
Business Continuity

Date post: 16-Feb-2016
Upload: prasad-kshirsagar
Business Continuity: An introduction
Page 1: Business Continuity

Business Continuity: An introduction

Page 2: Business Continuity

Purpose

The sole purpose of Business Continuity is to maintain a minimum level of service while restoring the organization to business as usual.

Page 3: Business Continuity

Who needs it? Everyone

- Commerce and industry need it to protect the customer base
- Charities need it to assure continued funding
- Government agencies need it to assure continued funding and existence
- Managers need it to assure their positions

Page 4: Business Continuity

The difference

The difference between Business Continuity and Disaster Recovery

- Business Continuity is PROACTIVE; its focus is to avoid or mitigate the impact of a risk
- Disaster Recovery is REACTIVE; its focus is to pick up the pieces and to restore the organization to business as usual after a risk occurs
- Disaster Recovery is an integral part of a Business Continuity plan

Page 5: Business Continuity

Why Business Continuity?

An organization which fails to provide a minimum level of service to its clients following a disaster event may not have a business to recover

- Customers may go to a competitor
- Funding may disappear
- A need may be re-evaluated and deemed unnecessary

Page 6: Business Continuity

What to protect

- Business functions
  - Functions which provide products or services
- Critical support functions
  - Functions without which the Business Functions cannot function (e.g. Facilities, IT)
- Corporate level support functions
  - Functions required for effective operation of Business Functions (e.g. HR, Finance)

Page 7: Business Continuity

Most important resource

Personnel

Page 8: Business Continuity

Why people?

Although there are other critical resources, the actual product or service in most organizations depends on actions performed by, and decisions made by, people.

Page 9: Business Continuity

Who is involved? In a word, EVERYONE

- Executive management
- Mid-level managers
- Line personnel
- Support personnel
- Vendors
- Municipal Emergency Management

Page 10: Business Continuity

Management involvement

Executive management

- Support is required for successful plan
- Provides high-level overview of organization’s operation
- Provides long-range planning to assure the Business Continuity plan complements the organization’s Business Plan

Page 11: Business Continuity

Mid-level managers

- Provide departmental direction
- Provide department-level overviews
- Provide an insight into external (to the department/function) interdependencies
- Offer suggestions on how to enhance critical business processes
- Identify risks

Page 12: Business Continuity

Line personnel

- Provide operational details
- Offer suggestions on how to enhance critical business processes
- Identify risks

Page 13: Business Continuity

Support personnel

Provide information about services which assure the critical Business Functions can be performed at a minimum level of service or better

Provide information about protecting resources

Page 14: Business Continuity

Support may include: Accounts receivable, Accounts payable, Communications, Documentation, Facilities, Finance, Human Resources, IT/MIS, Janitorial, Legal, Mail Room, Marketing, Public relations, Sales

Page 15: Business Continuity

Vendors

Vendors provide services and products

- Courier services and mail
- Communications (telephone, fax, email)
- Insurance (business, health, property)
- Necessities (municipal services)
- Utilities (electricity, fuel)

Page 16: Business Continuity

Emergency Management

Municipal Emergency Management must be included in the plan to

- Assure personnel safety
- Mitigate damage from risks
- Train personnel to avoid risks and to protect themselves and the organization

Page 17: Business Continuity

No man – or department – is an island

Page 18: Business Continuity

Protect all to protect one

In order to protect any single Business Function, the enterprise must be protected.

There are too many easily identifiable dependencies to create successful “function-only” or “resource-only” plans.

Page 19: Business Continuity

A few risks

Aircraft accident, Bond rating, Civil unrest, Communications, Competition, Customer failure (K-Mart), Debris, Drought, Electrical failure, Epidemic, Espionage, Fire, Flood, Hacked database, HazMat incident, Heat, Hurricane, Ice, Industry image (airlines)

Page 20: Business Continuity

A few more risks

Internet failure, Intranet failure, IT/MIS, Legal action, Lender reluctance, Local statutes, Loss of key personnel, Rail accident, Recession, Regulatory agencies, Reputation, Snow, State law, Stock value, Tornado, Traffic accident, Vendor failure, Wildfire, Work action, Ubiquitous “other”

Page 21: Business Continuity

Rating a risk

Not all risks present the same danger to an organization

Risks are rated based on

- Probability of occurrence
- Impact on the organization

Page 22: Business Continuity

Risk options

- Avoid the risk
  - Usually the most expensive option
  - Required by some 24*7*365 operations
- Mitigate the risk
  - Less expensive than avoidance
  - Reduces the impact of the “inevitable”
- Absorb the risk
  - The process or product is antiquated anyway

Page 23: Business Continuity

The plan – Part 2

- Create business continuation processes
- Create organization recovery processes
- Create a training program
- Establish a plan maintenance procedure
- Train, train, and train some more

Page 24: Business Continuity

Business continuation

- Business continuation processes are designed so the organization maintains “at least a minimum level of service” to assure there will be a business to recover
- Each Business and Support function must have a continuation plan
- How quickly the process must be functioning depends on the maximum allowable outage

Page 25: Business Continuity

Recover the business

This may be in multiple stages:

- Recovery to a minimum level of service
- Recovery to business as usual

There may be intermediate stages between the two recovery stages shown above

Page 26: Business Continuity

Training program

The training program has two primary goals:

- To assure personnel will be able to efficiently and effectively respond following a disaster event
- To develop self-confidence in the personnel to perform their assigned functions

Page 27: Business Continuity

Maintenance

A plan that lacks maintenance quickly becomes a “non-plan”

- Plan maintenance is based on the calendar
- Plan maintenance is based on “trigger” events
  - Personnel change
  - Process, procedure change
  - Etc.

Page 28: Business Continuity

Creating a plan

- Do it yourself
  - Can you think of everything?
  - Can you think objectively?
  - Who will review your plan?
- Call a professional
  - Experience
  - Network to help think of almost everything
  - Only objective is to create a successful plan

Page 29: Business Continuity

Plan, Purpose, Scope

Business Continuity Plan (BCP)
- Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
- Scope: Addresses business processes; IT addressed only in the context of supporting business process

Business Recovery (or Resumption) Plan (BRP)
- Purpose: Provide procedures for recovering business operations immediately following a disaster
- Scope: Addresses business processes; not IT-focused

Continuity of Operations Plan
- Purpose: Establish procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days
- Scope: Addresses subset of an organization’s missions deemed critical; not IT-focused

Continuity of Support Plan
- Purpose: Establish procedures and capabilities for recovering a major application or general support system
- Scope: Similar to IT contingency plan; addresses IT system disruption; not business process focused

Disaster Recovery Plan (DRP)
- Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site
- Scope: Often IT-focused; limited to major disruptions with long-term effects

Incident Response Plan
- Purpose: Define strategies to detect, respond to, and limit consequences of malicious cyber incident
- Scope: Focuses on information security responses to incidents affecting systems and/or networks

Occupant Emergency Plan
- Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat
- Scope: Focuses on personnel and property particular to the specific facility; not business- or IT-focused

Page 30: Business Continuity

1) Develop a business continuity / disaster recovery plan

- Establish a disaster-recovery team of employees who know your business best, and assign responsibilities for specific tasks.

- Identify your risks (kinds of disasters you're most likely to experience).

- Prioritize critical business functions and how quickly these must be recovered.

- Establish a disaster recovery location where employees may work off-site and access critical back-up systems, records and supplies.

- Obtain temporary housing for key employees, their families and pets.

- Update and test your plan at least annually.

Page 31: Business Continuity

2) Alternative operational locations

Determine which alternatives are available. For example:

- A satellite or branch office of your business.
- The office of a business partner or even an employee.
- Home or hotel.

Page 32: Business Continuity

3) Backup site.

Equip your backup operations site with critical equipment, data files and supplies:

- Power generators.
- Computers and software.
- Critical computer data files (payroll, accounts payable and receivable, customer orders, inventory).
- Phones/radios/TVs.
- Equipment and spare parts.
- Vehicles, boats and spare parts.
- Digital cameras.
- Common supplies.
- Supplies unique to your business (order forms, contracts, etc.).
- Basic first aid/sanitary supplies, potable water and food.

Page 33: Business Continuity

4) Safeguard your property

Is your property prepared to survive a hurricane or other disaster:

- Your building?
- Your equipment?
- Your computer systems?
- Your company vehicles?
- Your company records?
- Other company assets?

Page 34: Business Continuity

5) Contact information

Do you have current and multiple contact information (e.g., home and cell phone numbers, personal e-mail addresses) for:

- Employees?
- Key customers?
- Important vendors, suppliers, business partners?
- Insurance companies?
- Is contact information accessible electronically for fast access by all employees?

Page 35: Business Continuity

6) Communications

Do you have access to multiple and reliable methods of communicating with your employees:

- Emergency toll-free hotline?
- Website?
- Cell phones?
- Satellite phones?
- Pagers?
- BlackBerry(TM)?
- Two-way radios?
- Internet?
- E-mail?

Page 36: Business Continuity

7) Employee preparation

Make sure your employees know:

- Company emergency plan.
- Where they should relocate to work.
- How to use and have access to reliable methods of communication, such as satellite/cell phones, e-mail, voice mail, Internet, text messages, BlackBerry(TM), PDAs.
- How they will be notified to return to work.
- Benefits of direct deposit of payroll and subscribe to direct deposit.
- Emergency company housing options available for them and their family.

Page 37: Business Continuity

8) Customer preparation

Make sure your key customers know:

- Your emergency contact information for sales and service support (publish on your website).

- Your backup business or store locations (publish on your website).

- What to expect from your company in the event of a prolonged disaster displacement.

- Alternate methods for placing orders.

- Alternate methods for sending invoice payments in the event of mail disruption.

Page 38: Business Continuity

9) Evacuation order

When a mandatory evacuation is issued, be prepared to grab and leave with critical office records and equipment:

- Company business continuity / disaster recovery plan and checklist.
- Insurance policies and company contracts.
- Company checks, plus a list of all bank accounts, credit cards, ATM cards.
- Employee payroll and contact information.
- Desktop/laptop computers.
- Customer records, including orders in progress.
- Photographs/digital images of your business property.
- Post disaster contact information inside your business to alert emergency workers how to reach you.
- Secure your building and property.

Page 39: Business Continuity

10) Cash management

Be prepared to meet emergency cash-flow needs:

- Take your checkbook and credit cards in the event of an evacuation.
- Keep enough cash on hand to handle immediate needs.
- Use Internet banking services to monitor account activity, manage cash flow, initiate wires, pay bills.
- Issue corporate cards to essential personnel to cover emergency business expenses.
- Reduce dependency on paper checks and postal service to send and receive payments (consider using electronic payment and remote deposit banking services).

Page 40: Business Continuity

11) Post-disaster recovery procedures

- Consider how your post-disaster business may differ from today.

- Plan whom you will want to contact and when.

- Assign specific tasks to responsible employees.

- Track progress and effectiveness.

- Document lessons learned and best practices.

