Business Continuity

					Business Continuity: An introduction
- The sole purpose of Business Continuity is to maintain a minimum
  level of service while restoring the organization to business as usual
              Who needs it?

- Commerce and industry need it to protect the customer
- Charities need it to assure continued funding
- Government agencies need it to assure continued funding and existence
- Managers need it to assure their positions
                 The difference
- The difference between Business Continuity and Disaster Recovery
  - Business Continuity is PROACTIVE; its focus is to avoid or
    mitigate the impact of a risk
  - Disaster Recovery is REACTIVE; its focus is to pick up the pieces
    and to restore the organization to business as usual after a risk
    occurs
- Disaster Recovery is an integral part of a Business Continuity plan
                 Why Business Continuity?
- An organization which fails to provide a minimum level of service
  to its clients following a disaster event may not have a business
  to recover

  - Customers may go to a competitor
  - Funding may disappear
  - A need may be re-evaluated and deemed
              What to protect
- Business functions
  - Functions which provide products or services
- Critical support functions
  - Functions without which the Business Functions cannot function
    (e.g. Facilities, IT)
- Corporate level support functions
  - Functions required for effective operation of Business Functions
    (e.g. HR, Finance)
Most important resource

                  Why people?

- Although there are other critical resources, the actual product or
  service in most organizations depends on actions performed by, and
  decisions made by, people.
               Who is involved?
             In a word, EVERYONE

- Executive management
- Mid-level managers
- Line personnel
- Support personnel
- Vendors
- Municipal Emergency Management
             Management involvement
              Executive management

- Support is required for successful plan
- Provides high-level overview of organization’s
- Provides long-range planning to assure the Business Continuity plan
  complements the organization’s Business Plan
                  Mid-level managers

- Provide departmental direction
- Provide department-level overviews
- Provide an insight into external (to the department/function)
  interdependencies
- Offer suggestions on how to enhance critical business
- Identify risks
                   Line personnel

- Provide operational details
- Offer suggestions on how to enhance critical business
- Identify risks
                Support personnel

- Provide information about services which assure the critical
  Business Functions can be performed at a minimum level of service
  or better
- Provide information about protecting resources
                          Support may include
  - Accounts receivable
  - Accounts payable
  - Communications
  - Documentation
  - Facilities
  - Finance
  - Human Resources
  - IT/MIS
  - Janitorial
  - Legal
  - Mail Room
  - Marketing
  - Public relations
  - Sales
         Vendors provide services and products

- Courier services and mail
- Communications (telephone, fax, email)
- Insurance (business, health, property)
- Necessities (municipal services)
- Utilities (electricity, fuel)
         Emergency Management
Municipal Emergency Management must be included in the plan to

- Assure personnel safety
- Mitigate damage from risks
- Train personnel to avoid risks and to protect themselves and the
  organization
No man – or department – is an island
              Protect all to protect one
- In order to protect any single Business Function, the enterprise
  must be protected.

- There are too many easily identifiable dependencies to create
  successful “function-only” or “resource-only”
                                A few risks

  - Aircraft accident
  - Bond rating
  - Civil unrest
  - Communications
  - Competition
  - Customer failure (K-Mart)
  - Debris
  - Drought
  - Electrical failure
  - Epidemic
  - Espionage
  - Fire
  - Flood
  - Hacked database
  - HazMat incident
  - Heat
  - Hurricane
  - Ice
  - Industry image (airlines)
                            A few more risks

  - Internet failure
  - Intranet failure
  - IT/MIS
  - Legal action
  - Lender reluctance
  - Local statutes
  - Loss of key personnel
  - Rail accident
  - Recession
  - Regulatory agencies
  - Reputation
  - Snow
  - State law
  - Stock value
  - Tornado
  - Traffic accident
  - Vendor failure
  - Wildfire
  - Work action
  - Ubiquitous “other”
                 Rating a risk
- Not all risks present the same danger to an

  - Risks are rated based on
    - Probability of occurrence
    - Impact on the organization
                   Risk options
- Avoid the risk
  - Usually the most expensive option
  - Required by some 24*7*365 operations
- Mitigate the risk
  - Less expensive than avoidance
  - Reduces the impact of the “inevitable”
- Absorb the risk
  - The process or product is antiquated anyway
              The plan – Part 2

- Create business continuation processes
- Create organization recovery processes
- Create a training program
- Establish a plan maintenance procedure
- Train, train, and train some more
                 Business continuation
- Business continuation processes are designed so the organization
  maintains “at least a minimum level of service” to assure there
  will be a business to recover
- Each Business and Support function must have a continuation plan
- How quickly the process must be functioning depends on the maximum
  allowable outage
           Recover the business
- This may be in multiple stages:

  - Recovery to a minimum level of service
  - Recovery to business as usual
    - There may be intermediate stages between the two recovery
      stages shown above
              Training program
- The training program has two primary goals:

  - To assure personnel will be able to efficiently and effectively
    respond following a disaster event
  - To develop self-confidence in the personnel to perform their
    assigned functions
- A plan that lacks maintenance quickly becomes a

  - Plan maintenance is based on the calendar
  - Plan maintenance is based on “trigger” events
    - Personnel change
    - Process, procedure change
    - Etc.
                   Creating a plan
- Do it yourself
  - Can you think of everything?
  - Can you think objectively?
  - Who will review your plan?
- Call a professional
  - Experience
  - Network to help think of almost everything
  - Only objective is to create a successful plan
Plan                    Purpose                                            Scope

Business Continuity     Provide procedures for sustaining essential        Addresses business processes; IT
Plan (BCP)              business operations while recovering from a        addressed only in the context of
                        significant disruption                             supporting business process

Business Recovery (or   Provide procedures for recovering business         Addresses business processes; not
Resumption) Plan        operations immediately following a disaster        IT-focused

Continuity of           Establish procedures and capabilities to           Addresses subset of an
Operations Plan         sustain an organization’s essential, strategic     organization’s missions deemed
                        functions at an alternate site for up to 30 days   critical; not IT-focused

Continuity of Support   Establish procedures and capabilities for          Similar to IT contingency plan;
Plan                    recovering a major application or general          addresses IT system disruption; not
                        support system                                     business process focused

Disaster Recovery       Provide detailed procedures to facilitate          Often IT-focused; limited to major
Plan (DRP)              recovery of capabilities at an alternate site      disruptions with long-term effects

Incident Response       Define strategies to detect, respond to, and       Focuses on information security
Plan                    limit consequences of malicious cyber              responses to incidents affecting
                        incident                                           systems and/or networks

Occupant Emergency      Provide coordinated procedures for                 Focuses on personnel and property
Plan                    minimizing loss of life or injury and protecting   particular to the specific facility; not
                        property damage in response to a physical          business- or IT-focused

 1) Develop a business continuity / disaster recovery plan

  - Establish a disaster-recovery team of employees who know your
     business best, and assign responsibilities for specific tasks.
   - Identify your risks (kinds of disasters you're most likely to
   - Prioritize critical business functions and how quickly these must
     be recovered.
  - Establish a disaster recovery location where employees may work
    off-site and access critical back-up systems, records and supplies.
  - Obtain temporary housing for key employees, their families and
  - Update and test your plan at least annually.
 2) Alternative operational locations
   Determine which alternatives are
   available. For example:

 - A satellite or branch office of your business.
 - The office of a business partner or even an
 - Home or hotel.
 3) Backup site.
    Equip your backup operations site with critical equipment, data
     files and supplies:

   - Power generators.
   - Computers and software.
   - Critical computer data files (payroll, accounts payable and
      receivable, customer orders, inventory).
   - Phones/radios/TVs.
   - Equipment and spare parts.
   - Vehicles, boats and spare parts.
   - Digital cameras.
   - Common supplies.
   - Supplies unique to your business (order forms, contracts, etc.).
   - Basic first aid/sanitary supplies, potable water and food.
 4) Safeguard your property
   Is your property prepared to survive a
    hurricane or other disaster:

  - Your building?
  - Your equipment?
  - Your computer systems?
  - Your company vehicles?
  - Your company records?
  - Other company assets?
 5) Contact information
   Do you have current and multiple contact
   information (e.g., home and cell phone
   numbers, personal e-mail addresses) for:

  - Employees?
  - Key customers?
  - Important vendors, suppliers, business
  - Insurance companies?
  - Is contact information accessible electronically
    for fast access by all employees?
 6) Communications
   Do you have access to multiple and reliable
   methods of communicating with your employees:

  - Emergency toll-free hotline?
  - Website?
  - Cell phones?
  - Satellite phones?
  - Pagers?
  - BlackBerry(TM)?
  - Two-way radios?
  - Internet?
  - E-mail?
 7) Employee preparation
   Make sure your employees know:

  - Company emergency plan.
  - Where they should relocate to work.
  - How to use and have access to reliable methods of
    communication, such as satellite/cell phones, e-mail,
    voice mail, Internet, text messages, BlackBerry(TM),
  - How they will be notified to return to work.
  - Benefits of direct deposit of payroll and subscribe to
    direct deposit.
  - Emergency company housing options available for them
    and their family.
 8) Customer preparation
    Make sure your key customers know:

  - Your emergency contact information for sales
    and service support (publish on your website).
  - Your backup business or store locations
    (publish on your website).
  - What to expect from your company in the
    event of a prolonged disaster displacement.
  - Alternate methods for placing orders.
  - Alternate methods for sending invoice
    payments in the event of mail disruption.
 9) Evacuation order
    When a mandatory evacuation is issued, be prepared to grab and
    leave with critical office records and equipment:

   - Company business continuity / disaster recovery plan and
   - Insurance policies and company contracts.
   - Company checks, plus a list of all bank accounts, credit cards,
      ATM cards.
   - Employee payroll and contact information.
   - Desktop/laptop computers.
   - Customer records, including orders in progress.
   - Photographs/digital images of your business property.
   - Post disaster contact information inside your business to alert
      emergency workers how to reach you.
   - Secure your building and property.
 10) Cash management
     Be prepared to meet emergency cash-flow needs:

  - Take your checkbook and credit cards in the event of an
  - Keep enough cash on hand to handle immediate needs.
  - Use Internet banking services to monitor account
    activity, manage cash flow, initiate wires, pay bills.
  - Issue corporate cards to essential personnel to cover
    emergency business expenses.
  - Reduce dependency on paper checks and postal service
    to send and receive payments (consider using electronic
    payment and remote deposit banking services).
 11) Post-disaster recovery procedures

  - Consider how your post-disaster business may
    differ from today.
  - Plan whom you will want to contact and when.
  - Assign specific tasks to responsible employees.
  - Track progress and effectiveness.
  - Document lessons learned and best practices.
