Implementing a Business Continuity / Disaster Recovery Plan

1. Developing a Business
Continuity Plan . . . . .
More Than Disaster
Recovery!
April 19, 2010
UHY / MMA
Business Survival Series

2. 4/19/2010
Webinar Focus . . . .
• Understanding the components of Business
Continuity Planning and resulting “Business
Continuity Plan” (BCP)
• Conducting a BCP Gap Analysis/Risk Assessment
• Developing and implementing your BCP
• Establishing a Disaster Recovery Plan (DRP)
• Testing your BCP, DRP and associated controls
UHY Advisors, Inc.
• UHY Advisors, Inc. is the 15th largest professional services
firm in the U.S.
• Provide Business Advisory, Audit and Tax services to a
wide variety of companies and industries.
• 20 offices located through the U.S., with Michigan offices
in Southfield and Sterling Heights.
• UHY International Limited (UHYI), is one of the largest
accounting firms in the world with 198 offices in 65
countries and approximately 6,300 employees.
1

3. 4/19/2010
Definitions . . .
1. Business Continuity Planning (BCP):
The creation and validation of a practiced logistical plan for
how an organization will recover and restore critical functions
within a predetermined time after a disaster or extended
disruption.
2. Disaster Recovery (DR):
The process, policies and procedures related to preparing for
recovery after a natural or human-induced disaster. Disaster
recovery includes planning for resumption of business
operations. Disaster Recovery includes physical facilities,
equipment, applications, data, hardware, communications (such
as networking) and other critical business processes.
Definitions . . .
3. Risk Tolerance Level (RTL):
A process by which a company determines the risks, vulnerability
p y p y , y
and impact analysis of various disaster scenarios on critical
business processes and/or activities. RTL incorporates:
– Assessing and prioritizing business functions, processes,
activities, etc.
– Identifying interdependencies between critical operations,
departments, personnel and services
– Identifying potential impacts of uncontrolled, non-specific
events on business functions, processes, activities, etc.
2

4. 4/19/2010
Definitions . . .
4. Recovery Point Objective (RPO):
The acceptable time delay associated with systems, data and/or
p y y ,
process before the loss of an activity become critical.
5. Recovery Time Objective (RTO):
The acceptable amount of time to restore a designated business
function.
6. Probable Maximum Business Interruption Loss (PML):
Losses, based on worst-case scenario, that result from a business
interruption. . .Function of Seriousness and Duration
BCP – Why Bother?
1. Stability:
Su
Survival rate for companies that encounter a d saste
a ate o co pa es t at e cou te disaster
without a business continuity plan is less than 10%!
Only 6% of companies suffering from a catastrophic
loss survive, while 43 % never reopen and 51 % close
within two years.
2. Financial:
- C ti
Contingency Pl
Planning Research pegs the average hourly
i R h th h l
downtime cost at $18,000 for a small business.
- Assume they are off by 90% . . .that’s:
$1,800/hr . . .$7,200/24 hrs . . .$50,400/wk
3

5. 4/19/2010
BCP – Why Bother?
3. It Makes Good Business Sense!
• Uncovers core business weaknesses
• Addresses visible and concealed areas of
concern
• Strengthens customer perception
• Separates your company from competition
Proactive
BCP – A Strategy
• BCP as an Offensive/Competitive Strategy . . .
1.
1 Helps your company stand out from others:
Business Continuity Standards are coming!
ISO 27001, Austrian Standard HB 221:2003, NFPA 1600,
PAS 56, BS25999 . . . .
2. Creates a business which operates its systems at the
optimum levels:
Flexible with the ability to quickly identify and respond
to challenges, threats and disasters.
3. Builds a Resiliency into your operation:
Hardened systems fail less often and return more
quickly from day-to-day glitches.
4

6. 4/19/2010
BCP – UHY Perspective
• From our perspective . . .
– BCP process involves the recovery, resumption,
recovery resumption
and maintenance of the entire business . . More
than just IT and Data.
– Restoration of IT systems and electronic data is
important . . but . . recovery of these system will
not always be enough to restore operations.
– BCP involves the prioritization of
business objectives and critical
operations that are essential for
recovery.
BCP – UHY Perspective
5

7. 4/19/2010
BCP – Protection From???
Material Shortages
Natural Disasters
Delivery
Delays Product
Business Liability
Strikes Continuity
Terrorist
- Protection From – Activities
?
Client/Customer
Insolvency
Power Failure
Technological
Developments Computer
Viruses
Example of a Risk Map
BCP – Protection From???
6

8. 4/19/2010
Business Continuity Planning
Critical Steps
Step 1
Assessment
• Objectives Include:
1. Raising Awareness
2. Involving All Business Units / Departments
3. Involving All Personnel
4. Identifying the Critical Interactions Between
People, Processes and Departments . . .
• Examine the company as a whole for conditions
and processes that are critical for seamless
d th t iti l f l
business operations . . . a Threat Analysis.
• Plan is to provide management with a complete
picture of processes, dependencies and threats.
7

9. 4/19/2010
Step 2
Risks, Vulnerabilities & Impact Analysis
• Impact Analysis:
Assessment of operations to understand and identify
A t f ti t d t d d id tif
precisely what functions, activities, elements, etc.
would be impacted should there be a disruption or
disaster
• Risk Assessment:
Determining the potential losses from a threat verses
the cost of protective measures against the value of
protecti e meas res al e
the asset.
How Much Do We Spend to Protect?
RISK / COST / ROI
Step 2
Risks, Vulnerabilities & Impact Analysis
• UHY’s approach is to utilize a Risk Tolerance
Level (RTL) strategy to combine, Ri k
L l t t t bi Risks,
Vulnerabilities and Impacts.
• TRL incorporates a FMEA (Failure Mode & Effects
Analysis) format with:
- SEVERITY (impact on your business)
- FREQUENCY / OCCURANCE
- Impact on your Customer(s)
• Scale is 1 to 10 for each:
1 = No Impact / Never Occurs
10 = Critical Impact / Daily Occurrence
8

10. 4/19/2010
Step 2
Risks, Vulnerabilities & Impact Analysis
• RTL # Reaction Plan:
Less than 20
No corrective action and/or additional controls are required.
20 to 40
Risk control(s), including control method, process and frequency should be reviewed to identify
reaction steps/actions needed to ensure business continuity.
41 to 60
Risk control(s), including control method, process and frequency should be improved to
incorporate actions that will lead to a reduction in the RTL #.
61 to 80
Risk control(s), including control method, process and frequency indicate a concern regarding
business continuity. Control should be improved to reduce the RTL #.
Greater than 80
Represents a Business Continuity concern. The Risk and associated Control(s) must be improved
by implementing actions that will reduce the RTL #.
Step 3
Recovery – Strategies & Actions
• Recovery Window . . . Specific period in which
losses become intolerable.
l b i t l bl
- The shorter the window, the more recovery
resources need to be in place and ready.
- For longer windows, the recovery resources can
be put into place following the interruption.
• It is critical the recovery resources be:
- Identified
- Listed / Documented
- Pre-Arranged / Pre-Planned
- Tested
9

11. 4/19/2010
Step 3
Recovery – Strategies & Actions
• Disaster / Interruption Levels:
Level I:
L lI Interruption, i.e., Power is Out
I t ti i P i O t
Time Frame - 1 hour, 4 hours, >24 hours
Level II: Vacate the Facilities, i.e., Fire
Time Frame - 1 day, 1 week, 1 month
Level III: Facilities Gone, i.e., Tornado
Time Frame - Immediate Actions
Business Resumption
• Establish Recovery Action Checklist for each
scenario . . .Action Steps and Responsibilities
Step 3
Recovery – Strategies & Actions
• Recovery plans must:
1. Identify the
1 Id tif th resources required t resume b i
i d to basic
level of business operations.
2. Document skills, equipment, procedures, steps,
etc. required by each department/activity.
3.
3 Specify authority roles and responsibilities to
authority,
ensure that actions and tasks are managed,
completed and communicated.
10

12. 4/19/2010
Step 4
Interdependencies
• Predominate Recovery Goal . . .to re-establish
essential day-today b i
ti l d t d business f
functions before
ti b f
consequential effects occur.
• Key concerns:
- What’s the priority and sequence of recovery?
- What should be first, second, third, etc.
- Which functions are dependant on interacting
p g
functions?
• Interaction or Process Flow Diagrams can be used
to identify dependencies . . . .
Risk Mapping / Interactions
Step 5
Training and Awareness
• Employees need to know and understand:
1. The fundamental requirements of your Business
1 Th f d t l i t f B i
Continuity Plan . . . Who, What, Where, When, Etc.
2. The documented recovery action steps and their
role and responsibilities . . . Where do I go?
What do I do? What don’t I do?
3. The reaction plan based on who is available.
• Employee training should be provided on at least
an annual basis. Records should be retained.
11

13. 4/19/2010
Step 6
Testing Plans
• BCP testing should be based on the importance of the
business process to the both the company and to the
customer base.
• The testing process should be structured to:
– Incorporate and address the identified risk levels
– Assign and designate roles and responsibilities for testing
and reporting
– Demonstrate that the business continuity strategy and
recovery action steps have the ability to sustain the
business until operations can be re-established
Step 6
Testing Methods
• Testing methods vary from simple to complex . . . Depends on the
Risk and Business Process complexity.
• Level I - Structured Walk-Through:
Used as a training tool and as a test to determine fundamental
compliance.
• Level II - Walk-Through Simulation Test:
Choose a specific event . . apply the established recovery actions.
• Level III - Functional Test:
Performing actual recovery processes as defined in the company’s
Recover Action Checklists.
• Level IV - Full-Scale Test:
Real-life emergency is simulated as closely as possible.
12

14. 4/19/2010
Step 7
Maintenance / Sustainability
• The final step in developing and implementing a
BCP/DRP is “maintenance” to ensure sustainability and
maintenance
effectiveness.
• The resulting BCP/DRP Manual is a living document
that must be kept up-to-date:
– This document defines the policies and sets out the
steps, recovery actions, roles, guidance, etc. for disaster
recovery.
recovery
– This document must reflect changes in business, staffing,
processes, technologies, etc.
– Reviewed and updated on at least an annual basis.
BCP/DRP Manual . . .Format
13

15. 4/19/2010
Business Continuity – Cost/Benefit
• BCP entails costs . . . .There is no rule of thumb for the level
of costs involved. Depends on:
- The nature of the possible losses
- The potential impact
- The probability of the risks occurring
• Fundamentals apply . . . The tighter the safety net and the
greater the availability, the higher the costs.
• Example . . . Idle production costs and damage to a
company’s i image as a result of business interruption are
f i i i
compared with the preventive and reactive expenses
involved in BCP.
Remember the earlier slide . . . .minimum of
$1,800/hour!
Cost/Benefit Example
• Suppose we are considering the installation of a backup
generator so that our servers can continue operation in the
event of an extended power failure.
• Assume that we lose on average $50k for each extended
power failure, and on average there are two such failures
a year. The backup generator will prevent all such failures.
• Calculate the Annualized Loss Expectancy (ALE) by
multiplying the Annual Rate of Occurrence(ARO) by the
Single Loss Expectancy (SLE):
i ( )
ALE = ARO * SLE = 2 * $50k = $100k
14

16. 4/19/2010
Cost/Benefit Example
ALE = ARO * SLE = 2 * $50k = $100k
• If the annualized cost (taking into account depreciation,
training, and maintenance) of our backup generator is:
1. Less than $100k . . .we should install the generator.
2. Greater than 100k . . .we should accept the risk and
not buy the generator.
• Business continuity plan is a countermeasure (like the
backup generator) its value can be established using the
same technique.
BCP . . . .Cost-Benefit
• A Business Continuity Plan reduces the probability of
failure.
- Assume that it reduces the probability of failure
from 5% to 3%.
- Assume the company is worth $20 million.
- The value of our Business Continuity program is
worth the difference between these two valuations,
or $400 000
$400,000.
• Is a reduction of failure probability from 5% to 3%
unrealistic? It might be substantially more!
15

17. 4/19/2010
BCP . . . Just Thoughts . . .
• Insurance:
- BCP regulates the preventive and reactive action to be
taken in a crisis situation.
- Business interruption insurance covers the consequential
financial loss of a hazard (e.g. a fire).
- By paying standing charges, the cost of necessary loss
minimization measures and the profits lost, business
interruption insurance contributes to the company’s
economic recovery following a crisis
crisis.
• Questions . . . .Do We Have:
1. The Right Coverage?
2. Enough Insurance?
BCP . . . Just Thoughts . . .
• The object of business interruption insurance is to cover the
consequential loss(es) arising from a business disaster.
• Business interruption insurance essentially covers three
main areas:
1. The net profit that would have been made if there had
been no consequential loss.
2. The normal standing charges that still have to be paid
and cannot be reduced.
3. The (loss minimization) costs incurred in order to reduce
the duration and extent of the business interruption loss.
Terms to Understand - PML & SUM INSURED
16

18. 4/19/2010
BCP . . . To Do List
Determine RISKs and Business Impact for critical processes
Define Business Recovery objectives priorities, and expectations
objectives, priorities
Define critical, time-sensitive functions and systems
Incorporate changes into the plan
Establish the Disaster Recovery Team
Conduct employee training to test and understand the plan
Test the plan periodically . . .make amendments to the plan
Conduct Business Continuity Audits
Improve processes to minimize exposure during disruptions
Optimize operational strategies to mitigate against threats
Questions?
THANK YOU!
Alan Lund
UHY Advisors, Inc.
Southfield, Michigan 48034
(248) 204-9447
Alund@uhy-us.com
17