The Ethics of Business Continuity Planning


Shane Creel Ph.D., CCEP
LEED Green Associate
Director, Risk Management & Sustainability
Texas A&M University-Kingsville
1. Back to Business: Planning for Disasters
2. The Benefits of Desktop Procedures
3. Disaster Recovery
4. Chaotic Ethical Decisions
“While no one wants to dwell on the thought of impending disaster, prudent planning can give you peace of mind knowing that you have prepared your family or company as well as possible.”
U.S. Department of State
• External disruption
  • Mother Nature – wildfire, flood, hurricane
  • Utilities – electrical, telecom, and water
  • Human behavior – terrorists, psychos, hackers
• Internal disruption
  • Facility problems – fire, leaky roofs
  • Equipment failures – server crash
  • Disgruntled staff
  • Staff illness/death
http://www.texasprepares.org/survivingdisaster.htm
• Will historical information be required in order to process new information?
• Are necessary forms available?
• Are cross-trained personnel available?
• Is there an alternate work site available? (Remote Access)
• Do you know all of the players?
• Historical Information
  a) Metadata files
     • Common fields such as personal identifiers
  b) Linked data files
     • Excel spreadsheets
     • Data mining from external sources
  c) Hard copy information
• Forms
  a) Do you have backups, and who knows how to manually fill them out?
Scenario: Your cashier is very proficient using the computerized system. The establishment loses access to the server which operates your ordering and cash handling. Everything else is functional. Will you have to close the business because no one knows how to manually conduct an order/process?
• Cross-trained personnel
  a) This is very important but often difficult to accomplish.
  b) Here is the normal thought process: “If I teach someone else what I know, why would the organization continue to need me?”
  c) We have to get past this way of thinking. Some of us here might not wake up in the morning. Is there someone else that you have trained to do your job?
  d) The more others know, the easier your job becomes.
• Alternate work site (Remote Access)
  a) Can your operations be conducted elsewhere?
  b) Can your employees telecommute?
  c) What if your building is no longer standing?
• All the players
  a) Do you have employee recall information?
  b) Do you have a Disaster Recovery Organization available? The Texas A&M System contracts with Cotton USA for Disaster Recovery Assistance.
  c) Where are you on the priority list for your energy provider?
  d) Have you met with all of the players to establish contact, if nothing else?
• Desktop procedures defined:
  A set of instructions covering those features of operations which lend themselves to a definite or standardized procedure, for preventing business disruption, without loss of effectiveness, with the flexibility necessary in special situations retained. The cradle-to-grave process.
• Why do we need desktop procedures?
  1. Prevent business disruption.
  2. Promote uniformity & consistency across organizations.
  3. Maintain smooth operations.
  4. Employee transition.
  5. Provide protection in the event of an audit.
• Identify the “how do I’s”
  • Write a recipe for each
• Identify the what, how, when, where, and who
• These are the items we have committed to memory or that have become second nature.
• Desktop procedures are a subset of business continuity.
• Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity.
• Most large companies invest as much as 25% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data.
• “MARC” (Minimum Acceptable Recovery Configuration)
  • High-level facilities/people/equipment/telecom
• Recovery Time Objective (RTO)
  • The time period after a disaster by which business functions need to be restored.
• Recovery Point Objective (RPO)
  • The age of files that must be recovered from backup storage for normal operations to resume.
• Funding gap
  • Funding differential required to recover. Is there reserve funding available?
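RTO and RPO are only useful if they are checked against what the backup schedule and the restore runbook actually deliver. The following is an added example (not from the slides): it takes a constructed list of backup completion times and a hypothetical restore runbook, works out the worst-case data-loss window (the longest gap between backups) and the estimated restore time, and compares them to an RPO and RTO of 8 hours. The backup times, step durations, and objectives are all assumptions chosen for illustration.

```python
"""Check a backup schedule and restore runbook against RPO/RTO.

Added example for the RTO/RPO definitions above; the data is constructed.
"""
from datetime import datetime, timedelta

# Constructed backup completion times for one server: a nightly full at 02:00
# plus a mid-day incremental at 14:00 (assumption, not from the slides).
BACKUPS = [
    datetime(2024, 3, 1, 2, 0),   # nightly full
    datetime(2024, 3, 1, 14, 0),  # mid-day incremental
    datetime(2024, 3, 2, 2, 0),   # nightly full
    datetime(2024, 3, 2, 14, 0),  # mid-day incremental
    datetime(2024, 3, 3, 2, 0),   # nightly full
]

# Hypothetical restore runbook: step name -> measured duration from a drill.
RESTORE_STEPS = {
    "provision replacement server": timedelta(hours=2),
    "restore last full backup": timedelta(hours=3),
    "apply incrementals": timedelta(hours=1),
    "validate and cut over": timedelta(hours=1),
}

# Assumed objectives for the example.
RPO = timedelta(hours=8)
RTO = timedelta(hours=8)

# Hypothetical disaster time used to illustrate a concrete data-loss window.
DISASTER_TIME = datetime(2024, 3, 2, 13, 30)


def data_loss_window(backups, disaster_time):
    """Age of the newest backup completed before the disaster, i.e. how much
    work would be lost. Returns None if no backup predates the disaster."""
    prior = [b for b in backups if b <= disaster_time]
    if not prior:
        return None
    return disaster_time - max(prior)


def worst_case_gap(backups):
    """Longest interval between consecutive backups. A disaster striking just
    before a backup completes loses this much, so this is the figure to hold
    against the RPO, not the average interval."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def meets_rpo(backups, rpo):
    """True if no point in the schedule could lose more than `rpo` of data."""
    return worst_case_gap(backups) <= rpo


def estimated_restore_time(steps):
    """Sum of the runbook step durations, assuming they run sequentially."""
    return sum(steps.values(), timedelta())


def meets_rto(steps, rto):
    """True if the sequential restore fits inside the RTO."""
    return estimated_restore_time(steps) <= rto


if __name__ == "__main__":
    gap = worst_case_gap(BACKUPS)
    print(f"worst-case data loss: {gap} (RPO {RPO}) -> "
          f"{'OK' if meets_rpo(BACKUPS, RPO) else 'VIOLATION'}")
    print(f"loss if disaster at {DISASTER_TIME}: "
          f"{data_loss_window(BACKUPS, DISASTER_TIME)}")
    restore = estimated_restore_time(RESTORE_STEPS)
    print(f"estimated restore: {restore} (RTO {RTO}) -> "
          f"{'OK' if meets_rto(RESTORE_STEPS, RTO) else 'VIOLATION'}")
```

With the sample schedule the longest gap between backups is 12 hours, so an 8-hour RPO is violated even though the restore itself (7 hours) fits the 8-hour RTO; the fix is a tighter backup cadence, not a faster restore. Run the restore steps from a real drill rather than from estimates, since the runbook timings are the part most often wrong.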
• An organization’s information security revolves around the attitude of the employees.
  • Loose lips sink ships!
• How to protect organizational information:
  • A viable records retention schedule.
    • Texas State Records Retention Schedule: https://www.tsl.state.tx.us/slrm/recordspubs/rrs4.html
  • Implement information security programs focusing on technology and operations.
  • Provide information security awareness training.
  • Provide user authentication.
• “Decisions are at the heart of leader success, and at times there are critical moments when they can be difficult, perplexing, and nerve-racking. However, the boldest decisions are the safest.”
Dr. Hossein Arsham
Merrick School of Business
University of Baltimore
• Supported by behavioral decision theory, which:
  • Accepts a world with bounded rationality and views the decision maker as acting only in terms of what he/she perceives about a given situation.
  • Fits with a chaotic world of uncertain conditions and limited information.
  • Encourages satisficing (good enough) decision making.
• The 3Rs of Chaotic Ethical Decision Making:
  1. Rationing of resources
     • Who gets what first?
  2. Restriction of access
     • Texas is working to establish First Responder Credentialing.
  3. Responsibility
     • Environmental
     • Social
     • Organizational
• The ethical dilemma:
  • A situation in which the decision maker must decide whether or not to do something that, although risky yet beneficial (for the greater good) given the situation, may be considered unethical and perhaps illegal.
• Things to consider:
  1. Would I make the same decision if my family were involved?
  2. What is the personal impact of the decision?
  3. Will I be able to sleep tonight?
• Present a unified front to primary and secondary stakeholders.
  • Primary: employees, customers, investors, and shareholders, as well as governments and communities that provide necessary infrastructure.
  • Secondary: media, trade associations, and special interest groups.
• This demonstrates to the public that the situation is under control and prevents further panic. Additionally, your stakeholders are less likely to lose confidence in the organization.
• Emergency Management Institute, Continuity of Operations Awareness Course
  http://training.fema.gov/EMIWeb/IS/is546.12.asp
[email protected]
O: (361)592-2237
C: (361)219-4526