2016.04.06.business continuity planning
TRANSCRIPT
Business Continuity Planning –
Preparing Your Organization
Nicholas De Laurentis, CRM, IGP
Objectives
• Understand the importance of Business Continuity
Planning
• Know basic terms used and roles involved in
Business Continuity Planning
• Understand the steps and relationship of initial
Business Continuity Planning and continuous
review and maintenance
Information Governance Programs
• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition
Operational / Regulatory
Protection
• An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.
Availability
• An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.
DR is to BC as RIM is to IG (Disaster Recovery is to Business Continuity as Records and Information Management is to Information Governance)
Business Continuity
• Business Continuity is the entire process of planning how to recover from a disaster or significant interruption to normal business operations.
• We regard this process as developing plans and procedures in advance of an event that would allow our critical business functions to continue to operate at acceptable levels.
Disaster Recovery
• The process, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to an organization after a natural or human-induced disaster.
• Focus is on recovering IT capabilities, processes, and services.
Importance of Business Continuity Planning
• 70% of businesses involved in a major fire fail within 3 years (Chubb)
• One out of two businesses never return to the marketplace following a major disaster (AXA)
• Within 2 years after Hurricane Andrew in Florida (1992), 80% of affected companies that lacked a BCP went out of business (FEMA)
Internal and External Threats
Natural Disasters
• Earthquake
• Hurricane
• Flood
Accidents
• Fire
• Utility Outage
Malicious
• Sabotage
• Terrorism
• Cyber Attack
Market
• Suppliers
• Competitors
• Consumer Trends
Political
• Legislation
Why is BCP Important?
Board of Director Expectations
• We have expectations placed on us by the Board of Directors.
Customer Expectations
• In order for us to meet our mission statement of helping our customers manage the risks of everyday life, recover from the unexpected and realize their dreams, we need to have Business Continuity Plans (BCP) in place so that we can be available in their time of need.
Regulatory Requirements
• As an Insurance Company and Financial Institution, we have regulatory requirements with the Office of the Comptroller of the Currency (OCC), Department of Insurance (DOI) as well as other regulatory bodies.
FFIEC BCP Objectives
• The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components;
• Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery;
• Business continuity planning includes the integration of the institution's role in financial markets;
• Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and
• Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing.
FFIEC BCP Process (cyclical: BIA → Risk Assessment → Risk Management → Risk Monitoring and Testing)
Business Impact Assessment (BIA)
• Prioritization and dependencies of business processes
• Potential impact of disruptions
• Legal/regulatory requirements
• Estimated downtime and acceptable loss
• RTOs, RPOs, critical path
Risk Assessment
• Builds on the BIA
• Threat scenarios
• Analyze threat impact
• Prioritizing disruptions
• Gap analysis vs. policies and procedures
Risk Management
• Builds on the BIA and risk assessment
• Specific steps
• Flexible to respond
• Various threats
• Minimize disruptions
Risk Monitoring and Testing
• Testing of the BIA, risk assessment, and risk management
• Enterprise-wide testing program
• Assign roles and responsibilities
• Annual test/exercise
• Evaluate by leadership and an independent party
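The BIA, risk assessment and gap analysis boxes above are usually kept in spreadsheets, but the arithmetic behind them is mechanical enough to script. The following Python is an added illustration, not code from the slide deck or the FFIEC handbook: it takes business processes with their BIA objectives (RTO, RPO) and dependencies, tightens each supporting system's objectives to the tightest of the processes that depend on it (a dependency cannot be slower than the critical function it supports, which is the critical-path idea the slide lists), derives a recovery order, and runs a gap analysis against the recovery capabilities actually in place. Every process name, dependency, objective and capability is constructed for the example; the hypothetical insurer data goes beyond the slide only in making the dependency propagation explicit.

```python
"""Added BIA helper (constructed example, not from the deck or the FFIEC
handbook): propagate RTO/RPO through dependencies, order recovery along
the critical path, and list gaps between objectives and capabilities."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Process:
    """A business process or supporting system with its BIA objectives."""
    name: str
    rto_hours: float                          # Recovery Time Objective from the BIA
    rpo_hours: float                          # Recovery Point Objective from the BIA
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Capability:
    """What the documented recovery arrangement can actually deliver."""
    failover_hours: float                     # time needed to bring the process back
    backup_interval_hours: float              # worst-case window of lost data


def effective_objectives(processes: list[Process]) -> dict[str, tuple[float, float]]:
    """Tighten each process's (RTO, RPO) to the tightest objective of anything
    that transitively depends on it. Values only ever decrease, so the loop
    reaches a fixed point and terminates even if the graph contains a cycle."""
    eff = {p.name: (p.rto_hours, p.rpo_hours) for p in processes}
    changed = True
    while changed:
        changed = False
        for p in processes:
            rto, rpo = eff[p.name]
            for dep in p.depends_on:
                if dep not in eff:
                    raise KeyError(f"{p.name} depends on undefined process {dep}")
                tightened = (min(eff[dep][0], rto), min(eff[dep][1], rpo))
                if tightened != eff[dep]:
                    eff[dep] = tightened
                    changed = True
    return eff


def recovery_order(processes: list[Process]) -> list[str]:
    """Critical-path order: every dependency is restored before its dependents,
    and among the processes that are ready the tightest effective RTO goes first."""
    eff = effective_objectives(processes)
    by_name = {p.name: p for p in processes}
    done: set[str] = set()
    order: list[str] = []
    remaining = set(by_name)
    while remaining:
        ready = [n for n in remaining if all(d in done for d in by_name[n].depends_on)]
        if not ready:                          # nothing is restorable: a dependency cycle
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda n: (eff[n][0], n))
        order.append(nxt)
        done.add(nxt)
        remaining.remove(nxt)
    return order


def gap_analysis(processes: list[Process],
                 capabilities: dict[str, Capability]) -> list[tuple[str, str]]:
    """Compare effective objectives with documented capabilities; each
    shortfall is an input to the risk management step."""
    eff = effective_objectives(processes)
    gaps: list[tuple[str, str]] = []
    for p in processes:
        rto, rpo = eff[p.name]
        cap = capabilities.get(p.name)
        if cap is None:
            gaps.append((p.name, "no documented recovery capability"))
            continue
        if cap.failover_hours > rto:
            gaps.append((p.name, f"failover {cap.failover_hours}h exceeds effective RTO {rto}h"))
        if cap.backup_interval_hours > rpo:
            gaps.append((p.name, f"backup interval {cap.backup_interval_hours}h exceeds effective RPO {rpo}h"))
    return gaps


# Constructed sample data for a hypothetical insurer; the numbers are illustrative.
SAMPLE_PROCESSES = [
    Process("claims_intake", rto_hours=4, rpo_hours=1, depends_on=["policy_db", "identity"]),
    Process("policy_db", rto_hours=24, rpo_hours=4, depends_on=["storage"]),
    Process("identity", rto_hours=8, rpo_hours=24),
    Process("storage", rto_hours=48, rpo_hours=12),
    Process("payroll", rto_hours=72, rpo_hours=24, depends_on=["identity"]),
]
SAMPLE_CAPABILITIES = {
    "claims_intake": Capability(failover_hours=2, backup_interval_hours=0.5),
    "policy_db": Capability(failover_hours=3, backup_interval_hours=1),
    "identity": Capability(failover_hours=6, backup_interval_hours=24),
    "storage": Capability(failover_hours=1, backup_interval_hours=1),
    # payroll deliberately has no documented capability
}


if __name__ == "__main__":
    for name, (rto, rpo) in effective_objectives(SAMPLE_PROCESSES).items():
        print(f"{name:14s} effective RTO {rto}h, RPO {rpo}h")
    print("recovery order:", " -> ".join(recovery_order(SAMPLE_PROCESSES)))
    for name, issue in gap_analysis(SAMPLE_PROCESSES, SAMPLE_CAPABILITIES):
        print(f"GAP {name}: {issue}")
```

Run stand-alone it shows the point the slide makes about dependencies: the identity service was given a comfortable 8-hour RTO and 24-hour RPO of its own, but because claims intake (4h / 1h) depends on it, its effective objectives shrink to 4h / 1h and its daily backups become a gap. Processes with no documented capability at all (payroll here) are reported too, since an empty row in the capability register is the commonest finding of a first gap analysis.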
BCP Components
• Personnel;
• Communication;
• Technology issues;
– Hardware - mainframe, mid-range, servers, network, end-user;
– Software - applications, operating systems, utilities;
– Communications (network and telecommunications);
– Data files and vital records;
– Operations processing equipment; and
– Office equipment.
BCP Components (cont.)
• Facilities;
• Electronic payment systems;
• Liquidity concerns;
• Financial disbursement;
• Manual operations; and
• Other considerations.
Key Roles in BCP
Enterprise Business Continuity
• Communicates strategic decisions to Department BRCs
• Provides process and tool training for BUTLs and BRCs
• Provides exercise assistance
Business Recovery Coordinator (BRC)
• BRCs are located in the Field and in each Corporate Dept to coordinate/communicate activities associated with BCP
• Corporate BRCs are responsible for a specific Dept, while BRCs in the Field are responsible for a particular location
Business Unit Team Leader (BUTL)
• BUTLs are responsible for maintenance/update of the Business Unit BCP, periodic plan exercises, and execution of the plan at time of disaster
• BUTLs are also known as plan owners
Annual BCP Cycle
0. Plan Development
1. Review
2. Exercise
3. Update
4. Verification
0. Plan Development
The goal of business continuity planning is to reduce the impact of any
disruptive event to a manageable level. Plans are developed to:
• Organize recovery of business units and/or processes.
• Establish team leadership responsibilities and design team structures.
• Document key information for the plan, including call trees, recovery
procedures, work area requirements and prioritization, vital records, key
contacts, etc.
Each BRC is responsible for ensuring that all BCPs are in place and current.
Continued plan development is critical for plans to be effective. The required
annual review of the BCP must be completed within a window and consists of:
1. Plan Review
2. Plan Exercise
3. Plan Update
4. Plan Verification
1. Plan Review
1. Review the roles and responsibilities of a BRC or BUTL
and the Business Continuity Annual Plan Review process.
2. Read through a printed copy of your plan, or navigate
through each section in the BCP tool used. Make note of any
information currently contained in the plan that needs to
be verified, updated, or removed, as well as any
information that must be added.
3. If your plan encompasses multiple functional areas,
consider contacting subject matter experts in each of
those areas to ensure the plan adequately addresses their
recovery needs. If necessary, gather additional material
for those areas and incorporate the information into your
plan.
2. Plan Exercise
Some of the objectives of the Plan Exercise are:
• Evaluate the recovery procedures to ensure accuracy.
• Verify the ability of recovery teams to activate their plans and recover their
critical functions.
• Identify cross-functional interdependencies with other business units.
• Identify plan deficiencies and document information changes that require
plan modification.
• Evaluate whether recovery plans have been properly maintained and
updated to reflect actual recovery needs.
Annual exercises are performed to include all associates who have recovery
responsibilities under the BCP. Each BRC should establish an exercise cycle
that increases in scope and complexity over time.
Exercise progression, increasing in scope and complexity:
Table Top → Walk Through → Mock Exercise → IT DR Exercise → Actual Event
3. Plan Updates
• Based on changes identified during the annual plan review
and/or exercise process, the BUTL updates the BCP and
any related documentation in the plan.
• Updates to vital records, contact information, documented
procedures, equipment needs, skillset requirements,
vendor information, hardware and software requirements,
4. Plan Verification
• Plan Verification is the final phase of the business
continuity planning process. This ensures business
continuity plans are accurate and compliant with company
standards.
• Each business unit is required to submit review verification
documentation within 3 months from the date each business unit
plan expires. Each plan must be reviewed for accurate content,
some level of exercise must be performed, and updates must be
made to the plan based upon the plan review and exercise
discoveries.
Additional Resources
• Federal Financial Institutions Examination Council
(FFIEC) IT Examination Handbook -
http://ithandbook.ffiec.gov/
• Federal Emergency Management Agency (FEMA) - http://www.fema.gov/media-library/assets/documents/89510
FEMA BCP Process
BCP Overview
Questions?