2. 2
Presentation Outline
ISO Principles of Risk Management
Disaster Recovery vs. Business Continuity
Unexpected Events
Business Continuity and Risk Avoidance
Planning and Management
Break
Development, Implementation and Exercise
Return on Investment
Business Continuity as an Operational Process
3. 3
ISO Principles of Risk Management
Should create value
Must be an integral part of organizational processes
Must be part of decision making
Should explicitly address uncertainty and assumptions
Is systematic and structured
Should be based on the best available information
Should be customizable
Takes into account human factors
Is transparent and inclusive
Is dynamic, iterative and responsive to change
Is continually improved and enhanced
Must be continually or periodically re-assessed
5. 5
Disaster Recovery vs. Business
Continuity
Disaster Recovery
The processes involved in restoring a business to normal
operation after its operations have been partially or
completely interrupted by some event
Business Continuity Planning
Planning to keep your business operating through an
unexpected event
Business Continuity Management
Managing the sustaining key business components,
bridging the event
Discussion
6. 6
Is Business Continuity Planning
Necessary?
Compelling Factors
Regulatory requirements
Competitive requirements
Customer impact
Investor impact
Potential litigation
Does Company Size Matter?
Is BCP for large companies only?
Bottom Line
Keep business functioning and
Protect Company assets (human, IP, infrastructure)
8. 8
What Constitutes a Disaster or
Business Continuity Interruption?
Catastrophic Events
Location destroyed
Distribution center destroyed
Headquarters destroyed
Event Rising From:
Supply Chain disruption
Smoke/Fire
Cyber attack
Terrorism
Earthquake
Affects of nearby disaster (RR tanker derails; Fukushima)
Social disturbance (people are hurt and facility is crime scene)
Be careful of playing the odds
Virginia’s last earthquake: over 100 years ago; until August,
2011
9. 9
Example Disruption Scenarios
Level 1 — Loss of secondary function
Loss of SaaS provider (Outsourced Accounting
System)
Level 2 — Technology offline
Loss of local computing environment
Level 3 — Distribution network impact
Loss of warehouse (physical goods)
Level 4 — Regional command and control
Loss of entire division
Level 5 — Disaster
Loss of entire company
$$$$
$
Cost
11. 11
Business Continuity
Overview
Business initiative, not an Information Technology
initiative
Must keep key revenue streams operating
Need a vulnerabilities list (highest to lowest)
Risk avoidance
Total Risk Avoidance
Replicated facility (higher cost)
Minimal Risk Avoidance
Essential operational systems (lower cost)
Balancing act
13. 13
List Vulnerabilities
Remember S.W.O.T. analysis
Strengths — your Company may have an effective
logistics network that can sustain loss of a warehouse
with little or no impact to continuing operations
Weaknesses — list areas where the Company is most
vulnerable to interruptions ordered by business impact
Opportunities — you may be able to consolidate
operations for the short term, or take advantage of
unused space in a lesser-used building in the event of
facility loss
Threats — including those listed under Example
Disruptive Scenarios, natural disasters (floods,
hurricanes, tornados, earthquakes), etc.
14. 14
Other Vulnerability Assessment Tools
Brainstorming
Questionnaires
Business studies assessing
both internal and external
factors which can influence
operations
Industry benchmarking
Scenario analysis
Risk assessment workshops
Incident investigation
Auditing and inspection
HAZOP (Hazard &
Operability Studies)
Dependency modeling
Event tree analysis
Real Option Modeling
(Valuation)
Decision making under
conditions of risk and
uncertainty
Measures of central
tendency and dispersion
(descriptive statistics)
PEST (Political, Economic,
Social,Technological)
analysis
Risk Identification Risk Analysis
15. 15
Total Risk Avoidance
How much is too much?
Total Replication of all operational systems
Example U.S. Postal Service (two of five Data Centers)
Discussion.
Internet
San Mateo
Data Center
Eagan
Data Center
Copied to
Eagan
Copied to
San Mateo
16. 16
Minimal Risk Avoidance
Essential
Systems
Payroll (time clocks)
Inventory and Order
Management
E-mail
(communication)
5 Business Days
A/R
A/P
Shipping
Is this right?
Accounts
Receivable
Payroll
Accounts
Payable
Inventory and
Order
Management
Shipping
E-mail
Business Functions Essential 5 Business Days
Payroll
Inventory and
Order
Management
Shipping
E-mail
Accounts
Receivable
Accounts
Payable
17. 17
Balancing Act
Objective: Determine What You Need
Total Risk Avoidance
Fully Redundant Systems and Operations
Facilities
Inventory
Shipping/Receiving
Minimal Risk Avoidance
Select functions deemed essential
Some disruption in service is acceptable
Discussion
19. 19
Managing the Risk
High-level planning
Develop the plan and publish it
Implementation and exercise
When is the plan considered complete?
20. 20
Getting Started: Objectives
Your Company’s Business Continuity and Needs
Define what business continuity means for your company
Determine what you need in order to maintain it
Take nothing for granted
Review all operational concerns
Review both internal and external factors
Discovery process budget
Determine a rough order of magnitude budget for the
discovery process
Fund it
Discussion: how can this be done?
21. 21
High-level Planning
Engage management and build the BCP team
CEO, COO, CFO, CIO
Name business and technology leaders as BCP
stakeholders
Create a standard Charter for the project
Make it an Enterprise project
Agree on a single individual as the owner with an
understudy
Assign a project manager
Isolate Continuity targets
Essential business functions (use a risk matrix)
Scrutinize pitfalls/darlings/issues
22. 22
Project Charter
A Project Charter:
Lists reasons for undertaking the project
Solidifies objectives and constraints of the project
Provides directions concerning the solution
Gives names and titles of the main stakeholders
Enumerates in-scope and out-of-scope items
Dictates as a high-level risk management plan
Serves as a communication plan
Targets project benefits
Authorizes high-level budget
and spending authority
Project Charters are used to:
Authorize a project
Aid with resource
management
Focus overall scope
23. 23
Risk Matrix Example
Threat Probability (P) Impact (I) Risk = P x I
Hurricane 80% 1 80%
Flooding – Internal 80% 1 80%
Severe Storms 25% 1 25%
Flooding – External 80% 0.2 16%
Wind Storm 10% 1 10%
Tornado 10% 1 10%
Terrorism 10% 1 10%
Fire – Internal 10% 1 10%
Fire – External 10% 1 10%
Earthquake 1% 1 1%
Helps isolate potential interruptions in service
Link this to affected operations service continuity
plan
Backup site for Coastal
Office Operations
Temporary Relocation
for Key (or all) Staff
Coastal Operations BCP
Rebuild/Repair
Return to Normal
Operation
24. 24
Plan Components
Establish objectives for the plan. Examples include:
Run payroll within 24 hours of event
Ship product within 48 hours of the event
Essential personnel
List personnel required for managing the processes
List backup personnel, in the event the primary personnel
are directly affected by the event
Calendar/Timeline
Create a calendar to pinpoint specific timing of actions
List important dates such as payroll, monthly close, and
other recurring events that can influence the required
availability
25. 25
Systems Recovery
What systems are crucial to maintain continuity?
Payroll and time clocks?
Inventory and Order management?
Shipping and Receiving?
Email?
All of the above?
Be careful of purportedly autonomous systems
Question from the shipping manager:
“Since FedEx has supplied my shipping stations, and they are
able to print shipping manifests, is it okay to go ahead and ship
product even if the inventory and fulfillment systems are
offline?”
Do you think it’s
okay?
26. 26
Data Recovery
Differences between System and Data Recovery
Systems are the substrate that manage and present data
Data carries the information
Data Recovery Point Objective
How old is the data that can be recovered?
Where is the backup stored? Offsite, or still on-site?
When was the last validation that data could be
recovered?
Data Recovery Time Objective
How long will it take to recover?
Will data be recovered to the point just prior to the event?
What about data that is lost?
29. 29
Develop the Overall Plan
Stakeholders
List their area’s essential business functions
List alternatives for each business function in a matrix
Plan for functions without immediate alternatives
Assess alternatives for strategic functions
Example: if a warehouse goes offline, can product ship from
other warehouses? Include the estimated cost difference.
Document a process flow for decision-making and
emergency response.
Ensure everyone knows who is in charge
Establish a single-point of contact for media relations and
ensure all responses are funneled through them
Do not depend on making good decisions inside the tornado
30. 30
Develop the Execution Plan
Formulate Business Continuity Management Plan
Assign point individuals to manage specific areas of
operation
Ensure everyone has a backup
Establish action plans for:
Running day-to-day operations
Contacting insurance companies and managing
distributions
Recovering from the interruption. Include vendors to
source product, infrastructure and services
Crisis communications to keep staff updated as changes
occur
31. 31
Implementation and Exercise
Train for the exercise:
Notify participants of it,
Stage it, and
Implement it!
Implement it in stages:
First , work out what you thought would happen
Adjust the plan based on what actually happens
Common misconception: you can’t exercise everything in the
plan
Yes, you can
You may choose not to, because of disruption or cost
Choose a cycle for exercise, and stick to it.
Minimal: annual (has drawbacks)
Optimal: quarterly
Super-optimal: continual (may apply to specific processes only)
No plan survives the battle
field.
— Helmuth von Moltke
32. 32
When is the Plan Considered Complete?
Never
Business Continuity is not a Project
It’s a program
It’s an operational process
It’s a strategy
It exists as long as your business does
Each exercise should reflect an updated plan
Exercising the plan is like putting on a play
Remember your lines
Discussion
34. 34
Quote #1
A Grudge Buy or Providing ROI?
“The fact that most organizations are
unlikely to ever use the full extent of the
services they have paid for has, in the past,
made disaster [recovery] something of a
‘grudge buy’ and not something that most
companies are eager to spend money on.”
ITWEB
September 25, 2001
35. 35
Quote #2
Probability or Availability?
“…the probabilities associated by corporate
management with the occurrence of most
disasters are so low that the expected value
of most disaster recovery programs does not
begin to cover the costs required to
implement
(or purchase) them.”
William Cappelli
Disaster Recovery Program Costing: The Missing Element
from GIGA
January 22, 1998
36. 36
Quote #3
Bottom Line or Bottomless Pit?
“Recovery services don’t add anything to the
bottom line, but the consequences of not
having a plan in place can be disastrous.”
Dave Linacre
Managing Director
IBM Business Continuity and Recovery Services
37. 37
Reasons ROI Is Not Calculated
Difficulties in making the calculation
Not a financial decision
Lack of commitment to the process
Not an important issue
Bottom Line:
Should it take a disaster to recover your investment?
38. 38
Calculating Return on Investment
Calculated on projects with fixed costs and an end
date
Business Continuity starts as a project, but becomes an
on-going operational program
Cost vs. Time to Ownership: hard to calculate
The project has high development costs up-front
The project’s long tail never ends (constant updates as new
systems and changes to business processes occur)
Value Perspective: possible to calculate
Complex calculation (host of factors including loss of
productivity)
Moderate calculation (risk register)
Simple calculation (loss by specific system)
Cost of Downtime
39. 39
The Cost of Downtime
Lost Revenue
Lost Wages
Remedial Labor Costs
Lost Inventory
Marketing Costs
Bank Fees / Penalties
Legal Costs
Lost Opportunity
Employee Retention
Loss in Share Value
Goodwill
Brand Damage
Tangible Costs Intangible Costs
40. 40
Example Costs of Doing Nothing
Airline Reservations:
Retail Catalog:
Infomercials /
Promotion:
Retail Banking:
Retail Brokerage:
$ 89,500
$ 90,000
$ 199,500
$1,000,000
$6,500,000
Average Hourly Costs of Downtime
42. 42
Implementing Business Continuity
What Not To Do?
Treat BCP like a one-time project
Turn BCP into a Compliance Program
What To Do?
Weave the program into processes as a forethought, not
an afterthought
Make BCP part of the operational fabric
Validate progress with each Business Continuity exercise
Grow Business Continuity as your business grows
43. 43
ISO Principles of Risk Management
and Business Continuity
Should create value
BCP creates value by ensuring
continued business operation
Must be an integral part of organizational
processes
BCP is an operational process and is
therefore integral to the organization
Must be part of decision making
BCP is strategic, and therefore part of
decision making
Should explicitly address uncertainty and
assumptions
BCP inherently addresses uncertainty
and assumptions
Is systematic and structured
BCP is a systematic and structured
process that grows with the business
Should be based on the best available
information
BCP is based on the best available
information at its inception, and it is
continually updated
Should be customizable
BCP can be customized as changes in the
business dictate
Takes into account human factors
BCP ensures that the plan addresses
capabilities of people who can facilitate (or
hinder) business continuity
Is transparent and inclusive
BCP is transparent and inclusive by
ensuring that stakeholders are fully involved
in every aspect of the process
Is dynamic, iterative and responsive to
change
BCP changes as the business grows and
expands
Is continually improved and enhanced
BCP is an operational process that
continually improves as the business
grows
Must be continually or periodically re-
assessed
BCP is continually re-assessed as changes
occur in the business.