2. Overview:
1. The What’s & Why’s of Business Continuity Planning (BCP)
2. Understanding Risk and the Impact on Your Business
• Recoverability
• Usability
3. The BCP Life Cycle: It Doesn’t Have to Be Complicated
• Getting Started
• Creating & Re-Evaluating BCP Plans: Keep It Simple
• Risk Assessment
• Strategic Planning
• Plan Creation, Test, Train, & Maintenance
4. Summary: BCP Today & Tomorrow
5. What is Business Continuity Planning (BCP)?
A process whereby businesses ensure the recovery of critical business operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or other unplanned incidents.
6. What is Business Continuity Planning (BCP)?
More simply described…
It is a coordinated strategy involving plans and procedures that assures your clients that you have the ability to continually meet their needs following an unplanned business disruption.
7. What is Business Continuity Planning (BCP)?
BCP is a process to ensure that the necessary steps are taken to:
• Identify the impact of potential losses.
• Maintain viable response and recovery strategies and plans.
• Ensure continuity of products/services through testing-rehearsal exercises, training, and maintenance.
(Diagram: a continuous cycle of Identify Risks, Incident Response, Business Recovery, and Plan Updates.)
8. Why Have a Business Continuity Plan?
• Maintain continuity of operations, stay in business!
• Maintain customer service
• Relocate critical operations quickly
• Minimize financial losses
• Reduce disruptions to critical operations
• Achieve an orderly recovery
• Comply with legal, contractual, audit, and government regulations
9. Why Have a Business Continuity Plan?
• Reduce reliance on key personnel
• Protect assets
• Increase the safety of all personnel
• Minimize decision making during the recovery
• Reduce delays during the recovery process
• Provide a sense of security
• Limit potential exposure and reduce legal liability
• Provide organizational stability
10. Recoverability
The most important recoverability requirements are often defined by your customers (internal and external). What are their expectations?
• Addresses the requirements of clients and prospects. Business Continuity Planning and program maintenance are not optional with customers.
• Must be an ‘Actionable’ plan: continued availability of your services and support that is verifiable.
• Distinguishes you from your competitors.
11. Usability
Is the implementation of the Plan easy for everyone to understand?
1. Can Executive Management & the Crisis Team easily assess the emergency?
2. Do Department heads understand their roles during an incident?
3. Does the Plan prioritize the most critical business functions? (Controls unnecessary documentation)
4. Are testing/training programs in place to review overall readiness?
5. Are procedures developed for manual processing? (Is recoverability dependent on systems availability?)
6. Can procedures be followed by someone outside the critical function? (You cannot expect availability of all subject matter experts during an incident)
12. Getting Started…
• Do you have someone in your organization who is assigned the responsibility for Business Continuity Planning?
• Does Business Continuity Planning have sponsorship at the Executive level?
• Has your company identified which systems and processes are essential to the survival of your business and to delivering its core services?
• Has your company determined how quickly essential systems and processes need to be back in operation following an unplanned incident?
13. Creating and Re-Evaluating BCP Plans…Keep it Simple
Phase 1: The Risk Assessment Phase, which establishes the risk framework. The Risk Assessment will identify the primary threats to day-to-day operations by identifying potential internal and external risks in each defined area.
Phase 2: Activities include the development of Alternative Recovery Strategies. The project team will identify the most likely recovery strategies with which to mitigate risk.
Phase 3: Activities include documentation of the Business Continuity Plans, Plan Maintenance, Training and Testing Exercises. In addition, a process will be developed as part of maintenance to continually re-evaluate the risk to day-to-day operations.
14. Business Continuity Planning Life Cycle
(Diagram: the life cycle phases are Discovery - Project Initiation, Functional Requirements, Strategies, Planning, Crisis Communications, Exercise/Testing, Maintaining/Updating, and Training/Awareness.)
Discovery - Project Initiation:
• What is in place today
• Define the Business Continuity Plan Project Objectives and Requirements, Scope and Cost
• Executive Support
• Identify BCP Team Assignments
• Establish Business Continuity Policies
15. Business Continuity Planning Life Cycle
Functional Requirements:
• Identify client servicing needs and current regulation requirements
• Site/Operational assessment/interviews (Business Impact Analysis)
• What are the hazards/threats/vulnerabilities? (Risk Assessment)
• Key personnel interviews
16. Business Continuity Planning Life Cycle
Strategies:
• Where will we go
• How will we operate
• What will we do for our employees
18. Business Continuity Planning Life Cycle
Crisis Communications:
• Who approves the messages and when they are published
• How will we communicate to media
• How will we communicate with employees
• How will we communicate with customers
19. Business Continuity Planning Life Cycle
Exercise/Testing:
• How often do we test
• Who will be involved
• What are the objectives
• Follow-up and lessons learned
• Tabletop Exercise for developed Plans
20. Business Continuity Planning Life Cycle
Maintaining/Updating:
• Who is responsible
• How often should it be updated
• How do we communicate changes to the Plan
21. Business Continuity Planning Life Cycle
Training/Awareness:
• Training people for preparedness
  • Home
  • Work
• Understand their roles in recovery
• Understand the Business commitment to employees and clients
22. Elements of an ‘Actionable’ BCP Program
1. Risk Evaluation Results and Controls
2. Business Continuity Defined Strategies
3. Emergency Response and Operational Procedures
4. Business Continuity Plans (Site /Dept), IT DR Plans
5. Testing & Exercises
6. Awareness & Training Program
7. Public Relations & Crisis Communication Procedures
8. Coordination with Public Authorities
23. BCP Ongoing Approach
Process vs. Project
• Annual Risk Assessment/BIA, plus Plan Reviews.
• Efforts for Next Year identified before budget cycle.
• Annual testing of at least some aspect of the plan.
• BCP Coordination ongoing.
24. Summary: Business Continuity Today
Focus On:
• Assessing impacts and risks.
• Establishing crisis management response protocols to react to disruption.
• Developing business recovery strategies that respond to assessed risks and impacts.
• Testing strategies for viability and effectiveness, and to ensure solutions meet requirements.
25. Summary: Business Continuity Tomorrow
Evolve the Business Continuity Program to:
• Utilize the program as a way to establish risk controls.
• Incorporate the program as part of business-as-usual and an extension of normal operations rather than a reactive project.
26. Mark E. Madar
Director of Corporate Risk Management and Quality Assurance
Mark is the Director of Corporate Risk Management and Quality Assurance of CBIZ, Inc. With 20 years of experience, he has demonstrated significant abilities in strategic planning, Corporate IT Management, IT Compliance, Operations and Systems Consulting leadership roles. Leveraging a business background with both Operational & IT expertise, he has successfully managed the development and implementation of strategic enterprise system rollouts, business process re-engineering, and merger and acquisition migrations. Prior to joining CBIZ, Mark worked with a variety of financial, insurance, technology, and corporate banking companies including large organizations such as Moen Inc., Key Bank, AmeriTrust, State Farm and Fortune Brands.
Most recently, he provides Corporate IT Governance support across the CBIZ organization and Business Continuity Planning oversight for the CBIZ Risk & Advisory practice. This includes the management of business resumption and disaster recovery planning, business impact analysis, IT policies and controls, security site audits, due diligence evaluations, regulatory compliance with state and federal agencies, and system quality control reviews. Mark has been involved with large Sarbanes Oxley and Y2000 evaluation/implementation projects for publicly traded companies.
Active in the professional space, he is a recurring member of the Internal Technology Leaders Forum, interacting with the CIOs of many of the largest Accounting firms across the country. Firms discuss strategic planning and technical best practices, system and support requirements, policies, expense management and IT compliance. Mark is a recurring speaker on IT Compliance & Data Security topics including regulatory requirements, information handling, IT policies and procedures, and disaster recovery planning. Other memberships include active participation in the Cleveland CIO Forum and Executive Summit, presented by Premier TCE and SIMS, as well as the Information Security MIS Institute. Mark has also completed Business Resumption Planning and System Administration training through SunGard. He currently serves on various local non-profit boards of directors.
EDUCATION
• B.B.A Economics, Case Western Reserve University
PROFESSIONAL CERTIFICATIONS
• Project Management Certification, PMI
PROFESSIONAL ASSOCIATIONS
• Member, ITA-Internal Tech Leaders
• Member, MIS Institute-Information Security
• Member, CIO Forum-SIMS
27. CBIZ Risk & Advisory Services
For more information please contact us at:
Mark Madar,
Director of Corporate Risk Management & Quality Assurance
(216) 525-1956/(866) 956-1983
mmadar@cbiz.com
or
RASInfo@cbiz.com
www.cbiz.com/ras