Your SlideShare is downloading. ×
ISACA Business Continuity Management Lifecycle
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

ISACA Business Continuity Management Lifecycle


Published on

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. ISACA Business Continuity Management Lifecycle Deloitte & Touche LLP
  • 2. Agenda Introductions 12:00 – 12:05 Overview of Business Continuity 12:05 – 12:20 Business Continuity Lifecycle 12:20 – 12:35 Module 1: Analyze 12:35 – 1:05 Break 1:05 – 1:10 Module 2: Develop 1:10 – 1:30 Module 3: Implement 1:30 – 1:50 Issues 1:50 – 2:55 Q&A 2:55 – 2:05 Copyright © 2009 Deloitte Development LLC. All rights reserved. 1
  • 4. What is Business Continuity Management (BCM)? • Business Continuity Management: – “The ability and readiness to manage business interruptions, in order to provide continuity of services at a minimum acceptable level and to safeguard the financial and competitive position in the short and longer term. It includes the organization in place to determine the continuous adaptation to changing risks, changing environment, and coordination of regular training and testing.” • Viability – Keeping the company in business • Earnings/Profit Protection Business – Protecting the Enterprise’s Financial Commitments Continuity • Continuing New Business – Preserving the ability to sell in the marketplace Objectives • Brand Protection – Avoiding public embarrassment and loss of credibility Copyright © 2009 Deloitte Development LLC. All rights reserved. 3
  • 5. What is BCM? (cont.) • Elements include – Principles of Risk Management – Design and implementation of Crisis Management and Emergency Operations Programs – Planning for recovery and continued availability of operations during disruptive events – Designing and implementing business process manual procedures for use during a disruption – Designing and implementing secure, fail-proof (fault-tolerant) systems for continuous availability – Designing and implementing threat prevention and detection systems – Encompasses development of procedures, acquisition of resources, testing, and maintenance Copyright © 2009 Deloitte Development LLC. All rights reserved. 4
  • 6. Crisis event timeline Incident Emergency Response T The Th T T T h imag e h h h e e im e e e i cann ag i m ot be e i i m a displ ca m m a g ay ed nn a a g e . ot g g e c Your be e e c a com dis a n put… pla c c n The image cannot be display ed. The image cannot be display ed. The The The image The image The image The The The T The The T Th T The The The T The T Th T The T T T T The T T T T Th T T T The T T T T The The The T The The The The T The The The image The The The T image The The image cannot be The The The The Your computer may not hav e Your computer may not hav e ima ima cannot be cannot be cannot be image ima image h image ima h e h ima ima ima h ima h e h ima h h h h ima h h h h e h h h ima h h h h ima ima h ima ima image image ima h image ima ima cannot be ima h cannot be ima image ed. Yourima display ima image enough memory to open the enough memory to open the ge ge display ed. Your display ed. display ed. cannot ge cannot e cannot ge e ima e ge ge ge e ge e ima e ge e e e e ge e e e e ima e e e ge e e e e ge ge e ge ge cannot cannot ge e cannot be ge gedisplay ed. ge e display ed. Your ge cannot computer may not ge ge cannot image, or the image may hav e image, or the image may hav e can can computer may Your Your be can be be can ge can can can can ge can can ge can can can can can be be can display ed. can can Your can computer may can be e enough memory hav can can be Crisis Management Plan activated been corrupted. Restart y our been corrupted. Restart y our not not not hav e computer computer display not display e i display not i can i not not not i not i can i not i i i i not i i i i can i i i not i i i i not not i not not display display not i Your not not computer not i not hav e not display the image, or to open not not display e computer, and then open the file computer, and then open the be be enough may not may not ed. be d. Your m ed. be m not m be be be m be m not m be m m m m be m m m m not m m m be m m m m be be be m be ed. ed. be m computer be bemay not be enough memory m be ed. image may hav e the be be d. Your again. If the red x still appears, file again. If the red x still dis dis memory to hav e hav e Your dis comput a Your dis a be a dis dis dis a dis a be a dis a a a a dis a a a a be a a a dis a a a a dis disp disp a dis Your Your dis a may not dis dis have dis to open the dis a Your corrupted. been dis dis comput you may have to delete the image appears, y ou may hav e to pla pla open the enough enough comput pla er may g comput pla g dis g pla pla pla g pla g dis g pla g g g g pla g g g g dis g g g pla g g g g pla lay e lay g e pla compu compu pla g hav e pla pla enough pla image, or the g pla comput y our Restart pla pla er may and then insert it again. delete the image and then yed yed image, or the memory to memory to er may yed not e er may yed e pla e yed yed yed e yed e pla e yed e e e e yed e e e e pla e e e yed e e e e yed d. d. e yed ter ter yed e enoughyed yed memory yed image may hav e e yed er may computer, and thenyed yed not insert it again. . . image may open the open the not . hav e not . yed . . . . yed . . yed . . You You . may may . memory. . to open . been corrupted.. not the file again. If open . . hav e You You have been image, or image, or hav e You enough c hav e You c . c You You You c You c . c You c c c c You c c c c . c c c You c c c c You r r c You not not You c to open You You the You Restart y our You c have the red x still appears, You You enough r r corrupted. the image the image enough r memor a enough r a Yo a r r r a r a Yo a r a a a a r a a a a Yo a a a r a a a a r co co a r have have r a the r r image, or r computer, and a r enough have to you may r r memor co co Restart y our may hav e may hav e memor co y to n memor co n ur n co co co n co n ur n co n n n n co n n n n ur n n n co n n n n co mp mp n co enoug enoug co n image, or co co image co the thennopen the co memor the image and delete co co y to mp mp computer, and been been y to mp open n y to mp n co n mp mp mp n mp n co n mp n n n n mp n n n n co n n n mp n n n n mp uter uter n mp h hmp n the image mp mpmay hav e mp file again. If the n mp ythen insert it again. to mp mp open ute ute then open the corrupted. corrupted. open ute the o open ute o mp o ute ute ute o ute o mp o ute o o o o ute o o o o mp o o o ute o o o o ute ma ma o ute memor memor ute o may hav e ute ute been ute red x still o ute open ute ute the r r file again. If Restart Restart the r image, t the r t ute t r r r t r t ute t r t t t t r t t t t ute t t t r t t t t r y y t r y to y to r t been r r corrupted. r appears, y ou t r the r r image, ma ma the red x still your your image, ma or the image, ma r ma ma ma ma r ma ma r ma ma not not ma open open ma corrupted. ma maRestart ma may hav e toma image, ma ma or the hav hav y the the b Restart y your delete the y Restoration y y appears, y ou computer, computer, or the y image b or the y b ma b y y y b y b ma b y b b b b y b b b b ma b b b y b b b b y b y y y b or the y y image not not may hav e to and then and then image not may e image not e y e not not not e not e y e not e e e e not e e e e y e e e not e e e e not e e not image, image, not e your not not computer, not image and then e not image not not may hav hav delete the open the open the may hav hav e may hav not hav hav hav hav not hav hav not hav hav eno eno hav or the or the hav computer, hav hav then hav and insert it again. hav may hav hav hav e e e image and then file again. If file again. If hav e e been d hav e e d hav d e e e d e d hav d e d d d d e d d d d hav d d d e d d d d e ugh ugh d e image image e d and then e e open the e d e have e e been eno eno insert it again. the red x the red x been eno corrupt i been eno i e i eno eno eno i eno i e i eno i i i i eno i i i i e i i i eno i i i i eno me me i eno may may eno i open eno the eno again. eno file i eno been eno eno corrupt Response Period Recovery Period still still ed. R have have file agai If the re ed. R Period Normal Operations Damage Business Continuity Plans activated Assessment IT-DR Plans activated The T The T T T T Th image h image h h h h e cannot e cannot e e e e im be be ag display ed i display e i i i i e . Your m d. Your m m m m ca computer a compute a a a a nn may not g r may g g g g ot hav e e not hav e e e e e be enough enough dis memor … c memo … c c c c pla Hour “0” Recovery Recovery in Back to Time Begins Place Normal Copyright © 2009 Deloitte Development LLC. All rights reserved. 5
  • 8. Evolution of BCM • The future towards a “Resilient Enterprise” – Companies are seeking a paradigm shift in their business continuity program – from a responsible organization to one that is able to predict and isolate events before adverse effects occur. Predictive Modeling Anticipating the effects of emergencies before Business they happen Continuity Management Building availability into Disaster Business management Recovery Continuity processes Plan Plan Business Value Plan for the Plan for recovery of data recovering Contingency processing Business facilities operations Plan Procedures to Resilience follow after operational mishaps Hardening the enterprise Backups against many foreseeable Making exact emergencies copies of electronic data Continuous Availability Automatic rollover of information systems Vision Copyright © 2009 Deloitte Development LLC. All rights reserved. 7
  • 9. Evolution of BCM (cont.) • A Model of Risk to Business Continuity – Companies are seeking an approach that is business oriented focusing on the business process instead of applications. Companies are seeking measures based on business risk instead of event External Sources Internal Sources Continuous Threat Monitoring Empirical Data Company Activities Subject Matter • Risk analysis • Legal and regulatory Skilled • Investment analysis • Political and economic • Geo-political risk skilled • Interviews with key leaders/management • State of affairs • Economists • Focus Groups • Industry-wide insights • Forums • Process subject matter experts • Geo-political risk • Executives from • Company strategy • Assessment • Diverse industries • Known weaknesses • Networks Scenarios and Threats • People • Technology • Partners • Process • Infrastructure • Market and Economic Reality Check • Enhanced monitoring and mitigation Impacts of Scenarios • Assess response and mitigation plans technique • Redefine/Bolster test criteria • More preventive and responsive plans • Reevaluate priorities of risk Copyright © 2009 Deloitte Development LLC. All rights reserved. 8
  • 10. Business Impact to Regulatory Requirements 9
  • 11. Impact of regulatory requirements Industry Regulation Impact on Business Continuity Management Sarbanes-Oxley • Guidelines for corporate governance and oversight of accounting and audit practices as well as financial record retention SEC Policy • Regulates self-regulatory organizations operating trading markets, ECNs and Many Publicly important "shared systems" such as market data feeds Traded • Mandates recovery/resumption by next business day Companies • Business continuity plans, geographic diversity, and industry wide test of capacity and connectivity with counterparties ISO 17799 • Require a BCM process implementation and implementation of a acceptable level of preventative and recovery controls HIPAA • Requires data backup, DR and emergency mode operation plan Healthcare • Requires reasonable and appropriate measures relative to the size, complexity and resources of the organization FDA • Establishes the requirements for electronic records and electronic signatures FISMA and Executive Order • Mostly emphasizes data security rather than BC and DR on Critical Infrastructure An important need to be addressed is the requirement that government is open Protection in the Information and running during a crisis Age, 16 October 2001 Government COOP and COG • Establishes minimum planning considerations for federal government operations NIST and Contingency • Defines detailed recommendations from NIST, requiring contingency, DR and Planning Guide for COOP plans Information Technology • Mandatory security controls will become a federal standard by the end of 2005. Systems NIST 800-53A will provide assessment guidelines that are closely aligned to the controls listed in NIST 800-53 Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005 As used in this document, “Deloitte” means Deloitte LLP. Please see Copyright © 2009 Deloitte Development LLC. All rights reserved. for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. 10
  • 12. Business impact to regulatory requirements (cont.) Industry Regulation Impact on Business Continuity Management FFIEC • Specifies that directors and managers are accountable for organization-wide contingency planning and for “timely resumption of operations in the event of a disaster” Gramm Leach Bliley • Requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards to determine the confidentiality and integrity of customer records and information. Financial institutions are required to establish measure to monitor and manage security systems Basel II, Basel Committee • Requires that banks put in place BC and DR plans to determine continuous on Banking Supervision, operation and to limit losses Finance Sound Practices for Management and Supervision, 2003 Interagency Paper on Sound • More focused on systemic risk than individual enterprise recovery. Requires Practices to Strengthen the BCP to be upgraded and tested to incorporate risks discovered as a result of Resilience of the U.S. the World Trade Center disaster Financial System, 2003 EFA • Requires federally chartered financial institutions to have a demonstrable BCP to determine prompt availability of funds NASD 3510/3520 and NYSE • Mandates securities firms to establish Business Continuity Plans for critical Rule 446 systems and to determine compliance with many aspects of the regulation including senior management review and approval, customer disclosure, and maintenance of Business Continuity Plans SEC Rule 17a4 • Requires securities firms to preserve electronic records in a non-rewriteable, non-erasable format with a focus on archival practices for email systems and instant messaging Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005 Copyright © 2009 Deloitte Development LLC. All rights reserved. 11
  • 13. Business impact to regulatory requirements (cont.) Industry Regulation Impact on Business Continuity Management GASB • Requires a BCP to determine that agency mission continues in time of crisis. NERC • Recovery plans currently voluntary. Includes BC in information security standards for the industry-government partnership (guided by Critical Infrastructure Protection Committee [CIPC]). FERC • Mandates recovery plans. RUS 7 CFR Part 1730, 2005 • Emergency restoration plan required as condition of continued borrowing. Utilities Telecommunications Act of • Requires the Federal Communications Commission (FCC) to establish 1996, Section 256, procedures to oversee coordinated network planning by carriers and other Coordination for providers. Interconnectivity Chemical Facilities Security • Mandate chemical operators to craft vulnerability assessments and site Act security plans and grants authority to the Department of Homeland Security to regulate those plans and oversee security at the nation's chemical plants. Chemical Facilities Security • Mandate chemical operators to craft vulnerability assessments and site Act security plans and grants authority to the Department of Homeland Security to regulate those plans and oversee security at the nation's chemical plants. Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005 Copyright © 2009 Deloitte Development LLC. All rights reserved. 12
  • 14. Business Continuity Management Life Cycle 13
  • 15. Business Continuity Management Life Cycle The Deloitte & Touche Approach to Business Continuity Management The Deloitte & Touche Approach to Business Continuity Management Analyze Analyze Develop Develop Implement Implement Resource Current State Governance Acquisition/ Assessment Implementation Availability/ Risk Recoverability Training Assessment Strategies Business Procedures Testing Impact Analysis Continuous Improvement / Quality Continuous Improvement / Quality Assurance Copyright © 2009 Deloitte Development LLC. All rights reserved. 14
  • 16. Module 1 ANALYZE 15
  • 17. Current State Assessment Analyze Objective To assess the organization’s current BCM program status including identifying any existing gaps and provide a quick, high-level report card based on observations and interviews. 1Current State Assessment Overview  A current state assessment examines each major component important to a BCM program. It includes the following: 2Risk • Evaluate the current BCM program Assessment • Determine where the organization is currently on a “lagging” to “leading edge” maturity scale • Compare with industry peer status (optional depending on scope and availability of information) 3Business Impact Analysis • Align BCM program objectives with management’s goals and objectives Copyright © 2009 Deloitte Development LLC. All rights reserved. 16
  • 18. Current State Assessment Key Considerations Analyze The current state assessment framework could be organized into the following 15 components. • Leadership/Governance 1Current State • Regulatory/Industry Compliance Assessment • Crisis Management • Business Process/Work Recovery Plans • Centralized IT Recovery Plans 2Risk Assessment • Distributed IT Recovery Plans • Desktop-Technology Plans • Data Communications • Voice Communications 3Business Impact • Data/Vital Records Analysis • Facilities/Infrastructure • Third-Party Continuity • Testing • Training • Life Safety Copyright © 2009 Deloitte Development LLC. All rights reserved. 17
  • 19. Current State Assessment Partial Sample Current State Assessment Summary 3 – Partial Category 1 – Lagging 2 – Awareness 4 – Implemented 5 – Leading Implementation Many single points of Risk analysis performed. Recovery plans address Leading technologies failure. Redundancy built in for Technology Assessment many aspects of IT. implemented providing IT Disaster Recovery Limited awareness of power, some redundancy full. Mitigation of risk. IT Examining electronic data and system the impact of full in place for key Recovery sites identified vaulting, journaling, redundancy from technology outage technology components data replication solutions separate locations Single telecomm Leading provider. Recovery strategy Recovery strategy Recovery plans address telecommunications Limited awareness of addresses partial addresses partial many telecomm Telecommunications technologies such as telecomm redundancy telecomm redundancy requirements and are Technology the impact of full Internet, cellular, and telecomm outage with with incorporated into annual radio frequency are built limited recoverability limited recoverability testing into recovery plans Data backups taken for Leading technologies Data backups stored Examining methods for Inconsistent data many platforms: such as elect. vaulting, offsite. Frequencies and minimizing potential data Data / Vital Records retention and offsite operating sys apps and journaling, mirroring are methods driven by IT loss and providing Storage program in data and tested at implemented. Duplicate system and application duplicate copies of data place. remote site. Imaging copies of all data is requirements at multiple sites program in place maintained. Awareness of need to Facilities plans in Facilities plans Exploration and support Building security/ development. Utilities implemented to support implementation of Public Facilities / Infrastructure alternate workspace, safety plans exist; limited backup/ resiliency. UPS, and / relocation, and utilities business requirements recovery planned, not diesel generators. Annual Private response backup/ recovery fully implemented testing. cooperation Annual testing of Integrated evacuation Absence of Life Periodically conduct evacuation and medical and medical testing Safety measures. No Evacuation routes and evacuation drills and emergency procedures. between Crisis Life Safety evacuation routes emergency medical medical emergency Drills and Emergency Management, Business posted or evacuation procedures posted training. Floor wardens Response coordinated Units, IT, Facilities, and People drills performed established with local authorities external parties Regular BCP Training BCP Training program Pro-active BCP Training IT Department and sessions conducted. established includes Process including Training and Absence of BCP Training Business Unit are Awareness BCP training manuals regular employee contact factoring in BCP / BCM and Awareness Program trained to execute distributed to key and continuous into design and recovery plan activities employees improvement implementation Copyright © 2009 Deloitte Development LLC. All rights reserved. 18
  • 20. Current State Assessment Sample Current State Continuum C urren t/G o al State R atings C ategory Sub -Categ ory 3 - Partially 1 - Lagging 2 - Aw areness 4- Im plem ented 5 - Leading Im plem ented Leadership / G overnance C G R egulatory / Industry M anag em ent C om pliance C G C risis M anagem ent C G Business Process / W ork R ecovery C G Process Third Party C ontinuity C G Testing (validation) C G Centralised Inform ation Technology C G Distributed Inform ation Technology G Techn olog y D ata / Vital R ecords C G D ata C om m unications C G Voice C om m unications C G Prim ary Site C G B uildin gs Backup Site C G Training C G Peop le Life Safety Legend CG Current State G oal State C G Copyright © 2009 Deloitte Development LLC. All rights reserved. 19
  • 21. Risk Assessment Objective Analyze To assess existing business continuity threats and recommend solutions to further mitigate vulnerability where appropriate. 1Current State Assessment Overview  A risk assessment is a broad analysis of the potential hazards, threats, and perils that can disrupt the continuity of the 2Risk Assessment organization’s business processes  A list of inherent risks and the likelihood of occurrence is developed based on natural and man-made events known to the area and the organization’s industry 3Business Impact Analysis  Existing experience is gathered through Internet research and select interviews  Based on existing mitigating measures and implemented, an overall “residual risk” rating is developed  Risk avoidance solutions will be recommended by the project team to mitigate gaps between the residual risk and an estimated risk tolerance for the organization Copyright © 2009 Deloitte Development LLC. All rights reserved. 20
  • 22. Risk Assessment Key Considerations Analyze  Identification of credible threats Site specific history of threat occurrences 1Current State Assessment Risk • The exposure to loss, injury, and/or major business disruption • Types of Risk include: 1. Inherent Risk – risk that any business is exposed to, involving 2Risk Assessment multiple threats that can impact the company’s ability to perform major business processes. These risks have a potential negative impact on business resources including people, assets and information. Companies can implement additional measures to either prevent their occurrence or mitigate their 3Business Impact impact Analysis 2. Residual Risk – risk that remains after taking into account the organization's existing mitigation measures. Businesses may not be able to completely remove residual risk. Business continuity plans are usually implemented in an effort to deal with the residual risk, reducing the threats to a level that is acceptable to management Copyright © 2009 Deloitte Development LLC. All rights reserved. 21
  • 23. Risk Assessment Inherent Risk THREATS + CONSEQUENCES FOR RESOURCES = INHERENT RISK • Natural Level 1 Level 2 • People • Accidental • Confidentiality • Strategy • Assets • Information • Deliberate • Availability • Transaction • Customers • Technical • Integrity • Compliance • Vendors • Accuracy • Reputation • Other Stakeholders • Completeness • Other • Other Residual Risk INHERENT RISK - CONTROLS = RESIDUAL RISK • Preventing Controls • Mitigating Controls Copyright © 2009 Deloitte Development LLC. All rights reserved. 22
  • 24. Risk Assessment Analyze Risk Assessment Approach General risk is based on NFPA 1600 which grouped risk into three categories: 1Current State Assessment  Natural Events – risk driven by natural or act of God  Technological Events – risk driven by technology, broadly defined  Human Events – event driven by acts of specific individuals 2Risk Assessment both internal and external to the organization Specific risk is further assessed based on: 3Business Impact Analysis  Infrastructure Single Points of Failure (SPOF)  Reliance on few individuals  Reliance on third parties Copyright © 2009 Deloitte Development LLC. All rights reserved. 23
  • 25. Risk Assessment Sample of Threat List Group by Threat Categories Analyze Threat Types/ Causes Examples Health Bioterrorism – Anthrax, Plague, Chemical Hazard etc Workplace injuries 1Current State Pandemic Radiation emergencies Assessment Traveler’s Health Food/Water Safety Natural Flooding Sandstorm Earthquake Snow / Ice Storm Hurricane Tornado Landslide Wind Storm 2Risk Assessment Man-Made Bomb Threat Extortion / Embezzlement Computer Crime/Theft Loss of Key Personnel Inadvertent Disclosure Non-Compliance (Ignorance or Fire Willful) Fraud Riot / Civil Disorder Hacking Sabotage 3Business Impact Human Error – Administration Labor Strike Neglect / Data Entry Theft / Loss Analysis Technological Alteration of Data Malicious Code Alteration of Software Software Error Disclosure Telecom Outage Hardware Failure VandalismCyber-vandalism Infrastructural Power Failure/Fluctuation Fire Hazardous Material Spill Water Pipe Leak/Burst Emanations Telecom Outage Copyright © 2009 Deloitte Development LLC. All rights reserved. 24
  • 26. Risk Assessment Sample Threat Chart Analyze 1Current State Assessment 2Risk Assessment 3Business Impact Analysis Copyright © 2009 Deloitte Development LLC. All rights reserved. 25
  • 27. Business Impact Analysis Objective Analyze To establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for major business processes based on a structured approach to estimate financial and operational impacts associated with disruptions. RTO is the business tolerance for operational down time and 1Current State RPO is the maximum allowable data loss. The BIA is also be used to identify Assessment the resource requirements necessary to meet RTO and RPO. Overview  A Business Impact Analysis (BIA) is the cornerstone of a BCM program. It 2Risk identifies the impacts as a function of time resulting from a major unplanned Assessment disruption to one or more business processes  It provides measurable metrics to assist management with the business case for making the appropriate investment in business continuity solutions 3Business Impact Analysis  It identifies external and internal interdependencies of business functions, technologies, and services and analyzes the overall impact of outages to determine appropriate solutions. It also leverages a structured approach and tools and templates provide an enterprise view of business impacts Copyright © 2009 Deloitte Development LLC. All rights reserved. 26
  • 28. Business Impact Analysis Analyze Key Considerations Sample Results from a BIA • Identify the RTO and RPO for each major business process 1Current State Assessment • Identify existing departmental business continuity and disaster recovery capabilities – including departmental recovery capabilities • Business functions within each department deemed critical by management 2Risk Assessment • Information flow of operations within each department and location and any interdependencies between them • Existing business resources that support these functions including, but not limited to, information technology, electronic and paper-based vital records, hardware, software, telecommunications, etc 3Business Impact Analysis • Resources within each department deemed necessary for the various disruption scenarios discussed • Ability to meet regulatory compliance issues at the time of a disaster • Minimum operating requirements are your organization’s key operating resource dependencies; they must be replicated at alternate recovery facilities, including people, vital records, communications, facilities, equipment and IT infrastructure Copyright © 2009 Deloitte Development LLC. All rights reserved. 27
  • 29. Business Impact Analysis Identification of dependencies Analyze 1Current State Building (Facilities / Utilities) Assessment Equipment 2Risk Technology Assessment (Application, Data, Infrastructure) Human Resources 3Business Impact 3rd Parties (Vendors, Customers, Analysis Service Providers) Copyright © 2009 Deloitte Development LLC. All rights reserved. 28
  • 30. Business Impact Analysis Measuring Financial Impact The types of impacts of disruption for an organization are Analyze grouped by: Quantitative 1CurrentState  Financial in nature; where dollar values or ranges can be estimated Assessment  Examples are – Revenue loss; fines; cash flow; account receivables; accounts payable discounts; legal liability; loss of productivity; etc 2Risk Assessment Operational and Qualitative  More difficult to quantify; obtained by estimating impacts based on a ranking scale from minimal to significant 3Business Impact  Examples are Analysis – Customer Service; Human Resource; employee morale; confidence; legal; social and corporate image; credibility; etc Copyright © 2009 Deloitte Development LLC. All rights reserved. 29
  • 31. Business Impact Analysis Measuring Financial Impact The Most Significant Quantitative Impacts for a Analyze Commercial Enterprise:  Revenue Impacts – Sales revenue, professional fees or other financial losses that can be estimated based on an hourly cost of operational 1CurrentState downtime or the chronological loss of data records. Revenue loss Assessment should be understood as a one-time financial loss tied to a single event. One time revenue impacts should be measured separately from the loss of future revenue tied to the permanent loss of customers who have become dissatisfied as a result of the business disruption and have chosen to take their business elsewhere 2Risk Assessment  Productivity Impacts – Can be quantified by estimating the percentage change in effectiveness (i.e. reduction in normal work product) for a business function relative to operational downtime and/or the chronological data/records loss. Assuming normal productivity of a group of workers to be 100%, the organization can estimate how 3Business Impact productivity can degrade during downtime or based on data/record loss. Analysis One approach could be to multiply this percentage of productivity loss against a full time resource pay rate for each employee within a business function to quantify the cost of productivity loss for that function over time Copyright © 2009 Deloitte Development LLC. All rights reserved. 30
  • 32. Business Impact Analysis Measuring Financial Impact The Most Significant Financial Impacts for a Commercial Enterprise: Analyze  Market Share Loss – Are losses from customers who are so dissatisfied from the business disruption that they permanently take their business to another company. This results in a future revenue 1Current loss. To calculate such losses State Assessment 1. First, estimate the number of customers that may be permanently lost related to operational downtime and/or chronological data record loss. This number will likely grow as operational downtime and/or chronological record loss grows. 2Risk 2. Second, the organization must be able to define the average Assessment lifetime of a typical customer in months or years. 3. Last, multiply these variables by an estimate of the average monthly revenue per customer. This quantifies future revenue losses due to permanent customer loss 3Business Impact  Regulatory Fines and Sanctions – Depending on the enterprise, Analysis potential liabilities for non-compliance with applicable regulations can range from minor to disastrous. Copyright © 2009 Deloitte Development LLC. All rights reserved. 31
  • 33. Auditing Module 1 Risk Assessment: • Does a risk assessment exist, when was it last updated and what facilities or business functions does it cover? • Has a residual risk been assigned to each threat with mitigation strategies and single points of failure (SPOF)? • Has it been reviewed and accepted by senior management? Business Impact Analysis: • Does a BIA exist and when was the last time it was updated? • Does a prioritized list, including recovery timeframes of business functions or units and applications exist and have they been reviewed and accepted by senior management? • Have interdependencies been outlined, including other business functions or units, facility, personnel, equipment, technology and vendors? • Have quantitative and qualitative impacts been identified? Copyright © 2009 Deloitte Development LLC. All rights reserved. 32
  • 34. BREAK 33
  • 35. Module 2 DEVELOP 34
  • 36. Governance Develop Objective To introduce key BCM governance practices; to explain the operational and functional roles and responsibilities of management; to promote a successful BCM program 4Governance Overview  Business Continuity Governance oversight includes senior management’s involvement in the overall program. The governance program should 5Availability/ involve the BCM steering committee, program standards and guidelines, Recoverability Strategies monitoring and updating standards, Board reporting, budget approval, and goal setting  BCM proposals should highlight that our demonstrated methodology 6Plans & includes a structured approach to Governance to further distinguish us from Documentations our competition Copyright © 2009 Deloitte Development LLC. All rights reserved. 35
  • 37. Governance Key Considerations Develop  Must identify a senior management champion. A visible corporate sponsor is an influencer in the budgeting process.  Integrate effective governance as much as possible into 4Governance organization’s leadership structure; the goal is to embed BCM in the corporate culture. Understand the strategic business continuity goals. Refer to any business availability and recovery priority requirements developed as part of a BIA. The governance process 5Availability/ should include the triggers to re-evaluate this information when Recoverability Strategies business change occur  Reassess staffing levels. It is common that an organization has staff dedicated to business continuity. Assessing the staffing structure should be based on the governance model developed to determine 6Plans & Documentations that the program can meet expectations.  Identify primary and secondary resources to fill roles. This is critical and ideally includes BCM responsibilities within the formal performance appraisal process  Develop BCM policies and roles and responsibilities that make business continuity a key accountability throughout the organization Copyright © 2009 Deloitte Development LLC. All rights reserved. 36
  • 38. Governance Governance Approach Consist of both regulatory and organizational structure Governance Decision Framework Policy • What should the fundamental BCM Leadership operating principles be? Monitoring & Control • What internal BCM standards, rules • What qualitative benchmarking • What is the overall direction for the and protocols are needed? should be performed? business and related IT within the corporation? • How should periodic BCM progress • What are the cultural values reports be created and reviewed? regarding risk management? • What corrective action should be • How should key stakeholders be BCM Governance taken as key findings are made? represented? • How should the organization Decisions determine corrections take place? Allocating Capital Planning • How should limited resources be • What should the corporate efficiently allocated? Coordination & Compliance business recovery strategy • What capital is available for • What process should be used to include? investment? determine compliance with BCM • What should be the corporate IT • What criteria should be used to standards and obligations recovery goals? dictate BCM investment decisions? • How should Corporate BCM • How should BCM program • What process should be used to coordinate recovery activities between management be measured? review expenditures? organizational units? Copyright © 2009 Deloitte Development LLC. All rights reserved. 37
  • 39. Governance Governance Approach On Policy Development A company policy must contain enough information to carefully reflect your organization’s BCM program. It should include the sections listed below; use the following sample company policy as your guide. • Policy Introduction • Crisis management (continue) • Authority • Employee response & communication for events occurring AFTER business hours • Scope – Crisis calling procedures • Audience – Staff & corporate communications • Governance Policy • Command post – Purpose • Crisis communications • Business recovery plan activation procedures – Scope • Plan distribution – Governance structure business objectives – Business recovery plan – Governance framework (refer to module 2.2) – Testing – Program administration roles & responsibilities • Types – Crisis management roles & responsibilities • Calendar & frequency • Business Continuity Policy Statements (“Thou Shall”) for: • Strategy –Assessment –Assumptions •BIA – Objectives – Success criteria •Critical ratings – Retesting/Post-test activities • Crisis management – Maintenance – Team activation & escalation • Schedule triggers – Damage assessment • Unscheduled triggers – Crisis management plan – Monitoring & reporting • Employee response & communication for events occurring DURING – Training business hours – Awareness – Evacuation & assembly – Crisis calling procedures • Compliance – Staff & corporate communications • Non-compliance • Communication • Technology & Tools Copyright © 2009 Deloitte Development LLC. All rights reserved. 38
  • 40. Governance Governance Approach to Governance Framework A successful business continuity governance model must align the business continuity lifecycle to accountable resources within the organization’s structure. The Governance Framework includes a RACI matrix that assigns cross-functional responsibilities. The following is a sample of the RACI Governance Framework that highlights the value of a RACI matrix: • (R) Responsible – Doing the work • (A) Accountable – The buck stops here • (C) Consulted – Adds input • (I) Informed – Kept abreast of activities Milestone/Task Technologist Business Dept. Business Chief Chief Risk Head Continuity Information Officer Coordinator Officer Identify System R C I A I Outage Assess Situation C I C R A Accept Disaster I R C I A Declaration Invoke Life Safety I I R C A Procedures Copyright © 2009 Deloitte Development LLC. All rights reserved. 39
  • 41. Governance Governance Approach Governance Structure Board of Directors Audit Committee Executive Management Team Business Continuity Human Resources Management Regulatory Agencies Facilities Corporate Business Area Corporate Media Relations Support Team Leaders Information Legal Technology Recovery Risk Mgt. Business Area Continuity Teams Other Copyright © 2009 Deloitte Development LLC. All rights reserved. 40
  • 42. Availability/Recovery Strategies Develop Objective To recommend tactical and strategic solutions to enable the organization to meet availability and recoverability objectives established during the Business Impact Analysis. Recommended alternatives are based on criteria 4Governance developed to be compatible with organization’s risk tolerance. Overview 5Availability/  Compile a list of potential solutions that meet RTO and RPO’s accepted by Recoverability management Strategies  Develop selection criteria and order of importance based on key operational, cost, and risk attributes to assist with the selection approach 6Plans & Documentations  Establish management expectations regarding the level of detail necessary in the alternative definition and costs in order to obtain directional approval  If rapid recovery is not required, relocation, restoration and rebuilding may be appropriate strategies Copyright © 2009 Deloitte Development LLC. All rights reserved. 41
  • 43. Availability/Recovery Strategies Develop Key Considerations  There are no universal solutions when designing availability and recoverability strategies. 4Governance  Consider legal and regulatory requirements, as well as company policies and culture  Consider both the formal organization of a company as well as the informal delegation of authority when defining solutions 5Availability/ Recoverability  Consider operational enhancements that may result from a Strategies solution in addition to its recovery capabilities. For example, if data networks need to be resilient, it may be value added to provide voice network resiliency as well, even if the RTO does not require the same. If both travel over the same physical facilities, 6Plans & Documentations conduits, carriers, frames, etc, the recovery of data communications will allow recovery of voice communications at minimal incremental cost  Eliminate non viable alternatives from consideration as soon as possible Copyright © 2009 Deloitte Development LLC. All rights reserved. 42
  • 44. Availability/Recovery Strategies Availability/Recovery Strategies Practical Approach Business Process Needs based on BIA and Risk Analysis • Strategic Drivers are • Understand strengths Build on the considerations Continuity and limitations of the Strategic Strengths (network, people, etc.) Process current environment Drivers & Reduce to be factored in when Design • Understanding Limitations looking at recovery Business Needs capability from both a risk avoidance and business continuity point of view. • Consolidation and • Leading Business Industry & Leading globalization Executive Practices Market Trends Practices • Increased regulatory scrutiny Alignment • Achieving high-quality • Threat from intentional acts and Buy-In performance based on of terrorism cost-benefit analysis • Reduced tolerance for downtime Recommended Solutions Copyright © 2009 Deloitte Development LLC. All rights reserved. 43
  • 45. Availability/Recovery Strategies The list below describes 15 categories that may require a strategy to recover from a major unplanned disruption. This list is meant to be suggestive rather than exhaustive. • Business Process • Testing and Maintenance • Facility • Training and Awareness • Technical - Desktop • Governance • Technical – Centralized and • Crisis Management Distributed • Third-party • Voice • Life Safety • Data Network • Regulatory • Electronic Data • Vital Hard Copy Records Copyright © 2009 Deloitte Development LLC. All rights reserved. 44
  • 46. Availability/Recovery Strategies Range of Recovery Alternatives for Business Function Availability $$$ Dedicated Facility & Infrastructure Supporting Continuum of Pre-staged Providing Immediate Access to a Replicated Work Environment Availability Strategies Workspace Shared Vendor Facility with Desktop Technology (PC and Voice) Dedicated Facility with Quick Ship for Desktop Technology Cost of Solution Commercial Third Party Offices with Critical IT Work Area Connectivity Dedicated Vendor Shipped Leading Effort Workspace Facility Configured Time of Disaster for Quick Set-up Acquisition Remote Access Mobile Facility Acquisition Time To Functional Availability Seconds Minutes Hours Days Weeks Copyright © 2009 Deloitte Development LLC. All rights reserved. 45
  • 47. Availability/Recovery Strategies Summary Description of Business Function Availability Alternatives Description Relative Cost Recovery Time Floor space: $$$$ Remote Server Clustering with Pre-staged Infrastructure: $$$$ Application Load Balancing and/or Network: $$$$ Zero to 8 Hours Workspace Intelligent Fail-Over Processing Total Cost: $$$$ Floor space: $$$$ Remote Server Clustering with Commercial Infrastructure: $$ Manual Fail-Over Requiring Network: $$$ 4 Hours to 24 Hours Work-area Operator Intervention Total Cost: $$$ Floor space: $$$$ Restoration of Application Dedicated Infrastructure: $ Processing to Pre-Staged Network Network: $$$ 12 Hours to 72 Hours Workspace and Dedicated IS Infrastructure Total Cost: $$$ Floor Space: N/A Restoration of Application Infrastructure: $$$ Remote Access Processing to Pre-Staged Network Network: $$ 4 Hours to 5 Days and Limited IS Infrastructure Total Cost: $$ Floor Space: $$$ Restoration of IS to Pre-Staged Mobile Infrastructure: $$ Facility & Utility. Infrastructure Network: $$ 3 Days to 10 Days Facility Acquired at Time of Disaster Total Cost: $$ Floor Space: N/A Leading Effort At Time of Disaster to Infrastructure: N/A Acquisition Acquire Facility & Infrastructure. Network: N/A 5 Days to 21 Days Data Restored From Tape Backup Total Cost: N/A Copyright © 2009 Deloitte Development LLC. All rights reserved. 46
  • 48. Availability/Recovery Strategies Range of Recovery Alternatives for IT Application Availability $$$ Dedicated Facility & Infrastructure Supporting Continuum of Automatic Automated Fail-Over And Application Load-Balancing Availability Strategies Fail-Over Dedicated Facility & Infrastructure Supporting Manual Fail-Over Pre-Staged Facility, IT Equipment, & Network (shared or dedicated) Cost of Solution Manual Pre-Staged Facility, Utility, & Fail-Over Network, Awaiting Equipment Delivery (shared or dedicated) Hot-Site Facility, Utility, & Leading Effort Environmental Only Time of Disaster Acquisition Warm-Site Cold-Site Acquisition Time To Functional Availability Seconds Minutes Hours Days Weeks Copyright © 2009 Deloitte Development LLC. All rights reserved. 47
  • 49. Availability/Recovery Strategies Summary Description of Availability Alternatives Description Relative Cost Recovery Time Storage: $$$$ Remote Server Clustering with Automatic Hosts: $$$$ Application Load Balancing and/or Network: $$$$ Zero to 60 Minutes Fail-Over Intelligent Fail-Over Processing Facilities: $$$$ Storage: $$$$ Remote Server Clustering with Manual Hosts: $$$$ Manual Fail-Over Requiring Network: $$$ 60 Minutes to 12 Hours Fail-Over Operator Intervention Facilities: $$$$ Storage: $$$ Restoration of Application Hosts: $$$ Hot-Site Processing to Pre-Staged Network Network: $$$ 12 Hours to 72 Hours and Dedicated IS Infrastructure Facilities: $$$ Storage: $$ Restoration of Application Hosts: $$ Warm-Site Processing to Pre-Staged Network Network: $$ 48 Hours to 5 Days and Limited IS Infrastructure Facilities: $$$ Storage: N/A Restoration of IS to Pre-Staged Hosts: N/A Cold-Site Facility & Utility. Infrastructure Network: $ 96 Hours to 14 Days Acquired at Time of Disaster Facilities: $$$ Storage: N/A Leading Effort At Time of Disaster to Hosts: N/A Acquisition Acquire Facility & Infrastructure. Network: N/A 10 Days to 30 Days Data Restored From Tape Backup Facilities: N/A Copyright © 2009 Deloitte Development LLC. All rights reserved. 48
  • 50. Availability/Recovery Strategies Range of Recovery Alternatives for Data Recovery Real-Time Data Volume Mirroring (no data loss) $$$ Continuum of Data Near Real-Time Data Recovery Strategies Replication (with limited data loss) Synchronous Mirroring Remote Data-Base Replication with Electronic Journaling Asynchronous Cost of Solution Transaction Replication Replication To Remote Facility Stand-By Tape Based Bulk Data Transfer Backup & Recovery (time/event driven) Database (daily, weekly, monthly) Remote Journaling Electronic Traditional Vaulting Data Recovery Chronological Point in Time for Data Recovery Days Hour Minutes Seconds Zero s Copyright © 2009 Deloitte Development LLC. All rights reserved. 49
  • 51. Availability/Recovery Strategies Summary Description of Data Recovery Alternatives Description Relative Cost Data Recovery Point Real-Time Remote Storage: $$$$ Hosts: $$$ Synchronous Mirroring Disk Volume Mirroring Network: $$$$ Zero Data Loss (equivalent to remote RAID-1) Tape: N/A Near Real-Time Remote Storage: $$$$ Data Recovery Within Asynchronous Disk Volume Mirroring Hosts: $$$ Seconds to Minutes of Last Replication Network: $$$$ Transaction, Track Change, or or Data Replication Tape: N/A Other Delta Remote Transaction Storage: $$$ Data Recovery Within Stand-By Hosts: $$ Journaling or Vaulting as Seconds or Minutes Database Network: $$$ Applied To a Standing Database Tape: $ of Point of Failure Storage: $$ Data Recovery Within Remote Remote Transaction Data Hosts: $$ Seconds or Minutes Journaling Recovery Near to Point of Failure Network: $$$ Tape: $ of Point of Failure Bulk Data Transfer to Storage: $$ Data Recovery Within Electronic Hosts: $ Remote Tape/Disk as Minutes or Hours Vaulting Network: $$ Triggered By Time or Event Tape: $ of Point of Failure Weekly, Nightly or Intra-Day Storage: $ Data Recovery Within Traditional Hosts: $ Data Backup To Off-Line Tape Media That Hours or Days Network: $ Recovery Is Manually Moved Off-Site Tape: $$ Of Point of Failure Copyright © 2009 Deloitte Development LLC. All rights reserved. 50
  • 52. BCM Plans & Documentation Develop Objective To detail the required people, processes, procedures and infrastructure necessary based on the recovery strategy selection to meet RTO’s and RPO’s developed in the BIA and accepted by management 4Governance Overview  Documented procedures to enable emergency response and recovery teams to understand and perform their recovery tasks 5Availability/ Recoverability  Types of plans include: Strategies – Emergency Response – Business Continuity/IT-DR –Crisis Management 6Plans & Documentations –Pandemic  Plans should be action oriented and provide a level of detail so that individuals less familiar with the task will be able to accomplish it  Plans should include 24 X 7 internal and external contacts to facility timely decision making and recovery Copyright © 2009 Deloitte Development LLC. All rights reserved. 51
  • 53. BCM Plans & Documentation Crisis Management Plan Roles & Responsibilities (RACI Chart) Develop Crisis Command Center Declaration Procedures Event Management 4Governance Problem Resolution Coordination with local/state/federal authorities Communication Plans 5Availability/ Community Response Actions Recoverability Media Coordination and Spokespersons Strategies Damage Assessment Emergency Response Plan Roles & Responsibilities 6Plans & Life Safety Documentations Coordination with First Responders and Local Authorities Disaster Recovery Plan Roles & Responsibilities (RACI Chart) Information Technology Infrastructure Recovery Application Recovery Data Recovery & Synchronization Copyright © 2009 Deloitte Development LLC. All rights reserved. 52
  • 54. BCM Plans & Documentation Develop Business Continuity Plan Roles & Responsibilities (RACI Chart) Procedural Work-Arounds 4Governance Facilities Personnel Support/Replacement Contact Information 5Availability/ Tools Recoverability Strategies Established Word Templates Strohl Systems LDRPS/eBRP/BPSI Notification – Everbridge, Envoy, MIR3, Others 6Plans & Documentations Copyright © 2009 Deloitte Development LLC. All rights reserved. 53
  • 55. BCM Plans & Documentation Develop Key Considerations  Documented plans should be flexible, adaptable and easy to follow, exercise, and maintain 4Governance  Methods of building plans includes • Specialized BCP software application • Document repository system 5Availability/ • MS Word based plan templates Recoverability Strategies  Determine life safety procedures are addressed for employees and visitors  Include communication methods to be use including email, cell 6Plans & phones, pages, radio, etc. Define any tracking tools needed to Documentations document the situation, actions taken and upcoming decision points Copyright © 2009 Deloitte Development LLC. All rights reserved. 54
  • 56. BCM Plans & Documentation Develop Components of a plan include: • Roles & Responsibilities of who executes the plan and what is needed to recover, resume and restore business function • Alternate location to recover critical business processes and shared 4Governance services • Elapsed expected timeframes for business functions to be operational and key milestones for the recovery and business resumption 5Availability/ • Detail tasks and supporting information and procedures for recovery Recoverability • BCP plans will likely have multiple teams with specific roles and Strategies responsibilities. Examples include: – Crisis Management Team – Damage Assessment Team 6Plans & – IT Functional Recovery Teams Documentations – Business Function Teams  Refer to the next page for a description of the response and recovery timeline that plans must address Copyright © 2009 Deloitte Development LLC. All rights reserved. 55
  • 57. BCM Plans & Documentation PHASE 1 PHASE 2 PHASE 3 PHASE 4 PHASE 5 PHASE 6 Emergency Mobilization Environment Application Data-Flow Business Response /Failover to Restoration at Restoration at Restoration Function to Disruption Recovery Site Alternate Site Alternate Site & Recreation Restoration Business Recovery Operations Mobilize Restore Execute Manual Business Workspace Contingency Data Recovery & Manage Work Around Re-Entry & Team Backlog Procedures Validation Re-Synch & Resume Recovery Voice & Data Network EVENT Business Operations IT Recovery Operations Restore IT Validate Recreate Mobilize IT Systems, System & Lost Recovery Applications, Application Transactions Team and Data Integrity & Data Vital Records Backlogged Transactions & Data Recovery Point Recovery Time Copyright © 2009 Deloitte Development LLC. All rights reserved. 56
  • 58. Pandemic Planning The broad preparation strategy leverages ten key components which are critical to sustaining operations during a pandemic crisis including supply chain, distribution and retail. Key Components Key Business Processes Develop policies and processes to maintain operational effectiveness during a pandemic Leadership/Decision Implement a Pandemic Planning and Coordination Unit (PPCU) as part of the existing Business Making Continuity Planning (BCP) function Increase awareness and knowledge about influenza prevention and treatment through clear, Education consistent, medically accurate information Public/Private Develop and maintain valuable partnerships with trading partners and critical stakeholders such as Partnerships unions and public health agencies Communicate the response plan and approach to employees and families, customers, suppliers, Communication and partners Identify organizational and technical infrastructure requirements to minimize the potential disruption Teleworking resulting from a pandemic Identify likely threats in order to decrease the risk of threat occurrence and contain damage Risk and Legal Develop risk mitigation policies and procedures HR Policies & Identify core staff and functions and establish policies and procedures during the pandemic Procedures Review demand, distribution, and production plans and link strategies with key trading partners to Trading Partners determine that critical business processes are maintained Review contracts with health plans and provider networks to determine coverage and provision of Employee Wellness services such as vaccinations and access to medical facilities Copyright © 2009 Deloitte Development LLC. All rights reserved. 57
  • 59. Auditing Module 2 Governance: • Does someone own the program? Is there a steering committee that oversees the overall program? • Do BCM policies and procedures exist? Strategies: • Are the current business and technical strategies that are in place appropriate? Plans: • Do plans exist for critical business functions and applications/infrastructure? • Do they meet recovery timeframe requirements? • Do they include procedures defining what to do in the event of a facility, technology, equipment, personnel, or vendor outage? Copyright © 2009 Deloitte Development LLC. All rights reserved. 58
  • 60. Module 3 IMPLEMENT 59
  • 61. Resource Acquisition & Implementation Implement Objective To provide project management assistance for the 7Resource implementation of BCM infrastructure and processes and Acquisition & the organizational rollout of the overall BCM program Implementation Overview  Provide BCM coordination with the implementation and 8Training rollout of recovery strategies, plans, and ongoing quality confirmation and process improvement 9Testing  Provide a structured approach and guidance for the tracking of multiple project initiatives and coordination for a successful program implementation Copyright © 2009 Deloitte Development LLC. All rights reserved. 60
  • 62. Training & Awareness Implement Objective To develop an ongoing awareness and training program to 7Resource support and improve an organization’s BCM capability. The Acquisition & training and awareness should be integrated with other Implementation company programs and become an integral part of the company’s overall organizational culture. Overview 8Training  BCM awareness and communications should effectively involve and communicate with many key stakeholders in order to successfully support the BCM program 9Testing  Successful BCM program implementation occurs when everyone involved in the process is aware of and enabled to fulfill their BCM responsibilities Copyright © 2009 Deloitte Development LLC. All rights reserved. 61
  • 63. Training & Awareness Implement Key Considerations  Objectives of any awareness communication 7Resource should be: Acquisition & Implementation – Promote the vision and purpose of the BCM program and its benefits to stakeholder groups – Actively enlist, engage, and inform all identified 8Training stakeholders to participate to the level necessary to achieve BCM goals – Build energy and momentum within business 9Testing units to promote and support the BCM program Copyright © 2009 Deloitte Development LLC. All rights reserved. 62
  • 64. Training & Awareness Key Considerations A big picture view of the communications and education strategy: BCM Program Communications & Education Strategy Articulation of a compelling, shared vision and business imperative for BCM communication & Compelling, education Shared Vision Key employees are enabled to perform their BCM roles and responsibilities Stakeholders with authority, Training power and/or influence lead & Performance Power & Politics and visibly support the Support communication & education Business effort Continuity Management Organizational Communications Infrastructure Associates are well- & Engagement & Processes informed about BCM Development of a framework that supports ongoing BCM Measures, communication & Milestones education & Evaluation Establishment of short- and long-term measures of success Copyright © 2009 Deloitte Development LLC. All rights reserved. 63
  • 65. Training & Awareness Training Approach Training Roles and Resources Large global organizations may want to include a formal BCM training program to educate local BCM coordinators and recovery team members. If this is the case, the program may require resources described below: • The training manager is responsible for overseeing overall CPL education and learning effort: – Validate and fine-tuning of training strategy and plan – Develop and managing work plan – Provide direction and leadership around course development and delivery Training – Provide direction and overall leadership around quality review process Manager – Coordinate training the trainers on presentation and facilitation skills, as necessary – Manage and resolving issues as they arise – Recommend approach, tools and standards to support continuous improvement – Managing training budget • Training developers are responsible for creating all course content and related materials for both classroom and computer-based training courses Training – Review existing documentation to identify gaps Developers – Engage business units as required to leverage current training infrastructure and tools – Work with BCM Team to develop course content, training scripts, case studies and exercises – Develop instructional material (instructor / participant), CPL documentation and exercises • Professional trainers facilitate CPL training to assist the BCM team in training delivery • BCM team members support the development of CPL training by serving as SME’s and by serving as co-leads to professional trainers Trainers – Support training developers as required to develop course outlines and instructional materials – Work with trainers to co-lead training – Gather feedback from the CPL community and providing input to the training team through the appropriate channels • The logistics necessary to prepare both training facilities and materials are listed below: Facilities & – Reserve training rooms and setup with proper equipment and connectivity Materials – Order and install all training equipment – Arrange for material reproduction and delivery to the classrooms Copyright © 2009 Deloitte Development LLC. All rights reserved. 64
  • 66. Testing Implement Objective To provide guidance in the development of a broad 7Resource integrated testing program that includes business work-area Acquisition & recovery, data center recovery, and emergency Implementation communications Overview 8Training  Testing is a critical component of BCM in uncovering problems with exist plans for improvements  Involve management goal setting and results reporting to 9Testing help determine problem resolution discovered from testing is corrected  Testing BCM plans regularly is an effective approach to keeping plan information current and in sync with the every changing business needs Copyright © 2009 Deloitte Development LLC. All rights reserved. 65
  • 67. Testing Implement Key Considerations  Develop and/or revise a testing strategy annually or when an organization experiences a major business change. The testing process provides a 7Resource roadmap describing the methods and frequency of test execution during the Acquisition & next 12 month period including specific test dates, key success criteria, and Implementation establish responsibilities for leading test planning and execution activities  Often test time with commercial recovery vendors must be scheduled at least twelve months in advance  Adopt a testing approach that designs and executes tests consistent with 8Training actual recovery during an actual interruption  It is critical that a test does not create a major disruption to ongoing business activities  A formal review should be conducted after all tests to share lessons learned 9Testing and to develop an action plan for plan improvement Copyright © 2009 Deloitte Development LLC. All rights reserved. 66
  • 68. Testing Testing Approach Implement There are four types of tests outlined, they 7Resource are: Acquisition & Implementation • Work-Area Recovery • Data Center Recovery Test Test 8Training • Emergency • Table-Top Walk- Communications Test Through Test 9Testing Copyright © 2009 Deloitte Development LLC. All rights reserved. 67
  • 69. Continuous Improvement/QA Objective To develop an ongoing process to enable an organization to maintain and constantly improve their BCM program with procedures to support a goal of “Zero Defects” Overview Analyze Develop Implement • A business continuity plan is bound to have defects after its initial implementation (e.g., issues overlooked or unknown during plan 1Current State 4Governance 7Resource Acquisition & Assessment development, to shortcomings that only Implementation become apparent after testing, to business and technology changes that occurred 5Availability/ 2Risk since the plan was first drafted and to Assessment Recoverability 8Training Strategies common misunderstandings introduced into every development process). 3Business • The purpose of continuous improvement Impact 6Plans & Documentations 9Testing Analysis and quality assurance is to identify and rectify defects, and identify and implement 10Continuous Improvement & Quality Assurance process improvements in the BCM program # Refers to it’s respective module which this training is organized Copyright © 2009 Deloitte Development LLC. All rights reserved. 68
  • 70. Continuous Improvement/QA Key Considerations Determine if internal or external auditors, risk management, or if any independent groups have performed an assessment or gap analysis of the organization’s BCM program. Gather data and determine the status of recommendations for corrective action There are four major components for consideration in a continuous improvement and quality assurance program:  Continuous Improvement – A process instituted by the organization’s BCM program to recognize areas in which business continuity plans, tools, procedures or any other aspect of the program require enhancement and to make the necessary changes  Root Cause Analysis – A process by which shortcomings are noted and the underlying reasons for the defects are identified and rectified  Quality Assurance – A process performed by an entity independent of the BCM program to determine that standards are followed and that the plans, tools, etc not only remain effective, but improve over time. Improvement in this case may mean shortened RTO’s, less latency in RPO’s, timelier updates to plans, a greater number of business functions included in the plan, etc.  Change Management – A process involving many sectors of the organization’s operations in which changes to the business are reflected in the plan and changes in Copyright © 2009 Deloitte Development LLC. All rights reserved. the organization’s normal business operations the plan are reflected in 69
  • 71. Auditing Module 3 Training: • Does a training program exist and how often do training sessions occur? • Are key personnel included in the training sessions? Testing: • Does a testing strategy exist? • Are all CM, ER, critical BCPs and IT-DR plans tested? • Do testing plans exist? • Are results from the tests documented and if so, are the results reflected in the plans? Continuous Maintenance/QA: • What sort of maintenance and change control procedures are in place? • Are all aspects of the program updated on a regular basis? Copyright © 2009 Deloitte Development LLC. All rights reserved. 70
  • 72. ISSUES 71
  • 73. Top issues we have identified 1. Reliance: Relying on a BCM plan can lead to a false sense of security and potential business failure if the plan is not updated regularly and fully tested. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan's provisions. 2. Scope: Companies often limit the scope of their efforts to systems recovery. Business continuity planning requires consideration of both business process and systems recovery. 3. Prioritization: A formal process prioritizing key business processes is a critical step that often does not get its due attention by senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival. 4. Plan Update: Formal mechanisms are not in place to force a plan update on a regular basis or when significant systems or business process change occurs. 5. Ownership: Senior management often appoints the wrong person to manage the BCM process; someone with the power to lead, influence, support, prioritize, and organize the project should be named. 6. Communications: Communications issues are often overlooked. Formal plans to contact employees, vendors, business partners, and clients often lack specific communications strategies. Strategies to address how these groups obtain recovery status updates is often inadequate. 7. Security: Information systems security controls are often disregarded during plan development, resulting in a greater risk exposure during recovery operations. 8. Public Relations: Practitioners often fail to plan for public relations and investor considerations, therefore missing the opportunity to limit perceived impact by the public and investors. 9. Insurance: Many BCMs fail to adequately plan to support the filing of insurance claims resulting in delayed or reduced settlements. 10. Service Evaluation: Many companies poorly evaluate recovery products (hot site, cold site, and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company's needs. Copyright © 2009 Deloitte Development LLC. All rights reserved. 72
  • 74. Helpful sites • The Institute of Internal Auditors (IIA) guidance/ippf/practice-guides/gtag/gtag10/ • Disaster Recovery Institute International (DRII) • Business Continuity Insights (BCI) • National Fire Protection Association September 25 - 27, Presented by: 73 Copyright © 2009 Deloitte Development LLC. All rights reserved. 73 2006
  • 75. Q&A Copyright © 2009 Deloitte Development LLC. All rights reserved. 74
  • 76. Contact information M.J. Vaidya, Senior Manager, CISSP Deloitte & Touche LLP Email: Phone: 516-445-9434 Copyright © 2009 Deloitte Development LLC. All rights reserved. 75
  • 77. This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. Copyright © 2009 Deloitte Development LLC. All rights reserved. 76