Business Continuity Workshop Final


Business Continuity Planning Workshop for the Dayton Chapter of the Construction Financial Management Association


  1. Business Continuity Planning
     Presented by Bill Lisse, CISSP, CISA, CGEIT, GPCI, GHSC, Security+ (SME Manager, Technology & Risk Management) and Jack Lohbeck, CPA (Director, Business Consulting)
  2. Increasing Competition & Risks
     • Businesses are constantly at risk for interruptions to their operations, any of which can have devastating consequences
     • Gartner reports that two out of five organizations that experience a disaster go out of business within five years
     • A speedy recovery from interruption is imperative to staying solvent as a business
  3. Business Continuity
     • “The process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.” (Disaster Recovery Institute International’s Glossary of Industry Terms)
  4. Planning for Disruptions
     • If you do not develop and implement a business continuity (BC) plan and disaster recovery (DR) procedures that can bring the business back up in as short a time as possible, the potential for lost revenue can add up to millions of dollars within several days
  5. Common Roadblocks
     • Over confidence - “It can’t happen to me”
     • Over extension - don’t feel you have the time, personnel or other resources to devote to comprehensive contingency planning
     • Over reaching - reaching too far and wide makes the process overwhelming and seem impossible
     • Over planning - several contingency plans for specific situations or departments that become uncoordinated
  6. Business Continuity Management (BCM)
     • BCM is a process that applies to any business, small or large, and helps to manage the risks that threaten its survival
     • The objective is to identify the hazards that may affect critical functions or activities and to ensure that these can be reduced or responded to in an effective way
  7. Reasons for BCP
     • Loss or Injury to Personnel
     • Compliance
     • Loss of Revenue
     • Damage to Critical Resources
     • Loss of Customers
     • Reputation Damage
     • Civil and Criminal Liabilities
  8. BCP Resource Scope (diagram): Critical People, Communications, Infrastructure, Machinery & Equipment, Office Materials, Work Areas, Critical Records
  9. BCM Cycle (diagram): Stage 1 Risk Management; Stage 2 Business Impact Analysis; Stage 3 Business Continuity Strategy; Stage 4 Business Continuity Plan; Stage 5 Business Continuity Plan Testing; BCP Maintenance at the centre of the cycle
  10. Business Continuity Management
     • Risk Management
     • Business impact analysis (BIA)
     • Classification of operations and criticality analysis
     • Document the BC plan and DR procedures
     • Training & Awareness
     • Testing
     • Ongoing Monitoring & Plan Maintenance
  11. BCM Cycle (diagram repeated as a section divider; see slide 9) - Stage 1 Risk Management
  12. Risk Management
  13. Risks (diagram)
     • Threats - What can go wrong? Human (intentional or accidental); Natural Events
     • Probability - How likely is an adverse outcome?
     • Impacts - What are the consequences of the event?
     • Foundation - History, Analytical Tools, Technology Maturity, Knowledge/Experience
  14. Threats - Examples
     • Labor Disruptions
     • Lack of Materials
     • Shortages
     • Pandemics
     • Delays
     • Strikes and disputes
     • Supplier breach
     • Accidents
     • Facilities
     • Workplace Violence
     • Fire
     • Natural Disasters
     • Black/Brown Outs
     • Tornado
     • Equipment
     • Hurricane
     • IT Failures
     • Earthquake
     • Communications failures
     • Floods
     • Equipment Failures
  15. Threat, Vulnerability, Exposure, Opportunity (diagram)
  16. Risk Management
     Question | High Impact | Medium Impact | Low Impact
     What is the impact of the function on revenue generation? | Direct correlation to revenue | Peripheral correlation to revenue | No correlation to revenue
     What is the impact on other projects? | Entire company | One or more departments | Select users throughout the company
     What is the cost to overcome disruptions? | Material to the company | Material to a departmental or project budget | Peripheral to a departmental or project budget
     How will it impact customers or prospects? | Direct impact on revenue generation or end-customer support | Peripheral impact on revenue generation or end-customer support | No impact
     Which business processes will be affected? | Any external facing processes | Critical internal processes | Non-critical internal processes
  17. Potential Business Consequences
     • Inability to maintain critical customer services
     • Damage to your market share, image, reputation or brand
     • Failure to protect the company assets (including intellectual property and personnel)
     • Fraud
     • Failure to meet legal or regulatory requirements
     • Financial loss
  18. Risk Management - Risk Responses
     • Mitigate
     • Accept
     • Avoid
     • Transfer
  19. BCM Cycle (diagram repeated as a section divider; see slide 9) - Stage 2 Business Impact Analysis
  20. Business Impact Assessment
     • The BIA is the most critical process in the development of a DR strategy
     • It provides the business requirements used to develop the plan (focus resources)
     • Typical areas:
       - Identify critical business processes
       - Determine the disruptions & probability
       - Impact of disruptions on business
       - Determine Loss Exposures
  21. Business Impact Analysis
     • A Business Impact Analysis helps organizations:
       - Identify and prioritize risks
       - Identify requirements
       - Identify the extent of financial impact
       - Identify the extent of operational impact
  22. Business Impact Analysis
     The process of analyzing all core business functions and establishing an optimized timetable for recovery.
     • Maps data flow
     • Identify maximum tolerance for downtime
     • Identify interdependencies
     • Determine the recovery priorities of the organization
     Provides baseline for:
     • Justification for costs associated with recovery
     • Developing recovery strategies
     • Developing Support Level Agreements
  23. Business Impact Analysis - End-User Questionnaire Highlights
     • Department Overview
     • Workflow Interdependencies
     • Computer Resources
     • Application Impact Analysis
  24. Department Overview
     1. Identify department, location, and at least two representatives from each department.
     2. Develop a comprehensive list of applications used in the department.
     3. Describe the business function(s) of the department.
     4. Gather information about the department’s daily business hours, revenues generated, transaction volume, and any peak or high demand periods.
  25. Workflow Interdependencies
     1. Identify the departments and organizations that send work to the department.
     2. Determine what routes or channels of communication are used to send that incoming work and estimate the percentage that comes via each route or channel.
     3. Gather the same information as in #1 and #2 for work sent by the department.
  26. Computer Resources
     1. Gather information on the computing equipment in the department and how it is used.
     2. Begin exploring the reliance that the department has on the computing equipment, e.g., what data entry backlog would there be if it was unavailable for one day?
  27. Application Impact Analysis
     1. Basic description of each application, including what it does, what business functions it supports, whether it handles PHI, and who the department contacts are for the application.
     2. Estimate the level of departmental business interruption associated with the application being unavailable through various time thresholds.
     3. Estimate the associated data entry backlog that would result and how many staff hours it would take to eliminate the backlog.
  28. Application Impact Analysis (continued)
     1. Evaluate the downtime procedures associated with the application, asking questions such as: have the procedures been used before? How did they work? How long can the department function using them?
     2. Evaluate any regulatory, legal, financial, customer service, and public image problems that could arise as a direct or indirect result of the application being unavailable through various time thresholds.
  29. BCM Cycle (diagram repeated as a section divider; see slide 9) - Stage 3 Business Continuity Strategy
  30. Business Continuity Strategy
     • Market Structure & Budget
     • Data and system backup and restore
     • System & Data failover, redundancy
     • System vulnerabilities & threats
     • Disruptions to internal systems, telecommunications, applications, Web access
     • Operation of environmental systems
     • Natural disasters and other interruptions
  31. Business Continuity Strategy
     • Transfer Control/Function
     • Relocation of staff
     • Manual or alternative
     • Work from home
     • Shut down
     • Hot Site or dedicated
     • Warm Site
     • Cold or Shell Site
  32. BCM Cycle (diagram repeated as a section divider; see slide 9) - Stage 4 Business Continuity Plan
  33. Business Continuity Plan
     • Considerable effort and time are necessary to develop the initial BCP
     • Effective documentation and procedures are extremely important in a BCP
     • Well-written plans reduce the time required to read and understand the procedures
       - Result in a better chance of success if the plan has to be used
       - Significantly reduce maintenance time and effort
  34. Business Continuity Plan
     • An overarching plan of the company to be able to recover from a disaster and to resume normal business processes in as little time as possible
     • The BCP is made up of many “sub-plans”:
       - Emergency Response Plan
       - Disaster Recovery Plan
       - Public Affairs Plan
       - Occupant Emergency Plans
  35. Business Continuity Plan
     • Within a BCP, you have some key components:
       - Assessment: A way to identify threats (BIA - more on this later)
       - Evaluation: The likelihood and impact of each threat
       - Preparation: For contingent operations
       - Mitigation: The reduction or elimination of risks
       - Response: The response to minimize the impact of an emergency
       - Recovery: The return to normalcy
  36. Business Continuity Plan
  37. Business Continuity Plan
     • A document stating:
       - Who and what (systems, equipment, records and facilities) are required
       - When they are required
       - Where to operate your business for an indefinite period
     • A standard format for the procedures should be used for consistency, conformity, and maintenance
     • Standardization is especially important if several people write the procedures
  38. Business Continuity Plan
     • Two basic formats are used to write the plan: background information and instructional information
     • Background information should be written using indicative sentences
     • Instructions should use an imperative style (issue directions)
  39. Business Continuity Plan - Helpful tips in writing the BCP
     • Be specific. Write the plan with the assumption it may be implemented by personnel unfamiliar with the function and operation.
     • Use short, direct sentences, and keep it simple. Long sentences can overwhelm or confuse the reader.
     • Use short paragraphs. Long paragraphs can be detrimental to reader comprehension.
     • Use active voice verbs in present tense. Passive voice sentences can be lengthy and may be misinterpreted.
     • Use descriptive verbs. Non-descriptive verbs such as “make” and “take” can cause procedures to be wordy.
     • Avoid jargon.
     • Use position titles (rather than personal names of individuals) to reduce maintenance and revision requirements.
     • Develop uniformity in procedures to simplify the training process and minimize exceptions to conditions and actions.
     • Identify events that can occur in parallel, and events that must occur sequentially.
  40. BCM Cycle (diagram repeated as a section divider; see slide 9) - Stage 5 Business Continuity Plan Testing
  41. BCP Testing
     • Plan Audit
     • Passive Walk Through
     • Scenario Workshop
     • Physical Test
     • Live Simulation Test
  42. BCP Testing
     • Dependencies
     • Frequency
     • Test Plan Development
     • Test Procedures
     • Test Results
     • Management and Staff Awareness
  43. BCM Cycle (diagram repeated as a section divider; see slide 9) - BCP Maintenance
  44. BCP Maintenance
     • It is important that the plan be continually maintained and updated. Business continuity plans should include specific maintenance responsibilities and procedures. The major considerations in this process include:
       - Maintenance frequency
       - Change factors
       - Maintenance responsibilities
       - Distribution considerations
  45. BCP Maintenance
     • The recovery procedures for each team should be updated at minimum on a yearly basis and should also be updated following major organizational changes
     • Telephone lists and other inventories should be updated at least quarterly
     • The plan should also be reviewed and updated when there are major changes in technology
     • A plan maintenance form can be used to record and control all maintenance changes, additions or modifications to the plan
  46. BCP Maintenance
     • It is important to recognize factors that may change the business continuity plan:
       - Procedural changes
       - Organizational structure changes
       - Personnel changes/turnover
       - Physical changes (e.g., facilities)
       - Technology changes
       - Recovery requirements changes
       - Testing issues
  47. BCM Cycle - Summary (diagram; see slide 9): Stage 1 Risk Management; Stage 2 Business Impact Analysis; Stage 3 Business Continuity Strategy; Stage 4 Business Continuity Plan; Stage 5 Business Continuity Plan Testing; BCP Maintenance at the centre of the cycle
  48. Keys to Success
     • Link Business and IT Processes
     • Develop a comprehensive DR plan based on realistic threats
     • Keep DR procedures current
     • Test the DR plan – don’t view it as an exam; it is a quality improvement exercise
     • BC goals should be realistic
     • Clearly define DR roles, responsibilities and ownership
     • Have a clear data backup strategy
     • Communicate!
  49. Resources
     • Disaster Response Institute International (DRII) – http://www.drii.org
     • Business Continuity Institute (BCI) – http://www.thebci.org/
     • Disaster Response Journal – http://www.drj.com
     • NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs – http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
     • Continuity Central – http://www.continuitycentral.com/info.htm
     • Federal Financial Institutions Examination Council Business Continuity Handbook – http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_contin
  50. Conclusion
     • Don’t wait till a disaster occurs
     • Even with a small budget, prudent steps can be taken:
       - ensuring good backups
       - establishing roles and responsibilities
       - effective planning
     • New technologies may also be leveraged to make recovery more affordable
  51. Questions?
     • Bill Lisse - (937) 853-1490 – Email: wlisse@battellecpas.com
     • Jack Lohbeck - (937) 853-1423 – Email: jlohbeck@battellecpas.com
