Business Continuity Planning
Donna Curran, Director, Audit and Risk Management
February 2014
Agenda
Business Continuity Defined
The Importance of a Plan
Determining the Costs
Business Impact Analysis
MTO, RTO and RPO
Business Continuity Plan Components
Roles & Responsibilities
Governance
Disaster Scenario Planning
Training
Workshop
The Importance of a Plan
When responding to any crisis or emergency, it is critical to make sure everyone knows who is in charge and what specific tasks have to be completed.
A BCP is an important part of the toolkit used to earn and keep your clients' trust and confidence.
Your clients expect your company to have a high degree of resilience to unplanned and potential business interruptions.
Determining the Costs
By the numbers:
93% of companies that lost their data for 10 days or more filed for bankruptcy within one year of the disaster, and 50% filed for bankruptcy immediately [1]
20% of small to medium businesses will suffer a major disaster causing loss of critical data every 5 years [2]
This year, 40% of small to medium businesses that manage their own network and use the Internet for more than e-mail will have their network accessed by a hacker, and more than 50% won't even know they were attacked [3]
1. National Archives & Records Administration, Washington
2. Richmond House Group
3. Gartner Group
Business Impact Analysis
The purpose of Business Impact Analysis:
Business Impact Analysis (BIA) is an essential component of a BCP.
It contains an exploratory component to reveal any vulnerability, and a planning component to develop strategies for minimizing risk.
It identifies and documents the critical services for each department.
It supports the ability to restore normal operations quickly, effectively and with minimal impact on the organization's credibility.
Business Impact Analysis is about assigning the right resources to the most critical areas of the business in the event of a disaster.
Core Elements of a BIA
The BIA document should include the following analysis:
Overview of the business function
Impacts of an extended interruption
Interdependencies:
  External service providers that the function is dependent on
  External groups that are dependent on the business function
  Internal department dependencies
Time of greatest risk
Infrastructure and resource requirements
Vital records
Impact on the organization due to interruption of the business function:
  Direct lost revenue
  Direct loss of productivity costs
  Direct company costs (out of pocket)
  Direct client loss ($)
  Legal & compliance
  Reputation
Human resources needed to resume the business function
Voluntary suspension
MTO, RTO and RPO
MTO: Maximum Tolerable Outage. The longest period a business function can be unavailable before the consequences become unacceptable to the organization (also called the maximum tolerable period of disruption, MTPD).
RTO: Recovery Time Objective. The target time within which the function must be restored after a disruption. The RTO must be shorter than the MTO, otherwise a recovery that meets its target still breaches what the business can tolerate.
RPO: Recovery Point Objective. The maximum acceptable loss of data, expressed as the time between the last recoverable copy of the data and the point of disruption. The RPO dictates how often backups or replication must run.
</gre_replace_placeholder>
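The three objectives are only useful if they are checked against each other and against what the backup schedule can actually deliver. The following Python example is added here to show those checks; it is not part of the original presentation. The business function, its objectives, the backup interval and the incident timestamps are constructed values for illustration, not figures from the slides.

```python
"""Consistency and after-the-fact checks for MTO, RTO and RPO.

Added example, not part of the original slide deck. The business
function, objectives and incident timestamps below are constructed
for illustration. MTO = Maximum Tolerable Outage, RTO = Recovery Time
Objective, RPO = Recovery Point Objective.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objectives:
    """BIA recovery objectives for one business function."""
    function: str
    mto: timedelta              # longest outage the business can survive
    rto: timedelta              # target time to restore the function
    rpo: timedelta              # maximum acceptable data loss, measured in time
    backup_interval: timedelta  # how often the function's data is actually backed up


def plan_issues(obj: Objectives) -> list[str]:
    """Return design flaws a reviewer should flag before any incident happens.

    Two rules matter most in practice:
    - RTO must fit inside MTO, otherwise meeting the RTO still breaches
      what the business can tolerate.
    - The backup interval bounds the worst-case data loss; if it exceeds
      the RPO, the RPO is a wish rather than a commitment.
    """
    issues = []
    if obj.rto > obj.mto:
        issues.append(f"{obj.function}: RTO {obj.rto} exceeds MTO {obj.mto}")
    if obj.backup_interval > obj.rpo:
        issues.append(
            f"{obj.function}: backup interval {obj.backup_interval} exceeds "
            f"RPO {obj.rpo}; worst-case data loss is one full interval")
    return issues


@dataclass(frozen=True)
class Incident:
    """Timeline of one real or exercised outage."""
    outage_start: datetime
    last_good_backup: datetime  # most recent restorable backup taken before the outage
    restored_at: datetime


def evaluate_recovery(obj: Objectives, inc: Incident) -> dict:
    """Measure an actual recovery against the objectives.

    Downtime is the gap from outage start to restoration; data loss is the
    gap from the last good backup to the outage start.
    """
    downtime = inc.restored_at - inc.outage_start
    data_loss = inc.outage_start - inc.last_good_backup
    return {
        "function": obj.function,
        "downtime": downtime,
        "data_loss": data_loss,
        "rto_met": downtime <= obj.rto,
        "mto_met": downtime <= obj.mto,
        "rpo_met": data_loss <= obj.rpo,
    }


# Constructed sample (hypothetical): a client payments function with a
# nightly backup, taken offline by flooding late on a Saturday and
# restored on the Monday morning.
PAYMENTS = Objectives("Client payments",
                      mto=timedelta(hours=48),
                      rto=timedelta(hours=24),
                      rpo=timedelta(hours=4),
                      backup_interval=timedelta(hours=24))
FLOOD = Incident(outage_start=datetime(2014, 2, 8, 23, 0),
                 last_good_backup=datetime(2014, 2, 8, 2, 0),
                 restored_at=datetime(2014, 2, 10, 8, 0))

if __name__ == "__main__":
    for issue in plan_issues(PAYMENTS):
        print("PLAN ISSUE:", issue)
    for key, value in evaluate_recovery(PAYMENTS, FLOOD).items():
        print(f"{key}: {value}")
```

Running the sample flags the plan before any incident: a four-hour RPO backed by a 24-hour backup interval cannot be met. The recovery evaluation then shows the flood outcome the plan predicted: 33 hours of downtime (inside the 48-hour MTO but past the 24-hour RTO) and 21 hours of lost data. The same evaluation can be run on the timeline recorded during a tabletop exercise to show whether the objectives in the BIA are realistic.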
Core Components of the Plan
Plan activation
Procedures
Overview & scope
Organization
Roles and responsibilities
Processes
Business Impact Analysis (BIA)
Roles and Responsibilities
BCP Coordinator
Management Team Leader
Admin Support
HR
Recovery Team Leader
Facility Team Leader
Legal
Communications
Finance
Equipment & Supplies
What About the Board?
Disaster Scenario Planning: All The Things That Can Go Wrong
HUMAN: Biological Contamination; Bomb Threat; Civil Disorder/Riot; Explosion; Hacking/Virus Attack; Chemical Spill; Terrorism
TECHNICAL: Chemical Spill; Communications Failure; Gas Leaks; Heating, Ventilation, Air Conditioning Failure; Malfunction or Failure of Hardware; Power Failure or Fluctuation
NATURAL: Epidemic/Pandemic; Fire; Flooding; Earthquake; Tornadoes / Extreme Storm
Training, Training, Training
Crisis Response Team
Manager
Employee
Tabletop
Simulation
Business Continuity Workshop
The goal, in the event of an unplanned disruption, is to be resilient.
Tabletop Exercise: definition
This is a facilitated group analysis of an emergency situation in an informal, stress-free environment. The Tabletop Exercise is designed for examination of operational plans, problem identification, and in-depth problem solving.
Objectives
Apply common response plans, policies and procedures to the exercise scenario
Collaborate and brainstorm about how you would respond to a business interruption
Validate common sequences of decisions, procedures and tasks
Familiarize participants with recovery roles and responsibilities
Ground Rules
Accept all facts as presented in the scenario
Everyone is free to contribute
Silence indicates agreement
There are no right or wrong answers to any question; discussion is encouraged
Finding problems in a test is a good thing, not a bad thing
SCENARIO BACKGROUND
Background Discussion
Given the information presented in the background, is there any cause for concern for the company?
Would this type of information normally be raised to the attention of executive and/or management?
Who would be responsible for monitoring this situation over the weekend in case anything changes?
Saturday 12:00pm
12:00pm: It has been raining steadily since 5:00pm on Friday, and someone in the building has reported a small leak coming from the ceiling on the 3rd floor.
1:00pm: Building maintenance can't find where the leak is coming from, but has put a bucket underneath the leak.
4:00pm: Additional leaks are found on both the 2nd and 3rd floors, but the source of the leak still has not been determined.
Discussion Questions
Who should be notified of the leaks?
If any decisions need to be made, who would make them?
What actions need to be taken?
Saturday 8:00pm
8:00pm: For the past couple of hours the rain has come down like a tropical rain storm. Streets have started to flood as the storm drains are overflowing from the runoff.
8:30pm: Reports have confirmed that both the Bow and Elbow rivers have flooded their banks and that flood levels are likely to exceed the City's 1 in 100 year flood plans.
10:00pm: Significant flooding is reported in the basement of the office building.
Discussion Questions
Who needs to be informed of the new developments?
Is this a disaster situation at this point?
When does the management team need to be called?
Saturday 11:00pm
11:00pm: Water is found in the computer operations area and at least 2 systems have sustained water damage and shorted out.
11:30pm: Building maintenance has determined that the roof of the building has been damaged, allowing significant water to seep through the building.
Discussion Questions
Who is authorized to call the crisis response team together?
Where would you find the Business Continuity Plan?
Who performs the damage assessment?
Who is authorized to activate the Business Continuity Plan?
Who needs to be contacted to advise that the Business Continuity Plan has to be activated?
Monday 8:00am
8:00am: The media have started calling and would like to know what impact the damage has had on the company.
8:30am: Clients are calling to get a briefing on the situation to understand any impact it may have on their services.
10:00am: The management team is informed that the media has been calling employees at home to find information about what has happened.
1:00pm: The executive is informed that it could take up to six weeks to complete repairs on the building and offices.
Discussion Questions
Who is responsible for speaking to the media?
Who needs to approve the communications being released to the media?
How do you ensure only authorized people are speaking to the media?
2 Weeks Post-Incident
All business functions have been restored to at least 90% capacity.
You have received confirmation that 50% of the paper records have been damaged beyond repair.
Repairs to the office building have begun and are on schedule to be completed in another 4 weeks.
Discussion Questions
Once the renovations are complete, how do you prioritize the restoration of business functions?
Who is in charge of coordinating the return of business functions?
A Final Thought
"Plans are nothing; planning is everything." -- Dwight Eisenhower
Your Thoughts
Questions
Donna.Curran@celero.ca