Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal
In light of the hurricane coming up the east coast of the U.S., Grant Thornton has a holistic approach to business continuity and disaster preparedness.

Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal Presentation Transcript

  • 1. Grant Thornton, LLP. Business Continuity Planning (BCP) methodology. August 2011. Danny Miller, CISA, CRISC, ITIL, QSA. © Grant Thornton LLP. All rights reserved.
  • 2. Table of contents (slide navigation bar: Table of contents | Our understanding of Organization interest | Basic concepts for BCP | Scope and Approach | Value to Organization | Contact)
    • Introductions and initial discussion
    • Our Understanding of your interest
    • Basic concepts for BCP
    • Scope and Approach for a BCP exercise
    • Value to the organization
  • 3. Grant Thornton's Business Continuity Planning Scope and Approach (Our Understanding of Interest). Roles by phase:
    Phase 1, Risk Assessment
    − Grant Thornton: perform or evaluate the Risk Assessment (BIA); develop a short-list of possible vendors
    − Organization: work with GT on either updating the existing BIA or identifying risks and assets for the BIA
    Phase 2, Develop Business Continuity Plan (BCP)
    − Grant Thornton: develop requirements with Organization leadership; develop the RFP and issue it to the short-list of providers
    − Vendor: receive the RFP, attend bidders' meetings, go through the development process, issue the RFP response, meet to prove the build-out response to the GT/Organization team; the winning vendor develops the BCP
    Phase 3, Validate BCP
    − Grant Thornton: observe testing of the BCP, provide oversight, evaluate test results
    − Vendor: develop test scripts, conduct the test (multi-level), develop and implement the BCP across all locations with walkthroughs with stakeholders, and update the BCP based on results
    Phase 4, Post-Implementation
    − Grant Thornton: review and give feedback on the training and awareness program
    − Vendor & Organization: develop and roll out the employee awareness program and conduct training of emergency and key personnel
  • 4. Our understanding of Organization interest
    • BCP Objectives
      − Concepts
      − Vulnerability and Risk Analysis
      − Business Impact Analysis (BIA)
      − Build-up of Business Continuity
    • How a BCP project works (with options)
  • 5. Business Continuity Management (BCM) Defined. Business Continuity Management is the development of strategies, plans, and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning
  • 6. Components of Business Continuity Management
    • Crisis Management
      – Governance/ownership
      – Organizational structure
      – Human Factor
    • Business Resumption Planning
      – Business Impact Analysis
      – Tested, documented procedures
      – Communications Processes
    • IT Disaster Recovery Planning
      – Emergency Operations Center
      – Alternate Processing Facility
  • 7. Business Continuity Management Governance structure. A BCM Steering Committee sits at the top; Business Continuity Management requirements need to include both business and IT.
    • Business Requirements: RTO (recovery time objective, the maximum tolerable downtime), RPO (recovery point objective, the maximum tolerable data loss measured in time)
    • IT Requirements: application redundancy, infrastructure redundancy
  • 8. Business Resumption Planning: Business Impact Analysis. BIA Defined • The careful, holistic study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations. The "BCP Blue Print" • If performed correctly, the BIA is the business continuity plan (BCP) blueprint. It establishes the business case for spending scarce funding on a process traditionally viewed as a glorified insurance policy.
  • 9. Business Resumption Planning: Business Impact Analysis (cont.). The relationship between the BIA and the enterprise (organization)-wide risk assessment:
    • Now more than ever, the BIA and the enterprise-wide risk assessment are tied together.
    • One can't be done without the other.
    • Also, the BIA is no longer limited to the internal workings of an organization, but extends to the extended enterprise, meaning customers and suppliers are now included.
  • 10. Business Impact Analysis: Potential impacts, significance and likelihood
    • The Analysis of Risk, as part of the BIA, determines the loss potential and other tangible and intangible impacts to the organization
    • Taking into account:
      − Key functions
      − Personnel and other resources
      − Technology
      − Regulations
      − Service level agreements (SLAs), internal dependencies and third-party interdependencies
      − Emergency hotline lists (doctors, medical assistance, medical transportation, etc.)
      − Backup facilities (hospitals, clinics, etc.)
      − Community notification procedures
      − Internal/external communications strategies and implementation mechanisms
  • 11. Business Impact Analysis: The analysis of risk. Analysis of Risk defined:
    • Continuous process of estimating the likelihood of potential events and their impact on the organization
      − Terms used:
      − Likelihood → probability
      − Impact → $$
  • 12. Business Impact Analysis: Categories of risk
    • Strategic
    • Operational
    • Market
    • Regulatory
    • Contractual Relationship
    • HR
    • Reputation
    • Environmental
    • Man-made Risks (Accidental & Intentional)
    • Business Process-related Risk
    • Single Points of Failure
    • Supply Chain
    • Information Technology Availability Risks
  • 13. Business Impact Analysis: Potential impacts
    • Loss of Human Life
    • Opportunity Costs
    • Idle Workforce and Resources
    • Regulatory Noncompliance
    • Financial Loss
    • Reputation Impairment
    • EHS Impairment (OSHA)
    • Loss of Market Share
    • Work Stoppage
    • Cash Flow Interruption
    • Financial Control/Reporting
    • Customer Service
    • Vendor Relations
    • Employee Morale/Retention
    • Market Reaction
    • Contractual Default
  • 14. Typical approach to conducting the BIA
    • Work through a Steering Committee
    • Identify what the deliverables should look like and the desired content
    • Develop an initial scope
    • Identify process-level subject matter experts (including care experts)
    • Develop a fact-gathering plan
    • Summarize findings
    • Conduct analysis and develop conclusions
    • Validate findings with subject matter experts
    • Present validated findings to executive management for buy-in
    • Transition to strategy development
  • 15. Framework for successful Business Impact Assessment. A Business Impact Analysis structure leverages the same process model as project management. The BIA structure includes an integration component to manage inter-dependencies, key milestones and key deliverables related to the requirements. (Figure: nine process components) 1 Project Initiation; 2 Project Plan Management; 3 Risk & Issue Management; 4 Change Management; 5 Reporting & Communication; 6 Project Administration; 7 Quality Management; 8 Financial Management; 9 Integration Management.
  • 16. Framework for successful Business Impact Assessment (cont.). BCM Managers need to look at and address the points below, to ensure quality of service to customers:
    • Prolonged disruption of service from multiple failure scenarios is a tangible risk in today's business and health care environments crawling with unforeseen threats.
    • Safety and security of employees and clients (patients) are at higher risk.
    • Service contracts these days essentially address business continuity SLAs, and it benefits both parties in that it lays down expectations clearly if a disaster strikes.
    • With increased outsourcing, customers take no compromise on security and continuity.
    • Laws and regulations have now come into force clearly holding business leaders / vendors responsible for ensuring demonstrable continuity planning.
    • Legal and standards requirements of clients' (patients') domains
  • 17. Framework for successful Business Impact Assessment (cont.). Developing a BIA facilitates balancing business requirements, resource utilization (cost) and targeted results to keep the business running. (Figure: Requirements / Cost / Results)
    • aligned business and technology objectives
    • repeatable standards, processes and tools
    • achieved customer and management expectations
    • maintained budget
    • maximized technology investment
  • 18. Strategies for achieving BIA value
    • Align IT with the business (BT): understand how IT systems and activities support BCM processes and priorities (includes equipment and technology that is used for patients)
    • Innovate: identify and implement solutions to support and enable BCM
    • Ensure information system availability and business continuity, security and integrity: policies, procedures, standards, redundancy, monitoring, training
    • Assess, address and communicate risks: assess and address IT risks to achieving BCM
    • Support compliance: integrate IT into the compliance process and leverage it to optimize
  • 19. Compliance Requirements – Cost Drivers
    • National Fire Protection Association (NFPA)
    • NFPA 1600 – Standard on Disaster, Emergency Management and Business Continuity Programs
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Federal Financial Institutions Examination Council (FFIEC)
    • Occupational Safety & Health Administration (OSHA)
    • Foreign Corrupt Practices Act (FCPA)
    • Federal Energy Regulatory Commission (FERC)
    • US Securities and Exchange Commission (SEC)
    • International Organization for Standardization (ISO)
    • QS 9000 – Quality Systems Handbook
    • State Insurance Departments
  • 20. Why do BCP initiatives fail? Mainly because the approach and conclusions fail to meet management expectations. Here are some of the more common criticisms.
    • "The results are too high level"
    • "Those numbers can't be right"
    • "You assumed the worst-case scenario"
    • "Weak approach"
    • "Yeah, but it depends…"
    • "That part of the business isn't that critical - they're just trying to justify their jobs!"
    • "You collected the wrong information from the wrong person"
  • 21. Framework for successful Business Continuity Management. Enhancing BCM value through robust business requirements aligned with technology capabilities requires a holistic, integrated approach built on the following balanced framework:
    • Governance requires:
      - Active engagement to promote ownership
      - Business partnering to align strategy and mobilize energy
      - Formal process to drive consistency, credibility, and accountability
    • Methodology must support:
      - Business Impact Assessment approach across the enterprise
      - Investment management focused on the results
      - Multi-dimensional change management
    • Measurement supports decision-making:
      - Assessing business and financial value
      - Monitoring the plan
  • 22. Grant Thornton's Business Continuity Planning Scope and Approach. Grant Thornton uses a four-phase approach to develop a Business Continuity Plan: Risk Assessment → Develop Business Continuity Plan (BCP) → Validate BCP → Post-Implementation
  • 23. Grant Thornton's Business Continuity Planning Scope and Approach. Phase I: Risk assessment. Phase I consists of the following three categories:
    a. Perform Project Initiation and Management
    b. Perform Threat Analysis
    c. Perform Business Impact Analysis
    Phase I (a) – Perform Project Initiation & Management. During this stage, a project manager and representatives to the Business Continuity project are named; an outline of personnel and resource requirements for the project is also identified. Appropriate project initiation and management are critical to business continuity planning success.
  • 24. Phase I: Risk assessment. Phase I (b) – Perform Threat Analysis. During the Threat Analysis, a business criticality assessment is performed to identify the key business processes and IT infrastructure of the company. A threat probability assessment is performed to identify the events and environmental surroundings that can adversely affect the organization and its facilities, with or without disruption and/or disaster. The likelihood of occurrence for each event is identified, along with the damage such events can cause. The controls needed to prevent or minimize the effects of potential loss are also identified. A gap analysis is performed to determine if measures currently in place are adequate to mitigate the identified risks.
  • 25. Phase I: Risk assessment. (Figure: Threat Analysis steps) Identify Key Business Processes; Identify Key IT Infrastructure; Perform Threat Probability Assessment; Perform Gap Analysis.
  • 26. Phase I: Risk assessment. (Figure: Business Impact Analysis steps) Determine Criticality of Business Units; Determine Criticality of IT Infrastructure Components; Determine Business Unit Recovery Priorities; Determine Application Recovery Priorities; Identify Critical Partners and Vendors; Document Processes in Flow Charts.
  • 27. Phase I: Risk assessment deliverables
    • Develop project timeline
    • Facilitate monthly checkpoint meetings with team members
    • Provide meeting notes, including action items, issues and recommendations
    • Create Risk Assessment and Impact Analysis Report, including:
      – confirmed and prioritized list, in matrix form, of the in-scope processes, risk priority and acceptable outage criteria communicated by the team
      – identification of responsible parties and supporting systems
      – documentation of the potential impact to the business of uncontrolled, non-specific disruption events on the business processes and customers, based on information provided by management
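The Phase I deliverable above (a prioritized matrix of in-scope processes with risk priority and acceptable outage criteria) is the point where slide 11's "likelihood → probability, impact → $$" and slide 24's gap analysis become a concrete worksheet. The following is an added example written for this page, not Grant Thornton's tooling or method: it scores each process as probability × dollar impact (annual loss expectancy), places it on a 3×3 likelihood/impact matrix, and compares the business's RTO/RPO against what IT can deliver today. Every process name, probability, dollar figure, RTO/RPO value and capability figure is constructed illustration data, and the band thresholds are assumptions a real engagement would set with the Steering Committee.

```python
"""Constructed business impact analysis (BIA) worksheet.

Added example, not Grant Thornton's tooling: ranks in-scope processes by
expected loss (likelihood x impact), rates them on a 3x3 matrix, and checks
today's recovery capability against each process's RTO/RPO (gap analysis).
All processes, probabilities, dollar figures and hours below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRisk:
    name: str
    annual_probability: float      # likelihood of a disruptive event in a year (0..1)
    impact_per_hour: float         # dollars lost per hour of outage
    expected_outage_hours: float   # typical outage length for that event
    rto_hours: float               # recovery time objective (acceptable outage)
    rpo_hours: float               # recovery point objective (acceptable data loss)
    current_recovery_hours: float  # what IT can actually deliver today
    backup_interval_hours: float   # how often data is captured today
    safety_critical: bool = False  # disruption endangers people, not just dollars

    def single_loss_expectancy(self) -> float:
        """Dollar impact of one occurrence of the disruption."""
        return self.impact_per_hour * self.expected_outage_hours

    def annual_loss_expectancy(self) -> float:
        """Likelihood (probability) x impact ($), per year."""
        return self.annual_probability * self.single_loss_expectancy()

    def score(self) -> int:
        """3x3 matrix score: likelihood band (1-3) x impact band (1-3).
        Safety-critical processes are pinned to the top regardless of dollars,
        because loss of life cannot be priced into the ALE. Band thresholds
        are assumed values for this example."""
        if self.safety_critical:
            return 9
        p = self.annual_probability
        likelihood = 3 if p >= 0.5 else 2 if p >= 0.1 else 1
        sle = self.single_loss_expectancy()
        impact = 3 if sle >= 1_000_000 else 2 if sle >= 100_000 else 1
        return likelihood * impact

    def priority(self) -> str:
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

    def gaps(self) -> list[str]:
        """Where today's capability fails the business requirement."""
        found = []
        if self.current_recovery_hours > self.rto_hours:
            found.append(f"RTO gap: recover in {self.current_recovery_hours}h, need {self.rto_hours}h")
        if self.backup_interval_hours > self.rpo_hours:
            found.append(f"RPO gap: backups every {self.backup_interval_hours}h, need {self.rpo_hours}h")
        return found


def prioritize(processes: list[ProcessRisk]) -> list[ProcessRisk]:
    """Highest matrix score first; ties broken by annual loss expectancy."""
    return sorted(processes, key=lambda p: (p.score(), p.annual_loss_expectancy()), reverse=True)


def risk_matrix(processes: list[ProcessRisk]) -> list[dict]:
    """The 'prioritized list, in matrix form' deliverable: one row per process."""
    return [
        {
            "process": p.name,
            "priority": p.priority(),
            "ale_usd": round(p.annual_loss_expectancy(), 2),
            "rto_hours": p.rto_hours,   # the acceptable outage criterion
            "rpo_hours": p.rpo_hours,
            "gaps": p.gaps(),
        }
        for p in prioritize(processes)
    ]


# Constructed sample processes (illustration only).
ORDER_ENTRY = ProcessRisk("Order entry", 0.2, 50_000, 8, rto_hours=4, rpo_hours=1,
                          current_recovery_hours=24, backup_interval_hours=24)
PAYROLL = ProcessRisk("Payroll", 0.1, 5_000, 48, rto_hours=72, rpo_hours=24,
                      current_recovery_hours=24, backup_interval_hours=24)
PATIENT_RECORDS = ProcessRisk("Patient records", 0.05, 20_000, 12, rto_hours=2, rpo_hours=0.25,
                              current_recovery_hours=4, backup_interval_hours=0.25,
                              safety_critical=True)
SAMPLE = [ORDER_ENTRY, PAYROLL, PATIENT_RECORDS]

if __name__ == "__main__":
    for row in risk_matrix(SAMPLE):
        print(row)
```

Two design points worth noting. First, the dollar-based ALE alone would rank "Patient records" last, which is exactly the "those numbers can't be right" reaction slide 20 warns about; the `safety_critical` override reflects slide 13's "Loss of Human Life" impact, which no hourly rate captures. Second, the gap check is what turns a BIA into a funding case: "Order entry" shows both an RTO and an RPO gap (24-hour recovery and daily backups against a 4-hour RTO and 1-hour RPO), so the report can state the specific capability the budget buys rather than a generic insurance argument.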
  • 28. Phase II: Develop business continuity plan. Phase II – Develop Business Continuity Plan. Phase II includes developing the business continuity plan based on management's approval of the potential recovery strategies.
    • Communications plans are established for employees, clients, suppliers, owners/stockholders and any local/state/federal government organizations.
    • The project team develops specific recovery procedures and names members to each recovery team.
    • Public relations mechanisms and crisis communications structures are implemented.
  • 29. Phase II: Develop business continuity plan. Phase II – Develop Business Continuity Plan (OPTION A continued). Phase II includes creating an avoidance and mitigation strategy to resume business operations and to recover vital physical records that are not part of IT. At this point, business resumption requirements should be documented, as should the resumption organization: the location of the command center, recovery responsibilities and the communication process to follow if a disaster occurs. We would seek to provide different scenarios, such as working with Organization management to arrive at alternate site locations for events and other strategic decision-making on a site-by-site basis. The business resumption organization is combined with the threat analysis, business impact analysis, disaster recovery plan, avoidance/mitigation strategy and vital record recovery strategy to construct the business continuity plan.
  • 30. Phase II: Develop BCP deliverables
    • Conduct checkpoint meetings with team members
    • Create Business Continuity Plan, including:
      – trigger events and conditions for activating the BCP
      – list of key personnel necessary to recover and sustain a function
      – description of advance activities required for business recovery readiness
      – plan for internal and external communications, as needed
      – description of outsourcing alternatives, as needed
      – instructions to activate the BCP and resume normal operations upon disruption resolution, including activities, responsibilities, timeframe and required resources
  • 31. Phase III: Validate business continuity plan. Phase III – Validate the Business Continuity Plan. Phase III should include separate walkthroughs of the BCP with key stakeholders (tabletop exercise) to identify potential issues in plan design/workability, missing documentation, training requirements, etc.
  • 32. Phase III: Validate business continuity plan deliverables
    • Conduct ongoing checkpoint meetings with team members
    • Create Business Continuity Plan Test Scripts for each business process
    • Perform walkthroughs with stakeholders
    • Update BCP document with changes
  • 33. Phase IV: Post-implementation. Phase IV – Post-Implementation. Phase IV establishes provisions to build employee awareness and train emergency response & recovery personnel. Business continuity plans are living documents that are tested annually – or whenever significant business process changes occur – to determine the adequacy of strategies, and are updated as needed.
  • 34. Value to Organization: Value drivers
    • Ensuring the safety and care of clients
    • Quicker recovery from operational failure
    • Rapid reaction to environmental threats
    • Reduced risk of missed commitments to product donors and other stakeholders
    • Greater resiliency and recoverability of the existing business and technology environment
  • 35. Value to Organization: Grant Thornton Value Proposition
    • Strong business, IT and operational knowledge leveraged to identify critical processes and develop corresponding continuity strategies.
    • A business continuity process designed to manage the safety and care of clients in the event of incident, financial loss, and reputation impairment risk through the use of a proven planning approach; the end result is staying in the market and protecting the brand.
    • A planning process that efficiently leverages internal resources, freeing employees to focus on their primary jobs.
    • A planning philosophy grounded in a mature knowledge transfer process, designed to enable our clients to effectively manage business continuity internally without significant additional overhead.
  • 36. Experience in Performing BCP/DR work
    • Manufacturing companies of various sizes, including regional
    • Healthcare organizations in the NE region
    • Asset management firms with multiple operating locations/branches in NY and Boston
    • Government consulting firm focused on defense contracts in the DC area
    • Apparel manufacturer, designer, importer and distributor with a global footprint
    • Real estate property owner/manager based in NYC, NJ and Long Island
  • 37. Contact information: Danny Miller, T: 215.376.6010, E: Danny.Miller@us.gt.com