Solving the Business Continuity Puzzle




Chris Copeland, Assoc. Business Continuity Professional (ABCP)
January 11, 2011

Session Overview
Topics we will cover today:
1. Defining Business Continuity (BC) & Disaster Recovery (DR)
2. Why BC & DR are Important
3. BC / DR Organizations
4. DRII 10 Professional Practices within BCP
5. Where To Go Next
End goal: To share general DR / BC concepts, help you gauge where your needs or interests lie within those concepts, and give you some direction on where to go for more information and guidance in those areas.

Defining BC and DR: Business Continuity (BC)
A program which develops, exercises and maintains plans to enable the organization to:
- respond to a disruption with minimum harm to life and resources
- recover, resume and restore functions within time frames which ensure continuing viability
- provide crisis communications to all stakeholders
A Business Continuity program will answer the following questions:
1. What is a disaster?
2. How much loss can be tolerated?
3. What are the options?
4. How are business functions reestablished?
5. What are our risks?
6. What is the risk mitigation cost?

Defining BC and DR: Disaster Recovery (DR)
The technical aspect of business continuity: the collection of resources and activities needed to re-establish information technology services at an alternate site following a disruption of IT services. Disaster recovery includes the subsequent resumption and restoration of those operations at a more permanent site.
A Disaster Recovery Plan will answer the following questions:
1. What are the company's critical technology services?
2. What resources (people, parts, data) and procedures are needed to recover?
3. What are the recovery time and recovery point objectives (RTO / RPO)?

Why is BC & DR Important: Computer Associates Study
Based on results from 200 companies across North America, the study reveals that the average respondent suffers 10 hours of IT downtime a year.
- During these periods of downtime, respondents estimate that their ability to generate revenue is reduced by nearly a third (29 percent).
- Even after service is restored to critical systems, businesses experience an additional 7.5 hours of compromised operation because of the time it takes to recover lost data.
- 71 percent of companies surveyed said that the IT services affected by outages were mission-critical.
- The departments most likely to experience downtime were operations (62 percent), finance (48 percent) and procurement (39 percent).
- Small companies suffer the most during periods of downtime, showing the least ability to generate revenue (39 percent reduction, compared to 19 percent for medium-sized companies and 28 percent for large companies). A similar pattern emerged during recovery time (23 percent for small companies, 11 percent for medium and 18 percent for large).

Why is BC & DR Important: Symantec Study
Major causes of downtime: When asked what caused their organization to experience downtime over the past five years, respondents reported that their outages were mainly from system upgrades, power outages and failures, and cyber attacks. Specifically:
- 72 percent experienced an outage from system upgrades, resulting in 50.9 hours of downtime.
- 70 percent experienced an outage from power outages and failures, resulting in 11.3 hours of downtime.
- 63 percent experienced an outage from cyber attacks over the past 12 months, resulting in 52.7 hours of downtime.
The study also showed a gap between those organizations that experience power outages and failures and those that have conducted an impact assessment for power outages and failures: surprisingly, only 26 percent of respondents' organizations have conducted a power outage and failure impact assessment.
CA Technologies has published the results of an independent study revealing that North American businesses are collectively losing $26.5 billion in revenue each year as a result of slow recovery from IT system downtime.

Why is BC & DR Important: Regulations
If the risk of downtime and its impacts are not enough, there are approximately 60 regulations or standards for US companies that prescribe BC / DR practices be followed.

BC / DR Organizations
- Disaster Recovery Institute International (DRII), est. 1988, www.drii.org
- Business Continuity Institute (BCI), est. 1994, www.thebci.org
- National Emergency Management Association, est. 1974, www.nemaweb.org
- ASIS International
- British Standards Institution

DRII: 10 Professional Practices in BCP
1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Business Continuity Strategies
5. Emergency Response and Operations
6. Business Continuity Plans
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Audit and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

Program Initiation and Management
Establish the need for a Business Continuity Management (BCM) Program, including resilience strategies, recovery objectives, business continuity, operational risk management considerations and crisis management plans.
Do we care if something hits us?
Key Focus Points:
A) Obtain executive sponsorship for a BC program
B) Identify a BC coordinator and the BC team
C) Define roles and responsibilities
D) Establish a project plan and set expectations

Risk Evaluation and Control
Determine the risks (events or surroundings) that can adversely affect the organization and its resources (people, facilities, technologies) through business interruption; the potential loss such events can cause; and the controls needed to avoid or mitigate the effects of those risks.
What could possibly hit us?
Key Focus Points:
A) Understand management's risk-tolerance level
B) Identify threats, risks, and vulnerabilities to your organization
C) Establish mitigating controls (a cost-benefit analysis will be required to justify the investment in controls)

Business Impact Analysis
Identify the impacts resulting from business interruptions that can affect the organization, and the techniques that can be used to quantify and qualify such impacts. Identify time-critical functions, their recovery priorities, and their interdependencies so that recovery time objectives can be established and approved.
How bad will it hurt?
Key Focus Points:
A) Identify critical business functions
B) Quantify and qualify the costs of downtime
C) Establish recovery time and recovery point objectives
   a. RTO: how long will it take us to restore service?
   b. RPO: how old will the data be when we restore service?
D) Provide cost justification for recovery
A sample BIA link is found in the reference section.
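The RTO and RPO questions above are only useful if a post-incident review actually measures against them. The following Python is an added example, not part of the presentation or of any DRII material: it takes the objectives agreed in a BIA for a few constructed services, plus a constructed incident timeline and the completion times of successful backups, and reports the actual recovery time, the data-loss window (age of the last good backup taken before the disruption), and whether each objective was met. Service names, times and objectives are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass(frozen=True)
class RecoveryObjective:
    """Objectives agreed for one business function during the BIA."""
    service: str
    rto: timedelta  # maximum tolerable time from disruption to restored service
    rpo: timedelta  # maximum tolerable age of the data at the moment of restore


@dataclass(frozen=True)
class IncidentRecord:
    """What actually happened, as captured in the post-incident review."""
    service: str
    disruption_start: datetime
    service_restored: datetime
    # completion times of successful, verified backups (or replication
    # checkpoints); failed or unverified backups are deliberately excluded
    good_backups: Sequence[datetime]


def last_usable_backup(good_backups: Sequence[datetime],
                       disruption_start: datetime) -> Optional[datetime]:
    """Most recent good backup completed before the disruption began.

    A backup that finished after the disruption started may hold partial or
    corrupted data, so it cannot be used to bound the data loss."""
    candidates = [b for b in good_backups if b <= disruption_start]
    return max(candidates) if candidates else None


def evaluate(objective: RecoveryObjective, incident: IncidentRecord) -> dict:
    """Compare one incident against the RTO/RPO agreed for its service."""
    if objective.service != incident.service:
        raise ValueError("objective and incident refer to different services")
    actual_rto = incident.service_restored - incident.disruption_start
    backup = last_usable_backup(incident.good_backups, incident.disruption_start)
    # Data-loss window: how old the restored data is, measured from the last
    # good backup to the moment the disruption began.
    data_loss = None if backup is None else incident.disruption_start - backup
    return {
        "service": objective.service,
        "actual_rto": actual_rto,
        "rto_met": actual_rto <= objective.rto,
        "data_loss": data_loss,
        # No usable backup means the loss is unbounded, so the RPO is not met.
        "rpo_met": data_loss is not None and data_loss <= objective.rpo,
    }


# Constructed BIA objectives for three hypothetical services.
OBJECTIVES = {
    "order-entry": RecoveryObjective("order-entry", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "payroll": RecoveryObjective("payroll", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
    "reporting": RecoveryObjective("reporting", rto=timedelta(hours=24), rpo=timedelta(hours=4)),
}

T0 = datetime(2011, 1, 11, 9, 30)  # constructed disruption time (all services hit at once)

# Constructed incident records; backup schedules differ per service.
INCIDENTS = [
    # hourly backups on the hour, last good one at 09:00
    IncidentRecord("order-entry", T0, T0 + timedelta(hours=2, minutes=45),
                   good_backups=[datetime(2011, 1, 11, h) for h in range(0, 10)]),
    # nightly backup at 01:00
    IncidentRecord("payroll", T0, T0 + timedelta(hours=9, minutes=30),
                   good_backups=[datetime(2011, 1, 10, 1), datetime(2011, 1, 11, 1)]),
    # the only verified backup finished after the disruption, so it is unusable
    IncidentRecord("reporting", T0, T0 + timedelta(hours=6),
                   good_backups=[datetime(2011, 1, 11, 11)]),
]


def run_review() -> list:
    """Evaluate every recorded incident against its service's objectives."""
    return [evaluate(OBJECTIVES[inc.service], inc) for inc in INCIDENTS]


if __name__ == "__main__":
    for r in run_review():
        loss = "unbounded" if r["data_loss"] is None else str(r["data_loss"])
        print(f"{r['service']:12} RTO {r['actual_rto']} met={r['rto_met']} | "
              f"data loss {loss} RPO met={r['rpo_met']}")
```

Running the review shows three different failure modes a BIA owner wants surfaced: payroll restored too slowly (RTO missed), reporting restored quickly but from no usable pre-incident backup (RPO missed), and order-entry meeting both. Reporting is the case that is easy to get wrong by hand: a backup that completed during the outage looks "recent" but does not bound the loss, which is why the code only counts backups finished before the disruption began.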

Business Continuity Strategies
Leverage the outcome of the BIA and the Risk Evaluation to develop and recommend business continuity strategies. The basis for these strategies is the recovery time and recovery point objectives that support the organization's critical functions.
How do we avoid getting knocked down?
Key Focus Points:
A) Identify scope
B) Define continuity and recovery strategies

Emergency Response and Operations
Identify an organization's readiness to respond to an emergency in a coordinated, timely and effective manner. Develop and implement procedures for initial response and stabilization of situations until the arrival of authorities having jurisdiction (if/when they arrive).
What do I do after I get hit?
Key Focus Points:
A) Identify communication processes and procedures
B) Define actions to be taken by employees
C) Document answers to the following questions:
- What should I do in an emergency?
- What do I tell customers?
- Where do I go?
- How do I communicate?

Business Continuity Plans
Design, develop, and implement Business Continuity Plans that provide continuity and/or recovery as identified by the organization's requirements.
Key Focus Points:
A) Identify the "how to" section of the strategies previously defined
B) Document disaster recovery plans
A sample DR plan is found in the reference section.

Awareness and Training Programs
Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement Business Continuity Management.
Tell folks we have a plan, what the plan is, and where to go find it when they forget it. This can be a very involved program or a very simple process, whichever is best for your organization.

Business Continuity Plan Exercise, Audit and Maintenance
Establish an exercise/testing program which documents plan exercise requirements, including the planning, scheduling, facilitation, communications, auditing and post-review documentation. Establish a maintenance program to keep plans current and relevant. Establish an audit process which will validate compliance with standards, review solutions, verify appropriate levels of maintenance and exercise activities, and validate that the plans are current, accurate and complete.
The goal of DR testing is to determine what doesn't work the way we thought it would.
Key Focus Points:
A) An untested plan is equal to not having a plan
B) If your test was 100% successful the first 10 attempts, something's wrong
C) Table-tops and walk-throughs are a good start
D) Perform self-assessments with a scorecard

Crisis Communications & Coordination with External Agencies
Crisis Communications: Develop and document the action plans to facilitate communication of critical continuity information. Coordinate and exercise with stakeholders and the media to ensure clarity during crisis communications.
Coordination with External Agencies: Establish applicable procedures and policies for coordinating continuity and restoration activities with external agencies (local, regional, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes and regulations.

Next Steps for Your BC/DR Planning
Assessment Questions:
- What are my interests or needs in the BC space?
- Does my organization have a BC program?
- How mature is my organization's program?
- Have we ever tested our BC or DR plans?
- Are the majority of the employees aware of our BC or DR plans?
- What can our organization do to be better prepared for a disaster?

References and Tools
References:
- https://www.drii.org
- http://www.drj.com
- http://www.thebci.org
- http://www.continuitycentral.com
- DRII BCLE 2000 course materials
Tools (examples):
- BCP Checklists: http://www.drj.com/new2dr/samples/devchecklistdrj.doc
- DR Plan: http://www.drp.msu.edu/documentation/stepbystepguide.htm
- Risk Assessment Forms: armyrotc.missouri.edu/pdfs-docs/forms/risk_assesment.doc
- BIA Questionnaire: www.acpoc.com/events/.../samplebiaquestionnaire_2008-10-08.doc
- Emergency Response Forms: http://www.drj.com/new2dr/eoc-sample-e_pearce.pdf
- Vendor BCP Questionnaire: http://www.drj.com/new2dr/toolchest/vendorquestions.doc