
Business continuity planning

Date post: 01-Dec-2015
Upload: alemseged-habtamu
Description:
This is a few things about BCP
Page 1: Business continuity planning

Introduction

BCP/DRP 2

Course Objectives
By the end of this course, you will learn:
- The meaning of BCP and DRP
- Risk Assessment
- Business Impact Analysis
- The BCP and DRP development process

Course Contents
- Introduction
- Section I: BCP and DRP Overview
- Section II: Project Initiation
- Section III: Risk Assessment
- Section IV: Business Impact Analysis
- Section V: Risk Mitigation Strategy
- Section VI: Plan Design and Development
- Section VII: Testing and Training
- Section VIII: Plan Maintenance
- Summary

Section I: BCP/DRP Overview

Section I – Introduction

Section I Objectives
In this section we will cover:
- Defining Business Continuity and Disaster Recovery
- Cost of Planning
- Types of Disasters
- BCP and DRP Steps

Defining Business Continuity and Disaster Recovery
- Business Continuity Planning is a methodology to create and validate a plan for maintaining continuous business operations before, during and after any type of disaster.
- It addresses the ability to continue operations under any disaster scenario.
- BCP deployment varies widely from company to company and from one organization to another. There is no one size fits all:
  - Some cannot tolerate any down time
  - Some may have a greater tolerance for down time
  - Some may have a variable down time tolerance level depending on the time …
  - The type and size of the business determines the final plan
  - The cost of business disruption vs. investing in BCP

Defining Business Continuity and Disaster Recovery
- Disaster Recovery is part of Business Continuity
- It deals with the impact of an event
- DR involves:
  - Stopping the effects of the disaster as quickly as possible
  - Minimizing the damage
  - Saving as much as possible
  - Addressing the immediate aftermath

Business components in BCP
As with any project, BCP development includes:
- People: people are responsible for developing and implementing the BC/DR Plan
- Process: processes maintain an orderly flow of business operations
- Technology (and Infrastructure): understanding how technology is used in the business operations
- Each of these must be addressed in BCP

People in BC/DR Planning
- To develop and implement an effective BCP, you need people across the organization/department
- Getting key people in the company involved in developing the plan is essential
- Identifying key people to implement the plan is equally important
- Planning and implementation phases:
  - Planning phase - you need people to develop the Plan
  - Implementation phase (during and after a disaster) - you need people who carry out the plan.

Process in BC/DR Planning
- Process also has two phases:
  - Planning
  - Implementation
- Companies have processes for running their business "smoothly". They may or may not be well documented.
- When a disaster occurs, the normal established process is interrupted. Then the question is:
  - How quickly can you recover from a disaster and get the business up and running?
- This depends on the process you developed in the BCP/DRP.
  - Disaster response varies with the type of disaster, and your Plan has to develop a process for handling various types of disasters.
  - The eventual recovery or failure depends on your BCP/DRP

Technology (Infrastructure) in BC/DR Planning
- Need to understand what happens to your technology components in different types of disasters
- Which elements are vulnerable to what type of disaster
  - (e.g. power outage, flood, virus …)
- Your BCP/DRP may provide a business case to change/upgrade the technology deployed, or may require you to redesign your network …

Considering BCP
- Having a DR plan for infrastructure only (switches, routers, cell towers, …) is not sufficient
- Equally important - you have to understand how the whole company conducts its business
  - Departments or business units write a DRP from their perspective only
- For effective BC and DR planning you need to look at it from the top
- You need to involve representatives from each and all business units.

Cost of Planning
- Companies do not invest in projects that don't generate revenue or increase the bottom line.
- Funds are limited - competing against projects that add to the bottom line is difficult
- Management tends to defer BCP - "maybe next year" …
- What do you have to support your argument for BCP development?
  - Large business customers require you to have a BCP to do business with them
  - Impact on revenue growth
  - Improves business processes and operational savings
  - A potential disaster without a mitigating plan causes significant financial loss
  - There could be legal liability implications from the customer
    - e.g. customer data loss without a proper BCP
  - Could be required by law - depending on the type of business you are running

Cost of Planning, cont'd
- The cost of planning must be balanced against the cost of taking the risk (compare auto insurance).
- Do not try to cover every disaster scenario
- Create a plan for the events most likely to happen and most likely to have a critical impact on your business operations
- A bad plan is worse than no plan

Cost of Planning, cont'd
- After a major disaster, 40% of businesses go out of business within 5 years.
- In 1993 (WTC) 42% (150/350) went out of business
- In 2001 the majority of businesses were back up and in operation within days.

Types of Disasters
- Location - the location of the business determines what type of disaster is likely to happen.
- As a starting point, have your BCP team come up with the list of disasters that are most likely to happen.
- Disasters can be divided into three categories:
  - Natural
  - Man-made
  - Accidents

Types of Disasters - Natural
- Weather related
  - Avalanche, Snow
  - Heavy rain, Floods
  - Drought
  - Fire
  - Storm
  - Hurricanes
  - Tornado
- Geological
  - Earthquake
  - Tsunami
  - Volcano
  - Landslide

Types of Disasters - Man-made
- Fire
- Cyber attack
- Riot
- Product tampering
- Explosion
- Threat
- Theft

Types of Disasters - Accidents
- Transportation
- Infrastructure
  - Electricity
  - Gas
  - Water
  - Sewer
- Information system infrastructure
  - Communications infrastructure failure
  - Systems failures
- Building collapse

Protecting Data during a disaster
- When a disaster occurs - chaos
- Businesses become vulnerable to theft and fraud (internal and external)
- After a disaster People, Process and Technology are in disarray
- Need to develop a method to prevent fraud or theft.
  (This could also be used for normal and emergency operation)

Managing Access – During Disaster
- Managing access during a disaster should be part of the BC/DR Plan
- Access to Data
  - Who should have access to data and systems during a disaster?
  - Too restrictive access and open-to-all access both have problems:
    - Restrictive - the person/s may not be available during the emergency
    - Open - loss of accountability, theft …
- Physical access to the building/systems

BCP and DRP Steps
- There are 7 basic steps to develop a good plan:
1. Project Initiation
   - Deals with the process of creating a project plan for BC/DR activities
2. Risk Assessment
   - The process of looking at the risks the company faces.
   - Covers all potential risks and determines the likelihood of a particular disaster occurring
3. Business Impact Analysis (BIA)
   - Deals with the potential impacts of these risks on the Business.
4. Risk Mitigation Strategy
   - Addresses how the identified risk and its impact can be tolerated, reduced or avoided

BCP and DRP Steps - cont'd
5. Plan Development
   - Outline the methodology to follow for plan development
6. Training and Testing
   - Addresses:
     - Training people on how to implement the plan
     - Running drills, exercises, simulations and reviews
     - Testing the Plan
7. Plan Maintenance
   - The plan needs to be maintained, updated and validated regularly and after the event.

The Seven Steps
- Each of these steps will be covered in detail in the following sections.

[Figure: the seven steps - Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Section 1: Summary
In this section we:
- Defined Business Continuity and Disaster Recovery
- Identified Business Components
- Identified Types of Disasters
- Identified the steps required for a successful BC/DR plan and implementation

Section II: Project Initiation

Section Objectives
In this section we will cover the first step in BCP/DRP: Project Initiation

Section II – Project Initiation

[Figure: the seven steps - Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Introduction – Project Initiation
- A project is a defined set of tasks with clear objectives, requirements and goals, and with start and end points.
- The BC/DR planning process should be handled as a project plan; BC and DR are projects.
- In this section we will discuss the process of creating a project plan for BC/DR and the elements that contribute to successful completion of the project.
  (In general, as a PM you can follow your own Project Management methodology and also the unique needs of your company)

Introduction – Project Initiation
- What are the factors that make a successful BC/DR plan?
- What are the Project Plan Components?
- Who are the Key Contributors?

Project Initiation - Success Factors
- Executive Support
- User Involvement
- Experienced Project Manager
- Clearly Defined Project Objectives
- Clearly Defined Project Requirements
- Clearly Defined Scope
- Shorter Schedule
- Clearly Defined PM Process

Success Factors – Executive Support
As with any project, executive support is the main factor for the success of BCP/DRP development.
- If top management is convinced of the business need for the project, you will get support in every corner.
- A BC/DR planning project involves people from all areas of the business.
  - You need to pull people away from other projects
  - Some departments/organizations may not buy into the BC/DR project and may resist participating.

Success Factors – Executive Support - cont'd
- How do you get executive support?
  - Start with your immediate management for 100% support
  - Communicate clearly and convincingly.
    - Executives understand business and finance, not technology
  - Prepare presentations
    - Formatted for the intended audience (know your audience beforehand)
    - Non-technical, clear and concise
    - Help them understand the need and make the right decision.
  - If possible, provide a rough cost estimate of the project and how long it will take.
- What if the decision is No? …

Success Factors – Executive Support – cont'd.
- What if the Executive Management decision is No?
  - There are still things you can do to help start the process
  - You can incorporate BC/DR in the organization's project plans that you control
  - If you are implementing new technology or upgrading or expanding the current systems, you can include BC/DR concepts in the requirements. In particular, backup and redundancy can be included as part of the business operations.

Success Factors – User Involvement
- As with any project, end-user involvement is critical
- The processes being developed should be done with the end-users' input and collaboration.
- For BC/DR Planning there are two types of users:
  - Those who will be involved in planning the BC/DR project, and
  - Those who will implement the plan when the event occurs (could be the same or another group of people)
    - The latter should be involved in the training and testing phase.
- Need to involve key personnel from start to finish

Success Factors – Experienced Project Manager
- This is a critical project and its success depends primarily on putting a well-experienced PM in charge
- Pick an experienced Project Manager who:
  - Has formal Project Management training
  - Understands what it takes to get it done
- An experienced PM is more effective for BC/DR planning (it involves people at all levels and in various organizations)

Success Factors – Clearly Defined Project Objectives
Clearly Defined Project Objectives:
- Help define the Plan for your unique business needs
- Help identify the most important and less important areas, so time and resources can be allocated accordingly
- Ensure all functional areas are covered and bring critical people together to develop the objectives
- How?
  - List your business functional areas
  - Invite key people from those areas to help define the objectives
  - Get agreement from all functional areas on prioritizing objectives

Success Factors – Clearly Defined Project Requirements
- Developing clear and complete requirements is the difference between success and failure
- Objectives are what you want to accomplish
- Requirements are how to accomplish those objectives
- Clear requirements before the project work begins are critical and save rework.
- Requirements have three categories:
  - Business requirements - determine what the business needs to survive an event
  - Functional requirements - detail which processes, methods and resources need to be available during and after an event
  - Technical requirements - identify technology equipment and business application requirements
- The more detailed the requirements, the better.

Success Factors – Clearly Defined Scope
- Scope is the total amount of work to be accomplished.
- It depends on the Project Objectives.
- Clearly defined project objectives drive a clearly defined scope
- Scope is susceptible to change as Project Planning progresses.
- There could be a scenario where additional functions are identified. In this case a high-level project objective and scope will be added.

Success Factors – Shorter Schedule
- Shorter schedules with more milestones produce successful results
  - BC/DR planning is a comprehensive look at the business and its processes to determine its critical functions and emergency procedures.
- It is better to break it down into smaller projects
  - One project plan for each functional area and one master plan
- Longer schedules:
  - People lose interest
  - People move to other projects or are replaced
- Milestones help you to:
  - gauge the progress
  - stay on budget
  - be on schedule
  - stay on scope

Success Factors – Clearly Defined PM Process
- The PM should have a set of methods, procedures and associated documents, or use a well-defined project management process.
- Select a process and use it start to finish

Project Plan Components
- Project Definition
- Project Team
- Project Organization
- Project Planning
- Project Implementation
- Project Tracking
- Project Close Out

Project Plan Components - Project Definition
- It is the starting point of the project. To get a clear understanding of the project and its expected result, the following need to be defined or identified:
  - Problem Statement
  - Mission statement
  - Potential solutions
  - Requirements and Constraints
  - Success criteria
  - Project Proposal - after selection of the best solution, write a brief project proposal
  - Estimates
  - Project Sponsor - who has the authority to approve, fund and support the project.

Project Plan Components – Forming the Project Team
- Create the Project Team - early
- When forming the team:
  - Look at the company's organizational chart to help you identify geographical locations, functional departments and organizations
  - Technical - people with technical specialties from different business units, in addition to IT, should be included.
  - Logistical - those responsible for logistics and purchasing should be included
  - Political/PR - people who are responsible for reassuring key customers and stakeholders during and after a crisis should be included

Project Plan Components – Project Organization
- Addresses how to organize and run the project. It includes:
  - Project Objectives
  - Project Requirements
  - Project Parameters
  - Project Infrastructure
  - Project Processes
  - Project Communications Plan

Project Plan Components – Project Organization
- Project Objectives
  - Using the project solution developed in the Project Definition stage, develop specific Project Objectives for the BC/DR plan
  - Business Continuity Plan - focuses on sustaining business activities. It can be written for a specific business process or for all key business processes
  - Continuity of Operations Plan - focuses on restoring mission-critical operations in an alternate location for an extended period of time
  - Disaster Recovery Plan - focuses on restoration of key business processes immediately after a disaster
  - Crisis Communication Plan - focuses on providing consistent and clear communications with employees, customers and stakeholders
  - Occupant Emergency Plan - focuses on building and facility safety, specifically for building occupants

Project Plan Components – Project Organization cont'd
- Project Requirements
  - Write well-defined project requirements based on the objectives discussed above.
  - Project requirements define functional and technical requirements
- Project Parameters
  - These are scope, budget, schedule and quality
  - They are interrelated - changing one impacts the others
  - Scope is the total amount of work to complete the project
  - Create a scope statement - assumptions, and what is included and not included in the project, based on the objectives
  - Project Parameters need to be ranked from least flexible to most flexible (usually the least flexible is budget)

Project Plan Components – Project Organization cont'd
- Project Infrastructure
  - The tools and resources you have/need to develop the BC/DR project
- Project Processes
  - Need to establish processes and procedures, and proper documentation, to run the project:
    - Team Meetings (how, when, where to conduct meetings)
    - Reporting (minutes for the team and status for sponsors)
    - Escalation (problems)
    - Project Progress (how to track)
    - Change Control (how to capture and address changes within the company)
    - Quality Control
- Project Communication Plan
  - Need to develop a proper method of communicating the activities and progress of the BC/DR plan to the sponsor and to all organizations and departments that have a stake

Project Plan Components – Project Planning
- Key elements in the project planning process:
- Developing a Work Breakdown Structure (WBS)
  - A list of the outcomes to be accomplished to complete the project
  - The top-level WBS can follow this structure:
    - Risk Assessment
    - Business Impact Analysis
    - Risk Mitigation Strategy Development
    - Emergency Preparation
    - Training and Testing
    - Maintenance
- Critical Path
  - Describes how long the project will take and identifies critical and non-critical tasks

Project Plan Components – Project Implementation
- How do you manage changes that occur in the middle of BC/DR planning development? Any changes occurring in the departments should be assessed for their impact on BC/DR planning
- Managing Progress
  - Need to develop a method to keep track of the changes occurring in the departments/organizations that are being covered under the BC/DR plan
  - Address how their work impacts the project
  - Address how your project impacts their work
- Managing Change
  - Plans are always subject to change
  - Need to develop a change management process

Project Plan Components – Project Tracking
- Need to develop a project tracking system to track project progress, schedules, budget …
- Create major and minor project milestones to track project progress against the schedule
  - Major milestones can be set for each phase of the project
  - Minor milestones for significant tasks within the phase.
- This information should be available to all team members

Project Plan Components – Project Close Out
The last steps when the project is completed:
- The BC/DR plan should be kept up to date under a maintenance plan.
  - Regular review of the plan (yearly)
  - Walk-through of the BC and DR steps defined
  - Regular testing
- There has to be some org/department to which you can hand off the project and which owns the maintenance aspect of it.
- Conduct a post-project review for "lessons learned".

Key Contributors and Responsibilities
- Who are or should be the key contributors to the BC/DR plan, and what should their role be?
- List the business units and select representatives
  - Sample list - it differs from one company to another:
    - Information Technology
    - Human Resources
    - Facility
    - Security
    - Finance
    - Legal
    - Warehouse
    - Purchasing
    - Logistics
    - Marketing and Sales
    - Public Relations

Key Contributors and Responsibilities – cont'd
- Select a representative from each organization or group listed
  - Depending on the size of the department, the numbers vary.
- The following criteria can be used for the business units the BC/DR focuses on:
  - Experience working in cross-departmental teams
  - Ability to communicate effectively
  - Ability to work well with a wide variety of people
  - Experience with critical business and technology systems
  - Project management leadership

Requirements Definition
- Business, Functional and Technical requirements are part of the Project Definition (discussed earlier)
- Business requirements define the scope of the project
- Functional requirements define what the plan does to accomplish the business requirements
- Technical requirements define how these business and functional requirements will be met.

Requirements Definition – Business Requirements
- The first step in developing the BC/DR project requirements is to define the Business Requirements.
- Need to understand the critical areas of the business.
- Need to know what questions to ask, and how to ask them, to determine whether a business function is critical or not
- Scenario-based questions provide better results than asking users whether the business or system is critical or not.
- Develop a list of "what-if" scenario questions

Requirements Definition – Functional Requirements
- Functional requirements describe what functions or features must be available.
- Functional requirements state the need for a method or process to be available to meet the business requirement.
- Need to develop a ranking mechanism for each requirement to determine the criticality of the system for the ongoing operations of the business:
  - Very-High, High, Normal, Low

Requirements Definition – Technical Requirements
- Technical requirements define how functional and business requirements are met, mainly with technology.
- Technical requirements help to:
  - assess whether the current technology meets the BC/DR requirement
  - define a new technology solution if the current one does not meet the requirement
  - determine whether the current technology in place can be used in a different way to meet the requirement

Section II: Summary – Project Initiation
In this section we:
- Defined the factors that make a successful BC/DR plan
- Identified Project Plan Components
- Identified Key Contributors to the BC/DR plan
- Defined business, functional and technical requirements

Section III: Risk Assessment

Section Objectives
In this section we will cover the 2nd step in BCP/DRP: Risk Assessment

[Figure: the seven steps - Project Initiation, Risk Assessment, BIA, Risk Mitigation Strategy, Plan Development, Testing and Training, Plan Maintenance]

Introduction – Risk Assessment
- In this section we will cover the concept and practical application of risk management from the BC/DR point of view.
- Identify the types of risks companies and businesses face.
- Define risk avoidance, reduction, acceptance and transfer.
- Identify risk management methods

Risk Management
- Risk Management is a topic that covers the management of all types of risks to a company. (We will cover only risks that are directly related to BC/DR planning.)
- Managing Risk is "the process of identifying, controlling, eliminating or minimizing uncertain events that may affect businesses"
- The Risk Management Process is assessing the potential of a particular risk and analyzing its trade-off (opportunity cost). It is very important to understand the opportunity cost of a threat.

Risk Management
- Risk can be defined as:
  Risk = Threat + Likelihood + Vulnerability + Impact
  (risk is a combination of the threat, the likelihood of the threat occurring, the vulnerability of the company and the impact of the threat on the company)

Risk Management Process
- The basic steps of the risk management process:
  - Threat Assessment - a process of identifying threats that can negatively impact the company, and their sources
  - Vulnerability Assessment - analyzes how vulnerable, susceptible and exposed a system/business is to a particular threat, and the likelihood of the threat occurring
  - Impact Assessment - analyzes the magnitude of the impact of the threat on the system/business
  - Risk Mitigation Strategy - addresses the four strategies of risk mitigation and their associated cost:
    - Risk Reduction
    - Risk Avoidance
    - Risk Acceptance
    - Risk Transfer

Risk Management – People, Process, Technology and Infrastructure
- For every risk/threat being considered, its impact on the four business components should be addressed
- If a particular threat occurred:
  - What is the impact on people, and how do they react?
  - How does it impact the business process?
  - What is the impact on Technology?
  - What is the impact on the Infrastructure (internal and external)?

Risk Assessment Components
- There are three Risk Assessment Components:
  - Threat Assessment
  - Vulnerability Assessment
  - Impact Assessment (will be covered in the next section)

[Figure: Risk Assessment Components - Threat Assessment, Vulnerability Assessment, Impact Assessment; DR development phase]

Risk Assessment Components – Threat Assessment
- Risk assessment begins with the assessment of all potential threats and an analysis of those threats.
- The threat's impact on People, Process, Technology and Infrastructure (business components)
- Threat assessment includes:
  - Information gathering
  - Identifying and listing potential threats
    - Natural Threats
    - Human Threats
    - Infrastructure Threats
  - Threat assessment methodology
    - Quantitative
    - Qualitative

Threat Assessment – Information Gathering
- There are different methods of collecting data about a company's risks:
  - Questionnaires: to collect data from specific groups or people
  - Interviews: interviews with SMEs - important especially if the SME cannot be part of the BC/DR planning team
  - Document reviews: reviewing corporate and organizational documents helps to identify threats, threat sources and vulnerabilities
  - Research: internal and external:
    - Internal: data about past business interruptions
    - External: data on the frequency of earthquakes, storms, …

Threat Assessment – Identifying and Listing Threats
- Natural Threats - threats caused by natural phenomena:
  - Fire
  - Flood
  - Winter Storm
  - Drought
  - Earthquake
  - Tornados
  - Hurricanes
  - Tsunamis
  - Volcanoes
  - Pandemics

Threat Assessment – Identifying and Listing Threats
- Human Threats: threats caused by human acts.
  - Fire
  - Theft, Sabotage, Vandalism
  - Labor Disputes
  - Terrorism
  - Chemical/Biological Hazards
  - War
  - Cyber Threats

Threat Assessment – Identifying and Listing Threats
- Infrastructure Threats: mainly external issues you have no control over
  - Building Failure
  - Public Transportation Disruption
  - Loss of Utilities
  - Oil Shortage
  - Food or water contamination
  - Regulatory or Legal changes

Risk Assessment Components – Threat Assessment – Threat Checklist
Threat Checklist
- Natural Threats: Fire, Flood, Winter Storm, …
- Human Caused Threats: Fire, Theft, Sabotage, Labor Disputes, …
- Infrastructure Threats: Building failure, Non-IT Equipment Failure, Heating/Cooling Failure, Public Transportation Disruption
- IT Specific Threats: Cyber Threats, Equipment Failure, Loss of Data, …

Risk Assessment Components – Risk Assessment Table

Item No | Threat Name | Threat Source | Vulnerability Rating | Likelihood Rating | Existing Controls | Impact Rating | Overall Risk Rating
001     | Fire        | Internal      |                      |                   |                   |               |
002     |             | External      |                      |                   |                   |               |
003     | Flood       | Internal      |                      |                   |                   |               |

Risk Assessment – Threat Assessment Methodology
- There are two types of methodologies to evaluate the various threats being considered:
  - Quantitative Threat Assessment
    - The quantitative method uses hard numbers to represent threats, vulnerabilities and impacts
  - Qualitative Threat Assessment
    - The qualitative method uses relative values to represent threats, vulnerabilities and impacts

Risk Assessment – Quantitative Threat Assessment
- e.g. building power outage threat caused by lightning

Threat         Power Outage
Threat Source  Lightning
Impact         Power outage for two days
Likelihood     ?
Vulnerability  ?
Impact Cost    ?
Risk Cost      ?

Risk Assessment – Quantitative Threat Assessment
- Threat Likelihood - let us say that, using the information gathering methods discussed earlier, we found that there is one major outage every other year. So the likelihood of getting one in any given year is 50%
- Vulnerability - if there is a power outage due to lightning, there is a 100% chance of a loss of power for 48 hours
- Impact Cost:
  - Loss of sales (2 days) = $50,000.00
  - Cost (expense) due to outage = $5,000.00
  - Impact cost = $55,000.00
- Risk Cost = Likelihood * Vulnerability * Impact cost
  - 50% * 100% * $55,000.00 = $27,500.00

Risk Assessment – Quantitative Threat Assessment
- Now you have the information available to decide what type of risk mitigation strategy to follow for the Power Outage threat caused by Lightning.

Threat              Power Outage
Threat Source       Lightning
Impact              Power outage for two days
Likelihood          50%
Vulnerability       100%
Impact Cost         $55,000.00
Risk Cost (yearly)  $27,500


Risk Assessment – Qualitative Threat Assessment

� Qualitative assessment uses words instead of values.

� Define Qualitative Value Scale

BCP/DRP 81

Value Level

1 Extremely Low

2 Very Low

3 Low

4 High

5 Very High

6 Extremely High

Risk Assessment – Qualitative Threat Assessment

� Same example as used for the Quantitative Method

� Threat Likelihood – using the information gathering methods discussed earlier, we found that there is one major outage every other year. So you can say the likelihood of getting one every year is “High (4)”

� Vulnerability – if there is a power outage due to lightning, the chance of losing power for two days is “Extremely High (6)”

� Impact Cost: the total cost of revenue loss and expenses incurred is “Low (3)”

� Risk Cost: the average of the Likelihood, Vulnerability and Impact Cost values

� (4 + 6 + 3)/3 = 4.3 ~ 4 (High)

BCP/DRP 82

Risk Assessment – Qualitative Threat Assessment

� Now you have the information available to develop a risk mitigation strategy for Power Outage threat caused by Lightning.

BCP/DRP 83

Threat Power Outage

Threat Source Lightning

Impact Power outage for two days

Likelihood 4 (High)

Vulnerability 6 (Extremely High)

Impact Cost 3 (Low)

Risk Cost (yearly) 4 (High)

Risk Assessment Components – Risk Assessment Table

BCP/DRP 84

� Update the Risk Assessment Table

Item No | Threat Name | Threat Source | Vulnerability | Likelihood | Existing Controls | Impact | Overall Risk
001 | Fire | Internal | | | | |
002 | | External | | | | |
003 | Flood | Internal | | | | |
004 | Power Outage | Lightning | Extremely-High | High | None | | High
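The lightning example above, carried through both methods in code. This is an added example, not part of the course slides: it computes the yearly Risk Cost (Likelihood * Vulnerability * Impact cost), averages the three ratings on the 1–6 qualitative scale, and writes the result as a Risk Assessment Table row. The function and class names are this example's own choices.

```python
"""Added example, not part of the course slides: the lightning / power-outage
threat assessed quantitatively (Risk Cost = Likelihood * Vulnerability * Impact cost)
and qualitatively (average of the three ratings on the 1-6 scale), then written
as a Risk Assessment Table row. Function and class names are this example's own."""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative value scale defined on the slides.
SCALE = {
    1: "Extremely Low",
    2: "Very Low",
    3: "Low",
    4: "High",
    5: "Very High",
    6: "Extremely High",
}


def likelihood_from_frequency(events: int, years: int) -> float:
    """Annual likelihood from an observed frequency, capped at 1.0.
    One major outage every other year -> 1 / 2 = 0.5 (50%)."""
    if years <= 0 or events < 0:
        raise ValueError("need a positive observation period and a non-negative count")
    return min(1.0, events / years)


def quantitative_risk_cost(likelihood: float, vulnerability: float, impact_cost: float) -> float:
    """Yearly Risk Cost = Likelihood * Vulnerability * Impact cost.
    Likelihood and vulnerability are probabilities in [0, 1]."""
    for name, p in (("likelihood", likelihood), ("vulnerability", vulnerability)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {p}")
    if impact_cost < 0:
        raise ValueError("impact cost cannot be negative")
    return likelihood * vulnerability * impact_cost


def qualitative_risk_rating(likelihood: int, vulnerability: int, impact: int) -> tuple[int, str]:
    """Average of the three ratings, rounded half-up to the nearest level of the scale.
    (4 + 6 + 3) / 3 = 4.33 -> 4 (High)."""
    for v in (likelihood, vulnerability, impact):
        if v not in SCALE:
            raise ValueError(f"rating {v} is outside the 1-6 scale")
    level = int((likelihood + vulnerability + impact) / 3 + 0.5)
    return level, SCALE[level]


@dataclass
class ThreatRow:
    """One line of the Risk Assessment Table, with qualitative ratings."""
    item_no: str
    threat: str
    source: str
    vulnerability: int
    likelihood: int
    existing_controls: str
    impact: int

    def overall_risk(self) -> str:
        return qualitative_risk_rating(self.likelihood, self.vulnerability, self.impact)[1]

    def as_table_row(self) -> str:
        cols = [self.item_no, self.threat, self.source, SCALE[self.vulnerability],
                SCALE[self.likelihood], self.existing_controls, SCALE[self.impact],
                self.overall_risk()]
        return " | ".join(cols)


TABLE_HEADER = ("Item No | Threat Name | Threat Source | Vulnerability | Likelihood | "
                "Existing Controls | Impact | Overall Risk")


def build_risk_table(rows: list[ThreatRow]) -> list[str]:
    """Header plus one formatted line per threat."""
    return [TABLE_HEADER] + [r.as_table_row() for r in rows]


# Worked example from the slides: power outage caused by lightning.
LIGHTNING_LIKELIHOOD = likelihood_from_frequency(events=1, years=2)        # 0.5
LIGHTNING_VULNERABILITY = 1.0                                               # 100% chance of a 48 h loss of power
LIGHTNING_IMPACT_COST = 50_000.00 + 5_000.00                                # lost sales + outage expenses
LIGHTNING_RISK_COST = quantitative_risk_cost(
    LIGHTNING_LIKELIHOOD, LIGHTNING_VULNERABILITY, LIGHTNING_IMPACT_COST)   # 27500.0

# The same threat rated qualitatively and added to the table as item 004.
LIGHTNING_ROW = ThreatRow("004", "Power Outage", "Lightning",
                          vulnerability=6, likelihood=4, existing_controls="None", impact=3)

if __name__ == "__main__":
    print(f"Yearly risk cost: ${LIGHTNING_RISK_COST:,.2f}")
    for line in build_risk_table([LIGHTNING_ROW]):
        print(line)
```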


Risk Assessment Components – Vulnerability Assessment

� Vulnerability is weakness, exposure or susceptibility to threats.

� Vulnerabilities can be exploited intentionally or triggered unintentionally.

� The result of the Threat assessment becomes input to the Vulnerability assessment.

� People, Process, Technology and Infrastructure are vulnerable to threats.

� For each threat, each business component will be considered in the vulnerability assessment:

� How vulnerable are people (the staff, customers …) to the threat presented?

� How vulnerable is the business process to the threat?

� How vulnerable is the technology in place to the threat?

� How vulnerable is the infrastructure to the threat?

BCP/DRP 85

Risk Assessment Components – Vulnerability Assessment

� Vulnerability assessment can be qualitative or quantitative (mainly qualitative – High, Medium, Low). It addresses “how vulnerable the business component is”

� Information gathering:

� Questionnaires,

� Interviews,

� Document reviews and

� Research.

� Risk = Threat + Likelihood + Vulnerability + Impact

BCP/DRP 86

Risk Assessment

� From Threat and Vulnerability assessments we collected the following information needed for the next phase

� Potential Threat Sources

� Likelihood of the threat occurring

� Vulnerability of the company

� A preliminary Risk value

� Risk = Threat + Likelihood + Vulnerability + Impact

BCP/DRP 87

Section III:

Summary

In this section we

� Defined Risk Management concept

� Covered the Risk Management processes.

� Identified Risk Assessment components.

� Covered information gathering methods

� Defined Threat and Vulnerability Assessment methods

88BCP/DRP


Section IV

Business Impact Analysis

89BCP/DRP

Section IV

Section Objectives

In this section we will cover the third Step in BCP/DRP

Business Impact Analysis

90BCP/DRP

Section IV – Business Impact Assessment

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

91BCP/DRP

Section IV

Introduction – Business Impact Assessment

In this section we will:

� Define Business Impact Assessment (BIA) concepts

� Identify critical business processes

� Determine disruption impact - including financial, operational and legal

� Define business recovery requirements

BCP/DRP 92


Business Impact Assessment

� BIA identifies the processes critical to on-going business operations and assesses the impact that a disruption of these processes would have on the business.

� The primary purposes of BIA are:

� Understanding and identifying the organization's critical business objectives

� Determining the time it takes to resume business functions after a disruption

� Assessing the impact of disruption on critical business functions and setting priorities

� Providing the information from which a recovery strategy can be developed

BCP/DRP 93

Business Impact Assessment – Impact category

� The first step is to clearly define categories for assessing business process criticality.

BCP/DRP 94

Category | Function | Label
1 | Critical | Mission-Critical
2 | Essential | Vital
3 | Necessary | Important
4 | Desirable | Minor

Business Impact Assessment – Impact category

� Mission-Critical business processes are the ones whose disruption has a serious impact on the company’s operations.

� Vital business processes are also considered critical, but their loss can be tolerated until the Mission-Critical processes are restored.

� Important business processes are the ones that do not stop the company from operating in the near term but have a long-term impact.

� Minor business processes are processes that can be restored at a later time, after recovery is completed.

BCP/DRP 95

Business Impact Assessment – Recovery Time

Recovery Time Requirements

� Maximum Tolerable Downtime (MTD) or Maximum Tolerable Outage (MTO): The maximum time the business can tolerate an outage of a particular business process or function. MTD is the combination of systems recovery time and work recovery time: MTD = RTO + WRT.

� Recovery Time Objective (RTO): The time available to recover disrupted systems.

� Work Recovery Time (WRT): The time it takes to get critical business functions up and running after the systems are recovered.

� Recovery Point Objective (RPO): The amount or extent of data loss that can be tolerated by the critical business systems.

BCP/DRP 96


Business Impact Assessment – RTO

Recovery Window

BCP/DRP 97

Category | Function | Label | RTO
1 | Critical | Mission-Critical | 0-12 hours
2 | Essential | Vital | 13-24 hours
3 | Necessary | Important | 1-3 days
4 | Desirable | Minor | > 3 days
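The recovery time requirements (MTD = RTO + WRT) and the recovery window table above, turned into a consistency check a BIA reviewer can run over the collected data. This is an added example, not part of the course slides; the RecoveryRequirement class, the check functions and the sample processes (names taken from the criticality matrix later in this section, hours assumed) are constructed here.

```python
"""Added example, not part of the course slides: checks BIA recovery-time
requirements against the RTO recovery window table and the relation
MTD = RTO + WRT. The RecoveryRequirement class, the check functions and the
sample processes below are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass

# Recovery window from the RTO table: (upper RTO limit in hours, criticality label).
RTO_WINDOW = [
    (12, "Mission-Critical"),  # Category 1, Critical: 0-12 hours
    (24, "Vital"),             # Category 2, Essential: 13-24 hours
    (72, "Important"),         # Category 3, Necessary: 1-3 days
]
BEYOND_WINDOW = "Minor"        # Category 4, Desirable: > 3 days


def label_for_rto(rto_hours: float) -> str:
    """Criticality label whose recovery window contains the given RTO."""
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    for limit, label in RTO_WINDOW:
        if rto_hours <= limit:
            return label
    return BEYOND_WINDOW


@dataclass
class RecoveryRequirement:
    process: str
    criticality: str   # label assigned in the criticality matrix
    rto_hours: float   # Recovery Time Objective: time to recover the disrupted systems
    wrt_hours: float   # Work Recovery Time: time to get the function running once systems are back
    mtd_hours: float   # Maximum Tolerable Downtime stated by the business owner

    def required_downtime(self) -> float:
        """MTD = RTO + WRT: the downtime this recovery plan actually needs."""
        return self.rto_hours + self.wrt_hours


def check_requirement(req: RecoveryRequirement) -> list[str]:
    """Inconsistencies for one process; an empty list means the requirement is consistent."""
    findings = []
    needed = req.required_downtime()
    # The plan must fit inside the downtime the business says it can tolerate.
    if needed > req.mtd_hours:
        findings.append(f"{req.process}: RTO + WRT = {needed:g} h exceeds the MTD of {req.mtd_hours:g} h")
    # The RTO must sit in the recovery window of the criticality the process was given.
    expected = label_for_rto(req.rto_hours)
    if expected.lower() != req.criticality.lower():
        findings.append(f"{req.process}: RTO of {req.rto_hours:g} h falls in the {expected} window, "
                        f"but the process is rated {req.criticality}")
    return findings


def check_all(reqs: list[RecoveryRequirement]) -> list[str]:
    return [f for r in reqs for f in check_requirement(r)]


# Constructed sample based on the criticality matrix on the slides (hours are assumed values).
SAMPLE = [
    RecoveryRequirement("Payroll", "Mission-critical", rto_hours=8, wrt_hours=4, mtd_hours=12),
    RecoveryRequirement("New Hire", "Important", rto_hours=12, wrt_hours=12, mtd_hours=72),
    RecoveryRequirement("Sales Calls", "Vital", rto_hours=20, wrt_hours=8, mtd_hours=24),
    RecoveryRequirement("Sales Training", "Minor", rto_hours=120, wrt_hours=24, mtd_hours=168),
]

if __name__ == "__main__":
    for finding in check_all(SAMPLE) or ["all recovery requirements are consistent"]:
        print(finding)
```

In the sample, "New Hire" is flagged because a 12-hour RTO belongs to the Mission-Critical window, and "Sales Calls" because its RTO plus WRT (28 h) cannot fit inside the stated 24-hour MTD.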

BIA – impact evaluation

� After risks and threats are identified (previous section), the business impact must be evaluated for:

� Business functions: activities – sales, marketing, manufacturing

� Business processes: how these activities occur or get done

� IT systems: how these business processes are carried out – computer systems, applications, automated systems

� The impact should also be considered for upstream and downstream functions

BCP/DRP 98

BIA – Identifying Business Functions

� Create a list of the functional areas of the business.

� Start with the common business functions listed below, and add from the organizational chart.

� List of Business functions: Information Technology, Operations, Human Resources, Finance, Legal, Facilities/Security, Marketing and Sales, Manufacturing, Warehouse, ….

� Contact SMEs to discuss the critical business functions.

� With the help of SMEs, list all departments and divisions under each heading.

BCP/DRP 99

BIA – Gathering Data

� The next step is to collect data for each of the business functional areas listed (processes and criticality).

� Data collection methodologies: Questionnaires, Interviews, Workshops, Documents and research.

� Sample questions:

� What single points of failure exist?

� What are the upstream and downstream risks to your business function?

� What workaround would you use for your business process?

� What is the minimum number of staff you need?

� What is the maximum tolerable down time?

� What are the key skills and knowledge required to recover your business process?

� How would this business function operate in a recovery site?

� ….

BCP/DRP 100


BIA – Determining the Impact of Disruption

� The next step is to determine the impact for each business functional area, then assign a criticality rating.

� The impact can include:

� Financial: loss of revenue, lost sales, salaries and wages paid.

� Customers: loss of customers – they go to competitors

� Suppliers: loss of suppliers

� Employees: impacted by the disaster (injury, ….

� PR: loss of trust

� Legal: unable to meet legal and regulatory requirements

� Operational: business operations being disrupted

� HR: the impact on the staff of handling the disaster

� Investors: may lose confidence.

� Competitive Advantage:

BCP/DRP 101

BIA – Criticality Matrix

� After data collection, assign criticality rating.

BCP/DRP 102

Business Function | Business Process | Criticality
Human Resources | Payroll | Mission-critical
 | New Hire | Important
Finance | Accounts Receivable | Mission-critical
 | Accounts Payable | Mission-critical
 | Tax filings | Mission-critical
Marketing and Sales | Sales Calls | Vital
 | Sales Training | Minor

BIA Findings Report

� The next step is to write the BIA findings report based on the information collected. The report should include:

� Key business functions and processes

� Process and resource interdependence

� IT dependencies

� Criticality

� Impacts on operations

� Recovery time requirements

� Recovery resources

� SLA

� Technology

� Work-around procedures

� Financial impact

� Legal impact

� Competitive impact

� Investor impact

� Customer impact

� ….

BCP/DRP 103

Section IV:

Summary

In this section we

� Defined BIA

� Identified Business functions and processes

� Learned how to gather BIA information and prepare BIA reports

104BCP/DRP


Section V

Risk Mitigation Strategy Development

105BCP/DRP

Section V

Section Objectives

In this section we will cover the fourth Step in BCP/DRP

Risk Mitigation Strategy Development

� Types of Risk Mitigation Strategies

� Risk Mitigation Process.

� Backup and Recovery considerations.

106BCP/DRP

Section V – Risk Mitigation Strategy

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

107BCP/DRP

Introduction – Risk Mitigation Strategy

� Risk Mitigation is a process of taking steps to reduce the effects of an event.

� Developing the Risk Mitigation Strategy is the last step in Risk Management activity for BC/DR Plan development

� Inputs:

� Risk Assessment (threat and vulnerability assessment)

� BIA

� Output:

� Risk Management Strategy Plan

BCP/DRP 108


Risk Mitigation Strategies

� There are four types of Risk Management Strategies.

� Risk Acceptance

� Risk Avoidance

� Risk Limitation

� Risk Transference

BCP/DRP 109

Risk Mitigation Strategies – Risk Acceptance

� Risk Acceptance: Accepting risk does not reduce its impact.

� There are many reasons companies choose risk acceptance. The primary one is cost: accepting the risk can be less costly than implementing mitigation strategies.

� Small companies do it more often.

� It is the least expensive option in the near term and the most expensive when a disaster happens.

BCP/DRP 110

Risk Mitigation Strategies – Risk Avoidance

� Risk Avoidance is the opposite of Risk Acceptance.

� In a BC/DR plan, it is an action that avoids any exposure to a risk (for example, deploying fully redundant systems).

� It is the most expensive of all mitigation strategies, but has a significant impact in reducing the cost of downtime and recovery.

� This is one of the options to be considered for mission-critical business functions.

BCP/DRP 111

Risk Mitigation Strategies – Risk Limitation

� Risk Limitation is a method of limiting exposure to a threat by taking action.

� It does not stop the system from failing but helps it recover in a timely manner.

� e.g. daily backup of data.

� It falls between Risk Avoidance and Risk Acceptance.

� The cost varies depending on the options implemented.

BCP/DRP 112


Risk Mitigation Strategies – Risk Transference

� Risk Transference is a method of transferring the risk to a third party, i.e. paying another company to assume the risk.

� e.g. Buying insurance, outsourcing payroll services.

� Risk Transference has an ongoing cost (e.g. service fee).

BCP/DRP 113

Risk Mitigation Process

� The next step is to select the appropriate options in order to develop a comprehensive strategy.

� Recovery Requirements

� Recovery Options

� Recovery Cost

BCP/DRP 114

Risk Mitigation Process – Recovery Requirements

� Recovery Requirements are developed for each critical business process identified in the BIA report.

� They include:

� Recovery time

� Cost of recovery

� Processes required

� Identify the resources and associated cost to help determine the mitigation strategy.

BCP/DRP 115

Risk Mitigation Process – Recovery Options

� Recovery Options are developed for each critical business process identified in the BIA report.

� There are three options:

� As-needed

� Prearranged

� Preestablished

� The cost and time to implement these options vary.

� Each option must be reviewed in terms of the MTD for each critical business process (e.g. if you have a requirement for an alternate site for IT services, all options must be considered).

BCP/DRP 116


Recovery Options – As-needed

� The As-needed option

� takes longer to deploy

� may cost more (depending on the disruption type)

� Resources and services are acquired after the event has occurred.

� There is an additional risk of not being able to get the resources at all.

BCP/DRP 117

Recovery Options – Prearranged

� Prearranged option requires making arrangements and contractual agreement with suppliers and service providers – for equipment and services to be provided within specified period.

� In addition to the cost of equipment and services, there is a recurring cost.

BCP/DRP 118

Recovery Options – Pre-established

� The Pre-established recovery option is setting up an alternate site that can be activated after the disaster. The site is used only for recovery.

� The site must be kept up-to-date to reflect the current environment of the actual site.

� There is a cost for building the site and for its upkeep.

� Shorter recovery time than the other options.

BCP/DRP 119

Developing Risk Mitigation Strategy

� Risk Mitigation Strategy steps

� Gather recovery data

� Compare cost and capability options

� Select the mitigations options for each business process – acceptance, avoidance, limitation, or transference

� Select the recovery options

� Based on the above information, develop a document that outlines the cost, capability, effort and quality of each option considered

BCP/DRP 120


IT Recovery Options

� When developing the IT Systems Risk Management Strategy, you need to consider the latest technology available today.

� As technological developments are fast paced (especially for IT), the system currently in operation/production can be outdated; you may even consider replacing or upgrading the system.

� Likewise, a BC/DR plan developed a few years ago can be invalid due to technological advancement; you need to revise the BC/DR plan for IT more often than for the other business functions.

BCP/DRP 121

IT Recovery Options – Alternate Sites

� When considering an alternate site, the common options are:

� Fully Mirrored Site: a fully redundant site that mirrors the live site. Provides high availability and can also be used for load balancing.

� Hot Site: a site with an identical configuration that can be operational within 4 hours.

� Warm Site: a fully or partially equipped site that can be operational within hours once restored from backup data. The facility can be used for less critical functions during normal business operation.

� Mobile Site: a self-contained unit that can be transported to establish an alternate work site.

� Cold Site: a site that is started up after the disruption has occurred. It is the least expensive but has the longest recovery time.

� Reciprocal Site: an arrangement made with other companies that have similar operations.

BCP/DRP 122

Section V:

Summary

In this section we covered

� Types of Risk Mitigation Strategies

� Risk Mitigation Process.

� Backup and Recovery Considerations.

123BCP/DRP

Section VI

BC/DR Plan Development

124BCP/DRP


Section VI

Section Objectives

In this section we will cover the fifth Step in BCP/DRP

Business Continuity/Disaster Recovery Plan Development

� Business Continuity and Disaster Recovery phases

� Define BC/DR Teams.

� Define BC/DR activity checklists

125BCP/DRP

Section VI – Plan Development

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

126BCP/DRP

Introduction – BC/DR Plan Development

� The plan needs to state risks, vulnerabilities, potential impacts to mission-critical business functions and associated mitigation strategies.

� From the previous sections we have:

� Identified risks,

� Assessed vulnerabilities

� Determined potential impacts on business

� Identified mission critical business functions

� Developed mitigation strategies

� Next is to determine and develop a guideline on when, how and by whom these strategies are implemented

BCP/DRP 127

BC/DR Plan Phases

� Business Continuity and Disaster Recovery Phases

BCP/DRP 128

[Phase diagram: Activation Phase, Recovery Phase, Business Continuity Phase, Maintenance/Review Phase]


BC/DR Plan – Activation Phase

� Activation Phase addresses the time during and immediately after a business disruption

� Activation includes:

� Initial Response

� Problem assessment

� Escalation

� Disaster declaration

� Plan implementation

BCP/DRP 129

BC/DR Plan – Activation Phase – Disaster Levels

Defining the disaster type and level.

• There should be clearly defined disaster levels to help you determine the type of activation and recovery process to follow.

• Major Disaster: has a major impact on the business. It disrupts all or most of the critical business operations, such as the destruction of the entire facility. It occurs rarely.

• Intermediate Disaster: the impact is less than major. It impacts one or more mission-critical business functions. Business operations will experience significant disruption.

• Minor Disaster: a type of disaster that occurs more often and impacts only a single business operation. It is an isolated incident, and normal business operations will not be interrupted.

BCP/DRP 130

BC/DR Plan – Activation Phase – BC/DR Teams

• Notification of the disaster to the following BC/DR Teams. They will handle/respond to the disaster by implementing the procedures outlined in the BC/DR Plan:

� Crisis Management Team

� Damage Assessment Team

� Notification Team

� Emergency Response Team

� Business Continuity Leader

� Crisis Communication Team

� Resource and Logistics Team

� Risk Assessment Team

BCP/DRP 131

BC/DR Plan – Triggers

A trigger defines when an alternate plan or method should be implemented.

• Activation Trigger: for each Disaster Level, there need to be clearly defined triggers. Based on the Initial Assessment, determine the disaster level and activate the part of the BC/DR Plan that addresses the issue.

• Transition Trigger: a trigger to move from one phase to another.

• Activation to Recovery Phase: triggered after the initial evaluation from the Damage Assessment team, when the CMT is on the scene and the selected BC/DR plan is activated.

• Recovery to Continuity Phase: triggered after the disaster (event) is under control and the effects have been addressed.

• Business Continuity to Normal Operations: triggered when things are back to “normal”.

BCP/DRP 132


BC/DR Plan – Recovery Phase

• The Recovery Phase starts immediately after the disaster has occurred and been contained. The event could still be continuing.

BCP/DRP 133

BC/DR Plan – Business Continuity Phase

• The Business Continuity phase starts after the Recovery phase is done and the steps to get back to normal operating conditions are determined.

• It addresses

• How business operations can resume on temporary locations

• The work-around needed

• The transition back to normal operations from temporary location

BCP/DRP 134

BC/DR Plan – Maintenance/Review Phase

The Maintenance Phase occurs whether the BC/DR plan is activated or not. It deals with reviewing, evaluating and revising the plan.

• If the plan was activated, maintenance has to be done after the completion of the Recovery activity.

• Evaluate how the plan performed in the light of the actual event.

• Revise the document based on the lessons learned.

• Regular/scheduled plan review to ensure the document is still current and valid.

• During operational changes: all changes in business operations and processes should be handled through Change Control.

BCP/DRP 135

BC/DR Teams

Creating BC/DR Teams: people should be selected based on the skills and expertise needed for the task they will be assigned.

• Crisis Management Team:

• has representatives from all business units

• has the expertise to deal with major business disruption

• is in charge of activating, implementing and managing the BC/DR plan

• Damage Assessment Team(s):

• from key areas of the business units

• can be multiple teams

• mobile, immediately available

• Operations Assessment Team(s): who can assess the immediate impact on operations

• IT Team: has expertise in system administration and other IT related activities

• Administrative Support Team: who can handle administrative tasks

BCP/DRP 136


BC/DR Teams cont’d

• Transportation and Relocation Team: who can address transportation and relocation needs for people and equipment

• Media Relations Team: who can provide information about the disruption to employees, media, investors, customers and suppliers

• Human Resource Team: who handle employees' needs during the disaster and the hiring of additional staff

• Legal Affairs Team: who can address the legal concerns of the company

• Physical Security Team: who can handle the physical safety of the people and the building, and access control to the building

• Procurement Team: handles equipment and services purchasing

BCP/DRP 137

BC/DR Contact Information

• Contact information should include the following and be stored where it is readily available under disaster conditions. The list should include:

• Management, Key Operations Staff, BC/DR Team members, Suppliers and vendors, Key customers, Emergency numbers, Others as needed

• This information should be maintained regularly and kept up-to-date.

BCP/DRP 138

BC/DR Plan Change Control

• Need to develop a method to:

• update the BC/DR Plan when a change occurs in the organization that has an impact on the plan

• e.g. adding new departments, upgrading systems, changing operational processes ….

• monitor and track changes in the BC/DR Plan (version control)

• revision history table

• distribute the BC/DR plan to interested parties

BCP/DRP 139

Emergency Response and Recovery

• Emergency Management

• Simple rule – assigning roles

• Emergency Response Plan

• Emergency Response is the immediate response to the incident

• The plan is derived from the risks identified

• Some of the Emergency Response tasks are: protect personnel, contain the incident, engage ERT and CMT, assess impact, notification

• Develop a basic plan that covers a variety of emergencies and contains: roles and responsibilities, tools and equipment, resources, actions and procedures

BCP/DRP 140


Emergency Response Team (ERT)

• Set up ERT with defined roles and responsibilities

• The ERT leader is responsible for activating and coordinating emergency response

• If CMT and ERT are two separate teams the ERT leader should be a member of CMT.

• Emergency Response and Disaster Recovery can go in parallel

• ERT members should be trained and should regularly exercise the tasks they are responsible for.

BCP/DRP 141

Crisis Management Team (CMT)

• CMT is responsible for making high-level decisions, coordinating efforts and determining the appropriate responses

• The team leaders for the various activities in the BC/DR plan should be members of the CMT

• CMT oversees the ERT and DRT

• The ERT leader should be a member of the CMT and report the activities to the CMT regularly

• CMT coordinates the activities related to initiating DR efforts

• The CMT role ceases when business continuity begins and it transitions the business operations to normal management.

• Need to create hand-over criteria for transferring responsibility to normal operations.

• If an alternate facility is set up, the CMT is responsible for overseeing disaster recovery and business continuity activities

BCP/DRP 142

Crisis Management Team (CMT)

• All Crisis related communications are originated or approved by CMT.

• It helps to ensure correct and consistent information is released/communicated

• It keeps the CMT in the loop

• An HR representative should be a member of the CMT.

• Addresses the needs of employees

• Can hire, select and manage additional temporary staff (if needed).

• A representative from the legal department should be a member. Helps to address/handle legal and insurance related issues

• A representative from the finance department should be a member to assess the status of the company and ensure bills are disbursed in a timely manner.

BCP/DRP 143

Disaster Recovery - checklists

• Checklists help make the right decision and help responders understand the steps to take.

• Activation Checklists: an activation checklist can be used to determine if, how and when to activate the BC/DR Plan. Identify all activities and triggers that should take place before and during the plan activation.

• Initial Response Checklist

• Damage Assessment Checklist

• Disaster Declaration and Notification Checklist

• Recovery Checklists: identify all the activities that should take place during the recovery phase

• General Recovery Checklist

• Inspection, Assessment and Salvage Checklist

BCP/DRP 144


Business Continuity - checklists

• Business continuity begins when disaster recovery ends.

• Involves limited business operations.

• Involves work-around solutions while systems and resources are fully restored

• The most critical aspect of BC is determining what should be restored, salvaged or replaced.

• BC checklists help to ensure the required systems are in place and functional:

• Resuming Work checklist, HR checklist, Insurance and Legal checklist, Production and Operations checklist, Resuming Operations checklist, Using Existing Facility checklist, New Facility checklist, Transition to Normalized Activities checklist

BCP/DRP 145

Section VI:

Summary

In this section we

� Studied Business Continuity and Disaster Recovery phases

� Defined BC/DR Teams.

� Defined BC/DR activity checklists

146BCP/DRP

Section VI

Testing and Training

147BCP/DRP

Section VI

Section Objectives

In this section we will cover the fifth Step in BCP/DRP

Testing and Training

� Training for

� Emergency Response

� Disaster Recovery

� Business Continuity

� Testing BC/DR Plan.

148BCP/DRP


Section VI – Testing and Training

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

149BCP/DRP

Testing and Training

� After the BC/DR Plan is developed, the next step is to test the plan's effectiveness and train the implementers for the specific roles assigned

BCP/DRP 150

Section VI

Training for Emergency Response

� ERT members should be trained in the emergency response activities described in the BC/DR Plan

� Basic CPR training should be part of all emergency responders' training.

� Specialized skills training may be required

� Refresher training should be taken regularly

� ERT leader is responsible for ensuring the members are trained

151BCP/DRP

Section VI

DR and BC Testing/Training

� Four methods of plan testing:

� Paper Walk-through

� Functional exercise

� Field exercise

� Full interruption

� Training can be coordinated with testing

� The objective of the training is to understand the plan and how to activate it, when to activate it, and how to implement the steps defined

� Everyone involved in the BC/DR implementation needs to understand their roles and responsibilities

152BCP/DRP


Section VI

DR and BC Testing/Training Cont’d

� Testing the plan:

� Verifies the validity of the steps developed

� Provides training to implementers

� Identifies gaps and flaws in the plan, so it can be revised

� Determines the cost and feasibility

� Before Testing –

� develop Test Evaluation Criteria

� After completion –

� write recommendation based on the result

153BCP/DRP

Section VI

DR and BC Testing – Paper Walk-through

� A Paper walk-through should be scheduled once a year.

� Steps to run a paper walk-through:

� Develop Realistic Scenarios

� Develop Evaluation Criteria

� Provide copies of the plan to CMT

� Divide participants by Team

� Use Checklists for key processes

� Take Notes

� Identify Additional Training needs

� Develop Summary and Lessons Learned

� Revise DR/BC Plan if needed.

154BCP/DRP

Section VI

DR and BC Testing – Functional Exercise

� A functional exercise tests some of the plan’s functionality.

� Done with very minimal or no impact to mission-critical business operations.

� Functional exercises can be used as a training mechanism.

� Follow similar steps covered in Paper walk-through

155BCP/DRP

Section VI

DR and BC Testing – Field Exercise

� Field exercises should be done with a simulated, realistic scenario.

� Can be done with a specific organization or department

� Can also be coordinated with the local/city emergency responders.

� Provides hands-on training.

� Helps to evaluate/assess the performance of CMT and DRT members

156BCP/DRP


Section VI

DR and BC Testing – Full Interruption Test

� Full Interruption activates all components of the Plan and interrupts mission-critical functions.

� Can be run with specific organization(s) or department(s)

� Can also be coordinated with the local/city emergency responders.

� Very expensive to run the test.

157BCP/DRP

Section VI

Summary

In this section we

� Studied BC/DR Plan testing and training

158BCP/DRP

Section VII

Plan Maintenance

159BCP/DRP

Section VII

Section Objectives

In this section we will cover the last Step in the BCP/DRP cycle

Plan Maintenance

� Change Management

� Maintenance Activities

160BCP/DRP


Section VII – Plan Maintenance

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

161BCP/DRP

Section VII

Plan Maintenance – Change Management

� The critical part of Plan Maintenance is controlling and keeping up with changes so that the document stays current and viable.

� The major reasons for changing or revising the plan are:

� IT Change

� Operations

� Corporate

� Regulatory

162BCP/DRP

Section VII

Plan Maintenance – Change Control Methods

� Monitoring – include a step in each business/function operational procedure: “if the change impacts BC/DR – submit a change request”

� Regular review of organizational changes, and of the current employment status and department of each BC/DR Team member.

� Ensure that everyone uses the latest version of the Plan

163BCP/DRP

Steps

[Process diagram: Project Initiation → Risk Assessment → BIA → Risk Mitigation Strategy → Plan Development → Testing and Training → Plan Maintenance]

164BCP/DRP

