BCP workshop 150906
Business Continuity Planning
A practical guide
Adam Lawrence, Director Terrorism Risk
ROSS CAMPBELL & ASSOCIATES
Introduction
Ross Campbell & Associates Crisis Management & Recovery
o Business resilience strategies
o Clients in 25 countries
  – Workshops & reviews
  – Preparedness audits
  – Executive training
  – Corporate plans & enterprise-wide programs
  – Simulation exercises, walk-through rehearsals, capability tests
  – Alignment of Crisis Management, Business Continuity, issues management, emergency management
o Managing the worst-case scenario
Agenda
o Introduction – case studies and context
o Business Continuity Management – an overview
o Identifying plausible disruption scenarios
o Business Impact Analysis
o Response-Resumption-Recovery
o BC Plan - the essentials
o Leadership and governance
o Rehearsing the plan and capability testing
Purpose
o Raise awareness
o Enhance capability of QUESTNET member institutions in responding to and recovering from a major disruption
o QLD Government initiative to protect Mass Gathering Infrastructure in light of the threat of terrorism
Video compile
Terrorism – HSBC (Bank)
o Istanbul, Turkey
o 20 November 2003
o Car bomb
o 26 killed
o 450 wounded
Utilities failure – US power outage
“In just three minutes, starting at 4.10pm, 21 power plants shut down”
CNN, 14 August 2003
Telco infrastructure failure
‘Telstra says more than 16,000 of its network cables were accidentally severed in the past 12 months’
The Age, 25 July 2005
Data centre failure
‘Multiple failures at a datacentre run by CSC left hospital trusts without access to patient administration systems for up to five days’
ComputerWeekly.com, 13 Sep 2006
SARS
o Began in Asia February 2003
o Within weeks reported in 25 countries
o Impact on airlines, tourism industry
o Impact on businesses with operational links to Asia
o Learnings for Avian ‘flu preparedness?
Crisis/disaster impacts
o People harmed
o Disruption to operations
o Asset damage
o Loss of reputation
o Loss of customer/public support
o Financial loss
o Increased regulation
o Increased insurance premiums
o Legal action
o Destabilisation of senior management
Monash shootings 2002
ABC Interviewer: “…no amount of training can equip you for what happened yesterday?”
Vice-Chancellor: “…we had a crisis management exercise of something similar to this about three months ago, which actually helped us through all of this…”
ABC Radio, October 2002
What is Business Continuity?
‘The uninterrupted availability of all key resources supporting essential business functions’ (ANAO, 2000)
Keeping the wheels of business in motion following a material disruption (irrespective of the cause)
Key strategic risk – that an organisation is unable to remain operational
Related disciplines
o Emergency Management
o ICT Disaster Recovery (service disruption, data loss)
o Salvage and recovery (damaged hard-copy files)
o Issue Management (public perception/reputation)
o Government response
o Crisis Management – the worst-case scenario (during the acute/emergency phase of response) ~
  “A crisis is an adverse situation that has the potential to cause serious harm to people, operations, assets, earnings, reputation or brand”
Common capability gaps
o Plans lacking fundamental components ~ WHO-WHAT-WHEN-WHERE-HOW-WHY
o Unspecified or vague (contingency) roles and tasks
o Lack of pre-designated alternative venues
  – Alternative/back-up venues in same precinct
  – Ill-equipped contingency venues
o Lack of alternate/deputy (contingency) roles
o Un-rehearsed plans & call-out procedures
o No pre-designated spokesperson
o No documented Business Impact Analysis (BIA)
Common capability gaps (cont.)
o Insufficient understanding of or linkages to government response
o Sole reliance on mobile telephones to co-ordinate the response (prone to failure)
o Insufficient protocols for communication with staff, visitors, students
o Recovery times (RTOs) not specified
o Lacking 24/7 remote access to HR/vendor contact details
o Lack of confidence in documented plans – too much information
Critical success factors
o Learn from the experience of others
  – address the common capability gaps
o Clear command structure
  – Have a group that has authority to invoke recovery plans and manage strategic ramifications (Crisis Management Team)
o Clear communication & reporting channels (between Head Office and subordinate entities including first responders)
o Identify alternative command venue/s and contingency work accommodation
o Ensure adequate incident notification and call-out procedures
Other challenges
o Extreme stress
o Cause may be beyond your control (3rd party dependency)
o Determining people’s whereabouts/safety
o Implications of rapid and intrusive media
o Rumours and innuendo – bad news travels fast
o Panic/hysteria
o Aspects of government response may be beyond your influence
  – Understand the rights/obligations of all responders
  – Jurisdictional responsibility
crisismanagement.com.au
Operational Risk Assessment
o What does the organisation depend on to operate?
o What can happen?
o When, where and how?
o What are the critical processes or assets?
o Workshop hypothetical scenarios
o Interviews with principal staff/department heads
o Site inspection (ideally by third party)
o Event/media monitoring, industry briefs, case studies
  – learn from the experiences of others
Identifying disruption scenarios
Consider worst-case (total loss) disruption scenarios ~
o Loss of building
o Loss of precinct
o Denial of access to building for a limited time
o Loss of ICT (data)
o Loss of ICT (voice)
o Loss of vital (non-electronic) records
o Loss of key staff
o Loss of key dependencies
Source: APRA Prudential Standard APS 232 Business Continuity Management
Business Impact Analysis (BIA)
o Undertaken for all key business processes ~
  – Call management
  – Service activations
  – Service restorations
  – Escalation management
  – Vendor management
o Sets recovery processes, in the event of a high-impact disruption/loss (outage)
o Establish a scenario as an aid to planning ~
  – Physical event, e.g. fire, flood, earthquake, terrorist attack
  – Assume worst case, e.g. total destruction of workplace and primary ICT resources
What would happen if?
o Work with “business owner” or departmental representatives ~
  – Workshop/group approach
  – One-on-one interviews
o Determine Maximum Acceptable Outage (MAO) ~
  – Maximum time it will take before an outage threatens an organisation achieving its business objectives
  – Max survival time before recovery procedures must commence
o Qualify consequences/costs of impacts ~
  – By timeframes (1 day, 1 week, 1 month)
  – Simple narrative/description
  – Formal risk rating (negligible-extreme)
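As an added example, not part of the deck or its author's material, the following Python sketches a BIA worksheet along the lines of the bullets above: impacts rated per timeframe (1 day, 1 week, 1 month) on a negligible-to-extreme scale, MAO derived as the first timeframe at which the impact becomes unacceptable, and a check of the planned RTO against that MAO (unspecified RTOs are one of the common capability gaps listed earlier). The five-step rating scale, the day values given to the three timeframes, the "major" threshold and all sample ratings and RTOs are assumptions; only the five process names are the deck's own BIA examples.

```python
"""BIA worksheet helper (added example): impact by timeframe, MAO and RTO gap check.

Assumptions not taken from the deck: the five-step rating scale, the day values
assigned to the three timeframes, the 'major' threshold for an unacceptable
outage, and every sample figure in SAMPLE below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Formal risk ratings, least to most severe (assumed five-step scale).
RATINGS = ["negligible", "minor", "moderate", "major", "extreme"]

# The deck's three timeframes, mapped to days so MAO and RTO can be compared.
TIMEFRAME_DAYS = {"1 day": 1, "1 week": 7, "1 month": 30}


@dataclass
class ProcessImpact:
    name: str
    impacts: Dict[str, str]      # timeframe -> rating, agreed with the business owner
    rto_days: Optional[int]      # planned recovery time objective; None if not set
    narrative: str = ""          # simple description of consequences


def rating_level(rating: str) -> int:
    """Numeric severity of a rating; rejects values outside the agreed scale."""
    if rating not in RATINGS:
        raise ValueError(f"unknown rating: {rating!r}")
    return RATINGS.index(rating)


def maximum_acceptable_outage(proc: ProcessImpact, threshold: str = "major") -> Optional[int]:
    """MAO in days: the earliest timeframe at which the rated impact reaches the
    threshold, i.e. the point where the outage threatens business objectives.
    None means no worksheet timeframe reaches the threshold."""
    for timeframe, days in sorted(TIMEFRAME_DAYS.items(), key=lambda kv: kv[1]):
        if rating_level(proc.impacts[timeframe]) >= rating_level(threshold):
            return days
    return None


def rto_gap(proc: ProcessImpact, threshold: str = "major") -> str:
    """Flag the common capability gap: an unspecified RTO, or an RTO that does
    not beat the MAO (recovery must commence before the MAO is reached)."""
    if proc.rto_days is None:
        return "RTO not specified"
    mao = maximum_acceptable_outage(proc, threshold)
    if mao is None or proc.rto_days < mao:
        return "ok"
    return f"RTO {proc.rto_days}d >= MAO {mao}d"


def prioritise(procs: List[ProcessImpact], threshold: str = "major") -> List[str]:
    """Recovery planning order: shortest MAO first, then highest 1-day impact."""
    def sort_key(p: ProcessImpact):
        mao = maximum_acceptable_outage(p, threshold)
        return (mao if mao is not None else float("inf"), -rating_level(p.impacts["1 day"]))
    return [p.name for p in sorted(procs, key=sort_key)]


# Constructed sample worksheet using the deck's five process names; ratings and
# RTOs are illustrative values, not figures from the presentation.
SAMPLE: List[ProcessImpact] = [
    ProcessImpact("Call management",
                  {"1 day": "moderate", "1 week": "extreme", "1 month": "extreme"}, 2,
                  "Calls go unanswered; backlog grows daily"),
    ProcessImpact("Service activations",
                  {"1 day": "minor", "1 week": "moderate", "1 month": "major"}, 14),
    ProcessImpact("Service restorations",
                  {"1 day": "major", "1 week": "extreme", "1 month": "extreme"}, None),
    ProcessImpact("Escalation management",
                  {"1 day": "minor", "1 week": "major", "1 month": "extreme"}, 10),
    ProcessImpact("Vendor management",
                  {"1 day": "negligible", "1 week": "minor", "1 month": "moderate"}, 21),
]


def worksheet(procs: List[ProcessImpact] = SAMPLE) -> List[Dict[str, object]]:
    """One row per process, in recovery priority order."""
    by_name = {p.name: p for p in procs}
    return [{"process": n,
             "mao_days": maximum_acceptable_outage(by_name[n]),
             "rto_days": by_name[n].rto_days,
             "gap": rto_gap(by_name[n])}
            for n in prioritise(procs)]


if __name__ == "__main__":
    for row in worksheet():
        print(f"{row['process']:<24} MAO={row['mao_days']!s:<5} RTO={row['rto_days']!s:<5} {row['gap']}")
```

Run as a script it prints the ranked worksheet; with the sample values, "Service restorations" comes first (major impact within a day, no RTO set) and "Escalation management" is flagged because its 10-day RTO does not beat a 7-day MAO. The threshold is a parameter so a workshop can see how the ranking shifts if "moderate" rather than "major" is treated as unacceptable.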
Recommended reading - BIA
o Better Practice Guide Business Continuity Management – Keeping the wheels in motion, ANAO 2000 (www.anao.gov.au)
o Has excellent BIA Worksheet template
o Example impact/risk analysis matrix
Example workshop approach (BIA)
Denial of access for a limited time ~
o Multiple cases of Legionella infection are attributed to the data-centre building
o Victims include a number of maintenance vendors (2 are critically ill)
o Management become aware of the situation during business hours
o Health authorities order the evacuation of all non-essential staff and visitors
o The water-coolers are shut down and samples taken for testing
o Disinfection action begins (will take several days)
Part 2 – Escalation
o A day later ~ the presence of a hazardous strain of Legionella bacteria is lab-confirmed
o Health authorities are advising anyone with symptoms (fever, cough, breathlessness, chest pain, diarrhoea) to seek medical attention and undergo tests
o Building will remain closed for at least 3 days to allow for Health Authority/Work Cover investigation and the identification of other potential victims
o Only a limited number of building services staff and specialist contractors are permitted to have access
Part 3 – Implications
o No air conditioning for up to 10 days
o Very limited staff access (to treat hazard only)
Phases of response
o Preparedness
o Response – emergency protection of people and property (to limit the impacts)
o Resumption/continuity – “immediate fixes” to begin interim operations
o Recovery – steps for achieving full operational normality (pre-disruption)
Response
o Protection of people and property
  – Evacuation/hold-in place procedures
  – Automated fire suppression
  – Actions of emergency services
o Processes to limit impact on critical services
  – e.g. back-up power fail-over
  – Standard service disruption procedures
o Incident escalation/notification to governing entity
o Call-out of governing entity (Crisis Management Team)
o Setting up Command Centre
Resumption
o Relocation of staff to alternative venue (e.g. commercial DR site)
o Source alternative office accommodation
o Diversion of telephones
o Data recovery from back-up tapes
o Restoration of desktop environment, email, network access etc
o Work from home strategy
o Emergency procurement of replacement infrastructure
o Stakeholder communication - staff, vendors, students, creditors, insurers, media etc
o Key issue - remote access to BCP with planning data
Recovery
o Specialist salvage and recovery - site clean-up
o Rebuild primary site or seek new premises?
o Sourcing new vendor/s
o Long term project effort
o People issues: retention/recruitment
BC Plan - the essentials
o WHO-WHAT-WHEN-WHERE-HOW (WHY)
o Sample full table of contents
o First Response Flowchart
o Sample Role Checklist - Team Leader
o Sample Threat/Risk Response Guidelines
o Sample Business Unit Recovery Plan
  – APRA compliant disruption scenarios
o Sample ICT Disaster Recovery Plan table of contents
Crisis Leadership: The Challenge
o Managing information overload
o What’s going on? ~ maintaining situational awareness
o What should I do?
o Communication bottlenecks
o Public/customer perceptions/expectations?
o Internal perceptions/expectations?
o Expectations of higher office/regulators/authorities?
“Tales of great strategies derailed by poor execution are all too common”
Human Response to Stress
o Perception of situation (as a threat)
o Expectations of own ability to cope
o Fight or flight response ~
  – Calm/confident in facing situation (“fight”), or
  – Avoiding it (“flight”)
o Positive leadership influence on others
  – Sound judgment, decisive action
o Impaired judgement
  – indecision
  – poor execution of contingencies
CRISIS MANAGEMENT (framework diagram)
Commercial Issues
• Legal
• Risk
• Insurance
• Customers
• Record of Incident
Response / Recovery
• Short term operations
• Long term recovery goals
• Documented BCP
• Integration with DRP
• Roles accountabilities
• Resources available
• Training requirements
• Documented
External Affairs
• Ministerial liaison
• Interviews
• Media releases
• Media management on site
• Community relations
• Business relations
Employees and Next of Kin
• Communicate
• Training
• Delivering the message
Communications
• Control centre
• Communications equipment requirements
• Call centre interface
Crisis Leadership: What it takes
o Calmness/confidence in tackling the unexpected
o Sound judgement
o Decisiveness
o Regular communication with stakeholders
o Trust, delegation ~ allow yourself time to think
o Have a special team to support you
o Treat the stressors and build confidence
The solution?
o Have a single, organisation-wide framework for all occasions
o Ensure full alignment of BC, ICT DR, emergency procedures, security and other contingency plans
o Simple, concise checklists
o Train, rehearse/validate, review and revise
Crisis Management Team (organisation chart)
TEAM LEADER
• Leadership
• Call-out decision
• Key stakeholder liaison
• Goal setting
• Prioritising work
Response
• Contact with scene
• Monitor situation
• Advise team
• Emergency control
• Evacuation
Recovery
• BCP interface
• Office relocation
• Alt premises
• Identify & allocate resources to achieve goals
External Affairs
• Media management
• HQ advice
• News releases
• Community and government relations
Spokesperson
• Media face
• Media conferences
• One face, one message
Human Resources
• Internal communication
• Tracking victims
• Employee records
• Next of kin liaison
• Welfare
• Counselling
Commercial Services
• Regulatory
• Legal
• Insurance
• Customers
• Suppliers
• Maintain records
ICT Coordinator
• CMT support
• CMT venue set-up
• ICT DR interface
• Vendor liaison
• Salvage recovery
• Procurement
Team Structure
o Manageable span of control (5-7 direct reports)
o Resist temptation to include additional direct reports ~ less is more
o Having a larger, flatter structure means ~
  – More stress to Team Leader, and
  – Less efficient interaction between team members
o Distinguish contingency functions from status/rank and day-to-day role
  – Select best person for the job
  – Not everyone has to be involved
Testing the capability
o HB 221 BCM guidelines ~
  – Planning template
o Desktop “walk-throughs”
o Individual component testing (e.g. IT DR)
o Fully integrated tests with third party service providers
Scenario planning & exercises
o Decide on participants - site, business unit and/or senior leadership team?
o Decide on desired outcome - general awareness building, compliance, plan orientation, evaluation of performance, full functional test
  – Resources to be tested - people, IT, vital records (hardcopy/electronic), facilities, internal dependencies, external dependencies
  – Exclusions
o Decide on threat/risk scenario
Scenario planning & exercises
o Develop theoretical sequence of events - as situation unfolds - not in relation to planned response actions
o Consider possible reaction of key stakeholders ~ media, employees/contractors, students, investors, families, authorities, commercial partners, suppliers etc
o Write script
o Establish the cast - who will play what roles
Scenario planning & exercises
o Establish how the “situation” will be communicated to participants
o Recommend real-time game play without too much fictitious background material beforehand
Recommended reading
o HB 221:2003 Business Continuity Management
o ANAO better practice guide Business Continuity Management – Keeping the wheels in motion
o APRA Prudential Standard 232