Business Continuity Planning Overview, Regulations and the Growing Significance of Automated BC Solutions
Presented by Steve Kokol, Vice President of International Sales
Strohl Systems Group, Inc.
[email protected]
September 2006
+1 610 768-4120 • (800) 634-2016 • www.strohlsystems.com • [email protected]
What is a Disaster?
• A disaster is a sudden, unplanned calamitous event that creates the inability on an organisation’s part to provide the critical business functions for some predetermined period of time and which results in great damage or loss. (DRI International)
• The time factor which determines whether a service interruption is an inconvenience or a disaster will vary from organization to organization.
• The type, timing and severity of any business disruption are unpredictable.

Disasters are never on our calendar

Disasters. . . But we can prepare for them
Business Continuity Planning – Defined
• An ongoing programme to ensure prudent risk reduction and to resume key business operations before unacceptable impacts and losses are incurred.
• Business continuity bridges the gap between disaster and recovery.
• Whatever the scenario, business continuity identifies weak links in the flow of information and builds systems and procedures to eliminate downtime.
Business Continuity Planning
• BCP v. DR
– BCP grew out of DR
– Disaster Recovery tends to focus on data
– BCP focuses on the entire Business and Business Units
– BCP takes a more proactive stand
• BCP programme elements include
– Program authorization (a Business Impact Analysis and a commitment by executive management)
– Business Continuity Plan development (response, resumption, recovery and crisis management)
– Recovery Plan (and the regular maintenance of this plan)
– Availability and survivability components such as UPS and redundant telecommunication systems.
Proactive v. Reactive
• Business Continuity Planning
– Proactive Process
– By having a BCP, organisations seek to prevent interruption of mission critical services
– BCPs generally cover most or all of an organization’s critical business processes and operations
• Disaster Recovery Planning
– Reactive Process
– More technical plans that are developed for specific groups within an organization to allow them to recover a specific business application
– Areas requiring specific DRPs include IT, call centers, and distribution centers
A Business Continuity Programme is NOT:
• A project
• A one-time task with a fixed duration
• Just about data
• BCP must be an on-going, living programme with commitment from Top Management.
BCP Acceptance Worldwide
• What drives BCP Acceptance in a particular country versus another?
– Country Culture
• Risk Avoidance
• Laissez-faire
• To some extent - Technological Advancement
BCP Acceptance Worldwide
• What drives BCP Acceptance in a particular country versus another?
– Presence of BCI, DRII or other organisations promoting BCP Standards – BCI Country Representatives – www.thebci.org
• http://www.thebci.org/worldwideoffices.htm
– Both BCI and DRII offer BCP certification
– Countries listed: Australia, Belgium, Caribbean, Canada, China, Denmark, France, Germany, Greece, Hong Kong, India, Indonesia, Israel, Italy, Japan, Malaysia, Middle East, New Zealand, Norway, Pakistan, Philippines, Republic of Ireland, Russian Federation, Singapore, South Africa, Sweden, The Netherlands, United Kingdom, UAE, United States
BCP Acceptance Worldwide
• What drives BCP Acceptance in a particular country versus another?
– Propensity to experience frequent natural disasters
• Typhoons
• Earthquakes
• Floods
• Monsoons
– Country Specific Regulations
– Industry Regulations
– Corporate Governance Laws
– Avian Pandemic / SARS
– War / Terrorism
Types of Threats
• Acts of nature
• Man-made disruptions/disasters
• Failure of infrastructure or technology
Ability to Recover versus BCP Maturity
[Chart: ability to recover (vertical axis) plotted against plan maturity stages: No Plan, Documented, Tested, Trained, Maintained]
Four Elements of a Business Continuity Program
• Keep the plan up-to-date
• Assure strategy reflects the business’ needs
• On-going testing
• Trained recovery teams
Integrated Business Continuity Program
[Diagram of programme components:]
• Corporate Risk Management
• Technology Recovery
• Crisis Communications Plan
• Emergency Response
• Corporate Crisis Management
• Process Recovery
• Risk Mitigation
• Business Recovery
• Infrastructure Recovery
Business Continuity Planning Budget
BUDGET ELEMENTS:
• Hot Site Contracts
• Hardware
• Media Storage
• Software
• Staff
• Education
• Testing
FACTORS INFLUENCING THE PERCENTAGE OF BCP BUDGET:
• Executive Commitment
• Geographical Dispersion
• Industry Regulations
• Industry
• Revenues and Profits
• RTO
• Availability Goals - Protection of Data versus Operations
Which department in your organization is ultimately responsible for business continuity planning?
[Bar chart: percent of responses for 2002, 2003 and 2006 (vertical axis 0–40%) by department: IT, Financial, Risk, Security, BCP Dept, Other]
What is the title of the executive sponsor of your organization's BCP program?
[Bar chart: percent of responses for 2002, 2003 and 2006 (vertical axis 0–35%) by title: Manager, VP, CIO, CFO, CEO/Pres., Other]
Recovery Time Objective
The RTO (Recovery Time Objective) is the timeframe in which a business function must resume a level of service that will prevent unacceptable financial and/or operational impacts from being incurred by the organization.
Protection of Data versus Protection of Operations
Protect the Data:
• Isn’t the protection of data always most important?
– Research and Development – Pharmaceutical
– Downtime not as important as protection against lost data
• Retesting to meet documented regulatory requirements
Maintaining Continuous Operations:
• Manufacturing and Supply Chain
• A stopped product line can cost millions per hour.
• Also need to look “upstream” to ensure suppliers maintain continuous operations through a formal BCP.
• Philips Electronics fire at Chip Plant
• Nokia v. Ericsson (one did a better job than the other because of their tested BCP plan)
Define the Cost of an Outage
• Data – 99% availability = 88 hours each year that computing resources are unavailable
• Average cost of an outage according to Gartner:
– USD $42,000 per hour for mission critical applications
– $3,600,000 lost each year due to unplanned downtime
• For companies that rely 100% on technology such as online brokers, e-commerce companies and traders, hourly downtime risks can be $1,000,000 or more!
Define the Cost of an Outage
• It must be measured in more than just $$
– Why do I need a BCP programme if I have insurance?
• Insurance only covers the financial considerations
• Need a plan to stay in business
– 50% of companies that experience a significant interruption or disruption in service and do not have a tested, up-to-date BCP plan go out of business within one year of this interruption or disaster
– Can often recover from the financial impact, but can you recover from the loss of market share and customer confidence?
BCP Acceptance Worldwide
• Regulations drive Acceptance
– UK Financial Services Authority
– Basel II Accord
– European Central Bank
– Bank of Russia
– SAMA – Saudi Arabian Monetary Agency
– De Nederlandsche Bank
– Monetary Authority of Singapore
– Hong Kong Monetary Authority
– Bank of Thailand
– NYSE Rule 446
– Quality Standards ISO 17799, BS 7799
– ISO Crisis Management Standards – ISO studying – May 2006
– BS 25999 – BCM Planning – In Progress – August 2006
– Australian Standards - AS 4444, AS/NZS 4360, HB 221
– British Standards – PAS 56
– UK Civil Contingencies Bill of 2005
– Insurance Regulations
– Corporate Governance
BCP Acceptance Worldwide
• UK Financial Services Authority (FSA)
– Independent non-governmental body, given statutory powers by the UK Financial Services and Markets Act of 2000 (responsibility transferred to FSA from the Bank of England)
• Her Majesty’s Treasury appoints the FSA Board
• Banks, Financial Services, Securities and Futures
• Combined Code – Directors must annually conduct a review of the effectiveness of the group’s system of internal controls and report to the shareholders that they have done so. (No requirement to publish this review)
BCP Acceptance Worldwide
• UK Financial Services Authority (FSA)
– Guidance on Business Continuity (SYSC 3.2.19 [G]):
• “A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness”
– www.fsa.gov.uk/
BCP Acceptance Worldwide
• New Basel Capital Accord (Basel II) – issued by the Bank for International Settlements (BIS) www.bis.org
– Originally issued the Basel Capital Accord (Basel I) in 1988 – applied minimum capital reserve standards to the banking industry (8%)
– January 2001 – Proposal for new Basel Accord to replace 1988 standard
– Initial goal was to finalise by 2004 (pushback from the banking community, fearful that they could not comply)
– Implementation by year-end 2006 (or possibly later)
BCP Acceptance Worldwide – Basel II
• New Basel Capital Accord (Basel II)
– Three Pillars of Basel II
• Capital Standards
• Supervisory Review
• Market Discipline
– Operational Risk addressed in all three pillars
BCP Acceptance Worldwide – Basel II
• New Basel Capital Accord (Basel II)
– Banks that can demonstrate “sound practices for the management and supervision of operational risk” will be able to reduce their capital reserves, freeing up large amounts of additional funds for investment.
• Sound Practices for the Management of Operational Risk
– Operational Risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
– Developing an Appropriate Risk Management Environment
» Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption
• Basel II places emphasis on internal controls and risk management
BCP Acceptance Worldwide
• New Basel Capital Accord (Basel II)
– Once finalised, each Nation may make amendments to their domestic versions of Basel II
– Companies wanting to reduce their operational reserves must show a 5 year track record of compliance to be able to reduce these reserves.
– Basel II should not simply be viewed as a compliance initiative, but as an opportunity for change!
– www.bis.org/publ/bcbsca.htm
BCP Acceptance Worldwide
• ECB – European Central Bank – June 2006
– Three-year deadline for the introduction of stricter business continuity planning and crisis management procedures
– Payments system operators, key suppliers and participants should have well-defined strategies and monitoring mechanisms for dealing with major outages aimed at the recovery and resumption of critical functions within the same settlement day.
– Systems should also have a secondary, geographically separate site, capable of independent operation in the event of failure at the primary facility.
– June 2009 compliance with revised standard
– http://www.ecb.int/pub/pdf/other/businesscontinuitysips2006en.pdf
BCP Acceptance Worldwide
• Standard of the Bank of Russia – January 2006
– Ensuring information security of the organizations of the banking system of the Russian Federation
• 9.6. Business continuity management and disaster recovery
– Organization should develop and deploy the plan of business continuity management and disaster recovery.
– The plan and corresponding business processes should be reviewed on a regular basis and updated (e.g. after significant changes in operational activities, organizational structure, business processes and information systems).
– The effectiveness of documented procedures of recovery should be periodically checked and tested (at least twice per year). All staff involved in the plan execution and DR procedures should be familiarized with the plan.
– As a methodological basis for the plan development, common international standards of Business continuity management (like BSI PAS-56) could be used.
BCP Acceptance Worldwide
• SAMA – Saudi Arabian Monetary Agency
– 2006
• Currently seeking guidance in setting BCP standards from their member banks
• http://www.sama.gov.sa/
BCP Acceptance Worldwide
• De Nederlandsche Bank
– 2005 – Business Continuity Assessment Framework
• Assist firms to benchmark their BCP activities
• Framework will be introduced to other firms within the “Euro-zone”
• Each firm must have a BCP plan approved by management board or senior management
• Advisable to have the BCP plan assessed by the internal audit department
• The Assessment framework contains a total of 10 criteria
BCP Acceptance Worldwide
• Monetary Authority of Singapore
– June 2003 – Guidelines on Risk Management Practices – Business Continuity
• The guidelines will serve as a standard for financial institutions and raise their awareness and preparedness by having in place effective and comprehensive BCP
• Institutions are encouraged to adopt these principles and implement BCP that is commensurate with the institution’s nature, scale and complexity of business activities
• MAS will, in the course of its supervision of institutions, review the BCP implementations
• Board and Senior Management should be responsible for the BCP preparedness of their institution
• Institutions should embed BCP into their business-as-usual operations, incorporating sound BCP practices
BCP Acceptance Worldwide
• Monetary Authority of Singapore
– June 2003 – Guidelines on Risk Management Practices – Business Continuity
• Institutions should test their BCP regularly, completely and meaningfully
• Institutions should develop recovery strategies and set recovery time objectives for critical business functions
• Institutions should understand and appropriately mitigate interdependency risks of critical business functions
• Institutions should plan for wide-area disruptions
• Institutions should practice a separation policy to mitigate concentration risk of critical business functions
– www.mas.gov.sg/regulations/download/BCMGuidelines.pdf
BCP Acceptance Worldwide
• Hong Kong Monetary Authority
– New BCP policy established in December 2002
• Sets out the HKMA’s supervisory approach to business continuity planning (BCP)
– www.info.gov.hk/hkma/eng/bank/spma/index.htm
BCP Acceptance Worldwide
• The Bank of Thailand – November 2005
– Requirement of an IT Contingency Plan – BOT Notification No 19532548
– Restore IT systems of Financial Institutions “within a suitable period”
– Maintain customer and stakeholder confidence in financial institutions’ services
– Board of Directors of each Financial Institution must establish a written policy statement and guide for preparing the IT Contingency plan
– Functional and full scale tests must be conducted at least once per year
– BOT recognized that the IT plan is part of the BCP plan. BOT is in the process of issuing guidance for the preparation of business continuity plans.
– www.bot.or.th
BCP Acceptance Worldwide
• NASD 3500 Series – Emergency Preparedness (3510 and 3520) and NYSE Rule 446 Business Continuity Rules
– Approved by the US SEC - April 2004
– NASD and NYSE member organizations must develop and maintain a written business continuity and contingency plan
– Must conduct, at minimum, an annual review…in light of changes to the organization’s operations, structure, business or location
– Plan must address
• Data back-up and recovery of mission critical systems
• Alternate communications between customers and the firm
• Alternate communications between the firm and its employees
• Financial and operational risk
• Alternate physical location of employees
• Communication with Regulators
BCP Acceptance Worldwide
• NASD and NYSE Business Continuity Rules
– NASD and NYSE members are also required to disclose to their customers a summary of their business continuity plan that addresses how the member intends to respond to potential disruptions of varying scope
– Must designate a senior officer to approve the Plan and be responsible for the annual review and emergency contact person(s)
– NASD providing a template for small businesses and a repository to hold BCP plans: http://www.nasdr.com/business_continuity_planning.asp
– http://www.sec.gov/news/press/2004-53.htm
BCP Acceptance Worldwide
• Quality Standards ISO 17799, BS 7799-2:2002
– International Organization for Standardization (ISO)
– British Standards Institute – Specification for Information Security Management
• BS7799 is the most widely recognized security standard in the world.
– Best practices in information security
• Code of practices (ISO)
• Specification for Information Security Management (BS)
BCP Acceptance Worldwide
• Quality Standards ISO 17799, BS 7799-2:2002
– ISO17799 is organized into ten major sections, each covering a different topic or area:
• 1. Business Continuity Planning - The objectives of this section are: To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
– www.iso.org
BCP Acceptance Worldwide
• ISO Crisis Management Standards
– ISO Technical Committee (ISO/TC) studying – May 2006
– Mission of ISO/TC 223 is to develop International Standards or other ISO deliverables that will improve preparedness before a crisis, coordination during a crisis and reconstruction and remedial action afterwards.
– Scope of crisis management is broad, spanning everything from preparation, analyses, forecasts and development of systems to education, drills and evaluation.
– Next Meeting – November 2006
– www.iso.org
BCP Acceptance Worldwide
• Quality Standards BS 25999
– Code of practice for business continuity management
• Draft for public comment ended August 2006
– Part 1: Code of practice for business continuity management
– Part 2: Specification for business continuity management
• Part 2 specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization.
– www.bsi-global.com/bs25999
BCP Acceptance Worldwide
• Australian Standard - Security Standards - AS 4444
– Key Controls 1:
• Information Security Policy document
– Key Controls 2:
• Business Continuity Planning
• AS/NZS 4360 – Risk Management Standards
• Business Continuity Management Handbook – HB 221:2003
– www.standards.com.au/catalogue/script/search.asp
British Standards – PAS 56
• Publicly Available Specification 56
– “Guide to Business Continuity Management”
– March 2003 – Published by the British Standards Institute and sponsored by the BCI
• Based on the BCI’s Good Practice Guide
• Pre-Standard which may form the basis for an eventual standard
– Envisioned that organizations who already have processes in place will be asked at some point by their stakeholders to confirm that they comply with PAS 56
– Provides a framework for incident anticipation and response evaluation techniques and criteria
– Provides recommendations for good practice
– www.thebci.org/pas56.html
UK Civil Contingencies Bill of 2005
• UK Drafted the Act in January 2004
• Became a UK Regulation in early 2005
– Addresses various natural and man-made threats, emergencies or disasters
– Requires “Responders” to perform contingency planning, risk assessment and maintain plans that “…if an emergency occurs the person or body is able to continue to perform his or her functions”
– Responders:
• Category 1: County Councils, District Councils, Police, Fire, Health, Environmental
• Category 2: Utilities, Transport, Health and Safety
– http://www.parliament.the-stationeryoffice.co.uk/pa/cm200304/cmbills/014/2004014.htm
– Self Assessment tool: http://www.auditcommission.gov.uk/emergencyplanning/index.asp
BCP Acceptance Worldwide
• Insurance Regulations
– A documented and tested BCP plan is a requirement of many insurance firms
• Precondition of Insurance
• Premiums lower for sound, mature, tested BCP programs.
BCP Acceptance Worldwide
• Other Factors
– Have experienced a disaster in the past – have “felt the pain”
• Power Outages Worldwide
– Mandate for BCP plans from other corporations with whom you are doing business
• Supply chain - diversify
– Competitive Advantage
– Avian Pandemic / SARS
– Fear factor
BCP Acceptance Worldwide
• Corporate Governance
– WorldCom, Enron, Ansett Airlines, “dot-gones”
• Directors being held directly responsible for Business Continuity Plans
– USA: Sarbanes-Oxley Act of 2002
• Increased standards for corporate governance, transparency and accountability
• Section 404 focuses on BCP and Operational risk
– Executives must review internal controls and publish the results of the review
• Section 409 focuses on prompt disclosure
– Executives are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations
• Only applies to publicly traded companies
– Does apply to Non-USA companies that are listed in the USA
– Effective for US companies 15 June 2004 and 15 April 2005, depending on the size of the business
– Effective for non US companies in 2005
• http://www.soxlaw.com/s802.htm
BCP Acceptance Worldwide
• Corporate Governance
– The Turnbull Report – 1999 – Institute of Chartered Accountants in England and Wales (ICAEW) – provides guidance to Directors on the “Combined Code of the Committee on Corporate Governance”
• Compliance is a prerequisite for being listed on the London Stock Exchange
– Higgs Report – Role of the Board – Proposed to be combined into the UK’s “Combined Code”
• http://www.dti.gov.uk/cld/non_exec_review/pdfs/higgsreport.pdf
– King Report on Corporate Governance (King 2): South Africa
• Company must protect stakeholders from effects of the worst disasters
• Places BCP responsibility at the Board of Directors level
• Formal risk assessment at least once per year
– Australian Stock Exchange – Principles of Good Corp Governance
– Australia – AS 8000-2003 Principles of Corporate Governance
– Upcoming Malaysia Regulations for listed companies
Business Continuity Planning
• The Business Impact Analysis
• Plan Development
• Plan Testing
• Incident Management
• Emergency Notification
What is a Business Impact Analysis?
• A business impact analysis (BIA) is the foundation for all business continuity planning programs.
– It prioritizes your business units and critical processes so that you can identify the timeframes in which they need to be recovered
– It helps executive management develop strategies for managing continuity and recovery
• Without this knowledge, making the right decisions to protect your company's assets is tenuous if not impossible.
What is a Business Impact Analysis (BIA)?
• Objective, management-level analysis tool
• Objective, not subjective
• Deals in Roubles, €, $, £, etc. and business terms that managers understand
• Uses data provided by business function managers, not the project team
What kind of information does a BIA provide?
• Financial impacts
• Operational impacts
• Extraordinary expenses
• Current state of preparedness
• Recovery resource requirements
• Competitive Analysis
Questions to be Answered
• What is the magnitude of the potential financial & operational impacts and exposures?
• How quickly do they escalate over time?
• What are the business function interdependencies?
• What is the dependence on technology?
• What resources are required to recover each function?
MS Excel is NOT the Answer to your BIA
• BIA surveys must be designed so they are easy for the recipient to understand and use.
• You must be able to send the BIA surveys and collect the data in a number of ways:
– Interviews
– E-mail
– Over the Internet
• You must be able to validate the data that recipients enter into the survey
• You must be able to easily change the survey to meet the demands of various business departments
• You must be able to easily consolidate the BIA data and provide automated reporting
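The BIA slides above ask how impacts escalate over time, what the interdependencies are, and how survey data is validated and consolidated; the following script, added here as an illustration and not code from Strohl Systems or its products, shows one way those steps fit together. It validates each manager's survey return, reads the escalation of cumulative loss across outage bands to derive an RTO against a tolerance threshold, tightens the RTO of any function that a more urgent function depends on, and ranks the results for a consolidated report. The survey records, the outage bands, the currency figures and the tolerance threshold are all constructed for this example.

```python
"""Consolidating BIA survey returns: validation, impact escalation over time,
RTO derivation and interdependency-aware prioritisation.
Added example, not Strohl Systems code. Survey records, escalation bands,
currency figures and the tolerance threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

# Outage durations (hours) at which each manager estimates cumulative impact;
# this set of bands is an assumption of the example.
BANDS = (4, 24, 72, 168)


@dataclass
class SurveyResponse:
    business_unit: str
    function: str
    respondent: str            # function manager who supplied the figures
    financial_impact: dict     # band (hours) -> cumulative loss, survey currency
    operational_impact: int    # 1 (minor) .. 5 (severe), as rated by the manager
    depends_on: list = field(default_factory=list)  # functions this one needs


def validate(resp):
    """Return the list of validation problems; an empty list means accepted."""
    problems = []
    if not resp.respondent:
        problems.append("no respondent: figures must come from the function manager")
    missing = [b for b in BANDS if b not in resp.financial_impact]
    if missing:
        problems.append(f"missing impact estimate for bands {missing}")
    values = [resp.financial_impact.get(b, 0) for b in BANDS]
    if any(v < 0 for v in values):
        problems.append("negative impact figure")
    if values != sorted(values):
        problems.append("cumulative impact must not decrease as the outage lengthens")
    if not 1 <= resp.operational_impact <= 5:
        problems.append("operational impact must be in the range 1..5")
    return problems


def derive_rto(resp, tolerance):
    """Longest surveyed outage whose cumulative loss stays below `tolerance`.
    0 means even the shortest band is unacceptable (resume within BANDS[0]
    hours); the last band means the threshold is never reached in the horizon.
    """
    rto = 0
    for band in BANDS:
        if resp.financial_impact[band] >= tolerance:
            break
        rto = band
    return rto


def effective_rtos(responses, tolerance):
    """RTO per function after pushing deadlines down the dependency chain:
    a supporting function must be back no later than anything that needs it."""
    rto = {r.function: derive_rto(r, tolerance) for r in responses}
    changed = True
    while changed:  # repeat until no deadline tightens any further
        changed = False
        for r in responses:
            for dep in r.depends_on:
                if dep in rto and rto[dep] > rto[r.function]:
                    rto[dep] = rto[r.function]
                    changed = True
    return rto


def consolidate(responses, tolerance):
    """Reject invalid returns, then rank the rest for recovery.
    Returns (ranked, rejected): `ranked` is ordered by effective RTO (shortest
    first), then operational impact, then 24-hour loss; `rejected` maps a
    function name to the problems found in its survey return."""
    rejected, accepted = {}, []
    for r in responses:
        problems = validate(r)
        if problems:
            rejected[r.function] = problems
        else:
            accepted.append(r)
    rto = effective_rtos(accepted, tolerance)
    rows = [{"business_unit": r.business_unit, "function": r.function,
             "rto_hours": rto[r.function],
             "operational_impact": r.operational_impact,
             "loss_24h": r.financial_impact[24]} for r in accepted]
    rows.sort(key=lambda row: (row["rto_hours"], -row["operational_impact"],
                               -row["loss_24h"]))
    return rows, rejected


# Constructed sample survey returns (all figures illustrative).
SAMPLE = [
    SurveyResponse("Treasury", "Payments", "A. Lee",
                   {4: 20_000, 24: 150_000, 72: 600_000, 168: 2_000_000}, 5,
                   depends_on=["Core banking platform"]),
    # Mild loss profile on its own, but Payments cannot run without it, so it
    # inherits the Payments deadline through effective_rtos().
    SurveyResponse("IT", "Core banking platform", "R. Singh",
                   {4: 5_000, 24: 30_000, 72: 90_000, 168: 250_000}, 3),
    SurveyResponse("Marketing", "Campaign analytics", "M. Diaz",
                   {4: 0, 24: 1_000, 72: 5_000, 168: 20_000}, 1),
    # No respondent and a decreasing loss curve: fails validation.
    SurveyResponse("Operations", "Branch support", "",
                   {4: 1_000, 24: 500, 72: 400, 168: 300}, 2),
]

if __name__ == "__main__":
    ranked, rejected = consolidate(SAMPLE, tolerance=100_000)
    for row in ranked:
        print(f"RTO {row['rto_hours']:>4}h  {row['business_unit']:<10} {row['function']}")
    for name, problems in rejected.items():
        print(f"REJECTED {name}: {'; '.join(problems)}")
```

The interesting result is the core banking platform: its own loss curve would give it a 72-hour RTO, but because Payments (4-hour RTO) depends on it, the consolidated report places it in the 4-hour tier. A spreadsheet that treats each survey row in isolation misses exactly this kind of interdependency.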
The Goal of Business Continuity Planning
• Protect employees, members, etc. . . PEOPLE!! through controlled emergency recovery.
• Define service alternatives for accomplishing critical applications.
• Minimize the extent of interruption.
• Limit financial losses and hardships.
• Establish customer confidence in a company’s ability to maintain operations.
• Satisfy federal and state compliance regulations.
What’s in a Business Continuity Plan?
[Diagram: the “PLAN” at the centre, surrounded by its elements:]
• Responsibilities
• Containment
• Assessment
• Organization
• Escalation
• Notification
• Actions
• Administration
• Alternate Facilities
• Recovery Inventories
• Priorities (1. _______ 2. _______ 3. _______ 4. _______)
• Time-Frames
Assumptions
• A major disruption will occur
• Planning will be for “worst case” scenario
• Recovery will be executed using only pre-positioned resources and materials from off-site storage
• Recovery readiness is a form of insurance
Plan Development
[Diagram: Recovery Processes at the centre, with the resources a plan must cover:]
• Software & Data Backups
• Equipment
• People
• Hardware
• Transportation
• Vital Records
• Locations
• Voice & Data Communications
• Special Forms & Documentation
Functions
[Diagram: functions and recovery areas covered by the plan:]
• LAN Applications
• Travel Arrangements
• Public/Media Relations
• Security
• Salvage
• Facilities – Electrical & Mechanical
• Vital Records
• Facilities – Building(s)
• PC Support
• Recovery Management
• Personnel Issues
• Emergency Purchase
• Voice Communications
• Facilities – Furnishings
• Computer Hot Site(s)
• Damage Assessment
• Accts. Recv. Operations
• Mfg. Assembly Operations
• General Acctg. Operations
• LAN Hardware
• Legal
• LAN Software
• I/S Software
• Data Communications
• Distribution Center Opns.
• I/S Applications
• Executive Offices Operations
• Shipping & Receiving Opns.
• Accts. Payable Operations
• Insurance
• Data Preservation
• Off-Site Storage
• I/S Hardware
• Travel Advances
• Inventory Control Operations
• Payroll Operations
• I/S Operations
• Alternate Bus. Unit Site(s)
• Human Resources Operations
• Mfg. Tooling Operations
• General Counsel Operations
• Marketing & Advertising Opns.
• Sales Operations
• Mfg. Production Scheduling Opns.
• Clerical & Secretarial
• Mfg. Quality Assurance Opns.
Strohl PR4 Standard
• Prevention: Protect corporate assets; Manage risks
• Response: Manage crisis; Contain damage; Activate Recovery Organisation
• Resumption: Resume time-sensitive operations at alternate site
• Recovery: Recover all other operations
• Restoration: Repair/restore facilities and contents; Return “Home”
The Recovery Cycle
• Response / Resumption: Assessment, Initial, Escalation, Declaration, Short-term Continuity
• Recovery & Restoration: Long-term Continuity, Repair/Replace, Migration, Resume “Normal” Service
Why New Requirements for BCP?
• What’s Changed?
– New threats
– New technology
• As a result there is more regulatory focus on business resumption and a greater emphasis on testing and maintenance
Why New Requirements for BCP?
• Requirement for enterprise-wide planning
• Recovery time objectives – becoming shorter and shorter
• Interdependency
• Technology dependence outside the organization
• Importance of HR
Why New Requirements for BCP?
• Old Assumptions – in the past a business could assume that if the main office was in NY, and the backup was in Chicago, the staff would just fly to the backup location in the event of an unplanned disruption
• New Perspectives – No one ever planned for all airlines being grounded – but it happened.
Source: FFIEC IT Handbook Presentation
What is a BCP Plan?
A collection of resources, actions, procedures, and
information that is developed, tested, and held in readiness
for use in the event of a major disruption in business
operations.
Technology Recovery
• Computer Processing:
– Mainframes/Mini-Computers
– Client/LAN/Servers
– PCs/Terminals
• Voice Communications:
– Consoles
– PBX
– Telephones
– FAX Machines
• Data Communications
• Internet Operations (e-business)
• Special Equipment
MS Word is NOT the Answer to your BCP Plans
• BCP plans are dynamic, constantly changing
– Need to be updated regularly
• Extremely difficult and time consuming to continually update information in MS Word
– Employee changes, company structural reorganisations, application changes
– Need the power and flexibility of a BCP plan built on a relational database
• Plans from various business units should be consolidated to provide a corporate, global, enterprise BCP plan
– No way to do this with MS Word
– Specialised planning solutions provide for the development of an organizational plan hierarchy for summarization and drill down
Test, Test, Test
• You have done your BIA
• You have created a great BCP plan
• Now, how are you going to test it?
– Simulated disaster
• Start small, then expand to include larger portions of your company, finally moving to coordination with vendors, suppliers and your local community
• Automated tool to help collect and analyze the results of a test
Before and After the Test
• Pre-test Meeting with Disaster Recovery Team
– Identify objectives and the members of the team
– Verify RTOs
• Post Test Review
– Original RTOs versus Actual Recovery Times
– Review Infrastructure Problems
– Review Data Issues
– Identify changes to the plan based on documented issues discovered during the test
• Test, Test, Test
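The post-test comparison of original RTOs against actual recovery times, rolled up through a plan hierarchy for summarization and drill-down, and the interdependency point raised earlier in the deck, can be made concrete with a small script. This is an added example written for this page, not Strohl or LDRPS code; the plan names, RTOs, timings and dependencies are constructed, and the "effective recovery time" model (a plan counts as recovered only after its slowest dependency is back plus its own work) is an assumption of the example, not a rule stated in the deck.

```python
"""Post-test review: compare each plan's RTO with the recovery time actually
achieved, roll the results up per business unit, and flag whether a miss was
caused by the plan's own recovery or by an upstream dependency.

Added example for this page (not Strohl/LDRPS code). All plans, RTOs, timings
and dependencies below are constructed; the dependency model is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Plan:
    name: str
    unit: str                 # business unit that owns the plan (drill-down level)
    rto_hours: float          # agreed recovery time objective
    own_hours: float          # hours the team needed once its dependencies were back
    depends_on: List[str] = field(default_factory=list)


# Constructed sample hierarchy: finance plans depend on I/S plans.
SAMPLE_PLANS = [
    Plan("I/S Hardware", "I/S", rto_hours=8, own_hours=6),
    Plan("Data Communications", "I/S", rto_hours=4, own_hours=5),
    Plan("I/S Applications", "I/S", rto_hours=12, own_hours=4, depends_on=["I/S Hardware"]),
    Plan("Payroll Operations", "Finance", rto_hours=24, own_hours=3, depends_on=["I/S Applications"]),
    Plan("Accts. Payable Operations", "Finance", rto_hours=8, own_hours=1, depends_on=["I/S Applications"]),
]


def effective_recovery(plans: List[Plan], name: str, _stack=()) -> float:
    """Actual recovery time including dependencies: a plan is only recovered
    once its slowest dependency is back and its own work is done."""
    if name in _stack:
        raise ValueError("circular dependency: " + " -> ".join(_stack + (name,)))
    by_name = {p.name: p for p in plans}
    plan = by_name[name]
    upstream = max(
        (effective_recovery(plans, d, _stack + (name,)) for d in plan.depends_on),
        default=0.0,
    )
    return upstream + plan.own_hours


def review(plans: List[Plan]) -> Dict:
    """Per-plan RTO vs. actual, plus roll-ups for each unit and the enterprise."""
    rows = []
    for p in plans:
        actual = effective_recovery(plans, p.name)
        met = actual <= p.rto_hours
        # A team that would have met its RTO on its own work but missed overall
        # was held up by a dependency; that needs a different corrective action.
        cause = None if met else ("dependency" if p.own_hours <= p.rto_hours else "own recovery")
        rows.append({"plan": p.name, "unit": p.unit, "rto": p.rto_hours, "actual": actual,
                     "met": met, "gap": actual - p.rto_hours, "cause": cause})

    units: Dict[str, Dict] = {}
    for r in rows:
        u = units.setdefault(r["unit"], {"plans": 0, "missed": 0, "worst_gap": 0.0})
        u["plans"] += 1
        if not r["met"]:
            u["missed"] += 1
            u["worst_gap"] = max(u["worst_gap"], r["gap"])
    return {"plans": rows, "units": units, "enterprise_met": all(r["met"] for r in rows)}


def print_report(result: Dict) -> None:
    for r in result["plans"]:
        status = "met" if r["met"] else f"MISSED by {r['gap']:.1f}h ({r['cause']})"
        print(f"{r['unit']:8} {r['plan']:28} RTO {r['rto']:5.1f}h actual {r['actual']:5.1f}h  {status}")
    for unit, u in result["units"].items():
        print(f"{unit}: {u['missed']}/{u['plans']} plans missed, worst gap {u['worst_gap']:.1f}h")
    print("Enterprise RTOs met:", result["enterprise_met"])


if __name__ == "__main__":
    print_report(review(SAMPLE_PLANS))
```

In the sample data the Accounts Payable team finishes its own work in one hour yet misses its eight-hour RTO, because it cannot start until I/S Applications (and, behind that, I/S Hardware) are back; the report labels that miss "dependency" so the corrective action lands on the upstream plan rather than on the team that was waiting.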
MS Project is NOT the Answer to your Incident Management Needs
• Incident Management is dynamic with many uncertainties
– Must be linked to your BCP Plan
• As the incident changes, we must manage those changes
• Plans from various business units should be integrated to act as the basis for your incident management needs
Do you have a plan in place to contact employees prior to a known disaster?
[Bar chart, 2005 survey: percent of responses, Yes vs. No]
If your organisation was to experience a Regional or National disaster, do you feel your plan would be able to withstand wide-scale communication failures?
[Bar chart, 2005 survey: percent of responses, Yes vs. No]
When was the last time you tested your call tree?
[Bar chart, 2005 survey: percent of responses for Within the last month / Within the last six months / Within the last year / Over one year ago / Never]
Covering All the Bases
1) Utilise a well documented Emergency Notification plan
2) Leverage technology
3) Test your Emergency Notification plan
4) Test your Emergency Notification plan again
5) Establish accurate Emergency Notification reports
6) Implement corrective actions in your Emergency Notification Plan
Increased Need for Effective Crisis Communications
GOALS
• Centralise control of the incident
• Control the message
• Avoid speculation and misinformation
• Set pace and tone for resolution
• Protect people first; assets second
Developing a Communications Plan
An effective plan allows you to focus on solving problems and communicating appropriately.
• Pre-Crisis: Warn, Protect, Prevent
• Mid-Crisis: Update, Repair
• Post-Crisis: Recover, Assure, Improve
Emergency Notification is useful before, during, and after disasters, not just as a disaster recovery (after the disaster has struck) tool.
Best Practices
• Automate!
• Eliminate rumor
• Prevent loss of important information
• Speed
Manual Call Trees are NOT the Answer to your Emergency Notification Plans
• Informing your stakeholders of a disruption in service or disaster
– Automate the process
• Contact Emergency Response Personnel, suppliers, general employee population
• Contact via phone, mobile, pager, SMS, e-mail, all simultaneously and within a specified Service Level Agreement (SLA)
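The mechanism described on this slide and under "Covering All the Bases" (simultaneous multi-channel contact, a response SLA, accurate notification reports, corrective action) can be shown in a few dozen lines. This is an added example written for this page, not Strohl's notification product; the roster, the acknowledgement timings and the gateway stub are constructed for illustration, and a real deployment would replace the stub with calls to telephony, SMS and e-mail providers and receive acknowledgements through their callbacks.

```python
"""Automated emergency notification: send one message over every channel a
person has at the same time, keep the earliest acknowledgement, measure it
against the SLA and escalate to a backup when nobody answers.

Added example for this page (not Strohl code). The roster, the acknowledgement
timings and the gateway stub are constructed.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Contact:
    name: str
    role: str
    channels: Dict[str, str]          # channel -> number/address
    backup: Optional[str] = None      # who to escalate to if this person is unreached


# Constructed sample roster.
ROSTER = [
    Contact("A. Rivera", "Recovery Manager",
            {"phone": "+1-555-0100", "sms": "+1-555-0100", "email": "arivera@example.com"},
            backup="B. Chen"),
    Contact("B. Chen", "Deputy Recovery Manager",
            {"phone": "+1-555-0101", "email": "bchen@example.com"}),
    Contact("C. Okafor", "Facilities Lead",
            {"sms": "+1-555-0102", "pager": "0102"}, backup="B. Chen"),
]

# Constructed acknowledgement behaviour: minutes until the person acknowledged
# on that channel, or None for no response at all.
SIMULATED_ACKS = {
    ("A. Rivera", "phone"): None, ("A. Rivera", "sms"): 12.0, ("A. Rivera", "email"): 35.0,
    ("B. Chen", "phone"): 3.0, ("B. Chen", "email"): 20.0,
    ("C. Okafor", "sms"): None, ("C. Okafor", "pager"): None,
}


def send(channel: str, address: str, contact_name: str, message: str) -> Optional[float]:
    """Stub for a gateway call; returns minutes-to-acknowledge or None."""
    return SIMULATED_ACKS.get((contact_name, channel))


def notify(contact: Contact, message: str) -> Tuple[Optional[str], Optional[float]]:
    """Fan out over all channels concurrently (not one after another, as a
    manual call tree would) and return the channel acknowledged first."""
    with ThreadPoolExecutor(max_workers=len(contact.channels)) as pool:
        futures = {ch: pool.submit(send, ch, addr, contact.name, message)
                   for ch, addr in contact.channels.items()}
    acks = {ch: f.result() for ch, f in futures.items() if f.result() is not None}
    if not acks:
        return None, None
    fastest = min(acks, key=acks.get)
    return fastest, acks[fastest]


def run_notification(roster: List[Contact], message: str, sla_minutes: float) -> Dict:
    """Notify everyone, classify each result against the SLA, escalate unreached
    contacts to their backup, and return the report a post-incident review needs."""
    by_name = {c.name: c for c in roster}
    report = {"within_sla": [], "late": [], "unreached": [], "escalations": []}
    for c in roster:
        ch, minutes = notify(c, message)
        if minutes is None:
            report["unreached"].append(c.name)
            backup = by_name.get(c.backup) if c.backup else None
            if backup is not None:
                b_ch, b_min = notify(backup, f"ESCALATION for {c.name}: {message}")
                report["escalations"].append((c.name, backup.name, b_ch, b_min))
        elif minutes <= sla_minutes:
            report["within_sla"].append((c.name, ch, minutes))
        else:
            report["late"].append((c.name, ch, minutes))
    reached = len(report["within_sla"]) + len(report["late"])
    report["reached_pct"] = round(100.0 * reached / len(roster), 1)
    return report


if __name__ == "__main__":
    result = run_notification(ROSTER, "Data centre power loss, activate recovery team", sla_minutes=10)
    for key in ("within_sla", "late", "unreached", "escalations"):
        print(key, result[key])
    print("reached:", result["reached_pct"], "%")
```

The report is the input to the "test, review, correct" loop: a contact who only answered late or not at all shows which channel details are stale, and an escalation that itself fails would mean the backup assignment also needs fixing before the next test.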
Summary
BCP Trends
• Increased Standards
– Industry
– Country
– Corporate Governance
• Globalization of BCP
– Enterprise Continuity Planning
• Greater visibility of Business Continuity Planning issues at the Managing Director and “C” levels of the organization
BCP Trends
• BCP expanding outside of its traditional IT boundaries
• Move toward resiliency (zero down time) versus recovery
• Move toward disaster prevention versus disaster recovery
• BCP is increasingly becoming integrated with corporate functions
– Leading organizations integrating business continuity with risk management
BCP – A Coordinated Effort
• Business Continuity Planners should work with:
– Emergency Response Plans (typically owned by facilities managers)
– Disaster Recovery Plans (typically an IT responsibility)
– Corporate Crisis Management (typically the responsibility of corporate security)
– External Communications (typically the responsibility of the corporate communications organization)
BCP – An Ongoing, Living Process
• BCP is not a project or one time event
• Must be coordinated throughout an organization and include external dependencies.
• Enterprise Continuity Planning – a Corporate Function
• We must not only meet regulatory requirements….
– …we must strengthen corporate governance as a means of gaining competitive advantage in today’s global economy.
Strohl Systems
For the past 18 years, Strohl Systems has been
devoted exclusively to the business of providing the
world’s finest business continuity planning software
and services to a worldwide market.
LDRPS, Strohl’s Business Continuity planning tool,
is the cornerstone of the Strohl Systems
organization.
It offers:
 a proven methodology
 an existing support network
 an extensive user community
Industries Served - USA
 9 out of 10 securities firms
 5 out of 6 telecommunication companies
 4 out of 5 U.S. insurance companies
 4 out of 5 financial institutions
 4 out of 5 household goods producers
 4 out of 5 aerospace and defense companies
 3 out of 5 general retailers
 6 out of 10 commercial banks
 3 out of 5 computer makers
 4 out of 6 energy companies
Industries Served
Strohl Systems, Inc.
Worldwide organization dedicated solely to Business Continuity
Planning solutions
Successful Program
– Trained Personnel
– Up-to-Date Plan
– Strategy
– Testing
= Business Continuity!!!
Strohl’s Worldwide Presence – August 2006
37 Distributors and Resellers covering 79 Countries
Questions?