Business Continuity Planning


  1. Business Continuity Planning (BCP) Fundamentals / Disaster Recovery Planning (DRP) Fundamentals. John Wilson. Copyright © 2004 T. John Wilson & Associates P/L
  2. Business Continuity Planning – What is it?
     – In broad terms it is a plan to cater for continuing in business, in the event of a major disaster, both from a business process and ICT recovery perspective.
     – By definition, it is a Business Plan, which encompasses similar terms such as: Disaster Recovery Planning (usually IT environment); Risk Assessment/Management; Contingency Planning
     – It is supported by two AS/NZS Standards: AS/NZS 4360:1995 for Risk Management; AS/NZS 4444:1996 for Business Continuity Planning
  3. Why do we need to Plan for Disasters?
     – We need to assess the potential risks to the organisation, which could result in disasters or emergency situations
     – We need to consider all the possible incident types, and the impact they may have on the organisation’s ability to continue in business
     – We need to plan for resuming business (not just ICT), in the event of a disaster
     – 40% of major companies that experience a serious disaster go out of business within one year. WHY?
  4. Answer
     – The process of resuming normal business is: Too Traumatic; Too Difficult; Too Expensive
     – There has been little or no Planning & Preparation to minimise the impact of a Disaster
  5. What is a Disaster?
     – Act of God: Earthquake (e.g. Kobe, Turkey); Cyclone/Hurricane (e.g. Florida); Floods (e.g. Nyngan, Bangladesh); Bushfires (e.g. Australia, California)
     – Act of Man: Accident (e.g. Plane Crash, Train Crash); Terrorism (e.g. World Trade Centre, Bali); Sabotage (e.g. Network Hacking, Staff Grievance)
  6. BCP in Perspective
     For a business to continue/survive after a disaster, 3 main preparatory disciplines are needed:
     – Business Impact, Risk Assessment & Management (ongoing)
     – Business Continuity Planning (non-IT & ongoing)
     – Disaster Recovery Planning (IT only & ongoing)
     A business ignores these at its peril !!!
  7. BCP/DRP Becoming Mandatory – WHY?
     – Other than Employees, Information/Data is a company’s most valuable asset – this may be computerised or on paper. Can the business continue operating manually, if computers are not available?
     – Business is becoming increasingly dependent on computerisation and technology
     – Auditors are demanding it
     – Insurers are demanding it
     – Shareholders are holding management responsible for having it
  8. Requirements for Getting Something Done
     – The knowledge of how to do it
     – The skill to do it
     – The time in which to do it
     – The desire/motivation to do it
     Problem: Requirements may be for Constructive or Destructive reasons
     Motivating Factor: The individual’s Attitude or Frame of Mind
  9. Pyramid of Needs: Motivation Theory (Abraham Maslow, in the 1920’s)
     – Self-Actualisation: I am making the best of myself
     – Esteem: Respect of family, friends etc.
     – Love Needs: Acceptance by family, friends & workmates
     – Safety Needs: Safety (physical) and Safety from Worry
     – Psychological Needs: Food, Warmth, Shelter, Sex
     Theory: “Once needs have been met at one particular level, they cease to be motivators”
  10. Start with Management by getting their commitment & support by:
     – Educating them on the changing/increasing role of IT
     – Explaining the risks & implications to them
     – Identifying the cost of not having a BCP/DRP
     – Getting them involved in initial planning
     – Getting their commitment – both financial & people
     – Making BCP/DRP a Corporate Policy
  11. Corporate Policy Guidelines should:
     – Demonstrate that management is serious about BCP/DRP
     – Involve Legal, Financial and Audit departments to reinforce it
     – Emphasise the importance of corporate procedures and data and the need to protect them
     – Define the minimum requirements to allow the business to recover after a disaster
     – Be delivered to all employees concerned in an authoritative manner
  12. AS/NZS 4444:1996 (Section 9) states that a BCP should cover:
     – Identification/Prioritisation of critical business processes
     – Identification of potential impact of various types of disaster on business activities
     – Identification & Agreement of responsibilities and emergency arrangements
     – Documentation of agreed processes and procedures
     – Education of staff in the execution of these procedures
     – Testing of the BCP
     – Ongoing updating of the BCP
  13. Perspectives of Business Continuity Planning
     The following perspectives should be central to creating a BCP:
     – Prevention: What can be done to minimize the likelihood of a crisis?
     – Detection: What can be done to ensure timely detection of a crisis?
     – Correction: What can be done to ensure optimum response to recovering from a crisis?
  14. Phases of Business Continuity Planning
     To begin with, it is imperative to focus on the “Minimum” requirements to allow the business to continue – avoid a Rolls Royce solution which becomes too costly and impractical to implement and maintain. Then focus on:
     – Risk Assessment
     – Business Impact Analysis
     – Strategy Planning & Agreement
     – Plan Development
     – Testing/Maintenance
  15. Risk Assessment
     – This is the first step towards a Business Continuity Plan (BCP)
     – Ideally it should be a Management Workshop which identifies the Critical Business Processes & Risks which the business faces (both IT & non-IT), and the likelihood of them happening
     – These risks should then be placed in descending order of priority/seriousness
     – These should be documented for later input to the BCP and be part of Risk Management Policy ….. see next slide
  16. Risk Assessment Table
     A Risk Assessment Table, including Target Recovery Timescales, should be prepared, containing the following headings:
     – Risk Ref No (in descending order of priority)
     – Description
     – Extent (of loss to the business)
     – ODDS (of occurring) – Low, Medium, High or Extreme
     – Impact (on the business) – L, M, H or E
     – Risk (of it happening) – L, M, H or E
     – Maximum Allowable Outage (Days)
     – BCP Action (Xref to appropriate section)
     Business Processes rated H or E should be given highest priority.
     Note: This table should logically follow the Overview in the BCP itself
  17. Risk Management
     – AS/NZS 4360:1999 Standard definition: “The systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, assessing, treating and monitoring risk”
     – The standard also recommends the scope to cover an interruption period of 0 - 14 days. A period longer than that is significantly less probable
  18. Business Impact Analysis
     Management need to have structured analytical information on:
     – Critical business activities & associated computer systems
     – Critical timeframes for each activity
     – Consequences (Direct & Indirect) of these activities being unavailable
     – Minimum resources required for each activity
  19. Strategy Planning & Agreement
     – Management should workshop, identify & agree the strategies for Business Continuity in the event of a disaster
     – Multiple strategies may be needed depending on size and business nature of the organisation
     – Alternative manual processes may be needed if IT environment is not available
     – Minimum requirement is to enable business to continue operating
  20. Plan Development (Typical Contents)
     – Action Plans: Basic instructions for incident containment, communications policies, notification guidelines
     – General Supporting Policies: Operation, Maintenance, Testing, Training & Distribution of the plan
     – Background Information: Decisions on which BCP is based – agreed definitions, scope, scenarios considered and relationship to IT DRP
     – Checklists and Forms
     – Recovery Strategies: Documentation for recovery and resumption of critical business processes, including personnel involved
     – Contact Details: of all key personnel who would be involved in the execution of the BCP.
  21. BCP Essentials
     BCP outputs can vary depending on the size and complexity of the business, however…. To be effective any BCP must be kept as simple as possible and must still address two major areas:
     1. Logistics: High level information on where to recover to; business priorities; plan activation; checklists
     2. Operational: Pre-existing procedures/processes which may require manual operation to address the needs of Business Continuity Planning
  22. BCP Minimum Essentials
     Every BCP must address at a minimum:
     – Initial recovery and/or continuity of business operations
     – Activities necessary to maintain operations in crisis mode
     – Return of the business operations to the original locations/state (resumption procedures)
  23. Putting it into Action
     – Testing the plan is essential – otherwise it is hypothetical
     – A role-playing workshop involving key personnel is a good approach to testing
     – Focus on the manual requirements for Business Continuity e.g. ensure key suppliers are involved: spare cheque books at bank; stock of company letterhead, order books, invoices at print supplier
  24. Summary
     – BCP Focus needs to be on Minimum Requirements to keep business operating
     – Remember it is an interim arrangement – not permanent
     – Apply the KISS principle - keep it basic and simple, otherwise it will be unworkable
     – Keep the planning at management level, otherwise interest groups get involved, making it unworkable
     – Ensure the BCP gets updated to reflect changes in the business
  25. Question? Let’s hope it never happens! …. But let’s be prepared – just in case!