Continuity for the Rest of Us: BC For SMEs. Kathleen A. Lucey, tel: (1) 516.676.9234.

Presentation transcript:


Continuity Trends Since 9/11 in the US: SMEs Need Something Different

Part I: Recent Events Raise the Bar
Part II: How Can SMEs Get What They Want... and What They Need?

Part I: Recent Events Raise the Bar

First, a few effects of 9/11 on downtown Manhattan...
Source: Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003

And a few more...
- Madrid: 3/11/2004
- London: 7/7/2005, 7/21/2005
- Katrina: Louisiana and Gulf Coast, 8/2005
- Rita: Louisiana and Texas, 9/2005
- Earthquake in Pakistan and India: 10/2005
- Wilma: Mexico and Florida, 10/2005
- New Delhi: 10/2005

Post-9/11 Trends
- Politicization of Business Continuity
  – Homeland Security Department includes FEMA
  – Patriot Act
  – Pre-emptive wars: Afghanistan, Iraq
- Results-oriented regulation
  – Inter-agency White Paper
  – NASD regs 3610, 3620
  – Sarbanes-Oxley
- California Law 1386 (2003), NY State Information Security Breach and Notification Act (August 2005)
- Increased BC awareness across most non-regulated sectors, and especially SMEs

What we have learned...
- Effective response is a complex issue, and much larger than data center Disaster Recovery.
- Small and medium-size businesses are largely unprepared, but worry.
- Success = BC + Emergency Management + an ongoing program
- External and intra-industry dependencies have been mostly ignored.
- Resilience is the most effective strategy...and it is an organizational, not just a technical issue.

Trends Today: EFFECTIVE RESULTS?
- Compliance with regulatory checklists is NOT enough.
- Not all responses can be planned.
- Tools and information are necessary but not sufficient.
- The most effective 9/11 responses empowered operating-level people.
- Testing must become MUCH more serious: greater verisimilitude.
- Effective emergency communication is primary: automated notification systems.

Trends Today: SMALL AND MEDIUM-SIZE BUSINESSES ARE VULNERABLE
- Widespread awareness and concern.
- Traditional BC methods are too expensive and seen as unnecessary.
- Tools that are effective AND well-adapted to SME needs are difficult to find.
- Clear need to develop SME baseline standards and techniques.
- Pressure from large customers and/or suppliers can be a driver.

Trends Today: INTER-DISCIPLINARY AND INTER-SECTOR WORK IS NEEDED
- Government sets security levels, but the private sector holds 85% of critical infrastructure.
- Piecemeal solutions with different mindsets and languages:
  – IT: D/R and Technology InfoSec
  – Facilities: Infrastructure, Engineering, and Physical Access Control
  – Emergency and Crisis Management Planning
  – Organizational Planning, Strategic Planning, Social Sciences
  – Internal Audit, External Audit
  – First Responders: insider jargon and procedures

It is not an option to remain where we have been...and where we are.

Trends Today: EXTERNAL AND INTER-INDUSTRY DEPENDENCIES
- Few businesses accomplish all of their critical functions alone:
  – Communications
  – Transportation, supply and distribution
  – Outsourcing
- Contractual penalties are insufficient to guarantee business survival.
- Creativity, planning, and persuasion are all required. WORKING TOGETHER!
- Multiple-sector testing is difficult and expensive. Need more public sector support.

It is not an option to remain where we have been...and where we are.

Trends Today: RESILIENCE
- The power or inherent property of returning to the form from which it is bent, stretched, compressed, or twisted. – of objects or substances
- The power or ability to recover quickly from a setback, depression, illness, overwork, or other adversity. – of people
- The ability of a system to keep working when one or more of its components malfunctions. Also called fault tolerance. – of systems

Part II: Where Can SMEs Get What They Want...and What They Need?

How do SMEs see Continuity? Ask them and they will tell you.

SME Continuity Requires the Proper Event D N A: Definition, Notification, Action

What is DNA? Includes designed processes and tools for:
- Definition of events
- Notification and communication activities required for immediate response
- Action plans to respond to events.

Poor Definition = emergency response tragedies:
- Regional Blackout of August 14, 2003
- Three Mile Island
- 9/11
Definition is key

Notification
Tools and strategies must be:
- Carefully designed for feasibility
- Understood and rehearsed; UP-TO-DATE
- Cover initial interruption management + recovery + return (move)

[Figure: INTERRUPTION MANAGEMENT MODEL. Labels shown in the diagram: Executive Oversight Team; Interruption Management Team; Media Relations Team; Command Center Support Team; Business Continuity Coordination; Business Recovery Coordination; Business Continuity Teams; IT Recovery Coordination; Information Technology Recovery Teams; Initial Interruption Management; Recovery Management; Employee Support; EMT; Government Liaison; Emergency Funding; Physical Security; Transportation, Communications; Site Repair and Restoration; HAZMAT; Admin. Services; Damage Assessment; Emergency Logistics; Site Relocation and Re-creation; Site Repair or Relocate; Purchasing; Insurance Liaison. 2005 Montague Technology Management, Inc. All rights reserved.]

Actions
Implemented Actions and strategies should:
- Be additive: chosen to cover the maximum number of scenarios first.
- Provide the best response to requirements: the right choice.
- Provide a continuity capability that increases measurably over time.

ALL DNA processes must be working to achieve effective continuity.

Where are MOST of the Continuity Challenges?
CONTINUITY ISSUES: Catastrophic Interruptions; Minor Interruptions; Everyday Blips; Process Dysfunctions
BCARE SOLUTIONS: Continuity Availability Reliability Engineering
Core Business Value Chain Processes

BC Jumpstart for SMEs
Steps 1 through 4:
1. Interruption Scenario Class Definitions: Internal and External.
2. Strategies and Tools by Scenario Class: Additive continuity components and interruption avoidance / mitigation measures by scenario class.
3. Gap Analysis: The firm's current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class.
4. Project Plan: Timeline and cost estimates to move forward.

Interruption Scenario Classes: EXTERNAL SCENARIOS
Classes: 1 - minor (a and b) to 5 - catastrophic
External scenario characteristics:
  – Day / time (workday hours, non-working hours)
  – Geographic scope
  – Length of time
  – Premises infrastructure services impact
  – Firm premises damage
  – Injuries to firm personnel
  – Effect on workplace

External Scenario Classes: DURATION OF INTERRUPTION BY CLASS

Class              Length of Interruption
1: Minor           less than 1 day
2: Significant     1-3 days
3: Serious         3-5 days
4: Very serious    5-10 days
5: Catastrophic    10 or more days

Internal Scenario Classes
Specific to each firm and each site. For example:

Class    Description
A        Local equipment failure
B        Local PBX failure
C        Central network outage
D        Workplace violence
E        Supplier outage
F        Disclosure of confidential information
G        Key staff loss
H        Reputational Risk

Benefits for SMEs
1: Avoid the risk.
2: Lower the risk probability.
3: Recover, reduce damages.
- Implement FIRST what is needed for all interruption scenarios.
- Pay attention to the obvious.
- Spread development and costs over time by building to catastrophic, worst-case capability step-by-step.
- Make BC capability progress visible, measurable, understandable, and presentable.

And so what does all of this mean for us as business continuity professionals?

We Need to GROW!
- Accept that current best practices are not the only truth.
- Study the concepts of allied fields; stay open to new ideas. Learn!
- Connect to related disciplines: emergency management, InfoSec, facilities, infrastructure, equipment reliability and physical security...and organizational theory!
- LISTEN....LISTEN.....LISTEN....AND HEAR!

References (1)
- Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Board of Governors of the Federal Reserve System; Office of the Comptroller of the Currency; and Securities and Exchange Commission. Draft (Sep 2002): Final (Apr 2003):
- Report: Crisis, recovery, innovation: responsive organization after September 11, John Kelly, David Stark. Center on Organizational Innovation, Columbia University. New York, NY June
- SEC Approval of NASD Rules 3510 and 3520, including amendments 1-8, as published in the Federal Register, April 7,

References (2)
- Special Report: WTC Tenant Relocation Summary, TenantWise, Inc.,
- *"A Desk on the 20th Floor: Survival and Sense-Making in a Trading Room," Daniel Beunza, David Stark. Working Paper Series, Center on Organizational Innovation, Columbia University. Available online at
- 5 Habits of Highly Reliable Organizations, Keith H. Hammonds, Fast Company Magazine, Issue 58, May 2002, Page
*Note extensive bibliography.

Questions?
Kathleen Lucey, Montague Technology Management, Inc. (1)