Prepared by Rod Davis, ABCP, MCSA November, 2011
Disaster an event, which causes the loss of an essential service, or part of it, for a length of time which imperils mission achievement. (Andrew Hiles, Business : Best Practices) Rationale for Business Planning
If a terrorist attack targeted a major overseas center? If an ice storm struck a data center rendering several critical IT services unavailable? If an unsecured data server, workstations, and other equipment were confiscated from an overseas center? If a laptop carrying unencrypted data were stolen, potentially compromising personnel and projects? Rationale for Business Planning
The occurrence of some events could cause a temporary disruption of mission-critical services. Some scenarios could actually result in long-term loss of mission-critical capacity. The unthinkable might include disruption or shutdown of programs that these services and capacity support. Rationale for Business Planning
Organizations that experience major data loss without disaster recovery plans* Survive long-term 6% Close within two years 51% Never reopen 43% * Cummings, Haag, & McCubbrey (2005). Management Information Systems for the Information Age. Rationale for Business Planning
Business Planning Crisis Management Emergency Management Disaster Recovery Planning Business Planning
Business Planning a management approved strategic and comprehensive capability of an organization to plan for and respond to events and conditions in order to continue business operations*. It is the most proactive risk management discipline. * The International Consortium for Organizational Resilience, CS SS BCM 3030
6.) Business Plan Maintenance 1.) Risk Assessment 5.) Training, Testing & Auditing 2.) Business Impact Analysis 4.) Business Plan Development 3.) Risk Mitigation Strategy
Risk Assessment Natural/Environmental Threats Fire Flood Hurricane Winter storm Pandemics Tornado Lightning Drought Earthquake Volcano Tsunami Human Threats Fire (accidental or arson) Cyber-attack Data theft or loss Terrorist attack Sabotage/Vandalism Workplace violence Civil unrest & war Chemical or biological hazard Infrastructure Threats Power grid failure Petroleum supply disruption Food or water contamination Public utility failure (water, sewer, etc.) Heating/Cooling system failure (affects IT & people) Public transport disruption Assess the threat landscape and determine relevant threats.
Risk Assessment Threat Assessment Determine the most relevant threats; i.e., pick from the list which threats you should evaluate. Probability Assessment High frequency of electrical storms = high probability of lightning strike. Vulnerability Assessment Lack of lightning rod or surge protection = high vulnerability to a lightning strike.
Business Impact Analysis A process designed to identify and quantify impacts resulting from disruptive events and disaster scenarios. Results include: List of mission-critical functions, processes, & roles; Recovery priorities and their interdependencies Recovery Time Objectives (RTOs) for these priorities
Business Impact Analysis Create a list of the mission s functional areas. Assemble subject matter experts. Identify missioncritical functions, processes, and roles. Identify any external/ internal dependencies. Establish the Maximum Tolerable Outage. Determine the impact on mission of outage.
Risk Mitigation Strategy HR records, IT Recovery Documentation, Corporate Databases Network Operations, Essential IT Dependencies Protect Data and Operations Essential to Recovery Voice & Data Communications Networks
Risk Mitigation Strategy Work at home for key employees Alternate site for missioncritical IT operations Determine Recovery Options Alternate work-site
Business Plan Development Priorities Response and Recovery Vital Records, Databases, IT Services Teams Designated Roles and Responsibilities Contact Information Procedures Recovery of Mission-Critical IT Services Replacement of Critical Equipment Criteria Plan Activation: Transition Point from Emergency Response to Plan Activation Declaration: Disruptive Event to Disaster
Business Plan Development Plan should designate teams, roles, responsibilities; Plan should include actions required on a timeline basis response, recovery, & restoration; Particular attention should be given to protection and restoration of mission-critical processes and services.
Training, Testing & Auditing Testing Tests Information Technology & Telecommunications dependencies to find design flaws Exercises Reveals potential points of failure in the Business Plan Training Develops familiarity with the Business Plan and competence in its execution. Business Plan
Business Plan Maintenance Modify Business Plan Establish Audit Points to Monitor Feedback to Business Coordinator Monitor Exercises & Tests
Business Planning is... Project Initiation project oriented ongoing Business Plan Maintenance Risk Assessment multi-phased Training, Testing, Auditing Business Impact Analysis requires testing Business Plan Development Mitigation Strategy Development iterative