Deloitte & Touche LLP
ISACA Business Continuity Management Lifecycle
Copyright © 2009 Deloitte Development LLC. All rights reserved.
Agenda
Introductions 12:00 – 12:05
Overview of Business Continuity 12:05 – 12:20
Business Continuity Lifecycle 12:20 – 12:35
Module 1: Analyze 12:35 – 1:05
Break 1:05 – 1:10
Module 2: Develop 1:10 – 1:30
Module 3: Implement 1:30 – 1:50
Issues 1:50 – 2:55
Q&A 2:55 – 2:05
OVERVIEW OF BUSINESS CONTINUITY
What is Business Continuity Management (BCM)?
• Business Continuity Management: “The ability and readiness to manage business interruptions, in order to provide continuity of services at a minimum acceptable level and to safeguard the financial and competitive position in the short and longer term. It includes the organization in place to determine the continuous adaptation to changing risks, changing environment, and coordination of regular training and testing.”
Business Continuity Objectives
• Viability – Keeping the company in business
• Earnings/Profit Protection – Protecting the enterprise’s financial commitments
• Continuing New Business – Preserving the ability to sell in the marketplace
• Brand Protection – Avoiding public embarrassment and loss of credibility
What is BCM? (cont.)
• Elements include:
– Principles of Risk Management
– Design and implementation of Crisis Management and Emergency Operations Programs
– Planning for recovery and continued availability of operations during disruptive events
– Designing and implementing business process manual procedures for use during a disruption
– Designing and implementing secure, fail-proof (fault-tolerant) systems for continuous availability
– Designing and implementing threat prevention and detection systems
– Encompasses development of procedures, acquisition of resources, testing, and maintenance
Crisis event timeline
[Figure: Crisis event timeline, with Time on the horizontal axis. Normal Operations run until the Incident at Hour “0”. The Response Period follows (Emergency Response, Crisis Management Plan activated, Damage Assessment); Recovery Begins and the Recovery Period follows (IT-DR Plans activated, Business Continuity Plans activated, Recovery in Place); the Restoration Period then leads Back to Normal.]
EVOLUTION OF BCM
Evolution of BCM
• The future towards a “Resilient Enterprise” – Companies are seeking a paradigm shift in their business continuity program, from a responsible organization to one that is able to predict and isolate events before adverse effects occur.
[Figure: Vision of the evolution of BCM, with Business Value on the vertical axis]
– Backups: Making exact copies of electronic data
– Disaster Recovery Plan: Plan for the recovery of data processing facilities
– Business Continuity Management: Building availability into management processes
– Predictive Modeling: Anticipating the effects of emergencies before they happen
– Contingency Plan: Procedures to follow after operational mishaps
– Resilience: Hardening the enterprise against many foreseeable emergencies
– Continuous Availability: Automatic rollover of information systems
– Business Continuity Plan: Plan for recovering business operations
Evolution of BCM (cont.)
• A Model of Risk to Business Continuity – Companies are seeking an approach that is business oriented, focusing on the business process instead of applications. Companies are seeking measures based on business risk instead of event.
[Figure: Model of risk to business continuity]
External Sources
– Empirical Data: Legal and regulatory; Political and economic; State of affairs; Industry-wide insights; Geo-political risk; Assessment
– Subject Matter Skilled: Geo-political risk skilled; Economists; Forums; Executives from diverse industries; Networks
Internal Sources
– Company Activities: Risk analysis; Investment analysis; Interviews with key leaders/management; Focus Groups; Process subject matter experts; Company strategy; Known weaknesses
Scenarios and Threats: People; Process; Technology; Infrastructure; Partners; Market and Economic
Impacts of Scenarios
Continuous Threat Monitoring
Reality Check: Assess response and mitigation plans; Redefine/Bolster test criteria; Reevaluate priorities of risk
• Enhanced monitoring and mitigation technique
• More preventive and responsive plans
Business Impact to Regulatory Requirements
Impact of regulatory requirements
Industry Regulation Impact on Business Continuity Management
Many Publicly Traded Companies
Sarbanes-Oxley
• Guidelines for corporate governance and oversight of accounting and audit practices as well as financial record retention
SEC Policy
• Regulates self-regulatory organizations operating trading markets, ECNs and important "shared systems" such as market data feeds
• Mandates recovery/resumption by next business day
• Business continuity plans, geographic diversity, and industry-wide test of capacity and connectivity with counterparties
ISO 17799
• Requires a BCM process implementation and implementation of an acceptable level of preventative and recovery controls
Healthcare
HIPAA
• Requires data backup, DR and emergency mode operation plan
• Requires reasonable and appropriate measures relative to the size, complexity and resources of the organization
FDA
• Establishes the requirements for electronic records and electronic signatures
Government
FISMA and Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001
• Mostly emphasizes data security rather than BC and DR. An important need to be addressed is the requirement that government is open and running during a crisis
COOP and COG
• Establishes minimum planning considerations for federal government operations
NIST and Contingency Planning Guide for Information Technology Systems
• Defines detailed recommendations from NIST, requiring contingency, DR and COOP plans
• Mandatory security controls will become a federal standard by the end of 2005. NIST 800-53A will provide assessment guidelines that are closely aligned to the controls listed in NIST 800-53
Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005
As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Business impact to regulatory requirements (cont.)
Industry Regulation Impact on Business Continuity Management
Finance
FFIEC
• Specifies that directors and managers are accountable for organization-wide contingency planning and for “timely resumption of operations in the event of a disaster”
Gramm Leach Bliley
• Requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards to ensure the confidentiality and integrity of customer records and information. Financial institutions are required to establish measures to monitor and manage security systems
Basel II, Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003
• Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses
Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003
• More focused on systemic risk than individual enterprise recovery. Requires BCP to be upgraded and tested to incorporate risks discovered as a result of the World Trade Center disaster
EFA
• Requires federally chartered financial institutions to have a demonstrable BCP to ensure prompt availability of funds
NASD 3510/3520 and NYSE Rule 446
• Mandates securities firms to establish Business Continuity Plans for critical systems and to ensure compliance with many aspects of the regulation including senior management review and approval, customer disclosure, and maintenance of Business Continuity Plans
SEC Rule 17a4
• Requires securities firms to preserve electronic records in a non-rewriteable, non-erasable format with a focus on archival practices for email systems and instant messaging
Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005
Business impact to regulatory requirements (cont.)
Industry Regulation Impact on Business Continuity Management
Utilities
GASB
• Requires a BCP to ensure that the agency mission continues in time of crisis.
NERC
• Recovery plans currently voluntary.
• Includes BC in information security standards for the industry-government partnership (guided by the Critical Infrastructure Protection Committee [CIPC]).
FERC
• Mandates recovery plans.
RUS 7 CFR Part 1730, 2005
• Emergency restoration plan required as condition of continued borrowing.
Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity
• Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers.
Chemical Facilities Security Act
• Mandates chemical operators to craft vulnerability assessments and site security plans and grants authority to the Department of Homeland Security to regulate those plans and oversee security at the nation's chemical plants.
Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005
Business Continuity Management Life Cycle
Business Continuity Management Life Cycle
The Deloitte & Touche Approach to Business Continuity Management
[Figure: three phases, Analyze, Develop and Implement, with Continuous Improvement / Quality Assurance spanning all three]
Analyze
• Current State Assessment
• Risk Assessment
• Business Impact Analysis
Develop
• Governance
• Availability/Recoverability Strategies
• Procedures
Implement
• Resource Acquisition/Implementation
• Training
• Testing
Module 1: ANALYZE
Current State Assessment
Objective: To assess the organization’s current BCM program status, including identifying any existing gaps, and provide a quick, high-level report card based on observations and interviews.
Overview: A current state assessment examines each major component important to a BCM program. It includes the following:
• Evaluate the current BCM program
• Determine where the organization is currently on a “lagging” to “leading edge” maturity scale
• Compare with industry peer status (optional depending on scope and availability of information)
• Align BCM program objectives with management’s goals and objectives
Key Considerations: The current state assessment framework could be organized into the following 15 components.
• Leadership/Governance
• Regulatory/Industry Compliance
• Crisis Management
• Business Process/Work Recovery Plans
• Centralized IT Recovery Plans
• Distributed IT Recovery Plans
• Desktop-Technology Plans
• Data Communications
• Voice Communications
• Data/Vital Records
• Facilities/Infrastructure
• Third-Party Continuity
• Testing
• Training
• Life Safety
Partial Sample Current State Assessment Summary
Rating scale: 1 – Lagging; 2 – Awareness; 3 – Partial Implementation; 4 – Implemented; 5 – Leading
Technology
Facilities / Infrastructure
1 – Building security/safety plans exist; limited business requirements
2 – Awareness of need to support alternate workspace, relocation, and utilities backup/recovery
3 – Facilities plans in development. Utilities backup/recovery planned, not fully implemented
4 – Facilities plans implemented to support resiliency. UPS and diesel generators. Annual testing.
5 – Exploration and implementation of Public/Private response cooperation
IT Disaster Recovery
1 – Many single points of failure. Limited awareness of the impact of full technology outage
2 – Risk analysis performed. Redundancy built in for power, some redundancy in place for key technology components
3 – Technology Assessment full. Mitigation of risk. IT Recovery sites identified
4 – Recovery plans address many aspects of IT. Examining electronic vaulting, journaling, data replication solutions
5 – Leading technologies implemented providing data and system redundancy from separate locations
Telecommunications
1 – Single telecomm provider. Limited awareness of the impact of full telecomm outage
2 – Recovery strategy addresses partial telecomm redundancy with limited recoverability
3 – Recovery strategy addresses partial telecomm redundancy with limited recoverability
4 – Recovery plans address many telecomm requirements and are incorporated into annual testing
5 – Leading telecommunications technologies such as Internet, cellular, and radio frequency are built into recovery plans
Data / Vital Records
1 – Inconsistent data retention and offsite storage program in place.
2 – Data backups stored offsite. Frequencies and methods driven by IT system and application requirements
3 – Data backups taken for many platforms: operating system, apps and data, and tested at remote site. Imaging program in place
4 – Examining methods for minimizing potential data loss and providing duplicate copies of data at multiple sites
5 – Leading technologies such as electronic vaulting, journaling, mirroring are implemented. Duplicate copies of all data are maintained.
People
Life Safety
1 – Absence of Life Safety measures. No evacuation routes posted or evacuation drills performed
2 – Evacuation routes and emergency medical procedures posted
3 – Periodically conduct evacuation drills and medical emergency training. Floor wardens established
4 – Annual testing of evacuation and medical emergency procedures. Drills and Emergency Response coordinated with local authorities
5 – Integrated evacuation and medical testing between Crisis Management, Business Units, IT, Facilities, and external parties
Training and Awareness
1 – Absence of BCP Training and Awareness Program
2 – IT Department and Business Unit are trained to execute recovery plan activities
3 – Regular BCP Training sessions conducted. BCP training manuals distributed to key employees
4 – BCP Training program established, includes regular employee contact and continuous improvement
5 – Pro-active BCP Training Process, including factoring BCP / BCM into design and implementation
Sample Current State Continuum
[Figure: Current State (C) and Goal State (G) ratings per sub-category on the scale 1 – Lagging, 2 – Awareness, 3 – Partially Implemented, 4 – Implemented, 5 – Leading]
Categories: Management; Process; Technology; Buildings; People
Sub-Categories: Leadership / Governance; Regulatory / Industry Compliance; Crisis Management; Business Process / Work Recovery; Centralised Information Technology; Distributed Information Technology; Testing (validation); Third Party Continuity; Data / Vital Records; Training; Backup Site; Primary Site; Voice Communications; Data Communications; Life Safety
Risk Assessment
Objective: To assess existing business continuity threats and recommend solutions to further mitigate vulnerability where appropriate.
Overview: A risk assessment is a broad analysis of the potential hazards, threats, and perils that can disrupt the continuity of the organization’s business processes.
• A list of inherent risks and the likelihood of occurrence is developed based on natural and man-made events known to the area and the organization’s industry
• Existing experience is gathered through Internet research and select interviews
• Based on existing mitigating measures already implemented, an overall “residual risk” rating is developed
• Risk avoidance solutions will be recommended by the project team to mitigate gaps between the residual risk and an estimated risk tolerance for the organization
Key Considerations: Identification of credible threats; site-specific history of threat occurrences
Risk• The exposure to loss, injury, and/or major business disruption
• Types of Risk include:
1. Inherent Risk – risk that any business is exposed to, involving multiple threats that can impact the company’s ability to perform major business processes. These risks have a potential negative impact on business resources including people, assets and information. Companies can implement additional measures to either prevent their occurrence or mitigate their impact
2. Residual Risk – risk that remains after taking into account the organization's existing mitigation measures. Businesses may not be able to completely remove residual risk. Business continuity plans are usually implemented in an effort to deal with the residual risk, reducing the threats to a level that is acceptable to management
Inherent Risk and Residual Risk
[Figure: risk model]
Inherent Risk = Threats + Consequences for Resources
– Threats: Natural; Accidental; Deliberate; Technical
– Consequences, Level 1: Confidentiality; Availability; Integrity; Accuracy; Completeness
– Consequences, Level 2: Strategy; Transaction; Compliance; Reputation; Other
– Resources: People; Assets; Information; Customers; Vendors; Other Stakeholders; Other
Residual Risk = Inherent Risk − Controls
– Controls: Preventing Controls; Mitigating Controls
Risk Assessment Approach: General risk is based on NFPA 1600, which groups risk into three categories:
• Natural Events – risk driven by nature or acts of God
• Technological Events – risk driven by technology, broadly defined
• Human Events – events driven by acts of specific individuals, both internal and external to the organization
Specific risk is further assessed based on:
• Infrastructure Single Points of Failure (SPOF)
• Reliance on few individuals
• Reliance on third parties
www.nfpa.org
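The inherent/residual rating and the tolerance gap described in this module, worked through as an added Python example that is not from the deck or from Deloitte: threats are grouped by the NFPA 1600 categories above, preventing controls lower likelihood and mitigating controls lower consequence, and anything still above the tolerance is flagged for a risk-avoidance recommendation. The 1 to 5 scales, the control-strength values and the sample threat register are constructed assumptions.

```python
"""Residual-risk rating for a threat register (added example, constructed data).
inherent risk = likelihood x consequence; residual = inherent less controls;
recommend action where residual still exceeds management's tolerance."""
from dataclasses import dataclass
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5                           # constructed ordinal scales
CATEGORIES = {"natural", "technological", "human"}    # NFPA 1600 grouping


@dataclass
class Threat:
    name: str
    category: str
    likelihood: int       # 1 = rare .. 5 = frequent (from site history / area data)
    consequence: int      # 1 = negligible .. 5 = severe (people, assets, information)
    preventing: int = 0   # strength 0-4 of controls that stop the event occurring
    mitigating: int = 0   # strength 0-4 of controls that limit the damage

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown NFPA 1600 category {self.category!r}")
        for value in (self.likelihood, self.consequence):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError("likelihood and consequence must be 1..5")


def clamp(value: int) -> int:
    """Keep a rating on the 1..5 scale; controls cannot drive a factor below 1."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_risk(t: Threat) -> int:
    """Exposure before any control: how often it happens x how bad it is."""
    return t.likelihood * t.consequence


def residual_risk(t: Threat) -> int:
    """Exposure that remains once existing controls are credited: preventing
    controls reduce the likelihood factor, mitigating controls the consequence."""
    return clamp(t.likelihood - t.preventing) * clamp(t.consequence - t.mitigating)


def assess(register: List[Threat], tolerance: int) -> List[dict]:
    """Rate each threat; flag those whose residual risk exceeds the estimated
    tolerance, i.e. the gaps the project team recommends solutions for."""
    rows = []
    for t in register:
        inherent, residual = inherent_risk(t), residual_risk(t)
        rows.append({
            "threat": t.name, "category": t.category,
            "inherent": inherent, "residual": residual,
            "gap": max(0, residual - tolerance),
            "recommend_action": residual > tolerance,
        })
    # Highest residual first, so the report leads with the open gaps.
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register; the values are illustrative, not from the page.
SAMPLE_REGISTER = [
    Threat("Flooding", "natural", likelihood=2, consequence=5, mitigating=2),
    Threat("Power failure", "technological", likelihood=4, consequence=4,
           preventing=1, mitigating=3),
    Threat("Loss of key personnel", "human", likelihood=3, consequence=4),
    Threat("Malicious code", "technological", likelihood=5, consequence=3,
           preventing=3, mitigating=1),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER, tolerance=6):
        flag = "RECOMMEND ACTION" if r["recommend_action"] else "accept"
        print(f"{r['threat']:<24}{r['category']:<14}"
              f"inherent={r['inherent']:>2} residual={r['residual']:>2}  {flag}")
```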
Sample of Threat List Grouped by Threat Categories
Threat Types/Causes – Examples
Health – Bioterrorism (Anthrax, Plague, etc.); Pandemic; Traveler’s Health; Food/Water Safety; Chemical Hazard; Workplace injuries; Radiation emergencies
Natural – Flooding; Earthquake; Hurricane; Landslide; Sandstorm; Snow / Ice Storm; Tornado; Wind Storm
Man-Made – Bomb Threat; Computer Crime/Theft; Inadvertent Disclosure; Fire; Fraud; Hacking; Human Error – Administration Neglect / Data Entry; Extortion / Embezzlement; Loss of Key Personnel; Non-Compliance (Ignorance or Willful); Riot / Civil Disorder; Sabotage; Labor Strike; Theft / Loss
Technological – Alteration of Data; Alteration of Software; Disclosure; Hardware Failure; Malicious Code; Software Error; Telecom Outage; Vandalism / Cyber-vandalism
Infrastructural – Power Failure/Fluctuation; Hazardous Material Spill; Emanations; Fire; Water Pipe Leak/Burst; Telecom Outage
Sample Threat Chart
Business Impact Analysis
Objective: To establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for major business processes based on a structured approach to estimate financial and operational impacts associated with disruptions. RTO is the business tolerance for operational down time and RPO is the maximum allowable data loss. The BIA is also used to identify the resource requirements necessary to meet RTO and RPO.
Overview: A Business Impact Analysis (BIA) is the cornerstone of a BCM program. It identifies the impacts, as a function of time, resulting from a major unplanned disruption to one or more business processes.
• It provides measurable metrics to assist management with the business case for making the appropriate investment in business continuity solutions
• It identifies external and internal interdependencies of business functions, technologies, and services and analyzes the overall impact of outages to determine appropriate solutions. It also leverages a structured approach, and tools and templates, to provide an enterprise view of business impacts
Key Considerations: Sample Results from a BIA
• Identify the RTO and RPO for each major business process
• Identify existing departmental business continuity and disaster recovery capabilities – including departmental recovery capabilities
• Business functions within each department deemed critical by management
• Information flow of operations within each department and location and any interdependencies between them
• Existing business resources that support these functions including, but not limited to, information technology, electronic and paper-based vital records, hardware, software, telecommunications, etc
• Resources within each department deemed necessary for the various disruption scenarios discussed
• Ability to meet regulatory compliance issues at the time of a disaster
• Minimum operating requirements are your organization’s key operating resource dependencies; they must be replicated at alternate recovery facilities, including people, vital records, communications, facilities, equipment and IT infrastructure
Identification of dependencies
[Figure: dependencies of a business process identified in the BIA]
• 3rd Parties (Vendors, Customers, Service Providers)
• Human Resources
• Technology (Application, Data, Infrastructure)
• Equipment
• Building (Facilities / Utilities)
The types of impacts of disruption for an organization are grouped by:
Quantitative – Financial in nature; where dollar values or ranges can be estimated. Examples are:
– Revenue loss; fines; cash flow; accounts receivable; accounts payable discounts; legal liability; loss of productivity; etc.
Operational and Qualitative – More difficult to quantify; obtained by estimating impacts based on a ranking scale from minimal to significant. Examples are:
– Customer service; human resources; employee morale; confidence; legal; social and corporate image; credibility; etc.
Measuring Financial Impact
Measuring Financial Impact (cont.)
The Most Significant Quantitative Impacts for a Commercial Enterprise:
Revenue Impacts – Sales revenue, professional fees or other financial losses that can be estimated based on an hourly cost of operational downtime or the chronological loss of data records. Revenue loss should be understood as a one-time financial loss tied to a single event. One-time revenue impacts should be measured separately from the loss of future revenue tied to the permanent loss of customers who have become dissatisfied as a result of the business disruption and have chosen to take their business elsewhere.
Productivity Impacts – Can be quantified by estimating the percentage change in effectiveness (i.e., reduction in normal work product) for a business function relative to operational downtime and/or the chronological data/records loss. Assuming normal productivity of a group of workers to be 100%, the organization can estimate how productivity degrades during downtime or based on data/record loss. One approach is to multiply this percentage of productivity loss by the full-time resource pay rate for each employee within a business function to quantify the cost of productivity loss for that function over time.
Measuring Financial Impact (cont.)
The Most Significant Financial Impacts for a Commercial Enterprise:
Market Share Loss – Losses from customers who are so dissatisfied by the business disruption that they permanently take their business to another company. This results in a future revenue loss. To calculate such losses:
1. First, estimate the number of customers that may be permanently lost related to operational downtime and/or chronological data record loss. This number will likely grow as operational downtime and/or chronological record loss grows.
2. Second, the organization must be able to define the average lifetime of a typical customer in months or years.
3. Last, multiply these variables by an estimate of the average monthly revenue per customer. This quantifies future revenue losses due to permanent customer loss.
Regulatory Fines and Sanctions – Depending on the enterprise, potential liabilities for non-compliance with applicable regulations can range from minor to disastrous.
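The revenue, productivity and market share formulas from the three Measuring Financial Impact slides, worked through as an added example (not from the deck): the business function profile, all of its figures and the management tolerance are constructed, and accumulating productivity loss hour by hour is this example's own reading of quantifying the loss "over time".

```python
# Added example (not part of the Deloitte deck): a small BIA impact model that
# implements the deck's three quantitative impact formulas (revenue, productivity,
# market share) for one business function over a range of outage durations, and
# reads off the shortest outage at which the impact exceeds a tolerance set by
# management.  The function profile and every figure in it are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FunctionProfile:
    """Constructed BIA inputs for one business function."""
    name: str
    revenue_per_hour: float         # hourly cost of operational downtime (one-time loss)
    headcount: int                  # staff in the function
    hourly_pay_rate: float          # full-time resource pay rate per employee
    # Fraction of normal productivity lost (0.0..1.0) once downtime reaches the threshold hour.
    productivity_loss_steps: List[Tuple[int, float]]
    # Customers permanently lost once downtime reaches the threshold hour.
    customers_lost_steps: List[Tuple[int, int]]
    customer_lifetime_months: float
    monthly_revenue_per_customer: float


def step_lookup(steps, hours):
    """Value of the last step whose threshold has been reached; 0 before the first."""
    value = 0
    for threshold, v in sorted(steps):
        if hours >= threshold:
            value = v
    return value


def revenue_loss(p: FunctionProfile, hours: int) -> float:
    """One-time revenue loss tied to a single event: hourly downtime cost x hours."""
    return p.revenue_per_hour * hours


def productivity_loss(p: FunctionProfile, hours: int) -> float:
    """Productivity-loss percentage x pay rate x headcount, accumulated hour by hour
    because the percentage itself grows as the outage lengthens."""
    total = 0.0
    for h in range(1, hours + 1):
        total += step_lookup(p.productivity_loss_steps, h) * p.hourly_pay_rate * p.headcount
    return total


def market_share_loss(p: FunctionProfile, hours: int) -> float:
    """Future revenue lost with permanently lost customers:
    customers lost x average customer lifetime (months) x monthly revenue per customer."""
    lost = step_lookup(p.customers_lost_steps, hours)
    return lost * p.customer_lifetime_months * p.monthly_revenue_per_customer


def quantified_impact(p: FunctionProfile, hours: int) -> dict:
    """All three quantitative impacts for an outage of the given length, plus their sum."""
    result = {
        "revenue": revenue_loss(p, hours),
        "productivity": productivity_loss(p, hours),
        "market_share": market_share_loss(p, hours),
    }
    result["total"] = sum(result.values())
    return result


def first_intolerable_downtime(p: FunctionProfile, tolerance: float,
                               candidate_hours: List[int]) -> Optional[int]:
    """Shortest candidate outage whose total impact exceeds management's tolerance
    (None if no candidate does).  A recovery time objective should be set below it."""
    for h in sorted(candidate_hours):
        if quantified_impact(p, h)["total"] > tolerance:
            return h
    return None


# Constructed profile for illustration only.
ORDER_ENTRY = FunctionProfile(
    name="Order entry (constructed)",
    revenue_per_hour=5_000.0,
    headcount=40,
    hourly_pay_rate=50.0,
    productivity_loss_steps=[(1, 0.25), (8, 0.5), (24, 0.9)],
    customers_lost_steps=[(24, 20), (72, 100)],
    customer_lifetime_months=36,
    monthly_revenue_per_customer=400.0,
)

if __name__ == "__main__":
    for h in (1, 4, 8, 24, 72):
        impact = quantified_impact(ORDER_ENTRY, h)
        print(f"{h:>3} h: " + ", ".join(f"{k}={v:,.0f}" for k, v in impact.items()))
    mtd = first_intolerable_downtime(ORDER_ENTRY, 250_000, [1, 2, 4, 8, 12, 24, 48, 72])
    print(f"impact exceeds tolerance at {mtd} h of downtime")
```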
Auditing Module 1
Risk Assessment:
• Does a risk assessment exist, when was it last updated and what facilities or business functions does it cover?
• Has a residual risk been assigned to each threat with mitigation strategies and single points of failure (SPOF)?
• Has it been reviewed and accepted by senior management?
Business Impact Analysis:
• Does a BIA exist and when was the last time it was updated?
• Does a prioritized list, including recovery timeframes of business functions or units and applications, exist and has it been reviewed and accepted by senior management?
• Have interdependencies been outlined, including other business functions or units, facility, personnel, equipment, technology and vendors?
• Have quantitative and qualitative impacts been identified?
BREAK
Module 2: DEVELOP
Develop (Module 2): 4 Governance; 5 Availability/Recoverability Strategies; 6 Plans & Documentation
Governance
Objective: To introduce key BCM governance practices; to explain the operational and functional roles and responsibilities of management; to promote a successful BCM program
Overview
• Business Continuity Governance oversight includes senior management’s involvement in the overall program. The governance program should involve the BCM steering committee, program standards and guidelines, monitoring and updating standards, Board reporting, budget approval, and goal setting
• BCM proposals should highlight that our demonstrated methodology includes a structured approach to Governance to further distinguish us from our competition
Governance – Key Considerations
• Must identify a senior management champion. A visible corporate sponsor is an influencer in the budgeting process.
• Integrate effective governance as much as possible into the organization’s leadership structure; the goal is to embed BCM in the corporate culture. Understand the strategic business continuity goals. Refer to any business availability and recovery priority requirements developed as part of a BIA. The governance process should include the triggers to re-evaluate this information when business changes occur.
• Reassess staffing levels. It is common that an organization has staff dedicated to business continuity. Assessing the staffing structure should be based on the governance model developed, to determine that the program can meet expectations.
• Identify primary and secondary resources to fill roles. This is critical and ideally includes BCM responsibilities within the formal performance appraisal process.
• Develop BCM policies and roles and responsibilities that make business continuity a key accountability throughout the organization.
Governance Approach
Consists of both regulatory and organizational structure.
Governance Decision Framework – BCM Governance Decisions
Monitoring & Control
• What qualitative benchmarking should be performed?
• How should periodic BCM progress reports be created and reviewed?
• What corrective action should be taken as key findings are made?
• How should the organization determine corrections take place?
Coordination & Compliance
• What process should be used to determine compliance with BCM standards and obligations?
• How should Corporate BCM coordinate recovery activities between organizational units?
Allocating Capital
• How should limited resources be efficiently allocated?
• What capital is available for investment?
• What criteria should be used to dictate BCM investment decisions?
• What process should be used to review expenditures?
Leadership
• What is the overall direction for the business and related IT within the corporation?
• What are the cultural values regarding risk management?
• How should key stakeholders be represented?
Planning
• What should the corporate business recovery strategy include?
• What should be the corporate IT recovery goals?
• How should BCM program management be measured?
Policy
• What should the fundamental BCM operating principles be?
• What internal BCM standards, rules and protocols are needed?
Governance Approach On Policy Development
A company policy must contain enough information to carefully reflect your organization’s BCM program. It should include the sections listed below; use the following sample company policy as your guide.
• Policy Introduction
• Authority
• Scope
• Audience
• Governance Policy
  – Purpose
  – Scope
  – Governance structure business objectives
  – Governance framework (refer to module 2.2)
  – Program administration roles & responsibilities
  – Crisis management roles & responsibilities
• Business Continuity Policy Statements (“Thou Shall”) for:
  – Assessment
    • BIA
    • Critical ratings
  – Crisis management
    • Team activation & escalation
    • Damage assessment
    • Crisis management plan
    • Employee response & communication for events occurring DURING business hours: evacuation & assembly; crisis calling procedures; staff & corporate communications
    • Employee response & communication for events occurring AFTER business hours: crisis calling procedures; staff & corporate communications
    • Command post
    • Crisis communications
  – Business recovery plan
    • Business recovery plan activation procedures
    • Plan distribution
  – Testing
    • Types
    • Calendar & frequency
    • Strategy: assumptions; objectives; success criteria; retesting/post-test activities
  – Maintenance
    • Scheduled triggers
    • Unscheduled triggers
  – Monitoring & reporting
  – Training
  – Awareness
• Compliance
• Non-compliance
• Communication
• Technology & Tools
Governance Approach to Governance Framework
A successful business continuity governance model must align the business continuity lifecycle to accountable resources within the organization’s structure. The Governance Framework includes a RACI matrix that assigns cross-functional responsibilities. The following is a sample of the RACI Governance Framework that highlights the value of a RACI matrix:
• (R) Responsible – Doing the work
• (A) Accountable – The buck stops here
• (C) Consulted – Adds input
• (I) Informed – Kept abreast of activities
Milestone/Task                 | Technologist | Business Dept. Head | Business Continuity Coordinator | Chief Information Officer | Chief Risk Officer
Identify System Outage         | R            | C                   | I                               | A                         | I
Assess Situation               | C            | I                   | C                               | R                         | A
Accept Disaster Declaration    | I            | R                   | C                               | I                         | A
Invoke Life Safety Procedures  | I            | I                   | R                               | C                         | A
Governance Approach – Governance Structure
Entities shown in the governance structure chart: Board of Directors; Audit Committee; Executive Management Team; Business Continuity Management; Business Area Leaders; Business Area Continuity Teams; Corporate Support Team; Corporate Information Technology Recovery; Human Resources; Facilities; Media Relations; Legal; Risk Mgt.; Other; Regulatory Agencies.
Availability/Recovery Strategies
Objective: To recommend tactical and strategic solutions to enable the organization to meet availability and recoverability objectives established during the Business Impact Analysis. Recommended alternatives are based on criteria developed to be compatible with the organization’s risk tolerance.
Overview
• Compile a list of potential solutions that meet the RTOs and RPOs accepted by management
• Develop selection criteria and order of importance based on key operational, cost, and risk attributes to assist with the selection approach
• Establish management expectations regarding the level of detail necessary in the alternative definition and costs in order to obtain directional approval
• If rapid recovery is not required, relocation, restoration and rebuilding may be appropriate strategies
Availability/Recovery Strategies – Key Considerations
There are no universal solutions when designing availability and recoverability strategies.
• Consider legal and regulatory requirements, as well as company policies and culture
• Consider both the formal organization of a company as well as the informal delegation of authority when defining solutions
• Consider operational enhancements that may result from a solution in addition to its recovery capabilities. For example, if data networks need to be resilient, it may be value added to provide voice network resiliency as well, even if the RTO does not require the same. If both travel over the same physical facilities, conduits, carriers, frames, etc., the recovery of data communications will allow recovery of voice communications at minimal incremental cost
• Eliminate non-viable alternatives from consideration as soon as possible
Availability/Recovery Strategies – Practical Approach
Inputs shown in the approach diagram: Strategic Drivers; Build on Strengths & Reduce Limitations; Continuity Process Design; Executive Alignment and Buy-In; Leading Practices; Industry & Market Trends; Business Process Needs based on BIA and Risk Analysis. Together these lead to the Recommended Solutions.
• Strategic Drivers are the considerations (network, people, etc.) to be factored in when looking at recovery capability from both a risk avoidance and business continuity point of view.
• Understand strengths and limitations of the current environment
• Understanding Business Needs
• Consolidation and globalization
• Increased regulatory scrutiny
• Threat from intentional acts of terrorism
• Reduced tolerance for downtime
• Leading Business Practices
• Achieving high-quality performance based on cost-benefit analysis
The list below describes 15 categories that may require a strategy to recover from a major unplanned disruption. This list is meant to be suggestive rather than exhaustive.
• Business Process
• Facility
• Technical – Desktop
• Technical – Centralized and Distributed
• Voice
• Data Network
• Electronic Data
• Vital Hard Copy Records
• Testing and Maintenance
• Training and Awareness
• Governance
• Crisis Management
• Third-party
• Life Safety
• Regulatory
Range of Recovery Alternatives for Business Function Availability
Figure: Continuum of Availability Strategies, plotted as Cost of Solution ($ to $$$) against Time To Functional Availability (Seconds, Minutes, Hours, Days, Weeks). From fastest and most costly to slowest and least costly:
• Dedicated Workspace – Dedicated Facility & Infrastructure Supporting Providing Immediate Access to a Replicated Work Environment
• Pre-staged Workspace – Dedicated Facility with Quick Ship for Desktop Technology
• Commercial Work Area – Shared Vendor Facility with Desktop Technology (PC and Voice)
• Remote Access – Third Party Offices with Critical IT Connectivity
• Mobile Facility – Vendor Shipped Facility Configured for Quick Set-up
• Acquisition – Leading Effort at Time of Disaster
Summary Description of Business Function Availability Alternatives
Alternatives covered (as labelled on the slide): Pre-staged Workspace, Commercial Work-area, Dedicated Workspace, Remote Access, Mobile Facility, Acquisition.
Description | Relative Cost | Recovery Time
Remote Server Clustering with Application Load Balancing and/or Intelligent Fail-Over Processing | Floor space: $$$$; Infrastructure: $$$$; Network: $$$$; Total Cost: $$$$ | Zero to 8 Hours
Remote Server Clustering with Manual Fail-Over Requiring Operator Intervention | Floor space: $$$$; Infrastructure: $$; Network: $$$; Total Cost: $$$ | 4 Hours to 24 Hours
Restoration of Application Processing to Pre-Staged Network and Dedicated IS Infrastructure | Floor space: $$$$; Infrastructure: $; Network: $$$; Total Cost: $$$ | 12 Hours to 72 Hours
Restoration of Application Processing to Pre-Staged Network and Limited IS Infrastructure | Floor Space: N/A; Infrastructure: $$$; Network: $$; Total Cost: $$ | 4 Hours to 5 Days
Restoration of IS to Pre-Staged Facility & Utility. Infrastructure Acquired at Time of Disaster | Floor Space: $$$; Infrastructure: $$; Network: $$; Total Cost: $$ | 3 Days to 10 Days
Leading Effort At Time of Disaster to Acquire Facility & Infrastructure. Data Restored From Tape Backup | Floor Space: N/A; Infrastructure: N/A; Network: N/A; Total Cost: N/A | 5 Days to 21 Days
Range of Recovery Alternatives for IT Application Availability
Figure: Continuum of Availability Strategies, plotted as Cost of Solution ($ to $$$) against Time To Functional Availability (Seconds, Minutes, Hours, Days, Weeks). From fastest and most costly to slowest and least costly:
• Automatic Fail-Over – Dedicated Facility & Infrastructure Supporting Automated Fail-Over and Application Load-Balancing
• Manual Fail-Over – Dedicated Facility & Infrastructure Supporting Manual Fail-Over
• Hot-Site – Pre-Staged Facility, IT Equipment, & Network (shared or dedicated)
• Warm-Site – Pre-Staged Facility, Utility, & Network, Awaiting Equipment Delivery (shared or dedicated)
• Cold-Site – Facility, Utility, & Environmental Only
• Acquisition – Leading Effort at Time of Disaster
Summary Description of Availability Alternatives (IT Application Availability)
Alternative | Description | Relative Cost | Recovery Time
Automatic Fail-Over | Remote Server Clustering with Application Load Balancing and/or Intelligent Fail-Over Processing | Storage: $$$$; Hosts: $$$$; Network: $$$$; Facilities: $$$$ | Zero to 60 Minutes
Manual Fail-Over | Remote Server Clustering with Manual Fail-Over Requiring Operator Intervention | Storage: $$$$; Hosts: $$$$; Network: $$$; Facilities: $$$$ | 60 Minutes to 12 Hours
Hot-Site | Restoration of Application Processing to Pre-Staged Network and Dedicated IS Infrastructure | Storage: $$$; Hosts: $$$; Network: $$$; Facilities: $$$ | 12 Hours to 72 Hours
Warm-Site | Restoration of Application Processing to Pre-Staged Network and Limited IS Infrastructure | Storage: $$; Hosts: $$; Network: $$; Facilities: $$$ | 48 Hours to 5 Days
Cold-Site | Restoration of IS to Pre-Staged Facility & Utility. Infrastructure Acquired at Time of Disaster | Storage: N/A; Hosts: N/A; Network: $; Facilities: $$$ | 96 Hours to 14 Days
Acquisition | Leading Effort At Time of Disaster to Acquire Facility & Infrastructure. Data Restored From Tape Backup | Storage: N/A; Hosts: N/A; Network: N/A; Facilities: N/A | 10 Days to 30 Days
Range of Recovery Alternatives for Data Recovery
Figure: Continuum of Data Recovery Strategies, plotted as Cost of Solution ($ to $$$) against Chronological Point in Time for Data Recovery (Zero, Seconds, Minutes, Hours, Days). From least data loss and most costly to most data loss and least costly:
• Synchronous Mirroring – Real-Time Data Volume Mirroring (no data loss)
• Asynchronous Replication – Near Real-Time Data Replication (with limited data loss)
• Stand-By Database – Remote Data-Base Replication with Electronic Journaling
• Remote Journaling – Transaction Replication To Remote Facility
• Electronic Vaulting – Bulk Data Transfer (time/event driven)
• Traditional Data Recovery – Tape Based Backup & Recovery (daily, weekly, monthly)
Summary Description of Data Recovery Alternatives
Alternative | Description | Relative Cost | Data Recovery Point
Synchronous Mirroring | Real-Time Remote Disk Volume Mirroring (equivalent to remote RAID-1) | Storage: $$$$; Hosts: $$$; Network: $$$$; Tape: N/A | Zero Data Loss
Asynchronous Replication | Near Real-Time Remote Disk Volume Mirroring or Data Replication | Storage: $$$$; Hosts: $$$; Network: $$$$; Tape: N/A | Data Recovery Within Seconds to Minutes of Last Transaction, Track Change, or Other Delta
Stand-By Database | Remote Transaction Journaling or Vaulting as Applied To a Standing Database | Storage: $$$; Hosts: $$; Network: $$$; Tape: $ | Data Recovery Within Seconds or Minutes of Point of Failure
Remote Journaling | Remote Transaction Data Recovery Near to Point of Failure | Storage: $$; Hosts: $$; Network: $$$; Tape: $ | Data Recovery Within Seconds or Minutes of Point of Failure
Electronic Vaulting | Bulk Data Transfer to Remote Tape/Disk as Triggered By Time or Event | Storage: $$; Hosts: $; Network: $$; Tape: $ | Data Recovery Within Minutes or Hours of Point of Failure
Traditional Data Recovery | Weekly, Nightly or Intra-Day Backup To Off-Line Tape Media That Is Manually Moved Off-Site | Storage: $; Hosts: $; Network: $; Tape: $$ | Data Recovery Within Hours or Days of Point of Failure
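Matching the RTO and RPO that came out of the BIA against the continuum, as an added example (not the deck's own tool): the recovery-time ranges and $ ratings are those of the IT application availability and data recovery summary tables above, while the numeric bounds given to the data-recovery word ranges and the least-cost selection rule are this example's assumptions.

```python
# Added example (not part of the Deloitte deck): pick, for one application, the
# least-cost availability alternative and data-recovery alternative whose worst case
# still meets the BIA's RTO and RPO, eliminating the non-viable ones.  Ranges and
# cost ratings come from the deck's two summary tables; the numeric bounds for the
# data-recovery word ranges and the selection rule are this example's assumptions.
from typing import List, NamedTuple, Optional

HOUR = 1.0               # all durations are in hours
DAY = 24.0


class Alternative(NamedTuple):
    name: str
    worst_case_hours: float   # upper end of the slide's recovery time / data loss range
    relative_cost: int        # total number of "$" across the slide's cost columns (N/A = 0)


# IT application availability alternatives (recovery time upper bound, cost rating).
IT_AVAILABILITY: List[Alternative] = [
    Alternative("Automatic Fail-Over", 1 * HOUR, 16),   # zero to 60 min;  $$$$ $$$$ $$$$ $$$$
    Alternative("Manual Fail-Over", 12 * HOUR, 15),     # 60 min to 12 h;  $$$$ $$$$ $$$  $$$$
    Alternative("Hot-Site", 72 * HOUR, 12),             # 12 h to 72 h;    $$$  $$$  $$$  $$$
    Alternative("Warm-Site", 5 * DAY, 9),               # 48 h to 5 days;  $$   $$   $$   $$$
    Alternative("Cold-Site", 14 * DAY, 4),              # 96 h to 14 days; N/A  N/A  $    $$$
    Alternative("Acquisition", 30 * DAY, 0),            # 10 to 30 days;   N/A  N/A  N/A  N/A
]

# Data recovery alternatives.  Assumed bounds for the slide's word ranges: "minutes"
# = 1 hour, "hours" = 1 day, "days" = 7 days (a weekly tape cycle, the longest named).
DATA_RECOVERY: List[Alternative] = [
    Alternative("Synchronous Mirroring", 0.0, 11),          # zero data loss
    Alternative("Asynchronous Replication", 1 * HOUR, 11),  # seconds to minutes
    Alternative("Stand-By Database", 1 * HOUR, 9),          # seconds or minutes
    Alternative("Remote Journaling", 1 * HOUR, 8),          # seconds or minutes
    Alternative("Electronic Vaulting", 1 * DAY, 6),         # minutes or hours
    Alternative("Traditional Data Recovery", 7 * DAY, 5),   # hours or days
]


def viable(alternatives: List[Alternative], target_hours: float) -> List[Alternative]:
    """Alternatives whose worst case still meets the target; the rest are eliminated."""
    return [a for a in alternatives if a.worst_case_hours <= target_hours]


def least_cost_meeting(alternatives: List[Alternative],
                       target_hours: float) -> Optional[Alternative]:
    """Cheapest viable alternative, or None when nothing on the continuum meets the target."""
    candidates = viable(alternatives, target_hours)
    return min(candidates, key=lambda a: a.relative_cost) if candidates else None


def recommend(rto_hours: float, rpo_hours: float) -> dict:
    """Pair an availability strategy with a data-recovery strategy for one application.
    A None entry flags a gap: the BIA target is not achievable on this continuum."""
    avail = least_cost_meeting(IT_AVAILABILITY, rto_hours)
    data = least_cost_meeting(DATA_RECOVERY, rpo_hours)
    return {
        "availability": avail.name if avail else None,
        "data_recovery": data.name if data else None,
        "gap": avail is None or data is None,
    }


if __name__ == "__main__":
    for rto, rpo in ((8 * HOUR, 0.0), (72 * HOUR, 1 * DAY), (5 * DAY, 7 * DAY), (0.5, 0.0)):
        print(f"RTO {rto:>6.1f} h, RPO {rpo:>6.1f} h -> {recommend(rto, rpo)}")
```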
BCM Plans & Documentation
Objective: To detail the required people, processes, procedures and infrastructure necessary, based on the recovery strategy selection, to meet the RTOs and RPOs developed in the BIA and accepted by management
Overview
• Documented procedures to enable emergency response and recovery teams to understand and perform their recovery tasks
• Types of plans include:
  – Emergency Response
  – Business Continuity/IT-DR
  – Crisis Management
  – Pandemic
• Plans should be action oriented and provide a level of detail so that individuals less familiar with the task will be able to accomplish it
• Plans should include 24 x 7 internal and external contacts to facilitate timely decision making and recovery
BCM Plans & Documentation – Plan Contents
Crisis Management Plan: Roles & Responsibilities (RACI Chart); Crisis Command Center; Declaration Procedures; Event Management; Problem Resolution; Coordination with local/state/federal authorities; Communication Plans; Community Response Actions; Media Coordination and Spokespersons; Damage Assessment
Emergency Response Plan: Roles & Responsibilities; Life Safety; Coordination with First Responders and Local Authorities
Disaster Recovery Plan: Roles & Responsibilities (RACI Chart); Information Technology Infrastructure Recovery; Application Recovery; Data Recovery & Synchronization
Business Continuity Plan: Roles & Responsibilities (RACI Chart); Procedural Work-Arounds; Facilities; Personnel Support/Replacement; Contact Information
Tools: Established Word Templates; Strohl Systems LDRPS/eBRP/BPSI; Notification – Everbridge, Envoy, MIR3, Others
BCM Plans & Documentation – Key Considerations
Documented plans should be flexible, adaptable and easy to follow, exercise, and maintain.
Methods of building plans include:
• Specialized BCP software application
• Document repository system
• MS Word based plan templates
Determine that life safety procedures are addressed for employees and visitors.
Include communication methods to be used, including email, cell phones, pagers, radio, etc. Define any tracking tools needed to document the situation, actions taken and upcoming decision points.
Components of a plan include:
• Roles & Responsibilities of who executes the plan and what is needed to recover, resume and restore business function
• Alternate location to recover critical business processes and shared services
• Expected elapsed timeframes for business functions to be operational and key milestones for the recovery and business resumption
• Detailed tasks and supporting information and procedures for recovery
• BCP plans will likely have multiple teams with specific roles and responsibilities. Examples include:
  – Crisis Management Team
  – Damage Assessment Team
  – IT Functional Recovery Teams
  – Business Function Teams
Refer to the next page for a description of the response and recovery timeline that plans must address.
Response and Recovery Timeline (from the EVENT, through the Recovery Point, to the Recovery Time)
PHASE 1 – Emergency Response to Disruption
PHASE 2 – Mobilization/Failover to Recovery Site
PHASE 3 – Environment Restoration at Alternate Site
PHASE 4 – Application Restoration at Alternate Site
PHASE 5 – Data-Flow Restoration & Recreation
PHASE 6 – Business Function Restoration
IT Recovery Operations: Mobilize IT Recovery Team; Recover Voice & Data Network; Restore IT Systems, Applications, and Data; Validate System & Application Integrity; Recreate Lost Transactions & Data
Business Recovery Operations: Mobilize Business Recovery Team; Execute Contingency Work-Around Procedures; Restore Workspace & Manage Backlog; Manual Data Re-Entry & Validation; Re-Synch & Resume Business Operations
Inputs to recovery: Vital Records & Data; Backlogged Transactions
Pandemic Planning – Key Components
The broad preparation strategy leverages ten key components which are critical to sustaining operations during a pandemic crisis, including supply chain, distribution and retail.
• Leadership/Decision Making – Implement a Pandemic Planning and Coordination Unit (PPCU) as part of the existing Business Continuity Planning (BCP) function
• Education – Increase awareness and knowledge about influenza prevention and treatment through clear, consistent, medically accurate information
• Public/Private Partnerships – Develop and maintain valuable partnerships with trading partners and critical stakeholders such as unions and public health agencies
• Communication – Communicate the response plan and approach to employees and families, customers, suppliers, and partners
• Teleworking – Identify organizational and technical infrastructure requirements to minimize the potential disruption resulting from a pandemic
• Risk and Legal – Identify likely threats in order to decrease the risk of threat occurrence and contain damage; develop risk mitigation policies and procedures
• HR Policies & Procedures – Identify core staff and functions and establish policies and procedures during the pandemic
• Trading Partners – Review demand, distribution, and production plans and link strategies with key trading partners to determine that critical business processes are maintained
• Employee Wellness – Review contracts with health plans and provider networks to determine coverage and provision of services such as vaccinations and access to medical facilities
• Key Business Processes – Develop policies and processes to maintain operational effectiveness during a pandemic
Auditing Module 2
Governance:
• Does someone own the program? Is there a steering committee that oversees the overall program?
• Do BCM policies and procedures exist?
Strategies:
• Are the current business and technical strategies that are in place appropriate?
Plans:
• Do plans exist for critical business functions and applications/infrastructure?
• Do they meet recovery timeframe requirements?
• Do they include procedures defining what to do in the event of a facility, technology, equipment, personnel, or vendor outage?
Module 3: IMPLEMENT
Implement (Module 3): 7 Resource Acquisition & Implementation; 8 Training; 9 Testing
Resource Acquisition & Implementation
Objective: To provide project management assistance for the implementation of BCM infrastructure and processes and the organizational rollout of the overall BCM program
Overview
• Provide BCM coordination with the implementation and rollout of recovery strategies, plans, and ongoing quality confirmation and process improvement
• Provide a structured approach and guidance for the tracking of multiple project initiatives and coordination for a successful program implementation
Training & Awareness
Objective: To develop an ongoing awareness and training program to support and improve an organization’s BCM capability. The training and awareness should be integrated with other company programs and become an integral part of the company’s overall organizational culture.
Overview
• BCM awareness and communications should effectively involve and communicate with many key stakeholders in order to successfully support the BCM program
• Successful BCM program implementation occurs when everyone involved in the process is aware of and enabled to fulfill their BCM responsibilities
Training & Awareness – Key Considerations
Objectives of any awareness communication should be:
– Promote the vision and purpose of the BCM program and its benefits to stakeholder groups
– Actively enlist, engage, and inform all identified stakeholders to participate to the level necessary to achieve BCM goals
– Build energy and momentum within business units to promote and support the BCM program
Key Considerations
A big picture view of the communications and education strategy (BCM Program Communications & Education Strategy), with Business Continuity Management at the center of six elements:
• Power & Politics – Stakeholders with authority, power and/or influence lead and visibly support the communication & education effort
• Compelling, Shared Vision – Articulation of a compelling, shared vision and business imperative for BCM communication & education
• Communications & Engagement – Associates are well-informed about BCM
• Measures, Milestones & Evaluation – Establishment of short- and long-term measures of success
• Organizational Infrastructure & Processes – Development of a framework that supports ongoing BCM communication & education
• Training & Performance Support – Key employees are enabled to perform their BCM roles and responsibilities
Training Approach – Training Roles and Resources
Large global organizations may want to include a formal BCM training program to educate local BCM coordinators and recovery team members. If this is the case, the program may require the resources described below:
Training Developers
• Training developers are responsible for creating all course content and related materials for both classroom and computer-based training courses
  – Review existing documentation to identify gaps
  – Engage business units as required to leverage current training infrastructure and tools
  – Work with the BCM Team to develop course content, training scripts, case studies and exercises
  – Develop instructional material (instructor / participant), CPL documentation and exercises
Training Manager
• The training manager is responsible for overseeing the overall CPL education and learning effort:
  – Validate and fine-tune the training strategy and plan
  – Develop and manage the work plan
  – Provide direction and leadership around course development and delivery
  – Provide direction and overall leadership around the quality review process
  – Coordinate training the trainers on presentation and facilitation skills, as necessary
  – Manage and resolve issues as they arise
  – Recommend approach, tools and standards to support continuous improvement
  – Manage the training budget
Trainers
• Professional trainers facilitate CPL training to assist the BCM team in training delivery
• BCM team members support the development of CPL training by serving as SMEs and by serving as co-leads to professional trainers
  – Support training developers as required to develop course outlines and instructional materials
  – Work with trainers to co-lead training
  – Gather feedback from the CPL community and provide input to the training team through the appropriate channels
Facilities & Materials
• The logistics necessary to prepare both training facilities and materials are listed below:
  – Reserve training rooms and set up with proper equipment and connectivity
  – Order and install all training equipment
  – Arrange for material reproduction and delivery to the classrooms
Testing
Objective: To provide guidance in the development of a broad integrated testing program that includes business work-area recovery, data center recovery, and emergency communications
Overview
• Testing is a critical component of BCM, uncovering problems with existing plans so that they can be improved
• Involve management in goal setting and results reporting to help determine that problems discovered during testing are corrected
• Testing BCM plans regularly is an effective approach to keeping plan information current and in sync with ever-changing business needs
Implement
7Resource Acquisition &
Implementation
9Testing
8Training
Key Considerations
• Develop and/or revise a testing strategy annually or when an organization experiences a major business change. The testing process provides a roadmap describing the methods and frequency of test execution during the next 12-month period, including specific test dates, key success criteria, and responsibilities for leading test planning and execution activities
• Often, test time with commercial recovery vendors must be scheduled at least twelve months in advance
• Adopt a testing approach that designs and executes tests consistent with actual recovery during a real interruption
• It is critical that a test does not create a major disruption to ongoing business activities
• A formal review should be conducted after all tests to share lessons learned and to develop an action plan for plan improvement
Testing
Testing Approach
Four types of tests are outlined:
• Work-Area Recovery Test
• Data Center Recovery Test
• Emergency Communications Test
• Table-Top Walk-Through Test
Testing
Continuous Improvement/QA
Lifecycle diagram: Analyze (1 Current State Assessment, 2 Risk Assessment, 3 Business Impact Analysis); Develop (4 Governance, 5 Availability/Recoverability Strategies, 6 Plans & Documentation); Implement (7 Resource Acquisition & Implementation, 8 Training, 9 Testing); 10 Continuous Improvement & Quality Assurance. Each number refers to the respective module around which this training is organized.
Objective
To develop an ongoing process that enables an organization to maintain and constantly improve its BCM program, with procedures to support a goal of “Zero Defects”
Overview
• A business continuity plan is bound to have defects after its initial implementation (e.g., issues overlooked or unknown during plan development, shortcomings that only become apparent after testing, business and technology changes that have occurred since the plan was first drafted, and common misunderstandings introduced into every development process).
• The purpose of continuous improvement and quality assurance is to identify and rectify defects, and to identify and implement process improvements in the BCM program
Key Considerations
Determine whether internal or external auditors, risk management, or any independent groups have performed an assessment or gap analysis of the organization’s BCM program. Gather the data and determine the status of recommendations for corrective action
There are four major components for consideration in a continuous improvement and quality assurance program:
Continuous Improvement – A process instituted by the organization’s BCM program to recognize areas in which business continuity plans, tools, procedures or any other aspect of the program require enhancement, and to make the necessary changes
Root Cause Analysis – A process by which shortcomings are noted and the underlying reasons for the defects are identified and rectified
Quality Assurance – A process performed by an entity independent of the BCM program to determine that standards are followed and that the plans, tools, etc., not only remain effective but improve over time. Improvement in this case may mean shortened RTOs, less latency in RPOs, timelier updates to plans, a greater number of business functions included in the plan, etc.
Change Management – A process involving many sectors of the organization’s operations in which changes to the business are reflected in the plan, and changes in the plan are reflected in the organization’s normal business operations
Continuous Improvement/QA
Auditing Module 3
Training:
• Does a training program exist, and how often do training sessions occur?
• Are key personnel included in the training sessions?
Testing:
• Does a testing strategy exist?
• Are all CM, ER, critical BCPs and IT-DR plans tested?
• Do testing plans exist?
• Are results from the tests documented and, if so, are the results reflected in the plans?
Continuous Maintenance/QA:
• What sort of maintenance and change control procedures are in place?
• Are all aspects of the program updated on a regular basis?
ISSUES
Top issues we have identified
1. Reliance: Relying on a BCM plan can lead to a false sense of security and potential business failure if the plan is not updated regularly and fully tested. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan's provisions.
2. Scope: Companies often limit the scope of their efforts to systems recovery. Business continuity planning requires consideration of both business process and systems recovery.
3. Prioritization: A formal process prioritizing key business processes is a critical step that often does not get its due attention by senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival.
4. Plan Update: Formal mechanisms are not in place to force a plan update on a regular basis or when significant systems or business process change occurs.
5. Ownership: Senior management often appoints the wrong person to manage the BCM process; someone with the power to lead, influence, support, prioritize, and organize the project should be named.
6. Communications: Communications issues are often overlooked. Formal plans to contact employees, vendors, business partners, and clients often lack specific communications strategies. Strategies to address how these groups obtain recovery status updates are often inadequate.
7. Security: Information systems security controls are often disregarded during plan development, resulting in a greater risk exposure during recovery operations.
8. Public Relations: Practitioners often fail to plan for public relations and investor considerations, thereby missing the opportunity to limit the impact perceived by the public and investors.
9. Insurance: Many BCMs fail to adequately plan to support the filing of insurance claims resulting in delayed or reduced settlements.
10. Service Evaluation: Many companies poorly evaluate recovery products (hot site, cold site, and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company's needs.
Presented by:
September 25 - 27, 2006
Helpful sites
• The Institute of Internal Auditors (IIA) http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag10/
• Disaster Recovery Institute International (DRII) http://www.drii.org/
• Business Continuity Insights (BCI) http://www.thebci.org/
• National Fire Protection Association http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf
Q&A
Contact information
M.J. Vaidya, Senior Manager, CISSP
Deloitte & Touche LLP
Email: [email protected]
Phone: 516-445-9434
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.