Gulf Coast Energy International Business Continuity / Disaster Recovery Planning and Design Proposal Prepared by Andrew Rolf, Felipe Torres, Pranay Jaiswal
© IT Consulting LLC. All Rights Reserved. Disaster Recovery Plan IT systems Corporate processes and procedures BCP/DR & Emergency Preparedness Plan Business continuity, emergency management and disaster recovery are interconnected to protect, recover and resume business operations
© IT Consulting LLC. All Rights Reserved. How to initiate a BCP? Perform in-depth review of existing DRP and perform immediate improvements as appropriate. Establish a GCE Project Sponsor and Steering Committee. Establish Business Continuity Definitions, Terms and Assumptions
© IT Consulting LLC. All Rights Reserved. Initiate Business Continuity Management Risk Assessment Business Impact Analysis Strategy Evaluation and Selection BR Organization and Responsibilities Develop Standard Operating Procedures Develop IT Recovery Plans Implement stand-by arrangements Implement Risk Reduction Measures Quality Assurance Stage 1 Initiation Stage 2 Requirements and Strategy Stage 3 Implementation Stage 4 Operational Management Education and Awareness Review and Audit Testing Change Management Training Business Continuity Lifecycle © IT Consulting LLC. All Rights Reserved.
Schedule for BCP/DR (SOW) CURRENT STATE TARGET STATE STABILIZE OPTIMIZE TRANSFORM Project Initiation Scope / Assumptions Schedule Team Contract Review / Validate Existing BCP/DR processes & procedures for ability to meet SLAs Deliverable (RA) Deliverable (BIA) Initiate Risk Assessment (RA) Initiate Business Impact Analysis (BIA) Recommend immediate updates to current procedures as appropriate Plan Annual Exercise Conduct Annual Exercise Periodic Review/ Validate BIAs And DRPs Coordinate Regular DR Tests per SLAs DR not a priority DR plans not updated to meet new business req. Plans not tested DR HW out-dated New BCP/DR Plan Annual Testing Constant Update Periodic BIAs validations Updated HW Management commitment Initiate Strategy Evaluation And Selection Deliverable (SES) Project Planning Project Execution Develop Recovery Plans Develop Procedures Implementation Deliverable (Exercise Result) Hurricane Season Starts Implement Critical Functions
© IT Consulting LLC. All Rights Reserved. Risk and Business Impact Analysis Analysis Team Members –Individuals from each functional business unit –DR consultants from IT Consulting Analysis Team Responsibility –Plan & conduct Risk & Business Impact Analysis –Report findings to management
© IT Consulting LLC. All Rights Reserved. Risk and Business Impact Analysis Data Gathering –Cross-functional analysis –Interviews, Meetings, Questionnaires, Polls –On-site and electronic conferences Data Storage and Distribution –Stored on LAN –Software: Microsoft Office –Distributed by mail, , LAN, face to face
© IT Consulting LLC. All Rights Reserved. Risk Analysis Risk Evaluation Areas –Geographical Locations –Building Composition –Upstream, Downstream, Corporate, & IT Physical access controls and security Computing environments Personal practices Operating practices Backup practices
© IT Consulting LLC. All Rights Reserved. Risk Analysis Items Included in Risk Analysis –List of potential disasters/crisis –Impact to people, assets, environment, reputation –Likelihood of occurrence –Severity rating based on impact and likelihood –Others…
© IT Consulting LLC. All Rights Reserved. Risk Analysis
© IT Consulting LLC. All Rights Reserved. People and Disasters Disaster Awareness and Training –Detailed Evacuation Plans –Evacuation Drills Emergency Communication Processes –Contact Information for All Employees Laptops for Critical Functions
© IT Consulting LLC. All Rights Reserved. Business Impact Analysis Critical Functions Questionnaire –Is function time critical? –Can function be performed at reduced efficiency? –Max time function can be unavailable? –Loss of revenue? –Fines or penalties? –Legal liabilities? –Loss of public image? –Others…
© IT Consulting LLC. All Rights Reserved. Business Impact Analysis Steps in Analysis –Compare to risk analysis –Develop matrix of critical functions, risks, impacts –Review with stakeholders/management
© IT Consulting LLC. All Rights Reserved. Business Impact Analysis
© IT Consulting LLC. All Rights Reserved. Business Impact Analysis
© IT Consulting LLC. All Rights Reserved. Steps for a Disaster Recovery Plan Identify staffing requirements Identifying recovery strategies Selecting recovery strategies Draft Creation of disaster recovery plan Testing the disaster recovery plan
© IT Consulting LLC. All Rights Reserved. Staffing Resources
© IT Consulting LLC. All Rights Reserved. Staffing Resources Time Dedication: Not more than 30% of their total work time should be needed to provide guidance to the IT Consulting Project Team.
© IT Consulting LLC. All Rights Reserved. Time to recover Money Maximum cost of plan Acceptable Downtime Cost (RTO) Loss (RPO) Relationship between RTO, RPO & Cost Recovery Point Objective (RPO): Refers to the point in time to which data must be recovered. Recovery Time Objective (RTO): Refers to the acceptable time period within which the business functions should be restored and made available to ensure normal functioning of the organization. Weeks Days Hrs SecsSecs Hrs Days Weeks DISASTER RPO RTO
© IT Consulting LLC. All Rights Reserved. Identifying Recovery Strategies Computer facilities recovery strategy –Hot sites, Cold sites, Mirror sites, etc Data and documentation recovery strategies –RPO, RTO Department recovery strategies –Business Functions Telecommunication recovery strategies –Voice and Data
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Cost Benefit Analysis
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Cost Benefit Analysis
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Cost Benefit Analysis
© IT Consulting LLC. All Rights Reserved. GCE Global Operations Corporate Headquarters Division Headquarters European Headquarters Asia Pacific Headquarters Houston: Corporate Upstream Downstream Real Estate IT ~4K employees Lockport, LA: Upstream Real Estate IT ~1K employees Brussels: Upstream IT ~200 employees Kuala Lumpur Upstream IT ~150 employees
© IT Consulting LLC. All Rights Reserved. GCE Gulf Coast Operations As Is
© IT Consulting LLC. All Rights Reserved. GCE Corporate IT Group (as-is) Oil Platforms Operations/Support Datacenter Developer Datacenter Support/Op. Personnel Office Developers & PM Office
© IT Consulting LLC. All Rights Reserved. GCE Gulf Coast Operations Redundancy –On-Shore –Off-Shore
© IT Consulting LLC. All Rights Reserved. GCE Gulf Coast Operations Critical Data
© IT Consulting LLC. All Rights Reserved. Oil Platforms Operations/Support Datacenter Developer Datacenter Support/Op. Personnel Office Developers & PM Office Developers & PM Office COLDSITE MIRRORED Operations/Support Datacenter MIRRORED Developer Datacenter Support/Op. Personnel HOTSITE
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Data, Time, and Criticality
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Data, Time, and Criticality –Huge Data Quantity –Low Business Criticality –RTO → Delayed
© IT Consulting LLC. All Rights Reserved. Selecting Recovery Strategies Data, Time, and Criticality –Small Data Quantity –High Business Criticality –RTO → Immediate
© IT Consulting LLC. All Rights Reserved. Steps for a Disaster Recovery Plan Identifying recovery strategies Selecting recovery strategies Draft Creation of disaster recovery plan –Reviews and discussion sessions –Finalize and Sign-off Testing the disaster recovery plan –Initial Test –Subsequent annual tests
Gulf Coast Energy International Business Continuity / Disaster Recovery Planning and Design Proposal
© IT Consulting LLC. All Rights Reserved. Total Project Cost: $3.1 Million –.51% of GCE 2005 Income of $600M –.03% of GCE 2005 Revenue of $10B –Costs based on work completed through DR implementation for Critical systems (June 1, 2007) Project Cost Estimates GCE losses estimated to be $1 Million a day without a comprehensive disaster recovery plan.