How to Derive Value from Business Continuity Planning
Presented by Randall J. Till, Principal
Till Continuity Group
Spring World 2011 Disaster Recovery Journal
March 28, 2011
BCM Challenges
Economic Downturn
Business Continuity Management (BCM):
• BCM funding is limited or shrinking
• BCM doesn't have organizational commitment
• BCM is targeted for reductions
BCM Drivers
Diagram: Release Cycle / Change Process (Development → Testing → Prod. Implementation) → DR Exercise? (Y/N)
  Y: DR Exercise Cycle (Plan Update → Exercise → Publication), 2-4+ weeks
  N: Recovery System Risk Exposure
• BCM updates tied to tests or exercises
• BCM managed as an annual project
Risks:
• Business services and systems are always changing
• BC/DR plans and environments remain unchanged waiting for an exercise date or a project deliverable
BCM Approach
Plan to Pass Audits & Meet Regulatory Compliance: ✓ Poor Investment
Embrace Audits & Exceed Regulatory Compliance: ✓ Valuable Investment
BCM Approach - Siloed Practices
Plans: Risk Management, Crisis Management, Disaster Recovery, Business Continuity
✓ Disjointed
✓ Embroiled in Politics
✓ Lacks Integration
Plan Execution and Coordination
Planning is focused on "How to build the plan".
We don't focus on "How to execute the plan".
Execute on the Fly:
✓ Chaos
✓ Stress
✓ Impacts
Business Continuity Management (BCM) Program
BCM Program components:
• Crisis/Emergency Management (CM/EM)
• Risk Management (RM)
• Disaster Recovery (DR - system recovery)
• Business Continuity (BC - work area recovery)
• BC Program Governance and Management
✓ Each organization is unique
✓ Different levels of responsibility
✓ Each BCM Program is at a different level of maturity
✓ BCM is a long journey
Business Continuity Planning Cycle
BCM Planning Cycle stages: Assess → Prioritize → Plan → Approve → Implement → Train Personnel → Test/Exercise → Maintain Readiness → Address Business Changes → (repeat)
Focus of Today's Discussion
Timeline: J F M A M J J A S O N D 2011, J 2012
BCM Governance: Oversight of BCM Program; Sets Direction and Expectations; Management Buy-in and Endorsement
BCM Planning Cycles: 1. Pre-Cycle, 2. Planning Cycle, 3. Post-Cycle
Planning Processes and Procedures; Deliverables and Time Tables; Planning Cycles for BCM (CM, BC, DR)
Business Continuity Pre-Cycle
BCM Program Governance
BCM Governance: Business Continuity Steering Committee; BCM Strategic Direction
✓ Ownership
✓ Responsibility
✓ Educate
✓ Commitment
✓ Metrics
✓ Reporting Structure
BCM Ownership and Execution
Ownership: Corporate Headquarters, Europe, Asia Pacific, Latin America; IT Headquarters
Business units: Marketing, Sales, Customer Services, Finance, Legal, HR, IT
Facilitation: Business Continuity Planners; Division Coordinators (Primary); Regional Coordinators (Secondary)
Coordination: Business Continuity Management; Business Continuity Planners
Plans: CM Plans, BC Plans, DR Plans
Business Continuity Pre-Cycle Timeline
Timeline: J F M A M J J A S O N D 2011, J 2012
Business Continuity Oversight:
• BC Steering
• BCM Objectives
• 2011 Cycle Deliverables
• 2011 Cycle Communication
Business Continuity Planning Cycles:
• Develop 2011 Objectives
• Develop Planning Strategies
  • Cycle Def.
  • Processes
  • Tools
  • Templates
  • Metrics
• Cycle Kickoff
• Meetings with Coordinators
Business Continuity Planning Cycle
Crisis/Emergency Management (CM/EM)
Crisis Management: Life Safety - First Response
Management of incident:
• Assessment
• Business perspective
• Notification & Assembly
• Communications
• Decisions - Activation
Value of Crisis/Emergency Management
✓ CM Organization & Plans
✓ Enterprise-wide
✓ Assign responsibilities
✓ Setup Command Centers
✓ Train people
✓ Practice roles and procedures
National Incident Management System (NIMS)
Crisis Management Planning Strategies
Office Type | Crisis Management Team Assigned*
Corporate and Core Offices | Corporate Incident Response Team (CIRT); Local Incident Response Teams (LIRT); Initial Assessment Teams (IAT)
Regional and Select Offices (Offices with significant # of people/operations) | Local Incident Response Teams (LIRT); Initial Assessment Teams (IAT)
Smaller Offices | Initial Assessment Teams (IAT)
* Based on ICS Structure
Crisis Management Cycle Matrix
Deliverables | Corporate/Core CIRT/LIRTs | Regional/Select LIRTs | Smaller IATs | Due Dates
CIRT/LIRT Notification Tests | 2 | 2 | 0 | During exercises
CIRT/LIRT Functional Group Training | 1 | 1 | 0 | Apr-Sept
CIRT/LIRT Scenario Based Exercise | 1 | 0 | 0 | NY - 8-30; Dallas - 04/15; SF - 10/20
LIRT Self Exercise | 0 | 1 | 0 | May-Aug
IAT Notification Tests | 3 | 1-2 | 1 | Mar, Jun, Sept
IAT Training | 1 | 1 | 1 | Mar-Jul
IAT Exercises/Self Exercises | 2 | 1-2 | 1 | May-Sept
Business Continuity Planning (BC)
Business Continuity (BC - work area recovery)
Diagram: Business Service → Business Functions → DR Systems
✓ Business service
✓ People
✓ Business function
✓ Department
✓ Processes & procedures
✓ Information
✓ Systems/applications
✓ Technology
✓ Dependencies
✓ Customers
✓ 3rd parties/vendors
Value of Business Continuity
Business Continuity (BC - work area recovery)
✓ Protection of critical assets
✓ Access to critical Business Customer information
✓ Business Interdependencies
✓ Recovery locations
✓ Communications
✓ Business process analysis
✓ Office Infrastructure
✓ Process improvement
BC Planning Strategies
Office Type | BC Planning Levels
Corporate/Core Offices | BC planning at business function level
Regional and Select Offices | BC planning at department level
Smaller Offices | BC planning at office level
Plan Criticality | Recovery Times and Facilities
Essential Plans | Critical business functions, RTO < 7 days; Recovery facilities pre-established
Deferred Plans | Less critical business functions, RTO > 7 days; No recovery facilities established
Business Continuity Planning Cycle
Deliverables | Core | Key | Small | Start Date | End Date
Business Impact Analysis (BIA) Review (Ess/Def) | Y | Y | Y | 1-Mar | 31-Mar
BIA Sign-off by Senior Business Leader | Y | Y | Y | 1-Mar | 31-Mar
Plan Review/Update (Ess/Def) | Y | Y | N/A | 1-Apr | 30-Jun
Business Continuity Manual Review/Update | N/A | Y | Y | 1-Apr | 30-Sep
Plan Roster Review/Update (Ess/Def - Qrtly) | Y | Y | Y | Jan, Apr, Jul, Oct
Work From Home Validation (Ess/Def) | Y | Y | Y | 15-Mar | 31-Jul
Team Activation Exercise (Ess/Def) | Y | Y | Y | 1-Apr | 30-Sep
Plan Walkthrough Exercise (Ess/Def) | Y | Y | N/A | 1-Apr | 30-Sep
Business Recovery Site Exercise (Ess only) | Y | N/A | N/A | Office-1: Jun 21/Sep 13; Office-2: May 17/Aug 7; Office-3: Jun 1/Nov 22
Business Continuity Planning Cycle
Timeline: M A M J J A S O
• BIA Reviews
• BIA Sign-offs
• Plan Review/Updates
• BC Manual Review/Updates
• W-F-H Validation
• Team Notification Tests
• Plan Walkthrough Exercises
• Alternate Site Functional Exercise
• Roster Updates Quarterly
• End-user Training
Disaster Recovery (DR) Planning
Disaster Recovery (DR - system recovery)
• DR Strategy
• Cost Reductions
• DR Testing
• Data Backup
• Networks
Diagram: Primary Site and Alternate Site, each with Shared Disk
Value of Disaster Recovery
✓ Reduce recovery objectives
✓ Reduce loss of data
✓ Improve system design
✓ Utilize DR resources
✓ Enhance operating flexibility
Diagram: Primary Site and Alternate Site, each with DBs
✓ Live Switches
✓ Less Planned Outages
✓ Co-processing
✓ Virtualization
✓ Cloud Computing
DR Planning Strategies
Data Centers | Planning & Exercises
Primary Data Center (Internal Control) | Full DR plans Tier 1 & 2 systems; Full functional exercises Tier 1 systems
Co-location Data Center | DR plans for Tier 1 & 2 systems; Coordinated DR exercises with provider
Outsourced Processing | DR plans oversight and evaluation
DR Plan Criticality | Recovery Times and Facilities
Tier 1 Systems | Critical systems, RTO = 0-3 days; Hot recovery site established
Tier 2 Systems | Critical systems, RTO = 4-14 days; DR plans developed, Warm recovery site
Tier 3 Systems | Critical systems, RTO > 14 days; No recovery site established
Disaster Recovery Planning Cycle
Deliverables | Tier 1 | Tier 2-3 | Start Date | End Date
System Impact Analysis (BIA) Review (Tier 1, 2 & 3) | Y | Y | 1-Mar | 31-Jul
BIA Sign-off by Tech Owner and Business Owner | Y | Y | 1-Mar | 31-Jul
Recovery Plan Reviews | Y | Y | 1-Apr | 31-Oct
Technical Recovery Manual Review/Update | Y | Y | 1-Sept | 31-Oct
Plan Roster Review/Update (Quarterly) | Y | Y | Jan, Apr, Jul, Oct
Team Activation Exercise | Y | Y | 1-Apr | 30-Sep
Plan Walkthrough Exercise | Y | Y | 1-Apr | 30-Sep
Disaster Recovery Exercise (Tier 1) | Y | N/A | Primary DC: Jun/Sep; Secondary DC: May/Aug; Secondary DC: Jul/Oct; Remote DC: Aug; Remote DC: July
Business Continuity Cycle Timeline
Timeline: J F M A M J J A S O N D 2011, J 2012
Business Continuity Oversight:
• BC Steering
• New Requirements
• Escalations to Management
• 2012 Budgets and Plans
Business Continuity Planning Cycles:
• Manage CM, BC, DR Planning Cycles
  • Crisis Management Planning Cycle
  • Business Continuity Planning Cycle
  • Technical Recovery "DR" Planning Cycle
Business Continuity Planning Post-Cycle
BCM Metrics
✓ Gain commitment
✓ Show readiness
✓ Meet compliance
Rating scale: Below Expectations < 6.0; Partially Meets Expectations ≥ 6.0 to < 8.0; Meets Expectations ≥ 8.0
Build Measurements into Cycle
Rating scale: Below Expectations < 6.0; Partially Meets Expectations ≥ 6.0 to < 8.0; Meets Expectations ≥ 8.0
Action plan underway:
• Establish BRP Ownership
• Build management relationships
• Enhance Business Continuity Plans
• Practice & test plans
Measurements Based on BCM Cycles
(Slide shows the three cycle matrices from the Planning Cycle section: Crisis Management Cycle Matrix, Business Continuity Cycle Matrix, Disaster Recovery Cycle Matrix)
BCM Inculcation
System Project: Define Requirements → Design and Develop System → Perform System and Integration Testing → Implement Production System
Recovery activities alongside each project phase: Perform BIA and Update Recovery Matrix → Design and Develop Recovery Capabilities → Test Recovery Capabilities and Develop Plans → Implement Recovery Capabilities → Integrate into Contingency Exercises (Contingency Exercise Suite) → Perform Exercise Assessment → Continue to Maintain the Recovery System & Environment
✓ Assimilation
✓ Reduces Politics
✓ Repeatability
Redesign Testing & Exercise Requirements
System Release Cycle: Requirements → Design → Development → Testing → Production
Recovery System Update Process: Analysis → Plan Update → System Recovery Test
• Recovery System Analysis Meetings
• Recovery Plan Updates
• Procedure Validation
• Owner sign-off on recovery status
Modify Exercise Program:
• Modify exercise approach to focus on Core Business Services
• Conduct Ad-hoc DR Exercises (limit size and scope)
• Test DR Plans for Deferred Systems
Maintenance Processes and Cycles
✓ Automate
✓ Reuse data - single source
✓ Reliable information
✓ Dynamic
✓ Significant Volume of Data
✓ Establish Schedule
✓ Define responsibilities
✓ Develop Streamlined Processes
Business Continuity Post-Cycle Timeline
Timeline: J F M A M J J A S O N D 2011, J 2012
Business Continuity Oversight:
• BC Steering
• BOD Endorsement
Business Continuity Planning Cycles:
• Develop 2011 Reports
• Develop 2012 Objectives
• Emergency Management Planning Cycle; Business Recovery Planning Cycle; Technical Recovery "DR" Planning Cycle
• Plan and Exercise Evaluations
• Maintenance Cycles
Value of BCM Planning Cycle
• Defines Business Continuity Management Program
• Inculcates BCM practices into business culture
• Makes BCM processes consistent & repeatable
• Provides mechanism to educate
• Measurable BCM requirements
• Sets BCM deliverables into business cycles
• Leads to BCM Program Maturity
Business Continuity Cycle - Full Timeline
Timeline: J F M A M J J A S O N D 2011, J 2012
Business Continuity Oversight:
• BC Steering
• 2011 Objectives
• 2011 Cycle Deliverables
• 2011 Cycle Communication
• New Requirements
• Escalations to Management
• BC Steering
• BOD Endorsement
• 2012 Budgets & Plans
Business Continuity Planning Cycles:
• Develop 2011 Objectives
• Develop Planning Strategies
  • Cycle Def.
  • Processes
  • Tools
  • Templates
  • Metrics
• Cycle Kickoff
• Manage CM, BC, DR Planning Cycles
  • Emergency Management Planning Cycle
  • Business Recovery Planning Cycle
  • Technical Recovery "DR" Planning Cycle
• Plan and Exercise Evaluations
• Maintenance Cycles
• Develop 2011 Reports
• Develop 2012 Objectives