CORPORATE RESILIENCE
A Primer on Business Continuity
Protecting the Capability to Deliver Products & Services Under a Wide Range of Adverse Conditions
Rick Wilson (rwilson@hammer.net) 610-378-1149
Differentiating Disaster Recovery & Business Continuity
Disaster Recovery
• Backups
• Operational Level
• Hardware
• Storage Recovery
• Telecommunications
• Computer Recovery
• Technical Performance
• Single Discipline
• Infrastructure Resilience
Business Continuity
• Business Processes
• Sr. Management Level
• Products / People / Profits
• Supply Chain Sustainability
• Human Communications
• Product / Service Recovery
• Company Performance
• Cross-Functional
• Organizational Resilience
Business Continuity Management
• Why Listen to This Talk?
  • As a Manager – How Do I Ensure Timely Delivery of Product & Services?
  • As an Employee – Where Do I Fit? How Can I Contribute?
  • In Between Jobs? – New Discipline, Founded in IT – BUT Broader
• Business Continuity Management will:
  • Focus on Business Activities
  • Identify WHICH Vulnerabilities Must Be Addressed – Not ALL
  • Analyze How Value is Created and Maintained in an Organization
  • Be a Discipline That Does NOT Go Away
    • Business Evolves
    • Company Organizations Change
    • Technology Accelerates Work Processes
    • Customers Migrate
    • Products are Added, Improved and/or Die
  • Emphasize the Need for Resilience in Business Processes
  • Be Applicable to Any Company
Business Continuity
• Evolution of Business Continuity
  • 1970’s – Disaster Recovery Sites
    • DP / MIS – Tactical in Nature
    • Hard to justify significant investment – for an event you hope never happens
  • 1980’s – Business Impact Analysis
    • Shift the focus to the ‘Impact on Business’
    • Broaden the scope to include business risks and operational interruptions
  • 1990’s – Drop the Reference to ‘DR’
    • Rebrand to Business Continuity – more upbeat than recovery
    • Standards evolving – Skill sets coalescing – Certifications emerged
    • Y2K demonstrated dependence on single points of failure / single supplier
  • 2000’s – Codifying BCM (Business Continuity Management)
    • Part of the “Family of Management Systems” standards
    • PAS56 in UK, NFPA 1600 in US, Handbooks in Australia and Asia
    • Regulators: FSA in UK, APRA in Australia, Federal Reserve in USA
    • Then 9/11 – Brought Business Continuity to the forefront
    • National Standards and ISO 22399
Business Continuity Objectives
• Business Continuity Defined
  • Business Continuity Management (BCM) is a holistic process that identifies potential threats to an organization and the impact to business operations that those threats, if realized, might cause.
  • BCM provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, organizational reputation, brand and value-creating activities.
• Objective: Sustain Operations Through Non-Specific, Uncontrolled Environmental Events
  • Prepare for the impact of interruptions in Power, Flood, Storms, whatever …
  • Ensure the survival of the organization, protect its assets and control financial loss
  • Minimize losses TO customers and the loss OF customers
  • Facilitate the resumption of operations
  • Provide for the safety of personnel and public – before, during & after a disruption
Business Continuity Lifecycle
[Figure: Business Continuity Lifecycle – from Business Continuity Institute]
Business Continuity
Disaster Recovery is an IT Process – Business Continuity Protects the Business
• BIA – Business Impact Analysis
  • Assesses Time-Critical Processes Across the Organization
  • Determines RTO / RPO for Each Process
  • Ranks the Processes by Urgency
  • Defines the Prioritized Recovery Path
• BCP – Business Continuity Plan
  • Strategic BCP – Sr. Management & Incident Management Team
  • Tactical BCP – Line Management for Delivery of Products & Services
  • Operational BCP – Staff-level Execution of Specific Recovery Steps
• Business Continuity provides the organization with the capability to continue to deliver the products & services essential to the existence of the firm.
Business Continuity Management – Lifecycle
BUSINESS CONTINUITY MANAGEMENT – Program Progression
• BCM Program Management
• Understanding the Organization – Create the Policy & BIA
• Determining a BCM Strategy – Decide the “What, How, When”
• Developing & Implementing a BCM Response – Build the BCPs
• Exercise, Maintain & Review BCM
• Embedding BCM in the Organization
Hazard Matrix
• Defines the expected threats that could conceivably occur
• Projects probability of occurrence and severity to the organization
• Used by individual Departments to refine the threats they could experience in preparing their specific Continuity Recovery Plans.
BIA – Business Impact Analysis
• Factors In Calculating Impact
  • Value of the Asset (Function)
  • Overall Impact if Asset is Lost
• Tangible Impact
  • Reduced Productivity
  • Increased Expense
  • Delay in Collecting $
  • Reduced Income
  • Fines / Penalties
  • Loss of Information
• Intangible Impact
  • Loss in Reputation
  • Loss in Trust
  • Public Safety
  • Regulatory
  • Competitive Edge
• Compute Criticality [1-100]
• Sort to Arrive at Critical Path – Top 10 Processes?
• Score Each Process Critical, High, Medium, Low
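The BIA scoring described on this slide and on the earlier “Business Continuity” slide (assess time-critical processes, set RTO / RPO, compute a 1-100 criticality, rank by urgency, score each process Critical / High / Medium / Low), worked through as an added example that is not part of the presentation. The factor weights (tangible 60 %, intangible 40 %), the tier thresholds, the 0-10 rating scale and the four sample processes are assumptions made for the illustration.

```python
"""Constructed Business Impact Analysis (BIA) scoring example.

Added illustration, not material from the presentation: it scores each
business process on the tangible and intangible impact factors the BIA
slide lists, computes a 1-100 criticality, assigns a Critical / High /
Medium / Low tier, and sorts the processes into a prioritized recovery
path using RTO as the tie-breaker.  Factor weights, tier thresholds and
the sample processes are assumptions made for the example.
"""
from dataclasses import dataclass

# Impact factors named on the BIA slide. Each is rated 0 (no impact) to 10
# (maximum impact) by the department that owns the process.
TANGIBLE = ("reduced_productivity", "increased_expense", "delayed_collection",
            "reduced_income", "fines_penalties", "loss_of_information")
INTANGIBLE = ("reputation", "trust", "public_safety", "regulatory",
              "competitive_edge")
# Assumed weighting: tangible factors carry 60 % of the score, intangible 40 %.
TANGIBLE_WEIGHT, INTANGIBLE_WEIGHT = 0.6, 0.4
# Assumed tier thresholds on the 1-100 criticality scale.
TIERS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class Process:
    name: str
    department: str
    rto_hours: float      # Recovery Time Objective
    rpo_hours: float      # Recovery Point Objective
    impacts: dict         # factor name -> 0..10 rating


def validate(p: Process) -> None:
    """Reject ratings outside 0..10 or factors the BIA does not define."""
    for factor, rating in p.impacts.items():
        if factor not in TANGIBLE + INTANGIBLE:
            raise ValueError(f"{p.name}: unknown impact factor {factor!r}")
        if not 0 <= rating <= 10:
            raise ValueError(f"{p.name}: rating for {factor} must be 0..10")


def criticality(p: Process) -> int:
    """Combine the factor ratings into a criticality score in 1..100."""
    validate(p)
    tangible = sum(p.impacts.get(f, 0) for f in TANGIBLE) / (10 * len(TANGIBLE))
    intangible = sum(p.impacts.get(f, 0) for f in INTANGIBLE) / (10 * len(INTANGIBLE))
    score = round(100 * (TANGIBLE_WEIGHT * tangible + INTANGIBLE_WEIGHT * intangible))
    return max(1, min(100, score))


def tier(score: int) -> str:
    """Map a criticality score onto the Critical / High / Medium / Low scale."""
    for floor, label in TIERS:
        if score >= floor:
            return label
    return "Low"


def recovery_path(processes, top_n=10):
    """Rank processes by urgency: highest criticality first, shortest RTO
    breaking ties. Returns (name, score, tier, rto_hours, rpo_hours) rows."""
    ranked = sorted(processes, key=lambda p: (-criticality(p), p.rto_hours))
    return [(p.name, criticality(p), tier(criticality(p)), p.rto_hours, p.rpo_hours)
            for p in ranked[:top_n]]


# Constructed sample processes (not from any real organization).
PROCESSES = [
    Process("Order fulfilment", "Operations", 4, 1, {
        "reduced_productivity": 8, "increased_expense": 6, "delayed_collection": 7,
        "reduced_income": 9, "fines_penalties": 2, "loss_of_information": 4,
        "reputation": 8, "trust": 7, "public_safety": 1, "regulatory": 3,
        "competitive_edge": 6}),
    Process("Payroll", "Finance", 24, 24, {
        "reduced_productivity": 3, "increased_expense": 2, "delayed_collection": 0,
        "reduced_income": 0, "fines_penalties": 6, "loss_of_information": 5,
        "reputation": 4, "trust": 9, "public_safety": 0, "regulatory": 8,
        "competitive_edge": 1}),
    Process("Customer support line", "Service", 8, 4, {
        "reduced_productivity": 4, "increased_expense": 3, "delayed_collection": 1,
        "reduced_income": 5, "fines_penalties": 0, "loss_of_information": 2,
        "reputation": 9, "trust": 8, "public_safety": 2, "regulatory": 1,
        "competitive_edge": 5}),
    Process("Plant safety monitoring", "Operations", 1, 0.25, {
        "reduced_productivity": 9, "increased_expense": 7, "delayed_collection": 2,
        "reduced_income": 8, "fines_penalties": 10, "loss_of_information": 6,
        "reputation": 9, "trust": 8, "public_safety": 10, "regulatory": 10,
        "competitive_edge": 4}),
]

if __name__ == "__main__":
    for row in recovery_path(PROCESSES):
        print("{:<24} {:>3} {:<8} RTO {:>5}h RPO {:>5}h".format(*row))
```

Run the file directly to print the ranked recovery path; `recovery_path` returns the rows so they can be carried into the department-to-site allocation table later in the deck. A tie on criticality is broken by the shorter RTO, which is what “ranks by urgency” implies when two processes carry the same impact; out-of-range ratings from a department survey are rejected rather than silently clipped.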
Tactical Continuity Recovery Plans
• Department Continuity Recovery Plan – SAMPLE
  • Evacuation and Fire Safety Plan
  • Incident task list to follow
  • Instructions on communications in crisis
  • Emergency GO-BELT makeup
  • Building Wardens
  • Building Evacuation Diagram
  • Department Staff Call List
  • Emergency Services Contact List
  • Alternate locations & staff assignments
  • Critical tasks to execute & task timing
  • Contact list for Key team members
  • Contact list for Key customers (optional)
  • Essential equipment list & software list
  • Supplies list
  • Vendors list
  • Vital records list
Allocation of Departments Across Alternate Sites
• Conducted Physical Inspection & Assessment
• Inspected Remote Sites
  • Power Reliability
  • Availability of Generator
  • Distance From Corporate
  • Distance From Operations
  • Bathrooms / Kitchen
  • Flooding or Septic Issues
  • Hotels Nearby
  • Food Stores Nearby
  • Parking available
  • Mass Transit Nearby
  • Tables / Chairs
  • # People Accommodated
  • Technology In Place?
Allocation of Departments Across Alternate Sites
• Allocated Departments to Alternate Sites
  • Departments Across the TOP – Facilities DOWN the Side
  • Staff Size: Normal / Emergency – Home Location
  • Primary Alternate Site w/ People Count – Secondary & Tertiary Site Choices
  • Requisite Upgrades of Technology Noted
  • Total Counts – PRIMARY, SECONDARY, TERTIARY Usage (not shown)
Applications Per Department
• Inventory Applications Used by Each Department
  • Usage Level – High, Medium, Low
  • Client / Server or Web Based
  • Application Name
  • Departments Used
  • How to Make the Application Available
Business Continuity Management – Lifecycle – First Iteration of BCM
INITIAL BC PROJECT OBJECTIVE: Complete a Full BCM Lifecycle – Each Step Builds on Previous
• BCM Program Management
• Understanding the Organization – Create the Policy & BIA
• Determining a BCM Strategy – Decide the “What, How, When”
• Developing & Implementing a BCM Response – Build the BCPs
• Exercise, Maintain & Review BCM
• Embedding BCM in the Organization
Business Continuity Maturity Model
Awareness & Effectiveness Increase with Each Iteration
[Figure: AWARENESS (vertical axis) against EFFECTIVENESS (horizontal axis) – Improve the Organization’s Capability to Deliver Products & Services; Improve Organizational Resilience]
Embedding Business Continuity In the Organization
• GOALS
  • Ensure All Information in the Plan is Verified
  • Ensure All Plans are Rehearsed
  • Ensure All Relevant Personnel are Exercised
• BCM Maturity
  • Strive to Embed Business Continuity in the Organization
    • Awareness Initiatives
    • Specialized Training
    • Exercises – Table Top & Full Rehearsals
  • Make BCM inherent in the Organization’s Normal Management Processes
• After the Initial Iteration [End of Year 1]
  • Review BIAs for Changes in Assumptions
  • Update Department CRPs for Alternate Locations, Department Coordinators, etc.
  • Revisit Dynamic Data in Departmental Documents
  • Verify Status of Lessons Learned from Past Events
Embedding Business Continuity In the Organization
• AWARENESS INITIATIVE
  • Ensure Each Department Is Oriented to Business Continuity
  • Identify 15 Metrics Reflecting BCM Awareness & BCM Effectiveness
  • Attributes from Business Continuity Institute’s Good Practice Guidelines
Embedding Business Continuity In the Organization
• AWARENESS INITIATIVE
  • Met with Each Department – Reviewed Awareness Attributes
  • Scale of 0 – 75, Graphed as -37 to +37
Embedding Business Continuity In the Organization
• EXERCISING THE BCP
  • A BCP Cannot be Considered Reliable – Until it is Exercised
  • Objectives:
    • Develop Competence within the Staff
    • Instill Confidence in their Ability to Execute
    • Impart Knowledge Essential in Time of Crisis
  • Focus on MAXIMUM Benefit of Exercise, MINIMUM Disruption to Business
  • Types of Exercises
    • Table Top Simulations
    • Full Rehearsals (Evacuate the Building)
    • Real-Life Exercise Example
Business Continuity Maturity
• BCM throughout the Organization
• Continuous Improvement
• Engage Supply Chain In BC Exercise
• Embedding BCM Program in the Organization
• Demonstrate Effectiveness in Audit
• Program Managed Effectively
• BCM Documentation Current
• Activities Able to be Monitored
• Responsibilities Clearly Assigned
• Preparedness Ensured
QUESTIONS
• Build and Use Your Business Continuity Plan