Presentation on theme: "Business Continuity Planning For Research and Development Organizations Presented by Steve Davis, Principal, DavisLogic & All Hands ConsultingDavisLogic."— Presentation transcript:
Business Continuity Planning For Research and Development Organizations Presented by Steve Davis, Principal, DavisLogic & All Hands ConsultingDavisLogic All Hands Consulting
Stuff Happens How should you help your company maintain "business continuity" in the wake of disaster?
Are You Ready For Anything? Eighty-one per cent of CEOs say that their company's plans were inadequate to handle the myriad of issues arising from the World Trade Center tragedy
Disaster Causes & Effects Common Causes Man-made Hazards (Deliberate) Riot Bomb Damage Bomb Hoax Terrorists Hacking Man-made Hazards (Accidental) Operator Error Explosion Fire Water Leaks Fire Extinguisher Discharge
Disaster Causes & Effects Common Effects Man-made Hazards (Indirect) Power Failure Telecommunications Failure Smoke Damage Fire Suppression Agents Hardware/Software failure
Disaster Causes & Effects Common Effects Denial of Service Data Loss Loss of Personnel Loss of System Function Lack of Information Denial of Access Compromised or Corrupted Data Damaged Environment Productivity Loss
Disaster Causes & Effects Common Effects Loss of Control Loss of Communication Interrupted Cash Flow Loss of Image Loss of Market Share Costs of Repair Cost of Recovery Lower Morale Loss of Profits
Special Considerations Animals Evacuation - where Ongoing care and feeding Bites/Scratches Hazardous Materials Bio Hazards Radiation Chemicals Alternate Space Wet Labs Power Needs Containment
Terminology Business Continuity Planning
What is Business Continuity Planning? Planning to ensure the continuation of operations in the event of a catastrophic event. Business continuity planning includes the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.
BC Plan Components BCP Disaster Recovery Business Recovery Business Resumption Contingency Planning Objective Critical Computer Apps Critical Business Processes Process Restoration Process Workaround Focus Data Recovery Process Recovery Return to Normal Make Do Example Event Mainframe or server failure Laboratory Flood Building Fire Loss of Application Solution Hot Site Recovery Dry Out & Restart New Equip. New Bldg. Use Manual Process
Create a Business Continuity Management Team Lead by Top Management Project BoD Monitors Regular Status Reporting to Management Broad-based Awareness for Everyone Key Players Senior Officials Facilities/Safety Risk Management Legal Finance/Budget Procurement
Business Continuity Process Assess - identify and triage all threats (BIA) Evaluate - assess likelihood and impact of each threat Mitigate - identify actions that may eliminate risks in advance Prepare – plan for contingent operations Respond – take actions necessary to minimize the impact of risks that materialize Recover – return to normal as soon as possible
Building a BCP Plan
Business Impact Assessment The purpose of the BIA is to: Identify critical systems, processes and functions; Establish an estimate of the maximum tolerable downtime (MTD) for each business process Assess the impact of incidents that result in a denial of access to systems, services or processes; and, Determine the priorities and processes for recovery of critical business processes.
BIA Review Factors All Hazards Analysis Likelihood of Occurrence Impact of Outage on Operations System Interdependence Revenue Risk Personnel and Liability Risks
Risk Analysis Matrix Probability of Likelihood Severity of Consequence High Medium Low MediumHigh Area of Major Concern
Developing Business Continuity Strategies 1. Understand alternatives and their advantages, disadvantages, and cost ranges, including mitigation and mutual aid as recovery strategies. 2. Identify viable recovery strategies with business functional areas. 3. Consolidate strategies. 4. Identify off-site storage requirements and alternative facilities. 5. Develop business unit consensus. 6. Present strategies to management to obtain commitment.
Contingency Planning Process Phases Assessment - organizing the team, defining the scope, prioritizing the risks, developing failure scenarios Planning - building contingency plans, identifying trigger events, testing plans, and training staff on the plan Plan Execution - based on a trigger event, implementing the plan (either preemptively or reactively) Recovery - disengaging from contingent operations mode and restarting primary processes of normal operations by moving from contingency operations to a permanent solution as soon as possible.
Evaluating Alternatives Functionality - provides an acceptable level of service Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan Cost Benefit - cost is justified by the benefit to be derived from the plan
Emergency Management Planning Work with local and regional disaster agencies and business associations Assess special problems with disasters Loss of lifelines Emergency response Review and revise existing disaster plans Look for new areas for disaster plans Include Disaster Recovery Planning
Elements of a Good Plan Prevention, Response, Recovery, Remediation, Restoration Top Priorities addressed first
Elements of a Good Plan Action Plan responsibilities clearly defined Communication alternatives are considered Redundancies are in place
Elements of a Good Plan Product sources are identified Personnel sources are identified
Keys to Success Vulnerabilities Clearly Identified Comprehensive Plan in Place Plan Understood, Communicated and Updated Tested quarterly Adequately funded
Disaster Alert If you have advanced warning: People come first. Provide assistance. Note special needs. Move or secure vital records/high priority items if it can be done safely. Screw plywood over windows or use tape to reduce shattering. Verify master switch shut-off (water, gas, electricity) by trained staff. Secure outdoor objects.
Disaster Alert If you have advanced warning: Move items away from windows and below-ground storage into water-resistant areas. Wrap shelves and storage units in heavy plastic sealed with waterproof tape. Take Emergency Contact Lists, insurance and financial data, inventory, emergency plan and supplies with you. Give instructions on returning to work.
Safety First! Remain calm. Alert staff to potential hazards. Look for loose or downed power lines. Avoid area and report problems to local utility. Look for electrical damage: sparks, broken/frayed wires, burning smell. Turn off electricity at main switch if you can without risk. Shut off water. If you smell gas, open a window and immediately leave the building. Turn off gas if trained to do so. Call gas company at once. Do not reenter the building until declared safe by security or emergency management officials.
Getting Started Off-Site Gather staff off-site to assign tasks and review priorities. Establish a Command Center. Create a secure salvage area with necessary materials. Notify officials of the extent of damage. Establish alternative work sites. Appoint a PIO to report conditions to public and employees. Verify amount and terms of insurance, government assistance, potential funding. Contact service providers for disaster recovery equipment and services. Arrange for repairs as needed.
Stabilize the Building and Environment Do not enter without proper personal protective equipment. Identify structural hazards. Brace shelves. Remove debris. Stabilize vital equipment or experiments. Reduce temperature and humidity at once to prevent mold. Use air conditioning; or commercial dehumidification. In cool, low-humidity weather open windows, use circulating fans. If mold is already present, do not circulate air. Do not turn on heat unless required. Remove standing water and empty items containing water; remove wet carpets and furnishings.
Documentation Once it is safe to enter the building, make a preliminary tour of all affected areas. Do not move objects without documenting their condition. Use a camera to record the condition of property. Make sure images clearly record damage. Make notes and voice recordings to accompany photographs. Keep written records of contacts with insurance agents and other investigators, and decisions on retrieval and salvage. Make visual, written and voice records for each step of salvage procedures.
Retrieval And Protection Leave undamaged items in place if the environment is stable and area secure. If not, move them to a secure, environmentally controlled area. If no part of the building is dry, protect all objects with loose plastic sheeting. Separate undamaged from damaged items. Until salvage begins, maintain each group in the same condition you found it; i.e., keep wet items wet, dry items dry, and damp items damp. Retrieve all pieces of broken objects and label them. Check items daily for mold. If mold is found, handle objects with extreme care and isolate them.
Damage Assessment Notify insurance representative - You may need an on- site evaluation before taking action. Make a rough estimate of the area affected and the extent and nature of damage. A detailed evaluation can slow recovery now. Look for threats to worker safety or collections. Determine status of security systems. Look for evidence of mold. Note how long the materials have been wet and the current inside temperature and relative humidity. Documenting the damage is essential for insurance and will help you with recovery.
Salvage Priorities 1. Irreplaceable items and related documentation. 2. Vital information; employee and accounting records, succession lists, inventories, and data. 3. Other items that directly support your mission. 4. Items that are unique, most used, most vital for research, most representative of subject areas, least replaceable or most valuable. 5. Items most prone to continued damage. 6. Materials most likely to be successfully salvaged.
Indoor Air Quality Failure to remove contaminated materials and to reduce moisture and humidity can present serious long-term health risks. Standing water and wet materials are a breeding ground for microorganisms, such as viruses, bacteria, and mold. They can cause disease, trigger allergic reactions, and continue to damage materials long after the flood. Source: EPA
Some DR Questions Do you have an alternate person for every key function? Do the Fire and Police departments have pre- plans including key contact information? Are your key technology rooms protected from "falling" water? Do each of your locations have emergency cabinets, first-aid kits, and disaster supplies? Do you have off-site storage of critical documents like contact information and forms?
Emergency Response Action Steps The first 48 hours can make the difference. Safety First! Getting Started Off-Site Stabilize the Building & Environment Documentation Retrieval & Protection Damage Assessment Salvage Priorities Adapted from FEMA – handout contains details.
For More Information Contact: Steve Davis, Principal DavisLogic & All Hands DavisLogic.com AllHandsConsulting.com