Business Continuity Planning
Outline
- Why BCP?
- BCP Phases
- CLIENT Lessons Learned
Why BCP? Definitions
- Business Continuity Plan (BCP): restoration of critical business processes to an acceptable level of service in an acceptable period of time
- Disaster Recovery Plan (DRP): restoration of information systems resources
- Recovery Planning: BCP and DRP
Why BCP? Definitions (Continued)
- Risk: the possibility that an event will occur and adversely affect the achievement of objectives
- Vulnerability: likelihood of success of a threat due to openness or susceptibility to attack
- Threat: frequency of potentially adverse events
- Risk = Threat x Vulnerability x Asset Value
Why BCP? Risks
- Technology: virus, system failure
- Natural
- Man-made: airports, pipeline, utilities failure, HVAC, gas leak
- Human: terrorism, civil riot, labor stoppage
Why BCP? Risk Statistics
- Q: How many organizations have reported external system penetration? (99% of organizations have firewalls; more than 75% of organizations have IDS.)
  A: 65% reported external system penetration.
- Q: How many organizations have reported malware problems? (99% of organizations use anti-virus software.)
  A: 82% reported malware problems.
Source: Computer Security Institute/FBI Survey
Why BCP? Risk Examples
- Major Financial Institution: A bank employee was transporting digital media on a commercial flight and accidentally left them on the plane. The records contained 1.2 million credit card records for federal employees, including 60 US Senators. (WSJ, March 2005)
- Global Financial Services Firm: A terminated employee of a major financial company planted a "logic bomb" in the central database. Over 10 billion files were deleted, leading to over $3 million in remediation costs. (August 2004, Secret Service/Carnegie Mellon Report)
Why BCP? Risk (Continued)
Remember that these are just the organizations that REPORTED incidents. In reality ALL organizations have been affected by these problems.
Largest types of losses:
- Theft of proprietary information
- Fraud (financial reporting)
Why BCP? Who Cares?
- Regulators: FFIEC
- Auditors: GT
- Customers
- Employees
- Stakeholders
- Service subscribers
BCP Phases
1. Business Impact Analysis (BIA)
2. Risk Assessment (RA)
3. Risk Management (create the BCP plan)
4. Risk Monitoring (test and update)
BCP Phases: Business Impact Analysis – FFIEC Requirements
A business impact analysis (BIA) is the first step in developing a BCP. It should include:
- Identification of the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers;
- Consideration of all departments and business functions, not just data processing; and
- Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial losses.
Source: FFIEC Business Continuity Booklet, March 2003
BCP Phases: Business Impact Analysis – Steps
1. Process identification
2. BIA workshop
3. Detailed interviews
4. BIA report
BCP Phases: Business Impact Analysis – Process Identification
- Identify functions (departments). Examples: HR, Accounting, IT, Compliance, Operations, Marketing
- Identify owners
- Identify all function processes
- Functions will be excluded during RA based on prioritization
BCP Phases: Business Impact Analysis – BIA Workshop
Invite attendees:
- All function owners
- Upper Management
Topics:
- Introduction of BCP
- Objective of BIA
- Detailed interview process
BCP Phases: Business Impact Analysis – Detailed Interviews
- Understand the process
- Identify operational impacts
- Quantify financial impact
- Define Recovery Time Objective (RTO)
- Define Recovery Point Objective (RPO)
- Identify process requirements (people, systems, documents, communication, vendors)
Example: Detailed Interview Documentation (two example slides; the slide images are not reproduced here)
BCP Phases: Business Impact Analysis – BIA Report
Objectives:
- Document detailed interviews and inventories of requirements
- Process owner review of documentation
- Summarize impacts identified during interviews
- Prioritize processes based on RTOs: A = RTO < 5; B = 5 < RTO < 15; C = RTO > 15
BCP Phases: Risk Assessment – FFIEC Requirements
The risk assessment is the second step in developing a BCP. It should include:
- A prioritization of potential business disruptions based upon severity and likelihood of occurrence;
- A gap analysis comparing the institution's existing BCP, if any, to what is necessary to achieve recovery time and point objectives; and
- An analysis of threats based upon the impact to the institution, its customers, and the financial markets, not just the nature of the threat.
Source: FFIEC Business Continuity Booklet, March 2003
BCP Phases: Risk Assessment – Steps
1. Risk identification
2. RA workshop
3. Risk assessment matrix
4. Gap analysis (N/A for CLIENT)
5. Contingency plan matrix
BCP Phases: Risk Assessment – Risk Identification
Resources:
- FEMA: historical disasters per state; types of disasters
- FDIC: pandemic flu
- News/research studies
- Tsunami in Utah?
BCP Phases: Risk Assessment – RA Workshop
Invite attendees:
- Only function owners for A and B processes
- Upper Management
Topics:
- Debrief BIA and process prioritization
- Introduction to risk
- Discussion of types of risk
- Contingency plan matrix process
BCP Phases: Risk Assessment – Risk Assessment Matrix
Purpose: prioritize potential business disruptions based upon severity and likelihood of occurrence
- Document for each significant location
- Identify likelihood for identified risks
- Identify level of impact for identified risks
- Identify restoration time required for identified risks
- Calculate risk level (High, Medium, Low)
- Involve BCP Officer and obtain feedback
Example: Risk Assessment Matrix Key (slide image not reproduced here)
Example: Risk Assessment Matrix (slide image not reproduced here)
BCP Phases: Risk Assessment – Contingency Plan Matrix
Purpose: analyze threats based upon impact to the institution
- Document impact, long-term (LT) action, short-term (ST) action, and potential problems
- For A and B processes only
- For HIGH and MEDIUM risk scenarios only
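The BIA prioritization by RTO, the risk-level calculation and the two contingency plan matrix filters from the slides above, worked through as an added Python example that is not part of the presentation. It assumes RTO is expressed in days, that the boundary values 5 and 15 fall into the longer class, and a simple likelihood-times-impact scoring for High/Medium/Low, since the deck's own matrix key is only an image.

```python
# Added example (not from the presentation): BIA prioritization by RTO, risk
# level calculation and contingency plan matrix scoping. RTO unit (days), the
# boundary handling at 5 and 15, and the likelihood x impact scoring are assumed.
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    rto_days: float  # Recovery Time Objective from the detailed interview (assumed unit: days)

@dataclass
class RiskScenario:
    location: str
    threat: str
    likelihood: int  # assumed 1..3 scale (rare .. likely)
    impact: int      # assumed 1..3 scale (minor .. severe)
    restoration_days: float

def priority_class(rto_days):
    """Slide rule A = RTO < 5, B = 5 < RTO < 15, C = RTO > 15; 5 and 15 go to the longer class."""
    if rto_days < 5:
        return "A"
    return "B" if rto_days < 15 else "C"

def risk_level(scenario):
    """Assumed scoring: likelihood x impact; 6+ High, 3-5 Medium, else Low."""
    score = scenario.likelihood * scenario.impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def contingency_plan_scope(processes, scenarios):
    """Rows the contingency plan matrix must cover: A and B processes only,
    and High and Medium risk scenarios only (the slide's two filters)."""
    procs = [p for p in processes if priority_class(p.rto_days) in ("A", "B")]
    risks = [s for s in scenarios if risk_level(s) in ("High", "Medium")]
    return [(p.name, s.location, s.threat, priority_class(p.rto_days), risk_level(s))
            for p in procs for s in risks]

# Constructed sample BIA and RA data (not from the presentation)
PROCESSES = [
    Process("Wire transfers", 1),
    Process("Payroll", 10),
    Process("Marketing campaigns", 30),
]
SCENARIOS = [
    RiskScenario("HQ", "Utilities failure", 2, 3, 2),
    RiskScenario("HQ", "Labor stoppage", 2, 2, 5),
    RiskScenario("Data center", "System failure", 3, 3, 1),
    RiskScenario("HQ", "Civil riot", 1, 2, 3),
]
```

With the sample data, the C-class marketing process and the Low-rated civil riot scenario drop out, leaving six process/scenario rows for the matrix.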
Example: Contingency Plan Matrix (slide image not reproduced here)
BCP Phases: BIA and RA Deliverables
- FFIEC Requirement Gap Analysis (Audit Checklist)
- BIA Report
- Process prioritizations
- Risk Assessment Matrix
- Contingency Plan Matrix
BCP Phases: Risk Management – FFIEC Requirements
Risk management is the development of a written, enterprise-wide BCP. The institution should ensure that the BCP is:
- Written and disseminated so that various groups of personnel can implement it in a timely manner;
- Specific regarding what conditions should prompt implementation of the plan;
- Specific regarding what immediate steps should be taken during a disruption;
Source: FFIEC Business Continuity Booklet, March 2003
BCP Phases: Risk Management – FFIEC Requirements (Continued)
- Flexible to respond to unanticipated threat scenarios and changing internal conditions;
- Focused on how to get the business up and running in the event that a specific facility or function is disrupted, rather than on the precise nature of the disruption; and
- Effective in minimizing service disruptions and financial loss.
Source: FFIEC Business Continuity Booklet, March 2003
BCP Phases: Risk Management – Strategies
BCP plan elements and strategies:
- Outsourcing
- Cross-training of personnel/staff
- Alternate locations
- Telecommunications
- Data and computers
BCP Phases: Other Policies, Standards, and Processes – FFIEC Requirements
Other financial institution policies, in addition to the BCP, should incorporate business continuity planning considerations. These include:
- System Development Life Cycle;
- Change control policies;
- Data synchronization procedures;
- Employee training and communication plans;
- Insurance policies;
- Government, media, and community relations policies; and
- Security.
Source: FFIEC Business Continuity Booklet, March 2003
BCP Phases: FFIEC Audit Program Requirements
Inventories:
- Personnel (calling tree)
- Facilities
- Technologies
- Vendors
- Data and records
- Law enforcement contacts
- Utilities
- Telecommunications/networks
- Media
- Shareholders
Example: Inventory of Vendors/Third Parties (slide image not reproduced here)
Example: Inventory of Documents (slide image not reproduced here)
Example: Inventory of Locations (slide image not reproduced here)
BCP Phases: FFIEC Audit Program Requirements (Continued)
- BCP Policy
- Documented procedures for critical business processes:
  - Decision-making authorities
  - Specific actions to be taken
  - Checklists
- Management oversight and support
- Review of vendor BCP plans:
  - Vendor resiliency questionnaire
Example: Action Checklist (slide image not reproduced here)
BCP Phases: Risk Monitoring – FFIEC Requirements
Risk monitoring is the final step in business continuity planning. It should ensure that the institution's BCP is viable through:
- Testing the BCP at least annually;
- Subjecting the BCP to independent audit and review; and
- Updating the BCP based upon changes to personnel and the internal and external environments.
Source: FFIEC Business Continuity Booklet, March 2003
CLIENT Lessons Learned – BIA Phase
- Immediately involve all process owners
- Identify all processes, not just the critical ones
- Don't try to prioritize before RTO is defined
- It is difficult for process owners to imagine that a disaster could affect them
- Quantifying financial impact for PMV
CLIENT Lessons Learned – RA Phase
- Adapt the contingency plan based on the client:
  - Group by duration
  - Group by disaster type
- Assess every scenario identified during the risk assessment
- Use it to document strategies for IT failures
CLIENT Lessons Learned – Overall
- Know your business!
  - No cash
  - No retail locations
  - Specific relocation products
- Be organized
  - Difficult to manage multiple process owners
- Maintain open communication with the BCP officer and Upper Management
CLIENT Lessons Learned – Overall (Continued)
- Be proactive
  - Significant commitment of time from process owners
  - Take time to meet with process owners individually
  - Send reminders
  - Hold periodic status meetings
  - Weekly reports to Marc
Conclusion: It could happen to you… so start today!
"A good plan executed today is better than a perfect plan executed at some indefinite point in the future." (General George S. Patton, Jr.)