Continuity Planning 101

An Introduction to Business Contingency Planning for the New Planner

You can download additional resources here: https://intrustcloud-my.sharepoint.com/personal/tim_rettig_intrust-it_com/_layouts/15/guestaccess.aspx?guestaccesstoken=H62iIK9BNH6l%2fLt%2bxDK4AXZhOHk%2fpu3rQ%2fl84I6ijd4%3d&docid=0c3b81a446d4c42f9bedff529b6b413c1

1

Continuity Planning 101

An Introduction to Business Contingency Planning for the New Planner

2

Welcome to Business Continuity Planning

BCP

Feeling Overwhelmed?

Business Functions

Emergency Notification Lists

Alternate Sites

Recovery Plans

Testing

Recovery Priorities?

Risks

Business Impact

Emergency Response

Threat Assessments

3

Lessons Learned from 9/11

• Testing was the key to the success of the recovery
• Critical operations in a single site are bad business
• We don't have problems by business, we have problems by building
• Transportation was a major issue in the first few days
• Incomplete/inaccurate inventories made insurance claims difficult
• People do not want to travel away from their families
• Very few business operations stand alone
• Voice is harder than data to recover
• Some of our vendors were in trouble too
• The devil is in the details

4

1993 WTC

5

Lessons Learned from Hurricane Sandy

• Testing was the key to the success of the recovery
• Upper floors don't equate to recovery
• Remote recovery can be problematic
• Transportation was a major issue in the first few days
• People do not want to travel away from their families
• Very few business operations stand alone
• Hotel lost power
• Food and water
• Some of our vendors were in trouble too
• Long term planning is an issue

6

The Planning Process

General Plan Information

7

Don’t get caught without a plan

8

Approach

Loss of Building

Loss of Systems

Loss of Staff

Loss of Critical Vendors

9

Project Initiation and Management

• Defining Project Scope, Objectives and Assumptions
• Estimating Project Resources
• Obtaining Management Commitment
• Defining Project Timeline and Identifying Major Milestones
• Identifying Project Deliverables

10

Sample Program Requirements

Deliverable - Due date
Emergency Notification List - Quarterly
Business Functions / Resource Requirements - Semi-Annually
Business Resumption Plans with sign-off - Annually
Training & Awareness - Quarterly
Vital Records Program - On-going
Technology Reviews - Annually
Strategy for loss of site/systems - Annually
Procedures for loss of site/systems - Annually
Call Tests - Semi-Annually
Walk-Through Exercise - Annually
Simulated or Actual Exercise - Semi-Annually
Systems Loss Test - Annually

11

Phased Approach

• Emergency Notification List
• Identifying the functions
• Business Impact Analysis and Threat Assessment
• Strategy Development
• Alternate Site selection and planning
• Vital records backup and recovery
• Plan Development
• Testing, maintenance, update

12

Business Functions

Make a list of all Business Functions and managers

Conduct interviews with all business function managers

Work with managers to identify loss potential of not performing the function

Determine recovery timeframe to meet the business or regulatory requirements governing that function

13

Business Impact Analysis

• Description of the function or process
• City/State/Building: primary location where the work is performed
• Applicable mail zones
• Category or type of business (financial, phone operations, security, IT)
• Headcount: full-time and contingency
• RTO
• Function type (Operational, IT Support, Emergency)
• Owners
• Shifts
• Impacts (Financial, Customer, Legal/Regulatory, Contractual). How will you rank these?
• Primary and Secondary recovery strategies
• How are your computers imaged?
• Last time the BIA was updated/reviewed

14

Technology

Document all technology used to support the business functions
» Hardware platform
» Application owner
» Location of hardware/application/data
» Recovery strategy

15

Interdependencies

It is critical that the internal and external dependencies for the business function be understood and documented
» Inputs to the function and where they come from
» Outputs of the function and where they go to
» System/Application dependencies

16

Dependencies

Vendor and Application
» Determine business RTO for each
» Mitigation and control strategies
» What is the biggest impact?
» Is an action plan needed?
» Will the business accept the risk?
» Do they need to follow up?
» Is there another provider? A workaround?
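The BIA, Interdependencies and Dependencies slides above describe an inventory of functions with an RTO and ranked impacts, each tied to the applications and vendors it needs. The script below is an added example (not part of the deck) of turning that inventory into the three outputs the slides ask for: a recovery order, a check that no function has been given an RTO shorter than the RTO of something it depends on, and a list of dependencies shared by several functions with no alternate provider. The function names, RTO values, impact scores and the tier thresholds are constructed assumptions for illustration.

```python
"""BIA inventory helpers: recovery priority, dependency RTO gaps and shared
single points of failure. Added example; all sample data is constructed."""
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    owner: str
    rto_hours: float                 # recovery time objective agreed with the owner
    impact: dict                     # Financial/Customer/Legal/Contractual, each 0-3
    depends_on: list = field(default_factory=list)   # applications and vendors


@dataclass
class Dependency:
    name: str
    kind: str                        # "application" or "vendor"
    rto_hours: float                 # how quickly the provider commits to be back
    alternate: bool = False          # another provider or a workaround exists


def impact_score(fn: BusinessFunction) -> int:
    """Simple ranking of the four impact categories: sum of the 0-3 scores."""
    return sum(fn.impact.values())


def priority_tier(fn: BusinessFunction) -> int:
    """Assumed tier bands: tier 1 = must be back within a day or has critical impact."""
    if fn.rto_hours <= 24 or impact_score(fn) >= 9:
        return 1
    if fn.rto_hours <= 72:
        return 2
    return 3


def rank_functions(functions):
    """Recovery order: shortest RTO first, highest impact breaks ties."""
    return sorted(functions, key=lambda f: (f.rto_hours, -impact_score(f)))


def dependency_gaps(functions, deps):
    """A function cannot recover faster than what it depends on. Report every
    dependency whose RTO is longer than the function's, and undocumented ones."""
    by_name = {d.name: d for d in deps}
    gaps = []
    for fn in functions:
        for dname in fn.depends_on:
            d = by_name.get(dname)
            if d is None:
                gaps.append((fn.name, dname, "dependency not documented in the inventory"))
            elif d.rto_hours > fn.rto_hours:
                note = ("workaround/alternate provider available" if d.alternate
                        else "no alternate: needs an action plan or formally accepted risk")
                gaps.append((fn.name, dname,
                             f"dependency RTO {d.rto_hours}h exceeds function RTO {fn.rto_hours}h; {note}"))
    return gaps


def single_points_of_failure(functions, deps):
    """Dependencies used by two or more functions that have no alternate."""
    by_name = {d.name: d for d in deps}
    users = {}
    for fn in functions:
        for dname in fn.depends_on:
            users.setdefault(dname, []).append(fn.name)
    return {d: u for d, u in users.items()
            if len(u) >= 2 and d in by_name and not by_name[d].alternate}


# Constructed sample inventory (not from the deck).
SAMPLE_FUNCTIONS = [
    BusinessFunction("Payroll", "HR", 72,
                     {"Financial": 2, "Customer": 0, "Legal/Regulatory": 3, "Contractual": 1},
                     ["Payroll SaaS", "Email"]),
    BusinessFunction("Customer call center", "Operations", 4,
                     {"Financial": 3, "Customer": 3, "Legal/Regulatory": 1, "Contractual": 2},
                     ["Phone system", "CRM"]),
    BusinessFunction("Wire transfers", "Treasury", 24,
                     {"Financial": 3, "Customer": 2, "Legal/Regulatory": 3, "Contractual": 3},
                     ["Core banking", "Email"]),
    BusinessFunction("Marketing newsletter", "Marketing", 240,
                     {"Financial": 1, "Customer": 1, "Legal/Regulatory": 0, "Contractual": 0},
                     ["Email"]),
]
SAMPLE_DEPS = [
    Dependency("Phone system", "application", 8),
    Dependency("CRM", "application", 4, alternate=True),
    Dependency("Core banking", "application", 12),
    Dependency("Email", "application", 24),
    Dependency("Payroll SaaS", "vendor", 48),
]

if __name__ == "__main__":
    for fn in rank_functions(SAMPLE_FUNCTIONS):
        print(f"tier {priority_tier(fn)}  RTO {fn.rto_hours:>5}h  {fn.name}")
    for gap in dependency_gaps(SAMPLE_FUNCTIONS, SAMPLE_DEPS):
        print("GAP:", gap)
    print("SPOF:", single_points_of_failure(SAMPLE_FUNCTIONS, SAMPLE_DEPS))
```

Run as-is it prints the recovery order, one gap (the call center's 4-hour RTO cannot be met while its phone system has an 8-hour RTO and no alternate) and one shared single point of failure (email, used by three functions). The gap list is exactly the "accept the risk or build an action plan" decision the Dependencies slide asks the business to make.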

17

Threat Assessment

• SPOF
• Gap Analysis
• Vendor
• Application
• Financial
• Customer/reputational
• Contractual
• Legal

18

Elements of Risk

Mitigating Factors
» Mitigating factors are the protection devices, safeguards and procedures which are in place that reduce the effects of the threats.
» They do not reduce the threat, they only reduce the effect of the threat.
» Examples of mitigating factors in use are UPS (Uninterruptible Power Supply) and generator backups for replacement power, sprinkler systems to control the spread of fire, access card readers to control physical access to your space, etc.

19

What next?

When disaster strikes, the most important thing, after assuring the safety and welfare of employees, is to get vital support services functioning to the best of our ability.

20

Emergency Response

21

Emergency Response

Assess Situation
» Potential Impact

Determine Response
» Wait and See, or
» Declare Disaster
» Activate Plan
» Activate Command Center
» Retrieve Offsite Storage

22

Emergency Response

Communicate
» Inform Management
» Inform Teams
» Inform Corporate Contingency

Respond and Recover

23

Emergency Notification

Identify the different types of recovery you will plan for

Identify who would have the authority to declare a disaster depending on the scenario

Identify who would be part of the recovery effort

Build your notification list based on this information

24

Vital Records

Do you know:
» Where they are?
» What is included in them?
» How to get them?
» Who is authorized to retrieve them?
» How long it will take to retrieve them?
» Where to have them delivered?
» How long it will take to restore them?
» Who will restore them?

25

Vital Records

Joplin, Mo. EF5 Tornado
» St. John's Regional Medical Center
» Medical Records dispersed

"In addition to those existential challenges, St. John's must sort out the highly unusual privacy breach of paper medical records falling out of the sky after the tornado struck Joplin on May 22, forging a three-quarter-mile-wide path of near total destruction estimated to be six miles long….

The tornado-driven release of the records is unlikely to cause a legal problem for the hospital, attorneys said. "I doubt there's any liability they would be facing," assuming that the records were kept in a reasonably secure place when the tornado hit, said James Pyles, principal with the law firm Powers Pyles Sutter & Verville, Washington. Slatton said Mercy already had scanned electronic backups of the paper records that had been lost in the storm. In a statement, Mercy asked anyone who had medical records that were lost in the tornado to determine if the record can be linked to a specific person, and if so return it to the Mercy/St. John's command center in person or by mail. If it can't be linked, Mercy asked that the finder "destroy the record by shredding, cutting into small pieces and disposing of the pieces, or burning.""

26

Impact of a Disaster

A disaster may impact...
• Customers
• Your Paycheck
• Company Reputation
• Ability to meet regulatory requirements

27

Resource Requirements

Establish the resources that are required to continue to perform those functions

Two Phases should be defined:

• Survival: In the period immediately following the disaster, the emphasis will be to keep the business running at the minimum acceptable level.

• Recovery: In the longer term, the business will need to be restored to its original performance. Identification of all resources required to support the function is required to facilitate the longer term recovery.

28

Resource Requirements

Personal Safety and Readiness

• Recovery of business = associates
• Associates are more likely to assist with business recovery if home recovery is mitigated
• www.Ready.gov: personal plans also

29

Recovery Strategies

Identify the types of recovery strategies you will employ.
» Remote access
» Move operations by shifting work to available facilities
» Alternate Sites (SunGard & RLC)
» Mutual Aid

30

Selecting a Recovery Strategy

Recovery strategies will be driven by the recovery timeframe of the function. Recovery options might include the following:

• Self-service: A business unit can transfer work to another of its own locations which has available facilities.

• Internal Arrangement: Training rooms, cafeterias, conference rooms, etc. may be equipped to support business functions.

• Reciprocal Agreements: Other business units may be able to accommodate those affected. This could involve the temporary suspension of non-critical functions at the business units not affected by the outage.

• Dedicated alternate sites: Built by your company to accommodate critical function recovery.

• External Suppliers: A number of external companies offer facilities covering a wide range of business recovery needs.

• No arrangement: For low priority business functions it may not be cost justified to plan to a detailed level. The minimum requirement would be to record a description of the functions, the maximum allowable lapse time for recovery and a list of the resources required.

31

Developing the Plan

• Teams for Recovery
• Emergency Notification List
• Incident Management
• Declaration Procedures
• Checklists and Action Plans
• Detailed Recovery Procedures
• Roles

32

Sign Off and Maintenance

Executive Sign-Off
» Signed by President
» Acknowledges approval
» Meets Policy, which states that senior management is responsible for the plan and its contents

Plan Maintenance History
» History of the Plan Document
» Date issued
» Date of changes
» Type of change

33

Purpose, Objectives and Assumptions

• Purpose of writing the Plan Document
• The Objectives you have set for the Plan Document
• Planning Assumptions made while the plan was being written

34

Recovery Strategies

General Recovery Strategies used to recover critical functions

Recovery Strategy for loss of the primary site

Recovery Strategy for Loss of dependent systems

35

Disaster Recovery Management

Executive Emergency Management Team

Emergency Management Teams

Emergency Response Teams

Command Centers

36

Disaster Recovery Management

Emergency Management Agencies
» What they can do to assist
» What they are unable to do
» How they can help you identify risks

• Ohio Private Public Partnership (OP3)
• Police
• Fire

37

Emergency Management Team

• Perform preliminary damage assessment
• Identify business risk
• Declare Disaster
• Initiate and administer plan during emergency
• Organize and control Command Centers
• Manage overall recovery efforts being executed by Response Teams
• Administer and direct problem management
• Direct recovery communications

38

Emergency Response Teams

• Retrieve information from offsite storage
• Report to primary or alternate sites
• Execute business/technical recovery and restoration plans
• Communicate status to Command Center
• Re-establish support operations
• Identify replacement equipment/software needed for recovery effort and return to normal operations
• Assist in repair/rebuild of primary site

39

Command Center Locations

Command Center for Site Recovery
» Primary
» Secondary

Command Center for Business Function Recovery
» Primary
» Secondary

40

Human Resource Management

• Employee Injuries/Fatalities
• Reassigning of non-essential staff to support recovery
• Temporary Help/Contractors
• Family Issues
• Financial Assistance

41

Administrative Support

• Travel, Food and Accommodations
• Copying
• Answering Phones
• Arranging Courier Services
• Meeting Scheduling/Minutes

42

Finance Issues

• Provide Channel of Authorization for Expenditures
• Record Emergency Costs
• Provide Cash Advances
• Order Replacement Supplies and Equipment
• Provide Immediate Payment of Expenditures Required to Support Recovery Effort
• Expense Report Processing

43

Recovery Communications

• Recovery Status Updates to Contingency Information Line
• Communication to Employees
• External Communications
• Client Communications
• Problem Management

44

Site Recovery Plan

» Notification and identification of emergency situation
» Initial damage assessment
» Business risk assessment
» Decision to activate plan
» Declaration Procedures
» Notification Procedures
» Command Center Activation

45

Sample Checklists

Step by step checklist for each team member
» Executive Team
» Management Team
» Response Teams

46

Appendices

This section of the plan contains general information which may be useful in a disaster situation, such as:
» Forms
» Travel Directions
» Common procedures
» Hotel/Caterer lists
» Vendors

47

Exercising the Plan

Types of Exercises
» Call Notification
» Walkthrough
» Actual/Simulated
» Comprehensive

• Setting Exercise Objectives
• Developing an Exercise Plan
• Conducting Exercises
• Documenting Exercise Results
• Plan Maintenance Strategies

48

Maintaining the Plan

Plan reviews should be performed on a regularly scheduled basis and must occur at least annually

Reviews should be linked where possible to change management controls to ensure the details of significant business changes are correctly incorporated into the plan

Results of review should be formally reported and where appropriate, the plan should be updated
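The Sample Program Requirements slide gives each deliverable a review frequency, and the slide above adds that plan reviews must happen at least annually. The script below is an added example (not part of the deck) of the check a planner would run before a program review: it takes the deck's deliverable list with its frequencies and a record of when each was last completed, and reports which items are overdue and by how many days, plus whether the overall plan review has passed the annual minimum. The completion dates and the review date are constructed; the day counts used for each frequency are assumptions.

```python
"""Plan-maintenance tracker: flags program deliverables that are past their
review frequency. Added example; the frequencies follow the deck's Sample
Program Requirements slide, all dates are constructed."""
from datetime import date, timedelta

# Assumed day counts for the deck's frequencies. "On-going" has no fixed cycle
# and is excluded from the overdue check.
FREQUENCY_DAYS = {"Quarterly": 91, "Semi-Annually": 182, "Annually": 365, "On-going": None}

# Deliverables and frequencies as listed on the Sample Program Requirements slide.
PROGRAM_SCHEDULE = {
    "Emergency Notification List": "Quarterly",
    "Business Functions/Resource Requirements": "Semi-Annually",
    "Business Resumption Plans with sign-off": "Annually",
    "Training & Awareness": "Quarterly",
    "Vital Records Program": "On-going",
    "Technology Reviews": "Annually",
    "Strategy for loss of site/systems": "Annually",
    "Procedures for loss of site/systems": "Annually",
    "Call Tests": "Semi-Annually",
    "Walk-Through Exercise": "Annually",
    "Simulated or Actual Exercise": "Semi-Annually",
    "Systems Loss Test": "Annually",
}


def next_due(last_done: date, frequency: str):
    """Due date for the next occurrence, or None for items with no fixed cycle."""
    days = FREQUENCY_DAYS[frequency]
    return None if days is None else last_done + timedelta(days=days)


def overdue_deliverables(last_completed: dict, today: date, schedule=PROGRAM_SCHEDULE):
    """Return (deliverable, days_overdue) for every cyclic item past its due date.
    An item with no completion on record is reported with days_overdue=None."""
    result = []
    for item, freq in schedule.items():
        if FREQUENCY_DAYS[freq] is None:
            continue
        last = last_completed.get(item)
        if last is None:
            result.append((item, None))
            continue
        due = next_due(last, freq)
        if today > due:
            result.append((item, (today - due).days))
    return result


def plan_review_overdue_days(last_plan_review: date, today: date) -> int:
    """The deck requires a plan review at least annually; 0 means still in date."""
    due = last_plan_review + timedelta(days=FREQUENCY_DAYS["Annually"])
    return max(0, (today - due).days)


# Constructed completion log: the Walk-Through Exercise has never been recorded.
SAMPLE_LAST_COMPLETED = {
    "Emergency Notification List": date(2024, 1, 15),
    "Business Functions/Resource Requirements": date(2024, 3, 1),
    "Business Resumption Plans with sign-off": date(2023, 9, 1),
    "Training & Awareness": date(2024, 5, 1),
    "Technology Reviews": date(2023, 5, 1),
    "Strategy for loss of site/systems": date(2023, 10, 1),
    "Procedures for loss of site/systems": date(2023, 10, 1),
    "Call Tests": date(2024, 3, 1),
    "Simulated or Actual Exercise": date(2024, 2, 10),
    "Systems Loss Test": date(2023, 10, 1),
}
SAMPLE_REVIEW_DATE = date(2024, 6, 30)

if __name__ == "__main__":
    for item, days in overdue_deliverables(SAMPLE_LAST_COMPLETED, SAMPLE_REVIEW_DATE):
        print(f"{item}: " + ("never completed" if days is None else f"{days} days overdue"))
    print("plan review overdue by", plan_review_overdue_days(date(2023, 3, 1), SAMPLE_REVIEW_DATE), "days")
```

With the constructed log the tracker reports the notification list (76 days overdue), the technology review (61 days) and the never-run walk-through, which is the list that should go into the formally reported review results the slide calls for.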

49

Training and Awareness

• Developing Awareness Programs
• Training for BCPs
• Team Training

50

Review

• Phased Approach to the Planning Process
• Next Steps

51

Step 1: Identify your team

• Identify your team members for each team:

–Executive Team

–Management Team

–Response Team

52

Step 2: Vital records

• Identify vital records

–Procedure manuals

–forms

–vendor lists

–contact lists

–customer lists

–contracts

–source documents

53

Step 3: Identify Your Business Functions

• Identify the business functions for your functional areas

• Perform risk and business impact analysis for each function

• Establish Priority rating of the function

• Identify Critical Staff requirements

• Identify Interdependencies

54

Step 4: Identify your desktop requirements

• Minimum desktop configuration

• Application connectivity

• Voice Requirements

–phones

–Fax

–Modems

• Print Requirements

• Proprietary software running on desktop

55

Step 5: Define Recovery Strategy

• Develop recovery strategy for business functions based on the recovery priority

56

Step 6: Internal Site Survey

• Survey existing sites

• Identify equipment/phone services

• Identify desktops to be used for contingency

• Identify staff to be displaced or moved to offshift

57

Step 7: External Site Recovery

• Prepare RFP which includes all requirements
• Identify essential vs. "nice to have"
• Receive proposals from vendors
• Compare for requirements and costs
• Visit sites identified as potential vendors
• Select vendors

58

Step 8: Survey staff on availability to support recovery

• Survey all staff

–Ability to travel on limited notice for up to two weeks

–Ability to work off-shift (2nd or 3rd shift)

–Corporate Credit Card or other credit for travel expenses

59

Step 9: Internal Systems

• Identify all platforms and applications supported by internal systems group

• Identify recovery priority for each application

• Identify recovery strategy which meets the business requirements

• Develop recovery procedures for critical applications

60

Step 10: Document Plan

• Pull the information together into a plan document and distribute

61

Qualifying the Professional

DRI International
» Associate Business Continuity Professional (ABCP)
» Certified Functional Continuity Professional (CFCP)
» Certified Business Continuity Professional (CBCP)
» Master Business Continuity Professional (MBCP)

BCI Business Continuity Institute
» Associate Membership
» Membership
» Fellow Membership

62

Recommended Support Organizations

• Contingency Planners of Ohio http://www.cpohio.org/
• Disaster Recovery Institute (DRII) http://www.drii.org/
• Continuity Insights http://www.continuityinsights.com/
• Disaster Recovery Journal http://www.drj.com/
• FEMA http://ready.gov