIGIL applications facilitate this process.

Documenting a full life cycle business continuity plan in Lighthouse is the recommended best practice.

By following the best practice, the plan owner is able to switch between the Full Life Cycle and Lite Continuity Plan.

The option to select in order to document a full life cycle continuity plan is shown below.

B-6 The below exhibit provides the flow and templates essential for the service continuity and integration of ICT/DR and application recovery documentation.

B-7 This exhibit provides multiple work and recovery models to manage business resilience across the organization. As an organization we have adopted the HYBRID work continuity model. It includes contagious illness as a people safety aspect amidst diversified climate change hazards and ICT/DR and cyber threats.

C. SCM-CMMI – Practice Summary


There are multiple practices which provide value to achieve Continuity and enable Managing Business Resilience. These are divided into multiple levels.

C-1 The exhibit below provides a snapshot of the practice areas in CMMI associated with Continuity. Each practice area presents the corporate and business implementation process followed. LIGHTHOUSE is the one-window mechanized solution, integrated with organization systems, that enables this seamless activity.

D. Practice -1: CONT 1.1


In this practice area the focus is on developing contingency approaches for managing significant disruptions to operations.

D-1 The first step to identify the criticality of the in-scope activity is the business impact analysis. The exhibit provided below is a visual aid to represent the same.

E. Practice -2: CONT 2.1


In this practice area the focus is on identifying and prioritizing functions and essential resources.

E-1 The important resources required to enable continuity are documented in the continuity plan. An exhibit that captures these IT and non-IT requirements associated with recovery is below.

F. Practice -2: CONT 2.2


In this practice area the focus is on identifying and prioritizing resources essential for continuity.

F-1 This is achieved by documenting requirements for business recovery needs and IT needs, as well as support and service requirements, both direct and indirect. This enables meeting recovery time objectives and minimum operating levels, as well as data availability where applicable, by meeting recovery point objectives through the data backup / restore procedures.

Support functions and internal support teams follow the internal operational level agreements, whereas external suppliers are bound by the service level agreements signed in service and support contracts.

F-2 Service continuity with external dependencies and suppliers is managed through supplier contracts. The respective teams that engage the supplier monitor and ensure that continuity service levels are met. The supplier risk management framework establishes this process. From a continuity perspective, the business recovery exercise provides a platform for plan owners to test direct and indirect dependencies. The exhibit below provides an overview of the Business Recovery Exercise flow.

G. Practice -2: CONT 2.3


In this practice area the focus is on developing and maintaining a living continuity plan, and activating the continuity plan on approval for recovering essential functions.

G-1 The continuity plan contains all the details provided in the LIGHTHOUSE tool. This comprises 11 screens and a detailed project roll-up plan document. An exhibit to capture the activities for scenarios is provided below. Detailed plans are available for display with the respective plan owners.



Global Business Continuity Unit Service Center Plan
Overlay_Contagious_Illness_Plan
Continuity_Guide_CPS

G-2 Below is the exhibit of the corporate crisis management practice followed, aligned to the crisis management framework for the organization.

G-3 The exhibit below shows the crisis communication linkages that cover internal communication, external communication and bespoke notifications, and ensure that executive leaders are kept informed for associated decisions and actions.


An example of communication
Example_Crisis_Bespoke_Communication.pdf

Exhbit_BSPOKE Notification TO FASTQ.pdf

Crisis_Communications_Exhibit_ All_ Staff


H. Practice -3: CONT 3.1


In this practice area the focus is on developing and keeping updated materials for continuity training. This produces continuity-aware associates and continuity-knowledgeable, competent team members who are able to resume performing essential functions (service delivery projects / functions, support functions, service functions for essential services).

Service delivery projects / functions, support functions and service functions for essential services develop training programs individually for their respective entities. They deliver local awareness and training through meetings, walkthroughs, orientation and internally conducted tests. Customer alignment is adhered to by the respective service delivery projects / functions, support functions and service functions for essential services.

The Global Business Continuity enablement for continuous competency enhancement, education, awareness and knowledge upgrade is achieved through mandates, as well as workshops sponsored and engaged for the respective teams in service delivery projects / functions, support functions and service functions for essential services. Exercises and orientation programs are the medium, integrated with mailers sent through mechanized corporate tools (ENS and POSTMAN, integrated in LIGHTHOUSE, the CONTINUITY VIGIL platform).

H-1 The exhibit below provides insight into the activities planned to enable training, awareness and customized workshops for the relevant roles engaged in business continuity in the journey of managing business resilience.

H-2 The exhibit below is an extract of the training material integrated in the mandated program across the organization for service line managers.

I. Practice -3: CONT 3.2


In this practice area the focus is on providing and evaluating continuity training according to the plan for service delivery projects / functions, support functions and service functions for essential services.

I-1 The Global Business Continuity team has conducted the trainings, awareness sessions and workshops below across the year. This is a summary of the competency and capability supporting activities engaged for continuity to manage business resilience.

Training_Meeting_Invitations

I-2 As the Global Business Continuity Team, we integrate the workshop programs through TISA (Tech Mahindra Information Security Academy), a stream internal to the Information Security Group that caters to security and continuity training for the organization. Individual badges of proficiency are awarded to participants on completing the exercises, workshops and associated continuity deliverables.

I-3 The exhibit below provides insight into integrating Information Library resources for reading, understanding and successfully completing continuity activities, exercises and workshop activities in sessions sponsored by the respective business units, support teams and service groups.

I-4 The exhibit below is an example of learning through Help Aid references and implementing the continuity plan documentation, testing and associated processes in a systematic, navigated manner. This is a best practice adopted by users across the organization. It enables a self-service capability and mitigates a single point of failure for assisted support during a crisis. Preparing people to be independent, with lower dependency, is the objective.

J. Practice -3: CONT 3.3


In this practice area the focus is on preparing, conducting and analyzing results. This is achieved through the verification, validation and oversight process.

The enVIGIL platforms, the teams from Risk & Compliance and Assurance, and oversight from the Global Business Continuity team provide independent assessments, audits and checkpoints.

J-1 The tollgate to permit or upgrade a documented Lite continuity plan is validated in audits, and observations are provided aligned to the contractual requirements assessed. This is conducted as a process in two sets of actions: the first when the compliance manager signs off the plan, and the second in the business continuity audits conducted by the internal audit team.

J-1A The Compliance requirements documented in the continuity plan are validated in the risk and compliance sign off as well as internal audits. An exhibit of the data capture screen is provided below to understand the importance and utility of the process and practice.

J-1B Lighthouse has an independent scorecard for every plan owner. The Security Project Health Report provides insight into the Security Engineering practices in the enVIGIL platform, of which Continuity is one. This is how integration with the SDLC process demonstrates and integrates the health status of the continuity processes followed.

J-2 The below exhibit provides an online view of opportunities to reduce disaster risk through continuous monitoring and visual insights of key management parameters for managing business resilience.

J-3 This is an exhibit of the Checkmate report which enables a system control check point of the right documentation and activity performed by users and plan owners from the system.

J-4 This is an exhibit providing the host of Vigilance activities performed through enVIGIL applications as a systems approach to managing business resilience.

K. Business Recovery Exercise Oversight Observatory



L. Event Observatory



Lighthouse, Testing, Crisis Management First Point of Contact:

Name: Global Business Continuity & Resilience Team (Rajesh Patankar, Shivani, Javed, Shahid, Jayesh, Vinod J, Harsha)
Email Address: GlobalBusinessContinuity@techmahindra.com
Copyright © Tech Mahindra Limited. All Rights Reserved