Business Continuity Planning Overview
Clarence Elliott, MBCP
What is Business Continuity Planning?
BUSINESS CONTINUITY MANAGEMENT PROGRAM: An ongoing management and governance process, supported by senior management, and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services, through exercising, rehearsal, testing, training, maintenance and assurance.
Source: Disaster Recovery Journal/Disaster Recovery Institute
Benefits of Continuity Planning
• Maintain continuity of operations – stay in business!
• Maintain customer service
• Relocate critical operations quickly
• Minimize financial losses
• Reduce disruptions to critical operations
• Achieve an orderly recovery
• Provide organizational stability
• Limit potential exposure and reduce legal liability
• Lower the probability of occurrence
• Reduce reliance on key personnel
• Protect assets
• Increase the safety of all personnel
• Minimize decision making during the recovery
• Reduce delays during the recovery process
• Provide a sense of security
• Comply with legal, contractual, audits, and government regulations
Elements of Business Continuity Planning – the Complete Program
1. PROJECT INITIATION AND MANAGEMENT
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS
4. BUSINESS CONTINUITY STRATEGIES
5. EMERGENCY RESPONSE AND OPERATIONS
6. BUSINESS CONTINUITY PLANS, IT DR PLAN
7. AWARENESS AND TRAINING PROGRAMS
8. MAINTAIN AND EXERCISE BUSINESS CONTINUITY PLANS
9. PUBLIC RELATIONS AND CRISIS COMMUNICATION, CRISIS MANAGEMENT PLAN
10. COORDINATION WITH PUBLIC AUTHORITIES
All Elements fit together to form a complete Business Continuity Program
BCP is an ongoing process cycle
• Project Initiation & Mgmt
• Risk Analysis
• Business Impact Analysis
• Develop/Maintain Plans: Business, IT etc.
• Exercise Plans
• Emergency Response, Crisis Mgmt
• Awareness, Communication
BCP approach: sequence
These should be done in sequence if at all possible:
1. PROJECT INITIATION AND MANAGEMENT
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS
4. BUSINESS CONTINUITY STRATEGIES
These may be done simultaneously:
• EMERGENCY RESPONSE PLANS
• BUSINESS CONTINUITY PLANS
• IT DR PLAN
• CRISIS MANAGEMENT PLAN
• AWARENESS AND TRAINING PROGRAMS
This follows plan completion:
• MAINTAIN AND EXERCISE BUSINESS CONTINUITY PLANS
• PUBLIC RELATIONS AND CRISIS COMMUNICATION, COORDINATION WITH PUBLIC AUTHORITIES
Consider these as Building Blocks, in Sequence
• PROJECT INITIATION AND MANAGEMENT
• RISK ANALYSIS
• BUSINESS IMPACT ANALYSIS
• BUSINESS CONTINUITY STRATEGIES
• BUSINESS CONTINUITY PLANS, IT PLAN, CRISIS MGMT PLAN, EMERGENCY RESPONSE PLANS
• MAINTAIN AND TEST PLANS
= TOTAL QUALITY BUSINESS CONTINUITY PLAN!
Business Continuity Planning Approach
• Initial Components
  • Project Plan
  • Risk Assessment
  • Business Impact Analysis
  • Review Strategies for Recovery
  • Review Emergency Response Plan
  • Plan for IT Disaster Recovery Plan
  • Plan for Business Continuity Plans
BCP Approach
• Process vs. just a Project
  • Annual Risk Assessment/BIA, plus Plan Reviews
  • Efforts for Next Year identified before budget cycle
  • Annual testing of at least some aspect of the plan
  • BCP Coordination ongoing
BCP Approach
• Next Steps
  • Select Strategy for recovery Business and IT alternate sites etc.
  • Draft Business Continuity/IT Plans
  • Integrate Emergency Response Plans
  • Complete/distribute Plans
  • Exercise Plans
Risk Assessment
Scope:
• Complete a Risk Assessment for the geographic area and facilities. This Risk Assessment will be a site “threats and hazards” assessment.
Methodology:
• Develop a plan for this effort, and Business Continuity Planning overall
• Utilize BCP “Industry Standard” templates for Risk Assessment/Survey
• Customize survey templates, with risks pre-defined
• Keep survey short/concise, yet complete (cover all areas)
• Complete most of survey ourselves, with Facilities input
• Utilize available public information (e.g., VDEM, geographical risk info)
• Review findings with project team, business representatives
• Present findings to management, set stage for next efforts (BIA etc.)
Business Impact Analysis (BIA)
Scope:
• Complete a BIA for the entire organization, all functions. The BIA will be an assessment of business functions, to complement the Risk Assessment. It quantifies financial and operational impacts of disruptions, and helps determine recovery priorities.
Methodology:
• Develop a plan for the BIA, and Business Continuity Planning overall – incorporate project team with business representatives
• Utilize BCP “Industry Standard” templates for BIA/Survey
• Customize survey templates, with areas of analysis and IT applications pre-defined
• Include both business functions and computer applications in analysis
• Keep survey short/concise, yet complete (cover all areas)
• Provide overview (memo, explanation) for Business Unit representatives
• Conduct BIA by Business Unit – survey plus follow-up interview
• Collect data for Business Continuity Plans as part of the BIA
• Minimize business resource requirements
• Verify results with business representatives
• Present findings to management, set stage for next efforts
Emergency Response Plans
• Approach
  • Review existing plan(s)
  • Conduct Physical facility review
  • Collect additional information
  • Incorporate into Business Continuity Plan
  • Review, approve completed plans
  • Publish plans
  • Train employees
  • Test plans
  • Maintain plans
Business Continuity Plan(s)
• Approach
  • Base plan(s) on BIA and Risk Assessment
  • Agree on outline of plan
  • Get plan template
  • Get management guidance/approval
  • Collect information (note – part of BIA)
  • Determine any BCP software use
  • Draft plan(s) – IT and business
  • Review, approve completed plans
  • Publish plans
  • Train employees
  • Test plans
  • Maintain plans