Enabling a Comprehensive Business Continuity Strategy

Lauret Howard, CEO, Watchtower Consulting; Chief Risk Officer, Retired, NASCO

Posted on 17-Sep-2020


Page 1: Title

Enabling a Comprehensive Business Continuity Strategy

Lauret Howard
CEO, Watchtower Consulting
Chief Risk Officer, Retired, NASCO

Page 2: Learning Objectives

At the end of this session, you will:

• Learn how to apply the ASP framework to complete a risk analysis and prepare a plan to limit business interruption
• Understand how to drive employee adoption of a business continuity program
• Hear about lessons learned from NASCO’s work to create and continuously improve its comprehensive business continuity strategy

Page 3: NASCO Profile

• NASCO the Company
• NASCO Services and Delivery
• NASCO Infrastructure
• Locations
• Associates
• Contingent Workers

Page 4: Business Continuity Defined

Business Continuity: Capability of an organization to respond and recover from business interruption, keeping all essential aspects of a business functioning despite significant disruptive events.

Disaster Recovery: Capability that enables the recovery or continuation of vital technology infrastructure and systems following a disaster.

Enterprise Risk Management: Capability of an organization to identify, assess, monitor and report major risks that could impede or negatively affect the achievement of an organization’s strategic goals and operational objectives.

Page 5: Business Continuity Framework

An Event is surrounded by four plans: the IT Disaster Recovery Plan, the Emergency Response Plan, the Business Continuity Plan and the Crisis Management Plan.

Emergency Response Plan – ERP
• Fire
• Tornado
• Bomb Threat

Crisis Management Plan – CRP
• Event Response
• Impacts

Disaster Recovery Plan – DRP
• IT Systems
• Network
• Ransomware

Business Continuity Plan – BCP
• Time Driven Response
• Site Impact
• Business Disruption

Adapted from ChainLink Research

Page 6: Business Continuity – Why?

Stuff Happens
• Continue business operations
• Protect associates and contingent workers
• Protect company assets
• Comply with government regulations
• Obtain certifications

Page 7: NASCO’s Business Continuity Journey

Page 8: Business Continuity Model

• Business Impact Analysis
• Business Continuity Plan

REMEMBER: THIS IS SURVIVAL, NOT BUSINESS AS USUAL!!

Page 9: Policy and Program Management

• Identify scope of the BCM program
• Define governance
• Assign roles and responsibilities
• Establish project and program management
• Manage documentation
• Document BCM policy
  ◦ Purpose of BCP
  ◦ Organization accountabilities
  ◦ BCP Team members and roles
  ◦ Annual tabletop requirement
  ◦ Crisis Management Team

Page 10: Impact Analysis by Division (General Financial Impacts and Exposures)

Assume your work area is totally inaccessible and other departments have been similarly affected.

What financial impacts and exposures would the company face?

• None
• Lost Revenue
• Penalties
• One Time Expense
• Maintaining Service
• Recovery of Lost Transactions
• Backlog Business Functions
• Other Impact (explain)

Page 11: Impact Analysis by Division (Revenue and Customer Service)

Revenue

• What revenue is this department directly responsible for producing?
  ◦ Daily amount
  ◦ Weekly amount
  ◦ Monthly amount
• Does the department regularly experience any peak revenue or volume period, or any other critical period?
• Are there particular times of the day/month/year that are more critical to your department?

Customer Service

• Does this department interface directly with end customers?
• If so, how many customer contacts occur daily, weekly, or monthly?
• What is the nature of those contacts?
• If the department provides critical customer service, what adverse effect on operations or customer services would likely occur should this process not be available?
• Does this department indirectly influence the customer experience? If so, how?

Page 12: Impact Analysis by Division (Operations)

Operations

• What business decisions, if any, are based on the information provided by this business function(s)?
• How does the absence of functions performed by this department affect the management and control of the division? The entire organization?
• What is the length of time before the absence of this department’s functions would critically impact the ability to continue the operation of the division? The entire organization?
• Are there any penalty payments or costs that would be incurred should this function(s) be unavailable for operation (e.g., lawsuits)?
• Would the absence of this department’s function(s) result in adverse publicity for the organization? (Give the reason why this is critical.)
• What is the degree of disruption to third parties? Financial or dollar impact?
• What times of the year would a significant outage have the most impact on your business unit?

Page 13: Impact Analysis by Division (Work Received and Work Sent)

Work Received

• List the departments/functions, in-house central computer systems, data processing service bureaus, or other organizations from which your unit receives work
• Of the total amount of incoming work your unit receives, what percentage comes through the following routes?

Work Sent

• List the units, in-house central computer systems, data processing service bureaus, or other organizations to which your unit sends completed work or information
• Of the total amount of outgoing work your unit produces, what percentage is sent through the following routes?

Routes (applies to both questions):

❑ E-mail
❑ US mail
❑ Telephone or fax
❑ Interoffice mail
❑ Courier (FedEx, UPS, etc.)
❑ Online information from internal computer systems
❑ Reports generated from internal computer systems
❑ Online information from external data processing services
❑ Reports generated by external data processing services

Page 14: Impact Analysis by Division (Regulatory/Legal Issues)

Regulatory/Legal Issues

• Are there any reporting requirements or deadlines that would be affected by a delay in or loss of the services your unit provides?
• Would a delay in or loss of service result in any fines or penalties?
  ◦ List the regulations
  ◦ Describe the conflict
  ◦ Describe possible consequences (e.g., penalties)
• Will a delay in or loss of the services your unit provides result in possible legal liability, damages, or other public harm?
  ◦ List the legal issue
  ◦ Describe the conflict
  ◦ Describe possible consequences (e.g., penalties)

Page 15: Impact Analysis by Division (Extraordinary Expenses)

Extraordinary Expenses

• Estimate the extraordinary (unbudgeted) expenses that your business unit will incur if you must perform your mission critical function(s) manually or in a substitute manner during a significant outage
• What expense factors comprise your estimate of the extraordinary expenses?

❑ None
❑ Rental/Lease Equipment
❑ Outside Services
❑ Wages Paid to Idle Staff
❑ Temporary Employees
❑ Temporary Relocation
❑ Overtime
❑ Emergency Purchases
❑ Other, please explain

Page 16: Impact Analysis by Division (Application List)

Application List

• What are the critical systems/applications this department depends upon to perform its functions?
• How soon must they be recovered following a disaster?

Critical Applications - RTO (Business Impact / Application Dependencies)

Recovery time columns: Immediate | 4 hrs | 12 hrs | 24 hrs | 48 hrs | 72 hrs | 96 hrs | 1 wk | > 2 wks

Page 17: Impact Analysis by Division (Minimum Acceptable Recovery Configuration)

Minimum Acceptable Recovery Configuration

• The Minimum Acceptable Recovery Configuration specifies the estimated number of the resources that are necessary to restore essential operations

Columns: Item | Normal Level | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Week 2 | Week 3 | Week 4

Items:
• Personnel
• Remote
• Desk/Chairs
• Desktop Computer
• Notebook Computer
• Local Printers
• Network Printers
• Copiers
• Fax
• Filing Cabinets
• Tables
• Special Forms
• Other?

Page 18: Design of BCP

• Consolidate BIAs
  ◦ Conduct a ‘reasonability’ check
• Determine strategies and tactics
  ◦ Recover critical functions
  ◦ Identify threat mitigation measures
  ◦ Define incident response structure
  ◦ Determine who makes the decisions
• Identify incident response structure and create project plan for implementation using scenario analysis
  ◦ Diversify
  ◦ Replicate
  ◦ Post-incident acquisition
  ◦ Do nothing

Page 19: Design of BCP (BCP Hosted Service)

BCP Hosted Service

• Store and retrieve BCP and BIA
• Set up database of NASCO associates and contractors with alternate email and cell phone contact information
• Create standard text messages and emails to send in case of an event
• Incorporate into communication, training and annual table top exercise
• Includes sample table top exercises
• Provides consulting support

Page 20: Design of BCP (Table of Contents and Response Flowchart)

Table of Contents

1. Response/Recovery Flowchart
2. Preplanned Recovery Strategy – Summary
3. Team Roles, Responsibilities and Contact Information
4. Specific Recovery Scenarios and Associated Tasks
   ◦ Loss of Workplace
   ◦ Loss of IT Supporting NASCO Offices
5. Recovery Requirements
6. Work Resumption Procedures
7. Appendix
   ◦ Management Team Members
   ◦ Reference Materials for Recovery of Offices
   ◦ Administrative Information

Response

Initial Response
• Evacuate or shelter in place
• Notify Public Authorities
• Notify Damage Assessment Team

Damage Assessment
• Determine notification protocol
• Conduct onsite evaluation
• Determine extent of impact

Declare Disaster?

No:
• Situation contained, resolved, documented
• Communication distributed
• Document lessons learned

Yes:

Assess Damage
• Determine extent
• Establish command center
• Notify Executive Team
• Notify Recovery Team Leaders

Activate IMT
• Move to alternative recovery site
• Provide ongoing support

Initiate Division BCP

Page 21: Initial Design Test of BCP

What We Learned: Actions Taken

• Email and Time Tracking: Moved to cloud solution
• Corporate Systems: Moved to co-lo; created and tested DR plan
• Adequacy of Insurance Limits: Increased limits for personal property
• Loss of Office: Scenarios dependent on recovery time

Page 22: Implementation

• Execute the project plan created in the design phase
• Incorporate awareness and knowledge sharing
• Ensure adequate resource assignment and funding to complete the plan
• Items to consider
  ◦ Adequate insurance for lost revenue, additional expenses, legal fees, crisis communications
  ◦ Communication to customers and suppliers
  ◦ Contractual obligation of suppliers to have BCP and test no less than annually

Page 23: Validation

• Use table top exercise
  ◦ Created by BCP team
  ◦ Conducted with Senior Staff
• Include outside participants as required
  ◦ Property Manager
  ◦ Property Security Staff
  ◦ Observer and Recorder
• Provide recap and action plan
• Include action plan into following year’s business plan
• Revisit scenario every 3 years

Page 24: Staffing and Funding Requirements

• Governance and BCP Team
  ◦ 1 BCP owner: 500 hours/year
  ◦ Executive Sponsor: 40 hours/year
  ◦ Executive Sponsor: 40 hours/year
  ◦ IT: 60 hours/year
  ◦ Crisis Management team: 10 hours/year
• Funding
  ◦ BCP Hosted Environment and Consulting Support: $10,000 - $25,000/year
• Training
  ◦ Development: Included in staff hours
  ◦ Content and Test: .5 hours/year

Page 25: Adoption and Buy In

Executive Sponsorship

• Include senior leadership and key participants in table top exercises
• Analyze results
• Identify improvements and create action plan for following business cycle

Communication

• What and why
• Preparis connection test
• Badge insert
• Posters in break rooms and near copiers
• National Preparedness Month – September
• Business Continuity Awareness Week – May

Reinforce Importance

• Completion of Business Impact Analysis included in leaders’ performance objectives
• Business Continuity Program training tied to compensation

Page 26: Lessons Learned - Tornado

• Loss of access to property
• Personal property insurance
• Corporate systems moved to co-lo
• Corporate systems DR created and tested as part of annual DR test
• Weather app downloaded to cell phones
• Weather radio for key staff
• Walkie-talkie and batteries for key staff

Page 27: Lessons Learned – Armed Intruder

Active Shooter Preparation

• Local police meeting and walk through
  ◦ Run/hide/fight
  ◦ Safe rooms
  ◦ Panic button
  ◦ Camera configurations
• Property Manager and Security Staff had no plan
• Crisis communication test

Table Top Outcomes

• Ensure appropriate staff alerted prior to table top
• Crisis communication training
• Property Management exercise
  ◦ Hide/fight
  ◦ Solid safe rooms/doors
  ◦ Use of frosted glass
• Safe rooms: items to fight with

Page 28: Lessons Learned – Power Outage

• Understand power grid
• Role of Property Management
• Time to power down systems
• Badge reader issue
  ◦ Trapped inside office space
  ◦ Required upgrade and reconfiguration of badge reader system
• Able to use the tornado loss-of-access-to-property plan and lessons learned from the Hurricane Sandy scenario

Page 29: Lessons Learned – Snowmaggedon 2014

Situation

• Mid-day snow/ice storm
• Relied on school closure announcement
• Entire city left to go home at the same time
• No metro-wide preparation

Changes

• VP/HR and CRO make the call
• Communicate to staff in advance of office closing
• Remind associates of work from home requirements
• Remind associates of car emergency kit

Page 30: Resources - Free

• Homeland Security – www.ready.gov
• Business Continuity Institute - www.thebci.com
• Run, Hide, Fight - www.youtube.com/watch?v=5VcSwejU2D0
• Federal Emergency Management Agency – www.fema.gov
• Financial Industry Regulatory Authority – www.finra.com
• Center for Medicare and Medicaid Services – www.cms.gov
• National Fire Prevention Agency – www.nfpa.org
• Local law enforcement web sites
• Google ‘Business Continuity Plan’
• Lauret Howard – [email protected]

Page 31: Take Away