Prepared by Rod Davis, ABCP
September, 2014
Disaster – an event, which causes the loss of an
essential service, or part of it, for a length of time
which imperils mission achievement.
(Andrew Hiles, Business Continuity: Best Practices)
Rationale for Business Continuity Planning
If an ice storm struck a data center rendering several critical IT services unavailable?
If an unencrypted laptop hosting proprietary information, financial or human resources data were stolen?
If an unsecured data server, workstations, and other equipment were confiscated from an overseas branch office?
If a terrorist attack targeted an overseas operations center?
If a pandemic threatened global operations for your business?
Rationale for Business Continuity Planning
The occurrence of some events could cause a temporary disruption of mission-critical services.
Some scenarios could actually result in long-term loss of mission-critical capacity.
The ‘unthinkable’ might include shutdown of programs or business segments supported by these services.
Rationale for Business Continuity Planning
43%
51%
6%
Never reopen
Close within two years
Survive long-term
Organizations that experience major data loss without disaster recovery plans*
* Cummings, Haag, & McCubbrey (2005). Management Information Systems for the Information Age. Rationale for Business Continuity Planning
Disaster Recovery Planning
Business Continuity Planning
Crisis Management
Emergency Management
Business Continuity Theory
Business Continuity Planning
a management approved strategic and comprehensive
capability of an organization to plan for and respond
to events and conditions in order to continue business
operations*.
It is the most proactive risk management discipline.
Business Continuity Theory
Business Continuity Planning
* The International Consortium for Organizational Resilience, CS SS BCM 3030
1.) Risk Assessment
2.) Business Impact
Analysis
3.) Risk Mitigation
Strategy
4.) Business Continuity
Plan Development
5.) Training, Testing & Auditing
6.) Business Continuity
Plan Maintenance
Business Continuity Theory
Natural/Environmental Threats
• Fire
• Flood
• Hurricane
• Winter storm
• Pandemics
• Tornado
• Lightning
• Drought
• Earthquake
• Volcano
• Tsunami
Human Threats
• Fire (accidental or arson)
• Cyber-attack
• Data theft or loss
• Extortion
• Terrorist attack
• Sabotage/Vandalism
• Workplace violence
• Civil unrest & war
• Chemical or biological hazard
Infrastructure Threats
• Power grid failure
• Petroleum supply disruption
• Food or water contamination
• Public utility failure(water, sewer, etc.)
• Heating/Cooling system failure (affects IT & people)
• Public transport disruption
Assess the threat landscape and determine relevant threats.
Business Continuity Theory
Risk Assessment
Threat Assessment
• Compile a list of relevant threats; relevant = historical, contemporary, or emerging
Probability Assessment
• Example: High frequency of electrical storms = high probability of lightning strike
Vulnerability Assessment
• Example: Lack of lightning / surge suppression = high vulnerability to a lightning strike.
Business Continuity Theory
Risk Assessment
Business Continuity Theory
A process designed to identify and quantify impacts resulting from disruptive events and disaster scenarios.
Results include:
List of mission-critical functions, processes, & roles;
Recovery priorities and their interdependencies
Recovery Time Objectives (RTOs) for these priorities
Business Impact
Analysis
Create a list of the mission’s
functional areas.
Assemble subject matter experts.
Identify mission-critical functions,
processes, and roles.
Determine the impact on mission
of ‘outage’.
Establish the ‘Maximum
Tolerable Outage’.
Identify any external/ internal
dependencies.
Business Continuity Theory
Business Impact
Analysis
Protect Data and
Operations Essential to
Recovery
HR records, IT Recovery
Documentation, Corporate Databases
Network Operations, Essential IT
Dependencies
Voice & Data Communications
Networks
Business Continuity Theory
Risk Mitigation
Strategy
Determine Recovery Options
Work at home for key
employees
Alternate work-site
Alternate site for mission-critical IT operations
Business Continuity Theory
Risk Mitigation
Strategy
• Response and Recovery
• Vital Records, Databases, IT ServicesPriorities
• Designated Roles and Responsibilities
• Contact InformationTeams
• Recovery of Mission-Critical IT Services
• Replacement of Critical EquipmentProcedures
• Plan Activation: Transition Point from Emergency Response to Plan Activation
• Declaration: Disruptive Event to DisasterCriteria
Business Continuity Theory
Business Continuity
Plan Development
Business Continuity Theory
Plan should designate teams, roles, responsibilities;
Plan should include actions required on a timeline basis … response, recovery, & restoration;
Particular attention should be given to protection and restoration of mission-critical processes and services.
Business Continuity
Plan Development
Business Continuity
Plan
Testing
• Tests Information Technology & Telecommunications dependencies to find design flaws
Exercises
• Reveals potential points of failure in the Business Continuity Plan
Training
• Develops familiarity with the Business Continuity Plan and competence in its execution.
Business Continuity Theory
Training, Testing & Auditing
Establish Audit
Points to Monitor
Monitor Exercises &
Tests
Feedback to Business
Continuity Coordinator
Modify Business
Continuity Plan
Business Continuity Theory
Business Continuity
Plan Maintenance
Project Initiation
Risk Assessment
Business Impact Analysis
Mitigation Strategy
Development
Business Continuity Plan Development
Training, Testing, Auditing
Business Continuity Plan
Maintenance
Business Continuity Planning is ...
project oriented
iterative
ongoingmulti-phased
requires testing
Business Continuity Theory