
© 2012 Financial Operations Networks LLC

Prepare for a Disaster: Business Continuity Planning & Best Practices

About Your Presenter

Debbie Vander Bogart

Senior Director, Finance General Manager, Shared Service Center, Levi Strauss & Co.

Debbie joined Levi Strauss & Co. as Senior Director and Finance General Manager of the Shared Services Center. She was formerly Director of Payables and Cash Processes, Gap Inc. Debbie began her career at Gap as a finance manager, soon handling merchandise procure-to-payment responsibilities. Prior to joining Levi Strauss & Co., at Gap Inc. she had responsibility for all payables processes including real estate, travel accounting, and trade finance, where she implemented Web-based travel settlement and p-cards. In addition, she had responsibility for the Cash Processes organization, allowing process oversight for revenue through disbursement for all Gap Inc. brands. From the procure-to-pay perspective Debbie has been a driving force for adoption of best practices and scaling technology to grow with the company. Through Gap’s ERP implementation and adoption of additional best practices, Debbie guided Payables and Cash Processes toward eliminating paper documents, using advancing technology solutions to scale with Gap’s continued growth to provide additional competitive advantage for the company.

www.TheAPNetwork.com

Business Continuity Planning

(Source: Wikipedia)

• Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

• The intended effect of BCP is to ensure business continuity, which is an ongoing state or methodology governing how business is conducted.


Business Continuity Planning

(Cont’d.)

• In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

• BCP may be a part of an organizational learning effort that helps reduce operational risk associated with lax information management controls. This process may be integrated with improving information security and corporate reputation risk management practices.


That’s a lot of words… I thought this session would help me make it simple?!?!

It will!! Let’s keep going …

What is Business Continuity Planning REALLY?

A Business Continuity Plan should be a blueprint of how to keep your business running in the event of a disruption or disaster.


The BCP Cycle

For simplicity … break the process into 5 basic parts:

• Analysis
• Design
• Implementation
• Testing
• Maintenance

Step ONE: Analysis

• Perform Business Impact Analysis and Risk Assessment
• Determine size and scope of plan
• Use templates to capture critical business functions and resource needs – adapt from TAPN’s templates
• Interview functional leaders/staff to eliminate assumptions and gaps

Toolkit on TAPN: Adapt, Don’t Reinvent!


Sample Template: Adapted

Department/Function

1) Critical Business Process

2) Critical Business Tasks

Please list the primary and most critical tasks related to this business function.

1
2
3
4

3) Key Contacts

Please list the primary contacts for this business process (LS&CO. and/or outside vendors).

Name | Work Phone Number | Home Phone Number | Cell Phone Number | Other Information
1
2
3
4

Please list the primary contact for your top 5 customers (based upon revenue).

Company Name | Key Contact | Phone Number
1
2
3
4

4) Business Function Dependencies:

List any dependencies that support this critical process (in priority order).

1
2
3
4
Other

What operations do outside resources perform to assist this function (e.g. do you outsource check printing, report distribution, nightly processing, batch processing, master CD production, etc.)? How often (i.e. hourly, daily, monthly, etc.)?


Sample Template

(Cont’d.)

5) Operational Detail:

Do you have any peak periods for this process?

Peaks: Annually | Quarterly | Monthly | Weekly | Daily | Request

Describe Peak Periods

Approximate Total Number of Personnel Supporting this Function

6) Business Function Information:

1 In the event your business function experiences an interruption (e.g. work area, phones, systems and software applications become suddenly unavailable) what manual processes or 'work around' procedures could be performed, if any, until systems are restore

2 How long could you operate in a manual mode before systems become available? (Consider the amount of backlogged and missing data.)

3 Are there written procedures for operating in a manual mode?

4 When were the procedures for operating in a manual mode last updated?

5 What additional resources are needed to perform your mission critical business processes manually (i.e. additional staff, forms, phone, manual accounting, log sheets, etc.)?

6 In the event of a disruption, there may be some "lost data or transactions". Describe what data and/or applications support your critical functions.

7 If lost data could not be recovered, what is the potential impact to your business function and on the entire company?

8 Does your department store critical data or information on desktop or laptop? Do you back up this data? How?

9 Do you rely on data (information) that is not electronic? Specify the data and the type of media (i.e. contracts, forms, personnel records, etc.).

10 Do you rely on specialized or unique equipment (including applications) to perform your critical processes? If yes, list equipment.

7) Process Flow Information:

Identify and explain any specific legal, regulatory, contractual, and compliance issues or consequences (e.g. government agency obligations, customer contracts, Service Level Agreements etc.):

Legal
Regulatory
Contractual
Compliance

Summarize exposures and risks that Senior management should be aware of in the event of a disruption:

8) Timeframe for Recovery

RTO: RECOVERY TIME OBJECTIVE is the period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day).

In your opinion, what is the RTO for this business function? Please insert RTO in one box below.

< 1 Day | < 2 Days | < 5 Days | < 10 Days | 30 Days +

Do you rely on computers and telephone for this process?


Step TWO: Design

• Keep it simple and easy to use
• Don’t reinvent the wheel, adapt from others
• Plan elements should include:
  ― Scope and Objective
  ― Crisis team structure, roles & responsibilities
  ― Emergency contact information
  ― List of critical business functions, their recovery objectives and required resources
  ― Recovery work facility arrangements
  ― Activation plan and process flow
  ― Defined testing and maintenance procedures
• Use TAPN’s toolkit!!!


Step THREE: Implementation

• Train Crisis Team and other critical staff
• Educate and inform internal and external business partners
• Ensure critical function plans are in effect
  ― procedures updated
  ― vital records stored
  ― ALL staff trained
• Launch on-going employee awareness program

Step FOUR: Testing

• Start small, prioritize tests by risk
• Various levels & methods of testing: tabletop/checklist, simulation/walkthrough, functional drill, full scale interruption
• Any gaps discovered during testing should be documented for inclusion in the next testing & maintenance cycle
• Testing should be performed at least on an annual basis, more is always better
• Management should review and understand the final results of testing

Step FIVE: Maintenance

• Plan manager should ensure all documentation is current – recommend quarterly
• Ensure minimum of 1 test per year; if you break it into parts you can test ‘pieces’ throughout the year, but try to bring it all together at least once per year
• The sub-documentation that supports the plan, such as desktop procedures or system documentation, should be stored in multiple locations off-site from the facility and the servers to ensure access
• Don’t put it on a shelf and forget it!!!


Wisdom for BCP (a.k.a. Best Practices)

• Assign a plan manager, it’s an accountability thing!
• Define a Crisis Team with structure and roles
• A BCP is a living document, update it regularly
• Don’t try for the “perfect BCP,” it’ll be outdated by the time it’s published
• Testing of critical functions should be done at least annually
• Plan documents should be easily accessible

Wisdom for BCP

(Cont’d.)

• Don’t use complicated terminology, make it as clear and simple as possible
• Test scenarios should be meaningful and realistic
• Involve stakeholders in every step of the process

Helpful Links & Resources

TAPN

http://theaccountspayablenetwork.com/html/index.php

Continuity Central

http://www.continuitycentral.com/index.htm

Continuity Insights

http://www.continuityinsights.com/

Business Continuity Institute

http://www.thebci.org/

Questions


Thank You!
