Business Continuity / Disaster Recovery from a Business


Business Continuity /
Disaster Recovery from a
Business Perspective
Dan Esser, CBCP, FLMI
109 Haywood Ct.
Columbia, MO 65203
573-234-2948
Not just Computer Back-Up
• IT functionality - limited usefulness if the
rest of the business is not present.
• Today’s primary discussion - non-IT
functionality.
2
What you get to take with you
• An overview of BCP Structure and
Techniques.
• A set of questions you can ask in your
business to help you gauge preparedness.
• Some Tools and Resources that may be
useful.
3
Disaster Fact
• Out of every FIVE businesses that suffer a
major disaster,
• TWO will never reopen and
• A THIRD will fail within 2 years.
[DRI International]
4
BCP Like Life Insurance?
• Uses up resources.
• Only pays off if something bad happens.
• Costs every year - Never Finished
5
Kinds of Risks / Dangers
• Natural
• Proximity
• People
• Environmental
6
Natural Risks
• Earth
• Wind
• Fire
• Water
7
Proximity Risks
• Government Buildings
• Airports / Heliports
• Industries using Chemicals or
Flammables
• Trains
• Highways
8
Risks from People
• Disease
• Bomb Threats
• Workplace Violence
• Cyber Attacks
9
Environmental Risks
• Asbestos
• PCBs
• Mold / Sick Building Syndrome
• Piled up Paper
• Ongoing Construction
10
BCP as Advance Planning
• Business Continuity Planning is at least
partially the art of making all the decisions
that can be made in advance of a disaster.
11
BCP - Four Major Components
• Life/Safety
• BIA
• EM & R
• Departmental Recovery
12
BCP - Four Major Components
• Life/Safety Plan
13
BCP - Four Major Components
• Business Impact Analysis
14
BCP - Four Major Components
• Emergency Management & Response
15
BCP - Four Major Components
• Departmental Recovery
16
RTOs, RPOs & Declaration
[Timeline diagram. Labels: Info Tech RTO; Disaster Event; Catch-up Processing; Disaster Declaration; Department RTO; GAP; Reconstruct WIP & Lost; Stockpiled Transaction Input; Normal Business Activities; Pre-Processing Opportunity]
17
How Important is Information
Technology?
• If you can only afford to protect one thing
in your business, protect your data. You
will not recover without it.
• Just don't expect that alone to save you from
a disaster.
18
Functionality is the Issue
• A business must regain process functionality.
• Computers are just a tool.
• They make things faster, but they are not the
business.
19
Scenario
• You are a Progressive Organization.
• Your Data is Backed up and Off Site Daily.
• You can Recover from any Disaster that
Dares to hit you.
20
Scenario
• You are a Progressive Organization.
NOT
• Your Data is Backed up and Off Site Daily.
• You can Recover from any Disaster that
Dares to hit you.
21
Scenario - 2
• A disaster event – fire, flood, anthrax,
something – has made your primary
business location unusable, either
permanently, or for a long time…
22
Good News - Maybe
• You already have the answers.
• Here are some of the questions to assist
your planning process.
23
Management Organization
• Where is the default meeting place for
senior managers if telephones are
unavailable?
• Is there a succession plan if several senior
managers are killed in the disaster?
24
Management Organization
• Who would face the media and regulatory
authorities?
• Is he or she prepared to do so?
• Is there a backup person?
• Do all others know to NOT talk to the
media?
25
Management Organization
• How many days can the company be
completely “down” before serious business
repercussions are inevitable? (loss of
customers, employees, regulatory
intervention)
26
Notification
• How would you contact employees,
suppliers, key customers, etc. without
access to your business records?
27
Infrastructure
• How much space would you need and how
quickly could it be acquired?
• What space is available today in your city?
• Who is in charge of office layout, furniture,
wiring, etc. …and who backs them up if
they are made unavailable by the disaster?
28
Resource Requirements
• Who has purchasing authority?
• Who is the purchasing backup?
• How quickly would the company need
replacement resources? Day 1, day 3, etc.?
– Do you know where to get those resources in
the quantities you need on a rush basis?
– Have you ever tested whether or not those
suppliers can deliver on a rush basis?
29
Resource Requirements
• What custom documents and forms does the
company have where the entire supply is on
site? (checks, envelopes, letterhead,
invoices)
30
Advance Agreements
• Who is in charge of liaison with fire, police
or other emergency authorities?
• Who is his/her backup?
– Have you met with those authorities to
determine their protocols in emergencies and
establish a liaison relationship with them?
31
Advance Agreements
• Does the company have arrangements with
its telephone carrier to place messages on
inbound lines until they can be answered?
– What messages will you use?
– Who will the telephone carrier recognize as
having the authority to institute them or make
changes?
32
Emergency Operations
• How would the company go about setting
up an Emergency Operations Center?
• Who would staff the EOC?
• Do you have EOC supplies already off site?
(Sample list in packet)
33
Emergency Operations
• Which critical business functions need to be
up and running first?
– How long can functions be down before the
company incurs regulatory scrutiny and
penalties?
– How long can functions be down before
customers abandon you for another supplier?
– What can you do to mitigate this?
34
Financial Preparation
• Are emergency lines of credit in place and
the authority to access them clearly
delineated?
• Does the company have arrangements with
its bank(s) to continue repetitive payments
for a short time?
35
Financial Preparation
• Are corporate accounting records and
processes backed up and documented off
site? (Key people may not be available
after a disaster.)
• Does the company have manual
disbursement procedures?
36
Salvage
• Did you know that wet records could be
freeze-dried and often saved?
• Do you have an agreement with someone
who does that kind of work?
• Do you know who does that kind of work?
(See list at end)
37
Salvage
• Information from hard drives of smoke- or
water-damaged PCs can also be retrieved
by experts.
38
Mail
• Mail handling operations are often
overlooked. What would the company do
about lost mail, both incoming and
outgoing?
• Is there a plan to get mail flowing in an
orderly fashion after a disaster?
39
Security
• How easy is it for a non-employee to get
into your office today?
• How would you maintain security at your
primary site until salvage could be carried
out?
40
Departmental Readiness
• Who is the recovery coordinator for each
department and what preparations have they
made?
• What are those things that each department
needs that may be “below the radar” of
corporate planners and not easily
obtainable?
41
Departmental Readiness
• Have the departments taken any steps to
safeguard those things?
– Every Department should consider what kind
of problems an “off-site box” at a remote
storage facility could save them.
42
Departmental Readiness
• Has each department determined how to
recover work-in-progress?
• Does each department know what resources
it requires to resume business operations?
(How many computers, desks, chairs, file
cabinets, fax machines, printers, copiers,
phones, etc.?)
43
Departmental Readiness
• How quickly would each Department need
replacement resources? How much on day
1, day 3, day 5, etc.? (This is how you build
the company list.)
44
Departmental Technology
• Is the operating department responsible for
replacing desktop technology or is IT?
Does everyone understand that?
• Have you written into your plan the
minimum hardware/software configuration
you require for desktop workstations?
45
Resources
• For Clean Up / Restoration
– BMS Catastrophe (www.bmscat.com)
– ServiceMaster (www.servicemasterclean.com/)
• Mobile Office Space / Data Centers / Equipment
– Agility Recovery Solutions (www.agilityrecovery.com)
– Sungard (www.sungard.com)
– Rental Systems (www.rentsys.com)
46
Resources
• Business Continuity Education and
Certification
– DRI International (www.drii.org)
• Professional Journals – Articles and links to
vendors
– Disaster Recovery Journal (www.drj.com)
– Contingency Planning & Management
(www.contingencyplanning.com)
47
Resources
• Workplace Violence Resources
– Occupational Safety & Health Administration
(http://www.osha.gov/SLTC/workplaceviolence/)
– National Institute for Occupational Safety and Health
(http://www.cdc.gov/niosh/violcont.html)
– Minnesota Department of Labor & Industry – Workplace
Violence Prevention Resources
(http://www.doli.state.mn.us/violence.html)
– USDA Handbook on Workplace Violence Prevention and
Response
(http://www.usda.gov/news/pubs/violence/wpv.htm)
48