Business Continuity Program Overview July 25, 2012 © Level 3 Communications, LLC. All Rights Reserved. Level 3, Level 3 Communications and the Level 3 Communications Logo are either registered service marks or service marks of Level 3 Communications, LLC and/or one of its Affiliates in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service names, product names, company names or logos included herein are the trademarks or service marks of their respective owners.
Events are never on our calendars…
But we can be prepared for them…
How do you prepare for the unplanned ? Implementing a Business Continuity Program (BCP) BCP is … A holistic Program that identifies potential impacts that threaten continuity of business activities A framework for building resiliency capability and effective response Based on standards designed to minimize the impact to customers from unplanned disruptions A discipline that is consistent and repeatable for preparing for and responding to disruptions in a coordinated, timely, and effective manner Based on the key principles of incident prevention, detection, response, recovery and improvement A proactive planning process vs. reacting at time of event Planning for the impacts of caused by any scenario Testing to verify recovery timeframes can be met BCP is a holistic Program that identifies potential impacts that threaten continuity of business activities and provides a framework for building resiliency capability and effective response. It is a standards-based program designed to minimize the impact to customers from unplanned disruptions. BCP is a discipline that is consistent and repeatable and ensures Level 3 is prepared to respond in a coordinated, timely, and effective manner. It is based on the key principles of Incident prevention, detection, response, and recovery, and learning from each event to improve all of those aspects.
Why is BCP Important? Return on investment: Threats/hazards and their impacts are known and risk is mitigated Safeguarding and protecting employees, key stakeholders, and long-term market share Ability to recover from unavoidable disruptions quickly and efficiently 4. Responding to emergency situations in a safe and orderly manner We know without BCP, the hole will be much deeper and it will take longer to get out of it. …. Examples of past events that highlight the value of the BCP Program are hurricanes (preplanning, notification, mobilize resources, restoration) fire in NY Gateway (control of media and customer communications) loss of several drives in the 3Par storage array (Disaster recovery) Customers are also demanding proof we have a standard-s based Program. It is better to have a plan and not need it rather than need it and not have one.
Tests, Exercises and Events How do we Implement BCP? BCP Component Key Deliverables Program Management Program accountability, resource commitment, and continual improvement BIA Determining the criticality of operations for prioritizing the sequence of recovery Risk Assessment Identifying the threats and hazards that could impact critical operations and mitigate risk of loss Develop Strategies Hardening operations to safeguard and maintain critical operations and assets Plan Maintain an incident management structure and planning for responding to and recovering from disruptions Tests, Exercises and Events Training staff, validating planning, managing events, and improving performance The Corporate BCP Program is comprised of the following components: Understanding the business risk and criticalities, Determining our resiliency strategies, Developing and implementing planning Evaluating our response through exercise and maintenance. The life cycle of the Program provides a roadmap for how Functional Groups will progress through various components in executing the Program. It also delineates those components that are strategic which require senior management direction and those that are tactical. The Program incorporates key deliverables for each component of the Program’s life cycle. BCP Program Life Cycle
Program Planning and Response Framework Enterprise Crisis Management Team (Brand Protection) Facility Recovery Teams Exec. Management Functional Groups Site Operations Application Business Operations Regional Incident Management Teams (Coordination Layer) Enterprise Business Continuity Plan (Overarching Strategies) Level 3’s BCP Program model includes: An Enterprise BCP Plan describing how Level 3 prepares for, responds to and recovers from disruptions The top layer represents an enterprise crisis management team, which provides direction for crisis level events to protect the Level 3 brand The middle layer represents the command, coordination and communication over events by providing support to recovery teams The bottom layer represents the site level recovery teams recovering operations, facilities and systems This chart represents the planning and response framework utilized in the Program and how all teams work together. This proactive response and planning structure is put into place and tested. Therefore, when actual events do occur, the Incident Management layer coordinates the tactical recovery of business operations, facilities and applications to ensure recovery time objectives are met. If an event escalates into a crisis, the Crisis Management Team is convened to ensure our corporate brand is adequately protected.
Stakeholders / Dependencies A key element in business continuity planning is identifying essential dependencies. Who do you rely on in order to operate under normal conditions? Who relies on you? It is important to identify these upstream and downstream dependencies in advance to determine your recovery and communication strategies. Coordinate with the essential dependencies you rely on and agree upon how they will support you if they are impacted, and how they will support you if you are impacted. It is also important for you to know who will be impacted if you are unable to maintain normal operations. How will you notify your customers? What is your SLA to your customers and will your recovery strategies meet them? By understanding your dependencies you can determine a more accurate recovery strategy and plan accordingly.
Loss Prevention Strategies Resiliency begins with developing loss prevention strategies The need for implementation of loss strategies is determined based upon several factors: The significance to operations and Level 3’s brand if disrupted How vulnerable resources are to loss The cost of implementing a strategy/solution The consequences of inaction Level 3 maintains strategies for protecting the availability of its: People Facilities and workplace Vital records Data Suppliers/vendors/partners Processes Technology (redundant capability) Applications/systems Communications Network Data centers
How does Level 3 Respond to Events? Plans contain pre-defined activation triggers and activation/notification protocols IM Teams are available 24x7 and trained on their roles and responsibilities When an impending or actual event is identified Level 3 initiates the following actions: Assess impacts Determine if an activation trigger is met Declare an Event Notify and mobilize team Develop recovery goals and action plan Invoke the stakeholder communication plan Manage recovery activities Return to normal operations Conduct post-event review for process improvement process To illustrate the process of how Incident Management teams work, this graphic shows how an event unfolds, is responded to, recovered from, transitioned to business as usual and reviewed for improvements.
Questions?