2016 PA Statewide Payroll Conference Disaster Recovery

Go to APAcongress.org for more details about the biggest

payroll event of the year

Speaker

Bruce E. Phipps CPP

Vice President – American Payroll Association

2011 APA Payroll Man of the Year

Principal Product Manager

US Legislative Analyst

ORACLE Corporation bruce.phipps@oracle.com

610-729-3586

Disaster Recovery

“The best way to explain the importance

of disaster planning is this; get up

from your desk right now, walk out the

door and know that everything you left

behind is destroyed. Then tomorrow,

go back to work.”

(Bob Weaver, US Secret Service)

Blank slide for images and graphics

Agenda

Disaster Recovery vs. Business Continuity

Key Components to Disaster Recovery & Business Recovery

Comprehensive Business Continuity

Business Continuity Planning Cycle

Business Continuity Recovery Plan

Payroll Business Continuity Recovery Plan

8

Why Plan for a Disaster

Recent Natural Disasters

Hurricane Sandy October 22 – 31, 2012

North American Blizzards

• November 7 - 10, 2012

• December 17 - 22, 2012

• December 25 - 28, 2012

Blizzard of 2013

• Winter Storm Nemo/Blizzard of 2013

Boston Marathon

Disaster Recovery vs Business Continuity

Disaster Recovery focuses on the plan to reestablish operations by protecting the “Tools” of the business…

• Systems and Hardware

• Data integrity and back-up

• Facilities and security

• Data Flow

• People resources and documentation

Disaster Recovery Plan

Illustrates how IT supports the business

Step-by-step procedures to ensure the recovery of each critical component of the IT infrastructure

• Hardware

• Data (electronic and paper)

• Applications

• Telecommunications

• Specialized Equipment

• Supplies

Communication and contact information

Business Continuity keeps the business running during a disaster…

• Provides location to perform work

• Enables staff to resume work or provide for subsititutes

• Enables systems and hardware to be deployed or interim solutions placed in operation

• Completes the functions of payroll department

Disaster Recovery vs Business Continuity

Types of Disasters

Catastrophic climate or geological events

Government economic crisis

Political unrest

Labor walkouts or strikes

Security breaches

Computer attacks

System failures

Worker relocation

Why It Is Important to Plan

Disruptions can have serious impact

Missed or late payrolls

• Potential federal, state, and local violations

• Contractual breach – unions

• Employee morale and productivity

Late third-party payments

Late tax and regulatory filing

Late posting of General Ledger data

Plan Development

Response: Responding to the event

Resumption: Resuming critical and essential functions

• Limited Service Offering – 60%???

Recovery: Resumption of non-critical functions

• Full / Near-full Service Offering – 90%???

Restoration: “Back to the Norm”

Key Components to Disaster Recovery

Create Comprehensive Recovery Plans

Identify communications with

a delivery plan

Involve Senior Leadership

Establish government,

civil authorities, and private sector contacts before an event occurs

Ensure plan is communicated to team

Key Components to Disaster Recovery

Emergency Management: Able to continue critical business processes within a predetermined period following a disaster or other business interruption

Continuity Planning: Able to resume normal business processes within a predetermined period following a disaster or other business interruption

Business Continuity Elements

First bullet starts here

Payroll Business Continuity Team

Include functional subject matter experts and project management resources

Include reps from:

• Human Resources/Payroll

• Benefits/Compensation

• Legal/Public Affairs

• Finance/Treasury

• Communications

• Operations & Information Technology (IT)

Business Continuity Planning

Business Impact Analysis

Risk Assessment

Recovery Strategy

Plan Implementation

Exercising Validation

RTO/RPO in Business Continuity Planning

RPO (Recovery Point Objective)

Amount of data,

measured in time,

that can be lost in

a disaster

• Consider if there is a means to reconstruct the lost data

• Need to look at what risks you will bear for the costs

Business Impact Analysis

Foundation for business continuity planning

programs

• Determine Recovery Time Objectives (RTOs)

• How long can we go without _____?

• Recovery Point Objectives (RPOs) based on their corresponding functions

• How much data can we afford to loose?

• Realize the current state of recovery preparedness and established workarounds

• Evaluate recovery resource requirements

Business Recovery Strategy

Identify Business Functions, RTOs & RPOs

Determine IT Network and System Requirements for current and future years

Design a Displacement Strategy

Educate Business Units on roles and responsibilities to build plans

Maintain & Exercise Business Recovery Plans

Business Continuity Recovery Scenarios

Disaster - Event which renders company’s facility unusable or inaccessible for a period of time estimated to exceed “xx” calendar days

Worst-Case Interruption – Company’s facilities are totally unusable or inaccessible and there is no salvageable equipment, data, documentation, etc.

Business Continuity Recovery Scenarios

Less-Severe Interruption – Ability to resume operations because of the plan identification structure for each time-sensitive operation, information system & support area

Localized Emergency – Equipment vendors & local utility companies able to replace computer & communications hardware & telephone circuits in “xx” calendar days

Business Continuity Recovery Components

Documentation Files – Required for resumption/recovery purposes; backed up off-site and/or electronically imaged

Computer Files – Required to implement resumption of Mainframe, WAN & PC/LAN operating environments and /or support time-sensitive business operations; backed up off-site

Business Continuity Recovery Components

Backup Storage Locations – Backup items for resumption/recovery stored on/off-site or quickly obtained or created from other identified sources

Internal and External Contacts – Information necessary to quickly complete internal & external contacts required during resumption; documented/maintained in plan

Business Continuity Recovery Components

Cloud Computing – Applications hosted by vendor in the “cloud” are accessed through the Internet along with data files

Recovery Windows

Recovery Cost Balancing

Business Continuity Recovery System Interfaces

Bank for ACH files

Tax authorities – federal, state, local

Benefit providers – health, 401(k), etc

Third party vendors – outsource providers

Distribution vendors – printing and distribution

Union organizations

Business Continuity Recovery System Interfaces

Time and attendance application

Payroll application/ERP

Benefits application

Accounting system

Banking application

Tax application

ESS/MSS application

Business continuity Recovery Components

Communication devices to feed various forms of communications receipt

• Home/Cell Phone – off-duty and emergency response personnel (include text messages)

• Work Phone - emergency response on duty

• Fax Machine – Transmit information to remote sites

• Laptop/Smart Devices – access to remote servers, SAAS

• Printer – document notification responses/reports

Payroll Business Continuity Recovery – In Action

Step 1 – Senior Payroll Management to meet to identify:

• Functions and Processes – Critical and essential

• Projected impacts on payroll processing

• Impacts over time – Prolonged Outage

• Operational and financial issues

• Expected timeline of displacement of people and technology

• Outage tolerance – Loss of functionality

• Backlog – Impact of loss data

• Impact: Staff, Facility, Technology, Information

Payroll Business Continuity Recovery – In Action

Step 2 – Senior Payroll Management and key payroll personnel establish alternate work area(s)

• Set up work spaces & equipment

• Create shift schedules & confirm staffing roles

• Set initial plan for following 2 weeks

• Evaluate employee “assistance plan” needs

• Confirm sufficient resources for those who will work from home or alternate location

• Technology – Hot Spots or Air Cards

Payroll Business Continuity Recovery Planning

Building the plan

• Create a Disaster Recovery Plan binder

• Establish approval process to initiate all security access to senior payroll operations

• Include system support analysts on phone tree

• Define risks and plan for mitigation & response

• Store off-site supplies critical to complete payroll processing

• Inventory and identify critical supplies and equipment for payroll processing

• Ensure your plan includes third party vendors and suppliers

• Identify three components of your operations – input, process, and output

Input, Process, and Output

Input

• Setting up employee income and deduction records

• Pay Adjustments

• Time Data

• Tax Records

• Upload spreadsheets

Process

• Process data in application

• Validate payroll data

• Bank transfer processing

• Validate general ledger data

• Calculate gross to net

• Generate tax deposits and filing

Output

• Checks/advices

• Third Party Payments

• Tax Returns and payments

• Files for internal organizations

• Reconciliations

• Reports (internal/external)

Testing Plan Elements

Right People. Right Place. Right Time.

Team Structure

Employee Roosters

Tasks/Functions

Vendors/Non-Vendors

Locations

Resources (supplies/other items)

Miscellaneous

Plan Testing - Why?

Determine unknowns

Know the unknowns

Testing and exercising verifies plan

Creates awareness & readiness

Testing & Exercising

Test at Least once a year

• Systems, applications, data recovery and telecommunications

• Work area/offsite facilities

• Work around procedures

Document tests

• Identify gaps

Why it needs to be done?

Testing & Exercising

Checklists – Verify backup tapes are offsite and current

Walkthrough – Fire Drill

Tabletop – Chemical Spill

Component – Call tree drill or work from home

Verify transactional processing via working from offsite facility or location

Types of Plans

Crisis Management or Response Plan

Business Continuity/ Recovery/ Resumption Plan

Disaster Recovery Plan

Pandemic or Workforce Continuity Plan

Crisis Management Plan

The Action Plan • Command and Control • Detailed Checklists for Management

Decision-Making Following a Disaster (Human & Facilities Related)

Policies & Procedures • Facilities Evacuation, Assessment,

Movement • Human Resources - Sick Leave,

Worker’s Compensation, Privacy • Media Handling

Call Trees/Lists • Employees, Customers, Vendors &

Media • Notification scripts and priorities

Business Continuity Plan

Alternate Step-by-Step Procedures for operating critical business functions on-site & offsite after a disaster

Minimal Operational Resources to maintain operations with a minor reliance on people and IT

Pre-Position Operational Resources at alternate sites

Communication and contact information

Pandemic Plans Workforce Continuity

SARS H5N1 H1N1

Workforce:

• Reduced workforce available

• Duration of the pandemic (“waves” vs. “returning to normal”)

• Social distancing (telecommunting vs. dislocation)

• Facilities cleanliness and supplies

Financial Services:

Impact on smaller and international institutions

Impact on time sensitive and complex functions

Technology:

Delays in service

Increase usage in suburban areas

Supply Chain:

Internal, external, business partners, government

Stress on the Health Care System

Degraded service levels

Operational infrastructure

THANK YOU

Bruce E. Phipps CPP Vice President – American Payroll Association

2011 APA Payroll Man of the Year

Principal Product Manager

US Legislative Analyst

ORACLE Corporation bruce.phipps@oracle.com

610-729-3586