
Coping with a Crisis:

Business Continuity & Recovery Strategies and their Implementation

By Dr Paul R. Duller, Instant Library

Agenda
♦ 1. The Anatomy of A Disaster
♦ 2. CBR Attacks
♦ 3. Impacts, Risks and Rewards
♦ 4. Business Continuity Management
♦ 5. Loss Prevention and Recovery
♦ 6. Information Sources and Contacts

Session 1
The Anatomy of a Disaster

So What is a Disaster?

Disruption and Disasters
♦ A Disruption is any event that impacts business activities


Disruption and Disasters
♦ 55% of companies have experienced disruptions which resulted in an inability to use computer systems for more than 1 hour
♦ 11% have experienced computer disruptions for 24 hours or more
[Comdisco Continuity Services Survey, 1997]

Disruption and Disasters
♦ Downtime =
– Lost Revenue, Lost Profit, Reduced Productivity
– Costly emergency measures to restore normal operations and other expenses
– Damaged Reputation (customers, suppliers, financial markets, banks, business partners)

Disruption and Disasters
♦ A Disaster is any event that causes significant disruption to business activities
– Vary in scale and seriousness
• Incidents, major incidents, national incidents
– Usually involve substantial destruction and both direct and indirect losses
• Loss of buildings and contents
• Loss of employment, revenue, sales
• Loss of documentation and information

Disruption and Disasters
♦ 40% of organisations suffering a disaster have gone out of business within a year
♦ 43% never recovered
♦ 29% ceased trading within 2 years
♦ 93% of businesses that had a major data processing disaster went out of business within 5 years

Classes of Disaster
♦ Natural (geographical)
♦ Technological
♦ Social

Natural Disasters
♦ Geological: Earthquakes, volcanic eruption, landslide, erosion, subsidence
♦ Meteorological: Hurricane, tornado, blizzards, lightning, hailstorms, fog, drought, snow, avalanche


Natural Disasters
♦ Oceanographic: Tsunami, sea storm
♦ Hydrological: Flood, flash-flood
♦ Biological: Fires, Forest fire, insect infestation, epizootic, disease outbreaks (meningitis, cholera etc)

Natural Disasters

Technical Disasters
♦ Hazardous Material and Processes: Carcinogens, mutagens, heavy metals, other toxins
♦ Dangerous Processes: Structural failure, radiation emissions, refining and transporting hazardous materials

Technical Disasters
♦ Devices and Machines: Hardware/software failure, explosives, unexploded bombs, vehicles, trains, aircraft, obsolescence of electronic technology
♦ Installations and Plant: Bridges, dams, mines, refineries, power plants, oil and gas terminals, power lines, pipelines, high-rise buildings

Social Disasters
♦ Terrorist Incidents: Attacks, bombings, shootings, hostage taking, hijacking
♦ Crowd incidents: Riots, demonstrations, crowd crushes, stampedes
♦ Personal incidents: User error, computer viruses, physical theft, physical or electronic vandalism

Session 2

Chemical, Radiological, Biological or Nuclear (CRB) Attacks


“If you do not have a terrorist CRB plan, you do not have a Business Continuity or Disaster Recovery plan”
Metropolitan Police, 2003

“It is only a matter of time before a crude version CBRN attack is launched on a Western City”
Eliza Manningham-Buller, Head of MI5, June 17th 2003

Chemical Weapons
♦ Blister Agents (vesicants)
– Mustard gas, Lewisite & Phosgene Oxime
♦ Nerve agents
– Malathion, Sevin
♦ Blood Agents
– Cyanide
♦ Pulmonary agents
– Chlorine

Biological Weapons
♦ Bacteria: Anthrax, Brucellosis, Cholera, Glanders, Melioidosis, Plague, Typhoid fever, Rickettsia, Endemic Typhus, Q Fever, Tularemia (rabbit fever), Plague, Pneumonic or Bubonic.
♦ Botulism (A-G)
♦ Vector agents (viruses)

Natural Viral & Bacterial Infections

♦ SARS (severe acute respiratory syndrome)

♦ NLV (Newark like virus)

♦ Legionella

♦ Chicken Flu

♦ Outbreaks can close buildings for days or weeks

Toxins

♦ Neurotoxins: botulinum toxin, Saxitoxin (algae)
♦ Cytotoxins: Ricin, Saxitoxin, Staphylococcus enterotoxin
♦ T2: Trichothecene mycotoxins.


Toxic Mould
♦ All mould is allergenic, some are toxic
♦ Growth requires
• Food source (organic)
• Water (condensation)
• Temperature (20°C plus)
• Humidity (60% RH plus)

What’s this?

The Rinse wipe method
Appendix B, Strategic National Guidance, Feb 2003

Session 3
Impacts, Risks and Rewards

How Do We Assess Risks?

Risks to Your Business
♦ Loss of work to competitors
♦ Failures within your supply chain
♦ Loss of Reputation
♦ Human Resource Issues
♦ Health and Safety Issues
♦ Higher Insurance Premiums
♦ Business Failure


Liabilities
♦ Business interruption
♦ Personnel containment
♦ Building decontamination
♦ Contents decontamination
♦ Permanent loss of IT
♦ Personnel decontamination
♦ Loss of Property
♦ Loss of Vital Records

Disaster Planning for IT and IM

♦ Nature, Size and Scale of the disaster
– One piece of paper, file room, or building
♦ Disaster Control and Recovery Plan
– Key Component = Risk Assessment
♦ Impact Analysis and Risk Assessment
– to determine the effects of information loss resulting from a disaster and develop a plan to reduce the level of risk and aid recovery

Impact Analysis on Information
♦ Risk Assessment Criteria
– Type of medium / type of storage
– Location in the building
– Possible disasters and their likelihood
– Impact
• internal staff (Technical, IT, Finance, Legal etc)
• external customers and government agencies
• Worst-case scenario – total loss of information
♦ Identification of Vital Records
– Focus of protection effort

Risk Factor Graph
[Figure: Severity against Likelihood, each on a scale of 1 to 10, with LOW, MEDIUM and HIGH risk bands]

Risk Factor Graph
[Figure: Severity against Likelihood, each on a scale of 1 to 10, with LOW, MEDIUM and HIGH risk bands]
♦ Low Risk:
– If the hazard can be eliminated then the risk disappears
– If not, monitor and review annually

Risk Factor Graph
[Figure: Severity against Likelihood, each on a scale of 1 to 10, with LOW, MEDIUM and HIGH risk bands]
♦ Medium Risk:
– Consider if preventative and protective measures are required to reduce the risks
– A new safe system of work may have to be developed, or the current measures in place revised and improved


Risk Factor Graph
[Figure: Severity against Likelihood, each on a scale of 1 to 10, with LOW, MEDIUM and HIGH risk bands]
♦ High Risk:
– Immediate attention required to eliminate it or to reduce it to an acceptable level
– Develop and implement preventative and protective measures as soon as possible

Summary
♦ Identify, document and prioritise each risk

♦ Assign responsibility for corrective actions

♦ Agree a realistic completion date

♦ Monitor Progress and re-evaluate risks once additional control measures are in place

♦ Project possible monetary loss (down time, replacement costs, financial loss)

Session 3 (Part B)

Risk Reduction in the Aftermath of September 11th

Likelihood Low/Severity High

[Figure: Severity against Likelihood, each on a scale of 1 to 10, with LOW, MEDIUM and HIGH risk bands; 9/11 marked]

8/11 - Risk Factor ~0
9/11 - Risk Factor ?


Structural steels protected 55 tons asbestos !

Session 4
Business Continuity

So What is Business Continuity?

“Back to Business”

Why BCM?
The Dangers - physical impacts such as reputation, failure of critical fire, flood, terrorism, denial of access, environmental damage, non suppliers/services, adverse media, criminal activities e.g. product tampering

Simple insurance is not enough!

BCM protects against:
♦ Lost Reputation
♦ Lost Customers
♦ Lost Brand Equity
♦ Lost Share Price
♦ Lost Markets
♦ Lost Quality
♦ Lost Staff Loyalty

What is BCM?
“The process of anticipating incidents which will affect mission critical functions and activities within the organisation that enable end to end deliverables, and ensuring a planned and rehearsed response”.
The Business Continuity Institute 1999

Part of the business’s CULTURE - a business as usual activity.


Initiating the Culture

Effective BCM requires:

• Business Continuity Manager

• Specific teams for managing the crisis and managing the recovery/continuity

• Board level commitment, direction and hands-on involvement

• Training, Education, and Awareness

• Management Information System (if measured, it gets done).

• BCM built into job description

• Detailed Documentation

• Rewards and Recognition - annual performance contracts

Session 5
Loss Prevention and Recovery

Information Loss Prevention
♦ Requires a strategic ongoing programme of support linked to Business Continuity Plan
♦ Standards
– Ensure storage systems meet BS5454 requirements

Information Loss Prevention
♦ Onsite Storage
– Adequate IT back-up and archiving services
– Store information on upper floors (not the basement)
– Install suitable racking which diverts falling water, allows water to drain, copes with increase in weight (60%-200%) because of absorption
– Move information away from water pipes and prevent damp

Information Loss Prevention
♦ Duplication and Dispersal
– Take copies of information and store off-site
– Transcribe vital records to microfilm or electronic media
♦ Safes
– Store sensitive information in fire safes/data safes
– Ensure safes are accessible in case of fire or flood
♦ Other Options
– Smoke alarms, water detectors, sprinkler systems, bomb blast curtains, back-up generators

Information Recovery Plan
♦ Prepare a Recovery Plan (as part of the organisation's Business Continuity Plan) to address the issues identified in the Risk Assessment, including details on:
– Detection and Security
– Responsibility
– Safety
– Utility Services and Back-up Systems
– Communications
– Staff Policy
– Equipment and Facilities
– Document Handling


Information Recovery Plan
♦ Recovery of:
– Paper
– Microfiche
– Photographic Materials
– Electronically Stored Data (tapes/CDs)

Information Recovery Plan
♦ Health and Safety Issues
♦ Emergency Services Liaison
♦ Options for the recovery of Paper Media
– Effect of water on books and unbound materials
– Dealing with wet paper media
• Freezing
• Freeze Drying
• Air Drying
• Mould growth
– Effect of fire and smoke on paper

Information Recovery Plan
♦ Use of Teams
– Health and Safety Team
– Salvage Team
– Recovery Team
– Drying Team
– Press Team
♦ And finally, returning Information to Store!

Document SOS Case History
♦ Ealing Borough Council Fire: In September 1996, an arsonist on parole set fire to the Social Services and Housing Departments of the London Borough of Ealing, damaging thousands of critical documents and razing the building to the ground.
♦ It was impossible to put a value on the irreplaceable records that were damaged in the fire.
♦ 170 crates of housing and social security files were affected by smoke. A small quantity were charred and needed to be trimmed. Over 4,600 damaged files were identified and packed into 187 crates. 80% of the files were both wet and charred and these were immediately transported into chilled storage, and kept at a constant temperature just above freezing point to prevent mould formation.
♦ Key files required for immediate business use were cleaned and returned within a day.

Document SOS Case History
♦ All other documentation was categorised into priority requirements and returned throughout a two-week period.
♦ File retrieval ensured that any aspects could be fast-tracked.
♦ All surface smoke was removed from the paperwork, deodorised and the originals then re-filed into clean stationery.
♦ All wet documents were dried immediately to prevent any mould growth and charred documents were either consolidated with a synthetic resin or prepared for business usage.
♦ Timescale: One day for urgent files with the entire collection completed in two weeks
♦ Cost: £18,000

Session 6
Information Sources and Contacts


Information Sources & Contacts
♦ Publications (Journals and Books)
♦ Specialist Organisations (e.g. Business Continuity Institute)
♦ Government Agencies (e.g. UK Resilience)
♦ Conferences and Exhibitions
♦ Web-sites (….it's all out there, if you know where to look!)

Publications

www.kablenet.com

Specialist Organisations

The Business Continuity Institute

♦ Established to provide opportunities to obtain guidance and support for business continuity professionals.

♦ Provides an internationally recognised status and its wider role is to promote the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity management services.

♦ Web site contains a wealth of information and resources for both the business continuity novice and expert

www.thebci.org

Business Continuity Planning Guides

♦ BSI Guide To Business Continuity Management (PAS 56)
♦ DTI Guide To Business Continuity Management
♦ BCI Good Practice Guidelines For Business Continuity
♦ The Business Guide To Continuity Management
♦ Expecting The Unexpected, BCM For SMEs
♦ UK Civil Contingency Secretariat Disaster Guides
♦ Australian BCM Guide
♦ UK - Major Incident Procedure Manual For London

www.thebci.org

Business Continuity Standards
1. Initiation and Management
2. Business Impact Analysis
3. Risk Evaluation and Control
4. Developing Business Continuity Management Strategies
5. Emergency Response and Operations
6. Developing and Implementing Business Continuity & Crisis Management Plans
7. Awareness and Training Programmes
8. Maintaining Business Continuity & Crisis Management Plans
9. Crisis Communications
10. Co-ordination with External Agencies

www.thebci.org


♦ The website of the Civil Contingencies Secretariat in the Cabinet Office.

♦ Provides links to government and non-government sources on a wide variety of emergencies and crises that can affect the UK, plus emergency planning guidance and government information.

♦ A wide Range of topics, including:

www.ukresilience.info

♦ Aviation
♦ Chemical, Biological, Radiological Or Nuclear (CBR or CBRN)
♦ Chemical or Nuclear Accident
♦ Civil Contingencies
♦ Energy And Power Supply
♦ Epidemic
♦ Fire Safety
♦ Flooding or Water Shortage
♦ Food Alerts
♦ Fuel Situation
♦ Severe Weather
♦ Terrorism
♦ Train Crash
♦ Travel
♦ Web And Internet Alerts

www.ukresilience.info

Listed on this page are many links which you may find useful, along with a brief description. The links have been categorised for ease of use. You can go directly to a category by clicking on the links below, or you can scroll down the page for the full list.

♦ Business Continuity
♦ Government Organisations
♦ Emergency Services
♦ Emergency Planning

www.cityoflondon.gov.uk/our_services/law_order/security_planning/

www.business-continuity-online.com

Web Sites
♦ CBR Response (www.cbr-response.com)
♦ Business Continuity Magazine (www.kablenet.com)
♦ The Business Continuity Institute (www.thebci.org)
♦ UK Resilience (www.ukresilience.info)
♦ City of London (www.cityoflondon.gov.uk/our_services/law_order/security_planning/)

Session 7
Summary and Conclusions


Summary
♦ Disruptions vs. Disasters
♦ Classes of Disaster
♦ CRB Attacks
♦ Risk Assessment
♦ Business Continuity
♦ Loss Prevention
♦ Information Recovery Plan

“If you think developing and exercising a crisis management plan is expensive – you should try the real thing”.
Simon Langdon – Insight Consulting

Conclusions
“Disasters are extraordinary events that require special organisation and resources to tackle the damage that they cause…..”

“…however, they are sufficiently frequent and similar to one another to be normal events, not abnormal, and as such, predictable enough to be planned for!”

Thank you!
Dr Paul R. Duller