Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans


Published on

A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans

  2. 2. Creating a Business Continuity Plan Presenter: Kevin Williams Principal – SRIIA Technologies Consulting Services Austin, TX 512.694.0237
  3. 3. Learning Objectives  After participating in this session, you will be able to:  Understand the goals of Business Continuity Planning  Understand the components of a Business Continuity plan  Begin your Business Continuity Planning project 11/19/2013
  4. 4. What is a Business Continuity Plan? • • • Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity Source: 11/19/2013
  5. 5. Remember this Terrible Day? • Hurricane Katrina • Hurricane Katrina was the deadliest and most destructive Atlantic tropical cyclone of the 2005 Atlantic hurricane season. It was the costliest natural disaster, as well as one of the five deadliest hurricanes, in the history of the United States. Among recorded Atlantic hurricanes, it was the sixth strongest overall. Total property damage was estimated at $81 billion (2005 USD), nearly triple the damage brought by Hurricane Andrew in 1992. 11/19/2013
  6. 6. FEMA Grant Helps Restore New Orleans' Katrina-Damaged Archives • Release date: FEBRUARY 3, 2012 - Release Number: 1603-963 • NEW ORLEANS, La. -- The Federal Emergency Management Agency announced today approximately $1.7 million in public assistance funding to restore New Orleans Notarial Archives’ book volumes and historical records damaged during Hurricane Katrina. • “The Katrina-affected materials contain the original evidence of transactions involving land transfers, business agreements, mortgages, estates, agency rulings and other agreements relating to Orleans Parish properties. The volumes, which date from approximately 1965 to 2005, are critical for use in title examinations and serve as a rich supply of primary source materials for historical research on their period. 11/19/2013
  7. 7. Dilbert on Disaster Recovery Is this your current plan? 11/19/2013
  8. 8. What is a BCP? • It is a plan that gives a recovery team the information it needs to: • • • Recover from a disaster Continue the business operations Return to normal operations 11/19/2013
  9. 9. How is the BCP Used? • • • • As a ready reference for all information needed during the recovery phase following a disaster Lists strategies & priorities for recovery Lists contact information for recovery assistance & personnel Outlines the stages and flow of the recovery process 11/19/2013
  10. 10. General Overview • General Overview of the Organization • • • • • • • Managers & contact information Assembly sites—evacuation & alternate BCP coordinators & contact information Recovery site information Critical dependencies Important deadlines Important agreements 11/19/2013
  11. 11. General Overview (cont’d) • Recovery Strategies • • • • Address the priority that you wish to use to recover your information assets Include the identification of the assets, their location, and why important Establish the strategy to follow for several days during the recovery Uses the Vital Records plan to establish those priorities. 11/19/2013
  12. 12. Initial Response / Escalation Procedures • Notification checklist • • Who do you call? What are their numbers? In what priority do you call? • • • • • Declaration Procedures Initiate Evacuation Procedures • • • • Security / 911 Building Management? Department Manager? Account for all Personnel Alert recovery site Assess severity of situation Activate Recovery Team 11/19/2013
  13. 13. Declaration Procedures • • • • Determine procedures for when to declare a disaster Determine who can declare a disaster Establish local, regional Authorities and contact info If you must activate a hotsite, make sure these persons can also activate that site through the vendor 11/19/2013
  14. 14. Organizational Recovery Teams – Roles & Responsibilities • Management Team - Planning • • • • • Appoints business recovery coordinator to oversee plan development & maintenance Confirms essential functions & acceptable downtime for recovery efforts Approves alternate site / relocation decisions Sets test objectives—requirements to be met Reviews test results, ensures corrective measures are detailed and actions taken 11/19/2013
  15. 15. Alternate Site • Notification • • • • • • Personnel Applications support / tech support Administrative areas (mail, etc.) Key customers Critical vendors Periodically report status to management 11/19/2013
  16. 16. Alternate Site (cont’d) • First, consider the following issues risk managers commonly address in developing alternate site strategies as part of overall business continuity planning programs: • • • Employee comfort. Risk managers are growing more concerned and increasingly thoughtful about employees during crises. Location, location, location. Alternate site solutions that require significant travel can necessitate substantial expense in providing employee transportation and remote accommodations. Fast recovery time balanced with a reasonable budget. Customers are looking to restore their data and business functions promptly, but without placing undue strain on financial resources. Internal 'hot sites' are preferred by some corporations, but after staffing and accounting for space and technology upgrades, can wind up costing significantly more. 11/19/2013
  17. 17. Establish Requirements • Requirements Matrix – lists of what you need • • How much staffing required? Equipment needed? Make, Model & Speed • • • • Computers, fax machines, data lines, printers Desks, chairs, cabinets, etc. Forms, office supplies Software needed? (This is where Cloud Computing, SaaS type services become very tactical in a compelling BCP.) • • Any software critical to your function, not commonly found in other departments Help to bring it up and running – tech support people 11/19/2013
  18. 18. Business Critical Records • Where are they located? • • • Can anyone find them– firemen, 1st responders, etc.? Can you contact off-site storage? • • • • Best practices suggest CRM records management (Working with your hard-copy and digital storage providers is critical for successful BCP planning). Do you know what to order? Keep a list of your business critical records, locations, accessibility with your BCP Keep it updated! 11/19/2013
  19. 19. Establish Recovery Procedures • • Procedures to Activate Teams Establish new telecommunications • • • • Platform restoration • • • Voice recovery Data recovery Vendor connectivity Server applications Desktop applications / WAN Retrieval of Business Critical Records 11/19/2013
  20. 20. Establish Recovery Procedures • Reconstruction Procedures • • • • • Interim operating procedures Validating restored applications Identifying & re-entering lost transactions Processing backlogged work Alternate processing procedures • • • Logon procedures Voice mail instructions Printer selections, etc. 11/19/2013
  21. 21. Develop Calling Lists • You will need help to recover—don’t be afraid to ask for help • • • • Applications support – vendors, companies Personnel – others at your company / office who might be able to help Customers need to be informed- (Public Service Announcements for government offices) Vendors – can supply needed materials, equipment 11/19/2013
  22. 22. Creating a Business Continuity Plan Tactical Discussions 11/19/2013
  23. 23. Deciding goals for operational continuity? • • • • What are your organizations key business processes? How long can your org survive without these operations business process? Do manual methods make time to restore less critical? Do you have any processes with very little tolerance for downtime? 11/19/2013
  24. 24. Decide Criteria for invoking the plan • • What is the maximum amount of time a process can be unavailable before action must be taken? At what point does the cost of executing the plan become secondary to the outage? 11/19/2013
  25. 25. Critical Business Process Recovery Section • • • • • • Critical Business Process Workflow Physical Plant Related Recovery Plans IT Related Recovery Plans People Related Recovery Plans Assignments and Execution Preconditions / Preventative Plans 11/19/2013
  26. 26. Critical Business Process Workflows • • • Use the process workflow that was developed through a “Discovery” methodology as outlined in the earlier sections Make sure the workflow shows enough detail that someone who isn’t you can understand! Be sure to identify critical systems and applications used in the transactions
  27. 27. Physical Location Recovery Related Plans • • • • • • Office space? Lights? Heat / AC? Power? Water? Delivery Transportation? 11/19/2013
  28. 28. IT Related Recovery Plans • • • • • Hardware? Power? Internet? Email? Phone Service? • Applications (got media and a license key?) • Data Recovery from Backup? (Do you have backups offsite?) • Tech support contact information?
  29. 29. Technology Time out: Consider Hosting, ASP or SaaS • • • Consider preventing server disasters by owning and maintaining as few as possible Consider a provider that will be contractually bound to 99%+ uptime for your critical services without your efforts Ideas to look into: • • ASP or SaaS from your software vendor Rackspace (Managed service provider) 11/19/2013
  30. 30. People Related Recovery Plans • • • • • Who knows how to contact vendors? Who knows how to cut payroll checks? Who knows how to process credit card payments? Is there more than one person who can perform each critical business transaction? Do you have cell phone numbers to reach employees / volunteers / service providers?
  31. 31. Assignments and Execution • • • • • • What steps need to be taken to restore this process? Who has the authority with vendors to do so? Who has the required knowledge or training? Is there a backup operator to execute this plan if the primary is unavailable or unreachable? Who can make the decision to enact the plan? Assign roles and communicate expectations to staff 11/19/2013
  32. 32. Required Preconditions / Preventative Plans What needs to be part of your regular operating plan to enable your disaster recovery plans? • Set these actions in motion as part of your finished recovery plan Example: • Its really hard to restore from backup tapes if they are burned in an office fire or submerged under water. • 11/19/2013
  33. 33. Technology Time out: Cloud Backup Solutions Example of cost : Amazon S3 $0.15 / GB / month • Don’t want to “Roll your own” try one of these: • • • •
  34. 34. Testing The Plan • • • • Test each business process in your section when finished and at least annually after that! Make sure that your interactions with your vendors work as planned Streamline your plan based on your test results It is unlikely your plan will work exactly as you have planned it, do not be disappointed and focus on making corrections for the next test. 11/19/2013
  35. 35. Plan Maintenance Review your business processes at least annually • Update the processes for changes in how things work Examples: • Did you add new software applications? • Add new vendors you rely on? • Are there new processes or services to constituents you need to protect? •
  36. 36. Resources • Technical References – • PRISM DR Reference Disaster Planning: What Organizations Need to Know to Protect Their Tech (Webinar) Disaster Planning: FEMA Reference ARMA Resources ARMA Resources • • • • • • 11/19/2013