Business Continuity Planning Is Your Company Prepared?
Definitions. Business Continuity: The process of returning essential services to an acceptable level of operation after a disaster.
Definitions. Business Continuity Plan: A set of arrangements and procedures which enable an organization to respond to a disaster and resume its critical operations within a defined time frame.
Plan Objective: The primary objective of a Business Continuity Plan is to identify what needs to be accomplished immediately after a disaster strikes.
Why Have A Plan? Responsible thing to do; Post 9/11; How long can you survive? How much does it cost per day? Audit requirement, Federal & State Regulations; Customers, Alliances, Partnerships; High cost of insurance and carrier requirements; It makes good business sense.
Statistics: Costs of recovery are significant. Studies show that 40% of Fortune 1000 companies will not be in business two years after disaster strikes, if not properly prepared.
Survey shows effects of August blackout on US IT systems. Among those data centers affected by the outage, there were negative economic effects: 2% report that they lost more than $10 million as a result of the outage; 1% report losses of between $5 million - $10 million; 3% report losses between $1 million and $5 million; 7% report losses between $500,000 - $1 million; 10% report losses of $100,000 - $500,000. Courtesy: Continuity Central
TYPES OF DISASTERS
The Recovery Plan: A Business Continuity Plan is NEVER a finished document – it evolves as business changes and improves over time. It is not expected to be perfect or complete at any point in time.
Do Your Business Recovery Initiatives Satisfy… Auditors? Investors? SEC, IRS, HIPAA; Clients? Employees?
Getting Your BCP Plan Started & Sold
Challenges to Implementation: Scope of the project seems daunting; Many groups involved - decisions difficult; Not viewed as a priority to others; Limited risk perceived (probability low); Budget, budget, budget; Time, time, time; Procrastination
What to do? Something! If there are limits - use a phased approach to build momentum; Scale project based on available $, interest & business need; Although BCPs can be very sophisticated, fundamentals are basic; Get something going
Getting the Plan Going: Establish a corporate mindset that incorporates Business Continuity Planning into daily work life; Common issue for all companies; Objective: begin the dialog; Builds on existing work/groups (safety committee, HR dept, risk management); Solidify plan foundation & improvement cycle
Do the basics: Ensure your people are cared for & prepared (work & promote family preparedness - emergency kits, contact info, evacuation plans); Care for safety & security needs; Define emergency roles & teams; Develop a communications plan; Establish recovery checklist
Complete a high-level Business Continuity Plan: Formal or informal as is appropriate for your business situation & budget; Frame understanding for your company - for the word disaster (Level 1, 2, 3); Identify essential functions & stakeholders (government, customers, children/parents); Develop basic recovery
Plan, Implement, Practice, Test & Improve: Written word memorializes the work effort & decisions, creates ability to update plan; IMPLEMENT! Practice & test; Incorporate lessons learned; Revise & update the plan
Getting Started is just the Beginning: Establish a corporate mindset that incorporates Business Continuity planning into daily work life; Do the basics - (security, safety, roles); Complete a contingency planning analysis, develop critical operations recovery; Plan, Implement, Practice, Test & Improve
Selling the concept of BCP: Vow of secrecy (next time sales calls); Determine situation & your authority; BCP required (regulation, market forces); Authorize or recommend? If Authorize - evaluate needs of business & complete a comprehensive BCP; Top down usually easier, or consider...
Mini Sales Lesson. First: Be clear on your objective. Objective doesn't need to be $150K; Consider steps to the process; Objective might be: get topic on the managers' meeting agenda; funding for 10 PCs for remote access; agreement that admin does the emergency call list
Identify decision-makers & stakeholders: Start with organization (IT, PR, HR, Risk Management, CFO) & Customers; Consider who you'd call in an emergency - your customers, employees, family; People with influence (+/-) can be very powerful; Write the names down
Consider objective from the perspective of decision-maker: Ask why does it matter to THEM? What advantage does it offer THEM? What does it cost THEM? Intangibles (politics, personalities); This is the KEY - determining need; What if the person has no need?
Develop a plan to introduce your idea: Consider your approach; Evaluate formal/informal; Person/person, indirect, a meeting; Don't discount ROI & business logic - it can be a simple problem; Determine timeframe to complete step
Build common understanding of the business need: As you discuss BCP, LISTEN; Let people offer their suggestions, point of view; Don't have to build consensus, don't necessarily have to talk to everyone; Key: Build agreement on business need; Acknowledge concerns, frame w/i scope of business needs (deal with objections)
Advance to the next step: Ask for … the funding, a meeting, expand the intranet site; Use the understanding you've developed to move forward; Acknowledge objective & limits or boundaries; Begin again, with the next need
Provide positive feedback: Make sure the good work is recognized; Helps you build on the success; Rewards the participants; Establishes common ownership - supports company's BCP mindset; Keeps the team going - practice, test...; Manages second guessing the project
Getting BCP Approved: Be clear on your objective; Identify decision-makers/stakeholders; Consider your objective from the perspective of each decision-maker; Develop a plan to introduce your idea; Build common understanding of need; Advance to the next step; Provide positive feedback
Building The Business Continuity Plan
Business Continuity Process: Business Impact Analysis; Risk Assessment; Risk Management; Risk Monitoring. FFIEC BCP Booklet:
Business Impact Analysis: Determines possible threats to business continuity and possible impact on the institution and the system. Should include analysis of: Impact of uncontrolled, non-specific events on business processes and customers; All critical business functions and departments; Maximum allowable downtime and acceptable levels of data, operations, and financial losses
BIA - Business Processes: Establish recovery priorities for business processes. Identify: Essential personnel; Technologies; Facilities; Communications systems; Vital records and data; Legal and regulatory requirements
BIA - Departments: Each department should document mission critical functions. Consider answering questions like: How would the department function if mainframe, network, and/or Internet access were unavailable? What single points of failure exist and how significant are they? What are the critical outsourced relationships and dependencies?
Risk Assessment: Stress-test business processes and BIAs using various threat scenarios. Prioritize potential business disruptions based on: Severity of occurrence; Likelihood of occurrence. Analyze threats based on impact to your company and customers
Risk Assessment - Threats: Malicious Activity: Fraud, theft, sabotage, terrorism, etc.; Natural Disasters: Fire, floods, severe weather, earthquakes, etc.; Technical Disasters: Communications failure, power failure, software or equipment failure, etc.; Interdependencies: Telecommunications infrastructure, third parties, etc.
Risk Management: Develop written enterprise-wide plan after BIA and risk assessment - the BCP. Make sure it: Is written and distributed to all relevant personnel; Specifically states what immediate steps should be taken during a disruption; Is effective in minimizing service disruptions and financial loss; Etc.
Risk Management - BCP Components: Personnel: Decision-making succession, leadership responsibilities, etc.; Technology: Hardware, software, communications, etc.; Data Center Recovery Alternatives: Hot site, cold site, geographic diversity, etc.; Back-up and Storage Strategies; Facilities; Communications
Risk Monitoring: Ensures BCP is viable through testing, independent review (audit), and periodic updating. Make sure you: Develop a test plan and Test your BCP! Analyze results; Update BCP as necessary
Drivers: Responsibility to employees and business; Post 9/11; Financial impact and loss of market share; Audit requirement and regulations; Customers, Alliances, Partnerships; Perceived as competitive edge; High cost of insurance and carrier requirements
What are the Insurance Issues? Insurance carriers were impacted by 9/11; Stock market downturn has reduced profits. Effect on Insurance carriers: Increased premiums; Emphasis on risk control to reduce losses. Companies are: Reducing coverage; Self-insuring some areas of their business; Enhancing Business Continuity programs
Risk Management Emphasis: What are the risks and threats? Internal; External - third parties; Review type of coverage; What are some of the uninsurable risks? What can be mitigated with BCP plans?
The Approach: Holistic view of BCP program that integrates: Risk control; Emergency Response; Crisis Management; Business Continuity; Claims Management. Risk Management approach that evaluates risks, costs, uninsurable items, and mitigation methods; Plan for impacts and minimize downtime
[Diagram: BCP program timeline around an incident.] Phases: Pre-Planning, Risk Control; Emergency Response; Crisis Management; Business Continuity. Time frames shown after the incident: (0 - 1 hr.); (1 hr. - 3 days); (2 days - mos.). Goals: Prevent/Mitigate; Stabilize; Communicate; Recover. Claims Management: Restoration (2 days - ). Incident examples: Terrorists; Network Intrusion; Virus Attacks; Human Error; Fire, Explosion, Earthquake, Tornado, Flood, and Other Natural Disasters; Medical Crisis; Hazardous Material Spill; Theft, Vandalism; Bomb Threat; Kidnap and Ransom
What are the Cost Issues? A BCP may help keep property insurance premiums below market costs; A BCP program can contain uninsured loss costs; Identify the need for insurance coverage that cannot be mitigated by a BCP program
Minimize Downtime: Implement BCP organizational structure; Establish Corporate Support Team; Conduct scenario-based exercises to train employees and executives