
Business Continuity Planning



Presentation on theme: "Business Continuity Planning"— Presentation transcript:

1 Business Continuity Planning


3 Outline
Why BCP?
BCP Phases
CLIENT Lessons Learned

4 Why BCP? Definitions
Business Continuity Plan (BCP): restoration of critical business processes to an acceptable level of service within an acceptable period of time
Disaster Recovery Plan (DRP): restoration of information systems resources
Recovery Planning: BCP and DRP together

5 Why BCP? Definitions (Continued)
Risk: the possibility that an event will occur and adversely affect the achievement of objectives
Vulnerability: the likelihood that a threat succeeds, due to openness or susceptibility to attack
Threat: the frequency of potentially adverse events
Risk = Threat x Vulnerability x Asset Value

6 Why BCP? Risks
Technology: virus, system failure
Natural
Man-made: airports, pipeline, utilities failure, HVAC, gas leak
Human: terrorism, civil riot, labor stoppage

7 Why BCP? Risk Statistics
Q: How many organizations have reported external system penetration?
99% of organizations have firewalls
>75% of organizations have IDS
A: 65% reported external system penetration
Q: How many organizations have reported malware problems?
99% of organizations use anti-virus software
A: 82% reported malware problems
Source: Computer Security Institute/FBI Survey

8 Why BCP? Risk Examples
Major Financial Institution: A bank employee was transporting digital media on a commercial flight and accidentally left it on the plane. The media contained 1.2 million credit card records for federal employees, including 60 US Senators. (WSJ, March 2005)
Global Financial Services Firm: A terminated employee of a major financial company planted a “logic bomb” in the central database. Over 10 billion files were deleted, leading to over $3 million in remediation costs. (August 2004, Secret Service/Carnegie Mellon Report)

9 Why BCP? Risk (Continued)
Remember that these figures cover only the organizations that REPORTED incidents. In reality, every organization has been affected by these problems.
Largest types of losses:
Theft of proprietary information
Fraud (financial reporting)

10 Why BCP? Who Cares?
Regulators (FFIEC)
Auditors (GT)
Customers
Employees
Stakeholders
Service subscribers

11 BCP Phases
Business Impact Analysis (BIA)
Risk Assessment (RA)
Risk Management (create the BCP)
Risk Monitoring (test and update)

12 BCP Phases Business Impact Analysis FFIEC Requirements
A business impact analysis (BIA) is the first step in developing a BCP. It should include:
Identification of the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers;
Consideration of all departments and business functions, not just data processing; and
Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial losses.
Source: FFIEC Business Continuity Booklet, March 2003

13 BCP Phases Business Impact Analysis Steps
Process identification
BIA workshop
Detailed interviews
BIA report

14 BCP Phases Business Impact Analysis – Process Identification
Identify functions (departments). Examples: HR, Accounting, IT, Compliance, Operations, Marketing
Identify owners
Identify all processes of each function
Functions will be excluded during the RA based on prioritization

15 BCP Phases Business Impact Analysis – BIA Workshop
Invite attendees: all function owners, upper management
Topics:
Introduction to BCP
Objective of the BIA
Detailed interview process

16 BCP Phases Business Impact Analysis – Detailed Interviews
Understand the process
Identify operational impacts
Quantify financial impact
Define Recovery Time Objective (RTO)
Define Recovery Point Objective (RPO)
Identify process requirements (people, systems, documents, communication, vendors)

17 Example: Detailed Interview Documentation

18 Example: Detailed Interview Documentation

19 BCP Phases Business Impact Analysis – BIA Report
Objectives:
Document detailed interviews and inventories of requirements
Process owner review of documentation
Summarize impacts identified during interviews
Prioritize processes based on RTO:
A = RTO < 5
B = 5 ≤ RTO ≤ 15
C = RTO > 15

20 BCP Phases Risk Assessment FFIEC Requirements
The risk assessment is the second step in developing a BCP. It should include:
A prioritizing of potential business disruptions based upon severity and likelihood of occurrence;
A gap analysis comparing the institution's existing BCP, if any, to what is necessary to achieve recovery time and point objectives; and
An analysis of threats based upon the impact to the institution, its customers, and the financial markets, not just the nature of the threat.
Source: FFIEC Business Continuity Booklet, March 2003

21 BCP Phases Risk Assessment Steps
Risk identification
RA workshop
Risk assessment matrix
Gap analysis (N/A for CLIENT)
Contingency plan matrix

22 BCP Phases Risk Assessment – Risk Identification
Resources:
FEMA: historical disasters per state, types of disasters
FDIC: pandemic flu
News/research studies
Tsunami in Utah?

23 BCP Phases Risk Assessment – RA Workshop
Invite attendees: only function owners for A and B processes, upper management
Topics:
Debrief on the BIA and process prioritization
Introduction to risk
Discussion of types of risk
Contingency plan matrix process

24 BCP Phases Risk Assessment – Risk Assessment Matrix
Purpose: prioritize potential business disruptions based upon severity and likelihood of occurrence
Document for each significant location
Identify likelihood for identified risks
Identify level of impact for identified risks
Identify restoration time required for identified risks
Calculate risk level (High, Medium, Low)
Involve the BCP Officer and obtain feedback

25 Example: Risk Assessment Matrix Key

26 Example: Risk Assessment Matrix

27 BCP Phases Risk Assessment – Contingency Plan Matrix
Purpose: analyze threats based upon impact to the institution
Document impact, long-term (LT) action, short-term (ST) action, and potential problems
For A and B processes only
For HIGH and MEDIUM risk scenarios only

28 Example: Contingency Plan Matrix
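The following is an added worked example, written for this transcript and not part of the original deck or of any client engagement, that carries the BIA prioritization of slide 19, the risk-assessment-matrix calculation of slide 24 and the contingency-plan-matrix selection of slide 27 through in Python. Since the matrix key on slide 25 is not reproduced here, the 1 to 3 likelihood and impact scales and the Low/Medium/High cut-offs are assumptions; RTO is assumed to be in days; the processes and scenarios are constructed sample data. Beyond the slides, it also flags each process/scenario pair whose restoration time exceeds the process RTO, which is where an alternate strategy (alternate location, outsourcing, cross-training) has to be documented.

```python
"""Added worked example (not from the slides): BIA tiering by RTO,
risk-assessment-matrix scoring, and contingency-plan-matrix selection.

Assumptions (the deck's matrix key is not reproduced on the page):
- RTO and restoration time are measured in days (slide 19 thresholds 5/15).
- Likelihood and impact are scored 1 (low) to 3 (high); risk score is
  likelihood * impact, mapped to Low (<=2), Medium (3-4), High (>=6).
  These scales and cut-offs are illustrative choices, not the deck's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    owner: str
    rto_days: float          # Recovery Time Objective from the detailed interview
    rpo_hours: float         # Recovery Point Objective (carried into the BIA report)


@dataclass(frozen=True)
class Scenario:
    location: str
    risk: str
    likelihood: int          # 1..3 (assumed scale)
    impact: int              # 1..3 (assumed scale)
    restoration_days: float  # time needed to restore the location/service


def rto_tier(rto_days: float) -> str:
    """BIA prioritization (slide 19): A = RTO < 5, B = 5..15, C = RTO > 15."""
    if rto_days < 5:
        return "A"
    if rto_days <= 15:
        return "B"
    return "C"


def risk_level(likelihood: int, impact: int) -> str:
    """Risk-assessment-matrix calculation (slide 24); scale and cut-offs assumed."""
    for v in (likelihood, impact):
        if not 1 <= v <= 3:
            raise ValueError("likelihood and impact must be scored 1..3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def contingency_plan_entries(processes, scenarios):
    """Slide 27 selection: only A/B processes, only High/Medium scenarios.
    rto_gap_days > 0 means the scenario's restoration time exceeds the
    process RTO, so the entry needs an alternate strategy, not just a wait."""
    entries = []
    for p in processes:
        tier = rto_tier(p.rto_days)
        if tier == "C":
            continue
        for s in scenarios:
            level = risk_level(s.likelihood, s.impact)
            if level == "Low":
                continue
            entries.append({
                "process": p.name,
                "tier": tier,
                "location": s.location,
                "risk": s.risk,
                "risk_level": level,
                "rto_gap_days": max(0.0, s.restoration_days - p.rto_days),
            })
    return entries


# Constructed sample data (not from any real engagement).
PROCESSES = [
    Process("Wire transfers", "Operations", rto_days=1, rpo_hours=1),
    Process("Payroll", "HR", rto_days=10, rpo_hours=24),
    Process("Marketing campaigns", "Marketing", rto_days=30, rpo_hours=168),
]

SCENARIOS = [
    Scenario("HQ", "Utilities failure", likelihood=3, impact=2, restoration_days=2),
    Scenario("HQ", "Pandemic flu", likelihood=1, impact=3, restoration_days=20),
    Scenario("HQ", "Tsunami", likelihood=1, impact=1, restoration_days=60),
]


if __name__ == "__main__":
    for entry in contingency_plan_entries(PROCESSES, SCENARIOS):
        print(entry)
```

With the sample data, "Marketing campaigns" (tier C) and the "Tsunami" scenario (Low) drop out, leaving four entries; the "Pandemic flu" rows are the ones with a positive RTO gap, which is exactly the case the deck's long-term/short-term action columns exist to cover.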

29 BCP Phases BIA and RA Deliverables
FFIEC requirement gap analysis (audit checklist)
BIA report
Process prioritizations
Risk assessment matrix
Contingency plan matrix

30 BCP Phases Risk Management FFIEC Requirements
Risk management is the development of a written, enterprise-wide BCP. The institution should ensure that the BCP is:
Written and disseminated so that various groups of personnel can implement it in a timely manner;
Specific regarding what conditions should prompt implementation of the plan;
Specific regarding what immediate steps should be taken during a disruption;
Source: FFIEC Business Continuity Booklet, March 2003

31 BCP Phases Risk Management FFIEC Requirements (Continued)
Flexible to respond to unanticipated threat scenarios and changing internal conditions;
Focused on how to get the business up and running in the event that a specific facility or function is disrupted, rather than on the precise nature of the disruption; and
Effective in minimizing service disruptions and financial loss.
Source: FFIEC Business Continuity Booklet, March 2003

32 BCP Phases Risk Management Strategies
BCP plan elements and strategies:
Outsourcing
Cross-training of personnel/staff
Alternate locations
Telecommunications
Data and computers

33 BCP Phases Other Policies, Standards, and Processes FFIEC Requirements
Other financial institution policies, in addition to the BCP, should incorporate business continuity planning considerations. These include:
System development life cycle;
Change control policies;
Data synchronization procedures;
Employee training and communication plans;
Insurance policies;
Government, media, and community relations policies; and
Security.
Source: FFIEC Business Continuity Booklet, March 2003

34 BCP Phases FFIEC Audit Program Requirements
Inventories:
Personnel (calling tree)
Facilities
Technologies
Vendors
Data and records
Law enforcement contacts
Utilities
Telecommunications/networks
Media
Shareholders

35 Example: Inventory of Vendors/ Third Parties

36 Example: Inventory of Documents

37 Example: Inventory of Locations

38 BCP Phases FFIEC Audit Program Requirements (Continued)
BCP policy
Documented procedures for critical business processes
Decision-making authorities
Specific actions to be taken
Checklists
Management oversight and support
Review of vendor BCP plans
Vendor resiliency questionnaire

39 Example: Action Checklist

40 BCP Phases Risk Monitoring FFIEC Requirements
Risk monitoring is the final step in business continuity planning. It should ensure that the institution's BCP is viable through:
Testing the BCP at least annually;
Subjecting the BCP to independent audit and review; and
Updating the BCP based upon changes to personnel and the internal and external environments.
Source: FFIEC Business Continuity Booklet, March 2003

41 CLIENT Lessons Learned BIA Phase
Immediately involve all process owners
Identify all processes, not just the critical ones
Don't try to prioritize before RTO is defined
It is difficult for process owners to imagine that a disaster could affect them
Quantifying financial impact for PMV

42 CLIENT Lessons Learned RA Phase
Adapt the contingency plan to the client: group by duration, group by disaster type
Assess every scenario identified during the risk assessment
Use it to document strategies for IT failures

43 CLIENT Lessons Learned Overall
Know your business! For this client: no cash, no retail locations, specific relocation products
Be organized: it is difficult to manage multiple process owners
Maintain open communication with the BCP officer and upper management

44 CLIENT Lessons Learned Overall
Be proactive: the work requires a significant commitment of time from process owners
Take time to meet with process owners individually
Send reminders
Hold periodic status meetings
Weekly reports to Marc

45 Conclusion
It could happen to you… so start today!
"A good plan executed today is better than a perfect plan executed at some indefinite point in the future." General George S. Patton, Jr.

