Continuity Planning 101: An Introduction to Business Contingency Planning for the New Planner

You can download additional resources here: https://intrustcloud-my.sharepoint.com/personal/tim_rettig_intrust-it_com/_layouts/15/guestaccess.aspx?guestaccesstoken=H62iIK9BNH6l%2fLt%2bxDK4AXZhOHk%2fpu3rQ%2fl84I6ijd4%3d&docid=0c3b81a446d4c42f9bedff529b6b413c1

Page 1: Continuity Planning 101


Continuity Planning 101

An Introduction to Business Contingency Planning for the New Planner

Page 2: Continuity Planning 101

Welcome to Business Continuity Planning (BCP)

Feeling Overwhelmed?

Business Functions
Emergency Notification Lists
Alternate Sites
Recovery Plans
Testing
Recovery Priorities?
Risks
Business Impact
Emergency Response
Threat Assessments

Page 3: Continuity Planning 101

Lessons Learned from 9/11

• Testing was the key to the success of the recovery
• Critical operations in a single site are bad business
• We don't have problems by business, we have problems by building
• Transportation was a major issue in the first few days
• Incomplete/inaccurate inventories made insurance claims difficult
• People do not want to travel away from their families
• Very few business operations stand alone
• Voice is harder than data to recover
• Some of our vendors were in trouble too
• The devil is in the details

Page 4: Continuity Planning 101


1993 WTC

Page 5: Continuity Planning 101

Lessons Learned from Hurricane Sandy

• Testing was the key to the success of the recovery
• Upper floors don't equate to recovery
• Remote recovery can be problematic
• Transportation was a major issue in the first few days
• People do not want to travel away from their families
• Very few business operations stand alone
• Hotel lost power
• Food and water
• Some of our vendors were in trouble too
• Long term planning an issue

Page 6: Continuity Planning 101


The Planning Process

General Plan Information

Page 7: Continuity Planning 101


Don’t get caught without a plan

Page 8: Continuity Planning 101

Approach

• Loss of Building
• Loss of Systems
• Loss of Staff
• Loss of Critical Vendors

Page 9: Continuity Planning 101

Project Initiation and Management

• Defining Project Scope, Objectives and Assumptions
• Estimating Project Resources
• Obtaining Management Commitment
• Defining Project Timeline and Identifying Major Milestones
• Identifying Project Deliverables

Page 10: Continuity Planning 101

Sample Program Requirements

Deliverable                                  Due date
Emergency Notification List                  Quarterly
Business Functions / Resource Requirements   Semi-Annually
Business Resumption Plans with sign-off      Annually
Training & Awareness                         Quarterly
Vital Records Program                        On-going
Technology Reviews                           Annually
Strategy for loss of site/systems            Annually
Procedures for loss of site/systems          Annually
Call Tests                                   Semi-Annually
Walk-Through Exercise                        Annually
Simulated or Actual Exercise                 Semi-Annually
Systems Loss Test                            Annually

Page 11: Continuity Planning 101

Phased Approach

• Emergency Notification List
• Identifying the functions
• Business Impact Analysis and Threat Assessment
• Strategy Development
• Alternate Site selection and planning
• Vital records backup and recovery
• Plan Development
• Testing, maintenance, update

Page 12: Continuity Planning 101

Business Functions

• Make a list of all Business Functions and managers
• Conduct interviews with all business function managers
• Work with managers to identify the loss potential of not performing the function
• Determine the recovery timeframe needed to meet the business or regulatory requirements governing that function

Page 13: Continuity Planning 101

Business Impact Analysis

• Description of the function or process
• City/State, Building (the primary location where the work is performed)
• Applicable mail zones
• Category or type of business (financial, phone operations, security, IT)
• Headcount - FT and Contingency
• RTO
• Function type (Operational, IT Support, Emergency)
• Owners
• Shifts
• Impacts (Financial, Customer, Legal/Regulatory, Contractual) - How will you rank these?
• Primary and Secondary recovery strategies
• How are your computers imaged?
• Last time the BIA was updated/reviewed

Page 14: Continuity Planning 101

Technology

Document all technology used to support the business functions
» Hardware platform
» Application owner
» Location of hardware/application/data
» Recovery strategy

Page 15: Continuity Planning 101

Interdependencies

It is critical that the internal and external dependencies for the business function be understood and documented
» Inputs to the function and where they come from
» Outputs of the function and where they go to
» System/Application dependencies

Page 16: Continuity Planning 101

Dependencies

Vendor and Application
» Determine business RTO for each
» Mitigation and control strategies
» What is the biggest impact?
» Is an action plan needed?
» Will the business accept the risk?
» Do they need to follow up?
» Is there another provider? A work around?

Page 17: Continuity Planning 101

Threat Assessment

• SPOF
• Gap Analysis
• Vendor
• Application
• Financial
• Customer/reputational
• Contractual
• Legal
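The dependency questions on the Interdependencies, Dependencies and Threat Assessment slides (business RTO per dependency, biggest impact, another provider or workaround, SPOF gap analysis) can be answered mechanically once the BIA data has been collected. The Python below is an added example and is not code from the original deck or its author: it models each business function with its business RTO and its system, application and vendor dependencies, then flags an RTO gap wherever a dependency recovers slower than a function that needs it, flags a single point of failure wherever a dependency with no alternate is shared by several functions, and orders functions for recovery by impact rank and RTO. Every function name, dependency name, RTO value and alternate is constructed sample data.

```python
"""Dependency and SPOF gap analysis over Business Impact Analysis (BIA) data.

Added example: not code from the original deck. All function names,
dependency names, RTO values and alternates below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Dependency:
    """A system, application or vendor that one or more business functions rely on."""
    name: str
    kind: str                        # "system", "application" or "vendor"
    recovery_hours: float            # time its owner needs to restore it
    alternate: Optional[str] = None  # another provider or workaround, if one exists


@dataclass
class BusinessFunction:
    """A business function from the BIA with its business RTO and dependencies."""
    name: str
    rto_hours: float                 # recovery time the business or regulator requires
    depends_on: List[str]            # names of Dependency entries
    impact_rank: int                 # 1 = highest financial/customer/legal impact


# Constructed sample data (hypothetical names and values).
DEPS: Dict[str, Dependency] = {
    "core-banking-app": Dependency("core-banking-app", "application", 8.0),
    "payroll-vendor": Dependency("payroll-vendor", "vendor", 48.0, alternate="manual cheque run"),
    "email-system": Dependency("email-system", "system", 4.0),
    "phone-switch": Dependency("phone-switch", "system", 24.0, alternate="forward lines to mobile phones"),
}

FUNCTIONS: List[BusinessFunction] = [
    BusinessFunction("Customer Service", 4.0, ["core-banking-app", "phone-switch", "email-system"], 1),
    BusinessFunction("Payroll", 72.0, ["payroll-vendor", "email-system"], 3),
    BusinessFunction("Wire Transfers", 2.0, ["core-banking-app", "email-system"], 1),
]


def rto_gaps(functions: List[BusinessFunction], deps: Dict[str, Dependency]) -> List[Tuple[str, str, float]]:
    """Return (function, dependency, gap_hours) wherever a dependency recovers
    slower than the business RTO of a function that needs it."""
    gaps = []
    for f in functions:
        for dname in f.depends_on:
            d = deps[dname]
            if d.recovery_hours > f.rto_hours:
                gaps.append((f.name, d.name, d.recovery_hours - f.rto_hours))
    return gaps


def single_points_of_failure(functions: List[BusinessFunction], deps: Dict[str, Dependency]) -> Dict[str, List[str]]:
    """A dependency with no alternate provider or workaround that more than one
    function relies on is a single point of failure; map it to those functions."""
    users: Dict[str, List[str]] = {}
    for f in functions:
        for dname in f.depends_on:
            users.setdefault(dname, []).append(f.name)
    return {d: sorted(fs) for d, fs in users.items()
            if deps[d].alternate is None and len(fs) > 1}


def effective_rto(function: BusinessFunction, deps: Dict[str, Dependency]) -> float:
    """The recovery time a function can actually achieve today: its own RTO or
    its slowest dependency, whichever is longer."""
    return max([function.rto_hours] + [deps[d].recovery_hours for d in function.depends_on])


def recovery_priority(functions: List[BusinessFunction]) -> List[str]:
    """Order functions for recovery: highest impact rank first, then shortest RTO."""
    return [f.name for f in sorted(functions, key=lambda f: (f.impact_rank, f.rto_hours))]


def gap_report(functions: List[BusinessFunction], deps: Dict[str, Dependency]) -> List[str]:
    """Plain-text action items a planner would take back to the function owners."""
    by_name = {f.name: f for f in functions}
    lines = []
    for fname, dname, _gap in rto_gaps(functions, deps):
        lines.append(f"RTO gap: {fname} needs {dname} within {by_name[fname].rto_hours:g}h "
                     f"but it recovers in {deps[dname].recovery_hours:g}h; "
                     "needs an action plan, another provider, a workaround or an accepted risk")
    for dname, fnames in single_points_of_failure(functions, deps).items():
        lines.append(f"SPOF: {dname} ({deps[dname].kind}) has no alternate and supports {', '.join(fnames)}")
    return lines


if __name__ == "__main__":
    for name in recovery_priority(FUNCTIONS):
        f = next(x for x in FUNCTIONS if x.name == name)
        print(f"{name}: business RTO {f.rto_hours:g}h, achievable today {effective_rto(f, DEPS):g}h")
    for line in gap_report(FUNCTIONS, DEPS):
        print(line)
```

On the sample data the report shows that Customer Service, with a 4-hour business RTO, can in practice be recovered only in 24 hours because of the phone switch, and that the e-mail system is a single point of failure for every function listed; each of those lines is exactly the "is an action plan needed, or will the business accept the risk" question the Dependencies slide asks.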

Page 18: Continuity Planning 101

Elements of Risk

Mitigating Factors
» Mitigating factors are the protection devices, safeguards and procedures which are in place that reduce the effects of the threats.
» They do not reduce the threat, they only reduce the effect of the threat.

Examples of mitigating factors in use are UPS (Uninterruptible Power Supply) and Generator backups for replacement power, sprinkler systems to control the spread of fire, Access Card Readers to control physical access to your space, etc.

Page 19: Continuity Planning 101

What next?

When disaster strikes, the most important thing, after assuring the safety and welfare of employees, is to get vital support services functioning to the best of our ability.

Page 20: Continuity Planning 101


Emergency Response

Page 21: Continuity Planning 101

Emergency Response

Assess Situation
» Potential Impact

Determine Response
» Wait and See, or
» Declare Disaster
» Activate Plan
» Activate Command Center
» Retrieve Offsite Storage

Page 22: Continuity Planning 101

Emergency Response

Communicate
» Inform Management
» Inform Teams
» Inform Corporate Contingency

Respond and Recover

Page 23: Continuity Planning 101

Emergency Notification

• Identify the different types of recovery you will plan for
• Identify who would have the authority to declare a disaster depending on the scenario
• Identify who would be part of the recovery effort
• Build your notification list based on this information

Page 24: Continuity Planning 101

Vital Records

Do you know:
» Where they are?
» What is included in them?
» How to get them?
» Who is authorized to retrieve them?
» How long it will take to retrieve them?
» Where to have them delivered?
» How long it will take to restore them?
» Who will restore them?

Page 25: Continuity Planning 101

Vital Records

Joplin, Mo. EF5 Tornado
» St. John's Regional Medical Center
» Medical Records dispersed

“In addition to those existential challenges, St. John's must sort out the highly unusual privacy breach of paper medical records falling out of the sky after the tornado struck Joplin on May 22, forging a three-quarter-mile-wide path of near total destruction estimated to be six miles long….

The tornado-driven release of the records is unlikely to cause a legal problem for the hospital, attorneys said. “I doubt there's any liability they would be facing,” assuming that the records were kept in a reasonably secure place when the tornado hit, said James Pyles, principal with the law firm Powers Pyles Sutter & Verville, Washington. Slatton said Mercy already had scanned electronic backups of the paper records that had been lost in the storm. In a statement, Mercy asked anyone who had medical records that were lost in the tornado to determine if the record can be linked to a specific person, and if so return it to the Mercy/St. John's command center in person or by mail. If it can't be linked, Mercy asked that the finder “destroy the record by shredding, cutting into small pieces and disposing of the pieces, or burning.”

Page 26: Continuity Planning 101

Impact of a Disaster

A disaster may impact...
• Customers
• Your Paycheck
• Company Reputation
• Ability to meet regulatory requirements

Page 27: Continuity Planning 101

Resource Requirements

Establish the resources that are required to continue to perform those functions.

Two Phases should be defined:

• Survival - In the period immediately following the disaster, the emphasis will be to keep the business running at the minimum acceptable level.
• Recovery - In the longer term, the business will need to be restored to its original performance. Identification of all resources required to support the function is required to facilitate the longer term recovery.

Page 28: Continuity Planning 101

Resource Requirements

Personal Safety and Readiness
• Recovery of business = associates
• More likely to assist with business recovery if home recovery is mitigated
• www.Ready.gov – personal plans also

Page 29: Continuity Planning 101

Recovery Strategies

Identify the types of recovery strategies you will employ.
» Remote access
» Move operations by shifting work to available facilities
» Alternate Sites (SunGard & RLC)
» Mutual Aid

Page 30: Continuity Planning 101

Selecting a Recovery Strategy

Recovery strategies will be driven by the recovery timeframe of the function. Recovery options might include the following:

• Self-service - A business unit can transfer work to another of its own locations that have available facilities.
• Internal Arrangement - Training rooms, cafeterias, conference rooms etc. may be equipped to support business functions.
• Reciprocal Agreements - Other business units may be able to accommodate those affected. This could involve the temporary suspension of non-critical functions at the business units not affected by the outage.
• Dedicated alternate sites - Built by your company to accommodate critical function recovery.
• External Suppliers - A number of external companies offer facilities covering a wide range of business recovery needs.
• No arrangement - For low priority business functions it may not be cost justified to plan to a detailed level. The minimum requirement would be to record a description of the functions, the maximum allowable lapse time for recovery and a list of the resources required.

Page 31: Continuity Planning 101

Developing the Plan

• Teams for Recovery
• Emergency Notification List
• Incident Management
• Declaration Procedures
• Checklists and Action Plans
• Detailed Recovery Procedures
• Roles

Page 32: Continuity Planning 101

Sign Off and Maintenance

Executive Sign-Off
» Signed by President
» Acknowledges approval
» Meets Policy, which states that Senior management is responsible for the plan and its contents

Plan Maintenance History
» History of the Plan Document
» Date issued
» Date of changes
» Type of change

Page 33: Continuity Planning 101

Purpose, Objectives and Assumptions

• Purpose of writing the Plan Document
• The Objectives you have set for the Plan Document
• Planning Assumptions made while the plan was being written

Page 34: Continuity Planning 101

Recovery Strategies

• General Recovery Strategies used to recover critical functions
• Recovery Strategy for loss of the primary site
• Recovery Strategy for loss of dependent systems

Page 35: Continuity Planning 101

Disaster Recovery Management

• Executive Emergency Management Team
• Emergency Management Teams
• Emergency Response Teams
• Command Centers

Page 36: Continuity Planning 101

Disaster Recovery Management

Emergency Management Agencies
» What they can do to assist
» What they are unable to do
» How they can help you identify risks

• Ohio Private Public Partnership (OP3)
• Police
• Fire

Page 37: Continuity Planning 101

Emergency Management Team

• Perform preliminary damage assessment
• Identify business risk
• Declare Disaster
• Initiate and administer plan during emergency
• Organize and control Command Centers
• Manage overall recovery efforts being executed by Response Teams
• Administer and direct problem management
• Direct recovery communications

Page 38: Continuity Planning 101

Emergency Response Teams

• Retrieve information from offsite storage
• Report to primary or alternate sites
• Execute business/technical recovery and restoration plans
• Communicate status to Command Center
• Re-establish support operations
• Identify replacement equipment/software needed for recovery effort and return to normal operations
• Assist in repair/rebuild of primary site

Page 39: Continuity Planning 101

Command Center Locations

Command Center for Site Recovery
» Primary
» Secondary

Command Center for Business Function Recovery
» Primary
» Secondary

Page 40: Continuity Planning 101

Human Resource Management

• Employee Injuries/Fatalities
• Reassigning of non-essential staff to support recovery
• Temporary Help/Contractors
• Family Issues
• Financial Assistance

Page 41: Continuity Planning 101

Administrative Support

• Travel, Food and Accommodations
• Copying
• Answering Phones
• Arranging Courier Services
• Meeting Scheduling/Minutes

Page 42: Continuity Planning 101

Finance Issues

• Provide Channel of Authorization for Expenditures
• Record Emergency Costs
• Provide Cash Advances
• Order Replacement Supplies and Equipment
• Provide Immediate Payment of Expenditures Required to Support Recovery Effort
• Expense Report Processing

Page 43: Continuity Planning 101

Recovery Communications

• Recovery Status Updates to Contingency Information Line
• Communication to Employees
• External Communications
• Client Communications
• Problem Management

Page 44: Continuity Planning 101

Site Recovery Plan

» Notification and identification of emergency situation
» Initial damage assessment
» Business risk assessment
» Decision to activate plan
» Declaration Procedures
» Notification Procedures
» Command Center Activation

Page 45: Continuity Planning 101

Sample Checklists

Step by step checklist for each team member
» Executive Team
» Management Team
» Response Teams

Page 46: Continuity Planning 101

Appendices

This section of the plan contains general information which may be useful in a disaster situation, such as:
» Forms
» Travel Directions
» Common procedures
» Hotel/Caterer lists
» Vendors

Page 47: Continuity Planning 101

Exercising the Plan

Types of Exercises
» Call Notification
» Walkthrough
» Actual/Simulated
» Comprehensive

• Setting Exercise Objectives
• Developing an Exercise Plan
• Conducting Exercises
• Documenting Exercise Results
• Plan Maintenance Strategies

Page 48: Continuity Planning 101

Maintaining the Plan

• Plan reviews should be performed on a regularly scheduled basis and must occur at least annually
• Reviews should be linked where possible to change management controls to ensure the details of significant business changes are correctly incorporated into the plan
• Results of review should be formally reported and, where appropriate, the plan should be updated

Page 49: Continuity Planning 101

Training and Awareness

• Developing Awareness Programs
• Training for BCPs
• Team Training

Page 50: Continuity Planning 101

Review

• Phased Approach to the Planning Process
• Next Steps

Page 51: Continuity Planning 101

Step 1: Identify your team

• Identify your team members for each team:

–Executive Team

–Management Team

–Response Team

Page 52: Continuity Planning 101

Step 2: Vital records

• Identify vital records

–Procedure manuals

–forms

–vendor lists

–contact lists

–customer lists

–contracts

–source documents

Page 53: Continuity Planning 101

Step 3: Identify Your Business Functions

• Identify the business functions for your functional areas

• Perform risk and business impact analysis for each function

• Establish Priority rating of the function

• Identify Critical Staff requirements

• Identify Interdependencies

Page 54: Continuity Planning 101

Step 4: Identify your desktop requirements

• Minimum desktop configuration

• Application connectivity

• Voice Requirements

–phones

–Fax

–Modems

• Print Requirements

• Proprietary software running on desktop

Page 55: Continuity Planning 101

Step 5: Define Recovery Strategy

• Develop recovery strategy for business functions based on the recovery priority

Page 56: Continuity Planning 101

Step 6: Internal Site Survey

• Survey existing sites

• Identify equipment/phone services

• Identify desktops to be used for contingency

• Identify staff to be displaced or moved to offshift

Page 57: Continuity Planning 101

Step 7: External Site Recovery

• Prepare RFP which includes all requirements

• Identify essential vs “nice to have”

• Receive proposals from vendors

• Compare for requirements and costs

• Visit sites identified as potential vendors

• Select vendors

Page 58: Continuity Planning 101

Step 8: Survey staff on availability to support recovery

• Survey all staff

–Ability to travel on limited notice for up to two weeks

–Ability to work off-shift (2nd or 3rd shift)

–Corporate Credit Card or other credit for travel expenses

Page 59: Continuity Planning 101

Step 9: Internal Systems

• Identify all platforms and applications supported by internal systems group

• Identify recovery priority for each application

• Identify recovery strategy which meets the business requirements

• Develop recovery procedures for critical applications

Page 60: Continuity Planning 101

Step 10: Document Plan

• Pull the information together into a plan document and distribute

Page 61: Continuity Planning 101

Qualifying the Professional

DRI International
» Associate Business Continuity Professional (ABCP)
» Certified Functional Continuity Professional (CFCP)
» Certified Business Continuity Professional (CBCP)
» Master Business Continuity Professional (MBCP)

BCI Business Continuity Institute
» Associate Membership
» Membership
» Fellow Membership

Page 62: Continuity Planning 101

Support Organizations

• Contingency Planners of Ohio http://www.cpohio.org/
• Disaster Recovery Institute (DRII) http://www.drii.org/
• Continuity Insights http://www.continuityinsights.com/
• Disaster Recovery Journal http://www.drj.com/
• FEMA http://ready.gov