Presentation to Tarong Energy Nov 05

Business Continuity Planning
A practical guide
Adam Lawrence, Director Terrorism Risk
     o Ross Campbell & Associates – Crisis Management & Business resilience strategies
          – Clients in 25 countries
          – Workshops & reviews
          – Preparedness audits
          – Executive training
          – Corporate plans & enterprise-wide programs
          – Simulation exercises, walk-through rehearsals, capability tests
          – Alignment of Crisis Management, Business Continuity, issues management, emergency management
     o Managing the worst-case scenario

    o Introduction – case studies and context
    o Business Continuity Management – an overview
    o Identifying plausible disruption scenarios
    o Business Impact Analysis
    o Response-Resumption-Recovery
    o BC Plan - the essentials
    o Leadership and governance
    o Rehearsing the plan and capability testing

     o   Raise awareness
     o   Enhance capability of QUESTNET member institutions
         in responding to and recovering from a major
     o   QLD Government initiative to protect Mass Gathering
         Infrastructure in light of the threat of terrorism

    Video compile

Terrorism – HSBC (Bank)

o   Istanbul, Turkey
o   20 November 2003
o   Car bomb
o   26 killed
o   450 wounded
Utilities failure – US power outage

     “In just three minutes, starting at 4.10pm, 21 power plants shut down”
     CNN, 14 August 2003

Telco infrastructure failure

     ‘Telstra says more than 16,000 of its network cables were accidentally severed in the past 12
     The Age, 25 July 2005

Data centre failure

     ‘Multiple failures at a datacentre run by CSC left hospital trusts without access to patient administration systems for up to five days’
     , 13 Sep 2006

     o   Began in Asia February 2003
     o   Within weeks reported in 25 countries
     o   Impact on airlines, tourism industry
     o   Impact on businesses with operational links to
     o   Learnings for Avian ’flu preparedness?

 Crisis/disaster impacts
     o People harmed
     o Disruption to operations
     o Asset damage
     o Loss of reputation
     o Loss of customer/public support
     o Financial loss
     o Increased regulation
     o Increased insurance premiums
     o Legal action
     o Destabilisation of senior management

 Monash shootings 2002

     ABC Interviewer: “…no amount of training can equip you for what happened yesterday?”

     Vice-Chancellor: “…we had a crisis management exercise of something similar to this about three months ago, which actually helped us through all of this…”

     ABC Radio, October 2002

What is Business Continuity?

     ‘The uninterrupted availability of all key resources supporting essential business functions’ (ANAO, 2000)

     Keeping the wheels of business in motion following a material disruption (irrespective of the cause)

Key strategic risk – that an organisation is unable to remain
 Related disciplines
     o Emergency Management
     o ICT Disaster Recovery (service disruption, data loss)
     o Salvage and recovery (damaged hard-copy files)
     o Issue Management (public perception/reputation)
     o Government response
     o Crisis Management – the worst-case scenario (during
       the acute/emergency phase of response) ~

     “A crisis is an adverse situation that has the potential to cause serious harm to people, operations, assets, earnings, reputation or brand”

 Common capability gaps
     o Plans lacking fundamental components ~ WHO-
     o Unspecified or vague (contingency) roles and tasks
     o Lack of pre-designated alternative venues
     o Alternative/back-up venues in same precinct
     o Ill-equipped contingency venues
     o Lack of alternate/deputy (contingency) roles
     o Un-rehearsed plans & call-out procedures
     o No pre-designated spokesperson
     o No documented Business Impact Analysis (BIA)

 Common capability gaps (cont.)
     o Insufficient understanding of or linkages to
       government response
     o Sole reliance on mobile telephones to co-ordinate the
       response (prone to failure)
     o Insufficient protocols for communication with staff,
       visitors, students
     o Recovery times (RTOs) not specified
     o Lacking 24/7 remote access to HR/vendor contact
     o Lack of confidence in documented plans – too much

 Critical success factors
     o Learn from the experience of others
          – address the common capability gaps
     o Clear command structure
          – Have a group that has authority to invoke recovery plans and manage strategic ramifications (Crisis Management Team)
     o Clear communication & reporting channels (between Head Office and subordinate entities including first
     o Identify alternative command venue/s and contingency work accommodation
     o Ensure adequate incident notification and call-out

 Other challenges
     o   Extreme stress
     o   Cause may be beyond your control (3rd party
     o   Determining people’s whereabouts/safety
     o   Implications of rapid and intrusive media
     o   Rumours and innuendo – bad news travels fast
     o   Panic/hysteria
     o   Aspects of government response may be beyond your
          – Understand the rights/obligations of all responders
          – Jurisdictional responsibility

 Operational Risk Assessment
     o What does the organisation depend on to operate?
     o What can happen?
     o When, where and how?
     o What are the critical processes or assets?
     o Workshop hypothetical scenarios
     o Interviews with principal staff/department heads
     o Site inspection (ideally by third party)
     o Event/media monitoring, industry briefs, case studies
       - learn from the experiences of others

 Identifying disruption scenarios
     Consider worst-case (total loss) disruption scenarios ~
       o Loss of building
       o Loss of precinct
       o Denial of access to building for a limited time
       o Loss of ICT (data)
       o Loss of ICT (voice)
       o Loss of vital (non-electronic) records
       o Loss of key staff
       o Loss of key dependencies
       Source: APRA Prudential Standard APS 232 Business Continuity

 Business Impact Analysis (BIA)
     o   Undertaken for all key business processes ~
          –   Call management
          –   Service activations
          –   Service restorations
          –   Escalation management
          –   Vendor management
     o   Sets recovery processes, in the event of a high-impact
         disruption/loss (outage)
     o   Establish a scenario as an aid to planning ~
          – Physical event, e.g. fire, flood, earthquake, terrorist
          – Assume worst case, e.g. total destruction of workplace
            and primary ICT resources
 What would happen if?
     o   Work with “business owner” or departmental
         representatives ~
          – Workshop/group approach
          – One-on-one interviews
     o   Determine Maximum Acceptable Outage (MAO) ~
          – Maximum time it will take before an outage threatens an
            organisation achieving its business objectives
          – Max survival time before recovery procedures must
     o   Qualify consequences/costs of impacts ~
          – By timeframes (1 day, 1 week, 1 month)
          – Simple narrative/description
          – Formal risk rating (negligible-extreme)
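The BIA steps above (rate the impact of an outage per key process at each timeframe, derive the Maximum Acceptable Outage, and compare it with the recovery time the ICT DR plan actually promises) can be captured in a simple worksheet. The following is an added worked example and not material from the presentation or from Ross Campbell & Associates; the process names, impact ratings, RTO values and the "moderate" tolerance threshold are constructed sample data, and the field and function names are this example's own. It also flags the two gaps named earlier in the deck: an RTO that was never specified, and an RTO longer than the MAO it has to meet.

```python
"""Added worked example (not from the presentation): a Business Impact Analysis
worksheet expressed in code, following the approach the slides outline. For each
key business process, the impact of an outage is rated at each timeframe
(1 day, 1 week, 1 month) on a negligible-to-extreme scale, the Maximum
Acceptable Outage (MAO) is derived as the earliest timeframe at which the impact
exceeds what the organisation will tolerate, and the recovery time objective
(RTO) that the ICT DR plan promises is checked against it. All process names,
ratings and RTOs are constructed sample data, not figures from the deck."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Formal risk rating scale (negligible ... extreme), lowest to highest.
RATINGS = ["negligible", "minor", "moderate", "major", "extreme"]

# Timeframes at which consequences are qualified, in hours, shortest first.
TIMEFRAMES_HOURS = [("1 day", 24), ("1 week", 168), ("1 month", 720)]


@dataclass
class ProcessBIA:
    """One row of the BIA worksheet (field names are this example's own)."""
    name: str
    impact_by_timeframe: Dict[str, str]  # timeframe label -> rating
    rto_hours: Optional[int] = None      # recovery target promised by the DR plan


def rating_index(rating: str) -> int:
    """Position on the ordered scale; raises ValueError for an unknown rating."""
    return RATINGS.index(rating)


def maximum_acceptable_outage(process: ProcessBIA, tolerance: str = "moderate") -> Optional[int]:
    """Hours of the earliest timeframe whose impact rating exceeds the tolerance.

    Returns None when the impact stays within tolerance for every timeframe
    assessed (the process is not time-critical within a month)."""
    limit = rating_index(tolerance)
    for label, hours in TIMEFRAMES_HOURS:
        if rating_index(process.impact_by_timeframe[label]) > limit:
            return hours
    return None


def review_bia(processes: List[ProcessBIA], tolerance: str = "moderate") -> List[Tuple[str, Optional[int], Optional[int], str]]:
    """Derive the MAO per process and flag the two gaps the deck lists: an RTO
    that is not specified, and an RTO longer than the MAO it has to meet."""
    findings = []
    for p in processes:
        mao = maximum_acceptable_outage(p, tolerance)
        if p.rto_hours is None:
            verdict = "RTO not specified"
        elif mao is not None and p.rto_hours > mao:
            verdict = "RTO exceeds MAO"
        else:
            verdict = "OK"
        findings.append((p.name, mao, p.rto_hours, verdict))
    return findings


def prioritise(processes: List[ProcessBIA], tolerance: str = "moderate") -> List[str]:
    """Process names ordered most time-critical first (shortest MAO); processes
    with no MAO within a month come last. Sorting is stable, so ties keep
    worksheet order."""
    def key(p: ProcessBIA) -> int:
        mao = maximum_acceptable_outage(p, tolerance)
        return mao if mao is not None else 10**9
    return [p.name for p in sorted(processes, key=key)]


# Constructed sample worksheet rows (illustrative values only).
SAMPLE_PROCESSES = [
    ProcessBIA("Call management",
               {"1 day": "major", "1 week": "extreme", "1 month": "extreme"}, rto_hours=8),
    ProcessBIA("Service activations",
               {"1 day": "minor", "1 week": "major", "1 month": "extreme"}, rto_hours=72),
    ProcessBIA("Escalation management",
               {"1 day": "moderate", "1 week": "major", "1 month": "extreme"}, rto_hours=240),
    ProcessBIA("Vendor management",
               {"1 day": "negligible", "1 week": "minor", "1 month": "moderate"}),
]


if __name__ == "__main__":
    print(f"{'Process':<24}{'MAO (h)':>8}{'RTO (h)':>8}  Finding")
    for name, mao, rto, verdict in review_bia(SAMPLE_PROCESSES):
        print(f"{name:<24}{str(mao):>8}{str(rto):>8}  {verdict}")
    print("Recovery priority:", ", ".join(prioritise(SAMPLE_PROCESSES)))
```

Because the timeframes are coarse, the derived MAO is an upper bound: a process rated "major" at one day may in fact become intolerable within hours, so the worksheet should be refined with the business owner where the one-day rating is already above tolerance. Changing the `tolerance` argument lets the same worksheet be re-run against a stricter or looser appetite without re-interviewing anyone.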
 Recommended reading - BIA
     o   Better Practice Guide Business Continuity
         Management – Keeping the wheels in motion, ANAO
         2000 (
     o   Has excellent BIA Worksheet template
     o   Example impact/risk analysis matrix

 Example workshop approach (BIA)
Denial of access for a limited time ~
  o Multiple cases of Legionella infection are attributed to
    the data-centre building
  o Victims include a number of maintenance vendors (2
    are critically ill)
  o Management become aware of the situation during
    business hours
  o Health authorities order the evacuation of all non-
    essential staff and visitors
  o The water-coolers are shut down and samples taken
    for testing
  o Disinfection action begins (will take several days)

 Part 2 – Escalation
     o   A day later ~ the presence of a hazardous strain of
         Legionella bacteria is lab-confirmed
     o   Health authorities are advising anyone with symptoms
         (fever, cough, breathlessness, chest pain, diarrhoea)
         to seek medical attention and undergo tests
     o   Building will remain closed for at least 3 days to allow
         for Health Authority/Work Cover investigation and the
         identification of other potential victims
     o   Only a limited number of building services staff and
         specialist contractors are permitted to have access

 Part 3 – Implications
     o   No air conditioning for up to 10 days
     o   Very limited staff access (to treat hazard only)

 Phases of response
     o   Preparedness
     o   Response – emergency protection of people and
         property (to limit the impacts)
     o   Resumption/continuity – “immediate fixes” to begin
         interim operations
     o   Recovery – steps for achieving full operational
         normality (pre-disruption)

     o   Protection of people and property
          – Evacuation/hold-in place procedures
          – Automated fire suppression
          – Actions of emergency services
     o   Processes to limit impact on critical services
          – e.g. back-up power fail-over
          – Standard service disruption procedures
     o   Incident escalation/notification to governing entity
     o   Call-out of governing entity (Crisis Management
     o   Setting up Command Centre

     o   Relocation of staff to alternative venue (e.g.
         commercial DR site)
     o   Source alternative office accommodation
     o   Diversion of telephones
     o   Data recovery from back-up tapes
     o   Restoration of desktop environment, email, network
         access etc
     o   Work from home strategy
     o   Emergency procurement of replacement infrastructure
     o   Stakeholder communication - staff, vendors, students,
         creditors, insurers, media etc
     o   Key issue - remote access to BCP with planning data

     o Specialist salvage and recovery - site clean-up
     o Rebuild primary site or seek new premises?
     o Sourcing new vendor/s
     o Long term project effort
     o People issues: retention/recruitment

 BC Plan - the essentials
     o Sample full table of contents
     o First Response Flowchart
     o Sample Role Checklist - Team Leader
     o Sample Threat/Risk Response Guidelines
     o Sample Business Unit Recovery Plan
        – APRA compliant disruption scenarios
     o   Sample ICT Disaster Recovery Plan table of contents

 Crisis Leadership: The Challenge
     o Managing information overload
     o What’s going on? ~ maintaining situational awareness
     o What should I do?
     o Communication bottlenecks
     o Public/customer perceptions/expectations?
     o Internal perceptions/expectations?
     o Expectations of higher office/regulators/authorities?

     o   “Tales of great strategies derailed by poor execution
         are all too common”

 Human Response to Stress
     o   Perception of situation (as a threat)
     o   Expectations of own ability to cope
     o   Fight or flight response ~
          – Calm/confident in facing situation (“fight”), or
          – Avoiding it (“flight”)
     o   Positive leadership influence on others
          – Sound judgment, decisive action
     o   Impaired judgement
          – indecision
          – poor execution of contingencies

     o Commercial Issues
          – Record of Incident
          – Roles/accountabilities
          – Resources available
          – Training requirements
          – Documented
     o Recovery
          – Short term operations
          – Long term recovery goals
          – Documented BCP
          – Integration with DRP
     o External Affairs
          – Ministerial liaison
          – Interviews
          – Media releases
          – Media management on site
          – Community relations
          – Business relations
     o Employees and Next of Kin
          – Communicate
          – Training
          – Delivering the message
     o Communications
          – Control centre
          – Communications equipment
          – Call centre interface
 Crisis Leadership: What it takes
     o   Calmness/confidence in tackling the
     o   Sound judgement
     o   Decisiveness
     o   Regular communication with stakeholders
     o   Trust, delegation ~ allow yourself time to think
     o   Have a special team to support you
     o   Treat the stressors and build confidence

     The solution?
      o Have a single, organisation-wide framework
        for all occasions
      o Ensure full alignment of BC, ICT DR,
        emergency procedures, security and other
        contingency plans
      o Simple, concise checklists
      o Train, rehearse/validate, review and revise

Crisis Management Team
     o Team Leader
          – Leadership
          – Call-out decision
          – Key stakeholder liaison
          – Goal setting
          – Prioritising work
     o Spokesperson
          – Media face
          – Media conferences
          – One face, one message
     o Recovery
          – BCP interface
          – Office relocation
          – Alt premises
          – Identify & allocate resources to achieve goals
     o External Affairs
          – Media management
          – HQ advice
          – News releases
          – Community and government relations
     o Human Resources
          – Internal communication
          – Tracking victims
          – Employee records
          – Next of kin liaison
          – Welfare
          – Counselling
     o Commercial Services
          – Regulatory
          – Legal
          – Insurance
          – Customers
          – Suppliers
          – Maintain records
     o Response
          – Contact with scene
          – Monitor situation
          – Advise team
          – Emergency control
          – Evacuation
     o ICT Coordinator
          – CMT support
          – CMT venue set-up
          – ICT DR interface
          – Vendor liaison
          – Salvage recovery
          – Procurement
 Team Structure
     o Manageable span of control (5-7 direct reports)
     o Resist temptation to include additional direct reports ~
       less is more
     o Having a larger, flatter structure means~
         – More stress to Team Leader, and
         – Less efficient interaction between team members
     o Distinguish contingency functions from status/rank and
       day-to-day role
         – Select best person for the job
         – Not everyone has to be involved

Testing the capability
     o   HB 221 BCM guidelines ~
         – Planning template
     o Desktop “walk-throughs”
     o Individual component testing (e.g. IT DR)
     o Fully integrated tests with third party service

Scenario planning & exercises
     o Decide on participants - site, business unit
       and/or senior leadership team?
     o Decide on desired outcome - general
       awareness building, compliance, plan
       orientation, evaluation of performance, full
       functional test
          – Resources to be tested - people, IT, vital records
            (hardcopy/electronic), facilities, internal
            dependencies, external dependencies
          – Exclusions
     o   Decide on threat/risk scenario
Scenario planning & exercises (cont.)
     o Develop theoretical sequence of events - as
       situation unfolds - not in relation to planned
       response actions
     o Consider possible reaction of key stakeholders
       ~ media, employees/contractors, students,
       investors, families, authorities, commercial
       partners, suppliers etc
     o Write script
     o Establish the cast - who will play what roles

Scenario planning & exercises (cont.)
     o Establish how the “situation” will be
       communicated to participants
     o Recommend real-time game play without too
       much fictitious background material

 Recommended reading
     o HB 221:2003 Business Continuity Management
     o ANAO better practice guide Business Continuity
       Management – Keeping the wheels in motion
     o APRA Prudential Standard 232

