Business Continuity Planning

Developing a Business Continuity Plan . . . . . More Than Disaster

Recovery!Recovery!

April 19, 2010UHY / MMA

Business Survival SeriesBusiness Survival Series

4/19/2010

1

Webinar Focus . . . .• Understanding the components of Business

Continuity Planning and resulting “Business Continuity Planning and resulting “Business Continuity Plan” (BCP)

• Conducting a BCP Gap Analysis/Risk Assessment

• Developing and implementing your BCP

• Establishing a Disaster Recovery Plan (DRP)

• Testing your BCP, DRP and associated controls

UHY Advisors, Inc.• UHY Advisors, Inc. is the 15th largest professional services

firm in the U.S.firm in the U.S.

• Provide Business Advisory, Audit and Tax services to a wide variety of companies and industries.

• 20 offices located through the U.S., with Michigan offices in Southfield and Sterling Heights.

• UHY International Limited (UHYI), is one of the largest accounting firms in the world with 198 offices in 65 countries and approximately 6,300 employees.

4/19/2010

2

Definitions . . .1. Business Continuity Planning (BCP):

The creation and validation of a practiced logistical plan forThe creation and validation of a practiced logistical plan for how an organization will recover and restore critical functions within a predetermined time after a disaster or extended disruption.

2. Disaster Recovery (DR):The process, policies and procedures related to preparing for recovery after a natural or human-induced disaster. Disaster recovery includes planning for resumption of business operations. Disaster Recovery includes physical facilities, equipment, applications, data, hardware, communications (such as networking) and other critical business processes.

Definitions . . .3. Risk Tolerance Level (RTL):

A process by which a company determines the risks, vulnerability p y p y , yand impact analysis of various disaster scenarios on critical business processes and/or activities. RTL incorporates:– Assessing and prioritizing business functions, processes,

activities, etc.

– Identifying interdependencies between critical operations, departments, personnel and servicesdepartments, personnel and services

– Identifying potential impacts of uncontrolled, non-specific events on business functions, processes, activities, etc.

4/19/2010

3

Definitions . . .4. Recovery Point Objective (RPO):

The acceptable time delay associated with systems, data and/or p y y ,process before the loss of an activity become critical.

5. Recovery Time Objective (RTO):The acceptable amount of time to restore a designated business function.

6. Probable Maximum Business Interruption Loss (PML):Losses, based on worst-case scenario, that result from a business interruption. . .Function of Seriousness and Duration

BCP – Why Bother?1. Stability:

Survival rate for companies that encounter a disaster Su a ate o co pa es t at e cou te a d sastewithout a business continuity plan is less than 10%!

Only 6% of companies suffering from a catastrophic loss survive, while 43 % never reopen and 51 % close within two years.

2. Financial:C ti Pl i R h th h l- Contingency Planning Research pegs the average hourlydowntime cost at $18,000 for a small business.

- Assume they are off by 90% . . .that’s:

$1,800/hr . . .$7,200/24 hrs . . .$50,400/wk

4/19/2010

4

BCP – Why Bother?

3. It Makes Good Business Sense!• Uncovers core business weaknesses

• Addresses visible and concealed areas of concern

• Strengthens customer perception

• Separates your company from competition

Proactive

BCP – A Strategy• BCP as an Offensive/Competitive Strategy . . .

1 Helps your company stand out from others:1. Helps your company stand out from others:Business Continuity Standards are coming!ISO 27001, Austrian Standard HB 221:2003, NFPA 1600, PAS 56, BS25999 . . . .

2. Creates a business which operates its systems at the optimum levels:Flexible with the ability to quickly identify and respondFlexible with the ability to quickly identify and respond to challenges, threats and disasters.

3. Builds a Resiliency into your operation:Hardened systems fail less often and return more quickly from day-to-day glitches.

4/19/2010

5

BCP – UHY Perspective• From our perspective . . .

– BCP process involves the recovery resumption BCP process involves the recovery, resumption, and maintenance of the entire business . . More than just IT and Data.

– Restoration of IT systems and electronic data is important . . but . . recovery of these system will not always be enough to restore operations.

– BCP involves the prioritization of business objectives and critical operations that are essential for recovery.

BCP – UHY Perspective

4/19/2010

6

BCP – Protection From???

Natural DisastersMaterial Shortages

BusinessContinuity

- Protection From –

?

ProductLiability

Client/Customer

Strikes

DeliveryDelays

TerroristActivities

? Power Failure

ComputerViruses

TechnologicalDevelopments

Client/CustomerInsolvency

BCP – Protection From???

Example of a Risk Map

4/19/2010

7

Business Continuity PlanningCritical Steps

Step 1Assessment

• Objectives Include:1. Raising Awareness1. Raising Awareness2. Involving All Business Units / Departments3. Involving All Personnel 4. Identifying the Critical Interactions Between

People, Processes and Departments . . .

• Examine the company as a whole for conditions d th t iti l f l and processes that are critical for seamless

business operations . . . a Threat Analysis.

• Plan is to provide management with a complete picture of processes, dependencies and threats.

4/19/2010

8

Step 2Risks, Vulnerabilities & Impact Analysis

• Impact Analysis:A t f ti t d t d d id tif Assessment of operations to understand and identify precisely what functions, activities, elements, etc. would be impacted should there be a disruption or disaster

• Risk Assessment:Determining the potential losses from a threat verses the cost of protecti e meas res against the al e of the cost of protective measures against the value of the asset.How Much Do We Spend to Protect?

RISK / COST / ROI


• UHY’s approach is to utilize a Risk Tolerance L l (RTL) t t t bi Ri k Level (RTL) strategy to combine, Risks, Vulnerabilities and Impacts.

• TRL incorporates a FMEA (Failure Mode & Effects Analysis) format with:- SEVERITY (impact on your business)- FREQUENCY / OCCURANCE- Impact on your Customer(s)

• Scale is 1 to 10 for each:1 = No Impact / Never Occurs

10 = Critical Impact / Daily Occurrence

4/19/2010

9


• RTL # Reaction Plan:Less than 20Less than 20No corrective action and/or additional controls are required.

20 to 40Risk control(s), including control method, process and frequency should be reviewed to identify reaction steps/actions needed to ensure business continuity.

41 to 60Risk control(s), including control method, process and frequency should be improved to incorporate actions that will lead to a reduction in the RTL #.

61 to 80Risk control(s), including control method, process and frequency indicate a concern regarding business continuity. Control should be improved to reduce the RTL #.

Greater than 80Represents a Business Continuity concern. The Risk and associated Control(s) must be improved by implementing actions that will reduce the RTL #.

Step 3Recovery – Strategies & Actions

• Recovery Window . . . Specific period in which l b i t l bl losses become intolerable. - The shorter the window, the more recovery

resources need to be in place and ready.- For longer windows, the recovery resources can

be put into place following the interruption.

• It is critical the recovery resources be:• It is critical the recovery resources be:- Identified- Listed / Documented - Pre-Arranged / Pre-Planned- Tested

4/19/2010

10


• Disaster / Interruption Levels:L l I I t ti i P i O tLevel I: Interruption, i.e., Power is Out

Time Frame - 1 hour, 4 hours, >24 hoursLevel II: Vacate the Facilities, i.e., Fire

Time Frame - 1 day, 1 week, 1 monthLevel III: Facilities Gone, i.e., Tornado

Time Frame - Immediate ActionsTime Frame Immediate ActionsBusiness Resumption

• Establish Recovery Action Checklist for each scenario . . .Action Steps and Responsibilities


• Recovery plans must:1 Id tif th i d t b i1. Identify the resources required to resume basic

level of business operations.

2. Document skills, equipment, procedures, steps,etc. required by each department/activity.

3 Specify authority roles and responsibilities to 3. Specify authority, roles and responsibilities to ensure that actions and tasks are managed,completed and communicated.

4/19/2010

11

Step 4Interdependencies

• Predominate Recovery Goal . . .to re-establish ti l d t d b i f ti b f essential day-today business functions before

consequential effects occur.

• Key concerns:- What’s the priority and sequence of recovery?- What should be first, second, third, etc.- Which functions are dependant on interactingp g

functions?

• Interaction or Process Flow Diagrams can be used to identify dependencies . . . .

Risk Mapping / Interactions

Step 5Training and Awareness

• Employees need to know and understand:1 Th f d t l i t f B i1. The fundamental requirements of your Business

Continuity Plan . . . Who, What, Where, When, Etc.

2. The documented recovery action steps and theirrole and responsibilities . . . Where do I go? What do I do? What don’t I do?

3. The reaction plan based on who is available.

• Employee training should be provided on at least an annual basis. Records should be retained.

4/19/2010

12

Step 6Testing Plans

• BCP testing should be based on the importance of the business process to the both the company and to the business process to the both the company and to the customer base.

• The testing process should be structured to:– Incorporate and address the identified risk levels

– Assign and designate roles and responsibilities for testing and reportingand reporting

– Demonstrate that the business continuity strategy and recovery action steps have the ability to sustain the business until operations can be re-established

Step 6Testing Methods

• Testing methods vary from simple to complex . . . Depends on the Risk and Business Process complexity.Risk and Business Process complexity.

• Level I - Structured Walk-Through:Used as a training tool and as a test to determine fundamental compliance.

• Level II - Walk-Through Simulation Test:Choose a specific event . . apply the established recovery actions.

• Level III - Functional Test:• Level III - Functional Test:Performing actual recovery processes as defined in the company’s Recover Action Checklists.

• Level IV - Full-Scale Test:Real-life emergency is simulated as closely as possible.

4/19/2010

13

Step 7Maintenance / Sustainability

• The final step in developing and implementing a BCP/DRP is “maintenance” to ensure sustainability and BCP/DRP is maintenance to ensure sustainability and effectiveness.

• The resulting BCP/DRP Manual is a living document that must be kept up-to-date:– This document defines the policies and sets out the

steps, recovery actions, roles, guidance, etc. for disaster recoveryrecovery.

– This document must reflect changes in business, staffing, processes, technologies, etc.

– Reviewed and updated on at least an annual basis.

BCP/DRP Manual . . .Format

4/19/2010

14

Business Continuity – Cost/Benefit• BCP entails costs . . . .There is no rule of thumb for the level

of costs involved. Depends on:- The nature of the possible losses- The potential impact- The probability of the risks occurring

• Fundamentals apply . . . The tighter the safety net and the greater the availability, the higher the costs.

• Example . . . Idle production costs and damage to a i f i i icompany’s image as a result of business interruption are

compared with the preventive and reactive expenses involved in BCP.

Remember the earlier slide . . . .minimum of$1,800/hour!

Cost/Benefit Example• Suppose we are considering the installation of a backup

generator so that our servers can continue operation in the event of an extended power failure.

• Assume that we lose on average $50k for each extended power failure, and on average there are two such failures a year. The backup generator will prevent all such failures.

• Calculate the Annualized Loss Expectancy (ALE) by multiplying the Annual Rate of Occurrence(ARO) by the i ( )Single Loss Expectancy (SLE):

ALE = ARO * SLE = 2 * $50k = $100k

4/19/2010

15

Cost/Benefit ExampleALE = ARO * SLE = 2 * $50k = $100k

• If the annualized cost (taking into account depreciation, training, and maintenance) of our backup generator is:

1. Less than $100k . . .we should install the generator.

2. Greater than 100k . . .we should accept the risk and not buy the generator.

• Business continuity plan is a countermeasure (like the backup generator) its value can be established using the same technique.

BCP . . . .Cost-Benefit• A Business Continuity Plan reduces the probability of

failure.

- Assume that it reduces the probability of failurefrom 5% to 3%.

- Assume the company is worth $20 million.

- The value of our Business Continuity program isworth the difference between these two valuations,

$400 000 or $400,000.

• Is a reduction of failure probability from 5% to 3% unrealistic? It might be substantially more!

4/19/2010

16

BCP . . . Just Thoughts . . . • Insurance:

- BCP regulates the preventive and reactive action to betaken in a crisis situation.

- Business interruption insurance covers the consequentialfinancial loss of a hazard (e.g. a fire).

- By paying standing charges, the cost of necessary lossminimization measures and the profits lost, businessinterruption insurance contributes to the company’s economic recovery following a crisiseconomic recovery following a crisis.

• Questions . . . .Do We Have:1. The Right Coverage?2. Enough Insurance?

BCP . . . Just Thoughts . . . • The object of business interruption insurance is to cover the

consequential loss(es) arising from a business disaster.

• Business interruption insurance essentially covers three main areas: 1. The net profit that would have been made if there had

been no consequential loss.

2. The normal standing charges that still have to be paidand cannot be reduced.

3. The (loss minimization) costs incurred in order to reducethe duration and extent of the business interruption loss.

Terms to Understand - PML & SUM INSURED

4/19/2010

17

BCP . . . To Do ListDetermine RISKs and Business Impact for critical processes

Define Business Recovery objectives priorities and expectations Define Business Recovery objectives, priorities, and expectations

Define critical, time-sensitive functions and systems

Incorporate changes into the plan

Establish the Disaster Recovery Team

Conduct employee training to test and understand the plan

Test the plan periodically . . .make amendments to the plan

Conduct Business Continuity Audits

Improve processes to minimize exposure during disruptions

Optimize operational strategies to mitigate against threats

Questions?

THANK YOU!Alan Lund

UHY Advisors, Inc.Southfield, Michigan 48034

(248) [email protected]

Documents

Business Continuity Planning