NNPCL GRC_Business Continuity Proccesses_Competency and Training PDF
Document Details
Uploaded by ReplaceableSalmon
null
Tags
Summary
This document outlines the business continuity processes and procedures at NNPC Limited. It covers competency and training requirements, policy statements, and business impact analysis and risk assessment (BIA/RA). The document details the initiatives needed to ensure the safety of personnel and to protect company property during disruptions, while emphasizing safety and compliance with legal requirements.
Full Transcript
NNPC Limited Investigation Processes and Procedures Contribute to business impact analyses and risk assessments where required. 4 Competency and Training Requirements Management has recognized that business continuity management is a key component of an enterprise risk management program. There...
NNPC Limited Investigation Processes and Procedures Contribute to business impact analyses and risk assessments where required. 4 Competency and Training Requirements Management has recognized that business continuity management is a key component of an enterprise risk management program. Therefore, NNPC will ensure that all staff that support the BC management are competent based on appropriate education, training, skills, and experience. The skills required will be determined and reviewed regularly within NNPC. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place. 5 Policy Statements A Business Continuity policy will be controlled and maintained to ensure that all plans and processes are consistent and in line with the documented purpose to ensure the safety of personnel and the protection of information processing facilities and company’s property: NNPC Business Continuity Policy is intended to reduce or address substantial business disruptions affecting its critical business operations conducted in its headquarters, and across all its subsidiaries, divisions, offices and business channels nationwide. The primary objective of this Policy is to ensure the Company's ability to continue or immediately resume performing its critical business functions, which are the functions that support the Company's mission, NNPC Limited Investigation Processes and Procedures while ensuring life safety and complying with legal requirements, under all circumstances. NNPC will establish, maintain, update, and improve a Business Continuity Plan, and will carry out testing of its Business Continuity Plans, both (i) at least once per year, and (ii) when there are significant changes in the organizational structure, equipment, facilities, processes, or business activities. All applicable business areas of the Company will actively participate in the process of maintenance, updating, testing, and improvement of the Business Continuity Plan. NNPC will ensure that all participants in the Business Continuity Plans, as well as others who may be involved in them, are informed of their responsibilities and the actions they must take, both in normal situations as in the event of a contingency, within the framework of Business Continuity, through regular training, dissemination, and testing of the Plans. NNPC must ensure that an appropriate level of awareness is carried out organisation-wide and that sufficient capacity is built to guarantee that business continuity remains relevant and satisfies the needs of the company. NNPC must ensure they understand the risks the organization is exposed to, the likelihood of their occurrence, and their impact. NNPC must ensure the identification and prioritization of critical business processes including assets required to deliver these critical services are carried out. NNPC must understand the impact and consequences that interruptions are likely to have on the Company’s business. NNPC Limited Investigation Processes and Procedures NNPC will take adequate measures to establish emergency procedures, which describe the actions to be taken following an incident, which jeopardizes business operations and/or human life. This should include arrangements for public relations management and effective communication liaison with appropriate public authorities, e.g., police, fire service, and local government. NNPC will take adequate measures to establish fall-back procedures, which describe the actions to be taken to move essential business activities or support services to alternative temporary locations, and to bring business processes back into operation in the required time scales. NNPC will take adequate measures to establish resumption procedures, which describe the actions to be taken to return to normal business operations. NNPC will establish a maintenance schedule, which specifies how and when the plan will be tested, and the process for updating and maintaining the plan. NNPC will make the Business Continuity Policy available to all key stakeholders. 5.1 Key Stakeholders Senior management and the owners of crucial systems, services, and applications will actively participate in establishing the business continuity management strategy, planning, and governance inside NNPC, as will all NNPC Limited Investigation Processes and Procedures other key stakeholders both inside and outside the organization. These significant parties include, but are not limited to: 5.2 NNPC Board Group Chief Executive Officer Chief Financial Officer Executive Vice Presidents Group General Managers Managing Directors NNPC Employees Suppliers/Contractors/Vendors State Security Agencies – Police, Army, etc. Fire Service Agencies Business Impact Analysis (BIA) and Risk Assessment (RA) Identifying potential interruptions to company processes, such as building collapse, equipment failure, explosion, flood, and fire, is the first step in the business continuity process. A risk assessment will be conducted after that to establish the effects of these interruptions (both in terms of damage scale and recovery period). Business resources and process owners will be fully involved in these tasks. The organisation will identify and rank critical business processes and downtime costs through the BIA process. Primary business operations that touch on various organisational units will be covered within the BIA. The Maximum Tolerable Period of Disruption (MTPD), Business Process NNPC Limited Investigation Processes and Procedures Availability Recovery Time Objectives (RTOs), and Business Process Recovery Point Objectives (RPOs) will all be identified. The BIA's findings will help NNPC decide how to handle risks and will help in the development of viable business cases to support any costs associated with risk management. The BIA and RA processes shall be reviewed and updated on an annual basis. 5.3 The Business Continuity Plan Following an interruption or failure of important business activities, plans will be devised to maintain or restore business operations within the required time frames. The following will be considered during the business continuity planning process: Identification and agreement of all roles and responsibilities and emergency procedures. Clearly defined terms and agreement on the circumstances surrounding the use of the business continuity plan and the ensuing return to regular business operations. Identification of any acceptable loss of information and services. The use of emergency measures to enable recovery and restoration within necessary time frames. Contact lists of all suppliers, external dependencies, and personnel identified with roles and responsibilities, as well as alternate and escalation contacts. NNPC Limited Investigation Processes and Procedures Clear and precise documentation of all agreed procedures and processes. Details of any IT infrastructure used for business continuity purposes, including procedures to activate and deactivate. Appropriate education of staff on the agreed emergency procedures and processes including crisis management. Regular testing and updating of the plans. The planning process will be centred on the required business objectives. The services and resources that will enable this to occur will be considered, including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities. The Business Continuity Management Team will work with the business units and other stakeholders to develop the following plans: Resumption and Recovery Plans for People Assets Resumption and Recovery Plans for Facilities and Office Space Resumption and Recovery Plans of IT Systems and Network Infrastructure Each plan will have a specific owner. Emergency procedures, manual fallback plans, and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved. 5.4 Testing the Business Continuity Plans The Business Continuity Management Team shall ensure that the Business Continuity Plans (BCPs) are reviewed annually, although the frequency may be changed to account for changes in the business strategy, business NNPC Limited Investigation Processes and Procedures processes, personnel, location, or technology, as well as changes in the external business environment. The review shall be done to ensure that: Plans are up to date and address all NNPC’s critical business processes. All members of the Recovery Team and other relevant staff are aware of the plans and required actions. NNPC is adequately prepared to execute a credible recovery in the event of a real incident. A test schedule shall be drawn annually indicating the type of tests that shall be carried out during that year. A full test (complete rehearsal) of the BCP shall be carried out periodically. The test schedule for Business Continuity Plan(s) shall also indicate: How and when each element of the plan will be tested? How the test plan will be activated? External organizations to be involved in the test, if appropriate. Escalation procedures in case there is an error during testing or when necessary. Who within the organization should be informed that the plan has been activated and satisfactorily tested (for example, NNPC Board, Group Chief Executive Officer, and Executive Vice Presidents? A comprehensive schedule of the test plan and the process of maintaining the plan shall be provided by the Governance, Risk and Compliance (GRC) Division. The critical assets and resources needed to be able to perform the emergency; fallback and resumption procedures shall be made available before the commencement of the test. NNPC Limited Investigation Processes and Procedures How individual components of the plan(s) will be tested more frequently, such as quarterly. Technical recovery testing (ensuring information/network systems can be restored effectively). Testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site). NNPC Limited Investigation Processes and Procedures 5.5 Maintaining and Re-Assessing the Business Continuity Plans To ensure that business continuity plans remain effective, they will be regularly reviewed and updated, especially when there are changes to the business operations and processes. The Business Continuity Manager shall carry out a review and update of the BCP annually. The company's change management program must contain procedures to guarantee that business continuity issues are properly addressed. Each business continuity plan will be subject to regular reviews, which will be allocated responsibility. An appropriate update of the business continuity plan should come after identifying changes in business arrangements that have not yet been reflected in it. With the use of this formal change control procedure, it should be possible to make sure that new plans are distributed and regularly reviewed. A business continuity manager should also complete an in-depth analysis of the company's current preparedness level before creating or updating the plan. Examples of situations that might necessitate updating the BC plans include the acquisition of new oil and gas reserves or upgrading of operational systems and changes in: Personnel Addresses or telephone numbers Business strategy and need Location, facilities, and resources IT Systems and Infrastructure NNPC Limited Investigation Processes and Procedures Legislation Contractors, Trade Partners, Suppliers, and key customers Processes, new/or withdrawn ones Risk (operational and financial)