BCP/DRP - ISACA Bangalore Chapter

BCP/DRP Consultancy Project - An Approach
By D V Ramamohan
Global Head of IT Consultancy Practice
3i Infotech Ltd
Agenda

- Overview of BCM - BCP/DRP?
- Approach to Execution of BCP/DRP Assignments
- Interaction
2 - Confidential
What is BCM?

Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.
What is BCP/DRP?

The difference between business continuity and disaster recovery is not a 'what' but a 'whose'.

This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning, which has been closely, if not solely, associated with information technology. By changing the focus, the emphasis is placed on the whole business, not just on technology issues alone. This reinforces the concept of continuity of all key processes, extending beyond information technology systems, important though they are in modern business.
Why BCP-DRP?

Threats to Availability:
- DATA CORRUPTION
- COMPONENT FAILURE
- APPLICATION FAILURE
- USER ERROR
- MAINTENANCE
- SITE OUTAGE
Goals of Disaster Recovery Planning

Disaster scenarios and recovery strategies:
1. "Building on fire / Shambles": alternate site, hot site vendor, data vaulting
2. Facility stands inaccessible: remote connectivity, tape libraries
3. Facility accessible, physical failure: redundant systems, HW vendor SLAs
4. Facility and equipment operational, logical failure: standards, documented procedures, security
Why DRP? A few statistics

Major disasters: 9/11 attack, UK bombings, flooding in Mumbai, earthquake in Indonesia.

Other statistics:
- % of hardware failure (research shows 80%)
- % of operational error
- Cost per hour of downtime: $78,000
- Average incidents per hour: 9
- Hours per incident: 4.2 hrs
- Downtime cost per year: $2,970,000

Source: Contingency Planning Research conducted on 450 Fortune 1000 companies
Let us execute a DRP assignment…
What will be the scope of work?

Subjects:
- IT Systems/Applications/Data
- Data Centre/Facilities/Services
- People

Technical/Functional:
- Disaster Recovery Strategy and Solutions
- Disaster Recovery Plan and Procedures
- Implementation guidance to implement proposed solutions
- Testing the Plan
- Training
What will be the deliverables?

- Business Impact Study Analysis and Risk Assessment Report
- Disaster Recovery Strategy vis-à-vis Scenarios
- DR Solution Architecture
- DR Team Organization and Roles
- Disaster Recovery Plan and Procedures
- Setting up Disaster Recovery Site, if need be
- Test Plans / Mock drill reports
- Maintenance Plan
- Training
What should be the approach?

Project Management Methodology: your own
- Kick-off meeting
- Execution
- Closure meeting

Execution of the assignment:
- Step one: Key IT assets identification and RA
- Step two: Business impact analysis (BIA)
- Step three: Design continuity treatments
- Step four: Document the plans
- Step five: Implement continuity treatments
- Step six: Test and maintain the plan
- Step seven: Training
Step one: Key IT Assets identification and RA
Asset identification

Obtain/inventory the key assets:
- Hardware
- System Software
- Applications
- Data
- People
- Facilities/Services

Perform risk analysis:
- Qualitative
- Quantitative
- Judgemental
Risk Assessment and Management (process diagram)

- Asset identification and valuation
- Identification of vulnerabilities
- Identification of threats
- Business risks
- Rating/ranking of risks
- Level of acceptable risk
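To make the rating/ranking step concrete, here is an added Python example; it is not part of the presentation and not 3i Infotech's method. It scores each asset/threat pair as asset value x threat likelihood x vulnerability, ranks the results, and separates the ones above a stated level of acceptable risk (the treatment backlog); a small annualized loss expectancy function covers the quantitative variant. The 1-5 scales, the acceptable level of 20, the sample inventory and the use of SLE x ARO are assumptions made for the example; the threat names are the ones listed under Threats to Availability.

```python
"""Rate and rank availability risks for a DR asset inventory.

Added example, not part of the presentation. Asset categories and the
threat names are the slide's; the scoring scales, the acceptable-risk
level and the sample inventory are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str  # Hardware, System Software, Applications, Data, People, Facilities/Services
    value: int     # business value on a 1 (low) .. 5 (critical) scale (assumed scale)


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str          # e.g. DATA CORRUPTION, COMPONENT FAILURE, SITE OUTAGE
    likelihood: int      # 1 (rare) .. 5 (expected often) (assumed scale)
    vulnerability: int   # 1 (strong control in place) .. 5 (no control) (assumed scale)


@dataclass(frozen=True)
class RiskRating:
    asset: str
    threat: str
    score: int
    acceptable: bool


def rate_risks(assets, exposures, acceptable_level):
    """Qualitative rating: value x likelihood x vulnerability, ranked highest first."""
    values = {a.name: a.value for a in assets}
    ratings = []
    for e in exposures:
        # An exposure against an asset that is not in the inventory is a data error,
        # not a low risk: refuse to rate it silently.
        if e.asset not in values:
            raise KeyError(f"exposure names an asset missing from the inventory: {e.asset!r}")
        score = values[e.asset] * e.likelihood * e.vulnerability
        ratings.append(RiskRating(e.asset, e.threat, score, score <= acceptable_level))
    return sorted(ratings, key=lambda r: (-r.score, r.asset, r.threat))


def treatment_backlog(ratings):
    """Risks above the acceptable level, i.e. those that need a continuity treatment."""
    return [r for r in ratings if not r.acceptable]


def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """Quantitative rating: expected yearly loss from one threat against one asset."""
    return single_loss_expectancy * annual_rate_of_occurrence


# Constructed inventory for a small data centre.
SAMPLE_ASSETS = [
    Asset("Core banking database", "Data", 5),
    Asset("Application server", "Hardware", 4),
    Asset("Tape library", "Facilities/Services", 2),
]

# Constructed exposures, one line per asset/threat pair identified in the workshop.
SAMPLE_EXPOSURES = [
    Exposure("Core banking database", "DATA CORRUPTION", likelihood=2, vulnerability=4),
    Exposure("Core banking database", "SITE OUTAGE", likelihood=1, vulnerability=5),
    Exposure("Application server", "COMPONENT FAILURE", likelihood=3, vulnerability=2),
    Exposure("Application server", "MAINTENANCE", likelihood=4, vulnerability=1),
    Exposure("Tape library", "USER ERROR", likelihood=3, vulnerability=3),
]

ACCEPTABLE_LEVEL = 20  # constructed: scores at or below this need no further treatment

RATINGS = rate_risks(SAMPLE_ASSETS, SAMPLE_EXPOSURES, ACCEPTABLE_LEVEL)

if __name__ == "__main__":
    for r in RATINGS:
        print(f"{r.score:3}  {r.asset:24} {r.threat:18} {'ACCEPT' if r.acceptable else 'TREAT'}")
    print("risks needing treatment:", len(treatment_backlog(RATINGS)))
```

The ranking is what feeds the BIA and the treatment design: the three pairs above the acceptable level are the ones a continuity treatment must address, and the two below it are recorded and accepted by management rather than engineered away.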
Step Two: Business Impact Analysis
Business Impact Analysis

- Establish the organization's recovery requirements
- Requirements defined by business units
- Identify and define critical business processes
- Identify systems
- Identify recovery timeframes and recovery objectives for each process
- IT Department's involvement is the enabler for the plan
Step Three: Design Continuity Treatments
Recovery objectives (figure)

The figure shows two scales meeting at the moment of the disaster: on the left, data loss (Recovery Point Objective) running from weeks down to seconds; on the right, downtime (Recovery Time Objective) running from seconds up to weeks. Technologies are placed along the scales: Mirroring / Replication, Clustering, Backup, Restore from Disk, Vaulting, Restore from Tape.
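The figure only places technologies along a scale; the design step has to turn each business unit's RTO/RPO into a concrete choice. The following Python example is added here and is not the presentation's or 3i Infotech's own tool. It parses BIA-sheet durations, picks for each process the cheapest listed data-protection option whose worst-case data loss is within the RPO and the cheapest recovery option whose worst-case restore time is within the RTO, flags processes that none of the listed options can meet, and orders the restoration sequence by RTO. The technology names are the figure's; the numeric capability attributed to each technology (mirroring as zero loss, nightly backup as one day, clustering as five minutes, and so on), the pairing of the three left-hand and three right-hand technologies, and the sample BIA entries are assumptions made for this example.

```python
"""Turn BIA recovery objectives into a DR technology choice per process.

Added example, not part of the presentation. The technology names come
from the slide's RPO/RTO figure; the numeric capability of each
technology and the sample BIA entries are constructed for this example.
"""
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """Parse a BIA-sheet value such as '30s', '15m', '4h', '2d' or '1w' into seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhdw])\s*", text.lower())
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


@dataclass(frozen=True)
class RecoveryObjective:
    process: str
    rto: int  # Recovery Time Objective: seconds of downtime tolerated
    rpo: int  # Recovery Point Objective: seconds of data loss tolerated


# Assumed worst-case data loss (RPO) each data-protection option delivers,
# cheapest option first. Synchronous mirroring is taken as zero loss.
DATA_PROTECTION = [
    (UNITS["w"], "Vaulting"),
    (UNITS["d"], "Backup"),
    (0, "Mirroring / Replication"),
]

# Assumed worst-case restore time (RTO) each recovery option delivers,
# cheapest option first.
RECOVERY_MECHANISM = [
    (UNITS["w"], "Restore from Tape"),
    (UNITS["d"], "Restore from Disk"),
    (5 * UNITS["m"], "Clustering"),
]


def cheapest_option(required, options):
    """Return the first option whose worst case is within the requirement, else None."""
    for worst_case, technology in options:
        if worst_case <= required:
            return technology
    return None


def select_strategy(objective):
    """Pick (data protection, recovery mechanism) for one process, or None if no option fits."""
    data = cheapest_option(objective.rpo, DATA_PROTECTION)
    recovery = cheapest_option(objective.rto, RECOVERY_MECHANISM)
    if data is None or recovery is None:
        return None
    return data, recovery


def build_recovery_plan(objectives):
    """Map each process to a strategy; list processes whose objectives no listed option meets."""
    plan, unmet = {}, []
    for objective in objectives:
        strategy = select_strategy(objective)
        if strategy is None:
            unmet.append(objective.process)
        else:
            plan[objective.process] = strategy
    return plan, unmet


def recovery_sequence(objectives):
    """Order of restoration: the process with the shortest RTO comes back first."""
    return [o.process for o in sorted(objectives, key=lambda o: (o.rto, o.process))]


# Constructed BIA output: (process, RTO, RPO) as a business unit would state them.
SAMPLE_BIA = [
    RecoveryObjective("Online payments", parse_duration("15m"), parse_duration("30s")),
    RecoveryObjective("Payroll", parse_duration("2d"), parse_duration("1d")),
    RecoveryObjective("Archive reporting", parse_duration("2w"), parse_duration("1w")),
    RecoveryObjective("Trading desk", parse_duration("1m"), parse_duration("0s")),
]

if __name__ == "__main__":
    plan, unmet = build_recovery_plan(SAMPLE_BIA)
    for process in recovery_sequence(SAMPLE_BIA):
        print(f"{process:20} {plan.get(process, 'NO LISTED OPTION MEETS RTO/RPO')}")
    print("needs a bespoke solution or a revised objective:", unmet)
```

The unmet list is the useful output for the consultant: a one-minute RTO is outside everything on the figure, so that process either gets a solution beyond the listed options or goes back to the business unit to revisit the objective, rather than being quietly assigned the nearest technology.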
Step Four: Document the plans
Document Plans

- Organization of the teams
- Detailed procedures: technical & manual
- Workarounds
- Emergency response flow
- Emergency contact lists
- Crash kits
BCP Team Organization (org chart)

Business Continuity Committee (Management Authorization)
- BCP Team Leader
- BCP Spokesperson
- Internal Auditor

Execution Teams:
- Emergency Action Team
- Damage Asst. & Salvage Team
- Relocation Team
- IT Team
- Admin, Security & Support Team
- Operations Team
Documentation should cover:
- Risk Management
- Environmental Management
- Emergency Management
- Crisis Management
- IT Disaster Recovery
- Knowledge Management
- Facility Management
- Human Management
- Supply Chain Management
- Security and Privacy
- Health and Safety
- Communications / PR
- Enterprise business process, people and technology
Step Five: Implement Continuity Treatments
Step six: Test/Exercise the plans
Test/Exercising the Plans

Controlled test of procedures:
- Structured walkthroughs
- Desktop tests
- Simulation test
- Partial technical tests
- Full-scale tests

Allows management to understand:
- Inaccuracies
- Omissions

Apply lessons learned: revise procedures and incorporate them into the plan.
Step Seven: Training
Training

- Create corporate awareness of the developed plans
- Teams need to be made knowledgeable of their role
- Train primary & alternate contacts
- Awareness of task handling (JD) for the team

"Management support is key for any BCP-DR activity"
A few websites

- www.pas56.com: guide for BCM
- www.thebci.org: BC guidelines
- www.bsi-global.com: BS 25999 (replacement of PAS 56)
- www.iso.org/iso/catalogue_detail?csnumber=41532: ISO/IEC 24762:2008
Interaction