Business Continuity Overview

Beverley A. Retjos
Senior Manager, WW SWG Security & Controls
03/12/07
Business Continuity Management (BCM)

Process of ensuring that a business is prepared to survive any disruption that threatens its ability to provide products and services.

Plans minimize the effect of any disruption to those critical services resulting in a significant loss (temporary or permanent) of human resource and/or critical skill base caused by:
- Threat
- Physical site incident
- Natural or manmade disaster
- Human-based incident

Bottom line: Protect IBM's
- Employees, visitors and others working at IBM sites
- Revenue stream
- Brand image
How did SWG approach Business Continuity?

SWG approached Business Continuity by answering the following questions:
1. What is the scope (what to protect ourselves from)?
2. What do we need to protect (which are our critical processes)?
3. What are our tolerable losses?
4. How long could our critical processes stay unavailable?
5. What applications and services support the critical processes (Information Technology, Voice Services, etc.)?
6. How long can we operate manually before we need access to the applications and services?
7. What is our current capability to meet our business recovery requirements (Information Technology and business processes)?
8. What strategies do we need to establish to meet our business recovery requirements (must balance costs with losses)?
9. What procedures must we have to provide a viable recovery capability?
10. How are we going to maintain our recovery capability?
IBM BRCS approach to Business Continuity Planning

Phase 1 / Phase 2 / Phase 3

Identify Critical Business Process
TRP Technology Recovery Procedures
- define scope of the emergency event
- identify business recovery objectives
- determine IT recovery requirements
- define process linkages
- identify process recovery timeframes
- identify data loss threshold

Assess Current IT Capabilities
- data backup & recovery
- telecommunication network
- hardware configuration & linkages
- forward recovery capability
- operational procedures

Develop strategies to bridge gaps

Management Response
BCP
- recovery scripts for IT systems
- local area network
- wide area network
- voice & fax
- evaluation / declaration procedures
- incident management tasks

Business Contingency Procedures
- initial manual procedures
- recovering lost transactions
- enter collected data
- process business as usual

Capability / Maintain / Test
SWG Business Continuity Common Process
Business Continuity Plan for a Pandemic Avian Flu

1. What are the business criteria for determining which processes are critical and need to be recovered and which processes can be deferred?
   - Must continue to meet our legal and regulatory requirements
   - Must continue to pay employees
   - Will defer all management reporting for xx period of time
2. Identification of assumptions on which the BCP will be based
   - Plan for 50% staff absences for periods of about 12 weeks
   - Overall, a pandemic wave will last about 12 weeks, followed by a 12 week recovery with another 12 week wave
3. Identification of the critical business processes
4. Identification of business and IT requirements, e.g. staff, vital records, voice services, IT systems
5. Recovery time objectives for business processes and technology
6. Identification of approach to be used to resume critical business processes
7. Identification of interdependencies with other IBM departments
8. Identification of interdependencies with other external business partners
9. Location for alternate processes site for critical technology
   - In case a building is quarantined, can IT be managed remotely? If so, for how long?
10. Location of alternate work areas
11. Documentation of contingency procedures
   - Are there existing plans that can be leveraged?
12. Identification of critical information such as
   - External Emergency Number
   - External Contact List (Vendors, Business Partners)
   - Emergency Operation Center locations
   - Business Unit Contingency Teams
   - Vital Records
   - Crisis Management Team
13. Linkages to other Business Continuity Plans
14. What policies and procedures do we need to create to keep the pandemic from affecting our employees and/or facilities once it arrives?
15. What policies and procedures do we need to create to contain the illness once it affects an IBM employee and/or facility?
   - How will we track the occurrence?
   - What reporting will be required outside of IBM?
16. What criteria will we use for agreeing to return to business as normal, including internal communications with staff and externally with related agencies?
17. What are the procedures for managing the return to business as normal?
18. How do we handle HR issues?
   - Health and safety of IBM employees (e.g. employees may not want to go to particular locations due to safety concerns)
   - Employees looking after people who become sick
   - Employees who need to look after children because schools have been closed
   - Employees who cannot work from home
19. How do we handle Facilities?
   - Restriction of access for customers, business partners and employees
   - How do we secure a building that has been closed by RESO/CMT?
   - What are IBM's criteria for closing a facility?
20. How will we communicate to employees, customers and business partners?
SWG Pandemic Planning Team Structure

[Organization chart. Labels: SWG WW, Business Infrastructure, Beverley Retjos, Valerie Westphal, AIM, Tivoli, IM, Rational, PLM, WPLC]
Business Continuity Plan Template Review

TABLE OF CONTENTS
1.0 Plan Overview
1.1 Objectives
1.2 Secondary Objectives
1.3 Organization Charts

1.0 Plan Overview
Business Continuity/Pandemic Planning at [site] is designed to provide for the continuity or rapid restoration of our critical business processes. While this program prepares the organization for the unexpected, it also provides an opportunity to document the relevant information that is required to respond to a single point or magnitude of failure.
[This plan must contain (or point to) all critical information related to keeping the business up and operational during the crisis. It must comply with all data privacy laws both in the US and outside the US.]

1.1 Objectives
The intent at the <site> is to focus on continuation of IBM's critical business processes, or in the case of a pandemic, support for IBM's customers where the critical resources are located at <addresses of sites covered>. The goal of the plan is to identify needed teams, systems, applications and communication plans in the event of a severe outage or pandemic emergency.

1.2 Secondary Objectives
- Reduce confusion during any chaotic period by having a defined course of action
- Identify those systems that require priority scheduling
- Establish the personnel responsible for critical system recovery

1.3 Organization Charts
All organization charts will be generated using IBM Bluepages Organization Chart Builder.
2.0 Plan Scope

2.1 In Scope
The Plan document is limited to specified aspects of recovery and continuity of business operations pertaining to this site, and for those products and applications residing at this site. This Plan is classified as a Business Continuity Plan and not a plan for Disaster Recovery. It is a best effort to establish communications among Key Personnel and to ensure Mission Critical Applications and systems are available during an extended period of business disruption due to a severe outage or pandemic emergency.

2.2 Out of Scope
This Plan does not address Vital Business Processes (VBPs).
<Brand> and/or SWG Executive Management may choose the option to test the contents of this Plan.
A designated Alternative Recovery Site that is remote from <site> has not been identified for this Plan. If an Alternative Recovery Site is needed during an extended period of business interruption, IBM RESO and/or SWG executives will be responsible for locating and arranging suitable facilities.
3.0 Dependencies

3.1 Corporate or SWG Dependencies
<Insert dependencies of this plan for services, hardware, personnel, plans, etc. from IBM Corporate teams or Software Group>

3.2 Local Dependencies (site)
<Insert dependencies of this plan for services, hardware, personnel, plans, etc. from the local site>

3.3 External Dependencies
<Document all third party dependencies both in the US and outside the US. This includes working with the appropriate contact to make sure the contract with the 3rd Party includes provisions for support during the severe outage or pandemic emergency. If no provisions are documented in the contract this needs to be addressed with the BU executive>

3.4 Dependencies on other Business Continuity or Disaster Plans
<List all other plans with which this plan interlocks by name and where the plans are located>
Name of Plan | Owning Group or Contact | Location of Plan
4.0 Risks and Gaps
<List all risks and any gaps that currently exist for meeting dependencies, and include mitigation plan location(s) for gaps, risks, etc. Include full filename for documents referenced.>
Risk Owner Mitigation Plan Target Closure
5.0 Triggers for Plan Activation
This Business Continuity Plan may be activated in either an Alert or Crisis/Emergency situation and is activated in a declared severe outage or pandemic situation. This activation process may be initiated internally by IBM-< > personnel and coordinated with various business process teams, or the notification may come directly from the Crisis & Emergency Response Program. The <name of this document> Business Continuity Plan executive <list name of executive> then activates the appropriate < > personnel.

5.1 Bravo Level
Triggers: Level 4; news of external businesses beginning to alter operations
Response:
- Daily monitoring for degrading services
- Infrastructure communications with respect to Infrastructure via WWCC alerts
- Validation of currency of critical personnel, systems, and applications lists
Corresponds to Monitor level: There is sufficient information or the severity of the circumstances does not merit moving to an Alert or Crisis/Emergency status or to a formal declaration of an emergency situation. This may require some modification to daily scheduled workloads, but no mobilization of the business continuity team will be required.

5.2 Charlie Level
Trigger: Impacts being seen on the delivery of operations to IBM
Response:
- Put a Change Freeze on the infrastructure and applications to ensure greatest stability to existing apps
Corresponds to Alert level: The situation is severe but the scope of the incident does not merit moving to Crisis/Emergency status or the formal declaration of an emergency situation. The situation has the potential to escalate into a crisis/emergency or disaster situation. The < > Business Continuity team will be activated for monitoring and response activities.
5.3 Delta Level
Trigger: Sustained impacts on the delivery of operations or large employee absenteeism
Response:
- Activation of the Business Continuity Plan
- Focus on critical business processes ONLY. All non-critical business processes will be suspended
- Continue running services with non-critical business services disabled
Corresponds to Crisis/Emergency level: Situation is severe and most likely will require formal declaration. The full IBM Crisis Management Team and appropriate members of the < > Management team and Site Executive will be activated to execute response/recovery activities. Contingency plans will be executed and technical and business continuity teams will be mobilized.

Additional Levels:

Business Continuity
The severity of the situation requires formal business continuity declaration. The full IBM CMT and appropriate members of the < > Management team and Site Executives will be activated to execute response/recovery activities. Formal declarations will be made at recovery locations, contingency plans will be executed and technical and support recovery teams will be mobilized to recovery sites. Systems will be recovered at an alternate site if necessary. Full mobilization of the business continuity team is declared. IBM SWG and IGS Management declare supporting functions to be in RECOVERY MODE of operation. The scenario for this type of response is the loss of a building on the <site> site or loss of personnel.

Restoration
Following the incident, the appropriate teams and IBM CMT will execute relocation or restoration activities at a recovery site to be determined.
6.0 Business Continuity Steps and Process Flow

Note: Business Continuity Plans could be superseded by government or local authority directives.

General Assumptions

6.1 Define Timeframe
Upon initial report of a severe outage or pandemic emergency, the Crisis Management Team (CMT) is convened to define the timeframe and need for full plan execution (Delta or Crisis/Emergency level).

6.2 Process Implementation Decision
The CMT assesses the safety of current environmental conditions and advises the Site executive, who will make the decision to invoke the business continuity process.
<Insert business continuity plan process criteria>

6.3 Business Continuity Communications Plan
<Define high level communications plan for your site. Communications plan should contain the steps to be executed to contact key personnel, and key personnel should be identified, with contact information; reference external flowchart for guidance>

6.4 Additional Assumptions
At applicable buildings in <site>, access is restricted to essential personnel. People resources are limited due to safety/environmental conditions.
<Insert additional assumptions as necessary>

6.5 Overall Business Continuity Plan Process Steps
<List the high level process steps which are executed upon process implementation. For each task, describe the task, the responsible role, and the steps to be taken. Detailed steps for specific teams are located in Appendix A.>

6.6 Business Continuity Plan Process Exit
Definition of steps for returning to business as usual.
<Insert steps for returning control of business operations to normal owners, including who is responsible for each step, triggers, and timeframes for the events>
7.0 Critical Resources

7.1 Systems and Applications
<List all critical business applications. Include server name, building and room number. If IGA owned/supported application, replace building and room number with IGA.>

7.1.1 List of Critical Applications
Application Name Server Name Location Building/Room Number

7.1.2 Mitigation Plans
<Define Mitigation or Backup plans for each of the critical applications or processes if the systems become unreachable or unusable for any reason or unavailability of key personnel. Include steps and/or location of information>

7.1.3 Procedures for Identifying Configuration, Backup and Restore of Critical Applications
<Identify all hardware configuration of critical hardware and software (including 3rd party software). Define procedures for backing up and restarting critical applications.>
7.2 Key Personnel
BCT (Business Continuity Team): Team designated as accountable for conducting contingency plan(s) walkthroughs. This team may be comprised of (or a combination of):
- IGA Business Resiliency and Continuity Services (BRCS) representatives
- IGA Delivery Service representatives
- BC Coordinator
- Application interface
- Asset owner
- Network operations
- Technical support
- Administrative support
- Disaster assessment/equipment and facilities
- Management team

7.3 How to Get Infrastructure Help
- Getting Telephone Support
- Getting Technical Assistance
- Retrieving Critical Records from Storage
<Insert or point to procedures for each>
8.0 Process for New Acquisitions
Upon the acquisition of a company, a decision will be made on inclusion of the acquired company in an existing or individual site plan.

9.0 Test Plan
<Document walkthrough, technical reviews, etc.>
Appendix A. Detailed Tasks - Teams Identified in Section 7.2
A.1 Tasks for Crisis Response Team
A.2 Tasks for Pandemic Plan Team
A.3 Tasks for Site Business Management Team
A.4 <site> Administrative Management Team
A.5 <site> Back-up Plans Team
A.6 <site> Level 3 Teams

Task # | Description | Complete (Y/N)
<For each appendix item, a table such as the one above is suggested>
Questions

SWG Global e-business Transformation