Business Continuity Workshop
Business Continuity Planning Workshop for the Dayton Chapter of the Construction Financial Management Association
Business Continuity Planning
Presented by
Bill Lisse, CISSP, CISA, CGEIT, GPCI, GHSC, Security+ SME
Manager, Technology & Risk Management
Jack Lohbeck, CPA
Director, Business Consulting
Increasing Competition & Risks
• Businesses are constantly at risk for interruptions to their operations, any of which can have devastating consequences
• Gartner reports that two out of five organizations that experience a disaster go out of business within five years
• A speedy recovery from interruption is imperative to staying solvent as a business
Business Continuity
• “The process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.”
Disaster Recovery Institute International’s Glossary of Industry Terms
Planning for Disruptions
• If you do not develop and implement a business continuity (BC) plan and disaster recovery (DR) procedures that can bring the business back up in as short a time as possible, the potential for lost revenue can add up to millions of dollars within several days
Common Roadblocks
• Over confidence - “It can’t happen to me”
• Over extension - don’t feel you have the time, personnel or other resources to devote to comprehensive contingency planning
• Over reaching - reaching too far and wide; makes the process overwhelming and seem impossible
• Over planning - several contingency plans for specific situations or departments which become uncoordinated
Business Continuity Management (BCM)
• BCM is a process that applies to any business, small or large, that helps to manage the risks that threaten its survival
• The objective is to identify the hazards that may affect critical functions or activities and to ensure that these can be reduced or responded to in an effective way
Reasons for BCP
• Loss or Injury to Personnel
• Compliance
• Loss of Revenue
• Damage to Critical Resources
• Loss of Customers
• Reputation Damage
• Civil and Criminal Liabilities
BCP Resource Scope
• People
• Materials
• Critical Records
• Office Work Areas
• Critical Machinery & Equipment
• Communications Infrastructure
BCM Cycle (Stages 1 to 5): Risk Management → Business Impact Analysis → Business Continuity Strategy → Business Continuity Plan → Business Continuity Plan Testing → BCP Maintenance
Business Continuity Management
• Risk Management
• Business impact analysis (BIA)
• Classification of operations and criticality analysis
• Document the BC plan and DR procedures
• Training & Awareness
• Testing
• Ongoing Monitoring & Plan Maintenance
Risk Management
• Risks are assessed from Threats, Probability and Impacts
• What can go wrong? (Threats) - Human (intentional or accidental); Natural events
• How likely is an adverse outcome? (Probability)
• What are the consequences of the event? (Impacts)
• Foundation: History - Analytical Tools - Technology Maturity - Knowledge/Experience
Threats - Examples
• Labor Disruptions: Pandemics; Strikes and disputes; Accidents; Workplace Violence
• Natural Disasters: Tornado; Hurricane; Earthquake; Floods
• Lack of Materials: Shortages; Delays; Supplier breach
• Facilities: Fire; Black/Brown Outs
• Equipment: IT Failures; Communications failures; Equipment Failures
Risk components (diagram): Threat, Vulnerability, Opportunity / Exposure
Risk Management
Question | High Impact | Medium Impact | Low Impact
What is the impact of the function on revenue generation? | Direct correlation to revenue | Peripheral correlation to revenue | No correlation to revenue
What is the impact on other projects? | Entire company | One or more departments | Select users throughout the company
What is the cost to overcome disruptions? | Material to the company | Material to a departmental or project budget | Peripheral departmental or project budget
How will it impact customers or prospects? | Direct impact on revenue generation or end-customer support | Peripheral impact on revenue generation or end-customer support | No impact
Which business processes will be affected? | Any external facing processes | Critical internal processes | Non-critical internal processes
Potential Business Consequences
• Inability to maintain critical customer services
• Damage to your market share, image, reputation or brand
• Failure to protect the company assets (including intellectual property and personnel)
• Fraud
• Failure to meet legal or regulatory requirements
• Financial loss
Risk Management
• Risk Responses: Mitigate, Accept, Avoid, Transfer
Business Impact Assessment
• The BIA is the most critical process in the development of a DR strategy
• Provides the business requirements used to develop the plan (focus resources)
• Typical areas:
  • Identify critical business processes
  • Determine the disruptions & probability
  • Impact of disruptions on business
  • Determine loss exposures
Business Impact Analysis
• A Business Impact Analysis helps organizations:
  • Identify and prioritize risks
  • Identify requirements
  • Identify the extent of financial impact
  • Identify the extent of operational impact
• The process of analyzing all core business functions and establishing an optimized timetable for recovery.
• Provides a baseline for:
  • Justification for costs associated with recovery
  • Developing recovery strategies
  • Developing Support Level Agreements
• Maps data flow
• Identifies maximum tolerance for downtime
• Identifies interdependencies
• Determines the recovery priorities of the organization
Business Impact Analysis
End-User Questionnaire Highlights:
Department Overview
Workflow Interdependencies
Computer Resources
Application Impact Analysis
Business Impact Analysis - Department Overview
1. Identify department, location, and at least two representatives from each department.
2. Develop a comprehensive list of applications used in the department.
3. Describe the business function(s) of the department.
4. Gather information about the department’s daily business hours, revenues generated, transaction volume, and any peak or high demand periods.
Business Impact Analysis - Workflow Interdependencies
1. Identify the departments and organizations that send work to the department.
2. Determine what routes or channels of communication are used to send that incoming work and estimate the percentage that comes via each route or channel.
3. Gather the same information as in #1 and #2 for work sent by the department.
Business Impact Analysis - Computer Resources
1. Gather information on the computing equipment in the department and how it is used.
2. Begin exploring the reliance that the department has on the computing equipment, e.g., what data entry backlog would there be if it was unavailable for one day?
Business Impact Analysis - Application Impact Analysis
1. Basic description of each application, including what it does, what business functions it supports, whether it handles PHI, and who the department contacts are for the application.
2. Estimate the level of departmental business interruption associated with the application being unavailable through various time thresholds.
3. Estimate the associated data entry backlog that would result and how many staff hours it would take to eliminate the backlog.
Business Impact Analysis - Application Impact Analysis (continued)
4. Evaluate the downtime procedures associated with the application, asking questions like: have the procedures been used before? How did they work? How long can the department function using them?
5. Evaluate any regulatory, legal, financial, customer service, and public image problems that could arise as a direct or indirect result of the application being unavailable through various time thresholds.
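The risk-management impact matrix and the application impact analysis steps 1 to 5 produce questionnaire answers that can be scored mechanically to give the recovery priorities the BIA is meant to establish. The following Python helper is an added example, not material from the workshop or its presenters: it assumes four outage thresholds (4, 24, 72 and 168 hours), a four-level interruption scale, point weights for the High/Medium/Low matrix answers and tier cut-offs, all constructed for illustration, and it uses constructed questionnaire answers for three sample applications. Maximum tolerable downtime (MTD) is read off as the first threshold at which the department reports a severe interruption.

```python
"""Added example, not code from the workshop slides: a small BIA scoring helper.
It models the risk-management impact matrix (five questions answered
High/Medium/Low) and the application impact analysis questionnaire
(interruption level at several outage thresholds, data-entry backlog,
PHI and regulatory exposure), derives a maximum tolerable downtime (MTD)
per application and ranks applications into recovery tiers.  Records,
point weights, thresholds and tier cut-offs are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

THRESHOLDS_H: Tuple[int, ...] = (4, 24, 72, 168)   # outage durations asked about (hours)
LEVELS = {"none": 0, "minor": 1, "moderate": 2, "severe": 3}   # reportable interruption levels
MATRIX_POINTS = {"high": 3, "medium": 2, "low": 1}            # assumed weights per matrix answer


@dataclass
class ApplicationImpact:
    name: str
    handles_phi: bool
    interruption: Tuple[str, ...]        # one level per entry of THRESHOLDS_H
    backlog_hours_per_day: float         # staff-hours to clear one day of backlog
    regulatory_exposure: bool
    matrix_answers: Dict[str, str] = field(default_factory=dict)

    def mtd_hours(self) -> Optional[int]:
        """Maximum tolerable downtime: the first threshold at which impact is 'severe'."""
        for hours, level in zip(THRESHOLDS_H, self.interruption):
            if LEVELS[level] >= LEVELS["severe"]:
                return hours
        return None  # never severe within the longest threshold asked about

    def backlog_hours(self, outage_hours: int) -> float:
        """Staff-hours needed to eliminate the backlog left by an outage."""
        return round(self.backlog_hours_per_day * outage_hours / 24, 1)

    def matrix_score(self) -> int:
        """Sum of the five risk-matrix answers (5..15 points)."""
        return sum(MATRIX_POINTS[a.lower()] for a in self.matrix_answers.values())

    def priority_score(self) -> float:
        """Composite: shorter MTD, higher matrix score and PHI/regulatory exposure rank first."""
        mtd = self.mtd_hours()
        urgency = 0.0 if mtd is None else THRESHOLDS_H[-1] / mtd   # 1.0 .. 42.0
        score = urgency + self.matrix_score()
        score += 5 if self.regulatory_exposure else 0
        score += 5 if self.handles_phi else 0
        return round(score, 1)


def recovery_tier(app: ApplicationImpact) -> str:
    """Assign a restore-order tier from the MTD (cut-offs are assumptions)."""
    mtd = app.mtd_hours()
    if mtd is not None and mtd <= 24:
        return "Tier 1 (restore within 24h)"
    if mtd is not None and mtd <= 72:
        return "Tier 2 (restore within 72h)"
    return "Tier 3 (restore within a week or run on manual downtime procedures)"


def rank_applications(apps: List[ApplicationImpact]) -> List[ApplicationImpact]:
    """Recovery order: highest priority score first."""
    return sorted(apps, key=lambda a: a.priority_score(), reverse=True)


# Constructed sample questionnaire results for a small construction firm.
SAMPLE_APPS = [
    ApplicationImpact("Job costing and payroll", handles_phi=False,
                      interruption=("minor", "severe", "severe", "severe"),
                      backlog_hours_per_day=16, regulatory_exposure=True,  # e.g. late payroll filings
                      matrix_answers={"revenue": "High", "projects": "High", "cost": "High",
                                      "customers": "Medium", "processes": "High"}),
    ApplicationImpact("Email and calendaring", handles_phi=False,
                      interruption=("moderate", "moderate", "severe", "severe"),
                      backlog_hours_per_day=4, regulatory_exposure=False,
                      matrix_answers={"revenue": "Medium", "projects": "High", "cost": "Low",
                                      "customers": "Medium", "processes": "Medium"}),
    ApplicationImpact("Internal wiki", handles_phi=False,
                      interruption=("none", "none", "minor", "moderate"),
                      backlog_hours_per_day=0, regulatory_exposure=False,
                      matrix_answers={q: "Low" for q in ("revenue", "projects", "cost",
                                                         "customers", "processes")}),
]

if __name__ == "__main__":
    for app in rank_applications(SAMPLE_APPS):
        mtd = app.mtd_hours()
        print(f"{app.name:24} MTD={mtd if mtd else '>168'}h  score={app.priority_score()}  "
              f"backlog after 72h={app.backlog_hours(72)}h  {recovery_tier(app)}")
```

Running the module ranks payroll first (MTD 24 h, Tier 1, 48 staff-hours of backlog after a three-day outage), email second (MTD 72 h, Tier 2) and the wiki last (no severe impact inside a week, Tier 3). The weights are deliberately simple so that a department can challenge them in the scenario workshop; the value of the exercise is that the MTD and backlog figures come from the questionnaire rather than from IT's assumptions.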
Business Continuity Strategy
• Market Structure & Budget
• Data and system backup and restore
• System & data failover, redundancy
• System vulnerabilities & threats
• Disruptions to internal systems, telecommunications, applications, Web access
• Operation of environmental systems
• Natural disasters and other interruptions
Business Continuity Strategy
• Transfer control / function
• Relocation of staff
• Manual or alternative
• Work from home
• Shut down
• Hot site or dedicated
• Warm site
• Cold or shell site
Business Continuity Plan
• Considerable effort and time are necessary to develop the initial BCP
• Effective documentation and procedures are extremely important in a BCP
• Well-written plans reduce the time required to read and understand the procedures
• Result in a better chance of success if the plan has to be used
• Significantly reduce maintenance time and effort
Business Continuity Plan
• An overarching plan of the company to be able to recover from a disaster and to resume normal business processes in as little time as possible
• The BCP is made up of many “sub-plans”:
  • Emergency Response Plan
  • Disaster Recovery Plan
  • Public Affairs Plan
  • Occupant Emergency Plans
Business Continuity Plan
• Within a BCP, you have some key components:
  • Assessment: a way to identify threats (BIA - more on this later)
  • Evaluation: the likelihood and impact of each threat
  • Preparation: for contingent operations
  • Mitigation: the reduction or elimination of risks
  • Response: the response to minimize the impact of an emergency
  • Recovery: the return to normalcy
Business Continuity Plan
• A document stating:
  • Who and what (systems, equipment, records and facilities) are required
  • When they are required
  • Where to operate your business for an indefinite period
• A standard format for the procedures should be used for consistency, conformity, and maintenance
• Standardization is especially important if several people write the procedures
Business Continuity Plan
• Two basic formats are used to write the plan: background information and instructional information.
• Background information should be written using indicative sentences
• Instructions should use an imperative style (issue directions)
Business Continuity Plan
• Helpful tips in writing the BCP:
• Be specific. Write the plan with the assumption it may be implemented by personnel unfamiliar with the function and operation.
• Use short, direct sentences, and keep it simple. Long sentences can overwhelm or confuse the reader.
• Use short paragraphs. Long paragraphs can be detrimental to reader comprehension.
• Use active voice verbs in present tense. Passive voice sentences can be lengthy and may be misinterpreted.
• Use descriptive verbs. Non-descriptive verbs such as “make” and “take” can cause procedures to be wordy.
• Avoid jargon.
• Use position titles (rather than personal names of individuals) to reduce maintenance and revision requirements.
• Develop uniformity in procedures to simplify the training process and minimize exceptions to conditions and actions.
• Identify events that can occur in parallel, and events that must occur sequentially.
BCP Testing
• Plan Audit
• Passive Walk Through
• Scenario Workshop
• Physical Test
• Live Simulation Test
BCP Testing
• Dependencies
• Frequency
• Test Plan Development
• Test Procedures
• Test Results
• Management and Staff Awareness
BCP Maintenance
• It is important that the plan be continually maintained and updated. Business continuity plans should include specific maintenance responsibilities and procedures. The major considerations in this process include:
  • Maintenance frequency
  • Change factors
  • Maintenance responsibilities
  • Distribution considerations
BCP Maintenance
• The recovery procedures for each team should be updated at minimum on a yearly basis and should also be updated following major organizational changes
• Telephone lists and other inventories should be updated at least quarterly
• The plan should also be reviewed and updated when there are major changes in technology
• A plan maintenance form can be used to record and control all maintenance changes, additions or modifications to the plan
BCP Maintenance
• It is important to recognize factors that may change the business continuity plan:
• Procedural changes
• Organizational structure changes
• Personnel changes/turnover
• Physical changes (e.g., facilities)
• Technology changes
• Recovery requirements changes
• Testing issues
BCM Cycle - Summary (Stages 1 to 5): Risk Management → Business Impact Analysis → Business Continuity Strategy → Business Continuity Plan → Business Continuity Plan Testing → BCP Maintenance
Keys to Success
• Link business and IT processes
• Develop a comprehensive DR plan based on realistic threats
• Keep DR procedures current
• Test the DR plan – don’t view it as an exam; it is a quality improvement exercise
• BC goals should be realistic
• Clearly define DR roles, responsibilities and ownership
• Have a clear data backup strategy
• Communicate!
Resources
• Disaster Recovery Institute International (DRII) – http://www.drii.org
• Business Continuity Institute (BCI) - http://www.thebci.org/
• Disaster Recovery Journal – http://www.drj.com
• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
• Continuity Central http://www.continuitycentral.com/info.htm
• Federal Financial Institutions Examination Council Business Continuity Handbook http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
Conclusion
• Don’t wait till a disaster occurs
• Even with a small budget, prudent steps can be taken:
  • ensuring good backups
  • establishing roles and responsibilities
  • effective planning
  • new technologies may also be leveraged to make recovery more affordable
Questions?
• Bill Lisse - (937) 853-1490
• Email - [email protected]
• Jack Lohbeck - (937) 853-1423
• Email – [email protected]