Business Impact Analysis Bia Template Banking by gck10622


                      Business Continuity Planning
      Overview, Regulations and the Growing Significance of Automated BC Solutions

                                 Presented by
                Steve Kokol, Vice President of International Sales
                           Strohl Systems Group, Inc.
                           skokol@strohlsystems.com
                                September 2006

+1 610 768-4120 • (800) 634-2016 • www.strohlsystems.com • info@strohlsystems.com
                            What is a Disaster?
  •    A disaster is a sudden, unplanned calamitous event that creates
       the inability on an organisation’s part to provide the critical
       business functions for some predetermined period of time and
       which results in great damage or loss. (DRI International)
  •    The time factor which determines whether a service interruption
       is an inconvenience or a disaster will vary from organization to
       organization.
  •    The type, timing and severity of any business disruption is
       unpredictable.




       Disasters are never on our calendar




  Disasters... but we can prepare for them




            Business Continuity Planning – Defined
          •    An ongoing programme to ensure prudent risk reduction and to
               resume key business operations before unacceptable impacts and
               losses are incurred.
          •    Business continuity bridges the gap between disaster and recovery
          •    Whatever the scenario, business continuity identifies weak links in
               the flow of information and builds systems and procedures to
               eliminate downtime.




                        Business Continuity Planning
        •    BCP v. DR
              – BCP grew out of DR
              – Disaster Recovery tends to focus on data
              – BCP focuses on the entire Business and Business Units
              – BCP takes a more proactive stand
        •    BCP programme elements include
              – Program authorization (a Business Impact Analysis and a
                commitment by executive management)
              – Business Continuity Plan development (response, resumption,
                recovery and crisis management)
              – Recovery Plan (and the regular maintenance of this plan)
              – Availability and survivability components such as UPS and
                redundant telecommunication systems.


                          Proactive v. Reactive
  •    Business Continuity Planning
        – Proactive Process
        – By having a BCP, organisations seek to prevent interruption
          of mission critical services
        – BCPs generally cover most or all of an organization’s critical
          business processes and operations
  •    Disaster Recovery Planning
        – Reactive Process
        – More technical plans that are developed for specific groups
          within an organization to allow them to recover a specific
          business application
        – Areas requiring specific DRPs include IT, call centers, and
          distribution centers


          A Business Continuity Programme is NOT:
          •    A project
          •    A one time task with a fixed duration
          •    Just about data
          •    BCP must be an on-going, living programme with
               commitment from Top Management.




                BCP Acceptance Worldwide
          •    What drives BCP Acceptance in a particular country versus
               another?
                – Country Culture
                    • Risk Avoidance
                    • Laissez-faire
                    • To some extent - Technological Advancement




                BCP Acceptance Worldwide
       •    What drives BCP Acceptance in a particular country versus
            another?
             – Presence of BCI, DRII or other organisations promoting BCP
               Standards – BCI Country Representatives – www.thebci.org
                • http://www.thebci.org/worldwideoffices.htm
             – Both BCI and DRII offer BCP certification
                • Australia, Belgium, Caribbean, Canada, China, Denmark, France,
                  Germany, Greece, Hong Kong, India, Indonesia, Israel, Italy,
                  Japan, Malaysia, Middle East, New Zealand, Norway, Pakistan,
                  Philippines, Republic of Ireland, Russian Federation, Singapore,
                  South Africa, Sweden, The Netherlands, United Kingdom, UAE,
                  United States
                BCP Acceptance Worldwide
       •    What drives BCP Acceptance in a particular country versus
            another?
             – Propensity to experience frequent natural disasters
                 • Typhoons
                 • Earthquakes
                 • Floods
                 • Monsoons
             – Country Specific Regulations
             – Industry Regulations
             – Corporate Governance Laws
             – Avian Pandemic / SARS
             – War / Terrorism




                             Type of Threats
         •    Acts of nature

         •    Man-made disruptions/disasters

         •    Failure of infrastructure or technology




             Ability to Recover versus BCP Maturity
       [Chart: Ability to Recover (vertical axis) plotted against BCP
        maturity (horizontal axis): No Plan, Documented, Tested, Trained,
        Maintained]
 Four Elements of a Business Continuity Program
       [Diagram of the four elements:]
       • Assure strategy reflects the business’ needs
       • Trained recovery teams
       • On-going testing
       • Keep the plan up-to-date
           Integrated Business Continuity Program
       [Diagram of the programme’s components:]
       • Corporate Risk Management
       • Emergency Response
       • Risk Mitigation
       • Technology Recovery
       • Corporate Crisis Management
       • Business Recovery
       • Crisis Communications Plan
       • Process Recovery
       • Infrastructure Recovery
             Business Continuity Planning Budget
                BUDGET ELEMENTS:
                • Hot Site Contracts
                • Hardware
                • Media Storage
                • Software
                • Staff
                • Education
                • Testing

          FACTORS INFLUENCING THE PERCENTAGE OF BCP BUDGET
        • Executive Commitment
        • Industry Regulations
        • Revenues and Profits
        • Geographical Dispersion
        • Industry
        • RTO
        • Availability Goals - Protection of Data versus Operations

         Which department in your organization is ultimately
           responsible for business continuity planning?
         [Bar chart: Percent of Responses (0–40) by department – IT,
          Financial, Risk, Security, BCP Dept, Other – for the survey years
          2002, 2003 and 2006]
         What is the title of the executive sponsor
          of your organization's BCP program?
         [Bar chart: Percent of Responses (0–35) by title – Manager, VP,
          CIO, CFO, CEO/Pres., Other – for the survey years 2002, 2003 and
          2006]
                              Recovery Time Objective
          The RTO (Recovery Time Objective) is the timeframe in which a
          business function must resume a level of service that will prevent
          unacceptable financial and/or operational impacts from being
          incurred by the organization.


     Protection of Data versus Protection of Operations
     •   Protect the Data:
          – Research and Development – Pharmaceutical
          – Downtime not as important as protection against lost data
                • Retesting to meet documented regulatory requirements
     •   Isn’t the protection of data always most important?
     •   Maintaining Continuous Operations:
          – Manufacturing and Supply Chain
                • Cost of stopped product line can cost Millions per hour.
                • Also need to look “upstream” to ensure suppliers maintain
                  continuous operations through a formal BCP.
                      – Philips Electronics fire at Chip Plant
                            • Nokia v. Ericsson (one did a better job than the other
                              because of their tested BCP plan)
                         Define the Cost of an Outage
          Data – 99% availability = 88 hours each year that computing
          resources are unavailable
          Average cost of an outage according to Gartner:
          USD $42,000 per hour for mission critical applications
          $3,600,000 lost each year due to unplanned downtime
          For companies that rely 100% on technology such as online brokers,
          e-commerce companies and traders, hourly downtime risks can be
          $1,000,000 or more!
                     Define the Cost of an Outage
       •    It must be measured in more than just $$
              – Why do I need a BCP programme if I have insurance?
                  • Insurance only covers the financial considerations
                  • Need a plan to stay in business
              – 50% of companies that experience a significant interruption or
                disruption in service and do not have a tested, up-to-date BCP
                plan go out of business within one year of this interruption or
                disaster
              – Can often recover from the financial impact, but can you recover
                from the loss of market share and customer confidence?




                  BCP Acceptance Worldwide
       •    Regulations drive Acceptance
              –   UK Financial Services Authority
              –   Basel II Accord
              –   European Central Bank
              –   Bank of Russia
              –   SAMA – Saudi Arabian Monetary Agency
              –   De Nederlandsche Bank
              –   Monetary Authority of Singapore
              –   Hong Kong Monetary Authority
              –   Bank of Thailand
              –   NYSE Rule 446
              –   Quality Standards ISO 17799, BS 7799
              –   ISO Crisis Management Standards – ISO studying – May 2006
              –   BS 25999 – BCM Planning – In Progress – August 2006
              –   Australian Standards - AS 4444, AS/NZS 4360, HB 221
              –   British Standards – PAS 56
              –   UK Civil Contingencies Bill of 2005
              – Insurance Regulations
              – Corporate Governance

              BCP Acceptance Worldwide
  •    UK Financial Services Authority (FSA)
        – Independent non-governmental body, given statutory
          powers by the UK Financial Services and Markets Act of
          2000 (responsibility transferred to FSA from the Bank of
          England)
            • Her Majesty’s Treasury appoints the FSA Board
            • Banks, Financial Services, Securities and Futures
            • Combined Code – Directors must annually conduct a
              review of the effectiveness of the group’s system of internal
              controls and report to the shareholders that they have
              done so. (No requirement to publish this review)




               BCP Acceptance Worldwide
  •    UK Financial Services Authority (FSA)
        – Guidance on Business Continuity (SYSC 3.2.19 [G]):
           • “A firm should have in place appropriate arrangements, having
             regard to the nature, scale and complexity of its business, to
             ensure that it can continue to function and meet its regulatory
             obligations in the event of an unforeseen interruption. These
             arrangements should be regularly updated and tested to ensure
             their effectiveness”
        – www.fsa.gov.uk/




                     BCP Acceptance Worldwide
        •    New Basel Capital Accord (Basel II) – issued by the Bank for
             International Settlements (BIS) www.bis.org
              – Originally issued the Basel Capital Accord (Basel I) in 1988,
                which applied minimum capital reserve standards to the banking
                industry (8%)
              – January 2001 – Proposal for new Basel Accord to replace the
                1988 standard
              – Initial goal was to finalise by 2004 (pushback from the
                banking community, fearful that they could not comply)
              – Implementation by year-end 2006 (or possibly later)




            BCP Acceptance Worldwide – Basel II
        •    New Basel Capital Accord (Basel II)
              – Three Pillars of Basel II
                 • Capital Standards
                 • Supervisory Review
                 • Market Discipline
              – Operational Risk addressed in all three pillars




        BCP Acceptance Worldwide – Basel II
    •    New Basel Capital Accord (Basel II)
          – Banks that can demonstrate “sound practices for the management and
            supervision of operational risk” will be able to reduce their capital
            reserves, freeing up large amounts of additional funds for investment.
              • Sound Practices for the Management of Operational Risk
                  – Operational Risk: “the risk of loss resulting from inadequate or
                     failed internal processes, people and systems, or from external
                     events”
                  – Developing an Appropriate Risk Management Environment
                        » Principle 7: Banks should have in place contingency
                          and business continuity plans to ensure their ability to
                          operate on an ongoing basis and limit losses in the
                          event of severe business disruption
              • Basel II places emphasis on internal controls and risk management



                BCP Acceptance Worldwide
       •    New Basel Capital Accord (Basel II)
             – Once finalised, each Nation may make amendments to their
               domestic versions of Basel II
             – Companies wanting to reduce their operational reserves
               must show a 5 year track record of compliance to be able to
               reduce these reserves.
             – Basel II should not simply be viewed as a compliance
               initiative, but as an opportunity for change!
             – www.bis.org/publ/bcbsca.htm




                 BCP Acceptance Worldwide
        •    ECB – European Central Bank – June 2006
              – Three-year deadline for the introduction of stricter business
                continuity planning and crisis management procedures
              – Payments system operators, key suppliers and participants -
                should have well-defined strategies and monitoring
                mechanisms for dealing with major outages aimed at the
                recovery and resumption of critical functions within the same
                settlement day.
              – Systems should also have a secondary, geographically
                separate site, capable of independent operation in the event
                of failure at the primary facility.
              – June 2009 compliance with revised standard
              – http://www.ecb.int/pub/pdf/other/businesscontinuitysips2006en.pdf
               BCP Acceptance Worldwide
         •    Standard of the Bank of Russia – January 2006
               – Ensuring information security of the organizations of the banking
                  system of Russian Federation
                   • 9.6. Business continuity management and disaster recovery
                        – Organization should develop and deploy the plan of
                           business continuity management and disaster
                           recovery.
                         – The plan and corresponding business processes should
                            be reviewed on a regular basis and updated (e.g. after
                            significant changes in operational activities, organizational
                            structure, business processes and information systems).
                         – The effectiveness of documented procedures of recovery
                            should be periodically checked and tested (at least twice
                            per year). All staff involved in the plan execution and DR
                            procedures should be familiarized with the plan
                        – As a methodological basis for the plan development
                           common international standards of Business continuity
                           management (like BSI PAS-56) could be used.

                 BCP Acceptance Worldwide
        •    SAMA – Saudi Arabian Monetary Agency
              – 2006
                 • Currently seeking guidance in setting BCP standards
                   from their member banks
                 • http://www.sama.gov.sa/




               BCP Acceptance Worldwide
       •    De Nederlandsche Bank
             – 2005 – Business Continuity Assessment Framework
                • Assist firms to benchmark their BCP activities
                • Framework will be introduced to other firms within the
                  “Euro-zone”
                • Each firm must have a BCP plan approved by
                  management board or senior management
                 • Advisable to have the BCP plan assessed by the
                   internal audit department
                • The Assessment framework contains a total of 10 criteria


               BCP Acceptance Worldwide
       •    Monetary Authority of Singapore
             – June 2003 – Guidelines on Risk Management Practices – Business
               Continuity
                • The guidelines will serve as a standard for financial institutions
                  and raise their awareness and preparedness by having in place
                  effective and comprehensive BCP
                • Institutions are encouraged to adopt these principles and
                  implement BCP that is commensurate with the institution’s
                  nature, scale and complexity of business activities
                • MAS will, in the course of its supervision of institutions, review
                  the BCP implementations
                • Board and Senior Management should be responsible for
                  the BCP preparedness of their institution
                • Institutions should embed BCP into their business-as-usual
                  operations, incorporating sound BCP practices
               BCP Acceptance Worldwide
       •    Monetary Authority of Singapore
             – June 2003 – Guidelines on Risk Management Practices –
               Business Continuity
                • Institutions should test their BCP regularly, completely
                  and meaningfully
                • Institutions should develop recovery strategies and set
                  recovery time objectives for critical business functions
                • Institutions should understand and appropriately mitigate
                  interdependency risks of critical business functions
                • Institutions should plan for wide-area disruptions
                • Institutions should practice a separation policy to mitigate
                  concentration risk of critical business functions
             – www.mas.gov.sg/regulations/download/BCMGuidelines.pdf
                BCP Acceptance Worldwide
        •    Hong Kong Monetary Authority
              – New BCP policy established in December 2002
                 • Sets out the HKMA’s supervisory approach to business
                   continuity planning (BCP)
              – www.info.gov.hk/hkma/eng/bank/spma/index.htm




                BCP Acceptance Worldwide
        •    The Bank of Thailand – November 2005
              – Requirement of an IT Contingency Plan – BOT Notification No 1953-
                2548
              – Restore IT systems of Financial Institutions “within a suitable period”
              – Maintain customer and stakeholder confidence in financial
                institutions’ services
              – Board of Directors of each Financial Institution must establish a written
                policy statement and guide for preparing the IT Contingency plan
              – Functional and full scale tests must be conducted at least once per
                year
              – BOT recognized that IT plan is part of the BCP plan. BOT is in the
                process of issuing guidance for the preparation of business continuity
                plans.
              – www.bot.or.th

                  BCP Acceptance Worldwide
       •    NASD 3500 Series-Emergency Preparedness (3510 and 3520) and NYSE-
            Rule 446 Business Continuity Rules
             – Approved by the US SEC - April 2004
             – NASD and NYSE member organizations must develop and maintain
                a written business continuity and contingency plan
             – Must conduct, at minimum, an annual review…in light of changes to the
                organization’s operations, structure, business or location
             – Plan must address
                 • Data back-up and recovery of mission critical systems
                 • Alternate communications between customers and the firm
                 • Alternate communications between the firm and its employees
                 • Financial and operational risk
                 • Alternate Physical location of employees
                 • Communication with Regulators

                  BCP Acceptance Worldwide
       •    NASD and NYSE Business Continuity Rules
             – NASD and NYSE members are also required to disclose to their
               customers a summary of their business continuity plan that
               addresses how the member intends to respond to potential
               disruptions of varying scope
             – Must designate a senior officer to approve the Plan and be
               responsible for the annual review and emergency contact
               person(s)
             – NASD providing a template for small businesses and a repository
               to hold BCP plans:
               http://www.nasdr.com/business_continuity_planning.asp
             – http://www.sec.gov/news/press/2004-53.htm

                BCP Acceptance Worldwide
         •    Quality Standards ISO 17799, BS 7799-2:2002
               – International Organization for Standardization (ISO)
               – British Standards Institute – Specification for Information
                 Security Management
                   • BS7799 is the most widely recognized security standard
                     in the world.
               – Best practices in information security
                   • Code of practices (ISO)
                   • Specification for Information Security Management (BS)



               BCP Acceptance Worldwide
        •    Quality Standards ISO 17799, BS 7799-2:2002
              – ISO17799 is organized into ten major sections, each
                covering a different topic or area:
                  • 1. Business Continuity Planning - The objectives of
                    this section are: To counteract interruptions to
                    business activities and to critical business
                    processes from the effects of major failures or
                    disasters.
              – www.iso.org




               BCP Acceptance Worldwide
        •    ISO Crisis Management Standards
              – ISO Technical Committee (ISO/TC) studying – May 2006
              – Mission of ISO/TC 223 is to develop International Standards
                or other ISO deliverables that will improve preparedness
                before a crisis, coordination during a crisis and
                reconstruction and remedial action afterwards.
              – Scope of crisis management is broad, spanning everything
                from preparation, analyses, forecasts and development of
                systems to education, drills and evaluation.
              – Next Meeting – November 2006
              – www.iso.org

               BCP Acceptance Worldwide
        •    Quality Standards BS 25999
              – Code of practice for business continuity management
                  • Draft for public comment ended August 2006
              – Part 1: Code of practice for business continuity
                management;
              – Part 2: Specification for business continuity management
                  • Part 2 specifies the process for achieving certification
                    that business continuity capability is appropriate to the
                    size and complexity of an organization.
              – www.bsi-global.com/bs25999


               BCP Acceptance Worldwide
       •    Australian Standard - Security Standards - AS 4444
             – Key Controls 1:
                 • Information Security Policy document
             – Key Controls 2:
                 • Business Continuity Planning
       •    AS/NZS 4360 – Risk Management Standards
       •    Business Continuity Management Handbook – HB 221:2003
             – www.standards.com.au/catalogue/script/search.asp




                 British Standards – PAS 56
        •    Publicly Available Specification 56
              – “Guide to Business Continuity Management”
              – March 2003 – Published by the British Standards Institute and
                sponsored by the BCI
                  • Based on the BCI’s Good Practice guide
                  • Pre-Standard which may form the basis for an eventual
                    standard
              – Envisioned that organizations who already have processes in
                place will be asked at some point by their stakeholders to
                confirm that they comply with PAS 56
              – Provides a framework for incident anticipation and response
                evaluation techniques and criteria
              – Provides recommendations for good practice
              – www.thebci.org/pas56.html
           UK Civil Contingencies Bill of 2005
      •    UK Drafted the Act in January 2004
      •    Became a UK Regulation in early 2005
            – Addresses various natural and man-made threats, emergencies
              or disasters
            – Requires “Responders” to perform contingency planning, risk
              assessment and maintain plans that “…if an emergency occurs
              the person or body is able to continue to perform his or her
              functions”
            – Responders:
                • Category 1: County Councils, District Councils, Police,
                  Fire, Health, Environmental
                • Category 2: Utilities, Transport, Health and Safety
            – http://www.parliament.the-stationery-office.co.uk/pa/cm200304/cmbills/014/2004014.htm
            – Self Assessment tool: http://www.audit-commission.gov.uk/emergencyplanning/index.asp
                BCP Acceptance Worldwide
       •    Insurance Regulations
             – A documented and tested BCP plan is a requirement of
               many insurance firms
                 • Precondition of Insurance
                 • Premiums lower for sound, mature, tested BCP
                   programs.




                BCP Acceptance Worldwide
        •    Other Factors
              – Have experienced a disaster in the past – have “felt the pain”
                 • Power Outages Worldwide
              – Mandate for BCP plans from other corporations with whom you
                are doing business
                 • Supply chain - diversify
              – Competitive Advantage
              – Avian Pandemic / SARS
              – Fear factor




                     BCP Acceptance Worldwide
   •    Corporate Governance
          – WorldCom, Enron, Ansett Airlines, “dot-gones”
             • Directors being held directly responsible for Business Continuity Plans
          – USA: Sarbanes-Oxley Act of 2002
             • Increased standards for corporate governance, transparency and
               accountability
             • Section 404 focuses on BCP and Operational risk
                  – Executives must review internal controls and publish the
                     results of the review
             • Section 409 focuses on prompt disclosure
                  – Executives are required to disclose to the public, on an urgent
                     basis, information on material changes in their financial condition
                     or operations
             • Only applies to publicly traded companies
                  – Does apply to Non-USA companies that are listed in the USA
                  – Effective for US companies 15 June 2004 and 15 April 2005,
                     depending on the size of the business
                  – Effective for non US companies in 2005
             • http://www.soxlaw.com/s802.htm
                 BCP Acceptance Worldwide
    •    Corporate Governance
          – The Turnbull Report – 1999 – Institute of Chartered Accountants in
            England and Wales (ICAEW) – provides guidance to Directors on the
            “Combined Code of the Committee on Corporate Governance”
              • Compliance is a prerequisite for being listed on the London Stock
                Exchange
          – Higgs Report – Role of the Board Proposed to be combined into the UK’s
            “Combined Code”
              • http://www.dti.gov.uk/cld/non_exec_review/pdfs/higgsreport.pdf
          – King Report on Corporate Governance (King 2): South Africa
              • Company must protect stakeholders from effects of the worst disasters
              • Places BCP responsibility at the Board of Directors level
              • Formal risk assessment at least once per year
          – Australian Stock Exchange – Principles of Good Corporate Governance
          – Australia – AS 8000-2003 Principles of Corporate Governance
          – Upcoming Malaysia Regulations for listed companies

              Business Continuity Planning
  •    The Business Impact Analysis
  •    Plan Development
  •    Plan Testing
  •    Incident Management
  •    Emergency Notification




  What is a Business Impact Analysis?
    •    A business impact analysis (BIA) is the foundation for all business
         continuity planning programs.
          – It prioritizes your business units and critical processes so that
            you can identify the timeframes in which they need to be
            recovered

           – It helps executive management develop strategies for
             managing continuity and recovery

    •    Without this knowledge, making the right decisions to protect your
         company's assets is tenuous if not impossible.




            What is a Business Impact Analysis
                          (BIA)?
      •    Objective, management-level analysis tool
      •    Objective, not subjective
      •    Deals in Roubles, €, $, £, etc. and business terms that managers
           understand
      •    Uses data provided by business function managers, not project
           team




           What kind of information does a BIA
                         provide?
       •    Financial impacts

       •    Operational impacts

       •    Extraordinary expenses

       •    Current state of preparedness

       •    Recovery resource requirements

       •    Competitive Analysis

                          Questions to be Answered
          •    What is the magnitude of the potential financial & operational
               impacts and exposures?
          •    How quickly do they escalate over time?
          •    What are the business function interdependencies?
          •    What is the dependence on technology?
          •    What resources are required to recover each function?
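As an added example (not code from the presentation or from Strohl Systems' LDRPS), the Python below answers three of these questions numerically over constructed survey data: how financial impact escalates over time, how interdependencies tighten each function's recovery time objective (RTO), and in what order functions must therefore be recovered. The function names, loss rates, RTOs and escalation bands are all assumptions.

```python
# Added example; not code from the presentation or from Strohl Systems' LDRPS.
# A small Business Impact Analysis (BIA) model over constructed sample data.
# It answers three of the BIA questions numerically: how financial impact
# escalates over time, how interdependencies tighten recovery time objectives
# (RTOs), and in what order functions must therefore be recovered.
from dataclasses import dataclass, field

# Constructed escalation bands: (outage hours reached, loss-rate multiplier).
# Losses are assumed to grow the longer an outage lasts, not to stay flat.
ESCALATION_BANDS = [(0, 1.0), (24, 2.0), (72, 4.0)]


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float                 # RTO proposed by the function's manager
    base_loss_per_hour: float        # constructed financial impact rate
    depends_on: list = field(default_factory=list)  # upstream functions


def cumulative_loss(func, outage_hours):
    """Financial impact of an outage of the given length, applying each
    escalation band to the hours that fall inside it."""
    total = 0.0
    for i, (start, multiplier) in enumerate(ESCALATION_BANDS):
        end = ESCALATION_BANDS[i + 1][0] if i + 1 < len(ESCALATION_BANDS) else float("inf")
        hours_in_band = max(0.0, min(outage_hours, end) - start)
        total += hours_in_band * func.base_loss_per_hour * multiplier
    return total


def effective_rtos(functions):
    """Tighten RTOs through interdependencies: anything a function depends on
    must be back no later than that function's own RTO, transitively.
    Raises ValueError for an unknown dependency or a dependency cycle, since
    either means the survey data cannot be turned into a recovery order."""
    by_name = {f.name: f for f in functions}
    dependents = {name: [] for name in by_name}
    for f in functions:
        for dep in f.depends_on:
            if dep not in by_name:
                raise ValueError(f"{f.name!r} depends on unknown function {dep!r}")
            dependents[dep].append(f.name)

    memo = {}
    visiting = set()

    def rto(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"circular dependency involving {name!r}")
        visiting.add(name)
        value = by_name[name].rto_hours
        for child in dependents[name]:
            value = min(value, rto(child))
        visiting.discard(name)
        memo[name] = value
        return value

    return {name: rto(name) for name in by_name}


def recovery_priority(functions, horizon_hours=72):
    """Rank functions: tightest effective RTO first, then largest loss at the
    chosen horizon. Returns (name, effective_rto, loss_at_horizon) tuples."""
    rtos = effective_rtos(functions)
    ranked = sorted(functions,
                    key=lambda f: (rtos[f.name], -cumulative_loss(f, horizon_hours)))
    return [(f.name, rtos[f.name], cumulative_loss(f, horizon_hours)) for f in ranked]


# Constructed survey results for a fictional bank; every value is an assumption.
SAMPLE = [
    BusinessFunction("Payments processing", 4, 5000.0,
                     ["Core banking platform", "Data communications"]),
    BusinessFunction("Core banking platform", 24, 2000.0),
    BusinessFunction("Data communications", 48, 500.0),
    BusinessFunction("Payroll", 72, 200.0, ["Core banking platform"]),
    BusinessFunction("Marketing", 168, 50.0),
]

if __name__ == "__main__":
    # Managers proposed 24 h and 48 h for the platform and the network; the
    # 4 h payments RTO pulls both down to 4 h.
    for name, rto, loss in recovery_priority(SAMPLE):
        print(f"{name:24} effective RTO {rto:>5.0f} h   72 h loss {loss:>12,.0f}")
```

The dependency tightening is the point most BIA spreadsheets miss: a support function's own manager may be happy with a two-day RTO while a downstream critical process needs it back in hours.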




        MS Excel is NOT the Answer to your BIA
    •    BIA surveys must be designed so they are easy for the recipient to
         understand and use.
    •    You must be able to send the BIA surveys and collect the data in a number
         of ways:
           – Interviews
           – E-mail
           – Over the Internet
    •    You must be able to validate the data that recipients enter into the survey
    •    You must be able to easily change the survey to meet the demands of
         various business departments
    •    You must be able to easily consolidate the BIA data and provide automated
         reporting



      The Goal of Business Continuity Planning
  •    Protect employees, members, etc. . . PEOPLE!! through
       controlled emergency recovery.
  •    Define service alternatives for accomplishing critical
       applications.
  •    Minimize the extent of interruption.
  •    Limit financial losses and hardships.
  •    Establish customer confidence in a company’s ability to
       maintain operations.
  •    Satisfy federal and state compliance regulations.




    What’s in a Business Continuity Plan?

     [Diagram: The “PLAN” at the centre, surrounded by its components: Administration;
      Responsibilities; Organization; Actions (Containment, Assessment, Escalation,
      Notification); Alternate Facilities; Recovery Inventories; Priorities (1., 2., 3., 4. ...);
      Time-Frames.]
                             Assumptions
        •    A major disruption will occur
        •    Planning will be for “worst case” scenario
        •    Recovery will be executed using only pre-positioned resources and
             materials from off-site storage
        •    Recovery readiness is a form of insurance




                             Plan Development

     [Diagram: Recovery Processes at the centre, drawing on Hardware; Software & Data
      Backups; Equipment; People; Vital Records; Special Forms & Documentation;
      Voice & Data Communications; Locations; Transportation.]
                             Functions
     [Diagram: recovery functions and business operations covered by the plan:
      Recovery Management; Damage Assessment; Salvage; Security; Vital Records;
      Data Preservation; Off-Site Storage; Computer Hot Site(s); Alternate Bus. Unit Site(s);
      Facilities-Building(s); Facilities-Electrical & Mechanical; Facilities-Furnishings;
      I/S Hardware; I/S Software; I/S Applications; I/S Operations; LAN Hardware;
      LAN Software; LAN Applications; PC Support; Voice Communications;
      Data Communications; Public/Media Relations; Legal; General Counsel Operations;
      Insurance; Personnel Issues; Human Resources Operations; Payroll Operations;
      Travel Arrangements; Travel Advances; Emergency Purchase; Accts. Recv. Operations;
      Accts. Payable Operations; General Acctg. Operations; Clerical & Secretarial;
      Executive Offices Operations; Marketing & Advertising Opns; Sales Operations;
      Inventory Control Operations; Shipping & Receiving Opns.; Distribution Center Opns.;
      Mfg. Assembly Operations; Mfg. Tooling Operations; Mfg. Production Scheduling Opns.;
      Mfg. Quality Assurance Opns.]



                              STROHL PR4 STANDARD
     [Pyramid, bottom to top:]
       •  PREVENTION   – Protect corporate assets; Manage risks
       •  RESPONSE     – Manage crisis; Contain damage; Activate Recovery Organisation
       •  RESUMPTION   – Resume time-sensitive operations at alternate site
       •  RECOVERY     – Recover all other operations
       •  RESTORATION  – Repair/restore facilities and contents; Return "Home"



                           The Recovery Cycle
     [Cycle diagram:]
       •  RESPONSE – Assessment; Escalation; Declaration
       •  RESUMPTION – Initial; Short-term Continuity
       •  RECOVERY & RESTORATION – Long-term Continuity; Repair/Replace; Migration;
          Resume “Normal” Service


          Why New Requirements for BCP?
  •    What’s Changed?
       – New threats
       – New technology

  •    As a result there is more regulatory focus on business
       resumption and a greater emphasis on testing and maintenance




          Why New Requirements for BCP?
  •    Requirement for enterprise-wide planning
  •    Recovery time objectives – becoming shorter and shorter
  •    Interdependency
  •    Technology dependence outside the organization
  •    Importance of HR




          Why New Requirements for BCP?
  •    Old Assumptions – in the past a business could assume that if
       the main office was in NY, and the backup was in Chicago, the
       staff would just fly to the backup location in the event of an
       unplanned disruption
  •    New Perspectives – No one ever planned for all airlines being
       grounded – but it happened.




                                              Source: FFIEC IT Handbook Presentation




                                      What is a BCP Plan?

            A collection of resources, actions, procedures, and
       information that is developed, tested, and held in readiness
           for use in the event of a major disruption in business
                                 operations.




                     Technology Recovery
        •    Computer Processing:
                     • Mainframes/Mini-Computers
                     • Client/LAN/Servers
                     • PCs/Terminals
        •    Voice Communications:
                     •   Consoles
                     •   PBX
                     •   Telephones
                     •   FAX Machines
        •    Data Communications
        •    Internet Operations (e-business)
        •    Special Equipment




             MS Word is NOT the Answer to your
                        BCP Plans
    •    BCP plans are dynamic, constantly changing
           – Need to be updated regularly
    •    Extremely difficult and time consuming to continually update information in
         MS Word
           – Employee Changes, Company Structural reorganisations, application
             changes
           – Need the power and flexibility of a BCP plan built on a relational
             database
    •    Plans from various business units should be consolidated to provide a
         corporate, global, enterprise BCP plan
           – No way to do this with MS Word
           – Specialised planning solutions provide for the development of an
             organizational plan hierarchy for summarization and drill down


                                 Test, Test, Test
  •    You have done your BIA
  •    You have created a great BCP plan
  •    Now, how are you going to test it?
        – Simulated disaster
           • Start small, then expand to include larger portions of
             your company, finally moving to coordination with
             vendors, suppliers and your local community
           • Automated Tool to help collect and analyze the results of
             a test




                    Before and After the Test
          •    Pre-test Meeting with Disaster Recovery Team
                – Identify objectives and the members of the team
                – Verify RTOs
          •    Post Test Review
                – Original RTOs versus Actual Recovery Times
                – Review Infrastructure Problems
                – Review Data Issues
                – Identify changes to the plan based on documented issues
                  discovered during the test
          •    Test, Test, Test




           MS Project is NOT the Answer to your
               Incident Management Needs
    •    Incident Management is dynamic with many uncertainties
           – Must be linked to your BCP Plan
    •    As the Incident Changes, we must manage those changes
    •    Plans from various business units should be integrated to act as the
         basis for your incident management and needs




        Do you have a plan in place to contact employees prior to a known disaster?

     [Bar chart: Percent of Responses, Yes vs No, 2005 survey]



        If your organisation was to experience a Regional or National disaster, do you feel
        your plan would be able to withstand wide-scale communication failures?

     [Bar chart: Percent of Responses, Yes vs No, 2005 survey]



        When was the last time you tested your call tree?

     [Bar chart: Percent of Responses, 2005 survey; categories: Within the last month,
      Within the last six months, Within the last year, Over one year ago, Never]


                       Covering All the Bases

         1) Utilise a well documented Emergency Notification plan
         2) Leverage technology
         3) Test your Emergency Notification plan
         4) Test your Emergency Notification plan again
         5) Establish accurate Emergency Notification reports
         6) Implement corrective actions in your Emergency
                Notification Plan




       Increased Need for Effective Crisis
               Communications
  GOALS
  •    Centralise control of the incident
  •    Control the message
  •    Avoid speculation and misinformation
  •    Set pace and tone for resolution
  •    Protect people first; assets second




       Developing a Communications Plan
       An effective plan allows you to focus on solving problems and
       communicating appropriately.

                    Pre-Crisis                 Mid-Crisis                Post-Crisis

               +Warn                      +Update                    +Recover
               +Protect                   +Repair                    +Assure
               +Prevent                                              +Improve




       Emergency Notification useful before, during, and after disasters
         Not just a disaster recovery (after the disaster has struck) tool

                                  Best Practices

  • Automate!
  • Eliminate rumor
  • Prevent loss of
    important information
  • Speed




   Manual Call Trees are NOT the Answer
   to your Emergency Notification Plans
   •    Informing your stakeholders of a disruption in service or disaster
         – Automate the process
   •    Contact Emergency Response Personnel, suppliers, general
        employee population
   •    Contact via phone, Mobile, Pager, SMS and e-mail, all simultaneously
        and within a specified Service Level Agreement (SLA)




                                            Summary




                                    BCP Trends
          •    Increased Standards
                – Industry
                – Country
                – Corporate Governance
          •    Globalization of BCP
                – Enterprise Continuity Planning
          •    Greater visibility of Business Continuity Planning issues at the
               Managing Director and “C” levels of the organization




                                    BCP Trends
          •    BCP expanding outside of its traditional IT boundaries
          •    Move toward resiliency (zero down time) versus recovery
          •    Move toward disaster prevention versus disaster recovery
          •    BCP is increasingly becoming integrated with corporate functions
                – Leading organizations integrating business continuity with risk
                  management




                 BCP – A Coordinated Effort
          •    Business Continuity Planners should work with:
                – Emergency Response Plans (typically owned by facilities
                  managers)
                – Disaster Recovery Plans (typically an IT responsibility)
                – Corporate Crisis Management (typically the responsibility of
                  corporate security)
                – External Communications (typically the responsibility of the
                  corporate communications organization)




        BCP – An Ongoing, Living Process
          •    BCP is not a project or one time event
          •    Must be coordinated throughout an organization and include
               external dependencies.
          •    Enterprise Continuity Planning – a Corporate Function
          •    We must not only meet regulatory requirements….
                – …we must strengthen corporate governance as a means of
                  gaining competitive advantage in today’s global economy.




           Strohl Systems
             For the past 18 years, Strohl Systems has been
             devoted exclusively to the business of providing the
             world’s finest business continuity planning software
             and services to a worldwide market.

             LDRPS, Strohl’s Business Continuity planning tool,
             is the cornerstone of the Strohl Systems
             organization.
             It offers:
                          a proven methodology
                          an existing support network
                          an extensive user community
            Industries Served - USA
         9 out of 10 securities firms
         5 out of 6 telecommunication companies
         4 out of 5 U.S. insurance companies
         4 out of 5 financial institutions
         4 out of 5 household goods producers
         4 out of 5 aerospace and defense companies
         3 out of 5 general retailers
         6 out of 10 commercial banks
         3 out of 5 computer makers
         4 out of 6 energy companies
                                     Industries Served




                                  Strohl Systems, Inc.
                Worldwide organization dedicated solely to Business Continuity
                                       Planning solutions




                                                     Successful Program

     [Diagram: Strategy + Up-to-Date Plan + Trained Personnel + Testing
      = Business Continuity!!!]
     Strohl’s Worldwide Presence – August 2006

37 Distributors and Resellers covering 79 Countries




                                   Questions?



