Risk Management
Business Continuity Planning and Management
Presentation Outline
 ISO Principles of Risk Management
 Disaster Recovery vs. Business Continuity
 Unexpected Events
 Business Continuity and Risk Avoidance
 Planning and Management
Break
 Development, Implementation and Exercise
 Return on Investment
 Business Continuity as an Operational Process
ISO Principles of Risk Management
 Should create value
 Must be an integral part of organizational processes
 Must be part of decision making
 Should explicitly address uncertainty and assumptions
 Is systematic and structured
 Should be based on the best available information
 Should be customizable
 Takes into account human factors
 Is transparent and inclusive
 Is dynamic, iterative and responsive to change
 Is continually improved and enhanced
 Must be continually or periodically re-assessed
Disaster Recovery vs. Business Continuity
 Disaster Recovery
 The processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event
 Business Continuity Planning
 Planning to keep your business operating through an unexpected event
 Business Continuity Management
 Managing the sustaining of key business components, bridging the event
 Discussion
Is Business Continuity Planning Necessary?
 Compelling Factors
 Regulatory requirements
 Competitive requirements
 Customer impact
 Investor impact
 Potential litigation
 Does Company Size Matter?
 Is BCP for large companies only?
 Bottom Line
 Keep business functioning and
 Protect Company assets (human, IP, infrastructure)
Unexpected Events
What Constitutes a Disaster or Business Continuity Interruption?
 Catastrophic Events
 Location destroyed
 Distribution center destroyed
 Headquarters destroyed
 Events Arising From:
 Supply Chain disruption
 Smoke/Fire
 Cyber attack
 Terrorism
 Earthquake
 Effects of nearby disaster (RR tanker derails; Fukushima)
 Social disturbance (people are hurt and facility is crime scene)
 Be careful of playing the odds
 Virginia’s last earthquake: over 100 years ago; until August 2011
Example Disruption Scenarios
 Level 1 — Loss of secondary function
 Loss of SaaS provider (Outsourced Accounting
System)
 Level 2 — Technology offline
 Loss of local computing environment
 Level 3 — Distribution network impact
 Loss of warehouse (physical goods)
 Level 4 — Regional command and control
 Loss of entire division
 Level 5 — Disaster
 Loss of entire company
[Figure: cost scale from $ to $$$$]
Business Continuity and Risk Avoidance
Business Continuity Overview
 Business initiative, not an Information Technology initiative
 Must keep key revenue streams operating
 Need a vulnerabilities list (highest to lowest)
 Risk avoidance
 Total Risk Avoidance
 Replicated facility (higher cost)
 Minimal Risk Avoidance
 Essential operational systems (lower cost)
 Balancing act
Keep Key Revenue Streams Operating
 Reduce or eliminate revenue stream interruptions
by:
 Keeping supply chain moving
 Filling orders to key customers
 Receiving payments
 Paying key invoices
[Figure: supply chain diagram with Manufacturing, Customer, Suppliers, Distribution and Shipping]
List Vulnerabilities
 Remember S.W.O.T. analysis
 Strengths — your Company may have an effective
logistics network that can sustain loss of a warehouse
with little or no impact to continuing operations
 Weaknesses — list areas where the Company is most
vulnerable to interruptions ordered by business impact
 Opportunities — you may be able to consolidate
operations for the short term, or take advantage of
unused space in a lesser-used building in the event of
facility loss
 Threats — including those listed under Example
Disruptive Scenarios, natural disasters (floods,
hurricanes, tornados, earthquakes), etc.
Other Vulnerability Assessment Tools
Risk Identification
 Brainstorming
 Questionnaires
 Business studies assessing both internal and external factors which can influence operations
 Industry benchmarking
 Scenario analysis
 Risk assessment workshops
 Incident investigation
 Auditing and inspection
 HAZOP (Hazard & Operability Studies)
Risk Analysis
 Dependency modeling
 Event tree analysis
 Real Option Modeling (Valuation)
 Decision making under conditions of risk and uncertainty
 Measures of central tendency and dispersion (descriptive statistics)
 PEST (Political, Economic, Social, Technological) analysis
Total Risk Avoidance
 How much is too much?
 Total Replication of all operational systems
 Example U.S. Postal Service (two of five Data Centers)
 Discussion.
[Figure: Internet connected to the San Mateo Data Center and the Eagan Data Center; San Mateo is copied to Eagan, and Eagan is copied to San Mateo]
Minimal Risk Avoidance
 Essential Systems
 Payroll (time clocks)
 Inventory and Order Management
 E-mail (communication)
 5 Business Days
 A/R
 A/P
 Shipping
 Is this right?
[Figure: Business Functions (Accounts Receivable, Payroll, Accounts Payable, Inventory and Order Management, Shipping, E-mail) sorted into Essential (Payroll, Inventory and Order Management, Shipping, E-mail) and 5 Business Days (Accounts Receivable, Accounts Payable)]
Balancing Act
 Objective: Determine What You Need
 Total Risk Avoidance
 Fully Redundant Systems and Operations
 Facilities
 Inventory
 Shipping/Receiving
 Minimal Risk Avoidance
 Select functions deemed essential
 Some disruption in service is acceptable
 Discussion
Planning and Management
Managing the Risk
 High-level planning
 Develop the plan and publish it
 Implementation and exercise
 When is the plan considered complete?
Getting Started: Objectives
 Your Company’s Business Continuity and Needs
 Define what business continuity means for your company
 Determine what you need in order to maintain it
 Take nothing for granted
 Review all operational concerns
 Review both internal and external factors
 Discovery process budget
 Determine a rough order of magnitude budget for the
discovery process
 Fund it
 Discussion: how can this be done?
High-level Planning
 Engage management and build the BCP team
 CEO, COO, CFO, CIO
 Name business and technology leaders as BCP
stakeholders
 Create a standard Charter for the project
 Make it an Enterprise project
 Agree on a single individual as the owner with an
understudy
 Assign a project manager
 Isolate Continuity targets
 Essential business functions (use a risk matrix)
 Scrutinize pitfalls/darlings/issues
Project Charter
A Project Charter:
 Lists reasons for undertaking the project
 Solidifies objectives and constraints of the project
 Provides directions concerning the solution
 Gives names and titles of the main stakeholders
 Enumerates in-scope and out-of-scope items
 Dictates as a high-level risk management plan
 Serves as a communication plan
 Targets project benefits
 Authorizes high-level budget
and spending authority
Project Charters are used to:
 Authorize a project
 Aid with resource
management
 Focus overall scope
Risk Matrix Example
Threat                Probability (P)   Impact (I)   Risk = P x I
Hurricane             80%               1            80%
Flooding – Internal   80%               1            80%
Severe Storms         25%               1            25%
Flooding – External   80%               0.2          16%
Wind Storm            10%               1            10%
Tornado               10%               1            10%
Terrorism             10%               1            10%
Fire – Internal       10%               1            10%
Fire – External       10%               1            10%
Earthquake            1%                1            1%
 Helps isolate potential interruptions in service
 Link this to affected operations service continuity plan
[Figure: Coastal Operations BCP: Backup site for Coastal Office Operations; Temporary Relocation for Key (or all) Staff; Rebuild/Repair; Return to Normal Operation]
Plan Components
 Establish objectives for the plan. Examples include:
 Run payroll within 24 hours of event
 Ship product within 48 hours of the event
 Essential personnel
 List personnel required for managing the processes
 List backup personnel, in the event the primary personnel
are directly affected by the event
 Calendar/Timeline
 Create a calendar to pinpoint specific timing of actions
 List important dates such as payroll, monthly close, and
other recurring events that can influence the required
availability
Systems Recovery
 What systems are crucial to maintain continuity?
 Payroll and time clocks?
 Inventory and Order management?
 Shipping and Receiving?
 Email?
 All of the above?
 Be careful of purportedly autonomous systems
 Question from the shipping manager:
“Since FedEx has supplied my shipping stations, and they are
able to print shipping manifests, is it okay to go ahead and ship
product even if the inventory and fulfillment systems are
offline?”
Do you think it’s okay?
Data Recovery
 Differences between System and Data Recovery
 Systems are the substrate that manages and presents data
 Data carries the information
 Data Recovery Point Objective
 How old is the data that can be recovered?
 Where is the backup stored? Offsite, or still on-site?
 When was the last validation that data could be
recovered?
 Data Recovery Time Objective
 How long will it take to recover?
 Will data be recovered to the point just prior to the event?
 What about data that is lost?
Break
Development, Implementation and Exercise
Develop the Overall Plan
 Stakeholders
 List their area’s essential business functions
 List alternatives for each business function in a matrix
 Plan for functions without immediate alternatives
 Assess alternatives for strategic functions
 Example: if a warehouse goes offline, can product ship from
other warehouses? Include the estimated cost difference.
 Document a process flow for decision-making and
emergency response.
 Ensure everyone knows who is in charge
 Establish a single-point of contact for media relations and
ensure all responses are funneled through them
 Do not depend on making good decisions inside the tornado
Develop the Execution Plan
 Formulate Business Continuity Management Plan
 Assign point individuals to manage specific areas of
operation
 Ensure everyone has a backup
 Establish action plans for:
 Running day-to-day operations
 Contacting insurance companies and managing
distributions
 Recovering from the interruption. Include vendors to
source product, infrastructure and services
 Crisis communications to keep staff updated as changes
occur
Implementation and Exercise
 Train for the exercise:
 Notify participants of it,
 Stage it, and
 Implement it!
 Implement it in stages:
 First, work out what you thought would happen
 Adjust the plan based on what actually happens
 Common misconception: you can’t exercise everything in the
plan
 Yes, you can
 You may choose not to, because of disruption or cost
 Choose a cycle for exercise, and stick to it.
 Minimal: annual (has drawbacks)
 Optimal: quarterly
 Super-optimal: continual (may apply to specific processes only)
No plan survives the battlefield.
— Helmuth von Moltke
When is the Plan Considered Complete?
 Never
 Business Continuity is not a Project
 It’s a program
 It’s an operational process
 It’s a strategy
 It exists as long as your business does
 Each exercise should reflect an updated plan
 Exercising the plan is like putting on a play
 Remember your lines
 Discussion
Return on Investment
Quote #1
A Grudge Buy or Providing ROI?
“The fact that most organizations are
unlikely to ever use the full extent of the
services they have paid for has, in the past,
made disaster [recovery] something of a
‘grudge buy’ and not something that most
companies are eager to spend money on.”
ITWEB
September 25, 2001
Quote #2
Probability or Availability?
“…the probabilities associated by corporate
management with the occurrence of most
disasters are so low that the expected value
of most disaster recovery programs does not
begin to cover the costs required to
implement
(or purchase) them.”
William Cappelli
Disaster Recovery Program Costing: The Missing Element
from GIGA
January 22, 1998
Quote #3
Bottom Line or Bottomless Pit?
“Recovery services don’t add anything to the
bottom line, but the consequences of not
having a plan in place can be disastrous.”
Dave Linacre
Managing Director
IBM Business Continuity and Recovery Services
Reasons ROI Is Not Calculated
 Difficulties in making the calculation
 Not a financial decision
 Lack of commitment to the process
 Not an important issue
 Bottom Line:
Should it take a disaster to recover your investment?
Calculating Return on Investment
 Calculated on projects with fixed costs and an end
date
 Business Continuity starts as a project, but becomes an
on-going operational program
 Cost vs. Time to Ownership: hard to calculate
 The project has high development costs up-front
 The project’s long tail never ends (constant updates as new
systems and changes to business processes occur)
 Value Perspective: possible to calculate
 Complex calculation (host of factors including loss of
productivity)
 Moderate calculation (risk register)
 Simple calculation (loss by specific system)
 Cost of Downtime
The Cost of Downtime
Tangible Costs
 Lost Revenue
 Lost Wages
 Remedial Labor Costs
 Lost Inventory
 Marketing Costs
 Bank Fees / Penalties
 Legal Costs
Intangible Costs
 Lost Opportunity
 Employee Retention
 Loss in Share Value
 Goodwill
 Brand Damage
Example Costs of Doing Nothing
Average Hourly Costs of Downtime
 Airline Reservations: $89,500
 Retail Catalog: $90,000
 Infomercials / Promotion: $199,500
 Retail Banking: $1,000,000
 Retail Brokerage: $6,500,000
Business Continuity as an Operational Process
Implementing Business Continuity
 What Not To Do?
 Treat BCP like a one-time project
 Turn BCP into a Compliance Program
 What To Do?
 Weave the program into processes as a forethought, not
an afterthought
 Make BCP part of the operational fabric
 Validate progress with each Business Continuity exercise
 Grow Business Continuity as your business grows
ISO Principles of Risk Management and Business Continuity
 Should create value
 BCP creates value by ensuring
continued business operation
 Must be an integral part of organizational
processes
 BCP is an operational process and is
therefore integral to the organization
 Must be part of decision making
 BCP is strategic, and therefore part of
decision making
 Should explicitly address uncertainty and
assumptions
 BCP inherently addresses uncertainty
and assumptions
 Is systematic and structured
 BCP is a systematic and structured
process that grows with the business
 Should be based on the best available
information
 BCP is based on the best available
information at its inception, and it is
continually updated
 Should be customizable
 BCP can be customized as changes in the
business dictate
 Takes into account human factors
 BCP ensures that the plan addresses
capabilities of people who can facilitate (or
hinder) business continuity
 Is transparent and inclusive
 BCP is transparent and inclusive by
ensuring that stakeholders are fully involved
in every aspect of the process
 Is dynamic, iterative and responsive to
change
 BCP changes as the business grows and
expands
 Is continually improved and enhanced
 BCP is an operational process that
continually improves as the business
grows
 Must be continually or periodically re-assessed
 BCP is continually re-assessed as changes
occur in the business.
Questions
Sources
 DRI International
 Continuity Central
 Continuity Insights 2011 Conference
 Disaster Recovery Resources
 Disaster Recovery World
 PilotOnline.com
 Humbach, Rob. “Disaster Recovery: Finding ROI Without the Disaster,”
2003
 A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
More Related Content

Similar to Risk Management -- Business Continuity Planning and Management.pptx

Risk Management - Business Continuity Planning and Management
Risk Management  - Business Continuity Planning and ManagementRisk Management  - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and ManagementCody Shive
 
Hyperion 101 fast track your financial close
Hyperion 101 fast track your financial closeHyperion 101 fast track your financial close
Hyperion 101 fast track your financial closeTimothy J. Simkiss, CPA
 
Chap6 2007 Cisa Review Course
Chap6 2007 Cisa Review CourseChap6 2007 Cisa Review Course
Chap6 2007 Cisa Review CourseDesmond Devendran
 
Chap6 2007 C I S A Review Course
Chap6 2007 C I S A Review CourseChap6 2007 C I S A Review Course
Chap6 2007 C I S A Review CourseDesmond Devendran
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryEC-Council
 
The Complete Lean Enterprise
The Complete Lean EnterpriseThe Complete Lean Enterprise
The Complete Lean EnterpriseYucika Kalvari
 
Enfos webinar 20150825
Enfos webinar 20150825Enfos webinar 20150825
Enfos webinar 20150825Chris Wade
 
BCP Overview
BCP OverviewBCP Overview
BCP Overviewmcourton
 
Chapter 9Effective and Efficient Business FunctionsPre.docx
Chapter 9Effective and Efficient Business FunctionsPre.docxChapter 9Effective and Efficient Business FunctionsPre.docx
Chapter 9Effective and Efficient Business FunctionsPre.docxchristinemaritza
 
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011IBM Sverige
 
Presenting Project Value to the Financial Leadership
Presenting Project Value to the Financial LeadershipPresenting Project Value to the Financial Leadership
Presenting Project Value to the Financial LeadershipJay Halloran
 
Failure Mode Effect Analysis in Engineering Failures
Failure Mode Effect Analysis in Engineering FailuresFailure Mode Effect Analysis in Engineering Failures
Failure Mode Effect Analysis in Engineering FailuresPadmanabhan Krishnan
 
Supplier Risk Management for ISM 4-16
Supplier Risk Management for ISM 4-16Supplier Risk Management for ISM 4-16
Supplier Risk Management for ISM 4-16Randy Christoffersen
 
Taking Splunk to the Next Level - Management
Taking Splunk to the Next Level - ManagementTaking Splunk to the Next Level - Management
Taking Splunk to the Next Level - ManagementSplunk
 
Excel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk PresentationExcel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk Presentationgreghawes
 
What is the relationship between Accounting and an Accounting inform.pdf
What is the relationship between Accounting and an Accounting inform.pdfWhat is the relationship between Accounting and an Accounting inform.pdf
What is the relationship between Accounting and an Accounting inform.pdfannikasarees
 
2013 03 18 webinar 2013 combating revenue leakage
2013 03 18 webinar 2013   combating revenue leakage2013 03 18 webinar 2013   combating revenue leakage
2013 03 18 webinar 2013 combating revenue leakagedecision/analysis partners
 

Similar to Risk Management -- Business Continuity Planning and Management.pptx (20)

Risk Management - Business Continuity Planning and Management
Risk Management  - Business Continuity Planning and ManagementRisk Management  - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and Management
 
Creating Agile Supply Chains In Chemical Industry
Creating Agile Supply Chains In Chemical IndustryCreating Agile Supply Chains In Chemical Industry
Creating Agile Supply Chains In Chemical Industry
 
Hyperion 101 fast track your financial close
Hyperion 101 fast track your financial closeHyperion 101 fast track your financial close
Hyperion 101 fast track your financial close
 
Chap6 2007 Cisa Review Course
Chap6 2007 Cisa Review CourseChap6 2007 Cisa Review Course
Chap6 2007 Cisa Review Course
 
Chap6 2007 C I S A Review Course
Chap6 2007 C I S A Review CourseChap6 2007 C I S A Review Course
Chap6 2007 C I S A Review Course
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster Recovery
 
The Complete Lean Enterprise
The Complete Lean EnterpriseThe Complete Lean Enterprise
The Complete Lean Enterprise
 
Enfos webinar 20150825
Enfos webinar 20150825Enfos webinar 20150825
Enfos webinar 20150825
 
BCP Overview
BCP OverviewBCP Overview
BCP Overview
 
Chapter 9Effective and Efficient Business FunctionsPre.docx
Chapter 9Effective and Efficient Business FunctionsPre.docxChapter 9Effective and Efficient Business FunctionsPre.docx
Chapter 9Effective and Efficient Business FunctionsPre.docx
 
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
Effektiv riskhantering - teori vs praktik - IBM Smarter Business 2011
 
Presenting Project Value to the Financial Leadership
Presenting Project Value to the Financial LeadershipPresenting Project Value to the Financial Leadership
Presenting Project Value to the Financial Leadership
 
Failure Mode Effect Analysis in Engineering Failures
Failure Mode Effect Analysis in Engineering FailuresFailure Mode Effect Analysis in Engineering Failures
Failure Mode Effect Analysis in Engineering Failures
 
Supplier Risk Management for ISM 4-16
Supplier Risk Management for ISM 4-16Supplier Risk Management for ISM 4-16
Supplier Risk Management for ISM 4-16
 
Taking Splunk to the Next Level - Management
Taking Splunk to the Next Level - ManagementTaking Splunk to the Next Level - Management
Taking Splunk to the Next Level - Management
 
FastClose_EN
FastClose_ENFastClose_EN
FastClose_EN
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Excel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk PresentationExcel In Managing Spreadsheet Risk Presentation
Excel In Managing Spreadsheet Risk Presentation
 
What is the relationship between Accounting and an Accounting inform.pdf
What is the relationship between Accounting and an Accounting inform.pdfWhat is the relationship between Accounting and an Accounting inform.pdf
What is the relationship between Accounting and an Accounting inform.pdf
 
2013 03 18 webinar 2013 combating revenue leakage
2013 03 18 webinar 2013   combating revenue leakage2013 03 18 webinar 2013   combating revenue leakage
2013 03 18 webinar 2013 combating revenue leakage
 

Recently uploaded

0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...noida100girls
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfOrient Homes
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 

Recently uploaded (20)

0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 

Risk Management -- Business Continuity Planning and Management.pptx

  • 1. Risk Management Business Continuity Planning and Management
  • 2. Presentation Outline
      - ISO Principles of Risk Management
      - Disaster Recovery vs. Business Continuity
      - Unexpected Events
      - Business Continuity and Risk Avoidance
      - Planning and Management
      - Break
      - Development, Implementation and Exercise
      - Return on Investment
      - Business Continuity as an Operational Process
  • 3. ISO Principles of Risk Management
      - Should create value
      - Must be an integral part of organizational processes
      - Must be part of decision making
      - Should explicitly address uncertainty and assumptions
      - Is systematic and structured
      - Should be based on the best available information
      - Should be customizable
      - Takes into account human factors
      - Is transparent and inclusive
      - Is dynamic, iterative and responsive to change
      - Is continually improved and enhanced
      - Must be continually or periodically re-assessed
  • 5. Disaster Recovery vs. Business Continuity
      - Disaster Recovery
          - The processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event
      - Business Continuity Planning
          - Planning to keep your business operating through an unexpected event
      - Business Continuity Management
          - Managing the sustaining key business components, bridging the event
      - Discussion
  • 6. Is Business Continuity Planning Necessary?
      - Compelling Factors
          - Regulatory requirements
          - Competitive requirements
          - Customer impact
          - Investor impact
          - Potential litigation
      - Does Company Size Matter?
          - Is BCP for large companies only?
      - Bottom Line
          - Keep business functioning and
          - Protect Company assets (human, IP, infrastructure)
  • 8. What Constitutes a Disaster or Business Continuity Interruption?
      - Catastrophic Events
          - Location destroyed
          - Distribution center destroyed
          - Headquarters destroyed
      - Event Rising From:
          - Supply Chain disruption
          - Smoke/Fire
          - Cyber attack
          - Terrorism
          - Earthquake
          - Effects of nearby disaster (RR tanker derails; Fukushima)
          - Social disturbance (people are hurt and facility is crime scene)
      - Be careful of playing the odds
          - Virginia’s last earthquake: over 100 years ago; until August, 2011
  • 9. Example Disruption Scenarios
      - Level 1 — Loss of secondary function
          - Loss of SaaS provider (Outsourced Accounting System)
      - Level 2 — Technology offline
          - Loss of local computing environment
      - Level 3 — Distribution network impact
          - Loss of warehouse (physical goods)
      - Level 4 — Regional command and control
          - Loss of entire division
      - Level 5 — Disaster
          - Loss of entire company
      [Diagram: Cost axis]
  • 11. Business Continuity Overview
      - Business initiative, not an Information Technology initiative
      - Must keep key revenue streams operating
      - Need a vulnerabilities list (highest to lowest)
      - Risk avoidance
          - Total Risk Avoidance: Replicated facility (higher cost)
          - Minimal Risk Avoidance: Essential operational systems (lower cost)
      - Balancing act
  • 12. Keep Key Revenue Streams Operating
      - Reduce or eliminate revenue stream interruptions by:
          - Keeping supply chain moving
          - Filling orders to key customers
          - Receiving payments
          - Paying key invoices
      [Diagram labels: Manufacturing, Customer, Suppliers, Distribution, Shipping]
  • 13. List Vulnerabilities
      - Remember S.W.O.T. analysis
          - Strengths — your Company may have an effective logistics network that can sustain loss of a warehouse with little or no impact to continuing operations
          - Weaknesses — list areas where the Company is most vulnerable to interruptions ordered by business impact
          - Opportunities — you may be able to consolidate operations for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss
          - Threats — including those listed under Example Disruptive Scenarios, natural disasters (floods, hurricanes, tornados, earthquakes), etc.
  • 14. Other Vulnerability Assessment Tools
      - Brainstorming
      - Questionnaires
      - Business studies assessing both internal and external factors which can influence operations
      - Industry benchmarking
      - Scenario analysis
      - Risk assessment workshops
      - Incident investigation
      - Auditing and inspection
      - HAZOP (Hazard & Operability Studies)
      - Dependency modeling
      - Event tree analysis
      - Real Option Modeling (Valuation)
      - Decision making under conditions of risk and uncertainty
      - Measures of central tendency and dispersion (descriptive statistics)
      - PEST (Political, Economic, Social, Technological) analysis
      [Diagram labels: Risk Identification, Risk Analysis]
  • 15. Total Risk Avoidance
      - How much is too much?
      - Total Replication of all operational systems
      - Example U.S. Postal Service (two of five Data Centers)
      - Discussion.
      [Diagram: Internet; San Mateo Data Center (copied to Eagan); Eagan Data Center (copied to San Mateo)]
  • 16. Minimal Risk Avoidance
      - Essential Systems
          - Payroll (time clocks)
          - Inventory and Order Management
          - E-mail (communication)
      - 5 Business Days
          - A/R
          - A/P
          - Shipping
      - Is this right?
      [Diagram: Business Functions (Accounts Receivable, Payroll, Accounts Payable, Inventory and Order Management, Shipping, E-mail) sorted under Essential and 5 Business Days]
  • 17. Balancing Act
      - Objective: Determine What You Need
      - Total Risk Avoidance
          - Fully Redundant Systems and Operations
          - Facilities
          - Inventory
          - Shipping/Receiving
      - Minimal Risk Avoidance
          - Select functions deemed essential
          - Some disruption in service is acceptable
      - Discussion
  • 19. Managing the Risk
      - High-level planning
      - Develop the plan and publish it
      - Implementation and exercise
      - When is the plan considered complete?
  • 20. Getting Started: Objectives
      - Your Company’s Business Continuity and Needs
          - Define what business continuity means for your company
          - Determine what you need in order to maintain it
      - Take nothing for granted
          - Review all operational concerns
          - Review both internal and external factors
      - Discovery process budget
          - Determine a rough order of magnitude budget for the discovery process
          - Fund it
      - Discussion: how can this be done?
  • 21. High-level Planning
      - Engage management and build the BCP team
          - CEO, COO, CFO, CIO
          - Name business and technology leaders as BCP stakeholders
      - Create a standard Charter for the project
          - Make it an Enterprise project
          - Agree on a single individual as the owner with an understudy
          - Assign a project manager
      - Isolate Continuity targets
          - Essential business functions (use a risk matrix)
          - Scrutinize pitfalls/darlings/issues
  • 22. Project Charter
      A Project Charter:
      - Lists reasons for undertaking the project
      - Solidifies objectives and constraints of the project
      - Provides directions concerning the solution
      - Gives names and titles of the main stakeholders
      - Enumerates in-scope and out-of-scope items
      - Dictates as a high-level risk management plan
      - Serves as a communication plan
      - Targets project benefits
      - Authorizes high-level budget and spending authority
      Project Charters are used to:
      - Authorize a project
      - Aid with resource management
      - Focus overall scope
  • 23. Risk Matrix Example

      | Threat              | Probability (P) | Impact (I) | Risk = P x I |
      |---------------------|-----------------|------------|--------------|
      | Hurricane           | 80%             | 1          | 80%          |
      | Flooding – Internal | 80%             | 1          | 80%          |
      | Severe Storms       | 25%             | 1          | 25%          |
      | Flooding – External | 80%             | 0.2        | 16%          |
      | Wind Storm          | 10%             | 1          | 10%          |
      | Tornado             | 10%             | 1          | 10%          |
      | Terrorism           | 10%             | 1          | 10%          |
      | Fire – Internal     | 10%             | 1          | 10%          |
      | Fire – External     | 10%             | 1          | 10%          |
      | Earthquake          | 1%              | 1          | 1%           |

      - Helps isolate potential interruptions in service
      - Link this to affected operations service continuity plan
      [Diagram labels: Backup site for Coastal Office Operations; Temporary Relocation for Key (or all) Staff; Coastal Operations BCP; Rebuild/Repair; Return to Normal Operation]
  • 24. Plan Components
      - Establish objectives for the plan. Examples include:
          - Run payroll within 24 hours of event
          - Ship product within 48 hours of the event
      - Essential personnel
          - List personnel required for managing the processes
          - List backup personnel, in the event the primary personnel are directly affected by the event
      - Calendar/Timeline
          - Create a calendar to pinpoint specific timing of actions
          - List important dates such as payroll, monthly close, and other recurring events that can influence the required availability
  • 25. Systems Recovery
      - What systems are crucial to maintain continuity?
          - Payroll and time clocks?
          - Inventory and Order management?
          - Shipping and Receiving?
          - Email?
          - All of the above?
      - Be careful of purportedly autonomous systems
          - Question from the shipping manager: “Since FedEx has supplied my shipping stations, and they are able to print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?”
          - Do you think it’s okay?
  • 26. Data Recovery
      - Differences between System and Data Recovery
          - Systems are the substrate that manage and present data
          - Data carries the information
      - Data Recovery Point Objective
          - How old is the data that can be recovered?
          - Where is the backup stored? Offsite, or still on-site?
          - When was the last validation that data could be recovered?
      - Data Recovery Time Objective
          - How long will it take to recover?
          - Will data be recovered to the point just prior to the event?
          - What about data that is lost?
  • 27. Break
  • 29. Develop the Overall Plan
      - Stakeholders
          - List their area’s essential business functions
          - List alternatives for each business function in a matrix
          - Plan for functions without immediate alternatives
      - Assess alternatives for strategic functions
          - Example: if a warehouse goes offline, can product ship from other warehouses? Include the estimated cost difference.
      - Document a process flow for decision-making and emergency response.
          - Ensure everyone knows who is in charge
          - Establish a single-point of contact for media relations and ensure all responses are funneled through them
      - Do not depend on making good decisions inside the tornado
  • 30. Develop the Execution Plan
      - Formulate Business Continuity Management Plan
          - Assign point individuals to manage specific areas of operation
          - Ensure everyone has a backup
      - Establish action plans for:
          - Running day-to-day operations
          - Contacting insurance companies and managing distributions
          - Recovering from the interruption. Include vendors to source product, infrastructure and services
          - Crisis communications to keep staff updated as changes occur
  • 31. Implementation and Exercise
      - Train for the exercise:
          - Notify participants of it,
          - Stage it, and
          - Implement it!
      - Implement it in stages:
          - First, work out what you thought would happen
          - Adjust the plan based on what actually happens
      - Common misconception: you can’t exercise everything in the plan
          - Yes, you can
          - You may choose not to, because of disruption or cost
      - Choose a cycle for exercise, and stick to it.
          - Minimal: annual (has drawbacks)
          - Optimal: quarterly
          - Super-optimal: continual (may apply to specific processes only)
      No plan survives the battle field. — Helmuth von Moltke
  • 32. When is the Plan Considered Complete?
      - Never
      - Business Continuity is not a Project
          - It’s a program
          - It’s an operational process
          - It’s a strategy
          - It exists as long as your business does
      - Each exercise should reflect an updated plan
      - Exercising the plan is like putting on a play
          - Remember your lines
      - Discussion
  • 34. Quote #1: A Grudge Buy or Providing ROI?
      “The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a ‘grudge buy’ and not something that most companies are eager to spend money on.”
      ITWEB
      September 25, 2001
  • 35. Quote #2: Probability or Availability?
      “…the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them.”
      William Cappelli
      Disaster Recovery Program Costing: The Missing Element from GIGA
      January 22, 1998
  • 36. Quote #3: Bottom Line or Bottomless Pit?
      “Recovery services don’t add anything to the bottom line, but the consequences of not having a plan in place can be disastrous.”
      Dave Linacre
      Managing Director
      IBM Business Continuity and Recovery Services
  • 37. Reasons ROI Is Not Calculated
      - Difficulties in making the calculation
      - Not a financial decision
      - Lack of commitment to the process
      - Not an important issue
      - Bottom Line: Should it take a disaster to recover your investment?
  • 38. Calculating Return on Investment
      - Calculated on projects with fixed costs and an end date
      - Business Continuity starts as a project, but becomes an on-going operational program
      - Cost vs. Time to Ownership: hard to calculate
          - The project has high development costs up-front
          - The project’s long tail never ends (constant updates as new systems and changes to business processes occur)
      - Value Perspective: possible to calculate
          - Complex calculation (host of factors including loss of productivity)
          - Moderate calculation (risk register)
          - Simple calculation (loss by specific system)
      - Cost of Downtime
  • 39. The Cost of Downtime
      - Lost Revenue
      - Lost Wages
      - Remedial Labor Costs
      - Lost Inventory
      - Marketing Costs
      - Bank Fees / Penalties
      - Legal Costs
      - Lost Opportunity
      - Employee Retention
      - Loss in Share Value
      - Goodwill
      - Brand Damage
      [Diagram labels: Tangible Costs, Intangible Costs]
  • 40. Example Costs of Doing Nothing

      Average Hourly Costs of Downtime
      - Airline Reservations: $89,500
      - Retail Catalog: $90,000
      - Infomercials / Promotion: $199,500
      - Retail Banking: $1,000,000
      - Retail Brokerage: $6,500,000
  • 41. Business Continuity as an Operational Process
  • 42. Implementing Business Continuity
      - What Not To Do?
          - Treat BCP like a one-time project
          - Turn BCP into a Compliance Program
      - What To Do?
          - Weave the program into processes as a forethought, not an afterthought
          - Make BCP part of the operational fabric
          - Validate progress with each Business Continuity exercise
          - Grow Business Continuity as your business grows
  • 43. ISO Principles of Risk Management and Business Continuity
      - Should create value
          - BCP creates value by ensuring continued business operation
      - Must be an integral part of organizational processes
          - BCP is an operational process and is therefore integral to the organization
      - Must be part of decision making
          - BCP is strategic, and therefore part of decision making
      - Should explicitly address uncertainty and assumptions
          - BCP inherently addresses uncertainty and assumptions
      - Is systematic and structured
          - BCP is a systematic and structured process that grows with the business
      - Should be based on the best available information
          - BCP is based on the best available information at its inception, and it is continually updated
      - Should be customizable
          - BCP can be customized as changes in the business dictate
      - Takes into account human factors
          - BCP ensures that the plan addresses capabilities of people who can facilitate (or hinder) business continuity
      - Is transparent and inclusive
          - BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
      - Is dynamic, iterative and responsive to change
          - BCP changes as the business grows and expands
      - Is continually improved and enhanced
          - BCP is an operational process that continually improves as the business grows
      - Must be continually or periodically re-assessed
          - BCP is continually re-assessed as changes occur in the business.
  • 45. Sources
      - DRI International
      - Continuity Central
      - Continuity Insights 2011 Conference
      - Disaster Recovery Resources
      - Disaster Recovery World
      - PilotOnline.com
      - Humbach, Rob. “Disaster Recovery: Finding ROI Without the Disaster,” 2003
      - A Risk Management Standard, AIRMIC, ALARM, IRM: 2002