This presentation outlines the basics behind Business Continuity planning and management. Targeted to CEO's, CFO's and CIO's, this presentation emphasizes the processes and the need to make BCP/M part of the Enterprise's fabric.

1. Risk Management
Business Continuity Planning and Management

2. Presentation Outline
 ISO Principles of Risk Management
 Disaster Recovery vs Business Continuity
vs.
 Unexpected Events
 Business Continuity and Risk Avoidance
 Planning and Management
Break
 Development, Implementation and Exercise
 Return on Investment
 Business Continuity as an Operational Process
2

3. ISO Principles of Risk Management
 Should create value
 Must be an integral part of organizational processes
g p g p
 Must be part of decision making
 Should explicitly address uncertainty and assumptions
 Is
I systematic and structured
d d
 Should be based on the best available information
 Should be customizable
 Takes into account human factors
 Is transparent and inclusive
 Is dynamic, iterative and responsive to change
 Is continually improved and enhanced
 Must be continually or periodically re assessed
re-assessed
3

4. Disaster Recovery
vs.
Business Continuity

5. Disaster Recovery vs. Business
Continuity
 Disaster Recovery
 The processes involved in restoring a business to normal
operation after its operations have been partially or completely
interrupted by some event
 Business Continuity Planning
 Planning to keep your business operating through an
unexpected event
 Business Continuity Management
 Managing the sustaining key business components, bridging the
g g g y p g g
event
 Discussion
5

6. Is Business Continuity Planning
Necessary?
 Compelling Factors
 Regulatory requirements
 Competitive requirements
 Customer impact
 Investor impact
 Potential litigation
 Does Company Size M
D C Si Matter?
?
 Is BCP for large companies only?
 Bottom Line
 Keep business functioning and
 Protect Company assets (
p y (human, IP, infrastructure)
, , )
6

7. Unexpected Events

8. What Constitutes a Disaster or
Business Continuity Interruption?
 Catastrophic Events
 Location destroyed
 Distribution center destroyed
D b d d
 Headquarters destroyed
 Event Rising From:
 Supply Chain disruption
 Smoke/Fire
 Cyber attack
 Terrorism
 Earthquake
 Affects of nearby disaster (RR tanker derails; Fukushima)
 Social di
S i l disturbance (people are hurt and facility is crime scene)
b ( l h d f ili i i )
 Be careful of playing the odds
 Virginia’s last earthquake: over 100 years ago; until August, 2011
8

9. Example Disruption Scenarios
 Level 1 — Loss of secondary function
 Loss of SaaS provider (Outsourced Accounting System) $
 Level 2 — Technology offline
 Loss of local computing environment
p g
 Level 3 — Distribution network impact
 Loss of warehouse (physical goods) Cost
 Level 4 — Regional command and control
 Loss of entire division
 Level 5 — Disaster
 Loss of entire company $$$$
9

10. Business Continuity
and
Risk Avoidance

11. Business Continuity
Overview
 Business initiative, not an Information Technology initiative
 Must keep key revenue streams operating
 Need a vulnerabilities list (highest to lowest)
 Risk avoidance
 Total Risk Avoidance
 Replicated facility (higher cost)
 Minimal Risk Avoidance
 Essential operational systems (lower cost)
 Balancing act
11

12. Keep Key Revenue Streams Operating
 Reduce or eliminate revenue stream interruptions by:
 Keeping supply chain moving
 Filling orders to key customers
 Receiving payments
 Paying key invoices
12

13. List Vulnerabilities
 Remember S.W.O.T. analysis
 Strengths — your Company may have an effective logistics
network that can sustain loss of a warehouse with little or no
impact to continuing operations
 Weaknesses — li areas where the C
W k list h h Company is most
i
vulnerable to interruptions ordered by business impact
 Opportunities — you may be able to consolidate operations
pp y y p
for the short term, or take advantage of unused space in a
lesser-used building in the event of facility loss
 Threats — including those listed under Example Disruptive
Scenarios, natural disasters (floods, hurricanes, tornados,
earthquakes), etc.
13

14. Other Vulnerability Assessment Tools
Risk Identification Risk Analysis
 Brainstorming  Dependency modeling
 Questionnaires  Event tree analysis
 Business studies assessing both  Real Option Modeling
internal and external factors
i l d lf (Valuation)
(V l i )
which can influence operations  Decision making under
 Industry benchmarking conditions of risk and
 Scenario analysis uncertainty
i
 Risk assessment workshops  Measures of central tendency
and dispersion (descriptive
 Incident investigation
statistics)
i i )
 Auditing and inspection
 PEST (Political, Economic,
 HAZOP (Hazard & Operability Social,Technological) analysis
Studies)
14

15. Total Risk Avoidance
 How much is too much?
 Total Replication of all operational systems
 Example U.S. Postal Service (two of five Data Centers)
 Discussion.
15

16. Minimal Risk Avoidance
 Essential Systems
 Payroll (time clocks)
y ( )
 Inventory and Order
Management
 E-mail (communication)
( )
 5 Business Days
 A/R
 A/P
 Shipping
 Is this i ht?
I thi right?
16

17. Balancing Act
 Objective: Determine What You Need
 Total Risk Avoidance
 Fully Redundant Systems and Operations
 Facilities
 Inventory
 Shipping/Receiving
 Minimal Risk Avoidance
 Select functions deemed essential
 Some disruption in service is acceptable
p p
 Discussion
17

18. Planning and Management

19. Managing the Risk
 High-level planning
 Develop the plan and publish it
 Implementation and exercise
 When is the plan considered complete?
19

20. Getting Started: Objectives
 Your Company’s Business Continuity and Needs
 Define what business continuity means for your company
 Determine what you need in order to maintain it
 Take nothing for granted
g g
 Review all operational concerns
 Review both internal and external factors
 Discovery process budget
 Determine a rough order of magnitude budget for the
discovery process
 Fund it
 Discussion: how can this be done?
20

21. High level
High-level Planning
 Engage management and build the BCP team
 CEO, COO, CFO,
CEO COO CFO CIO
 Name business and technology leaders as BCP stakeholders
 Create a standard Charter for the project
p j
 Make it an Enterprise project
 Agree on a single individual as the owner with an understudy
 Assign a project manager
 Isolate Continuity targets
 Essential business functions (use a risk matrix)
 Scrutinize pitfalls/darlings/issues
21

22. Project Charter
A Project Charter:
 Lists reasons for undertaking the project
 Solidifies objectives and constraints of the project
 Provides directions concerning the solution
 Gives names and titles of the main stakeholders
 Enumerates in-scope and out-of-scope items
 D
Dictates as a high-level risk management plan
h hl l k l
 Serves as a communication plan
 Targets project benefits Project Charters are used to:
 Authorize a project
 Authorizes high-level budget  Aid with resource management
and spending authority  Focus overall scope
22

23. Risk Matrix Example
 Helps isolate potential interruptions in service
 Link this to affected operations service continuity plan
Threat Probability (P) Impact (I) Risk = P x I
Hurricane %
80% 1 80%
%
Flooding – Internal 80% 1 80%
Severe Storms 25% 1 25%
Flooding – External 80% 0.2 16%
Wind Storm 10% 1 10%
Tornado 10% 1 10%
Terrorism 10% 1 10%
Fire – Internal 10% 1 10%
Fire – External 10% 1 10%
Earthquake 1% 1 1%
23

24. Plan Components
 Establish objectives for the plan. Examples include:
 Run payroll within 24 hours of event
 Ship product within 48 hours of the event
 Essential personnel
p
 List personnel required for managing the processes
 List backup personnel, in the event the primary personnel are
directly ff t d b th
di tl affected by the event t
 Calendar/Timeline
 Create a calendar to pinpoint specific timing of actions
 List important dates such as payroll, monthly close, and other
recurring events that can influence the required availability
24

25. Systems Recovery
 What systems are crucial to maintain continuity?
 Payroll and time clocks?
 Inventory and Order management?
 Shipping and Receiving?
 Email?
 All of the above?
 Be
B careful of purportedly autonomous systems
f l f dl
 Question from the shipping manager:
“Since FedEx has supplied my shipping stations, and they are able to
Since
print shipping manifests, is it okay to go ahead and ship product even if
the inventory and fulfillment systems are offline?”
Do you think it’s okay?
it s
25

26. Data Recovery
 Differences between System and Data Recovery
 Systems are the substrate that manage and present data
 Data carries the information
 Data Recovery Point Objective
y j
 How old is the data that can be recovered?
 Where is the backup stored? Offsite, or still on-site?
 When was the last validation that data could be recovered?
 Data Recovery Time Objective
 How long will it take to recover?
 Will data be recovered to the point just prior to the event?
 What about data that is lost?
26

27. Break

28. Development,
Development Implementation
and Exercise

29. Develop the Overall Plan
 Stakeholders
 List their area’s essential business functions
 List alternatives for each business function in a matrix
 Plan for functions without immediate alternatives
 Assess alternatives for strategic functions
 Example: if a warehouse goes offline, can product ship from other
warehouses? Include the estimated cost difference.
 Document a process flow for decision making and emergency
decision-making
response.
 Ensure everyone knows who is in charge
 Establish
E bl h a single-point of contact f media relations and ensure all
l f for d l d ll
responses are funneled through them
 Do not depend on making good decisions inside the tornado
29

30. Develop the Execution Plan
 Formulate Business Continuity Management Plan
 Assign point individuals to manage specific areas of operation
 Ensure everyone has a backup
 Establish action plans for:
p
 Running day-to-day operations
 Contacting insurance companies and managing distributions
 Recovering from the interruption. Include vendors to source
product, infrastructure and services
 Crisis communications to keep staff updated as changes occur
30

31. Implementation and Exercise
 Train for the exercise:
 Notify participants of it, No plan survives the battle field.
— Helmuth von Moltke
 Stage it, and
 Implement it!
 Implement it in stages:
p g
 First , work out what you thought would happen
 Adjust the plan based on what actually happens
 Common misconception: you can’t exercise everything in the plan
can t
 Yes, you can
 You may choose not to, because of disruption or cost
 Choose a cycle for exercise, and stick to it.
exercise it
 Minimal: annual (has drawbacks)
 Optimal: quarterly
 Super-optimal: continual (
S i l i l (may apply to specific processes only)
l ifi l )
31

32. When is the Plan Considered Complete?
 Never
 Business Continuity is not a Project
 It’s a program
 It’s an operational p
p process
 It’s a strategy
 It exists as long as your business does
 Each exercise should reflect an updated plan
 Exercising the plan is like putting on a play
 Remember your lines
 Discussion
32

33. Return on Investment

34. Quote #1
A Grudge Buy or Providing ROI?
“The f
“Th fact that most organizations are unlikely to
h i i lik l
ever use the full extent of the services they have
paid for has, i the past, made disaster
id f h in h d di
[recovery] something of a ‘grudge buy’ and not
something that most companies are eager to
hi h i
spend money on.”
ITWEB
September 25, 2001
34

35. Quote #2
Probability or Availability?
“…the
“ h probabilities associated b corporate
b bili i i d by
management with the occurrence of most
disasters are so low that the expected value of
di l h h d l f
most disaster recovery programs does not begin
to cover the costs required to implement
h i d i l
(or purchase) them.”
William Cappelli
Disaster Recovery Program Costing: The Missing Element
from GIGA
January 22, 1998
35

36. Quote #3
Bottom Line or Bottomless Pit?
“Recovery services don’t add anything to the
“R i d ’ dd hi h
bottom line, but the consequences of not
having l in l
h i a plan i place can b disastrous.”
be di ”
Dave Linacre
Managing Director
IBM Business Continuity and Recovery Services
36

37. Reasons ROI Is Not Calculated
 Difficulties in making the calculation
 Not a financial decision
 Lack of commitment to the process
 Not an important issue
 Bottom Line:
Should it take a disaster to recover your investment?
y
37

38. Calculating Return on Investment
 Calculated on projects with fixed costs and an end date
 Business Continuity starts as a project but becomes an on
project, on-
going operational program
 Cost vs. Time to Ownership: hard to calculate
 The project has high development costs up-front
 The project’s long tail never ends (constant updates as new systems
and changes to business processes occur)
 Value Perspective: possible to calculate
 Complex calculation (host of factors including loss of productivity)
 Moderate calculation (risk register)
 Simple calculation (loss by specific system)
 Cost of Downtime
38

39. The Cost of Downtime
Tangible Costs Intangible Costs
 Lost Revenue  Lost Opportunity
 Lost Wages  Employee Retention
 Remedial Labor Costs  Loss in Share Value
 Lost Inventory  Goodwill
 Marketing Costs  Brand Damage
 Bank Fees / Penalties
 Legal Costs
39

40. Example Costs of Doing Nothing
Average Hourly Costs of Downtime
 Airline Reservations: $ 89,500
 Retail Catalog: $ 90,000
 Infomercials / P
I f i l Promotion:
i $ 199 500
199,500
 Retail Banking: $1,000,000
 Retail Brokerage:
R t il B k $6,500,000
$6 500 000
40

41. Business Continuity as an
Operational Process

42. Implementing Business Continuity
 What Not To Do?
 Treat BCP like a one-time project
one time
 Turn BCP into a Compliance Program
 What To Do?
 Weave the program into processes as a forethought, not an
afterthought
 Make
M k BCP part of the operational fabric
t f th ti l f b i
 Validate progress with each Business Continuity exercise
 Grow Business Continuity as your business grows
42

43. ISO Principles of Risk Management
and Business Continuity
 Should create value  Should be customizable
 BCP creates value by ensuring continued  BCP can be customized as changes in the
business operation business dictate
 Must be an integral part of organizational  Takes i
T k into account human factors
h f
processes  BCP ensures that the plan addresses capabilities
 BCP is an operational process and is therefore of people who can facilitate (or hinder) business
integral to the organization continuity
 Must be part of decision making  Is transparent and inclusive
p
 BCP is strategic, and therefore part of  BCP is transparent and inclusive by ensuring
decision making that stakeholders are fully involved in every
aspect of the process
 Should explicitly address uncertainty and  Is dynamic, iterative and responsive to
assumptions
p change
 BCP inherently addresses uncertainty and  BCP changes as the business grows and
assumptions expands
 Is systematic and structured  Is continually improved and enhanced
 BCP is a systematic and structured process  BCP is an operational process that
that grows with the business
h ih h b i continually improves as the business grows
 Should be based on the best available  Must be continually or periodically re-
information assessed
 BCP is based on the best available information  BCP is continually re-assessed as changes occur
at its inception, and it is continually updated in the business.
i th b i
43

44. Questions

45. Sources
 DRI International
 Continuity Central
 Continuity Insights 2011 Conference
 Disaster Recovery Resources
 Disaster Recovery World
 PilotOnline.com
 Humbach, Rob “Disaster Recovery: Finding ROI Without the Disaster,” 2003
Rob. Disaster Disaster,
 A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
 Wikipedia (various subject articles)
© 2010 — 2011, The Arrington Group, Inc.
g p
This presentation has been uploaded to SlideShare as a marketing instrument for the services of The Arrington Group, Inc.
The Arrington Group respectfully requests that you not use this presentation, or specific content from it, without express permission from
The Arrington Group, Inc. Therefore, no person, organization or other entity should use this presentation, or specific content from it, as or in
their own presentation. If you would like to use aspects of this presentation, or have questions regarding this one, please direct your inquiry to
Cody.Shive@The-Arrington-Group.com.
The Arrington Group, Inc. does, however, grant you the right to cite this presentation, or aspects of it, as a bibliographical reference.
Therefore, if you use this presentation for your research, please include the following citation:
Shive, Cody. “Business Continuity Planning and Management." The Arrington Group, Inc. SlideShare, 14 Dec. 2011. Web. 14 Dec. 2011.
All diagrams used in this presentation are © The Arrington Group, Inc. Images used are public domain.
45