Business Continuity Planning
Presented by:
• Bill Lisse, CISSP, CISA, CGEIT, GPCI, GHSC, Security+ SME Manager, Technology & Risk Management
• Jack Lohbeck, CPA Director, Business Consulting

Increasing Competition & Risks
• Businesses are constantly at risk for interruptions to their operations, any of which can have devastating consequences
• Gartner reports that two out of five organizations that experience a disaster go out of business within five years
• A speedy recovery from interruption is imperative to staying solvent as a business

Business Continuity
“The process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.”
Source: Disaster Recovery Institute International’s Glossary of Industry Terms

Planning for Disruptions
If you do not develop and implement a business continuity (BC) plan and disaster recovery (DR) procedures that are able to bring the business back up in as short a time as possible, the potential for lost revenue can add up to millions of dollars within several days.

Common Roadblocks
• Over confidence - “It can’t happen to me”
• Over extension - don’t feel you have the time, personnel or other resources to devote to comprehensive contingency planning
• Over reaching - reaching too far and wide; makes the process overwhelming and seem impossible
• Over planning - several contingency plans for specific situations or departments which become uncoordinated

Business Continuity Management (BCM)
• BCM is a process that applies to any business, small or large, that helps to manage the risks that threaten its survival
• The objective is to identify the hazards that may affect critical functions or activities and to ensure that these can be reduced or responded to in an effective way

Reasons for BCP
• Loss or Injury to Personnel
• Compliance
• Loss of Revenue
• Damage to Critical Resources
• Loss of Customers
• Reputation Damage
• Civil and Criminal Liabilities

BCP Resource Scope
• People
• Materials
• Critical Records
• Office Work Areas
• Critical Machinery & Equipment
• Communications Infrastructure

BCM Cycle (diagram; Stages 1 to 5)
• Risk Management
• Business Impact Analysis
• Business Continuity Strategy
• Business Continuity Plan
• Business Continuity Plan Testing
• BCP Maintenance

Business Continuity Management
• Risk Management
• Business impact analysis (BIA)
• Classification of operations and criticality analysis
• Document the BC plan and DR procedures
• Training & Awareness
• Testing
• Ongoing Monitoring & Plan Maintenance

Risk Management

Risks
• Probability: How likely is an adverse outcome?
• Threats: What can go wrong? Human (intentional or accidental); Natural Events
• Impacts: What are the consequences of the event?
• Foundation: History - Analytical Tools - Technology Maturity - Knowledge/Experience

Threats - Examples
• Labor Disruptions: Pandemics; Strikes and disputes; Accidents; Workplace Violence
• Natural Disasters: Tornado; Hurricane; Earthquake; Floods
• Lack of Materials: Shortages; Delays; Supplier breach
• Facilities: Fire; Black/Brown Outs
• Equipment: IT Failures; Communications failures; Equipment Failures

Vulnerability Threat Opportunity Exposure

Risk Management
Question: Which business processes will be affected?
• Low Impact: Non-critical internal processes
• Medium Impact: Critical internal processes
• High Impact: Any external facing processes
Question: How will it impact customers or prospects?
• Low Impact: No impact
• Medium Impact: Peripheral impact on revenue generation or end-customer support
• High Impact: Direct impact on revenue generation or end-customer support
Question: What is the cost to overcome disruptions?
• Low Impact: Peripheral departmental or project budget
• Medium Impact: Material to a departmental or project budget
• High Impact: Material to the company
Question: What is the impact on other projects?
• Low Impact: Select users throughout the company
• Medium Impact: One or more departments
• High Impact: Entire company
Question: What is the impact of the function on revenue generation?
• Low Impact: No correlation to revenue
• Medium Impact: Peripheral correlation to revenue
• High Impact: Direct correlation to revenue

Potential Business Consequences
• Inability to maintain critical customer services
• Damage to your market share, image, reputation or brand
• Failure to protect the company assets (including intellectual property and personnel)
• Fraud
• Failure to meet legal or regulatory requirements
• Financial loss

Risk Management: Risk Responses
• Mitigate
• Accept
• Avoid
• Transfer

Business Impact Assessment
• The BIA is the most critical process in the development of a DR strategy
• Provides the business requirements used to develop the plan (focus resources)
Typical Areas
• Identify critical business processes
• Determine the disruptions & probability
• Impact of disruptions on business
• Determine Loss Exposures

Business Impact Analysis
A Business Impact Analysis Helps Organizations:
• Identify and prioritize risks
• Identify requirements
• Identify the extent of financial impact
• Identify the extent of operational impact

Business Impact Analysis
The process of analyzing all core business functions and establishing an optimized timetable for recovery.
• Maps data flow
• Identify maximum tolerance for downtime
• Identify interdependencies
• Determine the recovery priorities of the organization
Provides baseline for:
• Justification for costs associated with recovery
• Developing recovery strategies
• Developing Support Level Agreements

Business Impact Analysis
End-User Questionnaire Highlights:
• Department Overview
• Workflow Interdependencies
• Computer Resources
• Application Impact Analysis

Department Overview
• Identify department, location, and at least two representatives from each department.
• Develop a comprehensive list of applications used in the department.
• Describe the business function(s) of the department.
• Gather information about the department’s daily business hours, revenues generated, transaction volume, and any peak or high demand periods.

Workflow Interdependencies
1. Identify the departments and organizations that send work to the department.
2. Determine what routes or channels of communication are used to send that incoming work and estimate the percentage that comes via each route or channel.
3. Gather the same information in #1 and #2 for work sent by the department.

Computer Resources
• Gather information on the computing equipment in the department and how it is used.
• Begin exploring the reliance that the department has on the computing equipment, e.g., What data entry backlog would there be if it was unavailable for one day?

Application Impact Analysis
• Basic description of each application, including what it does, what business functions it supports, if it handles PHI, and who the department contacts are for the application.
• Estimate the level of departmental business interruption associated with the application being unavailable through various time thresholds.
• Estimate the associated data entry backlog that would result and how many staff hours it would take to eliminate the backlog.

Application Impact Analysis
• Evaluate the downtime procedures associated with the application, asking questions like: have the procedures been used before, how did they work, and how long can the department function using them?
• Evaluate any regulatory, legal, financial, customer service, and public image problems that could arise as a direct or indirect result of the application being unavailable through various time thresholds.

Business Continuity Strategy
• Market Structure & Budget
• Data and system backup and restore
• System & Data failover, redundancy
• System vulnerabilities & threats
• Disruptions to internal systems, telecommunications, applications, Web access
• Operation of environmental systems
• Natural disasters and other interruptions

Business Continuity Strategy
• Transfer Control/Function
• Relocation of staff
• Manual or alternative
• Work from home
• Shut down
• Hot Site or dedicated
• Warm Site
• Cold or Shell Site

Business Continuity Plan
• Considerable effort and time are necessary to develop the initial BCP
• Effective documentation and procedures are extremely important in a BCP
• Well-written plans reduce the time required to read and understand the procedures
• Result in a better chance of success if the plan has to be used.
• Significantly reduce maintenance time and effort.

Business Continuity Plan
An overarching plan of the company to be able to recover from a disaster and to resume normal business processes in as little time as possible
The BCP is made up of many “sub-plans”:
• Emergency Response Plan
• Disaster Recovery Plan
• Public Affairs Plan
• Occupant Emergency Plans

Business Continuity Plan
Within a BCP, you have some key components:
• Assessment: A way to identify threats (BIA - more on this later)
• Evaluation: The likelihood and impact of each threat
• Preparation: For contingent operations
• Mitigation: The reduction or elimination of risks
• Response: The response to minimize the impact of an emergency
• Recovery: The return to normalcy

Business Continuity Plan

Business Continuity Plan
A document stating:
• Who and What (systems, equipment, records and facilities) are required
• When they are required
• Where to operate your business for an indefinite period
A standard format for the procedures should be used for consistency, conformity, and maintenance
Standardization is especially important if several people write the procedures

Business Continuity Plan
Two basic formats are used to write the plan: background information and instructional information.
• Background information should be written using indicative sentences
• Instructions should use an imperative style (issue directions)

Business Continuity Plan
Helpful tips in writing the BCP:
• Be specific. Write the plan with the assumption it may be implemented by personnel unfamiliar with the function and operation.
• Use short, direct sentences, and keep it simple. Long sentences can overwhelm or confuse the reader.
• Use short paragraphs. Long paragraphs can be detrimental to reader comprehension.
• Use active voice verbs in present tense. Passive voice sentences can be lengthy and may be misinterpreted.
• Use descriptive verbs. Non-descriptive verbs such as “make” and “take” can cause procedures to be wordy.
• Avoid jargon.
• Use position titles (rather than personal names of individuals) to reduce maintenance and revision requirements.
• Develop uniformity in procedures to simplify the training process and minimize exceptions to conditions and actions.
• Identify events that can occur in parallel, and events that must occur sequentially.

BCP Testing
• Plan Audit
• Passive Walk Through
• Scenario Workshop
• Physical Test
• Live Simulation Test

BCP Testing
• Dependencies
• Frequency
• Test Plan Development
• Test Procedures
• Test Results
• Management and Staff Awareness

BCP Maintenance
It is important that the plan be continually maintained and updated. Business continuity plans should include specific maintenance responsibilities and procedures. The major considerations in this process include:
• Maintenance frequency
• Change factors
• Maintenance responsibilities
• Distribution considerations

BCP Maintenance
• The recovery procedures for each team should be updated at minimum on a yearly basis and should also be updated following major organizational changes
• Telephone lists and other inventories should be updated at least quarterly
• The plan should also be reviewed and updated when there are major changes in technology
• A plan maintenance form can be used to record and control all maintenance changes, additions or modifications to the plan

BCP Maintenance
It is important to recognize factors that may change the business continuity plan:
• Procedural changes
• Organizational structure changes
• Personnel changes/turnover
• Physical changes (e.g., facilities)
• Technology changes
• Recovery requirements changes
• Testing issues

BCM Cycle - Summary (diagram; Stages 1 to 5)
• Risk Management
• Business Impact Analysis
• Business Continuity Strategy
• Business Continuity Plan
• Business Continuity Plan Testing
• BCP Maintenance

Keys to Success
• Link Business and IT Processes
• Develop a comprehensive DR plan based on realistic threats
• Keep DR procedures current
• Test the DR plan – don’t view it as an exam; it is a quality improvement exercise
• BC goals should be realistic
• Clearly define DR roles, responsibilities and ownership
• Have a clear data backup strategy
• Communicate!

Resources
• Disaster Response Institute International (DRII) - http://www.drii.org
• Business Continuity Institute (BCI) - http://www.thebci.org/
• Disaster Response Journal - http://www.drj.com
• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs - http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
• Continuity Central - http://www.continuitycentral.com/info.htm
• Federal Financial Institutions Examination Council Business Continuity Handbook - http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

Conclusion
• Don’t wait till a disaster occurs
• Even with a small budget, prudent steps can be taken: ensuring good backups; establishing roles and responsibilities; effective planning
• New technologies may also be leveraged to make recovery more affordable

Questions?
• Bill Lisse - (937) 853-1490, Email - wlisse@battellecpas.com
• Jack Lohbeck - (937) 853-1423, Email - jlohbeck@battellecpas.com

Business Continuity Workshop Final


Editor's Notes

  • #23 The BIA will be your most time-consuming part of the disaster recovery planning process. Once completed, it provides you with a baseline for: justification for costs associated with recovery; developing recovery strategies; developing Support Level Agreements. Once you’ve identified all your core business processes, you need to analyze and prioritize them… Let’s look at specifically what you should be thinking about at…
  • #25 to #29 (same note on each slide) Prevention - UPS & Generator, system backups and off-site storage, Pre-action sprinkler system, water detection system, Fire system, Cross-trained personnel
  • #42 Plan Audit: Business Continuity International will comment on the overall effectiveness of the plans and may suggest adjustments are made to the plans before any further test phases are commenced.
    Passive Walk Through: This Phase will increase the awareness for all
  • #43 The Testing Process: This is the process to be followed when your organization's Business Continuity Plan (BCP) is tested, in order to assess its viability, and to ensure your staff are fully conversant with the proposals.
    Dependencies: Prior to testing the plan, two previous milestones should have been completed: Assessing the Risk and Likely Impact; Developing the Plan.
    Frequency of Testing: How often, and to what extent, you test your BCP is determined by the nature of the potential changes to systems, personnel, business processes, location, services and infrastructure; plus any legislative or contractual issues. Re-test the BCP whenever material changes have been made to its contents or to the organization's business operations.
    Testing in Authentic Conditions: Where the BCP Testing does not reproduce authentic conditions, the value of such testing is limited.
    Test Plan: Develop a plan to test the BCP. Consider a range of planning activities, including start, stop, objectives, coordination, documentation of results, observers etc.
    Resource Requirements: Resource the Test Plan with the same persons who would be likely to deal with a live situation. Test the plan by making certain key staff ‘unavailable’, simulating where practical the potential absence of personnel in a live situation.
    Documented Test Procedures: Ensure that the BCP is tested using the documented procedures, thereby testing the adequacy of the instructions.
    Test Results: Having concluded the BCP Test, the results must be analyzed. A failure to undertake this task will likely detract from the value of the test. Learn from the results! The problems arising should be documented and addressed subsequently. You should have a formal mechanism for ensuring that this takes place.
    Management and Staff Awareness: You must ensure that knowledge of the BCP is disseminated throughout the organization.