Date post: | 16-Feb-2016 |
Category: |
Documents |
Upload: | prasad-kshirsagar |
View: | 9 times |
Download: | 0 times |
Business Continuity: An introduction
PurposeThe sole purpose of Business Continuity
is to Maintain a minimum level of service
while Restoring the organization to business as usual
Who needs it? Everyone
Commerce and industry need it to protect the customer base
Charities need it to assure continued funding Government agencies need it to assure
continued funding and existence Managers need it to assure their positions
The differenceThe difference between Business
Continuity and Disaster Recovery Business Continuity is PROACTIVE; its focus is to
avoid or mitigate the impact of a risk Disaster Recovery is REACTIVE; its focus is to
pick up the pieces and to restore the organization to business as usual after a risk occurs
Disaster Recovery is an integral part of a Business Continuity plan
Why Business Continuity?An organization which fails to provide a
minimum level of service to its clients following a disaster event may not have a business to recover
Customers may go to a competitor Funding may disappear A need may be re-evaluated and deemed
unnecessary
What to protectBusiness functions
Functions which provide products or services Critical support functions
Functions without which the Business Functions cannot function (e.g. Facilities, IT)
Corporate level support functions Functions required for effective operation of
Business Functions (e.g. HR, Finance)
Most important resource
Personnel
Why people?
Although there are other critical resources, the actual product or service in most organizations depends on actions performed by, and decisions made by, people.
Who is involved? In a word, EVERYONE
Executive management Mid-level managers Line personnel Support personnel Vendors Municipal Emergency Management
Management involvement Executive management
Support is required for successful plan Provides high-level overview of organization’s
operation Provides long-range planning to assure the
Business Continuity plan compliments the organization’s Business Plan
Mid-level managers
Provide departmental direction Provide department-level overviews Provide an insight into external (to the
department/function) interdependencies Offer suggestions on how to enhance critical
business processes Identify risks
Line personnel
Provide operational details Offer suggestions on how to enhance critical
business processes Identify risks
Support personnel
Provide information about services which assure the critical Business Functions can be performed at a minimum level of service or better
Provide information about protecting resources
Support may include Accounts receivable Accounts payable Communications Documentation Facilities Finance Human Resources IT/MIS Janitorial Legal Mail Room Marketing Public relations Sales
Vendors Vendors provide services and
products
Courier services and mail Communications (telephone, fax, email) Insurance (business, health, property) Necessities (municipal services) Utilities (electricity, fuel)
Emergency Management Municipal Emergency management
must be included in the plan to
Assure personnel safety Mitigate damage from risks Train personnel to avoid risks and to protect
themselves and the organization
No man – or department – is an island
Protect all to protect oneIn order to protect any single Business
Function, the enterprise must be protected.
There are too many easily identifiable dependencies to create successful “function-only” or “resource-only” plans.
Aircraft accident Bond rating Civil unrest Communications Competition Customer failure (K-Mart) Debris Drought Electrical failure Epidemic
Espionage Fire Flood Hacked database HazMat incident Heat Hurricane Ice Industry image (airlines)
A few risks
Internet failure Intranet failure IT/MIS Legal action Lender reluctance Local statues Loss of key personnel Rail accident Recession Regulatory agenciesReputation
Snow State law Stock value Tornado Traffic accident Vendor failure Wildfire Work action Ubiquitous “other”
A few more risks
Rating a riskNot all risks present the same danger to
an organization
Risks are rated based on Probability of occurrence Impact on the organization
Risk optionsAvoid the risk
Usually the most expensive option Required by some 24*7*365 operations
Mitigate the risk Less expensive than avoidance Reduces the impact of the “inevitable”
Absorb the risk The process or product is antiquated anyway
The plan – Part 2
Create business continuation processes Create organization recovery processes Create a training program Establish a plan maintenance procedure Train, train, and train some more
Business continuationBusiness continuation processes are designed
so the organization maintains “at least a minimum level of service” to assure there will be a business to recover
Each Business and Support function must have a continuation plan
How quickly the process must be functioning depends on the maximum allowable outage
Recover the businessThis may be in multiple stages:
Recovery to a minimum level of service Recovery to business as usual
There may be intermediate stages between the two recovery stages shown above
Training programThe training program has two primary
goals:
To assure personnel will be able to efficiently and effectively respond following a disaster event
To develop self-confidence in the personnel to perform their assigned functions
MaintenanceA plan that lacks maintenance quickly
becomes a “non-plan”
Plan maintenance is based on the calendar Plan maintenance is based on “trigger” events
Personnel change Process, procedure change Etc.
Creating a planDo it yourself
Can you think of everything? Can you think objectively? Who will review your plan?
Call a professional Experience Network to help think of almost everything Only objective is to create a successful plan
Plan Purpose Scope
Business Continuity Plan (BCP)
Provide procedures for sustaining essential business operations while recovering from a significant disruption
Addresses business processes; IT addressed only in the context of supporting business process
Business Recovery (or Resumption) Plan (BRP)
Provide procedures for recovering business operations immediately following a disaster
Addresses business processes; not IT-focused
Continuity of Operations Plan
Establish procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days
Addresses subset of an organization’s missions deemed critical; not IT-focused
Continuity of Support Plan
Establish procedures and capabilities for recovering a major application or general support system
Similar to IT contingency plan; addresses IT system disruption; not business process focused
Disaster Recovery Plan (DRP)
Provide detailed procedures to facilitate recovery of capabilities at an alternate site
Often IT-focused; limited to major disruptions with long-term effects
Incident Response Plan
Define strategies to detect, respond to, and limit consequences of malicious cyber incident
Focuses on information security responses to incidents affecting systems and/or networks
Occupant Emergency Plan
Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat
Focuses on personnel and property particular to the specific facility; not business- or IT-focused
1) Develop a business continuity / disaster recovery plan
- Establish a disaster-recovery team of employees who know your business best, and assign responsibilities for specific tasks. - Identify your risks (kinds of disasters you're most likely to experience). - Prioritize critical business functions and how quickly these must be recovered.
- Establish a disaster recovery location where employees may work off-site and access critical back-up systems, records and supplies.
- Obtain temporary housing for key employees, their families and pets.
- Update and test your plan at least annually.
2) Alternative operational locations
Determine which alternatives are available. For example:
- A satellite or branch office of your business.- The office of a business partner or even an
employee.- Home or hotel.
3) Backup site.
Equip your backup operations site with critical equipment, data
files and supplies:
- Power generators. - Computers and software. - Critical computer data files (payroll, accounts payable and
receivable, customer orders, inventory). - Phones/radios/TVs. - Equipment and spare parts. - Vehicles, boats and spare parts. - Digital cameras. - Common supplies. - Supplies unique to your business (order forms, contracts, etc.). - Basic first aid/sanitary supplies, potable water and food.
4) Safeguard your property
Is your property prepared to survive a hurricane or other disaster:
- Your building? - Your equipment? - Your computer systems? - Your company vehicles? - Your company records? - Other company assets?
5) Contact information
Do you have current and multiple contact information (e.g., home and cell phone numbers, personal e-mail addresses) for:
- Employees? - Key customers? - Important vendors, suppliers, business
partners? - Insurance companies? - Is contact information accessible electronically
for fast access by all employees?
6) Communications
Do you have access to multiple and reliable methods of communicating with your
employees:
- Emergency toll-free hotline? - Website? - Cell phones? - Satellite phones? - Pagers? - BlackBerry(TM)? - Two-way radios? - Internet? - E-mail?
7) Employee preparation
Make sure your employees know:
- Company emergency plan. - Where they should relocate to work. - How to use and have access to reliable methods of
communication, such as satellite/cell phones, e-mail, voice mail, Internet, text messages, BlackBerry(TM), PDAs.
- How they will be notified to return to work. - Benefits of direct deposit of payroll and subscribe to
direct deposit. - Emergency company housing options available for them
and their family.
8) Customer preparation
Make sure your key customers know:
- Your emergency contact information for sales and service support (publish on your website).
- Your backup business or store locations (publish on your website).
- What to expect from your company in the event of a prolonged disaster displacement.
- Alternate methods for placing orders. - Alternate methods for sending invoice
payments in the event of mail disruption.
9) Evacuation order
When a mandatory evacuation is issued, be prepared to grab and
leave with critical office records and equipment:
- Company business continuity / disaster recovery plan and checklist.
- Insurance policies and company contracts. - Company checks, plus a list of all bank accounts, credit cards,
ATM cards. - Employee payroll and contact information. - Desktop/laptop computers. - Customer records, including orders in progress. - Photographs/digital images of your business property. - Post disaster contact information inside your business to alert
emergency workers how to reach you. - Secure your building and property.
10) Cash management
Be prepared to meet emergency cash-flow needs:
- Take your checkbook and credit cards in the event of an evacuation.
- Keep enough cash on hand to handle immediate needs. - Use Internet banking services to monitor account
activity, manage cash flow, initiate wires, pay bills. - Issue corporate cards to essential personnel to cover
emergency business expenses. - Reduce dependency on paper checks and postal service
to send and receive payments (consider using electronic payment and remote deposit banking services).
11) Post-disaster recovery procedures
- Consider how your post-disaster business may differ from today.
- Plan whom you will want to contact and when. - Assign specific tasks to responsible employees. - Track progress and effectiveness. - Document lessons learned and best practices.