CORPORATE RESILIENCE
A Primer on Business Continuity
Protecting the Capability to Deliver Products & Services Under a Wide Range of Adverse Conditions
Rick Wilson, 610-378-1149


Slide 2
CORPORATE RESILIENCE
A Primer on Business Continuity
Protecting the Capability to Deliver Products & Services Under a Wide Range of Adverse Conditions
Rick Wilson

Slide 3
Presentation Overview
  • Definitions & Objectives of a BCP
  • Business Continuity Lifecycle
  • Components of Business Continuity
  • Embedding BCP In the Organization
  • Participating in a BCP Exercise

Slide 4
Differentiating Disaster Recovery & Business Continuity
Disaster Recovery
  • Backups
  • Operational Level
  • Hardware
  • Storage Recovery
  • Telecommunications
  • Computer Recovery
  • Technical Performance
  • Single Discipline
  • Infrastructure Resilience
Business Continuity
  • Business Processes
  • Sr. Management Level
  • Products / People / Profits
  • Supply Chain Sustainability
  • Human Communications
  • Product / Service Recovery
  • Company Performance
  • Cross-Functional
  • Organizational Resilience

Slide 5
Business Continuity Management
Why Listen to This Talk?
  • As a Manager: How Do I Ensure Timely Delivery of Product & Services?
  • As an Employee: Where Do I Fit? How Can I Contribute?
  • In Between Jobs? New Discipline, Founded in IT BUT Broader
Business Continuity Management will:
  • Focus on Business Activities
  • Identify WHICH Vulnerabilities Must Be Addressed, Not ALL
  • Analyze How Value is Created and Maintained in an Organization
  • Be a Discipline That Does NOT Go Away
      - Business Evolves
      - Company Organizations Change
      - Technology Accelerates Work Processes
      - Customers Migrate
      - Products are Added, Improved and/or Die
  • Emphasize the Need for Resilience in Business Processes
  • Be Applicable to Any Company

Slide 6
Business Continuity
Evolution of Business Continuity
1970s: Disaster Recovery Sites
  • DP / MIS
  • Tactical in Nature
  • Hard to justify significant investment for an event you hope never happens
1980s: Business Impact Analysis
  • Shift the focus to the Impact on Business
  • Broaden the scope to include business risks and operational interruptions
1990s: Drop the Reference to DR
  • Rebrand to Business Continuity, more upbeat than recovery
  • Standards evolving - Skill sets coalescing
  • Certifications emerged
  • Y2K demonstrated dependence on single points of failure / single supplier
2000s: Codifying BCM (Business Continuity Management)
  • Part of the Family of Management Systems standards
  • PAS56 in UK, NFPA 1600 in US, Handbooks in Australia and Asia
  • Regulators: FSA in UK, APRA in Australia, Federal Reserve in USA
  • Then 9/11 Brought Business Continuity to the forefront
  • National Standards and ISO 22399

Slide 7
Business Continuity Objectives
Business Continuity Defined
Business Continuity Management (BCM) is a holistic process that identifies potential threats to an organization and the impact to business operations that those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, organizational reputation, brand and value-creating activities.
Objective: Sustain Operations Through Non-Specific, Uncontrolled Environmental Events
  • Prepare for the impact of interruptions in Power, Flood, Storms, whatever
  • Ensure the survival of the organization, protect its assets and control financial loss
  • Minimize losses TO customers and the loss OF customers
  • Facilitate the resumption of operations
  • Provide for the safety of personnel and public before, during & after a disruption

Slide 8
Business Continuity Lifecycle
[Figure: Business Continuity Lifecycle from Business Continuity Institute]

Slide 9
Transformational Consulting
Business Continuity
Disaster Recovery is an IT Process
Business Continuity Protects the Business
BIA: Business Impact Analysis
  • Assesses Time-Critical Processes Across the Organization
  • Determines RTO / RPO for Each Process
  • Ranks the Processes by Urgency
  • Defines the Prioritized Recovery Path
BCP: Business Continuity Plan
  • Strategic BCP: Sr. Management & Incident Management Team
  • Tactical BCP: Line Management for Delivery of Products & Services
  • Operational BCP: Staff level Execution of Specific Recovery Steps
Business Continuity provides the organization with the capability to continue to deliver the products & services essential to the existence of the firm.

Slide 10
Business Continuity Management Lifecycle
BUSINESS CONTINUITY MANAGEMENT Program Progression:
  • Understanding the Organization: Create the Policy & BIA
  • Determining a BCM Strategy: Decide the What, How, When
  • Developing & Implementing a BCM Response: Build the BCPs
  • Exercise, Maintain & Review BCM
  • BCM Program Management
  • Embedding BCM in the Organization

Slide 11
Elements of the MASTER Business Continuity Plan

Slide 12
Elements Supporting the Business Continuity Plan

Slide 13
Hazard Matrix
  • Defines the expected threats that could conceivably occur
  • Projects probability of occurrence and severity to the organization
  • Used by individual Departments to refine the threats they could experience in preparing their specific Continuity Recovery Plans
Matrix columns: HAZARD; Likelihood / Occurrence (Likely, Unlikely); SEVERITY (High, Medium, Low)
Matrix rows:
  • Tornado
  • Flood
  • Air Crash
  • Structural Collapse
  • Disease Outbreak
  • Civil Disorder
  • Train Accident
  • Utility Failure
  • Power Failure
  • Telecomm Failure
  • Major Fire
  • Extreme Weather
  • Terrorist Threat
  • Hazmat
  • Earthquake
  • Active Shooter
  • Public Assembly Emerg
  • Hostage Situation

Slide 14
BIA: Business Impact Analysis
Factors In Calculating Impact
  • Value of the Asset (Function)
  • Overall Impact if Asset is Lost
  • Tangible Impact
      - Reduced Productivity
      - Increased Expense
      - Delay in Collecting $
      - Reduced Income
      - Fines / Penalties
      - Loss of Information
  • Intangible Impact
      - Loss in Reputation
      - Loss in Trust
      - Public Safety
      - Regulatory
      - Competitive Edge
  • Compute Criticality [1-100]
  • Sort to Arrive at Critical Path: Top 10 Processes
  • Score Each Process: Critical, High, Medium, Low

Slide 15
Elements Supporting the Business Continuity Plan

Slide 16
Tactical Continuity Recovery Plans
Department Continuity Recovery Plan - SAMPLE
  • Evacuation and Fire Safety Plan
  • Incident task list to follow
  • Instructions on communications in crisis
  • Emergency GO-BELT makeup
  • Building Wardens
  • Building Evacuation Diagram
  • Department Staff Call List
  • Emergency Services Contact List
  • Alternate locations & staff assignments
  • Critical tasks to execute & task timing
  • Contact list for Key team members
  • Contact list for Key customers (optional)
  • Essential equipment list & software list
  • Supplies list
  • Vendors list
  • Vital records list

Slide 17
Elements Supporting the Business Continuity Plan

Slide 18
Allocation of Departments Across Alternate Sites
Conducted Physical Inspection & Assessment
Inspected Remote Sites
  • Power Reliability
  • Availability of Generator
  • Distance From Corporate
  • Distance From Operations
  • Bathrooms / Kitchen
  • Flooding or Septic Issues
  • Hotels Nearby
  • Food Stores Nearby
  • Parking available
  • Mass Transit Nearby
  • Tables / Chairs
  • # People Accommodated
  • Technology In Place

Slide 19
Allocation of Departments Across Alternate Sites
Allocated Departments to Alternate Sites
  • Departments Across the TOP
  • Facilities DOWN the Side
  • Staff Size: Normal / Emergency
  • Home Location
  • Primary Alternate Site w/ People Count
  • Secondary & Tertiary Site Choices
  • Requisite Upgrades of Technology Noted
  • Total Counts PRIMARY, SECONDARY, TERTIARY Usage (not shown)

Slide 20
Applications Per Department
Inventory Applications Used by Each Department
  • Usage Level: High, Medium, Low
  • Client / Server or Web Based
  • Application Name
  • Departments Used
  • How to Make the Application Available

Slide 21
Elements Supporting the Business Continuity Plan

Slide 22
First Iteration of BCM
Business Continuity Management Lifecycle
  • Understanding the Organization: Create the Policy & BIA
  • Determining a BCM Strategy: Decide the What, How, When
  • Developing & Implementing a BCM Response: Build the BCPs
  • Exercise, Maintain & Review BCM
  • BCM Program Management
  • Embedding BCM in the Organization
INITIAL BC PROJECT OBJECTIVE:
  • Complete a Full BCM Lifecycle
  • Each Step Builds on Previous
  • First Iteration

Slide 23
Business Continuity Maturity Model
Awareness & Effectiveness Increase with Each Iteration
[Figure axes: AWARENESS, EFFECTIVENESS]
  • Improve the Organization's Capability to Deliver Products & Services
  • Improve Organizational Resilience

Slide 24
Embedding Business Continuity In the Organization
GOALS
  • Ensure All Information in the Plan is Verified
  • Ensure All Plans are Rehearsed
  • Ensure All Relevant Personnel are Exercised
BCM Maturity
  • Strive to Embed Business Continuity in the Organization
  • Awareness Initiatives
  • Specialized Training
  • Exercises: Table Top & Full Rehearsals
  • Make BCM inherent in the Organization's Normal Management Processes
After the Initial Iteration [End of Year 1]
  • Review BIAs for Changes in Assumptions
  • Update Department CRPs for Alternate Locations, Department Coordinators, etc.
  • Revisit Dynamic Data in Departmental Documents
  • Verify Status of Lessons Learned from Past Events

Slide 25
Embedding Business Continuity In the Organization
AWARENESS INITIATIVE
  • Ensure Each Department Is Oriented to Business Continuity
  • Identify 15 Metrics Reflecting BCM Awareness & BCM Effectiveness
  • Attributes from Business Continuity Institute's Good Practice Guidelines
Metrics
  • Metric 1: Does Staff know where to go?
  • Metric 2: Does the Staff know what Tools to use?
  • Metric 3: Know what tasks are time-critical?
  • Metric 4: How to notify Next-of-Kin?
  • Metric 5: Incorporate BCP into Process Change?
  • Metric 6: Build BCP in to Job Desc / Perf Appraisal?
  • Metric 7: Outstanding items from previous events?
  • Metric 8: Contact Counseling during Emergency?
  • Metric 9: Arranging for TEMP Accommodations?
  • Metric 10: Dealing w/ Special Needs in Event?
  • Metric 11: Do they Have Updated Dynamic Data?
  • Metric 12: Extra Copies of Dept Recovery Plan?
  • Metric 13: Review BIA for Change in Assumptions?
  • Metric 14: Have they Considered "Sustainable" levels?
  • Metric 15: Have they Engaged 3rd Parties in Exercises?

Slide 26
Embedding Business Continuity In the Organization
AWARENESS INITIATIVE
  • Met with Each Department
  • Reviewed Awareness Attributes
  • Scale of 0 to 75
  • Graphed as -37 to +37

Slide 27
Embedding Business Continuity In the Organization

Slide 28
EXERCISING THE BCP
A BCP Cannot be Considered Reliable Until it is Exercised
Objectives:
  • Develop Competence within the Staff
  • Instill Confidence in their Ability to Execute
  • Impart Knowledge Essential in Time of Crisis
Focus on
  • MAXIMUM Benefit of Exercise
  • MINIMUM Disruption to Business
Types of Exercises
  • Table Top Simulations
  • Full Rehearsals (Evacuate the Building)
Real-Life Exercise Example

Slide 29
Business Continuity Maturity
  • Preparedness Ensured
  • Responsibilities Clearly Assigned
  • BCM Documentation Current
  • Embedding BCM Program in the Organization
  • Activities Able to be Monitored
  • Program Managed Effectively
  • Engage Supply Chain In BC Exercise
  • Continuous Improvement
  • BCM throughout the Organization
  • Demonstrate Effectiveness in Audit

Slide 30
QUESTIONS
Build and Use Your Business Continuity Plan