Business Continuity / Disaster Recovery David Shimberg, CBCP What is a Disaster? “A business disaster is that point in time after the “cause” when you can not provide your customers and users with the minimum level of services they need and expect” Why doesn’t everyone Plan? The Human Element The “it’s not going to happen to me” view or philosophy. We have a tendency to view concerns from a “life span” and personal experience aspect. – – – – It hasn’t happed yet… Not on Manager’s list of goals We’ll get to it Looks to BIG! Where do we start? You practice this at home…. You may not have thought of them as contingency plans, but at home you have: Smoke alarms Carbon monoxide alarms Family escape plans with meeting place Battery radio, flash lights Homeowners’ or Renters’ Insurance Anti Virus and firewall software Fire extinguishers and home sprinkler systems Info on the web at: American Red Cross or FEMA web sites for additional emergency information and advice Why have a Business Plan ? According to research data kept at the National Archives & Records Administration in Washington, DC: Nearly 90% of all small businesses don't have a continuity plan in place Only 43% of businesses suffering a disaster ever recover sufficiently to resume business Of those that do reopen, only 29% are still operating two years later 93% of businesses that lost their data-center for more than 9 days filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for more than 9 days filed for bankruptcy immediately. Continuity Plans Components Awareness of Roles and Responsibilities – Who will do what? Employees and staff are critical. Pandemic is an extreme example of a disaster where employee resources will be very limited! Defined recovery time objectives Risk Management to identify & reduce risks Alternate Processes (telecommuting, distance learning) Alternate recovery locations Off-site storage of critical media and non-media items Written plans, reviewed & updated regularly Frequent plan exercises Major Business Continuity Activities Complete BIA (Business Impact Analysis) 1. Identify processes & prioritize by criticality 2. Determine survival requirements 3. Determine RTOs (Recovery Time Objective) Develop Response/Recovery Strategy: 1. How will event be handled immediately? 2. How will recovery be handed (achieve survival mode)? 3. What tasks must be accomplished to achieve recovery? Develop Teams/Call Lists 1. Identify key players (and alternates) and organize teams to accomplish identified tasks 2. Develop and test notification call lists/trees BC Activities…cont’d Identify Critical Equipment, Vendors, Documents 1. Identify critical infrastructure/servers (networks, telecom, etc) 2. Identify equipment needs for (day 1, day 3, etc …) 3. Identify critical vendors (who will supply recovery equipment, etc.) 4. Identify vital records (what records if lost would cripple or hinder recovery?) Document Plans 1. Appropriate information is included, attached, or referenced, facilitating a successful response, recovery, and restoration of services 2. Plans are frequently reviewed and updated on a scheduled basis BC Activities…cont’d Exercise Plans 1. Conduct plan walk through, referencing tasks, call lists, attachments, etc 2. Conduct IT exercise, confirming application recovery meets survival needs 3. Participate in Integrated Exercise with other business units testing call trees, application and process dependencies and work- arounds meet RTOs 4. Update Plan with lessons learned, following exercise Business Continuity Efforts Include: Directing BIA and planning efforts with Business Units Awareness programs (risk reduction) Employee security & safety Coordinating BC exercises Participating in info security reviews Coordinating with local emergency agencies Managing plan tracking and evaluation Business Continuity Plans must be useful Make sure the plans that protect each of us is more than …….. Successful Business Continuity Planning helps ensure that employees and the interests of owners and customers are protected. Sponsorship is Key to Success Board of Directors or Senior executives (president, vice presidents, officers) must identify BCP a priority. Executives and senior managers must actively support the BCP Process. Business Recovery Coordinators (BRCs) within business units / departments must be actively involved, developing, implementing, and exercising BC plans, and accept ownership of their plans. Communication is Critical Employees, customers, business partners must know key information about your plan if your plan is to work. Plans must be periodically reviewed in team meetings and shared with new team members. Secret Plans won’t work! Communication….. Contact information for all team members must be current Make sure employees have Emergency Wallet Cards with key phone numbers, etc Plans must include: – Clear chains of authority – Clear listing of tasks, roles and responsibilities – DR conference lines or standing communication tools – Standing meetings (times, numbers) – Alternate meeing locations – Centralized communication facility (VM, web site, etc…) Off Site Storage is Critical ! When a facility is lost or inaccessable, all items inside are no longer available. What is needed in off site storage if you had to recover from scratch PC backup media must be stored off-site? Critical, non-media, documents and materials must be available in an off-site location, accessble by appropriate indviduals or teams during a disaster or exrecise. Key personnel must know where off-site storage items are located and to where items will be shipped (Hotsite, Incident Command Center or remain in off-site storage?) Exercises Test plan concepts and procedures frequently Identify tasks or components that do not work as expected. Identify missing tasks or contacts Reinforce individual and team roles and responsibilties Confirm and reinforce dependent interractions with other teams Increase BCP Awareness Employees Prepare themselves by: Attending sessions on BC planning Having a personal emergency plan for your family Understanding your role in your unit’s BCP plan Knowing where and who to call in an emergency (Emergency Wallet Card) Keeping emergency contact information current Participating in BC/DR exercises Challenging the status quo. If something doesn’t seem right, Question it! Supply Chain Considerations Premier, Inc – largest healthcare group purchasing organization is working with hospitals and suppliers to identify critical areas in a disaster and actions to improve response: Communications Coordination Supplies & Distribution Transportation Communications Explore alternate and multiple communication methods; VOIP, satellite, multiple cellular providers, etc. Creation of deeper communication guides; office, work, home, cell numbers. Creation of formal call-trees. Apply for TSP Authorization code to ensure priority in restoring telecommunications access and GETS program access to bypass overloaded phone circuits. Coordination Clear, advanced identification of individual roles and responsibilities. Creation of national internet site to serve as clearinghouse for information sharing and communication. Include other stakeholders in design sessions. Supplies & Distribution Creation of “core product supply lists” based on type of disaster. ER auto-substitution rules; (eg. 20cc syringe substituted with 30cc). Greater coordination among suppliers. “Emergency ship to’s” Supplies & Distribution Create Mobile fuel storage depots and mobile supply stations. Get pre-authorization from Fed’s governing authority to ship to effected locales. Create contingencies for all routes, including airdrop emergency plan. Re-think “lean inventory” model for critical supplies & perishables. Create NYC model of “integrated command center”. Pandemic Considerations Incubation period: 1 to 3 weeks Viral shedding greatest in 1st 2 days Viral shedding 0.5 to 2 days before symptoms Children shed more virus and longer than adults Each case of influenza infects two more cases Slow spread, decrease illness and death, buy time – Antiviral treatment and isolation for people with illness – Quarantine for those exposed – Social distancing – Vaccine when ready Depends on which virus Unprepared Impact Prepared Weeks Options for Prevention & Control Immunization Respiratory hygiene/cough etiquette Hand hygiene Contact avoidance – Social Distancing Antivirals Strategic National Stockpile HHS Pandemic influenza preparedness strategy and plan International surveillance Domestic Surveillance Vaccines and Antivirals Communication State and Local Preparedness 11 Supplements with detailed guidance Pandemic Influenza Preparedness Considerations Being able to work may be difficult – Plans for working at home – Adopt practices and sick-leave policies to encourage sick employees to stay home Schools may be closed – Child care planning Transportation Home supplies (good for power outages and disasters) – Non perishables, water, flashlights/batteries, medicine Infection Control Measures Healthcare facility, workplace, home, community Reduce transmissions – Masks – Cough etiquette – Hand hygiene Contact interventions – Teleconferences vs meetings – Social distancing (no handshaking, 3 feet away) – Liberal non-punitive leave policy to care for family and self Respiratory protection: Masks or N95 Respirators? Season flu – CDC recommends masks Pandemic – WHO recommends – masks for routine care – N95 for aerosol generating procedures (fit testing required by OSHA) Pandemic – HHS recommends – Masks for close contact BCP Planning Resource Contingency Planning Association of the Carolinas (CPAC) – www.cpaccarolinas.org Disaster Recovery Journal – www.drj.com/groups/drj6.html Disaster Recovery Institute International (DRII) – www.drii.org/ DHS - www.ready.gov/ FEMA - www.fema.gov/ Institute for Business & Home Safety (IBHS) – www.ibhs.org/business_protection/ Premier Safety Institute – www.premierinc.com/quality-safety/tools-services/safety/index.jsp BCP Planning Resource 9th Annual Symposium Thursday, Nov 30 - Fri Dec 1, 2006 Charlotte Marriott Executive Park, Charlotte, NC Preparing for the Coming Storm Bridging the Preparedness Gap $225 members and $275 non-members Topics and presentations include: • • • • • • • • Pandemic Preparedness How Los Angeles, CA is bridging the gap between the public and private sectors Changes in the BC Profession Practical tips and lessons learned on conducting Business Impact Analysis Considerations in establishing Incident Command Making sure your continuity planning process will actually meet your needs Participate in a panel discussion with experts Register early to get a place in the 3-hour pandemic mock exercise (limited to 104) www.cpaccarolinas.org