Business Continuity Planning 101

Business Continuity Planning 101
Presented to the Main Line Association for Continuing Education, February 19, 2015

Objectives
By the end of the presentation, the participants should be able to:
- Explain the difference between a Business Continuity Plan and a Disaster Recovery Plan
- List the steps to create a Business Continuity Plan
- List at least three reasons why every business should have a Business Continuity Plan

Why are you here?
- What do you hope to gain from this presentation?
- What are your "burning questions"?

Poll: What is the most frequent cause of business interruptions?

You need a plan, but what kind?
- Business Continuity Plan: concerned with the recovery of people, processes, and property.
- Disaster Recovery Plan: concerned with the recovery of data.
Business Continuity plans usually incorporate Disaster Recovery plans. Disaster Recovery plans do not incorporate Business Continuity plans.

Ten Step Process for Creating a Business Continuity Plan
1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Develop the Business Continuity Strategy
5. Emergency Preparedness and Response

Ten Step Process for Creating a Business Continuity Plan (contd.)
6. Develop and Implement the Plan
7. Awareness & Training Program
8. BC Plan Exercise, Audit, & Maintenance
9. Crisis Communications
10. Coordination with External Agencies

Step 1: Program Initiation
Establish the need for a program:
- Is it required by law or a regulatory body?
- Is it mandated by industry standards?
- Is it required to close any gaps found in an audit?

Program Initiation
A Business Continuity Plan will:
- Help safeguard human life
- Minimize confusion and enable effective decision making during a crisis
- Reduce dependency on specific personnel during a crisis
- Help minimize the loss of assets, revenue, and customers

Business Continuity Program Management
To be successful, a Business Continuity program needs a Steering Committee made up of members of Executive Management and Senior Leaders from throughout the business. The Steering Committee becomes the Crisis Management Team during an event.

Role of the Steering Committee
- Provides oversight and guidance
- Provides resources
- Provides input and approval of the program scope, objectives, and timeframe
- Assists in defining roles and responsibilities
- Provides support for the Business Continuity Planner

Role of the Business Continuity Planner
- Obtains management support
- Gathers relevant information for the program
- Defines the program objectives and scope
- Assesses the project's risks
- Plans the project in detail
- Tracks and reports progress up, over, and down

Step 2: Risk Evaluation & Control
- Identify threats and vulnerabilities and their potential impact on the business
- Evaluate the effectiveness of existing controls and safeguards
- Understand the organization's risk appetite and its exposure to risk and loss
- Implement appropriate controls to prevent, deter, or mitigate risk

Diagram (image not in transcript): the relationship between threats and associated risks, vulnerabilities, controls, impact, and assets.

1st Exercise

Step 3: Business Impact Analysis
The purpose of the Business Impact Analysis (BIA) is to:
- Identify the likely and potential impacts from an event on an organization
- Identify the criteria that will be used to quantify and qualify those impacts
- Identify time-sensitive processes and the requirements to recover them in an acceptable period of time

Criteria to be Quantified and Qualified
- Human Impact
- Customer Impact
- Financial Impact
- Regulatory Impact
- Operational Impact
- Reputational Impact

Establish the BIA process and methodology
- Choose a Business Impact Analysis tool
- Choose a data collection methodology
- Analyze the data to establish the Recovery Time Objective (RTO) for processes and the Recovery Point Objective (RPO) for data
Data analysis will help in establishing the order in which processes should be recovered.

Recovery Time Objective vs Recovery Point Objective
- Recovery Time Objective (RTO): the amount of time between when a business process is interrupted and when it is restored to an acceptable level.
- Recovery Point Objective (RPO): the point in time of the last good off-site backup at the time of the disruption; it identifies the amount of acceptable data loss.

Timeline diagram (image not in transcript): Data Backup, then the RPO window of Initial Data Loss up to the disruption, then Post Disruption Data Loss while the BC Plan is activated, ending with Business restored to acceptable level, which marks the RTO.

2nd Exercise

Step 4: Business Continuity Strategies
2 + 3 = 4
Based on the information gathered in Steps 2 & 3, you can now begin to develop strategies to recover your operations.

Examples of Business Continuity Strategies
- Develop manual work-around procedures
- Have staff work from home
- Contract with 3rd party service providers
- Transfer work to a surviving site

Assess the viability of the strategies against the BIA
- What are the advantages?
- What are the disadvantages?
- What are the results of a cost/benefit analysis?

3rd Exercise

Step 5: Emergency Preparedness & Response
How will the organization respond to an emergency situation?
An emergency response plan documents how the organization will respond to an emergency in a coordinated, effective, and timely manner.

Identify applicable emergency response regulations
- FEMA
- Department of Homeland Security
- State Office of Emergency Preparedness
- County/City Emergency Preparedness agencies

Identify potential types of emergencies and their impact
- Causes: Natural, Human, Technological
- Impacts: Casualties, Property Damage, Operational Interruption, Environmental Contamination

Is it a Disruption or a Disaster?
Disruption:
- Incident duration is less than your RTO
- Impacts are limited and controlled
- Disruption has a small financial impact
Disaster:
- Incident duration is greater than your RTO
- Impacts are extensive and outside of your control
- Disaster has a major financial impact
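To make the BIA outputs concrete, here is an added example (not from the presentation) that models a few constructed processes with their RTO, RPO, and off-site backup interval, orders them for recovery by RTO, flags backup schedules that cannot meet the RPO, and applies the disruption-versus-disaster test of comparing outage duration with the RTO. All process names and values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample BIA data: each time-sensitive process with its
# RTO (restore deadline), RPO (tolerable data loss) and backup interval.
@dataclass(frozen=True)
class Process:
    name: str
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective
    backup_interval: timedelta  # how often its data is backed up off-site

SAMPLE_PROCESSES = [
    Process("order entry", timedelta(hours=4), timedelta(hours=1), timedelta(hours=1)),
    Process("payroll", timedelta(days=2), timedelta(days=1), timedelta(days=1)),
    Process("email", timedelta(hours=8), timedelta(hours=4), timedelta(hours=12)),
]

def recovery_order(processes):
    """Sort by RTO so the processes with the least slack are recovered first."""
    return [p.name for p in sorted(processes, key=lambda p: p.rto)]

def rpo_gaps(processes):
    """Processes whose backup interval exceeds their RPO: a disruption just
    before the next backup would lose more data than the BIA allows."""
    return [p.name for p in processes if p.backup_interval > p.rpo]

def classify_incident(process, interrupted_at, restored_at):
    """Disruption if the outage stays within the RTO, disaster if it exceeds it."""
    outage = restored_at - interrupted_at
    return "disaster" if outage > process.rto else "disruption"

def initial_data_loss(last_backup_at, interrupted_at):
    """Data loss window: time between the last good off-site backup and the disruption."""
    return interrupted_at - last_backup_at

if __name__ == "__main__":
    print("recovery order:", recovery_order(SAMPLE_PROCESSES))
    print("backup schedules that miss their RPO:", rpo_gaps(SAMPLE_PROCESSES))
    start = datetime(2015, 2, 19, 9, 0)
    print(classify_incident(SAMPLE_PROCESSES[0], start, start + timedelta(hours=6)))
```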

Develop an Incident Management System
- Have clear lines of authority and succession
- Responsible for internal and external resources
- Protocols and procedures for escalation
- Procurement of additional resources

Step 6: Develop & Implement your Business Continuity Plan
The Business Continuity Plan is a set of documented processes and procedures that enable the organization to continue or recover time-sensitive processes at an acceptable level within an acceptable time frame.

Design the Framework
- Organization of the plan
- Teams needed to provide information for the plan
- Types of plans to be documented: Damage Assessment Plan, Technology Recovery Plan, Business Continuity Plan
- Planning scenarios to be used in developing the plan: Loss of Building, Loss of People

Plan the Table of Contents
- Introduction
- Policy Statements: for the Business Continuity Plan, for Confidentiality
- Scope and Objectives, tied to the organizational strategy
- Identification of time-sensitive processes and technology
- Assumptions and exclusions
- Recovery team descriptions, organization, and responsibilities
- Plan activation procedures

4th Exercise

Step 7: Training and Awareness Programs
A Training and Awareness Program will establish and maintain the means to keep the Program top of mind and to ensure the organization's staff are trained to effectively respond to an event.

Where to Start?
- Obtain Senior Management support
- Secure a training budget
- Define the program management approach and implementation timeline
- Obtain the commitment of the managers and staff who will implement the Business Continuity plan

Step 8: BC Plan Exercise, Audit & Maintenance
To continue to be effective, a Business Continuity Plan should be exercised at least annually to ensure that it can be properly and effectively implemented. The Plan needs to be maintained on a regular basis to ensure the information it contains is current. The Plan should be audited to ensure its completeness, accuracy, and compliance with internal and external policies.

Where to start a Business Continuity Exercise Program?
- Get executive sponsorship
- Identify the participants, their roles, and their responsibilities
- Define the objectives of the exercise program
- Select appropriate, plausible scenarios
- Schedule and conduct the exercise/test
- Conduct a post exercise/test review

Types of Exercises
- Life Safety
- Table Top Review
- Table Top Exercise
- Call Notification
- Alternate Site Activation
N.B. Tests are done with hardware/software. Exercises are done with people.

Establish a Plan Maintenance Program
- Define the method and schedule
- Define the change control process

Establish a Business Continuity Plan Audit Process
- Create a schedule for self-assessment
- Prepare to support other audits: Internal Audit Staff, Federal or State Regulators, companies for which your organization is a vendor

5th Exercise

Step 9: Crisis Communications Program
The purpose of the Crisis Communications program is to ensure effective, timely, consistent communications between the organization and all stakeholders during a crisis.

Where to Start?
- Obtain executive support for the program
- Define the scope, objectives, and program structure
- Review any existing plans and identify any gaps
- Establish the roles and responsibilities of the Crisis Communications Team
- Identify all the stakeholders in the Crisis Communications process

Crisis Communications Plan Elements
- A public relations policy and procedure, including a social media policy
- Organizational profile with details on the core business(es)
- Reference files on potential crises
- Position statements
- Call and emergency contact lists
- Designated spokesperson(s)
- Media directory
- Media contact log
- Contacts for government agencies

Exercise and Update the Crisis Communications Plan
- Determine the frequency of review
- Establish a schedule to exercise the plan
- Review the results of each exercise
- Implement a change control process

Step 10: Coordinate with External Agencies
The reason for coordinating with external agencies is to establish the policies and procedures to coordinate the response, continuity, and recovery activities with external local, state, and federal agencies.

Why coordinate with external agencies?

To coordinate with external agencies:
- Identify and create emergency preparedness and response procedures
- Identify all applicable regulations (local, state, federal)
- Review your emergency procedures with external agencies

Ten Step Process for Creating a Business Continuity Plan
1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Develop the Business Continuity Strategy
5. Emergency Preparedness and Response

Ten Step Process for Creating a Business Continuity Plan (contd.)
6. Develop and Implement the Plan
7. Awareness & Training Program
8. BC Plan Exercise, Audit, & Maintenance
9. Crisis Communications
10. Coordination with External Agencies

Questions?

Thank You!