building a standard business continuity planning · 2016-06-14 · business impact analysis (bia)...

April 16‐18, 2012 • Talking Stick Resort • Scottsdale, Arizona

1

Building a Standard for Business Continuity Planning

John Lugo

Sr. Business Continuity Analyst

April 17, 2012


Business Continuity @ Citrix


Statistics

• Over 36% of organizations reported incidents of workplace violence

Source ‐ Society for Human Resource Management (SHRM)


Agenda• Business Continuity Goals

• Global Core Business Continuity Team Structure

• Regional Business Continuity Plans

• Disaster Recovery / Business Continuity Testing

• Crisis Communications

• Employee Safety and Awareness Programs


Business Continuity Goals• Maintain business critical functions and

services before, during and after a wide range of disaster events

• Limit the impact to operations and the magnitude of any financial loss

• Ensure rapid recovery and timely resumption of company operations to protect employees, customers, shareholders and company reputation

• The formal BC plans combine preventive and recovery measures; the plans are updated, tested and communicated regularly to ensure effectiveness in mitigating business disruption


Global Business Continuity Team Structure

• The Teams mission is to provide overall direction / preparation and recovery efforts

• Team members are a mixture of diverse departments including IT, HR, Legal, Facilities, Physical Security and Finance

• On‐Site Recovery Teams are the ‘boots on the ground’ team responsible for individual offices in EMEA and Pacific

• Business Unit contacts are part of the Non‐Core BC Team


Emergency Management Team (EMT)

• Provide overall recovery / preparation direction• Provide strategically response and incident management

• Ensure Business Continuity Team communication• Monitor event activity• Escalate alert levels to all team members• Facilitate communication with the Executive Management Committee

• Ensure the appropriate and adequate disaster response


Communications Team

• Provides communication to all parties including employees, vendors, public service agencies, customers

• Communication methods including emergency notification systems, email, vmail, external / internal web pages, press releases, media

• Team conveys a message on behalf of company


Campus Response Team

• Operational response and business direction• Prepare property and equipment for the impending disaster event

• Provide HR related assistance for building items (people staying on site, building closures, parking garages, etc.

• Damage assessment from a disaster and its impact on continuing operations; assistance with insurance claims

• Secure buildings and grounds; liaise with landlord • Historian Function – Documenting all critical decisions once an event has occurred and keeping track of expenses


Business Readiness Team

• Make necessary arrangements to implement disaster business operations in accordance with business plan for each unit

• Provide a tactical response and business direction• Act as a liaison with the Business Unit Teams• Provide travel assistance for recovery team members

• Ensure critical business functions are operational at alternate processing centers


On Site Recovery Team

Drivers of decisions regarding:• Recovery of office

• Well being of employees

• Alternate relocation plans

• Communications out to employees in affected location(s)


Our Business Continuity plans are based on two incident types

1) Unexpected Disaster• Fire, flood, earthquake, tornados, terrorist act, explosion, workplace violence, flu outbreak…

2) Expected Scenario • Scheduled protests, scheduled power outages / rolling blackouts

• Hurricane / severe weather due to our South Florida exposure; lead time allows for storm preparedness

Business Continuity Planning Scenarios


Business Impact Analysis (BIA)

• The BIA is the initial step for Business Continuity planning from which the whole BCP program is built

• Provides the data from which appropriate continuity strategies can be determined

• Ranks core business activities– Grades activities from a financial and non‐financial impact – Determines interdependencies– Defines Recovery Time Objectives (RTO)– Defines process, people, equipment and IT systems needed to

meet continuity objectives


Disaster Recovery Strategies

• What technology based solutions do you incorporate in your BC Program?

Cloud computing, data replication, clustering, failover circuits, redundant equipment, restore from tape, software as a service (SAS)

• Bring Your Own Computer (BYOC) Program

• Desktop virtualization

• ‘Work Anywhere’ Initiative


Business Continuity Plans

• Structure your plans around the responses from your BIA

• Plans contain critical processes and procedures to recover business functions in the event of an emergency interruption

• Individual plans are regional, country and business unit specific and are updated annually


Emergency Response Plans

• Build your ERPs with the help of executive management – host a table top exercise

• ERPs are based on worse case scenario; anything less severe becomes a subset of the plan

• Develop plans for specific incidents – hurricane, earthquake, active shooter scenario


IT Disaster Recovery Test

• Based on your requirements, do you have a Hot Site, Cold Site, Warm Site?

• Review the responses from your BIA to ensure that your critical applications and services reside in your DR environment

• Create a detailed site bring up script that is simple to follow

• Do you have plans in place to fail back to Production?

• Exercise your IT DR Plan at least once a year


Workplace Recovery Test

• In the event your office is inaccessible for a period of time, where are your employees going to relocate?

• Leverage offices in other cities / countries• Work from home vs contracted office space• Exercise your workplace recovery plan once a year

• Document your results and forward to senior management


Emergency Response Tests

• Develop realistic scenarios that your organization is likely to experience

• Establish a strong relationship with external agencies including local fire departments and emergency responders

• Work with senior management and HR to develop an emergency response plan around workplace violence

• Coordinate emergency evacuation drills with Facilities

• Exercise emergency response tests annually


Measurable Results


Crisis Communication Plan

• Establish a crisis communication program with the Core Business Continuity Team

• Plan should identify all stake holders that are inclusive of emergency communications –employees, clients, vendors, media, EMC…

• Draft sample communications around realistic scenarios that could affect your location

• Have HR and Public Relations review communications before distribution


Communicate!

• Emergency notification systems

• Communicate quickly

• Push/pull communications

• Pre‐script communications

• Wallet cards and badges

• Satellite phones


Crisis Communication Tools

• Use internal resources – Telecom Team, PBX, PA system, intranet Sharepoint site, company website

• Toll free emergency notification numbers for employees

• Blast emergency alerts through vmail• Emergency Notification Software – Sungard, Everbridge; sends messages via mobile, email, text, etc

• Satellite phones – service is available even if infrastructure is down


Train the People in Charge

• Develop table top exercises with Core Business Continuity Teams

• Research emergency response training through local agencies – Red Cross, Fire Departments, SWAT Teams, C.E.R.T.

• Review the roles and responsibilities with the Core BC Team annually

• Ensure that the global teams buy into the Standards of Business Continuity

• Deliver a robust employee safety program, even if there isn’t a requirement by law in a particular country!!


Practice

• Emergency evacuation drills

• Bomb threat procedures

• Workplace violence process

• Emergency training

• Awareness newsletters

• Emergency information cards


New Employee Orientations

• Work with HR to include overview of Business Continuity Program

• Review emergency evacuation procedures

• Ensure that employees know where to find BC and DR documentation

• If possible, make training a mandate for compliance


Communications out to Employees

• Develop communications around specific incidents – hurricane season, earthquake scenario, emergency evacuations

• Work with Business Unit leads to ensure that teams understand recovery processes

• Work with HR to develop a newsletter• Post Incident Response Action Items in break room or common areas – evacuation routes, assembly points, security hotlines


Plans Put into Practice

Scenario 2

Scenario 1


Hurricane Wilma at HQ• When: October 24th 2005

• Damage: 3 out of our 4 buildings closed for over a week

• 6 million people without power

• Local infrastructure damaged• Pre‐storm activities completed

– Campus prepared

– Key business teams and IT flown out of area

– Communication schedule established with employees

• Post storm– Reserved hotel rooms out of the area

– Employee assistance program

– Employees helping employees intranet site

– Post mortem review

– Long term – office opened for customer facing teamsout of the path of hurricanes

HQLocationHQ

Location


Pandemic PlanningAvian, H1N1, H3N2 and Influenza B Viruses

• Citrix Planning – Creation of Pandemic Influenza Continuity Plan – Phased alerts from the World Health

Organization and the Center for Disease Control– Updated internal policies; infected employees

requested to stay home until symptoms subsided

• Employee awareness– Communications sent to employees around best

practices – Travel recommendations posted on Intranet site

• Manager communication and training– Distributed messages to managers around

working with employees; options include working from alternate locations


Earthquake in Japan• Damage:

– 10 employees overnight in office (elevator was on limited power)

– Office closed for 3 days ‐Most employees worked from home leveraging our own products

• Daily meetings held with on‐site recovery teams (IT, Facilities and HR)

• Alternate relocation plan for employees (150 hotel rooms in Hiroshima)

• Resources sent to Tokyo from CA office

• Lessons learned: – Creation of on‐site recovery teams for

other regions– Upgrade emergency notification system

in Tokyo


Wrap ‐ Up

• Make sure your plans are flexible

• Revisit your strategy around DC infrastructure – physical vs virtual

• Partner with key Business Units (IT, Facilities, HR) in other offices to help you build and test plans

• Include end users within your testing platform

• People come first!!


Building a Standard for Business Continuity Planning

John Lugo ‐ Sr. Business Continuity Analyst

building a standard business continuity planning · 2016-06-14 · business impact analysis (bia)...

Documents