2016.04.06.Business Continuity Planning
Business Continuity Planning –
Preparing Your Organization
Nicholas De Laurentis, CRM, IGP
Objectives
• Understand the importance of Business Continuity
Planning
• Know basic terms used and roles involved in
Business Continuity Planning
• Understand the steps and relationship of initial
Business Continuity Planning and continuous
review and maintenance
Information Governance Programs
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
Operational
Regulatory
Protection
• An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.
Availability
• An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.
DR is to BC as RIM is to IG
Business Continuity
• Business Continuity is the entire process of planning how to recover from a disaster or significant interruption to normal business operations.
• We regard this process as developing plans and procedures in advance of an event that would allow our critical business functions to continue to operate at acceptable levels.
Disaster Recovery
• The process, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to an organization after a natural or human-induced disaster.
• Focus is on recovering IT capabilities, processes, and services.
Importance of Business Continuity Planning
70% of businesses involved in a major fire fail within 3 years (Chubb)
One out of two businesses never return to the marketplace following a major disaster (AXA)
Within 2 years after Hurricane Andrew in Florida (1992), 80% of affected companies that lacked a BCP went out of business (FEMA)
Internal and External Threats
Natural Disasters
• Earthquake
• Hurricane
• Flood
Accidents
• Fire
• Utility Outage
Malicious
• Sabotage
• Terrorism
• Cyber Attack
Market
• Suppliers
• Competitors
• Consumer Trends
Political
• Legislation
Why is BCP Important?
Board of Director Expectations
• We have expectations placed on us by the Board of Directors.
Customer Expectations
• In order for us to meet our mission statement of helping our customers manage the risks of everyday life, recover from the unexpected and realize their dreams, we need to have Business Continuity Plans (BCP) in place so that we can be available in their time of need.
Regulatory Requirements
• As an Insurance Company and Financial Institution, we have regulatory requirements with the Office of the Comptroller of the Currency (OCC), Department of Insurance (DOI) as well as other regulatory bodies.
FFIEC BCP Objectives
The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components;
Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery;
Business continuity planning includes the integration of the institution's role in financial markets;
Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and
Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing.
FFIEC BCP Process
Business Impact Assessment
• Prioritization and Depend. of Busn. Process
• Potential Impact of Disruptions
• Leg/Reg Requirements
• Est. Downtime & Acceptable Loss
• RTOs, RPOs, Crit. Path
Risk Assessment
• BIA
• Threat Scenarios
• Analyze Threat Impact
• Prioritizing Disruptions
• GAP Analysis vs. Policies & Procedures
Risk Management
• BIA and RA
• Specific Steps
• Flexible to Respond
• Various Threats
• Minimize Disruptions
Risk Monitoring and Testing
• BIA, RA, RM Testing
• Enterprise-wide Testing Program
• Assign Roles & Responsibilities
• Annual Test/Exercise
• Evaluate by Leadership & Independent Party
BCP Components
• Personnel;
• Communication;
• Technology issues;
– Hardware - mainframe, mid-range, servers, network, end-user;
– Software - applications, operating systems, utilities;
– Communications (network and telecommunications);
– Data files and vital records;
– Operations processing equipment; and
– Office equipment.
BCP Components (cont.)
• Facilities;
• Electronic payment systems;
• Liquidity concerns;
• Financial disbursement;
• Manual operations; and
• Other considerations.
Key Roles in BCP
Enterprise Business Continuity
• Communicates strategic decisions to Department BRCs
• Provide process and tool training for BUTLs and BRCs
• Provide Exercise Assistance
Business Recovery Coordinator (BRC)
• BRCs are located in the Field and in each Corporate Dept to coordinate/communicate activities associated with BCP
• Corporate BRCs are responsible for a specific Dept, while BRCs in the Field are responsible for a particular location
Business Unit Team Leader (BUTL)
• BUTLs are responsible for maintenance/update of Business Unit BCP, periodic plan exercises, and execution of plan at time of disaster
• BUTLs are also known as plan owners
Annual BCP Cycle
0. Plan Development
1. Review
2. Exercise
3. Update
4. Verification
0. Plan Development
The goal of business continuity planning is to reduce the impact of any
disruptive event to a manageable level. Plans are developed to:
• Organize recovery of business units and/or processes.
• Establish team leadership responsibilities and design team structures.
• Document key information for the plan, including call trees, recovery
procedures, work area requirements and prioritization, vital records, key
contacts, etc.
Each BRC is responsible for ensuring that all BCPs are in place and current.
Continued plan development is critical for plans to be effective. The required
annual review of the BCP must be completed within a window and consists of:
1. Plan Review
2. Plan Exercise
3. Plan Update
4. Plan Verification
1. Plan Review
1. Review the roles and responsibilities of a BRC or BUTL
and the Business Continuity Annual Plan Review process.
2. Read through a printed copy of your plan, or navigate
through each section in the BCP tool used. Make note of any
information currently contained in the plan that needs to
be verified, updated, or removed, as well as any
information that must be added.
3. If your plan encompasses multiple functional areas,
consider contacting subject matter experts in each of
those areas to ensure the plan adequately addresses their
recovery needs. If necessary, gather additional material
for those areas and incorporate the information into your
plan.
2. Plan Exercise
Some of the objectives of the Plan Exercise are:
• Evaluate the recovery procedures to ensure accuracy.
• Verify the ability of recovery teams to activate their plans and recover their
critical functions.
• Identify cross-functional interdependencies with other business units.
• Identify plan deficiencies and document information changes that require
plan modification.
• Evaluate whether recovery plans have been properly maintained and
updated to reflect actual recovery needs.
Annual exercises are performed to include all associates who have recovery
responsibilities under the BCP. Each BRC should establish an exercise cycle
that increases in scope and complexity over time.
• Table Top
• Walk Through
• Mock Exercise
• IT DR Exercise
• Actual Event
3. Plan Updates
• Based on changes identified during the annual plan review
and/or exercise process, the BUTL updates the BCP and
any related documentation in the plan.
• Updates to vital records, contact information, documented
procedures, equipment needs, skillset requirements,
vendor information, hardware and software requirements,
4. Plan Verification
• Plan Verification is the final phase of the business
continuity planning process. This ensures business
continuity plans are accurate and compliant with company
standards.
• Each business unit is required to submit review verification
documentation within 3 months from the date each
business unit plan expires. Each plan must be reviewed for
accurate content, some level of exercise must be
performed, and updates must be made to the plan based upon
the plan review and exercise discoveries.
Additional Resources
• Federal Financial Institutions Examination Council
(FFIEC) IT Examination Handbook -
http://ithandbook.ffiec.gov/
• Federal Emergency Management Agency (FEMA) -
http://www.fema.gov/media-library/assets/documents/89510
FEMA BCP Process
BCP Overview
Questions?