RIMS Receiving & Inspection

Business Continuity/Preparedness Planning –
What’s Important
Florida Gulf Coast ARMA
January 13, 2015
Overview – Planning Elements
1. Lay out a program plan… a vision
2. Management Support
3. Risk Analysis
4. Incident Response Planning
5. Recovery Planning
6. Training & Awareness
7. Exercises
8. Maintenance
9. Supplemental Info… resource links & suggestions
Continuity and Preparedness
Basic Definition:
A business preparedness and continuity program aims to prevent
or mitigate, respond effectively to, and recover from the
effects of business disrupting events.
Emphasize personnel safety!
Management Support
Key Points:
– Secure support from the top level manager/executive … Ask
what keeps them awake at night;
– Obtain an executive level manager as a sponsor/champion
and lead for a steering committee;
– Establish a budget and planning team;
– Arrange for an announcement to the organization endorsing
the program, summarizing your role, and explaining the
organization’s involvement expectations – both budget and
participation.
Even with upper management’s endorsement,
respect people’s time and their need to
balance continuity/preparedness planning
priorities with their primary business
priorities!
Management Key Plan Components…
If you have nothing else, before you get started…,
– Establish a management level incident support team
list and a way for its members to communicate.
(Else, make sure the existing one is current.)
– Establish an incident response team and a basic
incident response plan… just in case something
happens tomorrow! Keep it simple but
effective…plenty to cobble from on the internet.
Communication
Communication is the most critical component of an
effective business continuity/ preparedness plan.
Even the best response and recovery plans are
crippled without reliable communications, and any plan’s
weaknesses and exceptional circumstances can be managed
more effectively with reliable, effective
communications. Assuring communications,
therefore, is the absolute first planning priority
when developing business continuity plans.
Pragmatic approach…
Apply “practical due diligence” when establishing a
business continuity program. Initially, program
needs to focus on the key planning elements:
1) Reliable Communication
2) Preparedness, Response, and Recovery Teams
3) Team Tasks and Responsibility Lists
(Recommend plan templates for consistency and clarity.
Adapt plans to size or complexity of the
organization.)
Pragmatic approach…
Apply “practical due diligence” when maturing a business
continuity program:
1) Prioritize and implement projects in phases based
upon the best use of time and money; defer
capabilities of marginal use… Lay out a maturity
roadmap;
2) Program should be scalable. Processes should be
scalable;
3) Operational structure and tools should conform to
day-to-day business model as much as possible.
Risk Assessment
Two primary components:
1. Threat & Vulnerability Assessment
2. Business Impact Analysis
Risk Assessment – Threat & Vulnerability Assmt.
– Threat and Vulnerability Assessment
• Keep it simple;
• Develop a strawman assessment;
• Engage stakeholders such as: Facilities, Security, HR, IT,
Finance, Supply Chain, core business managers, etc. to
build on the strawman;
• Target at a Site/Facility-level (or sites/facilities if in the
same geographical area and similar in operation) if
possible; Process level if necessary;
• For mitigation leverage basic prevention, early warning,
and mitigation infrastructure, e.g. fire suppression,
security, fire alarms, evacuation plans, data backups,
backup power, etc.
Risk Assessment
– Threat and Vulnerability Assessment
• Keep it simple
• Site/Facility-level (or sites/facilities if in the same geographical
area and similar in operation) if possible
– Business Impact Analysis
• Key info: What are the critical business processes and what is their
recovery order
• What are the critical operational and infrastructure processes that
need to be recovered in order to recover the critical business
processes… and what is their recovery order
www.emsa.ca.gov/disaster/files/kaiser_model.xls
Above added as Comments in each Risk cell. Event label entered in comment to clarify relationship of comment to the risk to which it applies.
Risk Assmt: The Business Impact Analysis (BIA)Before you start…
Understand how the results of the BIA are going to be used
and make sure each question relates to that purpose.
• Primary objective: What are the critical core business
processes;
• Secondary: (RTO & RPO) Recovery Time Objective & Recovery
Point Objective;
• Tertiary: Core business process dependencies (Optionally,
these can be identified in the recovery planning process.)
Risk Assmt: Business Impact Analysis (BIA)- Before you start…
The last thing you want to hear from management after you present
the results of a BIA is: “OK, now tell us something we didn’t
already know.”
Lesson learned – Find out what management doesn’t know up
front. If they already know what it is you need to know… get it
from them before putting the organization through the BIA
process. Ask a “when it comes to disruptive events, what keeps
you awake at night” type question.
Risk Assessment – Business Impact Analysis
Business Impact Analysis (BIA)
– Primary objective: What are the critical core business processes
and what is their recovery priority;
– What are the critical operational processes and infrastructure that
need to be recovered in order to recover the critical business
processes… and what is their recovery order.
Examples:
– A headquarters operation looking at several geographically
separate sites with different core business processes may want to
look at a high level BIA, by function, and across the entire
enterprise or region.
– Regional operations with more than one local site may want to
prioritize and know in advance which operations receive first
priority for recovery resources among those regional sites.
– Single site needs to know core business recovery priorities and
their dependencies.
The Response Plan
Based upon the Threat and Vulnerability Assessment,
supplemented with regulatory requirements, establish an
Incident Response/Emergency Plan
– Establish an Incident Response/Management Team (IRT);
– Address the top level threats and regulatory requirements;
– Include contact information for the IRT and key outside support
organizations, e.g. law enforcement, fire & rescue, response & restoration
suppliers, etc.;
– Include key infrastructure maps, e.g. water valves, electrical panels, gas
shut-offs, HAZMAT & other emergency supplies, etc.;
– Provide employee-level response guidance, e.g. incident reporting, alarm
activation, evacuation, employee accounting, etc.;
– Make the plan available at appropriate level to audience…
Incident Response/Emergency Plan Staging
Key entry points, guard stations (grab & go bags), top-level execs, incident commanders
Samples: Campus or building flip
charts and employee hang tags or
wallet cards
The Recovery Plan
Develop Recovery Plan(s)… could be one plan or multiple plans,
depending upon organization’s complexity. (Multiple = Scalable)
– The difference and transition between response process and
recovery process needs to be clear… Damage assessment
transition;
– Need to have a management level incident support team that
establishes priorities (guided by the critical core business
process recovery priorities), arranges supplemental
resources, and communicates to corporate management,
shareholders, customers, media, etc.
Recovery Plan
Develop a strategy for each critical business and operational
process…
– Strategy could include more than one option… like a
football team’s playbook… use the recovery option
appropriate to the situation;
– Continuance doesn’t necessarily mean resuming in the
same or a centralized alternate facility… For large
enterprises could mean deferring to personnel performing
the same function at another location; Temporarily
outsourcing; Individuals working remotely with notebook
computers & cell phones; etc. - TEST
– As appropriate arrange in advance for alternate locations;
data and system restoration of service, backup equipment
& cross-trained staff, records, reciprocal agreements, etc.
Recovery Plan
Plan components…
– Recovery team(s) with a team lead and alternates
– Engagement process and communication methods
– Meeting location w/alternates – team operation center
– Alternate operations options
– Recovery responsibility & task lists
– Dependencies – Identify and plan alternatives
• Critical skills/personnel
• Critical equipment and assets
• Critical processes
• IT applications, data, and records - backup & recovery
• Critical suppliers
• Operational supplies
Recovery Plan
Plan components (continued)…
– Damage assessment process
– External Communications: Management, customers, &
suppliers
– External department responsibilities summary list
Awareness and Training…
Establish an awareness program for all levels, e.g.
Execs, Planners and various teams’ members,
employees… even suppliers
Awareness and Training…
Key Points:
– Employees as a whole, e.g. Newsletter announcements, emails, and
articles, posters, wallet cards & hang tags, workshops, on-line training,
family preparedness (http://www.ready.gov), etc.
– Individual teams, e.g. walk-through exercises, team reviews, function-level incident exercises, rotate planning maintenance role, etc.
– Community responders, e.g. periodic meetings, facility walk-throughs,
participation in awareness week-type activities, etc.
– Suppliers/vendors, e.g. periodic supplier certification process that
includes preparedness; include suppliers in exercises
– Senior and Corporate Management; e.g. include in activation exercises;
Have serve on steering committee, Management tag-ups, etc.
Program Exercises and Maintenance
Keep teams and plans current:
– Perform planned exercises and “what ifs”; after actual events perform after-action reviews – assign actions and track to closure;
– Use non-incident specific plan walk-through process to assure plans
are current and relevant – assign actions and track to closure;
– Planners should be alert for changes that could affect plans;
– Set periodic review and exercise goals & send reminders and track goal
achievements to closure;
– Track exercises, drills, awareness events, etc.
– Track program component completion progress
Hurricane Season – June 1 thru Nov. 30
(Timeline slides, 7/17/2015: 7-5 Days Out…; 5-4 Days Out…; Approx. 3 Days Out…; Wrap-up & after action review…)
Hurricane X Animation (Link to NOAA Graphics Animated Archives)
Program Exercises and Maintenance
Refresh Management Support… Back
to Step one
Maturity Level…
Avoid the temptation to try and jump to highest level of maturity
or detail:
– Build a foundation and leverage any foundation you might already
have;
– Build a vision of where you want the program to go;
– Lay out a plan on how to get there.
From: Business Continuity Maturity Model © Copyright Virtual Corp. 2004-2005
B. Allen Patrick, CRM, CBCP, CDIA+
Manager, Admin & Mail Services
727.302.4244
[email protected]
Supplemental info…
Resources…
Flip chart model: Univ of W Virginia Campus Police
http://police.wvu.edu/r/download/186163
Kaiser Permanente Hazard & Vulnerability template
(Consider listing all threats in one worksheet to facilitate
criticality rank comparisons.)
http://www.calhospitalprepare.org/hazard-vulnerabilityanalysis
Business Continuity Maturity Model – Virtual Corp’s free
open access maturity and sustainability tool…
http://virtual-corp.net/html/bcmm.html