Effective Business Continuity Program Frameworks. Peter R. Laz, MBCP

Similar documents

Professional Practice Eight - Business Continuity Plan Exercise, Audit, and Maintenance

The PNC Financial Services Group, Inc. Business Continuity Program

HSEM Emergency Management Director s Qualification Curriculum, Emergency Management Certification and Elected/Appointed Officials Certificate Programs

Why Should Companies Take a Closer Look at Business Continuity Planning?

The PNC Financial Services Group, Inc. Business Continuity Program

Business Continuity Standards A Primer

Business Resiliency Business Continuity Management - January 14, 2014

Disaster Recovery Policy

Program Management: Opportunity or CLM?

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

The State Of Business Continuity Preparedness

Intel Business Continuity Practices

Fundamentals of Business Continuity Planning Have a Plan!

RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief

Beyond Mandates: Getting to Sustainable IT Governance Best Practices. Steve Romero PMP, CISSP, CPM IT Governance Evangelist

> State Street. Corporate Continuity Program. Continuity Organizational Structure. Program Oversight

Subject Area 9 Public Relations and Crisis Coordination

Enterprise Data Governance

Business Continuity Management Charter

Assessing the Appropriate Level of Project, Program, and PMO Structure

Practical Approaches to Achieving Sustainable IT Governance

Domain 1 The Process of Auditing Information Systems

Strategic Planning. Key Initiative Overview

Solihull Clinical Commissioning Group

Successful Implementation of Enterprise-Wide Information Governance

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Chapter 13. Training, Exercises & Review

Medicaid Enterprise Data Governance Approach. MESConference August 21, 2012 Rashmi Menon, Deloitte Consulting LLP

Capability Maturity Model Integrated (CMMI)

Best-in-Class Crisis Preparation:

Business Continuity Planning for Risk Reduction

Project Management Guidelines

Preparing for the Convergence of Risk Management & Business Continuity

How To Understand The Market For Disaster Recovery

Based on 2008 Survey of 255 Non-IT CEOs/Executives

Business Continuity Planning. Description and Framework. White Paper. Preface. Contents

UNIVERSITY FLU PANDEMIC PLAN Preparation, Management and Recovery

The seven essential practices for effective business continuity management

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

Appendix 3 Disaster Recovery Plan

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

Business Continuity for Cyber Threat

26/09/2013 Peter Ravnholt -

Incident Management Team The Eight Step Implementation Model. The 8 Step

WHITE PAPER December, 2008

External Supplier Control Requirements BCM

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

U.S. Nuclear Regulatory Commission. Plan of Action Strategic Workforce Planning

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Tips and techniques a typical audit programme

ESKITP6036 IT Disaster Recovery Level 5 Role

ACMP Certification Committee. Methods for Demonstrating Competency

Business Continuity and Disaster Recovery Planning

Chapter 1: An Overview of Emergency Preparedness and Business Continuity

Information Security Program CHARTER

CMMI KEY PROCESS AREAS

Ten Critical Steps. for Successful Project Portfolio Management. RG Perspective

Business Continuity and Disaster Planning

TRENDS IN BUSINESS CONTINUITY AND CRISIS COMMUNICATIONS SURVEY

Snohomish County PUD. Service Management Journey. Chris Thorpe Tina Myren June 16, 2010

Creating a Customer Advisory Board Overview and Checklist by Clearworks

The Final Quality Gate: Software Release Readiness. Nancy Kastl, CSQA Kaslen Group, Inc. (630)

Director of Asset Management and Repairs

IT Project Governance. Chris Cruz, Deputy Agency Information Officer

PROJECT MANAGEMENT SURVEY

MINNESOTA STATE POLICY

CAFM APPLICATION and CRITERIA. Give yourself a competitive edge

Maximizing Business Value Through Effective IT Governance

BCM Data Research within a Business Intelligence Dashboard

How To Understand The State Of Business Continuity Preparedness

Regulatory Compliance Oversight

- SAMPLE CUSTOMIZED REPORT - Business Continuity Program Benchmark Report

Establishing a Data and Information Governance Program at the Cancer Institute NSW. Data Governance 2012 Narelle Grayson

CFABAI132 Inform and facilitate organisational decision-making

Business Continuity Management Program Maturity Report - SAMPLE -

Pandemic Accord Continuity Exercise Series

Digital Marketing Specialist

The Surprising Truth About Your DR Maturity Level

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Audit of the Disaster Recovery Plan

Driving Change through Clinical Informatics Dorothy DuSold, MA 1

IT Cost Reduction. Doing More with Less. Anita Ballaney, Vishwanath Shenoy, Michael Gavigan. Strategic IT cost reduction - Doing More with Less

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

B U S I N E S S C O N T I N U I T Y P L A N

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

Revitalizing Your CRM Initiative. Why the Need to Revitalize?

Business Unit CONTINGENCY PLAN

Process Guide. Release Management. Service Improvement Program (SIP)

Overview. FedRAMP CONOPS

Business Continuity & Recovery Plan Summary

NIST Cybersecurity Framework & A Tale of Two Criticalities

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

Project Management Office (PMO) Charter

Disaster Recovery Planning. By Janet Coggins

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Continuity of Operations Actions

Virginia Commonwealth University School of Medicine Information Security Standard

Transcription:

Effective Business Continuity Program Frameworks Peter R. Laz, MBCP

Agenda Session Objectives Successful BC Program Framework Critical Success Factors 2

Session Objectives Review the differences between: Program Plan Project Communicate experiential insight of components that make BC Programs effective Provide tangible illustrations of critical BCProgram elements 3

Survey Snapshot How many of your enterprise-wide BC Programs have the CIO as the Executive Sponsor? Organizational placement affects program maturity and funding Programs that report to non-it executives are more mature and receive increased funding than those reporting to IT executives DRJ and Isurus Survey (December 2008) 4

Survey Snapshot How many face challenges in planning, developing, implementing and maintaining enterprise-wide BC Programs? Significant progress in establishing some elements of a BC Program has been made Approx 70% of respondents noted their biggest challenge is effective and efficient BC Program Management DRJ and Isurus Survey (December 2008) 5

Definitions Program Ongoing initiative with a collection of policies and processes that are linked to strategic objectives Project Temporary endeavor to plan, organize and manage resources to complete specific goals Plan Set of documented, intended actions through which one expects to achieve a goal 6

Business Continuity Components Business Continuity Program Framework: Policy, Governance & Reporting Plan Types Incident Management Emergency Response Technolog y Recovery Business Recovery Pandemic Assemble the decision-makers Collect information Coordinate all response, recovery & restoration activity Communicate information to all stakeholders Life/Safety Personnel Headcount Damage Assessment Maintain or recover IT Services Maintain or recover business functions Invoke alternate procedures during no/limited IT Services or input from suppliers or dependent departments Maintain mission-critical processes during extended high absenteeism rates 7

Guiding Principles Comprehensive Sponsored Assigned Impact Driven Flexible Ongoing Professional Considers all potential hazards and all potentially affected stakeholders Requires support, involvement and funding from the executive management team Plan development, maintenance and exercises are a business unit managers responsibility Standards for plan content, updates and exercises are relative to the degree of impact on business operations, finances and/or regulatory compliance Requires creative and innovative approaches; especially when the specifics of the situation cannot be predetermined Continuous process requiring regular review, planning and updating Based on education, training,experience, ethics, wisestewardship and continuous improvement 8

Organizational Jurisdiction Executive Sponsor CxO Purpose of Advisory Council: Provide executive sponsorship, direction and funding to program Program Owner VP/ Director Business Continuity Advisory Council Approve strategic direction of program Review program status & present state of readiness to Executive Management BC Program Office Approve corporate-level policy changes Plan Owners Plan Owners Mission of BC Program Office: Develop/maintain policies, procedures, standards, methodology, tools Recommend strategic direction Assist groups with plan development Coordinate exercises, training & assurance programs Perform quality reviews 9

Framework Manual Amalgamation of standards NFPA 1600 ITIL/ITSCM PS: Prep Governance Executive Sponsorship Program Management Plan Ownership Compliance Program Requirements Plan Attestation Readiness Reporting Scope Global Data Centers Big DR / Little DR Standards Scope Compliance Governance 10

Corporate Policy Statement Key Elements: Maintain a viable Business Continuity Program All business units are required to develop and maintain recovery plans All business units are required to submit an annual attestation statement to the Business Continuity Program Office Business Continuity Program Office is required to submit an annual statement of recovery readiness/program status 11

Plan Attestation Annual signatures attesting requirements have been met and program is being maintained according to expectations Built into Annual Program Status Reporting Business Continuity Program Executive Sponsor (Program Sign-off) Business Continuity Program Owner (Program Attestation) Recovery Plan Owner (Plan Attestation) Recovery Plan Owner (Plan Attestation) Recovery Plan Owner (Plan Attestation) Recovery Plan Owner (Plan Attestation) 12

Recovery Readiness Reporting Annual presentation to Executives & Board of Directors State of Recovery Readiness How prepared is <the company> to effectively & efficiently meet recovery objectives? Status of compliance with regulations and standards What are the applicable regulatory requirements and is <the company> in compliance? Which units are non-compliant with content, maintenance, exercise or certification standards? Level of exercises performed What was the level of success & issues identified during exercises? Program challenges What are inhibitors to providing/maintaining a viable continuity program? Planned program enhancements What program enhancements are underway or planned? 13

Responsibilities R = Responsible A = Accountable C = Consulted I = Informed 14

Capability Disclosure Statement An Executive Summary document for distribution to clients, prospects and suppliers that verifies a management program exists and describes the level of recoverability that clients can expect Executive Sponsor, Program Owner and Plan Owners have been assigned Responsibilities of the BC Program Office Business Continuity Council exists and the purpose of that group Highlights Corporate Business Continuity Policy Vision and Mission Statements Standards for plan content, update and exercise frequencies Annual Program Status Report presented to Executive Management Describe current recovery capabilities stating when critical services will be available 15

Training and Awareness Educate Communicate Validate Integrate Conduct special training for for key employees Conduct a campaign of of regular, periodic communication that start with the new-hire process Involve as as many employees as as possible in in the testing program Build recovery considerations into business processes and procedures 16

Issue Tracking Document & Report all BC/DR issues Monitor through resolution Maintained by BC Program Office Monthly reporting to management Relational database Issue Category/# Notification Tabletop Relocation Planning Incident Issue Description Date Opened Date Closed Target Close Date Owner Status 17

Change Management Change in an organization (relative to BC/DR) is best managed by ensuring processes are in place to identify, document and develop plans addressing those changes Background Study Project Definition System Requirements Change Control Initial recovery requirements included Recovery requirements understand, documented, and validated Recovery capacity included in in detailed system design Recovery capability in in place prior to to implementation 18

Standards Tier 1 Tier 2 Plan Updates 6 mos 12 mos Notification Exercise 3 mos 6 mos Table Top Exercise 12 mos 12 mos Relocation Exercise 6 mos 12 mos Attestation Statement 12 mos 12 mos Note: While these are examples of generally used standards, it is most important that you select and commit to a specific period of time in which you will conduct these tasks on an ongoing basis specific to your organization s requirements. 19

Most Critical Success Factors Align Business Continuity Program to enterprise business objectives Executive sponsorship and active involvement Institutionalize program elements Budget commitment and visibility Proper organizational placement Apply project management disciplines Base recovery strategy and capability on accurate and validated business requirements Executive commitment to a centralized repository Exercise the way you would recover Establish and maintain partnerships with public sector Continuously expand your knowledge Your business environment and regulations BC/DR practices and tools 20

Peter R. Laz, MBCP plaz@forsythe.com