Business Continuity & IT Disaster Recovery

Donald L. Schmidt, ARM, CBCP, MCP, CBCLA, CEM©
Preparedness, LLC
March 30, 2017
www.preparednessllc.com


What are Business Continuity & IT Disaster Recovery?

■ BUSINESS CONTINUITY: “An ongoing process to ensure that the necessary steps are taken to identify the impacts of potential losses and maintain viable continuity and recovery strategies and plans.” NFPA 1600 www.nfpa.org/1600

■ BUSINESS CONTINUITY MANAGEMENT: “management process that identifies risk, threats, and vulnerabilities that could impact continued operations. Business continuity provides a framework for building organizational resilience and the capability for an effective response.” DRI’s Professional Practices www.drii.org

■ DISASTER RECOVERY: The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster Recovery Journal (DRI’s International Glossary for Resiliency) www.drii.org


Key Elements of a Continuity & Recovery Program

1. Management commitment, direction & support (policy statement)

2. Program management

3. Risk assessment

4. Business impact analysis

5. Resource needs assessment

6. Continuity & recovery strategies

7. Incident management system

8. Education & training

9. Testing & exercises

10. Reviews and continuous improvement


Why is senior management support so important?

■ Provides leadership
■ Approves program resources
■ Ensures people get involved
■ Provides insight into the business
■ Can build a culture of preparedness


Understanding the business is critical!

■ Mission & vision
■ Value stream
■ Profits vs. revenues
■ Growth potential
■ Research & development
■ Customers
■ Regulations
■ Essential services (nonprofits and public sector)
■ What are the priorities?

[Charts: “2015 % Sales”, “Sales 2015-2018 projected”, and “2015 % Profits”, each broken down by Product A, Product B, Product C, and Product D.]


Build a strong team to manage your program

■ Program Coordinator
  ☑ Vested with authority and held accountable
■ Program Committee
  ☑ Management
  ☑ Operations
  ☑ Information Technology
  ☑ Supply Chain Management
  ☑ Facilities Management
  ☑ Quality
  ☑ Finance
  ☑ Sales & Marketing
  ☑ Human Resources
  ☑ EH&S
  ☑ Purchasing
  ☑ …others

Credit: katemangostar Freepik

Risk Assessment; Evaluate planning scenario(s)

■ Make the best possible decisions about loss prevention, hazard mitigation, risk financing, and continuity planning.

■ Identify availability of resources for planning scenarios.


Business Impact Analysis: What’s critical and when?

“Management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity’s resources. The analysis can identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved.” NFPA 1600


■ Identify impacts
  ☑ Lost sales and revenue
  ☑ Loss of customers
  ☑ Customer dissatisfaction
■ Determine minimum acceptable production or service level to avoid unacceptable impacts
■ Identify how quickly minimum level must be restored: “Recovery Time Objective”
■ Assess the Timing of Interruption
  ☑ Customer requirements
  ☑ Peaks in business activity
  ☑ End of month or quarter
  ☑ Deadlines


Recovery Time Objective (RTO)

[Figure: production or service level plotted against time, marking the pre-disaster production or service level, the minimum acceptable production or service level, T disaster, T recovery, the RTO interval, lost production, and production downtime avoided.]


BIA continued: What resources are required?

■ People
■ Facilities
■ Machinery & equipment
■ Internal dependencies
■ Supply chain
■ Vital records
■ Information & communications technology


Conducting the BIA

■ Focus on priorities identified by senior management

■ Identify and agree upon the planning scenario(s) (e.g., loss of facility, supply chain failure, technology or power outage, pandemic, etc.)

■ Provide specific criteria to quantify and qualify impacts and recovery time objectives

1. Develop questionnaires with built-in criteria specific to each function

2. Conduct a workshop to introduce the project and explain how to complete questionnaires

3. Use spreadsheets or a database to compile resource requirements

4. Review questionnaires and interview persons to validate information


BIA Methodology & Process

■ Report
  ☑ Quantify Impacts
  ☑ Recovery Time Objectives
  ☑ Compile Resource Requirements
■ Prioritize Functions, Processes & Applications
■ Conduct Interviews
  ☑ Validate Assumptions
  ☑ Fill-in Gaps in Information
  ☑ Question Criticality
■ Conduct BIA Workshop & Distribute Questionnaires
  ☑ Why is the BIA important?
  ☑ What information is needed?
  ☑ How should questionnaire be completed?
■ Develop Questionnaire
  ☑ Impacts
  ☑ Resources
  ☑ Vital Records
  ☑ Dependencies
  ☑ Workarounds
  ☑ Pending Changes


Continuity & Recovery Strategies

■ Considerations
  ☑ Availability, capability, capacity, and cost of resources
  ☑ Planning scenarios
  ☑ Consistent with assumptions
  ☑ Intellectual property
  ☑ Quality
  ☑ Customer requirements
  ☑ Time to execute
■ Options
  ☑ Work extra shifts
  ☑ Relocate or transfer to a surviving site
  ☑ Displace lower priority operations
  ☑ Inventory management
  ☑ Partnership agreements
  ☑ Outsource
  ☑ Telecommuting
  ☑ Lease space
  ☑ Repair or rebuild


Implementation: IT Disaster Recovery

“Identify the acceptable amount of data loss for physical and electronic records to identify the recovery point objective (RPO)” – NFPA 1600

■ IT Strategies
  ☑ Data backups
  ☑ Application recovery
  ☑ The “cloud”
  ☑ Active-active sites
  ☑ Hot sites
  ☑ Mobile recovery center
  ☑ Equipment procurement and rebuild
■ Scope
  ☑ Enterprise apps
  ☑ Productivity apps
  ☑ Process control systems
  ☑ Building management, security, and other systems
■ Considerations
  ☑ Scope & alignment with business needs
  ☑ Cost
  ☑ Reliability
  ☑ Availability


Training, Testing & Exercises

■ Training
  ☑ Alerting of team
  ☑ Activation of the plan
  ☑ Incident management, roles, responsibilities, lines of authority and lines of succession
  ☑ Coordination internally and externally
  ☑ Continuity strategies and manual workarounds
■ Exercises evaluate plans, procedures, training, and capabilities
■ Testing
  ☑ Data backups and restoration capabilities
  ☑ Failover of systems and equipment
  ☑ IT disaster recovery: validation of the sequence and procedures for restoration of operating systems, applications, and data on specified hardware and networks
  ☑ Recovery strategies
  ☑ Alerting capabilities


Program Reviews & Continuous Improvement

■ Change is constant but does your program keep pace?

■ “Triggers” for program review
  ☑ New/revised regulations
  ☑ Acquisitions and divestitures
  ☑ Changes in operations
  ☑ Changes in infrastructure including technology environment
  ☑ Resource availability or capabilities
  ☑ Funding change
■ Appropriate action to address program deficiencies


Program Development Resources


www.PreparednessLLC.com


For More Information

■ Donald L. Schmidt, ARM, CBCP, MCP, CBCLA, CEM©
  Preparedness, LLC
  (781) [email protected]

©2017 Preparedness, LLC