Business Continuity Management Planning

Presented by Brian Vines, June 17th, 2008

Overview

I. Getting Started
II. Assess your most critical business components
III. Clear definition of what you need to protect
IV. Categorize and prioritize business functions
V. Developing Your Business Continuity Plan
VI. Conclusion
VII. Questions

Getting Started

Focus on three categories of protection to help survive a disaster:
• Human Resources
• Physical Resources
• Business Operations

Getting Started – Human Resources

Human Resources
• Protect your employees and customers from injury on your premises.
• Consider the possible impact a disaster may have on your employees’ ability to return to work.
• Alternate staffing plans – How do you ensure your business stays functional when a large percentage of your staff is unable to come to work?
• Consider how your customers can reach you or receive your goods and/or services.

Getting Started – Physical Resources

Physical Resources
• Natural hazards – e.g., hurricanes, flood, freezing weather
• Building structure
• Interior, exterior components
• Proximity exposures
• Building control (own or lease)

Getting Started – Business Operations

Business Operations
• Critical Inputs – things needed to do your job
• Critical Outputs – things you produce that others want or need to do their job

Don’t assume:
• That a customer will patiently wait for your output. If your output is critical to their operations and you can’t produce, they will go somewhere else.
• That, just because you may be well-prepared, a supplier of a critical input of yours is ready for a disaster. If they are interrupted, you will be too.

Assess your most critical business components

To create a complete business continuity plan, you need to assess the impact of interruption on four components:
• People
• Physical Property
• Systems
• Data

Assess your most critical business components

People
• How will you notify, evacuate, transport and care for employees, including paying them?

Assess your most critical business components

Physical Property
• What equipment will you need?
• How will you store it?
• Where will you store it?

Assess your most critical business components

Systems (e.g., hardware, software, email, phone systems)
• What portions of your computer and telecommunications infrastructure must be duplicated immediately?
• Does immediately mean in a minute, an hour, or a day?

Assess your most critical business components

Data
• What data is critical to run your business?
• How will you recover critical data that’s lost?

Clear definition of what you need to protect

• Define your core competencies
• What makes you unique?
- People
- Product
- Service
- Process
- Method

Categorize and prioritize business functions

• What functions are necessary to sustain your core competencies?

• PRIOR TO A DISASTER, determine a sequence of restoring critical functions

Business Impact Analysis (BIA)

A BIA is designed to:
• Analyze the functions performed in a business unit
• What can affect my business?
• How will it affect my business?
- Financial implications (revenue generating)
- Operational impact (supports production of products or services)
- Reputation (product recalls, SLAs)

Business Impact Analysis

Supporting the BIA
• Identifies business operations dependencies:
- Computer equipment – mainframes and other operating systems
- Communications – Voice & Data
- Information & records – Electronic & Paper

Business Impact Analysis

Supporting the BIA
• Dependencies: Consider possible crisis scenarios
- Internal & External
- Non-availability of physical property
- Outside Services
- Internal/External attacks
- Major natural disasters

Developing your Business Continuity Plan

The value of a well-documented, comprehensive plan:
• Companies prefer to do business with companies that have business continuity plans. In many cases, customers are demanding to review business continuity plans.

• Companies with tested plans increase chances of “surviving” by approximately 70% over companies without tested plans.

Be prepared to meet your employees’ and customers’ needs regardless of the situation.

Developing your Business Continuity Plan

Facts:
• Businesses with no plan: 43% never reopen.
• WTC 1993 Bombing: 150 companies never reopened (43%).
• Hurricane Andrew 1992: 80% of businesses without a plan failed in 2 years.
• 2005 London Bombing: 70% of those with a plan identified that the plan needed changes.
• Katrina created a new definition of disaster: city destroyed, no roads, utilities, government infrastructure, etc. Years to recover.
• 70% of all businesses that close for one month either never reopen or fail in three years.
• Most companies that lose their computer system for 10 days or more fail.

Developing your Business Continuity Plan

Lessons:
• No mail delivery for weeks or months
• Local phone service may not work as well as cellular service
• Utility companies bankrupted due to inability to collect revenue for services
• Loss of essential services such as schools, hospitals, police & fire departments impacts the business community’s ability to keep employees
• Businesses with more than one location were more likely to survive than those with a single location.

Developing your Business Continuity Plan

What causes businesses to fail?

• 68% Human error.

• 25% Technology failure.

• 5% Natural disaster.

• 2% Intentional causes.

Many companies fall into a trap of planning only for “failures on a grand scale” when it is the smaller interruptions that cause most problems.

Developing your Business Continuity Plan

You can insure for property damage from most perils, and you can insure for business interruption, but you cannot insure for:
• Market share loss
• Business relationships with vendors
• Regulatory compliance failure
• Increased insurance cost
• Increased cost when operations resume
• Replacement, restoration, recovery costs not adjusted for inflation
• Severance and unemployment insurance cost
• Loss of employees
• Cost of equipment and facilities used during recovery
• Delayed accounts payable and receivable during recovery
• Loss of financial support and impaired cash flow
• Impaired communications with customers, vendors, etc.
• Loss of goodwill and community support

Developing your Business Continuity Plan

Analyze your alternate facility needs and options: • Can employees seamlessly work from home or another location?

• Do I need a pre-determined alternate facility?

- Mirror site (duplicate systems at a remote site; immediate “fail over”)
- Hot site (equipment and resources needed to restore business)
- Cold site (does not have the equipment available to restore, only the physical space)
- Warm site (has some of the necessary equipment; the business would have to decide what should be on-hand)
• Utilize alternate “work-around” (computer system replaced with manual processing)

Developing your Business Continuity Plan

Data Collection: A comprehensive plan will require a certain amount of data to be collected and stored.
• Inventory all IT resources (PCs, servers, software, etc.). Include minimum hardware requirements, configuration and version information.
• Determine which documents are essential and should be duplicated and sent to offsite storage.

• Contact critical vendors and suppliers about their business continuity plans.

Developing your Business Continuity Plan

Provisions for Safety: Employees are your most valuable asset.
• Create evacuation and shelter-in-place plans for employees
• Develop and post evacuation routes
• Ensure any individuals who need evacuation assistance are considered in the planning
• Designate primary and secondary assembly locations outside of the building that are a minimum distance away from the building of 1.5 times the building height (collapse zone)
• Designate pre-determined shelter-in-place locations
• Create a phone-tree so employees can be notified of an emergency.
• Consider having an employee emergency number that can be used by employees to report their status or request assistance during a major crisis.
• Test, test & test

Developing your Business Continuity Plan

Resiliency Planning: Expect the unexpected
• Have plans for an alternate telecommunication provider
• Emergency backup generator in case of a power outage (have written service level agreements with the fuel provider)
• Have pre-determined plans for an alternate work site and equipment (if possible, allowing employees to occasionally telecommute will make the organization more resilient)
• Consider locations of employees. Examine costs/benefits of having a satellite location.

Developing your Business Continuity Plan

Resiliency Planning: Expect the unexpected
• Document imaging can be invaluable in recovery
• Meet with critical vendors annually to discuss their recovery operations and locations.
• Develop relationships with contractors and vendors outside of your immediate region

Developing your Business Continuity Plan

Review computer data backups:
• Critical data should be backed up at least daily and stored offsite.

Document resiliency processes:
• Create manual processes to be used if computers are unavailable.
• A paper system is not as efficient as a computer process, but it would allow the business to function.

Developing your Business Continuity Plan

Crisis Communications: The need to communicate during an emergency is critical to the success of the plan:
• Consider the need to communicate with: employees and their families, customers, media, neighboring businesses
• Family Communications
- Have employees consider how they would communicate with their families if separated in a crisis
- Arrange for an out-of-town contact for all family members to call in a crisis
- Designate a place to meet family members in case they can’t get home in a crisis

Developing your Business Continuity Plan

Crisis Communications: Notification
• Create a phone-tree so employees can be notified of an emergency.
• Consider having an employee emergency number that can be used by employees to report their status or request assistance during a major crisis.
• Inform employees of procedures and post emergency telephone numbers near each telephone and other prominent locations.

Developing your Business Continuity Plan

Final Plan Preparations:
• Prepare a list of contact information for key personnel with their responsibilities during a crisis.
• Ensure at least one backup person is assigned to each responsibility in the event someone is unavailable at the time of crisis.
• Test the plan. Tests should include: drills, tabletop exercises, manual workarounds, component testing (one business process failure) and full testing (worst-case scenario)

Developing your Business Continuity Plan

Plan Implementation and Ongoing Maintenance:
• Ensure hard copies of the plan are kept off site
• The plan must be tested at least once a year in order to gauge your ability to continue operations and reassess effectiveness
• Incorporate business continuity into your change management process to determine the level of impact to your operation’s ability to recover.

Living process – Only as good as the last time it was reviewed and exercised.

Testing the plan

• Start simple (tabletop exercises, employee/team emergency numbers)
• Build up to combined exercises (evacuation drills, component testing)
• Full recovery tests

Conclusion

• All organizations, regardless of size, need a thorough, tested plan for an interruption in their ability to do business.

• Events over the last 10-15 years (1993 bombing, Y2K, 9/11, SARS, 2005 hurricanes) caused organizations to be more prepared.
• Planning should anticipate widespread disasters in addition to everyday interruptions.
• Consider decentralization as a way to provide better resiliency.

Questions?

Disclaimer

The information provided in these materials is of a general nature, based on certain assumptions. The content of these materials may omit certain details and cannot be regarded as advice that would be applicable to all businesses. As such, this information is provided for informational purposes only. Readers seeking resolution of specific safety, legal or business issues or concerns regarding this topic should consult their safety consultant, attorney or business advisors. The background presented is not a substitute for a thorough loss control survey of your business or operations or an analysis of the legality or appropriateness of your business practices. The information provided should not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) will be an appropriate legal or business practice. Further, The Hartford does not warrant that the implementation of any view or recommendation will result in compliance with any health, fire, or safety standards or codes, or any local, state, or federal ordinance, regulation, statute or law (including, but not limited to, any nationally recognized life, building or fire safety code or any state or federal privacy or employment law). The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations, operations or practices are safe or healthful, or are in compliance with any law, rule or regulation.
