This presentation outlines the basics of Business Continuity planning and management. Targeted at CEOs, CFOs and CIOs, it emphasizes the processes involved and the need to make BCP/M part of the Enterprise's fabric.
2. Presentation Outline
ISO Principles of Risk Management
Disaster Recovery vs. Business Continuity
Unexpected Events
Business Continuity and Risk Avoidance
Planning and Management
Break
Development, Implementation and Exercise
Return on Investment
Business Continuity as an Operational Process
3. ISO Principles of Risk Management
Should create value
Must be an integral part of organizational processes
Must be part of decision making
Should explicitly address uncertainty and assumptions
Is systematic and structured
Should be based on the best available information
Should be customizable
Takes into account human factors
Is transparent and inclusive
Is dynamic, iterative and responsive to change
Is continually improved and enhanced
Must be continually or periodically re-assessed
5. Disaster Recovery vs. Business Continuity
Disaster Recovery
The processes involved in restoring a business to normal
operation after its operations have been partially or completely
interrupted by some event
Business Continuity Planning
Planning to keep your business operating through an
unexpected event
Business Continuity Management
Managing and sustaining key business components, bridging the event
Discussion
6. Is Business Continuity Planning Necessary?
Compelling Factors
Regulatory requirements
Competitive requirements
Customer impact
Investor impact
Potential litigation
Does Company Size Matter?
Is BCP for large companies only?
Bottom Line
Keep business functioning and
Protect Company assets (human, IP, infrastructure)
8. What Constitutes a Disaster or Business Continuity Interruption?
Catastrophic Events
Location destroyed
Distribution center destroyed
Headquarters destroyed
Event Rising From:
Supply Chain disruption
Smoke/Fire
Cyber attack
Terrorism
Earthquake
Effects of a nearby disaster (RR tanker derails; Fukushima)
Social disturbance (people are hurt and facility is a crime scene)
Be careful of playing the odds
Virginia’s last earthquake had been over 100 years earlier, until August 2011
9. Example Disruption Scenarios
Level 1 — Loss of secondary function
Loss of SaaS provider (Outsourced Accounting System)
Level 2 — Technology offline
Loss of local computing environment
Level 3 — Distribution network impact
Loss of warehouse (physical goods)
Level 4 — Regional command and control
Loss of entire division
Level 5 — Disaster
Loss of entire company
(Cost scale on the slide: rises from $ at Level 1 to $$$$ at Level 5)
11. Business Continuity Overview
Business initiative, not an Information Technology initiative
Must keep key revenue streams operating
Need a vulnerabilities list (highest to lowest)
Risk avoidance
Total Risk Avoidance
Replicated facility (higher cost)
Minimal Risk Avoidance
Essential operational systems (lower cost)
Balancing act
13. List Vulnerabilities
Remember S.W.O.T. analysis
Strengths — your Company may have an effective logistics
network that can sustain loss of a warehouse with little or no
impact to continuing operations
Weaknesses — list areas where the Company is most vulnerable to interruptions, ordered by business impact
Opportunities — you may be able to consolidate operations for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss
Threats — including those listed under Example Disruptive
Scenarios, natural disasters (floods, hurricanes, tornados,
earthquakes), etc.
14. Other Vulnerability Assessment Tools
Risk Identification
Brainstorming
Questionnaires
Business studies assessing both internal and external factors which can influence operations
Industry benchmarking
Scenario analysis
Risk assessment workshops
Incident investigation
Auditing and inspection
HAZOP (Hazard & Operability Studies)
Risk Analysis
Dependency modeling
Event tree analysis
Real Option Modeling (Valuation)
Decision making under conditions of risk and uncertainty
Measures of central tendency and dispersion (descriptive statistics)
PEST (Political, Economic, Social, Technological) analysis
15. Total Risk Avoidance
How much is too much?
Total Replication of all operational systems
Example U.S. Postal Service (two of five Data Centers)
Discussion.
16. Minimal Risk Avoidance
Essential Systems
Payroll (time clocks)
Inventory and Order Management
E-mail (communication)
5 Business Days
A/R
A/P
Shipping
Is this right?
17. Balancing Act
Objective: Determine What You Need
Total Risk Avoidance
Fully Redundant Systems and Operations
Facilities
Inventory
Shipping/Receiving
Minimal Risk Avoidance
Select functions deemed essential
Some disruption in service is acceptable
Discussion
19. Managing the Risk
High-level planning
Develop the plan and publish it
Implementation and exercise
When is the plan considered complete?
20. Getting Started: Objectives
Your Company’s Business Continuity and Needs
Define what business continuity means for your company
Determine what you need in order to maintain it
Take nothing for granted
Review all operational concerns
Review both internal and external factors
Discovery process budget
Determine a rough order of magnitude budget for the
discovery process
Fund it
Discussion: how can this be done?
21. High-level Planning
Engage management and build the BCP team
CEO, COO, CFO, CIO
Name business and technology leaders as BCP stakeholders
Create a standard Charter for the project
Make it an Enterprise project
Agree on a single individual as the owner with an understudy
Assign a project manager
Isolate Continuity targets
Essential business functions (use a risk matrix)
Scrutinize pitfalls/darlings/issues
22. Project Charter
A Project Charter:
Lists reasons for undertaking the project
Solidifies objectives and constraints of the project
Provides directions concerning the solution
Gives names and titles of the main stakeholders
Enumerates in-scope and out-of-scope items
Dictates a high-level risk management plan
Serves as a communication plan
Targets project benefits
Authorizes high-level budget and spending authority
Project Charters are used to:
Authorize a project
Aid with resource management
Focus overall scope
23. Risk Matrix Example
Helps isolate potential interruptions in service
Link this to the affected operation's service continuity plan
Threat               Probability (P)   Impact (I)   Risk = P x I
Hurricane            80%               1            80%
Flooding – Internal  80%               1            80%
Severe Storms        25%               1            25%
Flooding – External  80%               0.2          16%
Wind Storm           10%               1            10%
Tornado              10%               1            10%
Terrorism            10%               1            10%
Fire – Internal      10%               1            10%
Fire – External      10%               1            10%
Earthquake            1%               1             1%
24. Plan Components
Establish objectives for the plan. Examples include:
Run payroll within 24 hours of event
Ship product within 48 hours of the event
Essential personnel
List personnel required for managing the processes
List backup personnel, in the event the primary personnel are directly affected by the event
Calendar/Timeline
Create a calendar to pinpoint specific timing of actions
List important dates such as payroll, monthly close, and other
recurring events that can influence the required availability
25. Systems Recovery
What systems are crucial to maintain continuity?
Payroll and time clocks?
Inventory and Order management?
Shipping and Receiving?
Email?
All of the above?
Be careful of purportedly autonomous systems
Question from the shipping manager:
“Since FedEx has supplied my shipping stations, and they are able to print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?”
Do you think it’s okay?
26. Data Recovery
Differences between System and Data Recovery
Systems are the substrate that manage and present data
Data carries the information
Data Recovery Point Objective (RPO)
How old is the data that can be recovered?
Where is the backup stored? Offsite, or still on-site?
When was the last validation that data could be recovered?
Data Recovery Time Objective (RTO)
How long will it take to recover?
Will data be recovered to the point just prior to the event?
What about data that is lost?
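The four questions on this slide are easier to answer from a backup inventory than from memory. The following is an added example, not code from the original presentation: it checks constructed backup records for the essential systems named on the Minimal Risk Avoidance slide against constructed RPO, RTO and restore-validation targets, and reports which systems would actually meet their objectives at the moment of an event. Every system name, timestamp, target and restore time is an assumption made for illustration.

```python
"""Added example (not from the original presentation): checking a backup
inventory against the Recovery Point Objective (RPO) and Recovery Time
Objective (RTO) questions of the Data Recovery slide. Every system, target and
backup record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Backup:
    system: str
    taken_at: datetime                     # when the most recent backup completed
    offsite: bool                          # stored away from the primary site?
    last_restore_test: Optional[datetime]  # last time a restore was actually proven, if ever
    est_restore_hours: float               # measured (or estimated) time to restore


@dataclass(frozen=True)
class Target:
    rpo_hours: float        # how much data, in hours, the business can afford to lose
    rto_hours: float        # how long the system may be unavailable
    max_test_age_days: int  # how recently a restore must have been validated


def assess(backup: Backup, target: Target, event_time: datetime) -> Dict:
    """Answer the slide's questions for one system at the moment of the event."""
    findings: List[str] = []
    # "How old is the data that can be recovered?" Everything after taken_at is lost.
    data_age_h = (event_time - backup.taken_at).total_seconds() / 3600.0
    if data_age_h > target.rpo_hours:
        findings.append(f"RPO miss: newest recoverable data is {data_age_h:.1f}h old, RPO is {target.rpo_hours:g}h")
    # "How long will it take to recover?"
    if backup.est_restore_hours > target.rto_hours:
        findings.append(f"RTO miss: restore takes about {backup.est_restore_hours:g}h, RTO is {target.rto_hours:g}h")
    # "Where is the backup stored?" An on-site copy dies with the location.
    if not backup.offsite:
        findings.append("backup is on-site only: the event that destroys the location destroys the backup")
    # "When was the last validation?" An untested backup is an assumption, not a capability.
    if backup.last_restore_test is None:
        findings.append("restore never validated: RPO and RTO are assumptions, not measurements")
    else:
        test_age_d = (event_time - backup.last_restore_test).days
        if test_age_d > target.max_test_age_days:
            findings.append(f"restore validation is stale: last proven {test_age_d} days ago")
    return {
        "system": backup.system,
        "data_age_hours": round(data_age_h, 1),  # also the window of data that is lost
        "meets_objectives": not findings,
        "findings": findings,
    }


def assess_inventory(backups: List[Backup], targets: Dict[str, Target], event_time: datetime) -> List[Dict]:
    """Assess every system; failing systems first, largest data loss first."""
    results = [assess(b, targets[b.system], event_time) for b in backups]
    return sorted(results, key=lambda r: (r["meets_objectives"], -r["data_age_hours"]))


# Constructed sample input: an event at 09:00 on Monday 2024-03-04 hitting the
# essential systems named on the Minimal Risk Avoidance slide (hypothetical figures).
EVENT_TIME = datetime(2024, 3, 4, 9, 0)
TARGETS = {
    "payroll":   Target(rpo_hours=24, rto_hours=24, max_test_age_days=90),
    "inventory": Target(rpo_hours=4,  rto_hours=48, max_test_age_days=90),
    "email":     Target(rpo_hours=24, rto_hours=8,  max_test_age_days=180),
    "shipping":  Target(rpo_hours=8,  rto_hours=48, max_test_age_days=90),
}
BACKUPS = [
    Backup("payroll",   datetime(2024, 3, 3, 23, 0), True,  datetime(2024, 1, 15), 6),
    Backup("inventory", datetime(2024, 3, 1, 18, 0), False, None,                  12),  # Friday copy, on-site, never tested
    Backup("email",     datetime(2024, 3, 3, 22, 0), True,  datetime(2023, 6, 1),  20),
    Backup("shipping",  datetime(2024, 3, 4, 6, 0),  True,  datetime(2024, 2, 20), 10),
]

if __name__ == "__main__":
    for r in assess_inventory(BACKUPS, TARGETS, EVENT_TIME):
        status = "OK  " if r["meets_objectives"] else "FAIL"
        print(f"{status} {r['system']:<10} data age {r['data_age_hours']:>5}h")
        for f in r["findings"]:
            print(f"       - {f}")
```

Run as a script it lists the inventory system first: a Friday-evening copy that is on-site and has never been restored fails three of the four questions at once, which is exactly the kind of "purportedly autonomous" dependency the previous slide warns about. Note that a missed RPO is reported in hours of lost data rather than as a yes/no, because that number is what the A/R, A/P and shipping owners need in order to decide what has to be re-keyed.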
29. Develop the Overall Plan
Stakeholders
List their area’s essential business functions
List alternatives for each business function in a matrix
Plan for functions without immediate alternatives
Assess alternatives for strategic functions
Example: if a warehouse goes offline, can product ship from other
warehouses? Include the estimated cost difference.
Document a process flow for decision making and emergency response.
Ensure everyone knows who is in charge
Establish a single point of contact for media relations and ensure all responses are funneled through them
Do not depend on making good decisions inside the tornado
30. Develop the Execution Plan
Formulate Business Continuity Management Plan
Assign point individuals to manage specific areas of operation
Ensure everyone has a backup
Establish action plans for:
Running day-to-day operations
Contacting insurance companies and managing distributions
Recovering from the interruption. Include vendors to source
product, infrastructure and services
Crisis communications to keep staff updated as changes occur
31. Implementation and Exercise
Train for the exercise:
Notify participants of it,
Stage it, and
Implement it!
“No plan survives the battlefield.” — Helmuth von Moltke
Implement it in stages:
First, work out what you thought would happen
Adjust the plan based on what actually happens
Common misconception: you can’t exercise everything in the plan
Yes, you can
You may choose not to, because of disruption or cost
Choose a cycle for exercise, and stick to it
Minimal: annual (has drawbacks)
Optimal: quarterly
Super-optimal: continual (may apply to specific processes only)
32. When is the Plan Considered Complete?
Never
Business Continuity is not a Project
It’s a program
It’s an operational process
It’s a strategy
It exists as long as your business does
Each exercise should reflect an updated plan
Exercising the plan is like putting on a play
Remember your lines
Discussion
34. Quote #1
A Grudge Buy or Providing ROI?
“The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a ‘grudge buy’ and not something that most companies are eager to spend money on.”
ITWEB
September 25, 2001
35. Quote #2
Probability or Availability?
“…the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them.”
William Cappelli
Disaster Recovery Program Costing: The Missing Element
from GIGA
January 22, 1998
36. Quote #3
Bottom Line or Bottomless Pit?
“Recovery services don’t add anything to the bottom line, but the consequences of not having a plan in place can be disastrous.”
Dave Linacre
Managing Director
IBM Business Continuity and Recovery Services
37. Reasons ROI Is Not Calculated
Difficulties in making the calculation
Not a financial decision
Lack of commitment to the process
Not an important issue
Bottom Line:
Should it take a disaster to recover your investment?
38. Calculating Return on Investment
Calculated on projects with fixed costs and an end date
Business Continuity starts as a project but becomes an on-going operational program
Cost vs. Time to Ownership: hard to calculate
The project has high development costs up-front
The project’s long tail never ends (constant updates as new systems
and changes to business processes occur)
Value Perspective: possible to calculate
Complex calculation (host of factors including loss of productivity)
Moderate calculation (risk register)
Simple calculation (loss by specific system)
Cost of Downtime
39. The Cost of Downtime
Tangible Costs
Lost Revenue
Lost Wages
Remedial Labor Costs
Lost Inventory
Marketing Costs
Bank Fees / Penalties
Legal Costs
Intangible Costs
Lost Opportunity
Employee Retention
Loss in Share Value
Goodwill
Brand Damage
40. Example Costs of Doing Nothing
Average Hourly Costs of Downtime
Airline Reservations: $89,500
Retail Catalog: $90,000
Infomercials / Promotion: $199,500
Retail Banking: $1,000,000
Retail Brokerage: $6,500,000
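The "simple calculation (loss by specific system)" from the Calculating Return on Investment slide can be done with nothing more than the Risk Matrix Example and these hourly figures. The block below is an added example, not code from the original presentation: it ranks the matrix by Risk = P x I, turns it into a tangible expected annual loss for one system at a given hourly downtime cost, and compares the loss a continuity plan avoids (by shortening the outage to the RTO) with what the plan costs. It reads the matrix probabilities as annual probabilities and impact as the fraction of the system lost; the 72-hour unplanned outage, the 8-hour RTO and the $1.5M/year program cost are constructed assumptions, and intangible costs are deliberately left out.

```python
"""Added example (not from the original presentation): the "simple calculation
(loss by specific system)" of the ROI slide, using the Risk Matrix Example as
the threat list and the Average Hourly Costs of Downtime as the loss rate.
Probabilities are read as annual probabilities and impact as the fraction of the
system lost; outage durations and program costs are constructed assumptions."""
from typing import List, Tuple

Threat = Tuple[str, float, float]  # (name, probability P, impact I)

# The Risk Matrix Example slide, transcribed.
RISK_MATRIX: List[Threat] = [
    ("Hurricane", 0.80, 1.0), ("Flooding - Internal", 0.80, 1.0),
    ("Severe Storms", 0.25, 1.0), ("Flooding - External", 0.80, 0.2),
    ("Wind Storm", 0.10, 1.0), ("Tornado", 0.10, 1.0), ("Terrorism", 0.10, 1.0),
    ("Fire - Internal", 0.10, 1.0), ("Fire - External", 0.10, 1.0),
    ("Earthquake", 0.01, 1.0),
]

# Average hourly costs of downtime from the "Costs of Doing Nothing" slide.
HOURLY_COST = {
    "Airline Reservations": 89_500, "Retail Catalog": 90_000,
    "Infomercials / Promotion": 199_500, "Retail Banking": 1_000_000,
    "Retail Brokerage": 6_500_000,
}


def rank_risks(matrix: List[Threat]) -> List[Tuple[str, float]]:
    """Risk = P x I, highest first: the vulnerabilities list (highest to lowest)."""
    return sorted(((name, round(p * i, 4)) for name, p, i in matrix), key=lambda r: -r[1])


def expected_annual_loss(matrix: List[Threat], hours_down: float, hourly_cost: float) -> float:
    """Tangible expected loss per year: sum over threats of P x I x outage hours x cost/hour.
    Intangible costs (goodwill, brand, share value) are deliberately not modelled."""
    return sum(p * i * hours_down * hourly_cost for _, p, i in matrix)


def plan_roi(matrix: List[Threat], hourly_cost: float, hours_down_without_plan: float,
             rto_hours: float, annual_plan_cost: float) -> Tuple[float, float, float, float]:
    """Return (loss_without_plan, loss_with_plan, avoided_loss, roi).
    The plan's value is the outage it shortens: from the unplanned duration down to the RTO.
    roi = (avoided_loss - annual_plan_cost) / annual_plan_cost; a negative value means the
    program costs more than the expected loss it removes (the Cappelli objection)."""
    before = expected_annual_loss(matrix, hours_down_without_plan, hourly_cost)
    after = expected_annual_loss(matrix, rto_hours, hourly_cost)
    avoided = before - after
    return before, after, avoided, (avoided - annual_plan_cost) / annual_plan_cost


def scale_probabilities(matrix: List[Threat], factor: float) -> List[Threat]:
    """Same threats with every probability multiplied by factor, for less exposed sites."""
    return [(name, p * factor, i) for name, p, i in matrix]


if __name__ == "__main__":
    for name, risk in rank_risks(RISK_MATRIX):
        print(f"{name:<22} {risk:7.2%}")
    # Constructed scenario: a retail catalog operation, 72h unplanned outage vs. an 8h RTO,
    # with a hypothetical $1.5M/year continuity program.
    before, after, avoided, roi = plan_roi(RISK_MATRIX, HOURLY_COST["Retail Catalog"], 72, 8, 1_500_000)
    print(f"loss without plan ${before:,.0f}, with plan ${after:,.0f}, avoided ${avoided:,.0f}, ROI {roi:.1%}")
    # Same system at a site where every threat is 100x less likely: the ROI goes negative.
    *_, low_roi = plan_roi(scale_probabilities(RISK_MATRIX, 0.01), HOURLY_COST["Retail Catalog"], 72, 8, 1_500_000)
    print(f"ROI at 1/100 the probabilities: {low_roi:.1%}")
```

Two things the arithmetic makes visible that the slides only assert: the plan's return is driven almost entirely by the gap between the unplanned outage and the RTO, so shortening recovery for the highest-risk rows of the matrix is where the money is; and at a site where the same threats are two orders of magnitude less likely, the same program has a negative ROI, which is exactly the objection in Quote #2. The model is tangible costs only, so a positive result here is a floor, not the whole case.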
42. Implementing Business Continuity
What Not To Do?
Treat BCP like a one-time project
Turn BCP into a Compliance Program
What To Do?
Weave the program into processes as a forethought, not an afterthought
Make BCP part of the operational fabric
Validate progress with each Business Continuity exercise
Grow Business Continuity as your business grows
43. ISO Principles of Risk Management and Business Continuity
Should create value
BCP creates value by ensuring continued business operation
Must be an integral part of organizational processes
BCP is an operational process and is therefore integral to the organization
Must be part of decision making
BCP is strategic, and therefore part of decision making
Should explicitly address uncertainty and assumptions
BCP inherently addresses uncertainty and assumptions
Is systematic and structured
BCP is a systematic and structured process that grows with the business
Should be based on the best available information
BCP is based on the best available information at its inception, and it is continually updated
Should be customizable
BCP can be customized as changes in the business dictate
Takes into account human factors
BCP ensures that the plan addresses capabilities of people who can facilitate (or hinder) business continuity
Is transparent and inclusive
BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
Is dynamic, iterative and responsive to change
BCP changes as the business grows and expands
Is continually improved and enhanced
BCP is an operational process that continually improves as the business grows
Must be continually or periodically re-assessed
BCP is continually re-assessed as changes occur in the business.