Business Continuity Planning: Bridging the Gap Between IT and Business Steve Burns, President EverGreen Data Continuity, Inc. sburns@evergreen-data.com 1
The Hard Facts One-third of businesses don t include a recovery sequence for business functions.... META Group Nearly half of the organizations that lose data as a result of a disaster never re-open and are out of business within 2 years... University of Texas, Center for Research on IS 2
Why Do Plans Fail? The answer is in the question It s a plan, not a program Programs are living and threaded throughout the organization The wrong recovery strategy was chosen It worked for IT, but not the business The technology in the plan is no longer used 3
Continuous Operations vs. Disaster Recovery Disaster recovery is traditionally an IT responsibility Covered IT infrastructure and network communications Business functions require continuous operations How do you bridge the gap? 4
Work Backwards Throw out the traditional way of thinking First Define business requirements and priorities Then Map requirements to infrastructure that supports it applications, systems, voice, networks, data center as an entity 5
How? Conduct a BIA independent of the IT staff BIA from a financial standpoint is only half the story Outage Tolerance Operational Dependency 6
The Business Perspective Get the business perspective on IT usage Perform functions Create critical prioritization of assets and IT infrastructure based on business need Viewpoints Financial Tolerance Dependency 7
IT Recoverability Conduct a Risk Assessment independent of the business staff Review all applications, systems, data centers, storage, high availability, security and disaster preparedness Define true recoverability of the IT infrastructure 8
There is a GAP! Most organizations have a tremendous gap between the time business units say they need critical functions live and how fast the IT staff says they can actually recover the functions. 9
How Do You Close the Gap? Set up a Recovery Task Force Business leaders that identify critical resources, assets and priorities IT leaders that identify system requirements and recovery procedures for critical systems Responsibility to identify interdependencies and their links Reports must outline 4-5 levels of priority 10
Defining Interdependencies Two-Phased Approach Business Process Dependencies Matrix Functions, not departments Two-way dependency IT Dependencies Matrix Recovery procedures of each system, application Two-way dependency 11
Business Continuity Planning Matrix Business Recovery Needs IT Recovery Needs Aligned by RTO and RPO 12
Formulating Recovery Strategies Multiple options hot site, cold site, internal, etc. Blend of: Best technological solution to close the gap from an IT perspective Solutions within budget constraints Close the GAP as much as you can in Year 1 of a 3 year plan to mitigate your risks 13
Business Continuity Planning Goal is to provide an actionable and streamlined Business Continuity Plan for the recovery of business operations and supporting IT Define all organizations, locations, applications, systems, assets Define recovery team structures and responsibilities 14
Business Continuity Workshop Introduce the program to business leaders Business units begin to formulate continuous operation procedures Review recovery procedures with individual business units 15
IT Workshops Introduce project to IT participants Formulate recovery procedures for applications, servers, networks, etc. Review recovery procedures with individual IT participants 16
Emergency Management Workshop Define emergency management team hierarchy Command center procedures Incident response procedures Recovery site activation procedures Communications plans Transportation plans Continuous operation management 17
Final Planning Pieces Develop change management process from an enterprise perspective Assist with management program approval and buy-in Integrate the plan with current business processes 18
Your Business Continuity Plan Chapter 1 BCP Overview Chapter 2 Potential Impacts Chapter 3 Recovery Phases & Organization Chapter 4 EMT and DRC Recovery Team Tasks Chapter 5 IT Recovery Plans Chapter 6 Business Unit Recovery Plans Appendices detailing Command Centers, Contact Lists, Recovery Requirements, Emergency Plans and a Glossary of Terms 19
Plan Testing Disaster simulation and workgroup recovery done together Identify test objectives for IT and business units Document post test report 20
Plan Maintenance Develop programs for all components in program, including risk assessments, BIA, plans and testing Teach BCP Coordinator and other critical staff to successfully manage, update and maintain the overall program 21
Critical Responsibilities Business Unit and IT Leaders (at least one per unit) Provide documentation Attend workshop(s) Define continuous operations for critical processes Manage tasks/responsibilities related to program Timely information turnaround Plan reviews/tabletop exercise Incorporation of change management 22
Pain Points Communication is Key Project Manager and Project Coordinators Lack of Understanding Why are you here, why do you want to know? Timeliness of turnaround When do you need this by? Process, Process, Process Standardize on all data output across the organization Tread Lightly Know your audience Experience Sometimes it s what they don t say 23
It s Easy if You Know How To... Communication is Key Weekly/bi-weekly scheduled reviews Lack of Understanding Pre-engagement summaries and notification schedules Checklists Timeliness of turnaround Defined escalation processes Process, Process, Process Standardize data gathering, analysis and reporting Tread Lightly Coordination of resources with project and unit coordinators Experience Create the best team possible 24
Recipe for Success Internal Software to manage the program Business Continuity program manager Business Continuity Planner 1-2 Administrators for program Internal sponsor from management Or Outsource the entire program to Experts Software Program Management Planners and Administrators at Your Location Monthly Managed Service Fees 25
26