Business Continuity Planning – A practical guide

Adam Lawrence, Director Terrorism Risk
ROSS CAMPBELL & ASSOCIATES

Introduction

o Ross Campbell & Associates – Crisis Management & Recovery
o Business resilience strategies
  – Clients in 25 countries
  – Workshops & reviews
  – Preparedness audits
  – Executive training
  – Corporate plans & enterprise-wide programs
  – Simulation exercises, walk-through rehearsals, capability tests
  – Alignment of Crisis Management, Business Continuity, issues management, emergency management
o Managing the worst-case scenario

Agenda

o Introduction – case studies and context
o Business Continuity Management – an overview
o Identifying plausible disruption scenarios
o Business Impact Analysis
o Response-Resumption-Recovery
o BC Plan – the essentials
o Leadership and governance
o Rehearsing the plan and capability testing

Purpose

o Raise awareness
o Enhance capability of QUESTNET member institutions in responding to and recovering from a major disruption
o QLD Government initiative to protect Mass Gathering Infrastructure in light of the threat of terrorism

Video compile

Terrorism – HSBC (Bank)

o Istanbul, Turkey
o 20 November 2003
o Car bomb
o 26 killed
o 450 wounded

Utilities failure – US power outage

“In just three minutes, starting at 4.10pm, 21 power plants shut down”
CNN, 14 August 2003

Telco infrastructure failure

‘Telstra says more than 16,000 of its network cables were accidentally severed in the past 12 months’
The Age, 25 July 2005

Data centre failure

‘Multiple failures at a datacentre run by CSC left hospital trusts without access to patient administration systems for up to five days’

ComputerWeekly.com, 13 Sep 2006

SARS

o Began in Asia February 2003
o Within weeks reported in 25 countries
o Impact on airlines, tourism industry
o Impact on businesses with operational links to Asia
o Learnings for Avian ‘flu preparedness?

Crisis/disaster impacts

o People harmed
o Disruption to operations
o Asset damage
o Loss of reputation
o Loss of customer/public support
o Financial loss
o Increased regulation
o Increased insurance premiums
o Legal action
o Destabilisation of senior management

Monash shootings 2002

ABC Interviewer “…no amount of training can equip you for what happened yesterday?”

Vice-Chancellor “…we had a crisis management exercise of something similar to this about three months ago, which actually helped us through all of this…”

ABC Radio, October 2002

What is Business Continuity?

‘The uninterrupted availability of all key resources supporting essential business functions’

(ANAO, 2000)

Keeping the wheels of business in motion following a material disruption (irrespective of the cause)

Key strategic risk – that an organisation is unable to remain operational

Related disciplines

o Emergency Management
o ICT Disaster Recovery (service disruption, data loss)
o Salvage and recovery (damaged hard-copy files)
o Issue Management (public perception/reputation)
o Government response
o Crisis Management – the worst-case scenario (during the acute/emergency phase of response) ~

“A crisis is an adverse situation that has the potential to cause serious harm to people, operations, assets, earnings, reputation or brand”

Common capability gaps

o Plans lacking fundamental components ~ WHO-WHAT-WHEN-WHERE-HOW-WHY
o Unspecified or vague (contingency) roles and tasks
o Lack of pre-designated alternative venues
o Alternative/back-up venues in same precinct
o Ill-equipped contingency venues
o Lack of alternate/deputy (contingency) roles
o Un-rehearsed plans & call-out procedures
o No pre-designated spokesperson
o No documented Business Impact Analysis (BIA)

Common capability gaps (cont.)

o Insufficient understanding of or linkages to government response
o Sole reliance on mobile telephones to co-ordinate the response (prone to failure)
o Insufficient protocols for communication with staff, visitors, students
o Recovery times (RTOs) not specified
o Lacking 24/7 remote access to HR/vendor contact details
o Lack of confidence in documented plans – too much information

Critical success factors

o Learn from the experience of others – address the common capability gaps
o Clear command structure – have a group that has authority to invoke recovery plans and manage strategic ramifications (Crisis Management Team)
o Clear communication & reporting channels (between Head Office and subordinate entities, including first responders)
o Identify alternative command venue/s and contingency work accommodation
o Ensure adequate incident notification and call-out procedures

Other challenges

o Extreme stress
o Cause may be beyond your control (3rd party dependency)
o Determining people’s whereabouts/safety
o Implications of rapid and intrusive media
o Rumours and innuendo – bad news travels fast
o Panic/hysteria
o Aspects of government response may be beyond your influence
  – Understand the rights/obligations of all responders
  – Jurisdictional responsibility

crisismanagement.com.au

Operational Risk Assessment

o What does the organisation depend on to operate?
o What can happen?
o When, where and how?
o What are the critical processes or assets?
o Workshop hypothetical scenarios
o Interviews with principal staff/department heads
o Site inspection (ideally by third party)
o Event/media monitoring, industry briefs, case studies – learn from the experiences of others

Identifying disruption scenarios

Consider worst-case (total loss) disruption scenarios ~
o Loss of building
o Loss of precinct
o Denial of access to building for a limited time
o Loss of ICT (data)
o Loss of ICT (voice)
o Loss of vital (non-electronic) records
o Loss of key staff
o Loss of key dependencies

Source: APRA Prudential Standard APS 232 Business Continuity Management

Business Impact Analysis (BIA)

o Undertaken for all key business processes ~
  – Call management
  – Service activations
  – Service restorations
  – Escalation management
  – Vendor management
o Sets recovery processes, in the event of a high-impact disruption/loss (outage)
o Establish a scenario as an aid to planning ~
  – Physical event, e.g. fire, flood, earthquake, terrorist attack
  – Assume worst case, e.g. total destruction of workplace and primary ICT resources

What would happen if?

o Work with “business owner” or departmental representatives ~
  – Workshop/group approach
  – One-on-one interviews
o Determine Maximum Acceptable Outage (MAO) ~
  – Maximum time it will take before an outage threatens an organisation achieving its business objectives
  – Max survival time before recovery procedures must commence
o Qualify consequences/costs of impacts ~
  – By timeframes (1 day, 1 week, 1 month)
  – Simple narrative/description
  – Formal risk rating (negligible-extreme)
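The MAO and impact-by-timeframe steps above can be turned into a simple worksheet check: record a rating per process at each timeframe, take the last timeframe still within the organisation's tolerance as the MAO, and compare the planned Recovery Time Objective (RTO) against it, flagging the "RTO not specified" gap listed earlier. The Python below is an added example, not material from the presentation or from Ross Campbell & Associates. The process names come from the BIA slide; the ratings, RTO values and the "moderate" tolerance level are constructed assumptions for illustration.

```python
"""
Business Impact Analysis (BIA) worksheet helper.

Added example (not from the presentation): derives the Maximum Acceptable
Outage (MAO) for each process from impact ratings recorded at the slides'
timeframes (1 day, 1 week, 1 month) and checks the planned Recovery Time
Objective (RTO) against it. Process names come from the BIA slide; the
ratings, RTOs and tolerance level are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Formal risk rating scale from the slides, ordered from least to most severe.
RATINGS = ["negligible", "minor", "moderate", "major", "extreme"]

# BIA timeframes from the slides, expressed in hours, in ascending order.
TIMEFRAMES_H = {"1 day": 24, "1 week": 168, "1 month": 720}


@dataclass
class ProcessImpact:
    name: str
    impact_by_timeframe: Dict[str, str]  # e.g. {"1 day": "minor", ...}
    rto_hours: Optional[int] = None      # None = RTO not specified (a listed capability gap)


def rating_index(rating: str) -> int:
    """Position on the rating scale; raises ValueError for a rating not on the scale."""
    if rating not in RATINGS:
        raise ValueError(f"unknown rating {rating!r}; expected one of {RATINGS}")
    return RATINGS.index(rating)


def maximum_acceptable_outage(p: ProcessImpact, tolerance: str = "moderate") -> int:
    """MAO in hours: the latest BIA timeframe at which the impact is still within
    tolerance. Conservative by construction: the true MAO lies somewhere before the
    first timeframe that breaches tolerance, so the last safe one is reported.
    Returns 0 when even the shortest timeframe breaches tolerance."""
    limit = rating_index(tolerance)
    mao = 0
    for label, hours in TIMEFRAMES_H.items():
        if rating_index(p.impact_by_timeframe[label]) <= limit:
            mao = hours
        else:
            break
    return mao


def assess(p: ProcessImpact, tolerance: str = "moderate") -> dict:
    """Compare the planned RTO with the derived MAO and name the gap, if any."""
    mao = maximum_acceptable_outage(p, tolerance)
    first_label = next(iter(TIMEFRAMES_H))
    if mao == 0:
        # The coarse day/week/month grid cannot bound the MAO: re-run the
        # workshop for this process with hour-level timeframes.
        status = (f"gap: impact already {p.impact_by_timeframe[first_label]} "
                  f"at {first_label}; refine timeframes to hours")
    elif p.rto_hours is None:
        status = "gap: RTO not specified"
    elif p.rto_hours > mao:
        status = f"gap: RTO {p.rto_hours}h exceeds MAO {mao}h"
    else:
        status = "ok"
    return {"process": p.name, "mao_hours": mao, "rto_hours": p.rto_hours, "status": status}


def bia_report(processes: List[ProcessImpact], tolerance: str = "moderate") -> List[dict]:
    """Assess every process and order the report most urgent (shortest MAO) first."""
    return sorted((assess(p, tolerance) for p in processes), key=lambda r: r["mao_hours"])


# Constructed sample worksheet; process names are those listed on the BIA slide.
SAMPLE_PROCESSES = [
    ProcessImpact("Call management",
                  {"1 day": "moderate", "1 week": "extreme", "1 month": "extreme"}, rto_hours=8),
    ProcessImpact("Service activations",
                  {"1 day": "minor", "1 week": "major", "1 month": "extreme"}, rto_hours=72),
    ProcessImpact("Vendor management",
                  {"1 day": "negligible", "1 week": "minor", "1 month": "moderate"}),
    ProcessImpact("Escalation management",
                  {"1 day": "major", "1 week": "extreme", "1 month": "extreme"}, rto_hours=4),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_PROCESSES):
        print(f"{row['process']:<22} MAO={row['mao_hours']:>4}h  "
              f"RTO={str(row['rto_hours']):>4}  {row['status']}")
```

The tolerance level is a management decision made in the workshop, not a property of the code; the point of the check is that an RTO is only meaningful once it has been compared with an MAO derived from the same worksheet, and that a process rated above tolerance within the first timeframe needs a finer-grained BIA rather than a guessed recovery time.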

Recommended reading - BIA

o Better Practice Guide Business Continuity Management – Keeping the wheels in motion, ANAO 2000 (www.anao.gov.au)
o Has excellent BIA Worksheet template
o Example impact/risk analysis matrix

Example workshop approach (BIA)

Denial of access for a limited time ~
o Multiple cases of Legionella infection are attributed to the data-centre building
o Victims include a number of maintenance vendors (2 are critically ill)
o Management become aware of the situation during business hours
o Health authorities order the evacuation of all non-essential staff and visitors
o The water-coolers are shut down and samples taken for testing
o Disinfection action begins (will take several days)

Part 2 – Escalation

o A day later ~ the presence of a hazardous strain of Legionella bacteria is lab-confirmed

o Health authorities are advising anyone with symptoms (fever, cough, breathlessness, chest pain, diarrhoea) to seek medical attention and undergo tests

o Building will remain closed for at least 3 days to allow for Health Authority/Work Cover investigation and the identification of other potential victims

o Only a limited number of building services staff and specialist contractors are permitted to have access

Part 3 – Implications

o No air conditioning for up to 10 days
o Very limited staff access (to treat hazard only)

Phases of response

o Preparedness
o Response – emergency protection of people and property (to limit the impacts)
o Resumption/continuity – “immediate fixes” to begin interim operations
o Recovery – steps for achieving full operational normality (pre-disruption)

Response

o Protection of people and property
  – Evacuation/hold-in-place procedures
  – Automated fire suppression
  – Actions of emergency services
o Processes to limit impact on critical services
  – e.g. back-up power fail-over
  – Standard service disruption procedures
o Incident escalation/notification to governing entity
o Call-out of governing entity (Crisis Management Team)
o Setting up Command Centre

Resumption

o Relocation of staff to alternative venue (e.g. commercial DR site)
o Source alternative office accommodation
o Diversion of telephones
o Data recovery from back-up tapes
o Restoration of desktop environment, email, network access etc
o Work from home strategy
o Emergency procurement of replacement infrastructure
o Stakeholder communication – staff, vendors, students, creditors, insurers, media etc
o Key issue – remote access to BCP with planning data

Recovery

o Specialist salvage and recovery – site clean-up
o Rebuild primary site or seek new premises?
o Sourcing new vendor/s
o Long term project effort
o People issues: retention/recruitment

BC Plan - the essentials

o WHO-WHAT-WHEN-WHERE-HOW (WHY)
o Sample full table of contents
o First Response Flowchart
o Sample Role Checklist – Team Leader
o Sample Threat/Risk Response Guidelines
o Sample Business Unit Recovery Plan
  – APRA compliant disruption scenarios
o Sample ICT Disaster Recovery Plan table of contents

Crisis Leadership: The Challenge

o Managing information overload
o What’s going on? ~ maintaining situational awareness
o What should I do?
o Communication bottlenecks
o Public/customer perceptions/expectations?
o Internal perceptions/expectations?
o Expectations of higher office/regulators/authorities?
o “Tales of great strategies derailed by poor execution are all too common”

Human Response to Stress

o Perception of situation (as a threat)
o Expectations of own ability to cope
o Fight or flight response ~
  – Calm/confident in facing situation (“fight”), or
  – Avoiding it (“flight”)
o Positive leadership influence on others
  – Sound judgment, decisive action
o Impaired judgement
  – Indecision
  – Poor execution of contingencies

CRISIS MANAGEMENT – functional areas (diagram)

Recovery
• Short term operations
• Long term recovery goals
• Documented BCP
• Integration with DRP

Employees and Next of Kin
• Communicate
• Training
• Delivering the message

Commercial Issues
• Legal
• Risk
• Insurance
• Customers
• Record of Incident

Response
• Roles/accountabilities
• Resources available
• Training requirements
• Documented

External Affairs
• Ministerial liaison
• Interviews
• Media releases
• Media management on site
• Community relations
• Business relations

Communications
• Control centre
• Communications equipment requirements
• Call centre interface

Crisis Leadership: What it takes

o Calmness/confidence in tackling the unexpected
o Sound judgement
o Decisiveness
o Regular communication with stakeholders
o Trust, delegation ~ allow yourself time to think
o Have a special team to support you
o Treat the stressors and build confidence

The solution?

o Have a single, organisation-wide framework for all occasions
o Ensure full alignment of BC, ICT DR, emergency procedures, security and other contingency plans
o Simple, concise checklists
o Train, rehearse/validate, review and revise

Crisis Management Team (structure chart)

TEAM LEADER
• Leadership
• Call-out decision
• Key stakeholder liaison
• Goal setting
• Prioritising work

Recovery
• BCP interface
• Office relocation
• Alt premises
• Identify & allocate resources to achieve goals

External Affairs
• Media management
• HQ advice
• News releases
• Community and government relations

Human Resources
• Internal communication
• Tracking victims
• Employee records
• Next of kin liaison
• Welfare
• Counselling

Commercial Services
• Regulatory
• Legal
• Insurance
• Customers
• Suppliers
• Maintain records

Response
• Contact with scene
• Monitor situation
• Advise team
• Emergency control
• Evacuation

ICT Coordinator
• CMT support
• CMT venue set-up
• ICT DR interface
• Vendor liaison
• Salvage recovery
• Procurement

Spokesperson
• Media face
• Media conferences
• One face, one message

Team Structure

o Manageable span of control (5-7 direct reports)
o Resist temptation to include additional direct reports ~ less is more
o Having a larger, flatter structure means ~
  – More stress to Team Leader, and
  – Less efficient interaction between team members
o Distinguish contingency functions from status/rank and day-to-day role
  – Select best person for the job
  – Not everyone has to be involved

Testing the capability

o HB 221 BCM guidelines ~
  – Planning template
o Desktop “walk-throughs”
o Individual component testing (e.g. IT DR)
o Fully integrated tests with third party service providers

Scenario planning & exercises

o Decide on participants – site, business unit and/or senior leadership team?
o Decide on desired outcome – general awareness building, compliance, plan orientation, evaluation of performance, full functional test
  – Resources to be tested – people, IT, vital records (hardcopy/electronic), facilities, internal dependencies, external dependencies
  – Exclusions
o Decide on threat/risk scenario

Scenario planning & exercises (cont.)

o Develop theoretical sequence of events - as situation unfolds - not in relation to planned response actions

o Consider possible reaction of key stakeholders ~ media, employees/contractors, students, investors, families, authorities, commercial partners, suppliers etc

o Write script o Establish the cast - who will play what roles

Scenario planning & exercises (cont.)

o Establish how the “situation” will be communicated to participants

o Recommend real-time game play without too much fictitious background material beforehand

Recommended reading

o HB 221:2003 Business Continuity Management
o ANAO better practice guide Business Continuity Management – Keeping the wheels in motion
o APRA Prudential Standard 232
