Presentation is loading. Please wait.

Presentation is loading. Please wait.

Business Continuity Planning Is Your Company Prepared?

Similar presentations

Presentation on theme: "Business Continuity Planning Is Your Company Prepared?"— Presentation transcript:

1 Business Continuity Planning Is Your Company Prepared?

2 Definitions Business Continuity
The process of returning essential services to an acceptable level of operation after a disaster.

3 Definitions Business Continuity Plan
A set of arrangements and procedures which enable an organization to respond to a disaster and resume its critical operations within a defined time frame.

4 Plan Objective The primary objective of a Business Continuity Plan is to identify what needs to be accomplished immediately after a disaster strikes.

5 Why Have A Plan? Responsible thing to do Post 911
How long can you survive? How much does it cost per day? Audit requirement, Federal & State Regulations Customers, Alliances, Partnerships High cost of insurance and carrier requirements It makes good business sense

6 Costs of recovery are significant. Studies show that:
Statistics Costs of recovery are significant. Studies show that: 40% of fortune 1000 companies will not be in business two years after disaster strikes, if not properly prepared.

7 Survey shows effects of August blackout on US IT systems
Among those data centers affected by the outage, there were negative economic effects: 2% report that they lost more than $10 million as a result of the outage 1% report losses of between $5 million - $10 million 3% report losses between $1 million and $5 million 7% report losses between $500,000 - $1 million 10% report losses of $100,000 - $500,000. Courtesy: Continuity Central



10 It is not expected to be “perfect” or “complete” at any point in time.
The Recovery Plan A Business Continuity Plan is NEVER a finished document – it evolves as business changes and improves over time. It is not expected to be “perfect” or “complete” at any point in time.

11 Do Your Business Recovery Initiatives Satisfy…
Auditors? Investors? SEC, IRS, HIPAA Clients? Employees?

12 Getting Your BCP Plan Started & Sold

13 Challenges to Implementation
Scope of the project seems daunting Many groups involved - decisions difficult Not viewed as a priority to others Limited risk perceived (probability low) Budget, budget, budget Time, time, time Procrastination

14 What to do? Something! If there are limits - use a phased approach to build momentum Scale project based on available $, interest & business need Although BCPs can be very sophisticated, fundamentals are basic Get something going

15 Getting the Plan Going Establish a corporate mindset that incorporates Business Continuity Planning into daily work life Common issue for all companies Objective: begin the dialog Builds on existing work/groups (safety committee, HR dept, risk management) Solidify plan foundation & improvement cycle

16 Do the basics Ensure your people are cared for & prepared (work & promote family preparedness - emergency kits, contact info, evacuation plans) Care for safety & security needs Define emergency roles & teams Develop a communications plan Establish recovery checklist

17 Complete a high-level Business Continuity Plan
Formal or informal as is appropriate for your business situation & budget Frame understanding for your company - for the word “disaster” (Level 1, 2, 3) Identify essential functions & stakeholders (government, customers, children/parents) Develop basic recovery

18 Plan, Implement, Practice Test & Improve
Written word memorializes the work effort & decisions, creates ability to update plan IMPLEMENT! Practice & test Incorporate lessons learned Revise & update the plan

19 Getting Started is just the Beginning
Establish a corporate mindset that incorporates Business Continuity planning into daily work life Do the basics - (security, safety, roles) Complete a contingency planning analysis, develop critical operations recovery Plan, Implement, Practice, Test & Improve

20 Selling the concept of BCP
Vow of secrecy (next time sales calls) Determine situation & your authority BCP required (regulation, market forces) Authorize or recommend? If Authorize - evaluate needs of business & complete a comprehensive BCP Top down usually easier, or consider...

21 Mini Sales Lesson First: Be clear on your objective
Objective doesn’t need to be $150K Consider steps to the process Objective might be: get topic on the managers meeting agenda funding for 10 PCs for remote access agreement that admin does the emergency call list

22 Identify decision-makers & stakeholders
Start with organization (IT, PR, HR, Risk Management, CFO) & Customers Consider who you’d call in an emergency - your customers, employees, family People with influence (+/-) can be very powerful Write the names down

23 Consider objective from the perspective of decision-maker
Ask why does it matter to THEM? What advantage does it offer THEM? What does it cost THEM? Intangibles (politics, personalities) This is the KEY - determining need What if the person has no need?

24 Develop a plan to introduce your idea
Consider your approach Evaluate formal/informal Person/person, indirect, a “meeting” Don’t discount ROI & business logic - it can be a simple problem Determine timeframe to complete step

25 Build common understanding of the business need
As you discuss BCP, LISTEN Let people offer their suggestions, point of view Don’t have to build consensus, don’t necessarily have to talk to everyone Key: Build agreement on business need Acknowledge concerns, frame w/i scope of business needs (deal with objections)

26 Advance to the next step
Ask for … the funding, a meeting, expand the intranet site Use the understanding you’ve developed to move forward Acknowledge objective & limits or boundaries Begin again, with the next need

27 Provide positive feedback
Make sure the good work is recognized Helps you build on the success Rewards the participants Establishes common ownership - supports company’s BCP mindset Keeps the team going - practice, test ... Manages “second guessing” the project

28 Getting BCP Approved Be clear on your objective
Identify decision-makers/stakeholders Consider your objective from the perspective of each decision-maker Develop a plan to introduce your idea Build common understanding of need Advance to the next step Provide positive feedback

29 Building The Business Continuity Plan

30 Business Continuity Process
Business Impact Analysis Risk Assessment Risk Management Risk Monitoring FFIEC BCP Booklet:

31 Business Impact Analysis
Determines possible threats to business continuity and possible impact on the institution and the system Should include analysis of: Impact of uncontrolled, non-specific events on business processes and customers All critical business functions and departments Maximum allowable downtime and acceptable levels of data, operations, and financial losses

32 BIA—Business Processes
Establish recovery priorities for business processes Identify: Essential personnel Technologies Facilities Communications systems Vital records and data Legal and regulatory requirements

33 BIA—Departments Each department should document mission critical functions Consider answering questions like: How would the department function if mainframe, network, and/or Internet access were unavailable? What single points of failure exist and how significant are they? What are the critical outsourced relationships and dependencies?

34 Risk Assessment “Stress-test” business processes and BIAs using various threat scenarios Prioritize potential business disruptions based on: Severity of occurrence Likelihood of occurrence Analyze threats based on impact to your company and customers

35 Risk Assessment—Threats
Malicious Activity Fraud, theft, sabotage, terrorism, etc. Natural Disasters Fire, floods, severe weather, earthquakes, etc. Technical Disasters Communications failure, power failure, software or equipment failure, etc. Interdependencies Telecommunications infrastructure, third parties, etc.

36 Risk Management Develop written enterprise-wide plan after BIA and risk assessment—the BCP Make sure it: Is written and distributed to all relevant personnel Specifically states what immediate steps should be taken during a disruption Is effective in minimizing service disruptions and financial loss Etc.

37 Risk Management—BCP Components
Personnel Decision-making succession, leadership responsibilities, etc. Technology Hardware, software, communications, etc. Data Center Recovery Alternatives Hot site, cold site, geographic diversity, etc. Back-up and Storage Strategies Facilities Communications

38 Risk Monitoring Ensures BCP is viable through testing, independent review (audit), and periodic updating Make sure you: Develop a test plan and Test your BCP! Analyze results Update BCP as necessary

39 Insurance Integration

40 Drivers Responsibility to employees and business Post 911
Financial impact and loss of market share Audit requirement and regulations Customers, Alliances, Partnerships Perceived as competitive edge High cost of insurance and carrier requirements

41 What are the Insurance Issues
Insurance carriers were impacted by 911 Stock market downturn has reduced profits Effect on Insurance carriers: Increased premiums Emphasis on risk control to reduce losses Companies are: Reducing coverage Self-insuring some areas of their business Enhancing Business Continuity programs

42 Risk Management Emphasis
What are the risks and threats? Internal External - third parties Review type of coverage What are some of the uninsurable risks? What can be mitigated with BCP plans?

43 The Approach Holistic view of BCP program that integrates:
Risk control Emergency Response Crisis Management Business Continuity Claims Management Risk Management approach that evaluates risks, costs, uninsurable items, and mitigation methods Plan for impacts and minimize downtime

44 1 2 3 4 5 “Stabilize” (0 - 1 hr.) ”Prevent/Mitigate” “Communicate”
EMERGENCY RESPONSE PRE-PLANNING, RISK CONTROL Incident “Stabilize” 1 2 (0 - 1 hr.) ”Prevent/Mitigate” CRISIS MANAGEMENT 3 “Communicate” Incident Examples: Terrorists Network Intrusion Virus Attacks Human Error Fire, Explosion, Earthquake, Tornado, Flood, and Other Natural Disasters Medical Crisis Hazardous Material Spill Theft, Vandalism Bomb Threat Kidnap and Ransom (1 hr days) BUSINESS CONTINUITY “Recover” 4 (2 days - mos.) CLAIMS MANAGEMENT “Restoration” 5 (2 days - )

45 What are the Cost Issues?
A BCP may help keep property insurance premiums below market costs A BCP program can contain uninsured loss costs Identify the need for insurance coverage that can not be mitigated by a BCP program

46 Minimize Downtime Implement BCP organizational structure
Establish Corporate Support Team Conduct scenario based exercises to train employees and executives

Download ppt "Business Continuity Planning Is Your Company Prepared?"

Similar presentations

Ads by Google