Business Continuity: The Art and Science of Keeping the Engine Running

NICSA ▪ 8400 Westpark Drive, 2nd Floor ▪ McLean, VA ▪ 22102

Tel: 508-485-1500 ▪ Fax: 508-485-1560 ▪ www.nicsa.org

Wednesday, May 11, 2011

2:00 – 3:00 p.m. Eastern


Our Moderator

Erika Ivanyi

Senior Vice President and General Manager

(San Antonio Office)

American Funds

Capital Group Companies

Our Presenters

Peggy S. Lynnes

Capital Group Companies

Andy Waples

Eaton Vance Management

Michael Haikola

MFS Investment Management

Business Continuity Planning

By Michael Haikola, CHMM, CFI, CIPS

Business Continuity

• What is it?

– The ability of an organization to provide service and support for its customers and to maintain its viability before, during, and after a business continuity event

Business Continuity

Who governs it?

• Depending on the industry it could be

– Your clients/customers

– Regulatory Bodies (SEC, OSHA, FINRA)

– Shareholders

Business Continuity Management

• Consists of 4 distinct elements

Business Continuity

Emergency Response

Disaster Recovery

Crisis Management

Business Recovery

Business Continuity Planning

How do you do it?

Risk Assessment

Business Impact Analysis

Plan Development

Test Planning/Execution

Continuous Improvement

Planning

Keys to success

• Management commitment

• Don’t bite off more than you can chew

– Pending maturity of your program; gradually complete your implementation

– Use a continuous improvement methodology to build on weaker components

• Exercising, Exercising, Exercising

Disaster Recovery Planning

By Andy Waples, CBCP

Disaster Recovery Defined

Disaster Recovery is the technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site.

Source: Disaster Recovery Journal

Disaster Recovery

Categories of Assets To “Recover”

• Datacenter / Core IT Infrastructure

• Supporting Facility Infrastructure

• Workspace

Disaster Recovery Planning Steps

Design

• Policy Statement / Objectives

• Risk Assessment & Identify Preventive Controls

Implement

• Develop Recovery Strategies

• Implement and Document Recovery Capabilities

Exercise

• Exercise to Validate

• Maintain

Recovery Framework Options

[Figure: recovery framework options; axes labelled Speed of Recovery and Cost & Complexity]

• Cold or No Standby Capacity

• Warm Recovery Site – “Active / Passive”

• Full Geographic Redundancy – “Active/Active”

Identify Critical IT Resources

Source: NIST SP 800-34

A Picture Says 1,000 Words

• Create Context Diagrams for all applications

• Create Network topology diagram(s)

• Connectivity diagram(s)

• Follow the path of all touch-points to understand interdependencies

Datacenter & “Core” IT Infrastructure

Hardware

• Network: Core Routers, floor hubs

• Servers

• Storage

• Tape Library

• Security Appliances

• Other Appliances (e.g. Load Balancers)

Infrastructure Applications

• Job Scheduler

• ETL Tools

• BES (Blackberry Server)

• Secure Transport

• Intranet

• Active Directory

• DNS

• NTP Server / Protocol

IT Recovery Documentation

Application Recovery

IT Group Recovery

IT DR

“Run Book”

Recovery Plans

Recovery Procedures

Emerging Trends

• Virtualization

– Servers

– Desktops - VDI

• Cloud Computing

Key Takeaways

• Prioritize on Risk / Impact

• Choose Recovery Framework to Match Business Requirements

• Establish Recovery Ownership / Responsibility

• Don’t forget the core: Dig into system interdependencies

Selected References

• Disaster Recovery Journal (www.drj.com)

• National Institute of Standards and Technology (www.nist.gov)

– Contingency Planning Guide for Information Technology Systems

• Financial Services Roundtable (www.bits.org)

– BITS Technology Risk Transfer Gap Analysis Tool

Crisis Management


Peggy Lynnes, CBCP

Vice President, Business Continuity

Capital Group Companies

This is not a drill!!!

• Key components of Crisis Management

– Speed of event awareness…. “Houston, we have a problem.”

– Well trained responders

– Fully developed response process

– Communicate accurately and often

How do you know there is a problem?

• Surveillance of facilities, systems, weather events, regional events

– Monitor alarm systems

– Local, regional, national, and international news

– Partner with other surveillance sources (e.g. Govt. agencies)

Who needs to be involved?

Business Continuity

IT Mgmt

Disaster Recovery

Facilities Mgmt

Human Resources

Key Business Leads

Corporate Communications

Educate and train

• Crisis Management teams in place to address varying degrees of events

• Exercise, exercise, exercise!

• Global event = Global Crisis Mgmt Team

• Technology Event = Critical Incident Mgmt Team

• Single site event = Facility Crisis Mgmt team

Crisis Management Plans

• Ability to assess and respond with speed

– Automate assembly process – blast up calls, emails, etc.

– Agenda to focus on life safety, impacts to critical business functions, who is taking action, communication needs, set up next meeting

– Communication plan, internal and external

Questions for our presenters?

Peggy S. Lynnes

Capital Group Companies

Andy Waples

Eaton Vance Management

Michael Haikola

MFS Investment Management