This document discusses business continuity planning and argues that organizations can and should develop their own continuity plans internally rather than relying on expensive external consultants. It provides examples of past crises that organizations did not plan for. The author argues that common excuses for not planning like "it will never happen to us" are misguided. The approach presented simplifies continuity processes and strategies, views it as an extension of normal operations, and develops the program internally with existing staff and systems rather than consultants. Benefits include plans being low-cost, effective, actionable, and internally managed rather than dependent on consultants. The author provides examples of organizations that successfully used this approach and offers to help organizations develop their own continuity program.
4. The question
- Joplin Missouri prior to May 22, 2011
-City of Detroit prior to filing for bankruptcy in 2013
- State of Louisiana prior to 2005 (Hurricane Rita)
- Haiti prior to 2010 (Earthquake)
- Gulf coast prior to March 2010 (BP Oil Spill)
- Financial industry prior to 2008
- City of New Orleans prior 2005 (Hurricane Katrina)
“Why should we plan for something that
will never happen?”
- State of Arizona prior to July 2013
- Japan prior to 2011 (Earthquake and Tsunami)
- Asia prior to 2004 (Indian Ocean Tsunami)
- Technology industry prior to 2000
- Philippines prior to 2013 (Typhoon)
- New York City prior October 2012 (Hurricane Sandy)
- State of Colorado prior to September 2013
- Pentagon prior to 2001
5. The problem
The business continuity planning discussion over the last 10 years.
“A crisis will
never happen
to us”
“There isn’t
any real value
in it”
“It’s too
complicated”
“We have more
important
things to worry
about right
now”
“It’s too
expensive”
“We are
too big to
fail”
6. The problem with consultants
In many ways, consultants and business continuity firms are the
problem.
They incorrectly
identified threats and
risks
They try to convince
you that you can’t do it
alone
They make it too
complex to execute
They often forget about
incident management
They are expensive or
they charge recurring
support fees
They offer industry
standards that don’t fit
or sell tools that don’t
work
7. How we got here
INEVOLVE SB was started as a direct result of the problems experienced by it’s founder: Business
continuity plans were being written with the consulting company in mind, not the organization the plans
were supposed to be for. As a result, they were and are costly, confusing and are not actionable. After
spending a decade watching this practice devolve into a costly and ineffective method for customers,
INEVOLVE SB was founded to change it.
Over 20 years of experience in the Business Continuity and Disaster
Recovery Industry
Designed, developed and implemented continuity programs and plans
for the federal government and private sector organizations
Founder and CEO
Mike Minzes
Directed and developed both low budget and multi-million dollar
business continuity and disaster recovery programs
Developed business continuity plans and programs for:
Continuity Partners:
INEVOLVE SB is a member of the National Preparedness
Coalition
8. What is business continuity
Simply put, business continuity is the activity performed by an organization to
ensure that critical business functions will be available to customers.
9. What is business continuity
Business continuity is what you do when incident response fails
10. How we solve the problem
View business continuity as an extension of operations
Internalize business continuity and disaster recovery to make it an
organizational effort.
Design, develop and implement the program WITH the organization, not for
it.
Develop an organizational understanding of business continuity, rather
than have the organization memorize a step-by-step process.
Provide free training and resources to support program leads in the
management of the lifecycle.
11. How we view business continuity
Business continuity is really just a change in thinking
Define the organization’s critical services.
Define the essential functions.
Define the critical staff that supports essential functions.
Define the critical staff support requirements.
Strategies and plans are then built around this information
12. We simplify the processes
Critical
Services
Essential
Functions
Critical
Staff
Critical Support
Elements
Having this information about your organization is 90% of the work
Continuity
Strategy
Documentation
The remaining 10% is planning
13. We simplify the strategies
Crisis Management
Crisis
management
team (CMT)
convenes
Incident
occurs
CMT assesses
incident based
on IRT reports
Decision to
activate or not
made
IRT assesses
situation and
reports status
to CMT
Recovery plans
activated or not
based on CMT
decision
Incident Response
Incident
response team
(IRT) convenes
Manage and control incidents before they become disasters
14. We simplify the design, build and implementation
Internal Teams
Crisis Management
Team
Incident Response
Team
Emergency
Relocation Group
Disaster Recovery
Team
Team are made up of
internal staff
Support Systems
Action Plans
Crisis Management
Plan
Incident Response
Plans
Enterprise Recovery
Plan
Lifecycle
Management Plan
Document
Management
System
Business
Impact
Analysis
System
Incident
Management
System
Change
Management
System
Built on internal
systems at no
additional cost
15. We make it yours
Who knows the organization better than those who are
employed by it?
Nobody knows the organization better that the people who keep it running day-to-day.
In order to make business continuity cost effective and actionable, it needs to be in
the hands of the people who are providing services to the organization’s customers
on a daily basis.
16. Notable use cases for this method
Atlanta Public School District
The Atlanta Public School District, with over 54,000 students, 3,000
staff and more than one hundred facilities used this method
successfully to design, develop and implement the district’s business
continuity and disaster recovery program.
Coast Guard Telecommunication and Information Systems Command (TISCOM)
The United States Coast Guard used this method to develop and
support the TISCOM IT disaster recovery program that supports the
Coast Guard’s secret and sensitive but unclassified (SBU) networks
nationwide.
The Defense Logistics Agency (DLA)_
The Defense Department’s Logistics Agency uses this method to
maintain their existing disaster recovery programs across the country.
17. What we will do for your organization
Develop and implement an actionable business
continuity program that includes:
Establishing a crisis
management capability
Establishing an incident
management capability
Establishing internal roles
that maintain the program
Creating action plans that
supports critical services
Establishing lifecycle
management processes
Developing a crisis
communication plan
Developing document
management systems at no
additional cost
Developing continuity
management systems at no
additional cost
18. What we will do for your organization
Develop and implement an actionable business
continuity program that includes:
Provide training that is
geared towards the
program
Providing storage media for
plans and documents
Providing exercise and
execution training
Providing support
documentation
Establish a “Not to Exceed”
line for any additional
purchase requirements
Submission of program to
accreditation agency for
certification
19. Certification and accreditation
Program certification through state and federal
emergency management agencies
A business continuity program that is certified by an official accreditation organization
is considered a gold standard in the industry.
We develop business continuity programs to certification standards and submit it for
accreditation.
If the program is rejected for certification, we will return at no cost to the organization,
address the shortfalls and resubmit it.
20. Benefits of this approach
Simple and easy to follow
Action plans are written in a way that
is easy to understand and follow
Low cost
Cost to design, develop and
implement is below the industry
average and there are no long term
consulting support contracts required
Effective and actionable
Plans are proven effective through
tests, drills, exercises, and then
certified by an official accrediting
agency
Internalized processes
Business Continuity and
Disaster Recovery Program
are managed using
organizational staff, not
consulting firms
21. “If you plan for everything, you will be
prepared for anything”