Post on 16-Mar-2018
Business Continuity Planning
Presentation and
Direction
Thomas Bronack, president
Data Center Assistance Group, Inc.
15180 20th Avenue
Whitestone, NY 11357
Phone: (718) 591-5553
Email: bronackt@dcag.com
What is Business Continuity Planning?
Planning to ensure the continuation of
operations in the event of a catastrophic
event.
Business continuity planning goes beyond disaster recovery planning
to include:
• the actions to be taken,
• resources required, and
• procedures to be followed to ensure the continued availability of
essential services, programs, and operations in the event of
unexpected interruptions.
4/19/2012 Business Continuity Presentation 2
Key Elements
• Disaster Recovery
• Business Recovery
• Contingency Planning
• Crisis Management
4/19/2012 Business Continuity Presentation 3
Business Continuity Plan
• Identify Risks - Triage to assess all processes
All business functions
Data
Suppliers
Infrastructure
• Develop Plans for Everything
• Test and Exercise the Plans
• Layer Business Plan & Disaster Plan
4/19/2012 Business Continuity Presentation 4
Create a Business Continuity
Management Team
• Lead by Top Management.
• Project Monitored by the Board
of Directors.
• Regular Status Reporting to
Management.
• Broad-based Planning Project.
• Awareness for Everyone.
Key Players
Senior Officials
Internal Audit
Risk Management
Legal
Finance/Budget
Procurement
Safety
Others?
4/19/2012 Business Continuity Presentation 5
Business Continuity
Process
• Assess - identify and triage all threats (BIA)
• Evaluate - assess likelihood and impact of each threat
• Prepare – plan for contingent operations
• Mitigate - identify actions that may eliminate risks in advance
• Respond – take actions necessary to minimize the impact of risks that materialize
• Recover – return to normal as soon as possible
4/19/2012 Business Continuity Presentation 6
Project Reporting/Tracking
• Use summary reports for management
Measurable and quantifiable progress
Risk rating
Prioritization
Regular reporting (weekly or bi-weekly)
Sort on priority, progress, time-to-completion
4/19/2012 Business Continuity Presentation 7
BIA Review Factors
All Hazards Analysis
Likelihood of Occurrence
Impact of Outage on Operations
System Interdependence
Revenue Risk
Personnel and Liability Risks
4/19/2012 Business Continuity Presentation 8
Process Inventory and Triage The purpose of the BIA is to:
Identify critical systems, processes and functions;
Establish an estimate of the maximum tolerable
downtime (MTD) for each business process
Assess the impact of incidents that result in a denial of
access to systems, services or processes; and,
Determine the priorities and processes for recovery of
critical business processes.
4/19/2012 Business Continuity Presentation 9
Prioritize Risk Factors
Personal Safety Risk
Services Risk
Operational Risk
Revenue Risk
Liability Risk
Good Will (Societal) Risk
4/19/2012 Business Continuity Presentation 10
Risk Analysis Matrix
High
Medium
Low Low Medium High
Area of
Major
Concern
4/19/2012 Business Continuity Presentation 11
Risk Risk Numeric
Factor Rating Score
Degree of H 8 Process must function for core operations
Organizational M 6 Process required for daily settlement
Dependence L 3 Process is not critical to daily operations
Probability H 0 Probability > 0.5 that alternative process will work
of Successful M 2 Probability < 0.5 that alternative process will work
Alternative L 3 No plans for alternative process
Dependence H 5 Business functions depend highly on process
on M 3 Business functions depend somewhat
Automation L 1 Manual operation possible w/o penalty
Criticality of H 4 Critical business function - core process
Business M 2 Secondary line-of-business
Process L 0 Not a critical process
Explanation
BCP Risk Rating Methodology
Risk Rating Methodology
4/19/2012 Business Continuity Presentation 12
What Are External Risks?
External Risks are risks presented by
factors outside the enterprise; these
include: – risk present in natural disaster,
– labor strife,
– the possible failures of business partners,
– suppliers,
– public utilities,
– transportation,
– telecommunications, and
– other businesses.
4/19/2012 Business Continuity Presentation 13
Ris
k
High
Low
Threat Areas
Ap
pli
cati
on
s
Infr
astr
uctu
re
Exte
rnal
Facto
rs
Risk Areas
4/19/2012 Business Continuity Presentation 14
Review External Dependencies
Suppliers
Subcontractors
Vendors
Your
Organization
Clients /
Customers
Conduit
Organizations
Infrastructure Dependence (power, telecom, etc.)
System Up Time (computing, data,networks, etc.)
4/19/2012 Business Continuity Presentation 15
Loss of Lifelines
• What will we do if there is no power?
• No phone service?
• No Water?
• Government services?
• How will the public react?
4/19/2012 Business Continuity Presentation 16
Emergency Management
Planning
• Work with local and regional disaster agencies
• Assess special problems with disasters
Loss of lifelines
Emergency response
• Review and revise existing disaster plans
• Look for new areas for disaster plans
• Include Disaster Recovery Planning
4/19/2012 Business Continuity Presentation 17
Contingency Planning Issues
• Power and Telecommunication Failures
• System Failures
• Natural Disasters
• Local Emergencies
• Workplace Violence
• Supply Chain Disruptions
4/19/2012 Business Continuity Presentation 18
Contingency Planning Process Phases
Assessment - organizing the team, defining the scope, prioritizing the risks, developing failure scenarios
Planning - building contingency plans, identifying trigger events, testing plans, and training staff on the plan
Plan Execution - based on a trigger event, implementing the plan (either preemptively or reactively)
Recovery - disengaging from contingent operations mode and restarting primary processes of normal operations by moving from contingency operations to a permanent solution as soon as possible.
4/19/2012 Business Continuity Presentation 19
Develop Scenarios
• How bad will the “big one” be? – Extended Power, Water, or Telecom Outages?
– Supply Chain Disruptions?
– Civil unrest?
• Develop various scenarios and pick
which ones to plan for.
4/19/2012 Business Continuity Presentation 20
Evaluating Alternatives
• Functionality - provides an acceptable level
of service
• Practicality - is reasonable in terms of the
time and resources needed to acquire, test,
and implement the plan
• Cost Benefit - cost is justified by the benefit
to be derived from the plan
4/19/2012 Business Continuity Presentation 21
It’s Not Enough
Just to Plan
• Use focus groups and brainstorming
Seek “what can go wrong”
Find alternate plans & manual work arounds
Find innovative solutions to risks
• Contingency plans must be exercised
Hold table top exercises for disasters
Conduct “fire drills” of plans
Train staff for action during emergencies
4/19/2012 Business Continuity Presentation 22
Trigger Event
Occurs
Execute Plan
Execution
Event Ends Activate Recovery
Plan
Recovery
Develop Plans
Planning
Identify Event
Triggers
Develop
Scenarios
Conduct Risk
Assessment
Risk Scoping &
Prioritization
Assessment
Test Plans
Organize Risk
Assessment
Team
Train on Plans
Contingency Planning Phases
4/19/2012 Business Continuity Presentation 23
Risk Management Formula
Risk Assessments
+
Contingency and Recovery Planning
+
Validation and Training
Due Diligence
Best Practices
Good Business
Judgement
4/19/2012 Business Continuity Presentation 24