Creating the Resilient Corporation Business Continuity Planning and Pandemics Presented by: Eric Millard, Delivery Manager, Business Continuity and Recovery Services, Hewlett-Packard 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Agenda: Business Continuity and Risk Management Items to address in continuity planning The differences with pandemics Creating a pandemic resilient corporation
What is business continuity & availability today? It is A way of doing business and continuing to stay in business A plan to ensure business processes including those of suppliers and service providers are always available to meet critical needs It is the ultimate control mechanism It is not A specific product or technology or service A project with a beginning and an end Just disaster recovery or high availability Ensuring business processes
What risks does your business face? high impact Pandemic natural disaster- fire, flood, adverse weather man made disaster- terrorism, malicious damage security breach- hacker denial of service attack virus attack internal security/fraud People or process error poor change management software failure power/ network failure hardware failure low planned downtime application failure low frequency high
Business continuity A risk management imperative corporate governance risk management business continuity business resilience business recovery
Agenda: Business Continuity and Risk Management Items to address in continuity planning The differences with pandemics Creating a pandemic resilient corporation
The business process is the driver Organisation Critical Business Processes People IT Applications Infrastructure Premises Equipment Vital Records
How long can you last without a process? high financial impact cost optimal balance How strong is the competition? How loyal are your customers? How easy would it be for them to switch? low short time long recovery cost The longer the recovery time, the greater the financial impact The shorter the recovery time, the greater the recovery cost
What scenario do you want to protect against? Denial of access to: Metro Area Postcode City Block Site Building Floor
7 steps to developing your recovery capability 1. Current Situation 2. Business Impact Analysis 3. Risk Assessment 4. Define Strategy 5. Design Solution 6. Select or Build Solution 7. Document Plan and Test
Invocation Who can invoke? Under what conditions Who goes where? Voice systems Issues of working from home Currently supported? Remote access infrastructure Comms Contact OH&S
Agenda: Business Continuity and Risk Management Items to address in continuity planning The differences with pandemics Creating a pandemic resilient corporation
Background Influenza pandemics have occurred every 10-50 years. They happen when a new influenza ('flu) virus strain develops which can spread easily from person to person. Because it is new, humans have little or no immunity to the virus. The "Spanish 'flu" of 1918-1919 was the most severe pandemic of the last century, killing up to 40 million people worldwide. The most recent influenza pandemic, the "Hong Kong 'flu", occurred in 1968 and was far milder, causing an estimated 1 million deaths worldwide. There is concern among scientists that the outbreak of H5N1 avian influenza that began in birds in Asia in the late 1990s could change to a form that is easily spread from person to person, and so cause a new pandemic of human influenza. The probability of this occurring is unknown, but is probably at its highest level in several decades. Source: NSW Health
Considerations In a severe pandemic, we might expect: that the pandemic virus may spread rapidly vaccines, antiviral agents and antibiotics to treat secondary infections to be in short supply. It will take several months before any vaccine becomes generally available medical facilities to be stressed sudden and potentially significant shortages of personnel to provide essential community services due to widespread illness the effect of influenza on individual communities to be sustained over a long period of time, even compared to other natural disasters. Source: NSW Health
What we learned with SARS Early splitting of work forces and quarantining Restricted access to continuity centre Twice daily temperature checks for all staff at site Additional cleaning to maintain high sanitary standard Optional face masks Increased absenteeism due to fear, quarantine orders and child-care arrangements Increased costs (temperature checks, cleaning, etc)
Agenda: Business Continuity and Risk Management Items to address in continuity planning The differences with pandemics Creating a pandemic resilient corporation
Understand how resilient you are Best-in-class internal control system Best in class cost structure Regular BCP rehearsals Resilient Business differentiator Security plans regularly tested Defined, mature processes AS/NZ 4360 Mature processes Isolated process improvement activity Planning for change Durable Internal controls tested Security and DR plans regularly tested Reliable IT ITIL mature Clearly defined internal controls Understand business needs and processes Some process training Incident management Downtime issues Poor processes Very weak internal controls Off-site DR and backup Mitigating risk is a focus Change management Stable No security policies Reactive reporting Monitoring and reporting tools used Delicate Fragile IT cost reduction Right people in the right place at the right time No KPIs Security and DR plans in place PIRs used Internal controls defined IT too expensive No documentation No continuity plan, does backups
How do you create a resilient corporation? Step 1: Assess where you are today Step2: Develop a crossfunctional team Step 3: Design and agree an improvement plan Resilient Durable Stable Delicate Fragile Step 4: Operationalise the improvement plan
The starting point Recovery Readiness Assessment
Summary Continue to benchmark and evolve Commit to improvement project and measure results Design an improvement plan Partner with business Assess current risks and upside Resilient Durable Stable Delicate Fragile