So, you have a continuity plan and perhaps even think you have resiliency covered? Think again!
About more than just theoretical “best practices”, the deck was originally presented as a keynote for CPM West 2007. It covers the seminal role of strategic vision and the vital importance of executives’ risk exposure perspective. Practitioners’ and senior executives’ eyes alike are opened to the realities of what it takes to be truly prepared and capable of responding in an all-hazards approach as an integral part of enterprise-wide risk management (ERM). This presentation looks at pragmatic cures for the “hardening of the attitudes” disease prevalent in too many boardrooms, which results in the 10 most common mistakes corporate and governmental entities at all levels make when attempting to plan and implement viable resiliency programs.
15. BII: adequate for these or not?

| Risk Event | Percent Affected | Business Impact |
|---|---|---|
| Power outage | 88% | High |
| Telecom failure | 57% | Medium to High |
| Hardware failure | 56% | Low to High |
| Natural disaster | 55% | Medium to Very High |
| Human error | 53% | Low to High |
| Software failure | 48% | Low to High |
| Service provider failure | 39% | Medium to High |
| IT security breach | 36% | Medium to Very High |
| Facility move | 33% | Medium to High |
| Terrorists' acts | 21% | Medium to Very High |
| Physical security breach | 18% | Medium to Very High |
| Fire | 12% | Medium to Very High |
And… in keeping with that thought… let's find out exactly what we will look at today.
Why apocalyptic? How to avoid it?
Eisenhower quote vs. Shane & John M approach. Are key responders fully aware of the org’s dependency, and has the org made plans to take care of their special needs? What about critical responders who are temporarily unavailable or impaired? What is your org’s policy on impaired persons in an emergency?
BCP activities include: customer, partner, and supplier communications and manual workarounds; possibly alternate quarters. DRP activities include: data recovery, server recovery, network re-routing, hot site spin-up, etc. Tell the oil well fitting company story. Mention other domains. Why apocalyptic, and how to avoid it.
All these functions, and probably more, need BC addressed, though as I said, DR for us is a more critical role than for some other firms. What about support functions we take for granted: mail and other deliveries, custodial, etc.?
CPM surveyed the Fortune 5000 in 2004, and some 2800 respondents reported these results. 30% of all businesses that have a major fire go out of business within a year; 70% fail within 5 years (research by Gartner Group). 93% of companies that lost their work-in-progress data for 10 days or more due to a disaster filed for bankruptcy within 1 year of the disaster (National Archives & Records Administration, Washington DC). 50% of businesses that found themselves without data recovery from PCs for this same time period filed for bankruptcy immediately (National Archives & Records Administration, Washington DC). What about a pandemic? Has your org started any research or planning around Avian Flu mutating to a human-infectious form? What about falling water? Will your BII cover the expensive decorations that adorn HQ?
You need to know where to get replacement employees or contract workers who can take up the slack in such a situation. If your systems are so customized that such workers can’t be found, then you’ve identified another key vulnerability for your organization.

Many planners simply assume that because of the nature of their organization (bank, nursing home, etc.), the utility companies will assign them a high priority in their recovery operations. During the 2004 hurricane devastation in Florida, many nursing home operators, who simply assumed that they had the same priority as hospitals, found out that they were actually lower in priority than most businesses. Find out BEFORE disaster strikes!

Most diesel-powered generators only have about a three-day supply of fuel in their supply tanks. Often, during a disaster, areas become inaccessible to fuel trucks for longer periods of time than that, and alternate plans need to be drawn up for that eventuality.

Many organizations are dependent upon air deliveries of key items. An example would be drug companies who are delivering test samples for clinical trials. These deliveries were completely disrupted after 9/11, when the entire air fleet of the country was grounded. Another example would be organizations who have arranged for air delivery of replacement computers in a disaster, just the time when airports might be closed. Alternative means of transportation need to be identified in advance to cover these eventualities.
Mention the article coming out and the presentation at DRJ FW 06 on IS meeting Homeland Security.
All lines represent all the EI brands’ contribution. Green is Business As Usual; orange is the impact of the 50% loss of Hotels.com (complete outage time of 15 days, plus less than 100% operation time, plus damage to brand); and red is the impact of the 50% loss of Expedia.com (complete outage time of 30 days, plus less than 100% operation time, plus damage to brand).
Recovery Costs Factor exponential growth over time curve source: Sir Andrew Hiles, the British Continuity Institute and the British Standards Institute, 2002. Actual $ figures sourced from Expedia FP&A 2005.
Discuss loss of ability to purchase and pay. Coordination with local jurisdiction’s emergency services and EPD.
The less mitigation/prep/training is undertaken, the lower the organization’s coping level, and the larger the Disaster Realm becomes.
The more mitigation/prep/training is undertaken, the higher the organization’s coping level rises, and the smaller the Disaster Realm becomes.
Repository and corporate memory of lessons learned. Nearby risks?
Up-front costs + RTO costs + additional recovery costs = total cost/impact. Include the cost to manage brand impact (advertising, coupons, marketing…). Investing more up front reduces the other costs.
I thought about alternatively titling this slide “And the regulators shall inherit the earth”. I know you all realize that this is not even all the pertinent heavy-hitter regs; for instance, FACTA, FISMA, and GLBA are not even covered here!