
+1 610 768-4120 • (800) 634-2016 • www.strohlsystems.com • [email protected]

Business Continuity Planning Overview, Regulations and the Growing Significance of Automated BC Solutions

Presented by Steve Kokol, Vice President of International Sales
Strohl Systems Group, Inc.
[email protected]
September 2006


What is a Disaster?

• A disaster is a sudden, unplanned calamitous event that creates the inability on an organisation’s part to provide the critical business functions for some predetermined period of time and which results in great damage or loss. (DRI International)

• The time factor which determines whether a service interruption is an inconvenience or a disaster will vary from organization to organization.

• The type, timing and severity of any business disruption is unpredictable.


Disasters are never on our calendar

Disasters... but we can prepare for them


Business Continuity Planning – Defined

• An ongoing programme to ensure prudent risk reduction and to resume key business operations before unacceptable impacts and losses are incurred.

• Business continuity bridges the gap between disaster and recovery

• Whatever the scenario, business continuity identifies weak links in the flow of information and builds systems and procedures to eliminate downtime.

Business Continuity Planning

• BCP v. DR
  – BCP grew out of DR
  – Disaster Recovery tends to focus on data
  – BCP focuses on the entire Business and Business Units
  – BCP takes a more proactive stand

• BCP programme elements include
  – Program authorization (a Business Impact Analysis and a commitment by executive management)
  – Business Continuity Plan development (response, resumption, recovery and crisis management)
  – Recovery Plan (and the regular maintenance of this plan)
  – Availability and survivability components such as UPS and redundant telecommunication systems

Proactive v. Reactive

• Business Continuity Planning
  – Proactive Process
  – By having a BCP, organisations seek to prevent interruption of mission critical services
  – BCPs generally cover most or all of an organization’s critical business processes and operations

• Disaster Recovery Planning
  – Reactive Process
  – More technical plans that are developed for specific groups within an organization to allow them to recover a specific business application
  – Areas requiring specific DRPs include IT, call centers, and distribution centers

A Business Continuity Programme is NOT:

• A project
• A one time task with a fixed duration
• Just about data

• BCP must be an on-going, living programme with commitment from Top Management.

BCP Acceptance Worldwide

• What drives BCP Acceptance in a particular country versus another?
  – Country Culture
    • Risk Avoidance
    • Laissez-faire
    • To some extent, Technological Advancement

BCP Acceptance Worldwide

• What drives BCP Acceptance in a particular country versus another?
  – Presence of BCI, DRII or other organisations promoting BCP Standards
  – BCI Country Representatives – www.thebci.org
    • http://www.thebci.org/worldwideoffices.htm
  – Both BCI and DRII offer BCP certification

BCI country representatives: Australia, Belgium, Caribbean, Canada, China, Denmark, France, Germany, Greece, Hong Kong, India, Indonesia, Israel, Italy, Japan, Malaysia, Middle East, New Zealand, Norway, Pakistan, Philippines, Republic of Ireland, Russian Federation, Singapore, South Africa, Sweden, The Netherlands, United Kingdom, UAE, United States

BCP Acceptance Worldwide

• What drives BCP Acceptance in a particular country versus another?
  – Propensity to experience frequent natural disasters
    • Typhoons
    • Earthquakes
    • Floods
    • Monsoons
  – Country Specific Regulations
  – Industry Regulations
  – Corporate Governance Laws
  – Avian Pandemic / SARS
  – War / Terrorism


Type of Threats

• Acts of nature

• Man-made disruptions/disasters

• Failure of infrastructure or technology

Ability to Recover versus BCP Maturity

[Chart: Ability to Recover (vertical axis) plotted against BCP maturity stages: No Plan, Documented, Tested, Trained, Maintained]

Four Elements of a Business Continuity Program

• Assure strategy reflects the business’ needs
• On-going testing
• Trained recovery teams
• Keep the plan up-to-date

Integrated Business Continuity Program

[Diagram: components of an integrated programme: Corporate Risk Mgt; Emergency Response; Risk Mitigation; Technology Recovery; Corporate Crisis Mgt; Business Recovery; Crisis Communications Plan; Process Recovery; Infrastructure Recovery]

Business Continuity Planning Budget

BUDGET ELEMENTS:
• Hot Site Contracts
• Staff
• Hardware
• Education
• Media Storage
• Testing
• Software

FACTORS INFLUENCING THE PERCENTAGE OF BCP BUDGET:
• Executive Commitment
• Geographical Disbursement
• Industry Regulations
• Industry
• Revenues and Profits
• RTO
• Availability Goals – Protection of Data versus Operations

Which department in your organization is ultimately responsible for business continuity planning?

[Chart: Percent of Responses by department (IT, Financial, Risk, Security, BCP Dept, Other) for the 2002, 2003 and 2006 surveys; vertical axis 0 to 40 percent]

What is the title of the executive sponsor of your organization's BCP program?

[Chart: Percent of Responses by title (Manager, VP, CIO, CFO, CEO/Pres., Other) for the 2002, 2003 and 2006 surveys; vertical axis 0 to 35 percent]

Recovery Time Objective

The RTO (Recovery Time Objective) is the timeframe in which a business function must resume a level of service that will prevent unacceptable financial and/or operational impacts from being incurred by the organization.

Protection of Data versus Protection of Operations

Protect the Data:
• Research and Development
• Pharmaceutical
  – Downtime not as important as protection against lost data
  – Retesting to meet documented regulatory requirements
• Isn’t the protection of data always most important?

Maintaining Continuous Operations:
• Manufacturing and Supply Chain
  – Cost of a stopped product line can be millions per hour.
  – Also need to look “upstream” to ensure suppliers maintain continuous operations through a formal BCP.
• Philips Electronics fire at chip plant
  – Nokia v. Ericsson (one did a better job than the other because of their tested BCP plan)

Define the Cost of an Outage

Data – 99% availability = 88 hours each year that computing resources are unavailable

Average cost of an outage according to Gartner: USD $42,000 per hour for mission critical applications

For companies that rely 100% on technology such as online brokers, e-commerce companies and traders, hourly downtime risks can be $1,000,000 or more!

$3,600,000 lost each year due to unplanned downtime

Define the Cost of an Outage

• It must be measured in more than just $$
  – Why do I need a BCP programme if I have insurance?
    • Insurance only covers the financial considerations
    • Need a plan to stay in business
  – 50% of companies that experience a significant interruption or disruption in service and do not have a tested, up-to-date BCP plan go out of business within one year of this interruption or disaster
  – Can often recover from the financial impact, but can you recover from the loss of market share and customer confidence?

BCP Acceptance Worldwide

• Regulations drive Acceptance
  – UK Financial Services Authority
  – Basel II Accord
  – European Central Bank
  – Bank of Russia
  – SAMA – Saudi Arabian Monetary Agency
  – De Nederlandsche Bank
  – Monetary Authority of Singapore
  – Hong Kong Monetary Authority
  – Bank of Thailand
  – NYSE Rule 446
  – Quality Standards ISO 17799, BS 7799
  – ISO Crisis Management Standards – ISO studying – May 2006
  – BS 25999 – BCM Planning – In Progress – August 2006
  – Australian Standards – AS 4444, AS/NZS 4360, HB 221
  – British Standards – PAS 56
  – UK Civil Contingencies Bill of 2005
  – Insurance Regulations
  – Corporate Governance

BCP Acceptance Worldwide

• UK Financial Services Authority (FSA)
  – Independent non-governmental body, given statutory powers by the UK Financial Services and Markets Act of 2000 (responsibility transferred to the FSA from the Bank of England)
  – Her Majesty’s Treasury appoints the FSA Board
  – Banks, Financial Services, Securities and Futures
  – Combined Code – Directors must annually conduct a review of the effectiveness of the group’s system of internal controls and report to the shareholders that they have done so. (No requirement to publish this review)

BCP Acceptance Worldwide

• UK Financial Services Authority (FSA)
  – Guidance on Business Continuity (SYSC 3.2.19 [G]):
    • “A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness”
  – www.fsa.gov.uk/

BCP Acceptance Worldwide

• New Basel Capital Accord (Basel II) – issued by the Bank for International Settlements (BIS) www.bis.org
  – Originally issued the Basel Capital Accord (Basel I) in 1988 – applied minimum capital reserve standards to the banking industry (8%)
  – January 2001 – Proposal for new Basel Accord to replace 1988 standard
  – Initial goal was to finalise by 2004 (pushback from the banking community, fearful that they could not comply)
  – Implementation by year-end 2006 (or possibly later)

BCP Acceptance Worldwide – Basel II

• New Basel Capital Accord (Basel II)
  – Three Pillars of Basel II
    • Capital Standards
    • Supervisory Review
    • Market Discipline
  – Operational Risk addressed in all three pillars

BCP Acceptance Worldwide – Basel II

• New Basel Capital Accord (Basel II)
  – Banks that can demonstrate “sound practices for the management and supervision of operational risk” will be able to reduce their capital reserves, freeing up large amounts of additional funds for investment.
  – Sound Practices for the Management of Operational Risk
    • Operational Risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
    • Developing an Appropriate Risk Management Environment
      – Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption
  – Basel II places emphasis on internal controls and risk management

BCP Acceptance Worldwide

• New Basel Capital Accord (Basel II)
  – Once finalised, each Nation may make amendments to their domestic versions of Basel II
  – Companies wanting to reduce their operational reserves must show a 5 year track record of compliance to be able to reduce these reserves.
  – Basel II should not simply be viewed as a compliance initiative, but as an opportunity for change!
  – www.bis.org/publ/bcbsca.htm

BCP Acceptance Worldwide

• ECB – European Central Bank – June 2006
  – Three-year deadline for the introduction of stricter business continuity planning and crisis management procedures
  – Payments system operators, key suppliers and participants should have well-defined strategies and monitoring mechanisms for dealing with major outages, aimed at the recovery and resumption of critical functions within the same settlement day.
  – Systems should also have a secondary, geographically separate site, capable of independent operation in the event of failure at the primary facility.
  – June 2009 compliance with revised standard
  – http://www.ecb.int/pub/pdf/other/businesscontinuitysips2006en.pdf

BCP Acceptance Worldwide

• Standard of the Bank of Russia – January 2006
  – Ensuring information security of the organizations of the banking system of the Russian Federation
    • 9.6. Business continuity management and disaster recovery
      – Organization should develop and deploy the plan of business continuity management and disaster recovery.
      – The plan and corresponding business processes should be reviewed on a regular basis and updated (e.g. after significant changes in operational activities, organizational structure, business processes and information systems).
      – The effectiveness of documented recovery procedures should be periodically checked and tested (at least twice per year). All staff involved in the plan execution and DR procedures should be familiarized with the plan.
      – As a methodological basis for the plan development, common international standards of business continuity management (like BSI PAS-56) could be used.

BCP Acceptance Worldwide

• SAMA – Saudi Arabian Monetary Agency – 2006
  – Currently seeking guidance in setting BCP standards from their member banks
  – http://www.sama.gov.sa/

BCP Acceptance Worldwide

• De Nederlandsche Bank
  – 2005 – Business Continuity Assessment Framework
    • Assist firms to benchmark their BCP activities
    • Framework will be introduced to other firms within the “Euro-zone”
    • Each firm must have a BCP plan approved by management board or senior management
    • Advisable to have the BCP plan assessed by the internal audit department
    • The Assessment framework contains a total of 10 criteria

BCP Acceptance Worldwide

• Monetary Authority of Singapore
  – June 2003 – Guidelines on Risk Management Practices – Business Continuity
    • The guidelines will serve as a standard for financial institutions and raise their awareness and preparedness by having in place effective and comprehensive BCP
    • Institutions are encouraged to adopt these principles and implement BCP that is commensurate with the institution’s nature, scale and complexity of business activities
    • MAS will, in the course of its supervision of institutions, review the BCP implementations
    • Board and Senior Management should be responsible for the BCP preparedness of their institution
    • Institutions should embed BCP into their business-as-usual operations, incorporating sound BCP practices

BCP Acceptance Worldwide

• Monetary Authority of Singapore
  – June 2003 – Guidelines on Risk Management Practices – Business Continuity
    • Institutions should test their BCP regularly, completely and meaningfully
    • Institutions should develop recovery strategies and set recovery time objectives for critical business functions
    • Institutions should understand and appropriately mitigate interdependency risks of critical business functions
    • Institutions should plan for wide-area disruptions
    • Institutions should practice a separation policy to mitigate concentration risk of critical business functions
  – www.mas.gov.sg/regulations/download/BCMGuidelines.pdf

BCP Acceptance Worldwide

• Hong Kong Monetary Authority
  – New BCP policy established in December 2002
    • Sets out the HKMA’s supervisory approach to business continuity planning (BCP)
  – www.info.gov.hk/hkma/eng/bank/spma/index.htm

BCP Acceptance Worldwide

• The Bank of Thailand – November 2005
  – Requirement of an IT Contingency Plan – BOT Notification No 1953-2548
  – Restore IT systems of Financial Institutions “within a suitable period”
  – Maintain customer and stakeholder confidence in financial institutions’ services
  – Board of Directors of each Financial Institution must establish a written policy statement and guide for preparing the IT Contingency plan
  – Functional and full scale tests must be conducted at least once per year
  – BOT recognized that the IT plan is part of the BCP plan. BOT is in the process of issuing guidance for the preparation of business continuity plans.
  – www.bot.or.th

BCP Acceptance Worldwide

• NASD 3500 Series – Emergency Preparedness (3510 and 3520) and NYSE Rule 446 Business Continuity Rules
  – Approved by the US SEC – April 2004
  – NASD and NYSE member organizations must develop and maintain a written business continuity and contingency plan
  – Must conduct, at minimum, an annual review… in light of changes to the organization’s operations, structure, business or location
  – Plan must address
    • Data back-up and recovery of mission critical systems
    • Alternate communications between customers and the firm
    • Alternate communications between the firm and its employees
    • Financial and operational risk
    • Alternate physical location of employees
    • Communication with Regulators

BCP Acceptance Worldwide

• NASD and NYSE Business Continuity Rules
  – NASD and NYSE members are also required to disclose to their customers a summary of the business continuity plan that addresses how the member intends to respond to potential disruptions of varying scope
  – Must designate a senior officer to approve the Plan and be responsible for the annual review and emergency contact person(s)
  – NASD providing a template for small businesses and a repository to hold BCP plans: http://www.nasdr.com/business_continuity_planning.asp
  – http://www.sec.gov/news/press/2004-53.htm

BCP Acceptance Worldwide

• Quality Standards ISO 17799, BS 7799-2:2002
  – International Organization for Standardization (ISO)
  – British Standards Institute – Specification for Information Security Management
    • BS7799 is the most widely recognized security standard in the world.
  – Best practices in information security
    • Code of practice (ISO)
    • Specification for Information Security Management (BS)

BCP Acceptance Worldwide

• Quality Standards ISO 17799, BS 7799-2:2002
  – ISO 17799 is organized into ten major sections, each covering a different topic or area:
    • 1. Business Continuity Planning – The objectives of this section are: To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
  – www.iso.org

BCP Acceptance Worldwide

• ISO Crisis Management Standards
  – ISO Technical Committee (ISO/TC) studying – May 2006
  – Mission of ISO/TC 223 is to develop International Standards or other ISO deliverables that will improve preparedness before a crisis, coordination during a crisis and reconstruction and remedial action afterwards.
  – Scope of crisis management is broad, spanning everything from preparation, analyses, forecasts and development of systems to education, drills and evaluation.
  – Next Meeting – November 2006
  – www.iso.org

BCP Acceptance Worldwide

• Quality Standards BS 25999
  – Code of practice for business continuity management
    • Draft for public comment ended August 2006
  – Part 1: Code of practice for business continuity management
  – Part 2: Specification for business continuity management
    • Part 2 specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization.
  – www.bsi-global.com/bs25999

BCP Acceptance Worldwide

• Australian Standard – Security Standards – AS 4444
  – Key Controls 1:
    • Information Security Policy document
  – Key Controls 2:
    • Business Continuity Planning
• AS/NZS 4360 – Risk Management Standards
• Business Continuity Management Handbook – HB 221:2003
  – www.standards.com.au/catalogue/script/search.asp

British Standards – PAS 56

• Publicly Available Specification 56
  – “Guide to Business Continuity Management”
  – March 2003 – Published by the British Standards Institute and sponsored by the BCI
    • Based on the BCI’s Good Practice Guide
    • Pre-standard which may form the basis for an eventual standard
  – Envisioned that organizations who already have processes in place will be asked at some point by their stakeholders to confirm that they comply with PAS 56
  – Provides a framework for incident anticipation and response evaluation techniques and criteria
  – Provides recommendations for good practice
  – www.thebci.org/pas56.html

UK Civil Contingencies Bill of 2005

• UK drafted the Act in January 2004
• Became a UK Regulation in early 2005
  – Addresses various natural and man-made threats, emergencies or disasters
  – Requires “Responders” to perform contingency planning, risk assessment and maintain plans so that “…if an emergency occurs the person or body is able to continue to perform his or her functions”
  – Responders:
    • Category 1: County Councils, District Councils, Police, Fire, Health, Environmental
    • Category 2: Utilities, Transport, Health and Safety
  – http://www.parliament.the-stationery-office.co.uk/pa/cm200304/cmbills/014/2004014.htm
  – Self Assessment tool: http://www.audit-commission.gov.uk/emergencyplanning/index.asp

BCP Acceptance Worldwide

• Insurance Regulations
  – A documented and tested BCP plan is a requirement of many insurance firms
    • Precondition of Insurance
    • Premiums lower for sound, mature, tested BCP programs.

BCP Acceptance Worldwide

• Other Factors
  – Have experienced a disaster in the past – have “felt the pain”
    • Power Outages Worldwide
  – Mandate for BCP plans from other corporations with whom you are doing business
    • Supply chain – diversify
  – Competitive Advantage
  – Avian Pandemic / SARS
  – Fear factor

BCP Acceptance Worldwide

• Corporate Governance
  – WorldCom, Enron, Ansett Airlines, “dot-gones”
    • Directors being held directly responsible for Business Continuity Plans
  – USA: Sarbanes-Oxley Act of 2002
    • Increased standards for corporate governance, transparency and accountability
    • Section 404 focuses on BCP and Operational risk
      – Executives must review internal controls and publish the results of the review
    • Section 409 focuses on prompt disclosure
      – Executives are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations
    • Only applies to publicly traded companies
      – Does apply to Non-USA companies that are listed in the USA
      – Effective for US companies 15 June 2004 and 15 April 2005, depending on the size of the business
      – Effective for non US companies in 2005
    • http://www.soxlaw.com/s802.htm

BCP Acceptance Worldwide

• Corporate Governance
  – The Turnbull Report – 1999 – Institute of Chartered Accountants in England and Wales (ICAEW) – provides guidance to Directors on the “Combined Code of the Committee on Corporate Governance”
    • Compliance is a prerequisite for being listed on the London Stock Exchange
  – Higgs Report – Role of the Board – Proposed to be combined into the UK’s “Combined Code”
    • http://www.dti.gov.uk/cld/non_exec_review/pdfs/higgsreport.pdf
  – King Report on Corporate Governance (King 2): South Africa
    • Company must protect stakeholders from effects of the worst disasters
    • Places BCP responsibility at the Board of Directors level
    • Formal risk assessment at least once per year
  – Australian Stock Exchange – Principles of Good Corp Governance
  – Australia – AS 8000-2003 Principles of Corporate Governance
  – Upcoming Malaysia Regulations for listed companies

Business Continuity Planning

• The Business Impact Analysis
• Plan Development
• Plan Testing
• Incident Management
• Emergency Notification

What is a Business Impact Analysis?

• A business impact analysis (BIA) is the foundation for all business continuity planning programs.
  – It prioritizes your business units and critical processes so that you can identify the timeframes in which they need to be recovered

– It helps executive management develop strategies for managing continuity and recovery

• Without this knowledge, making the right decisions to protect your company's assets is tenuous if not impossible.


What is a Business Impact Analysis (BIA)?

• Objective, management-level analysis tool

• Objective, not subjective

• Deals in Roubles, € , $, £, etc. and business terms that managers understand

• Uses data provided by business function managers, not project team


What kind of information does a BIA provide?

• Financial impacts

• Operational impacts

• Extraordinary expenses

• Current state of preparedness

• Recovery resource requirements

• Competitive Analysis

Questions to be Answered

• What is the magnitude of the potential financial & operational impacts and exposures?
• How quickly do they escalate over time?
• What are the business function interdependencies?
• What is the dependence on technology?
• What resources are required to recover each function?
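Once BIA survey data is collected, these questions can be answered mechanically. The following Python is an added example, not code from the deck or from Strohl Systems; the business function names, impact figures and dependency graph are constructed for illustration. It derives each function's RTO as the deck defines it (the longest outage before impact becomes unacceptable) and shows how a shared dependency, the ERP system here, inherits the tightest RTO of the functions that rely on it.

```python
# Added example (not from the Strohl Systems deck): a small Business Impact
# Analysis (BIA) calculator.  Each function reports how its cumulative impact
# escalates over time; the maximum tolerable impact gives its RTO, and
# interdependencies tighten the RTO of anything other functions rely on.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BusinessFunction:
    name: str
    # Cumulative financial impact (currency units) if the function is still
    # down after the given number of hours.  Constructed survey answers.
    impact_by_hour: Dict[int, float]
    # The largest cumulative loss management will tolerate for this function.
    max_tolerable_impact: float
    # Names of other functions this one cannot operate without.
    depends_on: List[str] = field(default_factory=list)


def raw_rto(fn: BusinessFunction) -> int:
    """RTO in hours for this function alone: the longest surveyed outage whose
    cumulative impact is still within tolerance.  Returns 0 when even the
    shortest surveyed outage is already unacceptable (recover immediately)."""
    rto = 0
    for hours in sorted(fn.impact_by_hour):
        if fn.impact_by_hour[hours] > fn.max_tolerable_impact:
            break
        rto = hours
    return rto


def effective_rtos(functions: List[BusinessFunction]) -> Dict[str, int]:
    """Tighten RTOs along the dependency graph: anything a function depends on
    must be back no later than that function itself.  Relaxes to a fixed point,
    so chains (A -> B -> C) and cycles are handled without special cases."""
    by_name = {f.name: f for f in functions}
    rto = {f.name: raw_rto(f) for f in functions}
    changed = True
    while changed:
        changed = False
        for f in functions:
            for dep in f.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{f.name} depends on unknown function {dep!r}")
                if rto[dep] > rto[f.name]:
                    rto[dep] = rto[f.name]
                    changed = True
    return rto


def recovery_priority(functions: List[BusinessFunction]) -> List[Tuple[str, int]]:
    """Recovery order: shortest effective RTO first; ties broken by the impact
    at the longest surveyed outage (bigger exposure recovers first)."""
    rto = effective_rtos(functions)

    def worst_case(f: BusinessFunction) -> float:
        return f.impact_by_hour[max(f.impact_by_hour)]

    ordered = sorted(functions, key=lambda f: (rto[f.name], -worst_case(f)))
    return [(f.name, rto[f.name]) for f in ordered]


# Constructed BIA survey data for four hypothetical business functions.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Order Entry", {4: 50_000, 8: 120_000, 24: 600_000, 72: 2_500_000},
                     max_tolerable_impact=500_000, depends_on=["ERP System"]),
    BusinessFunction("Payroll", {4: 0, 8: 0, 24: 10_000, 72: 150_000},
                     max_tolerable_impact=100_000, depends_on=["ERP System"]),
    BusinessFunction("ERP System", {4: 0, 8: 5_000, 24: 20_000, 72: 60_000},
                     max_tolerable_impact=1_000_000),
    BusinessFunction("Email", {4: 2_000, 8: 5_000, 24: 30_000, 72: 100_000},
                     max_tolerable_impact=40_000),
]

if __name__ == "__main__":
    # The ERP system's own losses are modest (raw RTO 72 h), but Order Entry
    # needs it back within 8 h, so its effective RTO drops to 8 h.
    for name, hours in recovery_priority(SAMPLE_FUNCTIONS):
        print(f"{name:12s} RTO = {hours:>3d} h")
```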


MS Excel is NOT the Answer to your BIA

• BIA surveys must be designed so they are easy for the recipient to understand and use.

• You must be able to send the BIA surveys and collect the data in a number of ways:

– Interviews

– E-mail

– Over the Internet

• You must be able to validate the data that recipients enter into the survey

• You must be able to easily change the survey to meet the demands of various business departments

• You must be able to easily consolidate the BIA data and provide automated reporting

BIA Professional – Business Impact Analysis

The Goal of Business Continuity Planning

• Protect employees, members, etc. . . PEOPLE!! through controlled emergency recovery.
• Define service alternatives for accomplishing critical applications.
• Minimize the extent of interruption.
• Limit financial losses and hardships.
• Establish customer confidence in a company’s ability to maintain operations.
• Satisfy federal and state compliance regulations.

What’s in a Business Continuity Plan?

[Diagram: the “PLAN” at the centre, surrounded by Time-Frames, Administration, Organization, Alternate Facilities, Recovery Inventories, Responsibilities, Containment, Assessment, Escalation, Notification, Actions and a numbered Priorities list (1. ___ 2. ___ 3. ___ 4. ___)]

Assumptions

• A major disruption will occur
• Planning will be for “worst case” scenario
• Recovery will be executed using only pre-positioned resources and materials from off-site storage
• Recovery readiness is a form of insurance

Plan Development

[Diagram: plan components: Vital Records; Voice & Data Communications; Recovery Processes; Locations; Transportation; Equipment; People; Hardware; Software & Data; Backups; Special Forms & Documentation]

Functions

[Diagram: recovery functions covered by the plan: Damage Assessment; Salvage; Security; Insurance; Travel Arrangements; Personnel Issues; Emergency Purchase; Travel Advances; Facilities – Building(s); Recovery Management; I/S Hardware; I/S Software; Data Communications; Public/Media Relations; Legal; Clerical & Secretarial; I/S Operations; I/S Applications; Voice Communications; LAN Hardware; LAN Software; LAN Applications; PC Support; Facilities – Electrical & Mechanical; Facilities – Furnishings; Vital Records; Data Preservation; Off-Site Storage; Computer Hot Site(s); Alternate Bus. Unit Site(s); Payroll Operations; General Acctg. Operations; Accts. Recv. Operations; Accts. Payable Operations; Mfg. Production Scheduling Opns.; Mfg. Tooling Operations; Mfg. Assembly Operations; Mfg. Quality Assurance Opns.; Executive Offices Operations; Shipping & Receiving Opns.; Human Resources Operations; General Counsel Operations; Sales Operations; Marketing & Advertising Opns.; Inventory Control Operations; Distribution Center Opns.]

+1 610 768-4120 • (800) 634-2016 • www.strohlsystems.com • [email protected]

STROHL PR4 STANDARD

• PREVENTION: Protect corporate assets; Manage risks
• RESPONSE: Manage crisis; Contain damage; Activate Recovery Organisation
• RESUMPTION: Resume time-sensitive operations at alternate site
• RECOVERY: Recover all other operations
• RESTORATION: Repair/restore facilities and contents; Return "Home"

The Recovery Cycle

• RESPONSE: Assessment, Escalation, Declaration
• RESUMPTION: Initial Short-term Continuity
• RECOVERY & RESTORATION: Long-term Continuity, Repair/Replace, Migration, Resume “Normal” Service

Why New Requirements for BCP?

• What’s Changed?
– New threats
– New technology

• As a result there is more regulatory focus on business resumption and a greater emphasis on testing and maintenance

Why New Requirements for BCP?

• Requirement for enterprise-wide planning
• Recovery time objectives – becoming shorter and shorter
• Interdependency
• Technology dependence outside the organization
• Importance of HR

Why New Requirements for BCP?

• Old Assumptions – in the past a business could assume that if the main office was in NY, and the backup was in Chicago, the staff would just fly to the backup location in the event of an unplanned disruption

• New Perspectives – No one ever planned for all airlines being grounded – but it happened.

Source: FFIEC IT Handbook Presentation


What is a BCP Plan?

A collection of resources, actions, procedures, and information that is developed, tested, and held in readiness for use in the event of a major disruption in business operations.

Technology Recovery

• Computer Processing:
– Mainframes/Mini-Computers
– Client/LAN/Servers
– PCs/Terminals

• Voice Communications:
– Consoles
– PBX
– Telephones
– FAX Machines

• Data Communications
• Internet Operations (e-business)
• Special Equipment

MS Word is NOT the Answer to your BCP Plans

• BCP plans are dynamic, constantly changing

– Need to be updated regularly

• Extremely difficult and time consuming to continually update information in MS Word

– Employee Changes, Company Structural reorganisations, application changes

– Need the power and flexibility of a BCP plan built on a relational database

• Plans from various business units should be consolidated to provide a corporate, global, enterprise BCP plan

– No way to do this with MS Word

– Specialised planning solutions provide for the development of an organizational plan hierarchy for summarization and drill down

LDRPS – Living Disaster Recovery Planning System

Test, Test, Test

• You have done your BIA
• You have created a great BCP plan
• Now, how are you going to test it?
– Simulated disaster
• Start small, then expand to include larger portions of your company, finally moving to coordination with vendors, suppliers and your local community

• Automated Tool to help collect and analyze the results of a test

Before and After the Test

• Pre-test Meeting with Disaster Recovery Team
– Identify objectives and the members of the team
– Verify RTOs

• Post Test Review
– Original RTOs versus Actual Recovery Times
– Review Infrastructure Problems
– Review Data Issues
– Identify changes to the plan based on documented issues discovered during the test

• Test, Test, Test

MS Project is NOT the Answer to your Incident Management Needs

• Incident Management is dynamic with many uncertainties

– Must be linked to your BCP Plan

• As the Incident Changes, we must manage those changes

• Plans from various business units should be integrated to act as the basis for your incident management and needs

Incident Manager – Testing and Incident Management

Do you have a plan in place to contact employees prior to a known disaster?

(Chart: Percent of Responses, Yes vs. No, 2005 survey)

If your organisation was to experience a Regional or National disaster, do you feel your plan would be able to withstand wide-scale communication failures?

(Chart: Percent of Responses, Yes vs. No, 2005 survey)

When was the last time you tested your call tree?

(Chart: Percent of Responses, 2005 survey. Categories: Within the last month; Within the last six months; Within the last year; Over one year ago; Never)

Covering All the Bases

1) Utilise a well documented Emergency Notification plan

2) Leverage technology

3) Test your Emergency Notification plan

4) Test your Emergency Notification plan again

5) Establish accurate Emergency Notification reports

6) Implement corrective actions in your Emergency Notification Plan


Increased Need for Effective Crisis Communications

GOALS

• Centralise control of the incident
• Control the message
• Avoid speculation and misinformation
• Set pace and tone for resolution
• Protect people first; assets second

Developing a Communications Plan

An effective plan allows you to focus on solving problems and communicating appropriately.

Pre-Crisis: Warn, Protect, Prevent
Mid-Crisis: Update, Repair
Post-Crisis: Recover, Assure, Improve

Emergency Notification useful before, during, and after disasters

Not just a disaster recovery (after the disaster has struck) tool


Best Practices

• Automate!
• Eliminate rumor
• Prevent loss of important information
• Speed

Manual Call Trees are NOT the Answer to your Emergency Notification Plans

• Informing your stakeholders of a disruption in service or disaster
– Automate the process

• Contact Emergency Response Personnel, suppliers, general employee population

• Contact via phone, Mobile, Pager, SMS, e-mail all simultaneous and within a specified Service Level Agreement (SLA)

NōtiFind, powered by EnvoyWorldWide

Summary

BCP Trends

• Increased Standards
– Industry
– Country
– Corporate Governance

• Globalization of BCP
– Enterprise Continuity Planning

• Greater visibility of Business Continuity Planning issues at the Managing Director and “C” levels of the organization

BCP Trends

• BCP expanding outside of its traditional IT boundaries
• Move toward resiliency (zero down time) versus recovery
• Move toward disaster prevention versus disaster recovery
• BCP is increasingly becoming integrated with corporate functions
– Leading organizations integrating business continuity with risk management

BCP – A Coordinated Effort

• Business Continuity Planners should work with:
– Emergency Response Plans (typically owned by facilities managers)
– Disaster Recovery Plans (typically an IT responsibility)
– Corporate Crisis Management (typically the responsibility of corporate security)
– External Communications (typically the responsibility of the corporate communications organization)

BCP – An Ongoing, Living Process

• BCP is not a project or one time event
• Must be coordinated throughout an organization and include external dependencies.
• Enterprise Continuity Planning – a Corporate Function
• We must not only meet regulatory requirements….
– …we must strengthen corporate governance as a means of gaining competitive advantage in today’s global economy.

Strohl Systems

For the past 18 years, Strohl Systems has been devoted exclusively to the business of providing the world’s finest business continuity planning software and services to a worldwide market.

LDRPS, Strohl’s Business Continuity planning tool, is the cornerstone of the Strohl Systems organization.

It offers:
• a proven methodology
• an existing support network
• an extensive user community

Industries Served - USA

9 out of 10 securities firms

5 out of 6 telecommunication companies

4 out of 5 U.S. insurance companies

4 out of 5 financial institutions

4 out of 5 household goods producers

4 out of 5 aerospace and defense companies

3 out of 5 general retailers

6 out of 10 commercial banks

3 out of 5 computer makers

4 out of 6 energy companies


Industries Served


Strohl Systems, Inc. – Worldwide organization dedicated solely to Business Continuity Planning solutions

Successful Business Continuity Program!!!

(Diagram: Strategy, Up-to-Date Plan, Trained Personnel, Testing)

Strohl’s Worldwide Presence – August 2006

37 Distributors and Resellers covering 79 Countries

Questions?
