Post on 19-Jun-2015
BUSINESS CASE FOR ENTERPRISE
CONTINUITY PLANNING
© 2014
Developed and Presented by: William Godwin 3/4/2014
Value
Safeguard business viability
Enhance corporate responsibility
Establishes Strategic, Financial and Organizational Drivers for Business Continuity
Strategic Drivers: Accounts for business portfolio, geographic footprint, and changes in operations, consumer base or market
Financial Drivers: Accounts for missed financial targets, budgeting, penalties/fees, loss in production, potential downgrade of credit rating
Organizational Drivers: Accounts for a new or changed executive structure or vision, and garners leadership support.
Establishes a business continuity program on the principle of continuous improvement
Scope
Organization Position/Posture
Risk Appetite
Determine organization tolerance to risk exposure
Business Impact Analysis
Determine criticality of departments/divisions and supporting resources
Threat Analysis
Analyze Operational and IT Threats
Business Continuity Requirements
Identify key requirements
Develop Strategy, Plan, and Exercise
Develop/Foster Continuous Improvement Opportunities
Organization Position/Posture
Develop the implementation strategy from the output of the Risk Appetite exercise (Ref. slide #5)
Garner support from organization leadership
Large/Enterprise organizations may have multiple COOs, CIOs, CFOs, and CEOs or Presidents
Obtain operations leadership buy-in
Once you have executive leadership buy-in, Operations Managers need to be made aware of their roles and expectations
Develop Enterprise standards to communicate and establish organization requirements for continuity planning
Determine & Establish Risk Appetite
Businesses implement the level of contingency operations appropriate to their risk appetite.
Various approaches for determining risk appetite have been established. Best-practice approaches focus on Quantitative and/or Qualitative methods.
Quantitative methods evaluate the negative effects a threat may have on areas where "values" can be measured directly, usually in money. For example, inability to achieve financial targets, to pay debts, or to cover penalties and fees.
Qualitative methods evaluate the negative effects a threat may have on areas where the "values" are intangible and cannot be measured directly, so they are rated on a scale instead. For example, damage to brand, reputation, customer satisfaction and regulatory compliance.
Business Impact Analysis
Categorize and analyze criticality of business departments/divisions
Create priority list of most sensitive business functions
Create priority list of support resources
Human Resources
Information Technology Resources
Establish contingency requirements
Identify and implement mitigating or compensating controls to reduce risk
Threat Analysis
Identify and analyze Operational and IT Threats
Threats may be of both human and non-human nature
Evaluate the likelihood (probability) that a threat source exploits a weakness
Evaluate the impact the organization would experience if the threat source exploits that weakness
Identify mitigating controls for each weakness; the risk remaining after controls is the residual risk
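The likelihood, impact and residual-risk evaluation above, and the BIA priority list it feeds, worked through as an added Python example (not from the original presentation). The five-point qualitative scales, the model in which each control removes rating steps from likelihood or impact, the risk appetite threshold, and the sample threats are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed five-point qualitative scales (not from the original slides).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: residual scores above this value are outside tolerance.
RISK_APPETITE = 6


@dataclass
class Control:
    """A mitigating or compensating control applied to a weakness."""
    name: str
    likelihood_reduction: int = 0  # rating steps removed from likelihood
    impact_reduction: int = 0      # rating steps removed from impact


@dataclass
class Threat:
    """One threat source acting on one weakness of one business function."""
    function: str        # department/division identified in the BIA
    source: str          # human or non-human threat source
    weakness: str
    likelihood: str      # key of LIKELIHOOD
    impact: str          # key of IMPACT
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_risk(self) -> int:
        """Risk after controls are applied; a rating never drops below 1."""
        like = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(like, 1) * max(imp, 1)


def exceeds_appetite(threat: Threat, appetite: int = RISK_APPETITE) -> bool:
    """True if the residual risk is above the organization's tolerance."""
    return threat.residual_risk() > appetite


def prioritize_functions(threats, appetite: int = RISK_APPETITE):
    """Rank business functions by their worst residual risk (the BIA priority list).

    Returns (function, worst residual score, outside appetite?) tuples, highest first.
    """
    worst = {}
    for t in threats:
        worst[t.function] = max(worst.get(t.function, 0), t.residual_risk())
    ranked = sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(fn, score, score > appetite) for fn, score in ranked]


# Constructed sample threat register (hypothetical functions, sources and controls).
SAMPLE_THREATS = [
    Threat("Payments", "ransomware operator", "unpatched file servers", "likely", "severe",
           controls=[Control("offline backups", impact_reduction=2),
                     Control("endpoint detection and response", likelihood_reduction=1)]),
    Threat("Payments", "regional power outage", "single utility feed", "possible", "major",
           controls=[Control("standby generator", impact_reduction=3)]),
    Threat("HR", "payroll vendor failure", "single-vendor dependency", "unlikely", "moderate"),
    Threat("Marketing", "website defacement", "exposed CMS admin", "likely", "minor",
           controls=[Control("web application firewall", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.function:10} {t.source:25} inherent={t.inherent_risk():2} "
              f"residual={t.residual_risk():2} over_appetite={exceeds_appetite(t)}")
    print("Priority list:", prioritize_functions(SAMPLE_THREATS))
```

Two design points worth noting: the residual score is floored at 1 per rating so that stacking controls can never report "zero risk", and the priority list ranks each function by its single worst residual threat rather than a sum, since one unmitigated outage is what actually stops the function.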
Business Continuity Requirements
Identify regulatory compliance requirements
Must be implemented regardless of the business risk appetite
Examples: PCI DSS, Critical Infrastructure, HIPAA, SOX, GLBA, and other sensitive regulated information
Identify Business Continuity Requirements for critical areas of operation
Develop priority list for remaining non-critical areas of operation
Develop Strategy, Plan, and Exercise
Develop Continuity Strategy
Leverage the output of the Risk Appetite analysis
Ensure coverage of the most critical departments/divisions
Develop Continuity Standards/Requirements
Critical Departments/Divisions
Develop Business Continuity Plan
Develop IT Contingency Plan
Develop Disaster Recovery Plan
Develop Incident Response and Management Plan
Develop/Foster Continuous Improvement Opportunities
Identify success/fail requirements
Identify metrics applicable to the organization to measure. Examples such as…
Support contract time requirements met
Response time of key contingency/disaster personnel
Recovery time of system after outage
Equipment failure rates
And many more…
Implementation Schedule
Schedule to implement depends on the organization's…
risk appetite,
current continuity structure,
number of IT support systems,
resources to execute the strategy,
ability to implement, and
number of critical functions
On average, organizations implementing Contingency Planning activities in critical divisions/departments should expect approximately one year of effort.
Mitigate scheduling conflicts by…
Isolating the effort to critical divisions/departments
Ensuring resources are available and scheduled
Conclusion
Aids organization leaders in identifying business units and assigning priority based on criticality
Enables effective financial planning for support of critical business units
Ensures compliance with regulatory requirements
Optimizes support contracts for systems supporting critical business units
Establishes well-defined continuity roles and responsibilities