Expect the Unexpected: Are We Clearly Prepared?
Disaster Preparedness I
Lessons Learned
Don Hall
Thomson Prometric
Council on Licensure, Enforcement and Regulation
2006 Annual Conference
Alexandria, Virginia
Thomson Prometric
Thomson Prometric is the leading global provider of comprehensive testing and assessment services. We deliver standardized tests for 600 client programs, in 26 languages, over the Web or through a global network of 3,200 testing centers in 135 countries.
Presented at the 2006 CLEAR Annual Conference
September 14-16 Alexandria, Virginia
Continuity Management at Prometric
Thomson Prometric has defined a comprehensive Business Continuity Management (BCM) program that provides for contingency operations that will ensure the continuity of services provided to our clients, candidates, and channel testing partners using established “best practices” to safeguard the interest of our clients, reputation, brand, and revenue.
Best Practices
• Disaster Recovery Institute Int’l (DRII)
• Business Continuity Institute (BCI)
– Promote a common knowledge and
standards for BCM
– Certify individuals in the discipline
– As such, in 1997, DRII, together with
BCI, published the Professional Practices
for Business Continuity Planners as the
industry's international standard.
Professional Practices
Pre-Planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
Planning
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Develop and Implement Business Continuity Plans
Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising Business Continuity Plans
• Public Relations and Crisis Communications
• Coordination with Public Authorities
Professional Practices
Pre-planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
Project Initiation and Management
• Define Scope, Objectives, Policies and Critical
Success Factors
• Establish the need for BCP
• Communicate the need for BCP
• Involve Executive Management
• Establish a Steering Committee or Task Force
• Develop the Budget
• Identify Planning Team(s) and Responsibilities
• Develop and Coordinate Action Plans
• Develop Ongoing management and
documentation requirements for BCM
• Report to Senior Management Team
Risk Evaluation and Control
• Identify the threats
• Eliminate threats, if possible
• Estimate probability of threats
• Perform Risk Analysis
• Identify costs to reduce risks
– Spend resources on risks most likely to occur: 80/20 Rule (1897, Vilfredo Pareto)
• Implement controls to reduce risks
• Exercise, evaluate, and make changes as
needed to reduce the impact of risks
Business Impact Analysis (BIA)
• Establish the value of each
organizational resource as they
relate to the function of the whole
• Provide the basis for identifying the
critical resources required to
develop your business recovery
strategy
• Establish order of priority for
restoration
Professional Practices
Planning
• Developing Business Continuity
Strategies
• Emergency Response & Operations
• Develop and Implement Business
Continuity Plans (BCP/COOP)
Develop Business Continuity Strategy
• Identify the Enterprise Requirements
• Identify strategies, costs, advantages,
and disadvantages for each
– Compare internal and external
• Identify strategies for functional areas
• Assess strategies using BIA results
• Perform Costs/Benefits Analysis
• Consolidate Continuity and Recovery Strategies Across the Enterprise
– Consolidate workspace recovery sites
– Enterprise-level plans for media and
communications
Emergency Response and Operations
• Identify Types of Emergencies and the Response
– Fire, Flood, HAZMAT, etc…
• Identify Components of Emergency Response
– Reporting procedures (internal/external)
– Pre-incident preparation
– Emergency Actions (evacuation, firefighting, notifications,
etc…)
– Facility Stabilization
– Damage mitigation
– Testing procedures and responsibilities
• Develop Detailed Emergency Response Procedures
– Protection of Personnel
– Containment of the Incident
– Assessment of effect
– Decide optimum actions
Emergency Response and Operations
• Identify Command and Control Requirements
– Design and equip the Emergency Operations Center (EOC)
– Define Command and Decision Authority roles
– Communications vehicles (radio, e-mail, messengers, etc.)
– Logging and documentation methods
• Develop Command and Control Procedures
– Opening the EOC
– Security for the EOC
– Scheduling the EOC teams (24 hour operations)
– Management of the EOC
– Closing the EOC
• Emergency Response and Triage
• Salvage and Restoration
Develop Business Continuity Plans
• Advanced planning that is necessary to ensure
the continuity of critical functions for an
organization
• Putting in place supporting infrastructure and
resources to respond to a disaster event
• Implement procedures to reduce the risk of
identifiable threats
• Develop plans that cover all events that result in
the total or partial destruction of a facility, or
create an inability to perform essential functions
• Create plans that include procedures, equipment,
and personnel for both automated and manual
procedures.
Professional Practices
Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising
Business Continuity Plans
• Public Relations and Crisis
Communications
• Coordination with Public Authorities
Awareness and Training
• Components of the COOP/BCP
• Why is BCP important to them!
• Who is the Business Continuity
Coordinator
• Where to find more information
• When is it exercised
• How is the COOP activated
Maintenance and Exercising BCP
Maintenance
• Monthly
– Call-trees
– Personnel data
• Quarterly
– Plan review
• As needed
– Organizational Change
– Process Change
– Technology Change
• Exercise
– Before (exercise preparation/plan review)
– After (lessons learned)
• Annually
– BIA
– Corporate Strategic Direction
Maintenance and Exercising BCP
Exercise
• Validate your plans
• Familiarity with BCP procedures
– Reduce decisions, confusion, and recovery time
– Reduced costs at time of recovery!
• Exercise Types
– Walk-through (paper-based)
– Simulation
– Operational
• Exercise Guidance
– Start small
– Detailed procedures should be followed closely
– Should include backup data (restores) and call-trees
– Conduct surprise tests (very risky, only a few)
– Use “actual” but not “live” data
Crisis Communications
• Escalation
– Disaster declaration criteria
– Problem Identification and Escalation
• when is it a disaster
– Contact Lists
– Initial Response Items
• Primary Notifications
– BC Coordinator, SMT, CMT/IMT
– BC Teams
– Damage Assessment Teams
• Secondary Notifications
– Other employees
– Customers
– Public
– Suppliers
Crisis Communications
• Public Relations
– Issue initial Press Release
“canned response”
– Establish a schedule for Press
Conferences
– Communicate the name of “official”
spokesperson
– Be prepared for all “audiences”
(internal, external, media, agencies)
Coordination with External Agencies
• Identify applicable laws and regulations and
determine impact
• Identify statutory industry requirements
• Ensure your plans meet all statutory and
regulatory requirements
– work with statutory agencies as appropriate
• Identify and coordinate with agencies
supporting BCP aims
– Identify and develop procedures with external agencies
providing disaster assistance (financial and resources)
• Develop exercises with external agencies
– Establish exercise objectives
– Coordinate and execute exercises
– Debrief and report on exercises to include action plans
Speaker Contact Information
Don Hall, Director Business Continuity
Thomson Prometric
1000 Lancaster Street,
Baltimore, MD 21202
Phone 443-923-8000
E-mail [email protected]
Website www.prometric.com