690 likes | 1.19k Views
With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme. European Commission-Directorate-General Home Affairs. EFFECTIVE BUSINESS CONTINUITY MANAGEMENT.
E N D
With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme. European Commission-Directorate-General Home Affairs EFFECTIVE BUSINESSCONTINUITY MANAGEMENT PROJECT: “DEVELOPMENT OF TOOLS NEEDED TO COORDINATE INTER-SEKTORAL POWER AND TRANSPORT CIP ACTIVITIES AT A SITUATION OF MULTILATERAL TERRORIST THREAT. INCREASE OF THE CAPACITY OF KEY CIP OBJECTS IN BULGARIA - HOME/2010/CIPS/AG/019” WORKSHOP: “Business Continuity Management (BCM) of the Nuclear Power Plant (NPP) System. Modeling and Procedures Development of Advanced System for Security and Water Channel Protection (ASSWCP) of the NPP” KOZLODUY NPP, 05 of JUNE, 2012 ASSOCIATED PROFESSOR KIRIL STOICHEV, PhD
Business Continuity in the 1960’s Batch Processing Mainframe computers began to automate routine manual functions Excessive downtime could create huge processing backlogs Regular system backups were critical Manual contingency procedures were also essential
Business Continuity in the 1970’s On-line Processing Users became connected to the mainframe via CRT’s, shortening the processing cycle Any downtime could immediately disrupt operations Manual contingency procedures were becoming impractical Maintaining ‘high availability’ networks was becoming critical
Business Continuity in the 1980’s Distributed Processing Disaster Recovery Planning (DRP) for data centers became practical But processing began to move out of the data centers, onto mid-range computers and standalone PC’s Distributed processing, and the use of EDI (electronic data interchange), shortened business cycles further Disaster Recovery Planning became more complex and more critical
Business Continuity in the 1990’s The Desk Top Revolution The proliferation of networked PC’s placed technology on everyone’s desk top High speed digital networks and the internet permitted global connectivity Tolerance for downtime diminished rapidly while vulnerability escalated Disaster Recovery Planning evolved into Business Continuity Planning
Business Continuity in the 21st Century e-COMMERCE As demonstrated by Y2K, dependence upon technology has become absolute e-Commerce has created new business opportunities and new risks The business impact of even minor disruptions can be disastrous 24/7 availability of technology is now the accepted norm
Business Continuity in the 21st Century Heightened Threats Since 9/11, everyone knows that now even the unimaginable is possible SARS outbreaks in China, Hong Kong and Canada have raised the spectre of widespread employee illness or quarantine Major power blackouts in the US and Canada, Italy, and elsewhere have demonstrated the fragility of critical infrastructures The catastrophic tsunami of 2004 and the 2010 earthquake in Haiti demonstrated the power and unpredictability of Mother Nature H1N1 caused international concern, and the threat of a Flu Pandemic still looms in the future
Heightened Expectations The catastrophic collapses of Enron, Arthur Andersen, Worldcom, etc. have resulted in higher standards for risk management and executive accountability Sarbanes-Oxley (SOX), HIPAA, Basel II, and a score of other regulations have made good governance and effective risk management a boardroom priority As an essential component of risk management and good governance, BCP can no longer be considered optional Business Continuity in the 21st Century
There are few business continuity standards around the world, mainly as it is still considered to be a relatively new concept. Due to this gap in the market, the British BS 25999 standard become very popular in the past few years. However, within the standards/ legislation/ regulatory guidance that exists around the world, many make reference to business continuity management (BCM), although they do not necessarily use the same terminology. Towards a Business Continuity Standard
Some standards that exist are: •NFPA 1600 – US National Fire Protection Association, developed from dealing with fire and looks at business continuity from a denial of access perspective •ISO 17799 – a standard for information security management systems that manages and minimizes threats to information •ISO 22399 – guidelines for incident awareness and operational continuity management •AS/NZS 4360:2004 – shared by Australia/New Zealand, provides risk management guidelines •SPRING TR 19 – Singapore technical reference to BCM, which mainly deals with the technical aspects of systems •The King II report of Corporate Governance – these South African guidelines for risk management look at BCM from a governance perspective Business Continuity Standards
BS 25999 and ISO 22301 A standard approach to Business Continuity Management (BCM) has been suggested for decades. Prototype draft standards have been published, but never really quite gained the momentum to succeed. This void has therefore been obvious and glaring for a long time. However, this landscape finally changed dramatically late in 2006, with the publication of the first part of BS 25999, a code of practice for business continuity management. The concept of the standard itself has also been on the table for quite a long time. BSI published a draft standard known as PAS56 back in 2003. This was largely for public comment: the normal process adopted by BSI as part of the development of its major standards. In 2006 a draft version of BS25999-1 was published, again for public comment. Eventually, in November of that year, the standard was finally born, with a fanfare of announcements, conferences and podcasts. Business Continuity Standards
A similar process followed in November 2007 when the second and final part of the standard was published. ISO 22301 As with so many BSI standards, an ISO standard eventually began to emerge: ISO 22301. Although the influence of other standards is clear, the foundation is based upon BS25999-2. It is currently under development, with expected publication date late in 2011 or early in 2012. Business Continuity Standards
The Business ContinuityProfession I still think cloning our employees would have worked.
The Business Continuity Profession Business Continuity has become a recognized professional discipline, with its own: Certification Bodies Disaster Recovery Institute International (DRII.org) Business Continuity Institute (TheBCI.org) National Inst. for Business Continuity Mgt. (NIBCM.org) Trade Journals Disaster Recovery Journal (DRJ.com) Contingency Planning & Management (ContingencyPlanning.com) Continuity Forum(ContinuityForum.com) Continuity Insights (ContinuityInsights.com)
The Business Continuity Profession (cont) • Disaster Recovery Institute International (DRII.org) • ABCP (Associate Business Continuity Planner) • CBCP (Certified Business Continuity Professional) • MBCP (Master Business Continuity Professional) • Business Continuity Institute (TheBCI.org) • ABCI (Associate of the Business Continuity Institute) • MBCI (Member of the Business Continuity Institute) • FBCI (Fellow of the Business Continuity Institute) • National Institute for Business Continuity Management (NIBCM.org) • ACM (Associate Continuity Manager) • CCM (Certified Continuity Manager) 17
The Business Continuity Profession (cont) • Websites of interest: • ContinuityCentral.com • Hundreds of free articles • Disaster-Resource.com • Free annual print magazine and articles • DRJ.com - Disaster Recovery Journal • Wide range of resources and links • Annual Conferences – San Diego and Orlando • Email Discussion Lists • http://finance.groups.yahoo.com/group/continuity/ • http://finance.groups.yahoo.com/group/discussbusinesscontinuity/ • http://finance.groups.yahoo.com/group/bcconsultants/ • http://bcmix.collectivex.com • http://www.linkedin.com
The Business Continuity Profession (cont) • Major BCP associations: • USA – Association of Contingency Planners • ACP-International.com • Canada - Disaster Recovery Information Exchange • DRIE.org • Caribbean – Caribbean Association of Business Continuity Professionals • CABCP.com
The Business Continuity Profession (cont) ConferencesandTradeJournals • DisasterRecoveryJournal(DRJ.com) • Widerangeofresourcesandlinks • Free,quarterlyprintmagazine • Semi-annualConferences–SanDiegoandOrlando • ContingencyPlanning&Management(ContingencyPlanning.com) • CPMEastandCPMWest • ContinuityInsights(ContinuityInsights.com) • ContinuityInsightsManagementConference
What is aBusiness Continuity Plan? Activity Details Activity Lists Off-site Materials Team Members Requirements Strategy Overviews Your Organization Business Continuity Plan
What is a Business Continuity Plan? • At a high level, a Business Continuity Plan is a combination of: • defined strategies and detailed procedures for system recovery • defined strategies and detailed procedures for business resumption • a formal team structure for executing the applicable procedures and managing the crisis • all advance arrangements required to support the above
What is a Business Continuity Plan? • At a detailed level, a Business Continuity Plan is: • a documented series of activities (Business Resumption Plan) that may need to be performed by designated teams to recover systems and/or resume critical business functions following a disruptive incident
What should the detailed plans contain? • Strategy overview for each incident type (or ‘disaster scenario’) • Each Team’s plan should contain: • List of minimum recovery requirements • Team membership and contact info. • Off-site materials list and other supporting documentation • Activity lists (organized by phase and scenario) • Activity details
What is an Activity? • An activity is the ‘Operating Unit’ of the plan • Each activity describes: • What has to be done • How it can be done • Who can do it • What is needed to do it • Where it can be performed from • When it can start • How long it should last • When it should end • Each activity represents a logical, self-contained unit of work that may need to be performed by a single team for a given scenario
What is a Phase? There are typically five phases A phase is a grouping of activities used to provide a logical structure for each team’s plan Each phase represents a critical stage in the Operations Resumption plan
Phase 1 – Initial Response & Assessment 1. Initial Response & Assessment Take any immediate actions warranted by the event Assess the impact of the event on operations
Phase 2 – Interim Contingency Measures Implement short term measures to limit the impact of the event Such as transferring work to staff at another location, or having key staff work from home 2. Interim Contingency Measures 1. Initial Response & Assessment
Phase 3 – Resource Provisioning Provide the minimum resources needed to resume operations at an alternate location Such as desks, phones, PC’s, printers, servers, system connectivity, electronic data, etc. 3. Resource Provisioning 2. Interim Contingency Measures 1. Initial Response & Assessment
Phase 4 – Operations Resumption Resume an acceptable level of operations at the alternate location May require relocation of staff, recreation of lost data, processing of backlog, etc. 4. Operations Resumption 3. Resource Provisioning 2. Interim Contingency Measures 1. Initial Response & Assessment
Phase 5 – Return to Normal Complete all actions required to resolve the event Transfer staff back to original location and resume normal operations 5. Return To Normal 4. Operations Resumption 3. Resource Provisioning 2. Interim Contingency Measures 1. Initial Response & Assessment
Phases of an Operations Resumption Plan 5. Return To Normal Note: Depending upon the nature and duration of the event, some or all of the departments may be able to return to normal without executing phase 3 & 4 2. Interim Contingency Measures 1. Initial Response & Assessment
The Keys to Success • Plan development is not rocket science, but … • every department must follow a consistent methodology to ensure the plans will work, and work together, when required • plans must be documented in sufficient detail that they may be executed even in the absence of the primary expert • standard formats and terminology must be used to avoid misinterpretation and facilitate maintenance • The use of templates or software tools alone will not ensure these goals are met
The Keys to Success (cont) The keys to successful plan development are: Commitment from all departments Selection of the right peopleto develop each team’s plan Practical training of those people in the plan development process
BCP Definition “BCP,” or Business Continuity Planning, is an effort within a company to ensure that Critical Business Functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies (the terms Business Continuity Planning and Business Continuity Management are generally used interchangeably)
Business Continuity BCP is defined as the activities of… individual companies and their business units… that ensure their critical business functions are performed… from primary or alternate operating sites… during any emergency or situation that may disrupt normal business operations.
The Purpose of a Business Continuity Plan When a company is faced with a continuity event, the BCP will: Provide for continuation of critical business functions Enable a rapid response to any emergency situation BCP is different from ordinary emergency plans. It goes a step further to ensure delivery of the most critical services even when personnel, equipment and resources are missing or not working.
BCP Overview: Planning Considerations BCP plans must: Be capable of implementation anytime, with and without warning. Provide full operational capability for critical business functions not later than 12 hours after activation, often sooner. Be capable of sustaining operations for up to 30 days or longer. Include regularly scheduled Testing and Training.
Initiate the BCP Process The BCP Process starts with leadership’s serious consideration, then support, of the idea.
Perform Risk Analysis/Capabilities Survey First, look at the types of hazards your company might face .... Floods, fires, severe weather, computer virus attacks, sabotage, pandemic? What are the likely results of those kinds of events? Power outages? Computer failures? Radio or telephone systems failures? Personnel who can’t reach key facilities?
Identify Critical Business Functions This is the hardest part of the process. Not every business service you provide will be needed in certain emergencies. Your critical functions become the core of the plan. What you do from here on will support those critical functions….. Critical functions are the nuts and bolts of the BCP Plan They form the basis for determining resource requirements: Staff Vital information/critical systems Equipment Supplies and services Facilities
BCP Plan Development, Review, and Approval Identify work sites and plans that may have to change in an emergency Look at who will do what, and when those things will be done Develop procedures to use to make sure the plan works. Discuss how to protect vital information and property Decide who is responsible for what, and when they will be given authority to make decisions Create plans to provide backup support, called succession plans
Train Personnel Check the knowledge, skills and abilities of all personnel Provide training so everyone is sure they are ready for emergencies Train on procedures for emergencies that occur with warning, and without warning Training is a key to being ready
Test the Plan How ready are you? Test the equipment Exercise abilities to see if we can do what we said we could do Carry out drills to make sure that every individual, in all areas, is sure of personal capabilities and personal responsibilities in the event of an emergency
Keep the Plan Up-To-Date Conduct drills Evaluate drills Drills and evaluations will aid us in developing improvement plans and help us change our plan to make it better All of this keeps your plan up-to-date and flexible to change, realizing that you are only as good as your next opportunity to show it
BCP plans must: Be effective with and without warning. Take an all-hazard approach. Include alternate facilities. Have critical business functions operational within an acceptable amount of time. Be able to sustain operations for an extended timeframe. Plans and Procedures Plans and Procedures
What Happens During a BCP event? During normal duty hours— Emergency Relocation Group (ERG) personnel will depart to their designated alternate sites Non-ERG personnel will be directed to proceed to their homes or to other facilities to await further guidance After normal duty hours— Information on BCP activation will be accomplished through: News media announcements Management chain and phone trees Email Radio Company website
Why do BCP? Disaster can strike without warning. Planning what to do in advance is an important part of being prepared. BCP planning means you might need to do fewer things. It means you might do things at a new location. It means you might do things with different personnel. What you get in the end is a real plan for keeping your people safe, your company still working and your recovery safe and effective as you resume normal operations.
Benefits of BCP Planning Reduce or mitigate disruptions that would have previously forced closures and the delay of client services. Ensure the provision of alternate facilities.