
Post on 16-Mar-2018


Business Continuity Planning Presentation and Direction

Thomas Bronack, president

Data Center Assistance Group, Inc.

15180 20th Avenue

Whitestone, NY 11357

Phone: (718) 591-5553

Email: bronackt@dcag.com

What is Business Continuity Planning?

Planning to ensure the continuation of operations in the event of a catastrophic event.

Business continuity planning goes beyond disaster recovery planning to include:

• the actions to be taken,

• resources required, and

• procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.

4/19/2012 Business Continuity Presentation 2

Key Elements

• Disaster Recovery

• Business Recovery

• Contingency Planning

• Crisis Management


Business Continuity Plan

• Identify Risks - Triage to assess all processes

All business functions

Data

Suppliers

Infrastructure

• Develop Plans for Everything

• Test and Exercise the Plans

• Layer Business Plan & Disaster Plan


Create a Business Continuity Management Team

• Led by Top Management.

• Project Monitored by the Board of Directors.

• Regular Status Reporting to Management.

• Broad-based Planning Project.

• Awareness for Everyone.

Key Players

Senior Officials

Internal Audit

Risk Management

Legal

Finance/Budget

Procurement

Safety

Others?


Business Continuity Process

• Assess - identify and triage all threats (BIA)

• Evaluate - assess likelihood and impact of each threat

• Prepare – plan for contingent operations

• Mitigate - identify actions that may eliminate risks in advance

• Respond – take actions necessary to minimize the impact of risks that materialize

• Recover – return to normal as soon as possible


Project Reporting/Tracking

• Use summary reports for management

Measurable and quantifiable progress

Risk rating

Prioritization

Regular reporting (weekly or bi-weekly)

Sort on priority, progress, time-to-completion


BIA Review Factors

All Hazards Analysis

Likelihood of Occurrence

Impact of Outage on Operations

System Interdependence

Revenue Risk

Personnel and Liability Risks


Process Inventory and Triage

The purpose of the BIA is to:

Identify critical systems, processes and functions;

Establish an estimate of the maximum tolerable downtime (MTD) for each business process;

Assess the impact of incidents that result in a denial of access to systems, services or processes; and,

Determine the priorities and processes for recovery of critical business processes.


Prioritize Risk Factors

Personal Safety Risk

Services Risk

Operational Risk

Revenue Risk

Liability Risk

Good Will (Societal) Risk


Risk Analysis Matrix

[Figure: risk analysis matrix with both axes graded Low, Medium, High; one region is labelled "Area of Major Concern".]


BCP Risk Rating Methodology

Risk Factor                            Risk Rating  Numeric Score  Explanation
Degree of Organizational Dependence    H            8              Process must function for core operations
                                       M            6              Process required for daily settlement
                                       L            3              Process is not critical to daily operations
Probability of Successful Alternative  H            0              Probability > 0.5 that alternative process will work
                                       M            2              Probability < 0.5 that alternative process will work
                                       L            3              No plans for alternative process
Dependence on Automation               H            5              Business functions depend highly on process
                                       M            3              Business functions depend somewhat
                                       L            1              Manual operation possible w/o penalty
Criticality of Business Process        H            4              Critical business function - core process
                                       M            2              Secondary line-of-business
                                       L            0              Not a critical process


What Are External Risks?

External Risks are risks presented by factors outside the enterprise; these include:

– risk present in natural disaster,

– labor strife,

– the possible failures of business partners,

– suppliers,

– public utilities,

– transportation,

– telecommunications, and

– other businesses.


Risk Areas

[Figure: risk (High to Low) shown across the threat areas Applications, Infrastructure, and External Factors.]


Review External Dependencies

Suppliers

Subcontractors

Vendors

Your Organization

Clients / Customers

Conduit Organizations

Infrastructure Dependence (power, telecom, etc.)

System Up Time (computing, data, networks, etc.)


Loss of Lifelines

• What will we do if there is no power?

• No phone service?

• No Water?

• Government services?

• How will the public react?


Emergency Management Planning

• Work with local and regional disaster agencies

• Assess special problems with disasters

Loss of lifelines

Emergency response

• Review and revise existing disaster plans

• Look for new areas for disaster plans

• Include Disaster Recovery Planning


Contingency Planning Issues

• Power and Telecommunication Failures

• System Failures

• Natural Disasters

• Local Emergencies

• Workplace Violence

• Supply Chain Disruptions


Contingency Planning Process Phases

Assessment - organizing the team, defining the scope, prioritizing the risks, developing failure scenarios

Planning - building contingency plans, identifying trigger events, testing plans, and training staff on the plan

Plan Execution - based on a trigger event, implementing the plan (either preemptively or reactively)

Recovery - disengaging from contingent operations mode and restarting primary processes of normal operations by moving from contingency operations to a permanent solution as soon as possible.


Develop Scenarios

• How bad will the “big one” be?

– Extended Power, Water, or Telecom Outages?

– Supply Chain Disruptions?

– Civil unrest?

• Develop various scenarios and pick which ones to plan for.


Evaluating Alternatives

• Functionality - provides an acceptable level of service

• Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan

• Cost Benefit - cost is justified by the benefit to be derived from the plan


It’s Not Enough Just to Plan

• Use focus groups and brainstorming

Seek “what can go wrong”

Find alternate plans & manual workarounds

Find innovative solutions to risks

• Contingency plans must be exercised

Hold tabletop exercises for disasters

Conduct “fire drills” of plans

Train staff for action during emergencies


Contingency Planning Phases

[Figure: flow diagram of the four phases (Assessment, Planning, Execution, Recovery) with the steps: Organize Risk Assessment Team; Conduct Risk Assessment; Risk Scoping & Prioritization; Develop Scenarios; Develop Plans; Identify Event Triggers; Test Plans; Train on Plans; Trigger Event Occurs; Execute Plan; Event Ends; Activate Recovery Plan.]


Risk Management Formula

Risk Assessments + Contingency and Recovery Planning + Validation and Training

Due Diligence

Best Practices

Good Business Judgement
