Continuity Planning An Overview… 1 Continuity Planning Bill Scott CBCP Contingency Planning Coordinator Great Lakes Educational Loan Services, Inc. (608) 246-1442 bscott@glhec.org 2 What Is Continuity Planning? To begin answering that question let’s define an incident… Simply stated, an incident can be any accidental or intentional event that causes significant disruption to a company’s operation for a period of time. 3 So Why Do Continuity Planning? You do Continuity Planning to provide a planned and controlled method of anticipating and responding to those incidents that are likely to interrupt key business activities. 4 Continuity Planning Is a business owned and driven activity that can provide the strategic and operational framework to review the way your organization provides its products and services and increase its resilience to disruption, interruption or loss. 5 Continuity Planning By doing so your continuity plan should help you ask and answer the following: What would my financial losses be and how can I avoid them? What legal requirements do I need to meet? How can I avoid loss of market share? How can I protect the safety of my assets, including employees ? How can I mitigate negative publicity? 6 The Continuity Planning Life-Cycle There are five basic steps that should be followed when developing a continuity plan: 1. 2. 3. 4. 5. Analyze your business Assess the risks Develop your strategy Develop your plan Rehearse the plan Due to the rapidly changing nature of business conditions the process is not static, but cyclical. 7 Analyze Your Business • This is the first stage of the business continuity planning life-cycle because it is necessary to understand from the start exactly where your business is vulnerable. • You will need the fullest possible understanding of the important processes of your business and between you, your customers and suppliers. • This stage of the process will also help to gain the involvement and understanding of other people and departments. 8 Assess the risks… There are two aspects to every risk to your organization: • How likely is the risk to happen? • What effect will it have on your organization? Continuity Planning will provide a framework for assessing the impact of each one. 9 Assess the risks… Many organizations usually define their assessment in terms of cost. For example: • How much could you afford to lose if an incident prevented you from doing business for days, weeks or months? • How would employees, business partners, suppliers, customers and potential customers react if your business received adverse publicity because you were unprepared for an incident? 10 Assess the risks… There are three ways to work with the information you have gathered to provide an assessment of the risks. Ask 'what if?' questions. Ask what the worst-case scenario is. Ask what functions and people are essential, and when. 11 Develop Your Strategy… Whatever type of organization you are, you will probably choose one of the following strategies: • • • • • Accept the risks – do/change nothing. Accept the risks, but make a mutual arrangement with another business or a business continuity partner to ensure that you have help after an incident. Attempt to reduce the risks. Attempt to reduce the risks and make arrangements for help after an incident. Reduce all risks to the point where you should not need outside help. 12 Develop Your Strategy… Your attitude to risk will be partly based on the costs of delivering effective business continuity. When working these out, remember to include both money and people's time. 13 Develop Your Plan… Once your strategy has been decided upon, the plan can be put in place. Business continuity management plans will look different for different organizations. However, most good continuity plans share some important features: • • • • • • Make it clear who needs to do what, and who takes responsibility for what. You should always include backups to cover key roles. Use check lists that people can easily follow. Include clear instructions for the crucial first hours after an incident. Include a list of things that can be thought about after the first hours. A plan of how often, when and how you will review your plan to make sure it is always a 'living document'. 14 Develop Your Plan… A good plan will be simple without being simplistic. You will never be able to plan in detail for every possible event. Remember that people need to be able to react quickly in an emergency: stopping to read lots of detail will make that more difficult. 15 Exercise Your Plan… • A Continuity Plan is a living document and sometimes, you only discover any weaknesses it has when you put it into action. • Exercises help you confirm that your plan will be cohesive and robust if you ever need it. 16 Exercise Your Plan… Exercises are also good ways to train staff that have business continuity responsibilities. Possible ways to exercise the plan include: • Paper-based exercises (table-top exercises) • Telephone tree call outs • Functional exercise • Surprise exercises You need to develop strategies that enable you to check the entire plan with minimum cost and disruption to day-to-day processes. 17 Continuity Planning Remember: • People are your most important asset. • Murphy does EXIST!!! • The Boy Scouts got it right… BE PREPARED… • It can’t hurt! 18