Business Continuity / Disaster Recovery from a

Business Perspective

Dan Esser, CBCP, FLMI109 Haywood Ct.

Columbia, MO 65203573-234-2948

DEsser5@aol.com

2

Not just Computer Back-Up

• IT functionality - limited usefulness if the rest of the business is not present.

• Today’s primary discussion - non-IT functionality.

3

What you get to take with you

• An overview of BCP Structure and Techniques.

• A set of questions you can ask in your business to help you gauge preparedness.

• Some Tools and Resources that may be useful.

4

Disaster Fact

• Out of every FIVE businesses that suffer a major disaster,

• TWO will never reopen and

• A THIRD will fail within 2 years.

[DRI International]

5

BCP Like Life Insurance?

• Uses up resources.

• Only pays off if something bad happens.

• Costs every year - Never Finished

6

Kinds of Risks / Dangers

• Natural

• Proximity

• People

• Environmental

7

Natural Risks

• Earth

• Wind

• Fire

• Water

8

Proximity Risks

• Government Buildings

• Airports / Heliports

• Industries using Chemicals or Flammables

• Trains

• Highways

9

Risks from People

• Disease

• Bomb Threats

• Workplace Violence

• Cyber Attacks

10

Environmental Risks

• Asbestos

• PCB’s

• Mold / Sick Building Syndrome

• Piled up Paper

• Ongoing Construction

11

BCP as Advance Planning

• Business Continuity Planning is at least

partially the art of making all the decisions

that can be made in advance of a disaster.

12

BCP - Four Major Components

BIA

Life/Safety

DepartmentalRecovery

EM & R

13

BCP - Four Major Components

Life/SafetyPlan

14

BCP - Four Major Components

Business Impact Analysis

15

BCP - Four Major Components

Emergency Management & Response

16

BCP - Four Major Components

DepartmentalRecovery

17

RTO’s, RPO’s & Declaration

Disaster Event

Disaster Declaration

Department RTO

Info Tech RTO

Reconstruct WIP & Lost

Stockpiled Transaction Input

Normal Business Activities

Catch-up Processing

GAP

Pre-Processing Opportunity

18

How Important is Information Technology?

• If you can only afford to protect one thing in your business, protect your data. You will not recover without it.

• Just don't expect that alone to save you from a disaster.

19

Functionality is the Issue

• A business must regain process functionality.

• Computers are just a tool.

• They make things faster, but they are not the business.

20

Scenario

• You are a Progressive Organization.

• Your Data is Backed up and Off Site - Daily.

• You can Recover from any Disaster that Dares to hit you.

21

Scenario

• You are a Progressive Organization.

• Your Data is Backed up and Off Site - Daily.

• You can Recover from any Disaster that Dares to hit you.

NOTNOT

22

Scenario - 2

• A disaster event – fire, flood, anthrax,

something – has made your primary

business location unusable, either

permanently, or for a long time…

23

Good News - Maybe

• You already have the answers.

• Here are some of the questions to assist

your planning process.

24

Management Organization

• Where is the default meeting place for

senior managers if telephones are

unavailable?

• Is there a succession plan if several senior

managers are killed in the disaster?

25

Management Organization

• Who would face the media and regulatory authorities?

• Is he or she prepared to do so?

• Is there a backup person?

• Do all others know to NOT talk to the media?

26

Management Organization

• How many days can the company be

completely “down” before serious business

repercussions are inevitable? (loss of

customers, employees, regulatory

intervention)

27

Notification

• How would you contact employees,

suppliers, key customers, etc. without

access to your business records?

28

Infrastructure

• How much space would you need and how quickly could it be acquired?

• What space is available today in your city?

• Who is in charge of office layout, furniture, wiring, etc. …and who backs them up if they are made unavailable by the disaster?

29

Resource Requirements

• Who has purchasing authority? • Who is the purchasing backup?• How quickly would the company need

replacement resources? Day 1, day 3, etc.? – Do you know where to get those resources in

the quantities you need on a rush basis?– Have you ever tested whether or not those

suppliers can deliver on a rush basis?

30

Resource Requirements

• What custom documents and forms does the

company have where the entire supply is on

site? (checks, envelopes, letterhead,

invoices)

31

Advance Agreements

• Who is in charge of liaison with fire, police

or other emergency authorities?

• Who is his/her backup?

– Have you met with those authorities to

determine their protocols in emergencies and

establish a liaison relationship with them?

32

Advance Agreements

• Does the company have arrangements with its telephone carrier to place messages on inbound lines until they can be answered? – What messages will you use?

– Who will the telephone carrier recognize as having the authority to institute them or make changes?

33

Emergency Operations

• How would the company go about setting

up an Emergency Operations Center?

• Who would staff the EOC?

• Do you have EOC supplies already off site?

(Sample list in packet)

34

Emergency Operations

• Which critical business functions need to be up and running first?– How long can functions be down before the

company incurs regulatory scrutiny and penalties?

– How long can functions be down before customers abandon you for another supplier?

– What can you do to mitigate this?

35

Financial Preparation

• Are emergency lines of credit in place and

the authority to access them clearly

delineated?

• Does the company have arrangements with

its bank(s) to continue repetitive payments

for a short time?

36

Financial Preparation

• Are corporate accounting records and

processes backed up and documented off

site? (Key people may not be available

after a disaster.)

• Does the company have manual

disbursement procedures?

37

Salvage

• Did you know that wet records could be

freeze-dried and often saved?

• Do you have an agreement with someone

who does that kind of work?

• Do you know who does that kind of work?

(See list at end)

38

Salvage

• Information from hard drives of smoke or

water damaged PC’s can also be retrieved

by experts.

39

Mail

• Mail handling operations are often

overlooked. What would the company do

about lost mail, both incoming and

outgoing?

• Is there a plan to get mail flowing in an

orderly fashion after a disaster?

40

Security

• How easy is it for a non-employee to get

into your office today?

• How would you maintain security at your

primary site until salvage could be carried

out?

41

Departmental Readiness

• Who is the recovery coordinator for each

department and what preparations have they

made?

• What are those things that each department

needs that may be “below the radar” of

corporate planners and not easily obtainable?

42

Departmental Readiness

• Have the departments taken any steps to

safeguard those things? – Every Department

should consider what kind of problems an

“off-site box” at a remote storage facility

could save them.

43

Departmental Readiness

• Has each department determined how to

recover work-in-progress?

• Does each department know what resources

it requires to resume business operations?

(How many computers, desks, chairs, file

cabinets, fax machines, printers, copiers,

phones, etc.?)

44

Departmental Readiness

• How quickly would each Department need

replacement resources? How much on day

1, day 3, day 5, etc.? (This is how you

build the company list.)

45

Departmental Technology

• Is the operating department responsible for

replacing desktop technology or is IT?

Does everyone understand that?

• Have you written into your plan the

minimum hardware/software configuration

you require for desktop workstations?

46

Resources

• For Clean Up / Restoration– BMS Catastrophe – (www.bmscat.com)

– ServiceMaster (www.servicemasterclean.com/)

• Mobile Office Space / Data Centers / Equipment– Agility Recovery Solutions (www.agilityrecovery.com)

– Sungard (www.sungard.com)

– Rental Systems (www.rentsys.com)

47

Resources

• Business Continuity Education and Certification– DRI International (www.drii.org)

• Professional Journals – Articles and links to vendors– Disaster Recovery Journal (www.drj.com)

– Contingency Planning & Management (www.contingencyplanning.com)

48

Resources

• Workplace Violence Resources– Occupational Safety & Health Administration

(http://www.osha.gov/SLTC/workplaceviolence/)

– National Institute for Occupational Safety and Health (http://www.cdc.gov/niosh/violcont.html)

– Minnesota Department of Labor & Industry – Workplace Violence Prevention Resources (http://www.doli.state.mn.us/violence.html)

– USDA Handbook on Workplace Violence Prevention and Response (http://www.usda.gov/news/pubs/violence/wpv.htm)