NEXT GENERATION BUSINESS CONTINUITY EXERCISE PROGRAMEXERCISE PROGRAMDRJ Fall WorldSeptember – 2011

John Linse, Global BC/DR Program Director

1© Copyright 2011 EMC Corporation. All rights reserved.

John Linse, Global BC/DR Program DirectorSam Stahl, Program Manager

Agenda• Synopsis• Definitions / Program Components• Approach

– Assess the Organization and Resiliency – Identify the Gaps – Recommendations

• Exercise and Training – Design– Socialize– Build

Implement

2© Copyright 2011 EMC Corporation. All rights reserved.

– Implement– Track

• Credibility– Measure – Validate

Synopsis“Next Generation Business Continuity Exercise Program”

This presentation will showcase the importance of designing, socializingand implementing a next generation exercise and training program that p g g g p gbetter positions your organization to manage crisis-potential disruptions from preparation to recovery.

- Does your exercise program assess the credibility of contingency plans?- Does your organization have a disciplined notification and assembly process?- Do you integrate public sector participants in your exercise program?- Are your employees aware of their role and responsibilities during a crisis?- How do you increase involvement and support of your senior executives?- How do you develop the next generation of business resilience leaders?

3© Copyright 2011 EMC Corporation. All rights reserved.

Discussion will focus on answering these and many other questions as it suggests a baseline from which to develop your next generation business continuity exercise program.

Definitions / Program Components• Recovery Time Objective (RTO) vs. Recovery Point Objective

(RPO)• Business Impact Analysis (BIA)• Disaster Recovery vs. Business Continuity vs. ICS… • Recovery Program / Continuity Program / Crisis Management

Program• Governance Teams vs. Response Team vs. Recovery Teams• Crisis Management vs. Emergency Management• Emergency Response

4© Copyright 2011 EMC Corporation. All rights reserved.

• Organizational Resilience• SLAs, DOUs, Contracts & Regulations• Creditability / Audit / Review

Approach• Approach

– Assess the Organization and Resiliency – Identify the Gaps

R d ti– Recommendations• Exercise and Training

– Design– Socialize– Build– Implement– Track

5© Copyright 2011 EMC Corporation. All rights reserved.

• Credibility– Measure – Validate

Assess – OrganizationAnnual Report – ABC Manufacturing , CO

REVENUEREVENUE

Computers50%

Peripherials30%

Consulting20% Administration

- R & R - HR- R & R - Sales

6© Copyright 2011 EMC Corporation. All rights reserved.

- Manufacturing- Sales- Services- IT

- Legal- Payroll- Accounting- Help Desk- Education

- Manufacturing- Sales- Services- IT

- IT

Assess – Organization Major Business Facilities

7© Copyright 2011 EMC Corporation. All rights reserved.

Phoenix Greensboro Germany AustraliaMinneapolis Houston Mexico JapanCanada Great Britain

Assess – Resiliency• Existing Recovery Infrastructure

– Organization – Who Owns and Drives Resiliency?– Program – What are the processes and Guidelines?– Plans – What is the Resiliency, Response, and

Recovery Structure?– Exercises – Who and What do you test and How often?– Training – Who do you train on What areas and How

often?

8© Copyright 2011 EMC Corporation. All rights reserved.

Assess – Resiliency• Resiliency

– Current understanding of• Business Impacts• Business Impacts• Risks • Mitigation

– Having put mitigation plans in place– Having comprehensive recovery plans in place

• Corporate or Geographical / LocalEmergency Management

• Geographical / Local

9© Copyright 2011 EMC Corporation. All rights reserved.

• Geographical / LocalEmergency ResponseDisaster RecoveryBusiness Continuity

Assess – Recovery and Response Teams

Corporate Emergency

Management Team

Geographic Emergency

Management Team

Emergency Response Team

Geographic Emergency

Management Team

Emergency Response Team

10© Copyright 2011 EMC Corporation. All rights reserved.

p

Business Unit Business Continuity

Team

Geographic IT / Asset Disaster Recovery Team

p

Business Unit Business Continuity

Team

Geographic IT / Asset Disaster Recovery Team

Assess – Recovery and Response Plans Response Overview

NaNational Crisis Management TeamNational Incidents

Executive Crisis ManagerSenior Leadership

Team

Regional Crisis Management TeamRegional Crisis Manager / RVP

Regional/LocalIncidents and

Outages

Emergency ResponsePlans

Incident Management Plans

Business Unit / IT

Recovery Plans

People & Property Impacts Network & InfrastructureImpacts

Business Unit Impacts

11© Copyright 2011 EMC Corporation. All rights reserved.

People

People BuildingsTechnical BuildingsRetail Stores

People Buildings Data Centers DR CTRs Comms Critical Business Processes

Outages/Escalations for:Information TechnologyNetwork ServicesData DistributionData Replication

Maintain Product and Services DeliveryMaintain Billing ProcessFund Bank Accounts/Pay EmployeesManage Reputation and Brand ImpactManage Internal and External Communications

Assess – Risks• Facility or Building

• People or staff

• Technology

• Machinery

• Transportation

• Critical Records

Suppliers (or Supply chain)

12© Copyright 2011 EMC Corporation. All rights reserved.

• Suppliers (or Supply chain)

Assess – Exercise Program• What kind of exercises do you run?

– IT Disaster Recovery: Application, Data Center, Enterprise– BC Business Unit: Business Unit, Location, Regional, Enterprise

E R B i U it L ti R i l– Emergency Response: Business Unit, Location, Regional, Enterprise

– Emergency Management: Location, Regional, Enterprise

• Does your exercise strategy reflect back to the:– Plans, teams,– Revenue , – Business Impact Analysis, and

13© Copyright 2011 EMC Corporation. All rights reserved.

– Risks?

• Is your exercise strategy aimed at proving that your recovery program provides resiliency based on key business factors?

• How do you measure it?

Assess –Exercise Program: Who Participates?

• Crisis Management Team

• Response Teams• Business Unit

Other Teams / Agencies /Organizations

Participation or due diligence Handicap employeesNon-recovery team employees

Operations Technology

Business

TeamsNon recovery team employeesPolice: Town, County, State,

DOC, otherFireHospitalsOffice of Emergency

ManagementMilitaryRegulatorsFEMAStrategic VendorsStrategic Customers?Post Office

14© Copyright 2011 EMC Corporation. All rights reserved.

Risk• Information

Technology Support Teams

Other Support Teams, such as Facilities, HR, Finance, Corporate Communications

School officialsOther private companies

Assess – Training Program• What kind of training do you hold?

– IT Disaster Recovery: Application, Data Center, Enterprise– BC Business Unit: Business Unit, Location, Regional, Enterpriseg– Emergency Response: Business Unit, Location, Regional,

Enterprise– Emergency Management: Location, Regional, Enterprise

• Does your training strategy reflect back to the:– Exercises, Plans, teams,– Revenue ,

15© Copyright 2011 EMC Corporation. All rights reserved.

– Business Impact Analysis, and – Risks?

Conclusions & Recommendations• Develop conclusions and Recommendations based on the

research findings outlined above:Geographical– Geographical

• Security• Crime• Social Unrest• Quickly changing regulations

– Supply Chain– Financial

Operational

16© Copyright 2011 EMC Corporation. All rights reserved.

– Operational– Etc. based on actual findings

Next Steps – Exercise and Test Strategies• Design• Socialize• Build• Implement

17© Copyright 2011 EMC Corporation. All rights reserved.

Credibility• Measure

– Develop measurements based on the resiliency i trequirement

– Tie back to ROI– Review measurement strategy with stakeholders

• Track– Document all measurements based on resiliency

requirements

18© Copyright 2011 EMC Corporation. All rights reserved.

requirements• By business unit, revenue stream, critical infrastructure, critical

products, etc.– Track risk mitigation issues identified by exercises

THANK YOUJohn Linse, Global BC/DR Program Director, john.linse@emc.com847 903 5246

19© Copyright 2011 EMC Corporation. All rights reserved.

847-903-5246

Sam Stahl, Program ManagerSamuel.stahl@emc.com303-810-4806