informa-australia
3
Incident-Emergency-Disaster Management Continuum
• Local Emergency Response
  – Code response
  – Evacuation procedures
  – Interaction with Emergency Services
  – Protection of Staff
  – Communication & Escalation
4
Incident-Emergency-Disaster Management Continuum
• Crisis Management
  – Declaration, Decision Making
  – Resource Allocation
  – Stakeholder & Staff Interaction
  – Dealing with media – distraction & accuracy
5
Incident-Emergency-Disaster Management Continuum
• Business Continuity
  – People
  – Equipment
  – Facilities
  – Documents & Records
  – CBORD & ICT
  – Third Party Suppliers
6
Incident-Emergency-Disaster Management Continuum
• ICT Continuity
  – ICT People
  – ICT System
  – Electronic Data
  – Facilities – (Data Centre)
  – Infrastructure
7
PPRR Risk Management Model
• Prevention – take action to reduce or eliminate the likelihood or impact of an incident
  – Prepare a Risk Management Plan
• Preparation – take steps before an incident to ensure an effective response and recovery
  – Conduct a Business Impact Analysis
• Response – contain, control or minimise impact of an incident
  – Prepare an Incident Response Plan
• Recovery – take steps to minimise disruption and recovery times
  – Develop a Recovery Plan
8
Planning Process – based on BCP
• Consistent with business continuity policy
• Minimum level of products & services acceptable to achieve its objectives
• Measurable
• Take into account applicable requirements
• Monitored and updated regularly
9
Business Continuity Planning
• Holistic management process
• Identifies potential threats to an organisation
• Impact to business operations if threats realised
• Provides a framework for building organisational resilience with capability of an effective response
10
Business Continuity Planning
• Safeguards interests of key stakeholders, reputation, brand, value creating activities/services
• Ensures operational resilience to support the business needs
• Ensures capability to continue to meet customer critical products & services regardless of any operational disruption
• Ensures maintenance of “Business As Usual” management practices
11
Business Continuity Planning
• Key Terms
  – RTO = Recovery Time Objective
  – MAO = Maximum Acceptable Outage
  – RPO = Recovery Point Objective
12
Business Continuity Planning
• Time
  – Time is applicable to every business activity
  – Time sensitive business activities establish the order in which they must be restored.
15
Business Continuity Objectives
• Who will be responsible
• What will be done
• What resources will be required
• When it will be completed
• How results will be evaluated
16
Recovery Strategies Focus
• Business activity Critical Functions
• Recovery issues & assumptions
• Contingencies
• Strategies
17
Strategy Types
• Activity Contingency Strategies
  – Relocation – logistics for moving
  – Workaround – procedures when key resources unavailable
• Resource Recovery Strategies
  – Resource replacement, repair, recovery or alternate capability
18
Strategy Types
• Common Strategies – Resource or Activity Based
  – Link more than one Business Activity or Resource
    • Move business activities to new location
    • Apply some emergency purchasing process to many resources
    • Workaround for a group of Activities
19
Conducting a Business Impact Assessment
• Objective
  – Identify key critical business processes
  – Determine resources & dependencies essential to their operation
20
Conducting a Business Impact Assessment
• Team structure
• Key business objectives
• Critical success factors
• Key business processes – outputs & RTO
• Key staff and work locations
21
Conducting a Business Impact Assessment
• Assess Impact of a process failing
  – Impact relating to whole of business not just business unit
  – Consider impact over <1 day, 1 day, 5 days, 10 days & 30 days
  – Consider Master Service Agreements
  – Assume failure occurs at worst possible time
22
Conducting a Business Impact Assessment
• Financial & legal
• Communication & Information, Facilities & Asset Management
• Customer Service & Operations (Workforce)
• Reputation/Brand (Community expectation Leadership Management)
23
Conducting a Business Impact Assessment
• Emergency & Disaster Response
• People (Safety & Security)
• Customers (Health, Clinical Care & Patient Safety)
25
Process Information
• Business Unit/Department/Process
• Location
• Primary customers
• Description (of output)
• Service level
• Worst time
26
Resources/Dependencies
• Key Staff (Role/Title) – include name if desired/required
• External Suppliers – Supplier & name the process or service
• Internal Suppliers – Supplier & name the process or service
• IT Applications/Systems/Networks
• Vital Records (refers to non-electronic records)
• Other equipment
27
Work Area Requirements
• Resource
• Resource location
• BAU Number
• Description
• Critical process relying on resource
• Telephone re-direction destination number
• Alternate Source
28
From Immediate Action to Recovery Assessment & Activation
• Assess & determine scope of incident and impact
• Advise management & other impacted business units
• Implement response and determine whether to declare a crisis.
29
From Immediate Action to Recovery Assessment & Activation
• Local management determine potential for escalation into a crisis
• Local & senior management decide when to follow Recovery Action Plan
30
From Immediate Action to Recovery Assessment & Activation
• Recovery Action Plan
  – Recovery Immediate Action
    • Task
    • Action
    • Responsibility
    • Timeframe
31
From Immediate Action to Recovery Assessment & Activation
• Recovery Assessment
  – Maintain communication with staff & key stakeholders
  – Determine status of critical processes
  – Evaluate recovery options
  – Confirm recovery strategy priority, schedule, procedure & resourcing
32
From Immediate Action to Recovery Assessment & Activation
• Recovery of Critical Processes
  – Maintain line of communication with staff & key internal stakeholders
  – Update staff on HR policies
  – Salvage equipment & vital records from affected facility
  – Continue processing from alternative recovery site
33
From Immediate Action to Recovery Assessment & Activation
• Resumption (Return to BAU Operations)
  – Review staff welfare
  – Initiate resumption project
  – Identify what can be salvaged
  – Procure office/business space if required
34
From Immediate Action to Recovery Assessment & Activation
• Resumption (Return to BAU Operations)
  – Move from alternate recovery site to new or restored premises
  – Migrate processing from alternative facility
  – Introduction to new facility
  – Communicate with stakeholders
35
Testing Emergency Management & Business Continuity Plans
• Walkthrough
• Tabletop exercise/discussion
• Limited actual exercise – test critical processes & resources
• Complete major exercise e.g. live evacuation