Trusted Advisor to Hundreds of Clients<br />Manufacturing, <br />Distribution & Trade<br />Insurance<br />Healthcare<br />Financial Services<br />Aurora<br />Bellin Hospital<br />Brookdale Senior Living<br />Briggs Medical Services Company<br />CuraScripts<br />Evanston Northwestern Healthcare<br />Extendicare Health Services<br />Father Martin Ashley<br />Florida Hospital<br />Froedtert<br />Global Health Direct<br />Loyola Physicians Foundation <br />Memorial Healthcare Systems<br />Northwestern Medical Faculty Foundation<br />St. Mary's Hospital<br />Thedacare <br />University of Wisconsin Hospital & Clinics <br />Bank of America <br />BB&T<br />Chase Bank <br />CNL Financial<br />Equity Investments<br />Fifth Third Bank<br />Fort Dearborn Associates <br />GunnAllen Financial<br />Lexis Nexis<br />Mitsubishi UFJ Securities <br />The Northern Trust Company <br />Trustco Bank<br />U.S. Bank <br />Wachovia <br />Angus Palm<br />AIT Worldwide Logistics<br />DB Aviation<br />Focus Products Group<br />Haworth <br />Hub Group <br />Kawasaki <br />Masco Corporation<br />NITCO<br />Pampered Chef <br />PepsiAmericas, Inc. <br />Rockwell Collins<br />Santa’s Best <br />SPX Corporation<br />Toyota Motor Sales <br />TTX <br />WMS Gaming<br />Zebra Technologies<br />AJ Gallagher <br />AON <br />BCBS Association <br />BCBS of North Carolina <br />BCBS of Tennessee <br />CNA Insurance <br />CUNA Mutual<br />First Penn <br />Hannover Life Re<br />HUB International<br />Markel Insurance <br />SUA Insurance<br />United Healthcare<br />Zurich Life/Chase <br />Utilities<br />Media and Entertainment<br />Consumer Products<br />Services<br />Ascent Media <br />CBS<br />Lionsgate Films<br />NBC Universal<br />New Regency Films<br />Playboy<br />Scholastic Book Publishing<br />Screen Actors Guild<br />Sony Pictures Entertainment<br />Sun Times<br />Universal Music Group<br />CoAdvantage <br />Grant Thornton <br />H & R Block <br />Hewitt Associates, Inc. 
<br />Illinois Facilities Fund<br />Jefferson Wells International <br />Lettuce Entertain You Enterprises <br />Starcom MediaVest Group <br />The BECO Group <br />Verio <br />Arch Communications <br />Ameritech <br />Anixter<br />Duke Energy <br />Nicor<br />Santee Cooper<br />Sprint<br />Coca-Cola Company <br />Culver's <br />Family Dollar Stores <br />Follett <br />Kohl's Corporation <br />Kraft Foods, Inc. <br />Land of Nod <br />Peapod <br />ShopKo <br />
Today’s Reality<br />“Only 38% of Fortune 1000 C-level executives surveyed in an independent study believe their companies are ‘very effective’ at identifying and managing all potentially significant risks that could negatively impact business, operational or financial performance.” – based upon a survey commissioned by Protiviti<br />Not all disasters are caused by external, uncontrollable factors; in fact, 80% of all declared disasters are internal to the organization.<br />Many enterprises mistakenly view business continuity management as an insurance policy that they will never need to place a claim against because of their “it won’t happen to me” mentality.<br />High-profile events such as the Sept. 11 attacks, the failures of firms such as Enron and WorldCom, and the 14 August 2003 blackout in the U.S. Northeast and Canada are focusing government and regulatory attention on changes in corporate governance, transparency and wider issues of enterprise risk management. This attention and these changes will affect business continuity management.<br />“Well managed companies manage risk well.”<br />
The Evolution of Business Continuity<br /><ul><li> Early 1990’s and before… seen as synonymous with IT Disaster Recovery
Fast forward to the evolution of e-commerce and the real-time enterprise… greater demands on business continuity management, often driven by external factors such as regulations</li></li></ul><li>Disaster Recovery and Business Continuity Perspective<br />Disaster Recovery Planning: A comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information system resources<br />Just one part of…<br />Business Continuity Planning: The process of making plans that will ensure the critical business functions can withstand a variety of emergencies, hazards, and vulnerabilities<br /><ul><li>Not just information technology, but all core business functions
Not just catastrophic disasters, but all potential causes of damage</li></li></ul><li>Business Continuity Management Today<br /><ul><li>Shift from Disaster Recovery to Business Continuity Management
Business Continuity Management is a critical concern for high-level enterprise managers
Business Continuity Management is vital to maintaining business reputation and investor confidence</li></li></ul><li>DRJ 2007 Trends in Business Continuity Survey<br />
“Well Managed Companies Manage Risk Well”<br />Into Which Category Could Your Firm Fall?<br />% of Firms With No Disaster Plan Who Survive Catastrophe<br />40% Fail Within 5 Years<br />Only 20% Survive!<br />40% Never Reopen<br />
Billion Dollar US Weather Disasters 1980-2007<br />
Business Continuity Objectives<br />Business Continuity Planning is the advance preparation necessary to facilitate executive command and control to minimize loss and ensure continuity of critical business functions of the organization in the event of a disaster.<br />The objectives of the BCP are to:<br />Ensure that the organization and IT are prepared to:<br /><ul><li>Respond to emergencies or disruptive events
Mitigate their impacts before and after an event</li></ul>Assure that each datacenter is prepared to activate the resumption and support of critical IT services.<br />Continue/resume time-sensitive business operations for the critical and essential application systems required to support business operations.<br />
Business Continuity Objectives<br />The objectives of the BCP Project are to:<br />Provide ability to initiate restoration procedures of critical computer processing and data communications capabilities quickly following a declared disaster.<br />Restore critical operating systems, application systems, business functions and data communications according to the recovery time objectives.<br />Achieve each of the above objectives in a timely, efficient, and cost-effective manner.<br />Return to a permanent operating environment as quickly as possible.<br />Comply with Sarbanes-Oxley Section 404:<br /><ul><li>Requires companies to establish an infrastructure design to preserve and protect records from destruction, loss and unauthorized alteration or other misuse.</li></ul>
Business and IT Relationships Relative to BCP<br />The Role of IT<br /><ul><li>Create adequate data quality and backup processes, including offsite storage, or hot-sites.
Establish adequate physical security mechanisms to preserve vital network and hardware components.
Set up methodologies (authentication, authorization, etc.) for treatment of sensitive data.
Administer systems, including up-to-date inventory, software versions and patches, and media storage.</li></ul>The Role of the Business<br /><ul><li>Contribute important information about criticality, tolerance, vulnerability
Establish how core business processes can be performed at an alternative location or using alternative systems
Make sure disaster communications processes are in place, e.g., phone trees, alerts, etc.
Ensure that BC liaisons have been established.
Nominate 1st Response Team, Recovery Team, Process Owners, and Reserve Team Members.</li></li></ul><li>Conducting a Business Impact Analysis<br />An 11 step process…<br />To start, we need to collect information:<br />Identify Business Unit and IT Participants <br />Develop the questionnaire. The BIA is not an exercise in “Yes” and “No” answers; the purpose is to draw information from the source that is useful to the stated objectives.<br />Obtain updated organizational charts, workflow diagrams, operating procedures, etc. that may assist in establishing organizational structure and business unit recovery priority.<br />Conduct interviews and collate questionnaire submissions<br />
Identify the impact categories that are important to your organization. <br /><ul><li>It is important to capture both the quantitative (i.e. tangible) and the qualitative (i.e. intangible) impacts. Choose impact levels using the most significant peak period for each business process/function. This may be at the end of a month, quarter or year, or according to seasonal trends.
Establish a scale for quantifying the operational impacts. For example, a scale of 1 – 4 could be used with the following definitions: 1 = no impact, 2 = moderate impact, 3 = serious impact and 4 = severe impact. Another scale to consider would be using a Low (L), Medium (M) or High (H) Impact scale for quantifying the impacts over each time period.</li></li></ul><li>Determine recovery point objectives (RPO’s). The RPO is the amount of data required to recover to a known point in time.<br />Determine recovery time objectives (RTO’s). Based upon the financial and operational impacts, determine the RTO. RTO’s are used as the basis for the development of recovery strategies, and risk mitigation techniques.<br />Determine the recovery capacity objectives (RCO’s). The RCO is the percentage of total capacity required to resume operations on a minimal or temporary basis.<br />
Identify the intangible impacts that make up the significant risk exposures to the organization. One intangible impact may be that the organization will lose employees and jeopardize recovery efforts if employees aren’t paid in a timely manner.<br />Where possible, contracted service level agreements and any associated penalties should be identified, along with legal or regulatory penalties. Force majeure clauses should be reviewed as well, as some insurance carriers have specific guidelines designed to protect the organization.<br />
Financial impacts to the organization as a result of process unavailability can be applied to each function. The BIA seeks to identify both direct and indirect financial impacts. Consider the many types of revenue loss for the organization as some may not truly be a loss but deferred income.<br />
Develop the potential financial loss exposure: <br />First, get the REVENUE figures for the last year by month. Take the biggest revenue generating month and divide by the number of work days. <br />Second, get the figures on EXPENSES per month (wages, rent, fixed expenses, etc.) and do the same thing. <br />Third, add in any potential REGULATORY FINES or anything else that could be added. Understand that some revenue may be recouped at different times, and some expenses will be higher (especially if employees have to go to overtime to make up the backlog for example), but it at least gives an example of a starting point from which to further refine.<br />More on this in a moment, but first…<br />
Analyze and document results, impact categories and potential financial loss to confirm recovery priorities and business unit recovery sequence.<br />Conduct workshops to gain consensus and validate responses, especially the RTO’s, and communicate any ancillary benefits to executive management, for example: streamlining operations, identifying outdated technologies, unrealistic spending, business process improvement, outsourcing opportunities, single points of failure, etc.<br />
Potential Financial Loss Exposures…<br />Average Loss/Hr<br /><ul><li>Retail: $1.1M
Telecommunications: $2.0M</li></ul>“Back of the Envelope” Sample Loss Exposure<br />Taken from the 2007* Annual Report<br />REVENUE ≈ $6.15M<br />EXPENSES ≈ $6.91M<br />Annualized Loss Exposure ≈ $13M<br />Monthly ≈ $1.08M<br />Daily (assume 30 days) ≈ $36,000<br />Hourly (assume 24 hours) ≈ $1,500<br />
How to Get Started <br />A FEW WAYS AN ORGANIZATION CAN START A SUCCESSFUL BUSINESS CONTINUITY MANAGEMENT PROGRAM<br /><ul><li>Achieve Senior Management Buy-in - Enterprises with best business continuity and disaster recovery practices have a corporate culture espousing availability, an understanding of the costs associated with business process outages, and a realization that following a well-defined process when disaster strikes is significantly better (resulting in less downtime and costs) than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing.
Perform an Informal Business Impact Analysis and Risk Assessment - Business continuity and disaster recovery planners should interview line-of-business (LOB) managers to determine the impact on business processes if specific sites or resources should become unavailable.
Understand Current Efforts – Your organization may currently have a DR plan in place, or all too often, recovery procedures exist inside the heads of administrators. If either of these is the case, it is important to understand several key characteristics of the current efforts, such as: when a drill was last executed, who ran the drill, whether it was successful, what lessons were learned, and whether it has had any continued impact on the organization.
Establish a BCP Strategy - Develop a go-forward roadmap for a successful process, business unit, IT, and executive sponsored initiatives. The strategy includes frameworks for methodology, information architecture, key performance indicators and project management.</li></li></ul><li>Seasoned and Certified Project Team<br /><ul><li>John Janachowski