Business Continuity Expanded to Include Critical Suppliers bychapters.acp-international.com/images/gardenstate/documents/... · testing%and%maintenance%of%BC%/%DR%plans%and%reporting%to%the%Governance%Board.%%The%tests%are%

2015 Garden State Chapter Newsletter - 1st Quarter

Association of Contingency Planners Dedicated to the Evolution of Business Continuity

1 of 14

ACP Garden State Chapterhttp://gardenstate.acp-international.com/index.htm

Adopting a business continuity (BC) program is the start of a journey, which ensures continuous operations of critical processes within a company and expands to include critical suppliers as the program matures. In this chapter we will discuss what business continuity is and once the program is robust how to apply it to a company’s supply chain.

A business continuity program’s mission is to assure the availability, reliability and recoverability of business processes servicing the company’s customers, partners, and stakeholders. In order for business continuity to be effective it must be an integral part of the business planning life cycle.

Business Continuity Expanded to Include Critical Suppliersby

Betty Byrnes - ACP Garden State Chapter President

Successful business continuity management requires a commitment from the company’s executive team in order to show commitment to, raise awareness and implement sound approaches to build resilience.

continued on page 2

ACP GARDEN STATE CHAPTER

Newsletter Features

Business Continuity, Emergency Management,

and Disaster Recovery “Tid-Bits” are back!!!

Advertising Section

Whenever business changes impact a process/function, business continuity considerations must be evaluated and adjusted as necessary to understand the affect to existing recovery strategies and plans.

We all make plans based on tradeoffs of cost and benefits. Business Continuity formalizes a company’s overall approach to effective risk management, and should be closely aligned to the company’s incident management, emergency response management and information technology disaster recovery.

Betty ByrnesPresident

Lori KeenanSecretary

Richard RehakTreasurer

Tatiana PezzoliEducation

Bernard JonesInformation

David StuartMembership

Richard YoungProgram

2015 ACP Garden State Executive Board Members

Inside This Issue

“BC Expanded to Include Critical Suppliers”

2015 Executive Board Members

BC, EM, and DR “Tid-Bits”

ACP National News

“Book of the Month”

Chapter Photo “Time Capsule”


2 of 14


Business continuity life cycle

Business Continuity Expanded to Include Critical Supplierscontinued from p.1


There%are%six%stages%within%the%BC%cycle.%%They%are:

1. Governance

2. Business%Impact%Analysis

3. Risk%Assessment

4. Recovery%Strategies

5. Business%Continuity%/%Disaster%Recovery%Planning

6. Test%and%VeriKication

Let%us%brieKly%describe%each%stage.

continued on page 3


3 of 14




Governance:*Senior%management%involvement%and%support%are%critical%to%the%success%of%a%company’s%business%

continuity%program.%%Executive%buyQin%enables%the%BC%program%to%be%in%alignment%with%the%

company’s%strategic%direction%and%business%objectives.%%%This%also%ensures%that%the%program%is%able%

to%obtain%appropriate%resources%and%visibility.%%Without%adequate%senior%management%involvement%

and%support,%a%business%continuity%program%risks%losing%effectiveness%and%alignment%with%business%

strategy,%misspent%or%unKit%resources,%gaps%between%capability%and%requirements,%or%in%the%worst%

case,%senior%management%cutting%business%continuity%altogether%because%they%do%not%see%the%value%

in%the%investment.%%A%key%component%for%governance%is%the%creation%and%enforcement%of%business%

continuity%standards%and%policies.%%These%standards%and%policies%outline%the%“what%“%and%“how”%of%

business%continuity.%%This%allows%for%the%program%to%be%consistent%across%the%company%and%

auditable.%%The%governance%board%has%the%responsibility%to%support%and%oversee%the%BC%program.%%

No%company%can%implement%a%robust%business%continuity%program%overnight;%it%can%take%years%for%a%

complex%global%company%to%fully%implement%their%business%continuity%program.%%Business%continuity%

is%a%journey%that%must%be%evaluated,%maintained%and%aligned%with%the%business%three%to%Kive%year%

strategy.%%The%governance%board%is%responsible%for%BC%oversight%and%direction;%they%are%in%charge%of%

the%journey.

Business*Impact*Analysis*(BIA):A%BIA%is%a%methodology%to%identify%critical%business%processes%and%functions%based%on%operational%

and/or%Kinancial%impacts.%%This%is%done%by%interviewing%business%process%owners%and%asking%them%

to%describe%their%business%process.%%This%interview%includes%the%identiKication%of%critical%resource%

requirements%(e.g.,%staff,%equipment),%vital%records%and%data,%along%with%internal%and%external%

dependencies.%%Analysis%of%the%data%gathered%through%these%interviews%paints%a%picture%of%the%

critical%paths%within%a%business%at%any%given%time.%%This%step%also%identiKies%the%business%threshold%

for%disruption%loss,%including:%applications,%systems,%platforms%and%infrastructure.%%The%business%

impact%analysis%identiKies%the%preliminary%recovery%time%objective%(RTO)%%and%recovery%point%

objective%(RPO)%%.%%It%is%important%to%remember%when%designing%a%business%continuity%solution%that%

it%is%not%restoring%business%to%normal,%it%is%the%restoration%of%what%is%most%crucial%at%the%giving%time.%%

For%example,%if%the%company%issued%payroll%the%day%previous%to%the%“event”,%restoring%the%payroll%

process%would%not%be%critical.%But%if%payroll%was%due%be%released%the%day%after%the%“event”%then%

restoring%the%payroll%process%would%be%critical,%especially%to%the%employees!%%The%business%process%

owners%also%describe%workaround%procedures%that%can%be%implemented%until%the%process%can%be%

resumed%or%the%staff%can%return%to%work.

continued on page 4


4 of 14




Risk*Assessment:The%risk%assessment%identiKies%business%continuity%risks%that%could%result%in%a%business%process%

disruption%or%hinder%recovery.%%A%risk%assessment%usually%includes%a%facility%assessment%and%an%

environmental%analysis.%%A%high%level%physical%inspection%of%a%facility%should%include:%review%of%the%

electrical%design,%mechanical%heating%ventilation%and%air%conditioning%(HVAC)%design,%

communications%and%network%architecture%review,%physical%security%evaluation,%emergency%egress/

ingress,%and%structural%design%of%the%data%center%and%call%center%(as%applicable).%%The%environmental%

risk%analysis%includes%the%analysis%of%the%likelihood%of%natural%and%manQmade%disasters%at%a%speciKic%

location.%%For%example:%hurricanes,%earthquakes,%lighting%strikes,%rainfall,%Klooding,%crime%rates,%and%

proximity%to%railroads,%highways,%and%airports.%%Once%the%risks%are%identiKied%they%should%be%ranked%

and%rated%by%criteria%speciKied%in%the%BC%standards,%(e.g.,%probability%of%occurrence%+%impact%to%

business%x%controls%in%place%to%remediate).%%For%example,%special%evacuation%plans%would%be%needed%

in%the%event%for%a%derailment%on%a%nearby%freight%train%line.

Recovery*Strategies:The%data%gathered%from%the%BIA%and%risk%assessment%portrays%the%existing%business%continuity%

capabilities%and%gaps.%%Recovery%strategies%are%developed%to%mitigate%these%potential%risks.%%The%

recovery%strategies%and%the%associated%estimated%costs%for%implementation%are%developed%and%

presented%to%the%BC%governance%board%for%review.%%It%is%up%to%the%BC%governance%board%to%approve%

and%fund%the%chosen%recovery%strategies.%%Note%the%governance%board%should%also%“signQoff”%on%high%

ranked%business%risks%with%the%reasoning%on%the%decision%not%to%remediate.

Business*Continuity*/*Disaster*Recovery*Plans:Business%continuity%planning%allows%for%the%availability%of%critical%business%processes%in%the%event%of%

an%incident%that%renders%facilities,%computer%systems,%and/or%employees%inoperable%or%inaccessible.%%

The%goal%of%the%creation%and%implementation%of%BC%and%DR%plans%is%to%minimize%economic%losses%

resulting%from%disruptions%to%business%functions.%%These%plans%provide%steps%and%procedures%to%

facilitate%an%orderly%recovery%of%critical%business%functions%and/or%systems.%%Business%continuity%

plans%address%the%recovery%of%business%functions%and%workspaces%while%disaster%recovery%plans%

address%the%recovery%of%the%information%technology%environment%and%systems%that%supports%the%

business,%(e.g.,%applications,%platforms,%infrastructure).

The%provisions%in%these%types%of%plans%are%used%as%the%basis%for%providing%guidance,%preparing%for,%

and%effecting%recovery%activities%in%connection%with%executive%management’s%(e.g.,%Governance%

Board’s)%discretion.%%Tactically,%the%BC%/DR%plans%address%the%following:

continued on page 5


5 of 14




• Minimize%business%losses%resulting%from%disruptions%to%business%processes.

• Provide%a%plan%of%action%to%facilitate%an%orderly%recovery%of%critical%business%processes%

and%technical%infrastructure.

• Identify%key%individuals%or%teams%who%will%manage%the%process%of%recovering%and%

restoring%the%business%and/or%technology%after%an%incident%or%disaster.

• Specify%the%critical%business%and%technical%activities%that%need%to%continue%after%an%

incident.%%

• Outline%the%logistics%of%recovering%critical%business%processes%and%technical%

infrastructure.

Proper%execution%of%BC%/%DR%plans%facilitate%the%timely%recovery%of%critical%business%processes.%%BC%/

DR%plans%are%effective%only%if%they%are%maintained%properly%and%the%content%information%is%kept%

current.%%A%key%element%of%business%continuity%/%disaster%recovery%plans%is%the%coordination%

between%information%technology%and%business%processes%to%align%RTO%and%RPO%with%business%

requirements%over%time.

Test*and*Verify:The%BC%standards%will%guide%the%Business%Continuity%Program’s%roadmap%to%the%development,%

testing%and%maintenance%of%BC%/%DR%plans%and%reporting%to%the%Governance%Board.%%The%tests%are%

used%to%train%associates%and%create%an%awareness%of%the%BC%program%model%and%individual%roles.%%

This%is%done%through%exercising%the%plan.%%Different%levels%of%plan%testing,%from%tabletop%/%structured%

walkthrough,%component,%to%mobilization%of%plan%actions,%require%increased%resources%but%provide%

more%through%results.%

continued on page 6


6 of 14




Tabletop*/*Structured*Walkthrough*Exercise:*• Paper%evaluation%of%a%portion%of%a%BC%plan%without%the%expenses%or%personnel%resources%

associated%with%a%full%test.

• The%exercise%scope%can%vary%from%a%review%of%a%portion%of%the%BCP%to%a%review%of%the%entire%

plan.

• Objectives:

o Verify%the%contents%of%the%plan;

o Prepare%for%simulation%testing;

o Train%new%members%and%create%employee%awareness;%

o Maintain%preparedness%while%limiting%use%of%resources;

o AfKirm%that%the%strategy%documented%in%the%plan%is%viable;

o Educate%critical%personnel%on%their%responsibilities%in%a%disaster;

o ConKirm%that%the%information%in%the%plan%is%current%and%accurate;%and

o Identify%areas%of%the%plan%that%need%revision%or%updates.

• The%beneKit%of%a%tabletop%exercise%is%that%it%is%costQeffective%and%nonQinvasive.

Component*Exercise:• A%component%exercise%is%usually%performed%during%offQhours%and%tests%a%particular%segment%

of%the%recovery%plan.

• It%differs%from%the%structured%walkthrough%in%that%it%involves%actual%recovery%activities.

• Types%of%component%tests%can%include:%

o Emergency%notiKication%test%(e.g.,%call%tree%tests);

o Evacuation%tests;

o Data%center%or%application%recovery%test;

o Remote%or%dialQin%access%test;%and/or

o Critical%business%function%recovery%test.

• Objectives:

o Demonstrate%accuracy%of%the%execution%of%the%plan;

o Verify%the%appropriate%operating%and%incident%escalation%procedures;

o Train%and%increase%awareness%of%personnel;%and

o Validate%previous%modiKications%of%the%plan%including%the%coordination%

between%the%business%and%information%technology.

• The%beneKit%of%a%component%exercise%is%that%it%is%nonQdisruptive%and%focused.

continued on page 7


7 of 14




Mobilization*Exercise:Is%an%integrated%simulation/full%operations%test;%that%includes:

• The%exercise%to%be%performed%at%the%actual%recovery%sites;

• The%utilization%of%the%backup%resources%(i.e.,%AS%400%systems%and%workspace);

• A%structured%walkQthrough%and/or%a%component%exercise%test%should%precede;

• A%mobilization%exercise%tests%the%transactions%or%replicated%“live”%transactions%are%processed;%

and

• That%reports%can%be%produced%(i.e.,%actual%results)%during%the%exercise%and%then%are%

reconciled%against%expected%results.

• Objectives:

o Test%entire%plan%or%a%portion%of%the%plan%under%emergency%scenarios;

o Validate%operational%effectiveness%and%business%unit%interdependencies;%and

o Provide%technical%and%administrative%measurable%results.

• An%exercise%of%this%proportion%is%normally%scheduled%to%take%place%after%hours%or%during%a%

weekend.

• While%the%most%costly%in%terms%of%resources,%the%beneKit%of%a%mobilization%exercise%is%that%it%

requires%interQdepartment%coordination%and%is%the%best%true%test%of%the%BC%program.

Once%the%exercise%type,%identiKication%of%recovery%priorities,%objectives,%timeline%and%scenario%has%

been%determined,%then%the%company%conducts%the%test,%analyzes%the%Kindings,%and%develops%

corrective%actions.%%The%Kinal%step%is%to%update%the%BC%/%DR%plan,%as%applicable,%to%incorporate%lessons%

learned%from%testing.%%The%BC%standard%has%outlined%the%BC%program’s%progress%timeline.%%The%

Kindings%from%the%test%indicate%whether%or%not%the%plan%is%where%it%should%be%on%its%BC%journey.%%

Through%this%program%all%business%continuity%initiatives%can%be%easily%measured%and%assessed%on%

their%maturity%level.%

Supply*Chain*Business*Continuity*AssessmentOnce%a%company%has%developed%a%strong%internal%business%continuity%program%they%begin%to%expand%

it%to%include%their%critical%supply%chain%vendors,%but%as%one%can%realize,%no%vendor%will%let%a%client%

company%dictate%their%business%continuity%program.%%So%companies%have%developed%a%highQlevel%one%

day%BC%supply%chain%assessment.%%This%entails%visiting%each%critical%vendor%within%their%supply%chain%

at%the%supplier’s%speciKic%location%that%performs%the%work%for%your%company.%%

continued on page 8


8 of 14




Mobilization*Exercise:Is%an%integrated%simulation/full%operations%test;%that%includes:

• The%exercise%to%be%performed%at%the%actual%recovery%sites;

• The%utilization%of%the%backup%resources%(i.e.,%AS%400%systems%and%workspace);

• A%structured%walkQthrough%and/or%a%component%exercise%test%should%precede;

• A%mobilization%exercise%tests%the%transactions%or%replicated%“live”%transactions%are%processed;%

and

• That%reports%can%be%produced%(i.e.,%actual%results)%during%the%exercise%and%then%are%

reconciled%against%expected%results.

• Objectives:

o Test%entire%plan%or%a%portion%of%the%plan%under%emergency%scenarios;

o Validate%operational%effectiveness%and%business%unit%interdependencies;%and

o Provide%technical%and%administrative%measurable%results.

• An%exercise%of%this%proportion%is%normally%scheduled%to%take%place%after%hours%or%during%a%

weekend.

• While%the%most%costly%in%terms%of%resources,%the%beneKit%of%a%mobilization%exercise%is%that%it%

requires%interQdepartment%coordination%and%is%the%best%true%test%of%the%BC%program.

Once%the%exercise%type,%identiKication%of%recovery%priorities,%objectives,%timeline%and%scenario%has%

been%determined,%then%the%company%conducts%the%test,%analyzes%the%Kindings,%and%develops%

corrective%actions.%%The%Kinal%step%is%to%update%the%BC%/%DR%plan,%as%applicable,%to%incorporate%lessons%

learned%from%testing.%%The%BC%standard%has%outlined%the%BC%program’s%progress%timeline.%%The%

Kindings%from%the%test%indicate%whether%or%not%the%plan%is%where%it%should%be%on%its%BC%journey.%%

Through%this%program%all%business%continuity%initiatives%can%be%easily%measured%and%assessed%on%

their%maturity%level.%

Supply*Chain*Business*Continuity*AssessmentOnce%a%company%has%developed%a%strong%internal%business%continuity%program%they%begin%to%expand%

it%to%include%their%critical%supply%chain%vendors,%but%as%one%can%realize,%no%vendor%will%let%a%client%

company%dictate%their%business%continuity%program.%%So%companies%have%developed%a%highQlevel%one%

day%BC%supply%chain%assessment.%%This%entails%visiting%each%critical%vendor%within%their%supply%chain%

at%the%supplier’s%speciKic%location%that%performs%the%work%for%your%company.%%

continued on page 9


9 of 14




A%company’s%business%continuity%program%should%require%that%the%company%assess%their%critical%

vendors’%recovery%capabilities.%%The%company%identiKies%key%suppliers,%which%could%result%in%a%risk/

disruption%to%a%Company’s%product%line%and%business.%%The%data%gathering%in%a%vendor%assessment%is%

done%by%conducting%a%site%visit,%reviewing%related%documents,%(e.g.,%BC%plans,%emergency%response%

plans)%and%faceQtoQface%interviews.%%The%objective%of%this%vendor%site%meeting%is%to%understand%the%

probability%and%impact%to%your%company’s%business%if%the%vendor%was%to%suffer%a%major%disruption.

The%site%visit%includes%the%following%areas%as%they%support%the%product%your%company%acquires%from%

the%vendor:

Survey'Area: Including:Product%Lines List%of%all%current%Company%product%lines%supported%by%the%vendor.

Resiliency Discuss/review%the%vendor’s%management%policy%and%standards%on%how%their%

company%manages%risk%and%implements%risk%mitigation.%%These%areas%should%

include%emergency%response,%crisis%management%and%business%continuity%/%

disaster%recovery%process.

Metrics Describe%the%vendor’s%metrics,%monitoring%and%reporting%procedures%

regarding%their%governance%and%policies.

Recovery%Capability What%is%the%vendor’s%current%recovery%capability?%%Do%they%have%a%recovery%%

plan?%%If%yes,%has%it%been%tested?

Alternate%Source Discuss%any%alternate%source%capability%that%they%have%built%into%their%process.

Procedures Describe%how%they%manage%your%company’s%raw%ingredients%to%Kinished%

product,%e.g.,%transportation,%warehousing,%logistics.

Supply%Chain Describe%where%and%how%they%get%the%precursors%for%“your”%products%they%are%

manufacturing%and%their%resilience%traceability,%(e.g.,%tier%1%through%tier%7).

Site%Tour Walk%through%the%vendor%site%to%gain%an%understanding%of%the%product%

manufacturing%process%and%the%supporting%infrastructure.

continued on page 10


10 of 14




An%example%of%a%Supply%Chain%business%continuity%maturity,%and%overall%readiness%graphic%is%below.

As%stated%this%is%a%very%highQlevel%evaluation%of%one%vendor%in%a%company’s%supply%chain.%%Many%

companies%are%conducting%these%oneQday%vendor%assessments%to%evaluate%each%critical%vendor’s%

resiliency%across%the%company’s%supply%chain.%And%identify%any%weak%links.

Concluding*PointsThe%key%to%a%thriving%business%continuity%program%is%that%it%is%never%stagnant.%%Constant%improvement%

and%evaluation%are%critical.%%It%is%a%living%process,%as%it%matures%it%should%evolve%into%being%part%of%

regular%business%operations,%not%an%addQon.

1%RTO%=%Recovery%Time%Objective:%The%maximum%tolerable%time%to%recover%critical%business%functions%and%the%existing%

resources%that%support%each%function.

%2%RPO%=%Recovery%Point%Objective:%The%maximum%amount%of%data%loss%allowable.


Emergency Management, Business Continuity, Disaster Recovery “Tid-Bits”



NIST publishes guidance on supply chain risk management practices

NIST has announced the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.http://www.continuitycentral.com/news07599.html

New report: Cyber Security and Critical Infrastructure in the Americas

The General Secretariat of the Organization of American States (OAS) and the Trend Micro have jointly presented a new report ‘Cyber Security and Critical Infrastructure in the Americas,’ which gathers the views of governments and security professionals from key industries, such as communications, finance, manufacturing, energy and security, on cyber vulnerability in the region.http://www.continuitycentral.com/news07594.html

Does business continuity manage the real risks to your organization?

Charlie Maclean-Bristol discusses the remit of a typical business continuity manager and asks whether the BIA is fit for purpose.http://www.continuitycentral.com/feature1301.html

The challenge of keeping your critical applications running: how cloud and managed services can help

Legacy applications and older IT platforms can be a business continuity headache: Ian Masters offers some advice for those struggling with the issue.http://www.continuitycentral.com/feature1304.html

Reprinted with permission from Continuity Central


ACP National “Fund for the Future”

Fundraising Campaign

ACP's Fund for the Future was created to grow our membership and thereby ensure ACP's future and financial stability.The Fund for the Future and the ensuing membership campaign will secure ACP's long-term viability by expanding our presence, expertise and strength in numbers.

Interested in contributing as a chapter or individual? Email us today at [email protected].

“Book of the Month”Principles and Practices of Business Continuity: Tools and

Techniques

Jim Burtles, FBCI, (2007, Rothstein Associates) ISBN 1-931332-39-8.

This comprehensive book was written by Jim Burtles, a founding fellow of the Business Continuity Institute. The book comes with a

BCP tool kit on CD with 24 planning and analysis tools.




Chapter Photo “Time Capsule”In each newsletter edition, we will feature photos taken over years of

our Garden State Chapter.

Each chapter event is special and we hope to continue to highlight our various chapter events on film!

“Can you name the chapter members in each photo?”




Chapter Advertising Section

In each newsletter edition, we feature organizations willing to

promote thier services to the New Jersey business continuity

community.

If you are know of an organization interested in advertising in an upcoming ACP newsletter, please contact Stan Carlstadt

Our next Newsletter Edition will be published during the 2nd week of

October!

If you have content that you would like to share with your fellow ACP Garden State chapter members either on the chapter website or in the newsletter, please feel

free to contact Information & Publications Director: Bernie Jones ([email protected])



Documents

Business Continuity Expanded to Include Critical Suppliers bychapters.acp-international.com/images/gardenstate/documents/... · testing%and%maintenance%of%BC%/%DR%plans%and%reporting%to%the%Governance%Board.%%The%tests%are%