BCP vs. DRP Ed Waldschmidt ewaldschmidt@brotherhoodmutual.com 260-481-5361 October 9,2012 Agenda What is BCP? Does BCP have anything to do with DRP? Who should manage these functions? Lessons learned in Katrina. Can a Katrina type disaster happen here? What is BCP. • BCP stands for Business Continuity Planning • With BCP, one plans for what happens in a disaster type scenario. • Does a disaster type scenario always impact the computer • How do I keep the doors open and the lights on? What is BCP- cont. • What would one do if the computer is running fine, but the office is impacted? • What are your critical functions? Not necessarily IT related. • Can and are these functions manual? • Speaking of manual, are your processes documented? • Can you piece together your business? Does BCP have anything to do with DRP • One word answer, maybe • BCP deals with business functions and impact analysis • BCP should belong to the business side • DRP belongs to IT and should be driven by the business. This is definitely a new way of thinking. Does BCP have anything to do with DRP • One needs to get into the details of the departments • In BCP, the user departments learn RTO (recovery time objective) and RPO (recovery point objective) • The shocker to the point above is that they do not mean the same. This takes diligence • Designing a BCP plan takes time. • Aon was lucky during Katrina – only 13 employees in New Orleans • What if Chicago? Ouch. • How does your employees react in a crisis situation? BIA, BCP, DRP WHAT?? • What is in BIA? Business Impact Analysis. • Determine critical functions of business not applications • On the critical functions of business determine what is the impact if this function is not performed Day 1, Day 2, Day 3 and so on. • Determine the RPO and RTO of each function. Recovery Point Objective and Recovery Time Objective respectively BIA,BCP,DRP WHAT (cont) • Your BIA drives the rest of the plans. Make sure you put time here. • Next in plan building, create your Business Continuity Plan from your BIA. • The BCP will document the who, the what, and the why of the recovery effort. • After the BCP document is created, then this document drives the DRP. Considerations Local disasters – only impact the local community Regional disasters – Katrina impacted a 750 square mile area. 9/11 although local impacted more regional. Eastern Seaboard. National disasters - War or attacks Considerations (cont) • Employees who are impacted by disaster really don’t care about work like they did prior to the disaster. • Be willing to work with less than full staff and critical employees might be impacted. • Manual processes will be missed. • Procedures will be out of date • No time for micro managing. Other issues • • • • Phone lists will be out of date. HR records are not kept up Communication avenues may not work Mail is one often overlooked problem, and include in this next day deliveries. • Local deliveries. New Orleans Day 2 9/11 & Katrina thoughts • At Aon during 9/11, the New York office had to go through the phone book to see if they recognized any clients names. This happened because their plan was on the 102 floor of tower 1 burning up. No other copies. • Katrina – New Orleans office could not forward phones because call forwarding had to be done at the office in the city which was under water. 9/11 & Katrina thoughts (cont) • Mail could not be forwarded because the USPS was not ready for this type of disaster. This includes overnights. • Text message was the only communication is available for the employees in the New Orleans office. Set up a conference bridge. • Make sure Senior Management leaves impacted area. • Have HR on board. 9/11 & Katrina thoughts (cont) • Remember paper • Plans need to be offsite • Data recovery media not local. New Orleans office used Iron Mountain in New Orleans and this facility was under water. • Travel restrictions. • Can a Katrina type disaster happen in Fort Wayne?