Business Continuity Planning
Is Your Company Prepared?
Definitions
Business Continuity
The process of returning essential services to an acceptable level of operation after a
disaster.
Business Continuity Plan
A set of arrangements and procedures which enable an organization to respond
to a disaster and resume its critical operations within a defined time frame.
Plan Objective
The primary objective of a Business Continuity Plan is to identify what needs to
be accomplished immediately after a disaster strikes.
Why Have A Plan?
• Responsible thing to do
• Post 9/11
• How long can you survive?
• How much does it cost per day?
• Audit requirement, Federal & State Regulations
• Customers, Alliances, Partnerships
• High cost of insurance and carrier requirements
• It makes good business sense
Statistics
Costs of recovery are significant. Studies show that:
40% of Fortune 1000 companies will not be in business two years after disaster strikes, if not properly prepared.
Survey shows effects of August blackout on US IT systems
Among those data centers affected by the outage, there were negative economic effects:
• 2% report that they lost more than $10 million as a result of the outage
• 1% report losses of between $5 million and $10 million
• 3% report losses between $1 million and $5 million
• 7% report losses between $500,000 and $1 million
• 10% report losses of $100,000 to $500,000
Courtesy: Continuity Central, www.continuitycentral.com
TYPES OF DISASTERS
The Recovery Plan
A Business Continuity Plan is NEVER a finished document – it evolves as business
changes and improves over time.
It is not expected to be “perfect” or “complete” at any point in time.
Do Your Business Recovery Initiatives Satisfy…
• Auditors?
• Investors?
• SEC, IRS, HIPAA
• Clients?
• Employees?
Getting Your BCP Plan Started & Sold
Challenges to Implementation
• Scope of the project seems daunting
• Many groups involved - decisions difficult
• Not viewed as a priority to others
• Limited risk perceived (probability low)
• Budget, budget, budget
• Time, time, time
• Procrastination
What to do? Something!
If there are limits - use a phased approach to build momentum
Scale project based on available $, interest & business need
Although BCPs can be very sophisticated, fundamentals are basic
Get something going
Getting the Plan Going
• Establish a corporate mindset that incorporates Business Continuity Planning into daily work life
• Common issue for all companies
• Objective: begin the dialog
• Builds on existing work/groups (safety committee, HR dept, risk management)
• Solidify plan foundation & improvement cycle
Do the basics
• Ensure your people are cared for & prepared (work & promote family preparedness - emergency kits, contact info, evacuation plans)
• Care for safety & security needs
• Define emergency roles & teams
• Develop a communications plan
• Establish recovery checklist
Complete a high-level Business Continuity Plan
Formal or informal as is appropriate for your business situation & budget
Frame understanding for your company - for the word “disaster” (Level 1, 2, 3)
Identify essential functions & stakeholders (government, customers, children/parents)
Develop basic recovery
Plan, Implement, Practice Test & Improve
Written word memorializes the work effort & decisions, creates ability to update plan
• IMPLEMENT!
• Practice & test
• Incorporate lessons learned
• Revise & update the plan
Getting Started is just the Beginning
• Establish a corporate mindset that incorporates Business Continuity planning into daily work life
• Do the basics (security, safety, roles)
• Complete a contingency planning analysis, develop critical operations recovery
• Plan, Implement, Practice, Test & Improve
Selling the concept of BCP
• Vow of secrecy (next time sales calls)
• Determine situation & your authority
• BCP required (regulation, market forces)
• Authorize or recommend?
• If Authorize - evaluate needs of business & complete a comprehensive BCP
• Top down usually easier, or consider...
Mini Sales Lesson
First: Be clear on your objective
• Objective doesn’t need to be $150K
• Consider steps to the process
• Objective might be:
  - get topic on the managers meeting agenda
  - funding for 10 PCs for remote access
  - agreement that admin does the emergency call list
Identify decision-makers & stakeholders
Start with organization (IT, PR, HR, Risk Management, CFO) & Customers
Consider who you’d call in an emergency - your customers, employees, family
People with influence (+/-) can be very powerful
Write the names down
Consider objective from the perspective of decision-maker
• Ask why does it matter to THEM?
• What advantage does it offer THEM?
• What does it cost THEM?
• Intangibles (politics, personalities)
• This is the KEY - determining need
• What if the person has no need?
Develop a plan to introduce your idea
• Consider your approach
• Evaluate formal/informal
• Person/person, indirect, a “meeting”
• Don’t discount ROI & business logic - it can be a simple problem
• Determine timeframe to complete step
Build common understanding of the business need
• As you discuss BCP, LISTEN
• Let people offer their suggestions, point of view
• Don’t have to build consensus, don’t necessarily have to talk to everyone
• Key: Build agreement on business need
• Acknowledge concerns, frame w/i scope of business needs (deal with objections)
Advance to the next step
Ask for … the funding, a meeting, expand the intranet site
Use the understanding you’ve developed to move forward
Acknowledge objective & limits or boundaries
Begin again, with the next need
Provide positive feedback
• Make sure the good work is recognized
• Helps you build on the success
• Rewards the participants
• Establishes common ownership - supports company’s BCP mindset
• Keeps the team going - practice, test ...
• Manages “second guessing” the project
Getting BCP Approved
• Be clear on your objective
• Identify decision-makers/stakeholders
• Consider your objective from the perspective of each decision-maker
• Develop a plan to introduce your idea
• Build common understanding of need
• Advance to the next step
• Provide positive feedback
Building The Business Continuity Plan
Business Continuity Process
• Business Impact Analysis
• Risk Assessment
• Risk Management
• Risk Monitoring
FFIEC BCP Booklet: http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
Business Impact Analysis
Determines possible threats to business continuity and possible impact on the institution and the system
Should include analysis of:
• Impact of uncontrolled, non-specific events on business processes and customers
• All critical business functions and departments
• Maximum allowable downtime and acceptable levels of data, operations, and financial losses
BIA—Business Processes
Establish recovery priorities for business processes
Identify:
• Essential personnel
• Technologies
• Facilities
• Communications systems
• Vital records and data
• Legal and regulatory requirements
BIA—Departments
Each department should document mission critical functions
Consider answering questions like:
• How would the department function if mainframe, network, and/or Internet access were unavailable?
• What single points of failure exist and how significant are they?
• What are the critical outsourced relationships and dependencies?
Risk Assessment
“Stress-test” business processes and BIAs using various threat scenarios
Prioritize potential business disruptions based on:
• Severity of occurrence
• Likelihood of occurrence
Analyze threats based on impact to your company and customers
Risk Assessment—Threats
Malicious Activity
• Fraud, theft, sabotage, terrorism, etc.
Natural Disasters
• Fire, floods, severe weather, earthquakes, etc.
Technical Disasters
• Communications failure, power failure, software or equipment failure, etc.
Interdependencies
• Telecommunications infrastructure, third parties, etc.
Risk Management
Develop written enterprise-wide plan after BIA and risk assessment—the BCP
Make sure it:
• Is written and distributed to all relevant personnel
• Specifically states what immediate steps should be taken during a disruption
• Is effective in minimizing service disruptions and financial loss
• Etc.
Risk Management—BCP Components
Personnel
• Decision-making succession, leadership responsibilities, etc.
Technology
• Hardware, software, communications, etc.
Data Center Recovery Alternatives
• Hot site, cold site, geographic diversity, etc.
Back-up and Storage Strategies
Facilities
Communications
Risk Monitoring
Ensures BCP is viable through testing, independent review (audit), and periodic updating
Make sure you:
• Develop a test plan and Test your BCP!
• Analyze results
• Update BCP as necessary
Insurance Integration
Drivers
• Responsibility to employees and business
• Post 9/11
• Financial impact and loss of market share
• Audit requirement and regulations
• Customers, Alliances, Partnerships
• Perceived as competitive edge
• High cost of insurance and carrier requirements
What are the Insurance Issues?
• Insurance carriers were impacted by 9/11
• Stock market downturn has reduced profits
Effect on Insurance carriers:
• Increased premiums
• Emphasis on risk control to reduce losses
Companies are:
• Reducing coverage
• Self-insuring some areas of their business
• Enhancing Business Continuity programs
Risk Management Emphasis
What are the risks and threats?
• Internal
• External - third parties
Review type of coverage
• What are some of the uninsurable risks?
• What can be mitigated with BCP plans?
The Approach
Holistic view of BCP program that integrates:
• Risk control
• Emergency Response
• Crisis Management
• Business Continuity
• Claims Management
Risk Management approach that evaluates risks, costs, uninsurable items, and mitigation methods
Plan for impacts and minimize downtime
Phased approach (diagram):
1. Pre-Planning, Risk Control - “Prevent/Mitigate”
2. Emergency Response - Incident (0 - 1 hr.) - “Stabilize”
3. Crisis Management - (1 hr. - 3 days) - “Communicate”
4. Business Continuity - (2 days - mos.) - “Recover”
5. Claims Management - (2 days - ) - “Restoration”
Incident Examples:
• Terrorists
• Network Intrusion
• Virus Attacks
• Human Error
• Fire, Explosion, Earthquake, Tornado, Flood, and Other Natural Disasters
• Medical Crisis
• Hazardous Material Spill
• Theft, Vandalism
• Bomb Threat
• Kidnap and Ransom
A BCP may help keep property insurance premiums below market costs
A BCP program can contain uninsured loss costs
Identify the need for insurance coverage that can not be mitigated by a BCP program
What are the Cost Issues?
Implement BCP organizational structure
Establish Corporate Support Team
Conduct scenario based exercises to train employees and executives
Minimize Downtime