Business Contingency Planning

Association of Contingency Planners
Dedicated to the evolution of Business Continuity
Greater Tampa Bay Chapter
Business Contingency
Planning
Steve Elliot & Allen Patrick
Association of Contingency Planners
Greater Tampa Bay Chapter
www.gtbacp.com
The Association of Contingency Planners
(ACP) is a national, not-for-profit professional
association with members from the business
continuity, emergency management, and
disaster recovery professions. Our members
represent the private and public sectors, as
well as higher education, faith-based, and
non-profit organizations across the country.
What is Business Continuity?
Business Continuity/Preparedness
Planning – What’s Important
Overview – Planning Elements
1. Lay out a program plan… a vision
2. Management Support
3. Risk Analysis
4. Incident Response Planning
5. Recovery Planning
6. Training & Awareness
7. Exercises
8. Maintenance
9. Supplemental Info… resource links & suggestions
Continuity and Preparedness
Basic Definition:
A business preparedness and continuity
program aims to prevent or mitigate,
respond effectively to, and recover
from the effects of business disrupting
events.
Emphasize personnel safety!
Management Support
Key Points:
– Secure support from the top level
manager/executive … Ask what keeps them awake
at night;
– Obtain an executive level manager as a
sponsor/champion and lead for a steering
committee;
– Establish a budget and planning team;
– Arrange for an announcement to the organization
endorsing the program, summarizing your role, and
explaining the organization’s involvement
expectations – both budget and participation.
Respect People’s Time
Even with upper management’s
endorsement, respect people’s
time and their need to balance
continuity/preparedness
planning priorities with their
primary business priorities!
Pragmatic approach…
Apply “practical due diligence” when
establishing a business continuity program.
Initially, program needs to focus on the key
planning elements:
1) Reliable Communication
2) Preparedness, Response, and Recovery
Teams
3) Team Tasks and Responsibility Lists
(Recommend plan templates for consistency
and clarity. Adapt plans to size or
complexity of the organization.)
Pragmatic approach…
Apply “practical due diligence” when
maturing a business continuity program:
1) Prioritize and implement projects in phases
based upon the best use of time and
money; defer capabilities of marginal
use… Lay out a maturity roadmap;
2) Program should be scalable. Processes
should be scalable;
3) Operational structure and tools should
conform to day-to-day business model
as much as possible.
Risk Assessment – Threat &
Vulnerability Assessment
– Threat and Vulnerability Assessment
• Keep it simple;
• Develop a strawman assessment;
• Engage stakeholders such as: Facilities, Security,
HR, IT, Finance, Supply Chain, core business
managers, etc. to build on the strawman;
• Target at a Site/Facility-level (or sites/facilities if in the
same geographical area and similar in operation) if
possible; Process level if necessary;
• For mitigation, leverage basic prevention, early
warning, and mitigation infrastructure, e.g. fire
suppression, security, fire alarms, evacuation plans,
data backups, backup power, etc.
Risk Assessment
– Threat and Vulnerability Assessment
• Keep it simple
• Site/Facility-level (or sites/facilities if in the same
geographical area and similar in operation) if
possible
– Business Impact Analysis
• Key info: What are the critical business
processes and what is their recovery order
• What are the critical operational and
infrastructure processes that need to be
recovered in order to recover the critical
business processes… and what is their recovery order
www.emsa.ca.gov/disaster/files/kaiser_model.
Risk Detail
Above added as Comments in each Risk cell. Event label entered in comment to clarify relationship of comment to the risk to
which it applies.
Risk Assessment: Business Impact Analysis
(BIA) - Before you start…
Understand how the results of the BIA are going
to be used and make sure each question
relates to that purpose.
• Primary objective: What are the critical core
business processes and recovery priorities;
• Secondary: (RTO & RPO) Return Time
Objective & Return Point Objective;
• Tertiary: Core business process
dependencies (Optionally, these can be
identified in the recovery planning process.)
Risk Assessment: Business Impact Analysis
(BIA) - Before you start…
Last thing you want to hear from management
after you present the results is: “OK, now tell
us something we didn’t already know.”
Lesson learned – Find out what management
doesn’t know up front. If they already know
what it is you need to know… get it from them
before putting the organization through the
BIA process.
Response Plan
Based upon the Threat and Vulnerability
Assessment, supplemented with regulatory
requirements, establish an Incident
Response/Emergency Plan
– Establish an Incident Response/Management Team
(IRT);
– Address the top level threats and regulatory
requirements;
– Include contact information for the IRT and key
outside support organizations, e.g. law
enforcement, fire & rescue, response & restoration
suppliers, etc.;
Response Plan
– Include key infrastructure maps, e.g. water valves,
electrical panels, gas shut-offs, HAZMAT & other
emergency supplies, etc.;
– Provide employee-level response guidance, e.g.
incident reporting, alarm activation, evacuation,
employee accounting, etc.;
– Make the plan available at appropriate level to
audience…
Samples: Campus or building flip charts
and employee hang tags or wallet cards
Response to Recovery Transition
[Diagram labels: Response & Recovery Oversight; Damage Assessment; Response; Recovery]
Recovery Plan
Develop a strategy for each critical business and
operational process…
– Strategy could include more than one option… like
a football playbook… use the recovery option
appropriate to the situation;
– Continuance doesn’t necessarily mean resuming in
the same or a centralized alternate facility… For
large enterprises could mean deferring to personnel
performing the same function at another location;
Temporarily outsourcing; Individuals working
remotely with notebook computers & cell phones;
etc. – TEST
Recovery Plan
Plan components…
– Recovery team(s) with a team lead(s) and
alternates and contact information
– Engagement process and communication methods
– Meeting location w/alternates – team operation
center
– Alternate operations options
– Recovery responsibility & task lists
Awareness and Training…
Establish an awareness program for
all levels, e.g. Execs, Planners and
various teams’ members,
employees, contractors, visitors…
Awareness and Training…
Key Points:
– Employees as a whole, e.g. Newsletter
announcements, emails, and articles, posters,
wallet cards & hang tags, workshops, on-line
training, family preparedness
(http://www.ready.gov), etc.
– Individual teams, e.g. walk-through exercises, team
reviews, function-level incident exercises, rotate
planning maintenance role, etc.
– Community responders, e.g. periodic meetings,
facility walk-throughs, participation in awareness
week-type activities, etc.
– Management
Engage Senior Mgmt.
Refresh Management
Support…
Back to Step one
Nationally, ACP represents 2700
members in 44 different Chapters
around the United States. In addition we
have a growing virtual population of
members from around the globe.
Our local Chapter is made up of 80
members from organizations like
Raytheon, Raymond James, Franklin
Templeton, HSN, TECO, Tech Data,
Valpak, USF, County and City
governments, credit unions, the Red
Cross, the YMCA, various consulting
firms and vendors, etc.
Typical monthly programs include:
County Emergency Operations Center
Local Media Outlets
National Weather Service
US Coast Guard
DHS / FEMA / State Emergency Management
Behind the scenes at sports venues / museums / attractions
Public Information Officer & Emergency Management leaders
Table-top Training Exercise / Disaster Simulation Game
Public-Private Partnerships (Red Cross, United Way, Regional
Planning Councils)
Hospital / Healthcare Emergency Management
Tours of Interesting Local Businesses
Lessons Learned from Econ. Dev. & Recovery Agencies
Questions?
For more information about the
Greater Tampa Bay Chapter of the
Assoc. of Contingency Planners,
please visit: www.gtbacp.com
Resources…
Threat (Hazard) & Vulnerability template (Consider
listing all threats in one worksheet to facilitate
criticality rank comparisons.)
www.emsa.ca.gov/disaster/files/kaiser_model.xls
SafetyInfo.com - Response/Emergency Planning
4 STEPS IN THE PLANNING PROCESS - For
Details See:
http://www.safetyinfo.com/guests/Emergency%20Planning%20-%204%20Step%20Planning.htm
Resources…
Flip chart model:
http://police.wvu.edu/emergency_flip_chart
Business Continuity Maturity Model – Virtual Corp’s free open
access maturity and sustainability tool…
http://virtual-corp.net/html/bcmm.html
Leadership and the importance of communication in the midst
of crisis interview with Rich Irwin, former Senior Special
Operations Program Officer in the CIA:
http://www.bulletproofblog.com/2010/10/21/bulletproofinterview-special-%E2%80%93-richard-irwin-on-effectivecrisis-management-and-preparedness/