NNPCL GRC_Business Continuity Proccesses_Competency and Training.pdf

Full Transcript

NNPC Limited Investigation Processes and Procedures



Contribute to business impact analyses and risk assessments where
required.

4 Competency and Training Requirements
Management has recognized that business continuity management is a
key component of an enterprise risk management program. Therefore,
NNPC will ensure that all staff that support the BC management are
competent based on appropriate education, training, skills, and experience.
The skills required will be determined and reviewed regularly within NNPC.
Training needs will be identified, and a plan maintained to ensure that the
necessary competencies are in place.

5 Policy Statements
A Business Continuity policy will be controlled and maintained to ensure
that all plans and processes are consistent and in line with the
documented purpose to ensure the safety of personnel and the protection
of information processing facilities and company’s property:


NNPC Business Continuity Policy is intended to reduce or address
substantial business disruptions affecting its critical business
operations conducted in its headquarters, and across all its subsidiaries,
divisions, offices and business channels nationwide.



The primary objective of this Policy is to ensure the Company's ability to
continue or immediately resume performing its critical business
functions, which are the functions that support the Company's mission,

NNPC Limited Investigation Processes and Procedures

while ensuring life safety and complying with legal requirements,
under all circumstances.


NNPC will establish, maintain, update, and improve a Business
Continuity Plan, and will carry out testing of its Business Continuity
Plans, both (i) at least once per year, and (ii) when there are significant
changes in the organizational structure, equipment, facilities,
processes, or business activities. All applicable business areas of the
Company will actively participate in the process of maintenance,
updating, testing, and improvement of the Business Continuity Plan.



NNPC will ensure that all participants in the Business Continuity Plans,
as well as others who may be involved in them, are informed of their
responsibilities and the actions they must take, both in normal
situations as in the event of a contingency, within the framework of
Business Continuity, through regular training, dissemination, and
testing of the Plans.



NNPC must ensure that an appropriate level of awareness is carried out
organisation-wide and that sufficient capacity is built to guarantee that
business continuity remains relevant and satisfies the needs of the
company.



NNPC must ensure they understand the risks the organization is
exposed to, the likelihood of their occurrence, and their impact.



NNPC must ensure the identification and prioritization of critical
business processes including assets required to deliver these critical
services are carried out.



NNPC must understand the impact and consequences that
interruptions are likely to have on the Company’s business.

NNPC Limited Investigation Processes and Procedures



NNPC will take adequate measures to establish emergency procedures,
which describe the actions to be taken following an incident, which
jeopardizes business operations and/or human life. This should include
arrangements for public relations management and effective
communication liaison with appropriate public authorities, e.g., police,
fire service, and local government.



NNPC will take adequate measures to establish fall-back procedures,
which describe the actions to be taken to move essential business
activities or support services to alternative temporary locations, and to
bring business processes back into operation in the required time
scales.



NNPC will take adequate measures to establish resumption
procedures, which describe the actions to be taken to return to normal
business operations.



NNPC will establish a maintenance schedule, which specifies how and
when the plan will be tested, and the process for updating and
maintaining the plan.



NNPC will make the Business Continuity Policy available to all key
stakeholders.

5.1

Key Stakeholders
Senior management and the owners of crucial systems, services, and
applications will actively participate in establishing the business continuity
management strategy, planning, and governance inside NNPC, as will all

NNPC Limited Investigation Processes and Procedures

other key stakeholders both inside and outside the organization. These
significant parties include, but are not limited to:

5.2



NNPC Board



Group Chief Executive Officer



Chief Financial Officer



Executive Vice Presidents



Group General Managers



Managing Directors



NNPC Employees



Suppliers/Contractors/Vendors



State Security Agencies – Police, Army, etc.



Fire Service Agencies

Business Impact Analysis (BIA) and Risk Assessment
(RA)
Identifying potential interruptions to company processes, such as building
collapse, equipment failure, explosion, flood, and fire, is the first step in the
business continuity process. A risk assessment will be conducted after that
to establish the effects of these interruptions (both in terms of damage
scale and recovery period). Business resources and process owners will be
fully involved in these tasks.
The organisation will identify and rank critical business processes and
downtime costs through the BIA process. Primary business operations that
touch on various organisational units will be covered within the BIA. The
Maximum Tolerable Period of Disruption (MTPD), Business Process

NNPC Limited Investigation Processes and Procedures

Availability Recovery Time Objectives (RTOs), and Business Process
Recovery Point Objectives (RPOs) will all be identified. The BIA's findings will
help NNPC decide how to handle risks and will help in the development of
viable business cases to support any costs associated with risk
management.
The BIA and RA processes shall be reviewed and updated on an annual
basis.

5.3

The Business Continuity Plan
Following an interruption or failure of important business activities, plans
will be devised to maintain or restore business operations within the
required time frames. The following will be considered during the business
continuity planning process:


Identification and agreement of all roles and responsibilities and
emergency procedures.



Clearly defined terms and agreement on the circumstances surrounding
the use of the business continuity plan and the ensuing return to regular
business operations.



Identification of any acceptable loss of information and services.



The use of emergency measures to enable recovery and restoration
within necessary time frames.



Contact lists of all suppliers, external dependencies, and personnel
identified with roles and responsibilities, as well as alternate and
escalation contacts.

NNPC Limited Investigation Processes and Procedures



Clear and precise documentation of all agreed procedures and
processes.



Details of any IT infrastructure used for business continuity purposes,
including procedures to activate and deactivate.



Appropriate education of staff on the agreed emergency procedures and
processes including crisis management.



Regular testing and updating of the plans.

The planning process will be centred on the required business objectives.
The services and resources that will enable this to occur will be considered,
including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities.
The Business Continuity Management Team will work with the business
units and other stakeholders to develop the following plans:


Resumption and Recovery Plans for People Assets



Resumption and Recovery Plans for Facilities and Office Space



Resumption and Recovery Plans of IT Systems and Network
Infrastructure

Each plan will have a specific owner. Emergency procedures, manual fallback plans, and resumption plans should be within the responsibility of the
owners of the appropriate business resources or processes involved.

5.4 Testing the Business Continuity Plans
The Business Continuity Management Team shall ensure that the Business
Continuity Plans (BCPs) are reviewed annually, although the frequency may
be changed to account for changes in the business strategy, business

NNPC Limited Investigation Processes and Procedures

processes, personnel, location, or technology, as well as changes in the
external business environment.
The review shall be done to ensure that:


Plans are up to date and address all NNPC’s critical business processes.



All members of the Recovery Team and other relevant staff are aware of
the plans and required actions.



NNPC is adequately prepared to execute a credible recovery in the event
of a real incident.

A test schedule shall be drawn annually indicating the type of tests that
shall be carried out during that year. A full test (complete rehearsal) of the
BCP shall be carried out periodically. The test schedule for Business
Continuity Plan(s) shall also indicate:


How and when each element of the plan will be tested?



How the test plan will be activated?



External organizations to be involved in the test, if appropriate.



Escalation procedures in case there is an error during testing or when
necessary.



Who within the organization should be informed that the plan has been
activated and satisfactorily tested (for example, NNPC Board, Group
Chief Executive Officer, and Executive Vice Presidents?



A comprehensive schedule of the test plan and the process of
maintaining the plan shall be provided by the Governance, Risk and
Compliance (GRC) Division.



The critical assets and resources needed to be able to perform the
emergency; fallback and resumption procedures shall be made available
before the commencement of the test.

NNPC Limited Investigation Processes and Procedures



How individual components of the plan(s) will be tested more frequently,
such as quarterly.



Technical recovery testing (ensuring information/network systems can
be restored effectively).



Testing recovery at an alternate site (running business processes in
parallel with recovery operations away from the main site).

NNPC Limited Investigation Processes and Procedures

5.5

Maintaining

and

Re-Assessing

the

Business

Continuity Plans
To ensure that business continuity plans remain effective, they will be
regularly reviewed and updated, especially when there are changes to the
business operations and processes.
The Business Continuity Manager shall carry out a review and update of the
BCP annually. The company's change management program must contain
procedures to guarantee that business continuity issues are properly
addressed.
Each business continuity plan will be subject to regular reviews, which will
be allocated responsibility. An appropriate update of the business continuity
plan should come after identifying changes in business arrangements that
have not yet been reflected in it. With the use of this formal change control
procedure, it should be possible to make sure that new plans are distributed
and regularly reviewed.
A business continuity manager should also complete an in-depth analysis of
the company's current preparedness level before creating or updating the
plan. Examples of situations that might necessitate updating the BC plans
include the acquisition of new oil and gas reserves or upgrading of
operational systems and changes in:


Personnel



Addresses or telephone numbers



Business strategy and need



Location, facilities, and resources



IT Systems and Infrastructure

NNPC Limited Investigation Processes and Procedures



Legislation



Contractors, Trade Partners, Suppliers, and key customers



Processes, new/or withdrawn ones



Risk (operational and financial)