Presentation on theme: "Business Continuity Planning Is Your Company Prepared?"— Presentation transcript:
1Business Continuity Planning Is Your Company Prepared?
2Definitions Business Continuity The process of returning essential services to an acceptable level of operation after a disaster.
3Definitions Business Continuity Plan A set of arrangements and procedures which enable an organization to respond to a disaster and resume its critical operations within a defined time frame.
4Plan ObjectiveThe primary objective of a Business Continuity Plan is to identify what needs to be accomplished immediately after a disaster strikes.
5Why Have A Plan? Responsible thing to do Post 911 How long can you survive?How much does it cost per day?Audit requirement, Federal & State RegulationsCustomers, Alliances, PartnershipsHigh cost of insurance and carrier requirementsIt makes good business sense
6Costs of recovery are significant. Studies show that: StatisticsCosts of recovery are significant. Studies show that:40% of fortune 1000 companies will not be in business two years after disaster strikes, if not properly prepared.
7Survey shows effects of August blackout on US IT systems Among those data centers affected by the outage, there were negative economic effects:2% report that they lost more than $10 million as a result of the outage1% report losses of between $5 million - $10 million3% report losses between $1 million and $5 million7% report losses between $500,000 - $1 million10% report losses of $100,000 - $500,000.Courtesy: Continuity Central
10It is not expected to be “perfect” or “complete” at any point in time. The Recovery PlanA Business Continuity Plan is NEVER a finished document – it evolves as business changes and improves over time.It is not expected to be “perfect” or “complete” at any point in time.
11Do Your Business Recovery Initiatives Satisfy… Auditors?Investors?SEC, IRS, HIPAAClients?Employees?
13Challenges to Implementation Scope of the project seems dauntingMany groups involved - decisions difficultNot viewed as a priority to othersLimited risk perceived (probability low)Budget, budget, budgetTime, time, timeProcrastination
14What to do? Something!If there are limits - use a phased approach to build momentumScale project based on available $, interest & business needAlthough BCPs can be very sophisticated, fundamentals are basicGet something going
15Getting the Plan GoingEstablish a corporate mindset that incorporates Business Continuity Planning into daily work lifeCommon issue for all companiesObjective: begin the dialogBuilds on existing work/groups (safety committee, HR dept, risk management)Solidify plan foundation & improvement cycle
16Do the basicsEnsure your people are cared for & prepared (work & promote family preparedness - emergency kits, contact info, evacuation plans)Care for safety & security needsDefine emergency roles & teamsDevelop a communications planEstablish recovery checklist
17Complete a high-level Business Continuity Plan Formal or informal as is appropriate for your business situation & budgetFrame understanding for your company - for the word “disaster” (Level 1, 2, 3)Identify essential functions & stakeholders (government, customers, children/parents)Develop basic recovery
18Plan, Implement, Practice Test & Improve Written word memorializes the work effort & decisions, creates ability to update planIMPLEMENT!Practice & testIncorporate lessons learnedRevise & update the plan
19Getting Started is just the Beginning Establish a corporate mindset that incorporates Business Continuity planning into daily work lifeDo the basics - (security, safety, roles)Complete a contingency planning analysis, develop critical operations recoveryPlan, Implement, Practice, Test & Improve
20Selling the concept of BCP Vow of secrecy (next time sales calls)Determine situation & your authorityBCP required (regulation, market forces)Authorize or recommend?If Authorize - evaluate needs of business & complete a comprehensive BCPTop down usually easier, or consider...
21Mini Sales Lesson First: Be clear on your objective Objective doesn’t need to be $150KConsider steps to the processObjective might be:get topic on the managers meeting agendafunding for 10 PCs for remote accessagreement that admin does the emergency call list
22Identify decision-makers & stakeholders Start with organization (IT, PR, HR, Risk Management, CFO) & CustomersConsider who you’d call in an emergency - your customers, employees, familyPeople with influence (+/-) can be very powerfulWrite the names down
23Consider objective from the perspective of decision-maker Ask why does it matter to THEM?What advantage does it offer THEM?What does it cost THEM?Intangibles (politics, personalities)This is the KEY - determining needWhat if the person has no need?
24Develop a plan to introduce your idea Consider your approachEvaluate formal/informalPerson/person, indirect, a “meeting”Don’t discount ROI & business logic - it can be a simple problemDetermine timeframe to complete step
25Build common understanding of the business need As you discuss BCP, LISTENLet people offer their suggestions, point of viewDon’t have to build consensus, don’t necessarily have to talk to everyoneKey: Build agreement on business needAcknowledge concerns, frame w/i scope of business needs (deal with objections)
26Advance to the next step Ask for … the funding, a meeting, expand the intranet siteUse the understanding you’ve developed to move forwardAcknowledge objective & limits or boundariesBegin again, with the next need
27Provide positive feedback Make sure the good work is recognizedHelps you build on the successRewards the participantsEstablishes common ownership - supports company’s BCP mindsetKeeps the team going - practice, test ...Manages “second guessing” the project
28Getting BCP Approved Be clear on your objective Identify decision-makers/stakeholdersConsider your objective from the perspective of each decision-makerDevelop a plan to introduce your ideaBuild common understanding of needAdvance to the next stepProvide positive feedback
30Business Continuity Process Business Impact AnalysisRisk AssessmentRisk ManagementRisk MonitoringFFIEC BCP Booklet:
31Business Impact Analysis Determines possible threats to business continuity and possible impact on the institution and the systemShould include analysis of:Impact of uncontrolled, non-specific events on business processes and customersAll critical business functions and departmentsMaximum allowable downtime and acceptable levels of data, operations, and financial losses
32BIA—Business Processes Establish recovery priorities for business processesIdentify:Essential personnelTechnologiesFacilitiesCommunications systemsVital records and dataLegal and regulatory requirements
33BIA—DepartmentsEach department should document mission critical functionsConsider answering questions like:How would the department function if mainframe, network, and/or Internet access were unavailable?What single points of failure exist and how significant are they?What are the critical outsourced relationships and dependencies?
34Risk Assessment“Stress-test” business processes and BIAs using various threat scenariosPrioritize potential business disruptions based on:Severity of occurrenceLikelihood of occurrenceAnalyze threats based on impact to your company and customers
35Risk Assessment—Threats Malicious ActivityFraud, theft, sabotage, terrorism, etc.Natural DisastersFire, floods, severe weather, earthquakes, etc.Technical DisastersCommunications failure, power failure, software or equipment failure, etc.InterdependenciesTelecommunications infrastructure, third parties, etc.
36Risk ManagementDevelop written enterprise-wide plan after BIA and risk assessment—the BCPMake sure it:Is written and distributed to all relevant personnelSpecifically states what immediate steps should be taken during a disruptionIs effective in minimizing service disruptions and financial lossEtc.
40Drivers Responsibility to employees and business Post 911 Financial impact and loss of market shareAudit requirement and regulationsCustomers, Alliances, PartnershipsPerceived as competitive edgeHigh cost of insurance and carrier requirements
41What are the Insurance Issues Insurance carriers were impacted by 911Stock market downturn has reduced profitsEffect on Insurance carriers:Increased premiumsEmphasis on risk control to reduce lossesCompanies are:Reducing coverageSelf-insuring some areas of their businessEnhancing Business Continuity programs
42Risk Management Emphasis What are the risks and threats?InternalExternal - third partiesReview type of coverageWhat are some of the uninsurable risks?What can be mitigated with BCP plans?
43The Approach Holistic view of BCP program that integrates: Risk controlEmergency ResponseCrisis ManagementBusiness ContinuityClaims ManagementRisk Management approach that evaluates risks, costs, uninsurable items, and mitigation methodsPlan for impacts and minimize downtime
441 2 3 4 5 “Stabilize” (0 - 1 hr.) ”Prevent/Mitigate” “Communicate” EMERGENCYRESPONSEPRE-PLANNING,RISK CONTROLIncident“Stabilize”12(0 - 1 hr.)”Prevent/Mitigate”CRISISMANAGEMENT3“Communicate”Incident Examples:TerroristsNetwork IntrusionVirus AttacksHuman ErrorFire, Explosion, Earthquake, Tornado, Flood, and Other Natural DisastersMedical CrisisHazardous Material SpillTheft, VandalismBomb ThreatKidnap and Ransom(1 hr days)BUSINESSCONTINUITY“Recover”4(2 days - mos.)CLAIMS MANAGEMENT“Restoration”5(2 days - )
45What are the Cost Issues? A BCP may help keep property insurance premiums below market costsA BCP program can contain uninsured loss costsIdentify the need for insurance coverage that can not be mitigated by a BCP program
46Minimize Downtime Implement BCP organizational structure Establish Corporate Support TeamConduct scenario based exercises to train employees and executives