Enabling a Comprehensive Business Continuity Strategy
Lauret Howard
CEO, Watchtower Consulting
Chief Risk Officer, Retired, NASCO
Learning Objectives
At the end of this session, you will:
• Learn how to apply the ASP framework to complete a risk analysis and prepare a plan to limit business interruption
• Understand how to drive employee adoption of a business continuity program
• Hear about lessons learned from NASCO’s work to create and continuously improve its comprehensive business continuity strategy
NASCO Profile
• NASCO the Company
• NASCO Services and Delivery
• NASCO Infrastructure
• Locations
• Associates
• Contingent Workers
Business Continuity Defined
Business Continuity: the capability of an organization to respond to and recover from business interruption, keeping all essential aspects of the business functioning despite significant disruptive events.
Disaster Recovery: the capability that enables the recovery or continuation of vital technology infrastructure and systems following a disaster.
Enterprise Risk Management: the capability of an organization to identify, assess, monitor and report major risks that could impede or negatively affect the achievement of the organization's strategic goals and operational objectives.
Business Continuity Framework
An Event triggers four related plans:
Emergency Response Plan (ERP)
• Fire
• Tornado
• Bomb Threat
Crisis Management Plan (CMP)
• Event Response
• Impacts
IT Disaster Recovery Plan (DRP)
• IT Systems
• Network
• Ransomware
Business Continuity Plan (BCP)
• Time Driven Response
• Site Impact
• Business Disruption
Adapted from ChainLink Research
Business Continuity – Why?
Stuff Happens
• Continue business operations
• Protect associates and contingent workers
• Protect company assets
• Comply with government regulations
• Obtain certifications
NASCO’s Business Continuity Journey
Business Continuity Model
• Business Impact Analysis
• Business Continuity Plan
REMEMBER: THIS IS SURVIVAL, NOT BUSINESS AS USUAL!!
Policy and Program Management
• Identify scope of the BCM program
• Define governance
• Assign roles and responsibilities
• Establish project and program management
• Manage documentation
• Document BCM policy
◦ Purpose of BCP
◦ Organization accountabilities
◦ BCP Team members and roles
◦ Annual tabletop requirement
◦ Crisis Management Team
Impact Analysis by Division
General Financial Impacts and Exposures
Assume your work area is totally inaccessible and other departments have been similarly affected. What financial impacts and exposures would the company face?
• None
• Lost Revenue
• Penalties
• One Time Expense
• Maintaining Service
• Recovery of Lost Transactions
• Backlog Business Functions
• Other Impact (explain)
Impact Analysis by Division
Revenue
• What revenue is this department directly responsible for producing?
◦ Daily amount
◦ Weekly amount
◦ Monthly amount
• Does the department regularly experience any peak revenue or volume period, or any other critical period?
• Are there particular times of the day/month/year that are more critical to your department?
Customer Service
• Does this department interface directly with end customers?
• If so, how many customer contacts occur daily, weekly, or monthly?
• What is the nature of those contacts?
• If the department provides critical customer service, what adverse effect on operations or customer service would likely occur should this process not be available?
• Does this department indirectly influence the customer experience? If so, how?
Impact Analysis by Division
Operations
• What business decisions, if any, are based on the information provided by this business function(s)?
• How does the absence of functions performed by this department affect the management and control of the division? The entire organization?
• How long could this department's functions be absent before the ability to continue operating the division is critically impacted? The entire organization?
• Are there any penalty payments or costs that would be incurred should this function(s) be unavailable (e.g., lawsuits)?
• Would the absence of this department's function(s) result in adverse publicity for the organization? (Explain why this is critical.)
• What is the degree of disruption to third parties? What is the financial or dollar impact?
• What times of the year would a significant outage have the most impact on your business unit?
Impact Analysis by Division
Work Received
• List the departments/functions, in-house central computer systems, data processing service bureaus, or other organizations from which your unit receives work
• Of the total amount of incoming work your unit receives, what percentage comes through each of the routes below?
Work Sent
• List the units, in-house central computer systems, data processing service bureaus, or other organizations to which your unit sends completed work or information
• Of the total amount of outgoing work your unit produces, what percentage is sent through each of the routes below?
Routes:
❑ US mail
❑ Telephone or fax
❑ Interoffice mail
❑ Courier (FedEx, UPS, etc.)
❑ Online information from internal computer systems
❑ Reports generated from internal computer systems
❑ Online information from external data processing services
❑ Reports generated by external data processing services
Impact Analysis by Division
Regulatory/Legal Issues
• Are there any reporting requirements or deadlines that would be affected by a delay in or loss of the services your unit provides?
• Would a delay in or loss of service result in any fines or penalties?
◦ List the regulations
◦ Describe the conflict
◦ Describe possible consequences (e.g., penalties)
• Will a delay in or loss of the services your unit provides result in possible legal liability, damages, or other public harm?
◦ List the legal issue
◦ Describe the conflict
◦ Describe possible consequences (e.g., penalties)
Impact Analysis by Division
Extraordinary Expenses
• Estimate the extraordinary (unbudgeted) expenses that your business unit will incur if you must perform your mission critical function(s) manually or in a substitute manner during a significant outage
• What expense factors comprise your estimate of the extraordinary expenses?
❑ None
❑ Rental/Lease Equipment
❑ Outside Services
❑ Wages Paid to Idle Staff
❑ Temporary Employees
❑ Temporary Relocation
❑ Overtime
❑ Emergency Purchases
❑ Other, please explain
Impact Analysis by Division
Application List
• What are the critical systems/applications this department depends upon to perform its functions?
• How soon must they be recovered following a disaster?
Critical Applications – RTO (one answer per application, using these recovery-time buckets):
Immediate | 4 hrs | 12 hrs | 24 hrs | 48 hrs | 72 hrs | 96 hrs | 1 wk | > 2 wks
Business Impact / Application Dependencies (note for each application)
Impact Analysis by Division
Minimum Acceptable Recovery Configuration
• The Minimum Acceptable Recovery Configuration specifies the estimated number of each resource necessary to restore essential operations
Columns: Item | Normal Level | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4
Items:
• Personnel
• Remote
• Desk/Chairs
• Desktop Computer
• Notebook Computer
• Local Printers
• Network Printers
• Copiers
• Fax
• Filing Cabinets
• Tables
• Special Forms
• Other?
Design of BCP
• Consolidate BIAs
◦ Conduct a 'reasonability' check
• Determine strategies and tactics
◦ Recover critical functions
◦ Identify threat mitigation measures
◦ Define incident response structure
◦ Determine who makes the decisions
• Identify incident response structure and create project plan for implementation using scenario analysis
◦ Diversify
◦ Replicate
◦ Post-incident acquisition
◦ Do nothing
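The BIA consolidation and 'reasonability' check described in this slide, together with the RTO buckets from the Application List questionnaire earlier, as an added example that is not part of the original deck or of NASCO's program. The division names, applications, dependency map and RTO answers are constructed sample data, and the rule it checks (an application's RTO cannot be tighter than the RTO of anything it depends on, and every dependency must have an RTO from some division) is the editor's illustration of what a reasonability check looks for, not a criterion the deck states.

```python
"""Consolidate per-division BIA answers into one application RTO list and
flag RTO claims that are unreasonable given application dependencies.

Added example, not from the original deck. All division names, applications,
dependencies and RTO answers below are constructed sample data.
"""
from dataclasses import dataclass

# RTO buckets from the BIA questionnaire, expressed in hours.
# 'Immediate' is treated as 0; '> 2 wks' is given 336 h for ordering only.
RTO_BUCKETS = {
    "Immediate": 0, "4 hrs": 4, "12 hrs": 12, "24 hrs": 24, "48 hrs": 48,
    "72 hrs": 72, "96 hrs": 96, "1 wk": 168, "> 2 wks": 336,
}


@dataclass
class BIAResponse:
    """One division's answer to 'how soon must each application be recovered?'"""
    division: str
    app_rtos: dict  # application name -> RTO bucket label from RTO_BUCKETS


def consolidate(responses):
    """Return {application: {"rto_hours": h, "driven_by": [divisions]}} using the
    tightest RTO any division claimed; an unknown bucket label raises KeyError."""
    consolidated = {}
    for response in responses:
        for app, label in response.app_rtos.items():
            hours = RTO_BUCKETS[label]
            current = consolidated.get(app)
            if current is None or hours < current["rto_hours"]:
                consolidated[app] = {"rto_hours": hours, "driven_by": [response.division]}
            elif hours == current["rto_hours"]:
                current["driven_by"].append(response.division)
    return consolidated


def reasonability_check(consolidated, dependencies):
    """Flag applications whose consolidated RTO is tighter than that of something
    they depend on, and dependencies that no division gave an RTO in any BIA.
    dependencies: {application: [applications it needs to function]}."""
    findings = []
    for app, deps in dependencies.items():
        if app not in consolidated:
            continue  # nobody claimed this app as critical; nothing to check
        app_rto = consolidated[app]["rto_hours"]
        for dep in deps:
            if dep not in consolidated:
                findings.append(f"{app}: dependency {dep} has no RTO in any BIA")
            elif consolidated[dep]["rto_hours"] > app_rto:
                findings.append(
                    f"{app}: RTO {app_rto}h is tighter than dependency {dep} "
                    f"({consolidated[dep]['rto_hours']}h)"
                )
    return findings


# Constructed sample data (hypothetical divisions and applications).
SAMPLE_RESPONSES = [
    BIAResponse("Claims Processing", {"Claims Engine": "4 hrs", "Email": "24 hrs", "Identity/SSO": "48 hrs"}),
    BIAResponse("Customer Service", {"Call Center CRM": "Immediate", "Email": "12 hrs"}),
    BIAResponse("Finance", {"General Ledger": "72 hrs", "Time Tracking": "1 wk"}),
]
SAMPLE_DEPENDENCIES = {
    "Claims Engine": ["Identity/SSO", "Network/WAN"],
    "Call Center CRM": ["Identity/SSO", "Email"],
    "General Ledger": ["Identity/SSO"],
}

if __name__ == "__main__":
    rtos = consolidate(SAMPLE_RESPONSES)
    for app, info in sorted(rtos.items(), key=lambda kv: kv[1]["rto_hours"]):
        print(f"{app:16s} RTO {info['rto_hours']:>4}h  driven by {', '.join(info['driven_by'])}")
    for finding in reasonability_check(rtos, SAMPLE_DEPENDENCIES):
        print("CHECK:", finding)
```

Each finding points at one of two conversations the BCP team has to have before the plan is designed: either the division with the tight RTO has overstated its need, or the shared dependency (here the hypothetical Identity/SSO service, which nobody rated tighter than 48 hours) needs a tighter RTO than any single division asked for, and the recovery strategy has to be funded accordingly.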
Design of BCP
BCP Hosted Service
• Store and retrieve BCP and BIA
• Set up a database of NASCO associates and contractors with alternate email and cell phone contact information
• Create standard text messages and emails to send in case of an event
• Incorporate into communication, training and the annual table top exercise
• Includes sample table top exercises
• Provides consulting support
Design of BCP
Table of Contents
1. Response/Recovery Flowchart
2. Preplanned Recovery Strategy – Summary
3. Team Roles, Responsibilities and Contact Information
4. Specific Recovery Scenarios and Associated Tasks
◦ Loss of Workplace
◦ Loss of IT Supporting NASCO Offices
5. Recovery Requirements
6. Work Resumption Procedures
7. Appendix
◦ Management Team Members
◦ Reference Materials for Recovery of Offices
◦ Administrative Information
Response/Recovery Flowchart
1. Initial Response
• Evacuate or shelter in place
• Notify Public Authorities
• Notify Damage Assessment Team
2. Damage Assessment
• Determine notification protocol
• Conduct onsite evaluation
• Determine extent of impact
3. Declare Disaster?
If No:
• Situation contained, resolved, documented
• Communication distributed
• Document lessons learned
If Yes:
4. Assess Damage
• Determine extent
• Establish command center
• Notify Executive Team
• Notify Recovery Team Leaders
5. Activate IMT
• Move to alternative recovery site
• Provide ongoing support
6. Initiate Division BCP
Initial Design Test of BCP
What We Learned: Loss of Office
Actions Taken:
• Email and Time Tracking moved to cloud solution
• Corporate Systems moved to co-lo
• Created and tested DR plan
What We Learned: Adequacy of Insurance Limits
Actions Taken:
• Increased limits for personal property
What We Learned: Scenarios dependent on recovery time
Implementation
• Execute the project plan created in the design phase
• Incorporate awareness and knowledge sharing
• Ensure adequate resource assignment and funding to complete the plan
• Items to consider
◦ Adequate insurance for lost revenue, additional expenses, legal fees, crisis communications
◦ Communication to customers and suppliers
◦ Contractual obligation of suppliers to have a BCP and test it no less than annually
Validation
• Use table top exercise
◦ Created by BCP team
◦ Conducted with Senior Staff
• Include outside participants as required
◦ Property Manager
◦ Property Security Staff
◦ Observer and Recorder
• Provide recap and action plan
• Include action plan in the following year's business plan
• Revisit each scenario every 3 years
Staffing and Funding Requirements
• Governance and BCP Team
◦ 1 BCP owner: 500 hours/year
◦ Executive Sponsor: 40 hours/year
◦ IT: 60 hours/year
◦ Crisis Management team: 10 hours/year
• Funding
◦ BCP Hosted Environment and Consulting Support: $10,000 - $25,000/year
• Training
◦ Development: included in staff hours
◦ Content and Test: .5 hours/year
Adoption and Buy In
Executive Sponsorship
• Include senior leadership and key participants in table top exercises
• Analyze results
• Identify improvements and create action plan for following business cycle
Communication
• What and why
• Preparis connection test
• Badge insert
• Posters in break rooms and near copiers
• National Preparedness Month – September
• Business Continuity Awareness Week – May
Reinforce Importance
• Completion of Business Impact Analysis included in leaders' performance objectives
• Business Continuity Program training tied to compensation
Lessons Learned – Tornado
• Loss of access to property
• Personal property insurance
• Corporate systems moved to co-lo
• Corporate systems DR created and tested as part of annual DR test
• Weather app downloaded to cell phones
• Weather radio for key staff
• Walkie-talkies and batteries for key staff
Lessons Learned – Armed Intruder
Active Shooter Preparation
• Local police meeting and walk through
◦ Run/hide/fight
◦ Safe rooms
◦ Panic button
◦ Camera configurations
• Property Manager and Security Staff had no plan
• Crisis communication test
Table Top Outcomes
• Ensure appropriate staff are alerted prior to the table top
• Crisis communication training
• Property Management exercise
◦ Hide/fight
◦ Solid safe rooms/doors
◦ Use of frosted glass
• Items kept in safe rooms to fight with
Lessons Learned – Power Outage
• Understand power grid
• Role of Property Management
• Time to power down systems
• Badge reader issue
◦ Trapped inside office space
◦ Required upgrade and reconfiguration of badge reader system
• Able to use tornado loss-of-access-to-property plan and lessons learned from Hurricane Sandy scenario
Lessons Learned – Snowmaggedon 2014
Situation
• Mid-day snow/ice storm
• Relied on school closure announcement
• Entire city left to go home at the same time
• No metro-wide preparation
Changes
• VP/HR and CRO make the call
• Communicate to staff in advance of office closing
• Remind associates of work from home requirements
• Remind associates of car emergency kit
Resources – Free
Homeland Security – www.ready.gov
Business Continuity Institute – www.thebci.com
Run, Hide, Fight – www.youtube.com/watch?v=5VcSwejU2D0
Federal Emergency Management Agency – www.fema.gov
Financial Industry Regulatory Authority – www.finra.com
Centers for Medicare and Medicaid Services – www.cms.gov
National Fire Protection Association – www.nfpa.org
Local law enforcement web sites
Google 'Business Continuity Plan'
Lauret Howard – [email protected]
Take Away