OSU Enterprise Continuity Planning
Download
Report
Transcript OSU Enterprise Continuity Planning
BCP 101
David Lindstedt PhD, PMP, CBCP
The Ohio State University
All content (except for those slides with the Strohl Systems™ logo) is the intellectual property of The Ohio State University.
The Ohio State University
60,347 Students
29,019.5 FTEs (39,120 headcount)
927 Buildings (5 campuses)
15,893 Acres
SunGard’s LDRPS (hosted)
Shared by 10 Ohio universities
Administered by OSU
465 OSU plans, 995 total plans
501 OSU users, 880 total users
(Ohio) BCP Federation
Agenda:
Continuity Planning Overview
OSU Program Methodology
Quick Topics:
Pandemic Flu Planning
Ready-at-Home
Current BCP Research
Continuity Planning Overview
What is Business Continuity Planning?
The ability to maintain operations and
services in the face of a disruptive event
What Is at Risk?
Branding / reputation
Confidence (parents, Board, etc.)
Course offerings
Donations / development
Funding / grants / revenue
Infrastructure
Intellectual capital
Jobs / positions
Lines of business
Patient care
Research (existing and future)
Service offerings
(Basically, whatever you do…)
Continuity Planning Objective
It’s A Race Against
Time…
Somewhere in Time….
… a Disaster Lurks !
RTO
Plan & Prepare
Respond
&
Recover
Quickly
DANGER ZONE
Lose Research
Lose Reputation
Lose Revenues
Primary Objectives
Protect resources, revenue,
reputation, research, etc.
Control chaos and improve
reactions
Improve self-sufficiency
Reduce recovery time / costs
Bottom line: Keep the
University operational
Aero Med helicopter crashed into the roof
of Spectrum Health (Grand Rapids)
Potential Secondary Benefits*
Closer alignment with business goals
Increased credibility
Improved customer service / loyalty
Quality improvements
Expense reduction
Transparency of costs and benefits
[Team building]
[Eliminated / mitigated risks]
[Improved budget planning / justification]
*Source: Continuity Insights and HP’s Executive Business Continuity Study (2005)
Current Industry Drivers
Federal Legislation
Attacks / Natural Disasters
Public Law 110-53
Sarbanes-Oxley
USA Patriot Act
HIPAA
(Higher Education Opportunity
Act of Public Law 110-315)
(Federal Grant / Endowment
Regulations)
Virginia Tech, DSU, NIU
Northeastern seaboard power
outage
West coast forest fires
Hurricanes
9/11
Business Strategy
Secondary Benefits
OSU Program Methodology
Putnam County: 2007 OSU Extension Office Flood
Brief ECM Program History
External auditors: OSU must undertake enterprise
continuity planning
2004: Pilot groups started
2005: Key operational units started
2006: Pandemic flu planning initiated
2007: President’s Cabinet made recommendation
Current governance:
BCP Advisory Board: 70 cross-university members
BCP Steering Committee: 15 major area coordinators
Phase One Focus: Response
Initial response for your unit
Concentrates on the first 4 hours
(approximately) following an incident
Localized (not regional) incident
Core components:
Evacuation and Shelter-in-Place procedures
(BEAP)
Site Event Management (SEM) Plan
“Rolodex” of contact information
Teams and tasks to effectively manage the situation
Alternate locations
Phase Two Focus: Recovery
Recovery of critical
processes
What processes / functions
will you continue?
Identify, score, and prioritize
processes
(Business Impact Analysis)
How will you continue?
Loss of staff
Loss of applications / equipment
Loss of building
Phase Three Focus: Resumption
Resumption of
operations
Asset requirements
Information technology
requirements
Information security
Restoration approach
Exercise preparation
2008 Windstorm
Quick Topic #1
PANDEMIC FLU PLANNING
Core Components
BCP Plans
Hygiene
Sanitation
Work-at-Home
Capabilities
Ready-atHome Planning
Graphic: 2009: ems-solutionsinc.com
Helpful Categorizations
Graphic: 2009: ems-solutionsinc.com
Quick Topic #2
READY-AT-HOME
Make a commitment to prepare
It is essential that you commit to taking
steps to prepare your family and home
now
Take small steps or large steps, but
START!
21
Core Components
Talk to your family, friends, neighbors,
coworkers, etc.
Download a family preparedness plan
template, and fill it out
Stock Up at Home
Prepare “Go” bag
Critical supplies
Finances and records*
•Available at http://www.operationhope.org/effak/effak_english.pdf
Quick Topic #3
CURRENT BCP RESEARCH
What We Have
Case Studies
Anecdotes:
◦
◦
Best practices (based on?!?)
◦
◦
◦
“…following a well-defined process when disaster strikes is required to
ensure business operations recovery” (p.3)*
“BCM can be used to redesign business and IT processes to maintain and
enhance profitability and competitive advantage… BCM’s impact extends
well beyond the ‘dollar value’ of recovery from a business disruption” (p.
3)**
GPG07 (BCI)
Professional Practices for Business Continuity Professionals (DRII)
Note: “Frameworks are available, but none are widely perceived as a
complete set of industry-neutral best practices” (p. 1)**
Standards
*Witty, Roberta (2008) “Business Continuity Management Defined, 2008”, Gartner Research Article, No G00159707
**Witty, Roberta (2008) “Top-Five Issues and Research Agenda, 2008: The Business Continuity Manager”, Gartner Research Article, No
G00156456
The Sum Total of BCP Research
U.S. Bureau of Labor and Statistics:
◦
◦
? Neal Rawls, 2002 ?
◦
“…it has been estimated that 90% of companies unable to resume
business operations within five days of a disaster are out of
business within one year”*
Knight and Pretty, 1998**
◦
43% of businesses experiencing a major disruption never resume
51% shut down within 2 years
Shareholder value increases for companies that effectively survive
crises
londonprepared.gov.uk
◦
“Around half of all businesses experiencing a disaster with no
effective plans for recovery fail within the following 12 months”
*Neal Rawls, Continuity Central Security Columnist & Author, writing about "Avoiding Disaster," by John Laye, 2002. Quoted from:
http://www.continuitycentral.com/news01149.htm
**Knight, Rory and Deborah J. Pretty (1998), Value at Risk: The Effects of Catastrophes on Share Price, Risk Management, 45(5), 3, 94 1
Conclusions from Mel Gosling and Andrew Hiles
“7. Statistics differ in specifying whether or not companies that
failed had a DRP/BCP and those that specified companies without a
BCP/DRP do not identify how many companies who had one,
failed”*
“8. Is the 80% Myth busted? I’m less confident than I was, but still
not sure. Even secondary evidence has some value. Certainly a new,
objective and disciplined survey would help.” (Italics mine)*
“Without …an associated analysis of whether or not the businesses
that failed did so because of a disaster, and whether or not they had
an up to date BCP, it is impossible to come up with estimates of the
percentage of businesses that failed as a result of not having
introduced BCM.”**
*Gosling, Mel and Hiles Andrew, “Business continuity statistics: where myth meets fact,” Continuity Central, 24th April
2009, http://www.continuitycentral.com/feature0660.html
**Gosling, Mel and Hiles Andrew, “SMEs – Stop the Preaching,” Continuity Magazine, Jan/Feb 2009
A Watershed Moment in the Industry?
Not enough executive support
Not enough budget
No seat in the Board Room
No agreed-upon standard
No established Return on Investment
(ROI)
THANK YOU!!!
Questions?
Comments?
[email protected]
Appendix A: Higher Education
Major Disasters, 1999-2008
2000: Residence
Hall Fire
Seton Hall
University
3 deaths and 54 injuries
2001: Tropical
Storm Allison
The University of
Texas School of
Medicine
Loss of medical research
and disruption of future
research efforts
$205 million
2002: Laboratory
Fire
The University of
California Santa
Cruz
Loss of irreplaceable Human
Genome Project research
$4-5million
2008: Tornado
Kansa State
University
Building damage
$6-7 million
2008: Flooding
Indiana
University
Damage to football field and
several buildings; major
roadways closed
2008: Flooding
University of
Iowa
Extensive flood damage to
the campus
Exceeding
$700 million
2008: Hurricane Ike
University of
Texas Medical
Branch at
Galveston
Extensive flood damage to
the campus
$710 million
And significant
staffing cuts
Appendix B: Katrina’s Effect on
Universities*
Institution
Damage in
$
Student Housing / Classes
Class
Resumption Date
Dillard
$400 million
700 students living &
classes in Hilton Hotel
January ’06
(50% enrollment)
Southern
[$350
million]
45 modular trailers; 400-unit
trailer park for housing
’06 = trailers
’07 = main campus
(66% enrollment)
Tulane
$150 million
150 students housed in
cruise ship
January ’06
(88% enrollment)
UNO
[$104
million]
December ’05
(66% enrollment)
**Higher Education Totals:
• $1.2 billion in estimated physical damage to the campuses
• Potential losses of $230 million in tuition
• Hundreds of millions more in salaries and benefits paid to faculty and staff not working
*Source: “Recovering by Degrees” by Kathy Gray, Columbus Dispatch, 6/18/06
**Source: “Adding up the Damage”, Inside Higher Ed, 11/14/05
Appendix C: Additional Statistics
Around half of all businesses experiencing a disaster with no
effective plans for recovery fail within the following 12 months*
Banks, investors, insurers, customers and suppliers will take a
company that has a business continuity plan much more
seriously**
93% of companies that suffer a significant data loss are out of
business within five (5) years***
In the decade after Columbine, the U.S. saw 80 more school
shootings****
The U.S. Bureau of Labor and Statistics reports:
43% of businesses experiencing a major disruption never resume
51% shut down within 2 years*****
*http://www.londonprepared.gov.uk/businesscontinuity/essentialdocs/ -- 2009
**http://www.londonprepared.gov.uk/businesscontinuity/faqs/#4 – 2009
***US Bureau of Labor -- 2006
**** James, Susan Donaldson, “Surviving Columbine: What We Got Wrong,” abcnews.go.com/Health/MindMoodNews/story?id=7363898&page=1
-- 2009
***** U.S. Bureau of Labor and Statistics -- 2006