Ohio Conference for Payroll Professionals Disaster Recovery
Speaker Bruce E. Phipps CPP 2011 APA Payroll Man of the Year Principal Product Manager US Legislative Analyst ORACLE Corporation bruce.phipps@oracle.com 1-610-729-3586
Agenda Business Continuity Planning Business Impact Analysis Plan Development Plan Execution
Why Plan for a Disaster
Recent Natural Disasters Hurricane Sandy October 22-31, 2012 North American Blizzards November 7-10, 2012 December 17-22, 2012 December 25-28, 2012 Blizzard of 2013 Winter Storm Nemo/Blizzard of 2013 Boston Marathon
Business Continuity Planning Planning focuses on the recovery, resumption, and maintenance of the entire business, not just the technology component.
Business Continuity Plan A comprehensive written plan to maintain or resume business in the event of a disruption; the focus is on recovery capability of business operations and technology components as needed.
Business Continuity Program It is the ongoing management and governance processes supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of operations through planning, exercising/testing, training, maintenance and assurance.
Emergency Response Plan (ERP) Describes the steps to be followed during and immediately after any event that may endanger the lives of employees or cause a business interruption requiring immediate action by management. (Fire/Life/Safety or First Responders)
Crisis Response or Management Plan (CRP/CMP) Describes the process for managing the response to an emergency event which threatens business operations; including the ability to communicate with employees, customers, shareholders, vendors and the media.
Disaster Recovery Plan (DRP) Describes the process to recover from major processing interruptions; focus includes the continuity of IT components, systems, networks, applications, and data.
Business Continuity Elements
Business Continuity Management Practices Process Management Risk Assessment Business Impact Analysis Recovery Strategies Plan Procedures & Development
Business Continuity Management Practices Training & Awareness Plan Testing & Exercising Audit, Maintenance, & Certification Lessons Learned
The Process Executive level sponsorship Sufficient resources and reporting structure Policies and procedures Periodic reporting to exec management
Assessing the Risk Threats Inside & Outside Organization Natural, Technological, Human-Caused, Operational Vulnerabilities & Poor Processes Probability a threat occurs and triggers a vulnerability that impacts operations
Business Impact Analysis BIA provides the foundation for Risk mitigation and cost Recovery alternative analysis Plan development Maintenance, testing and exercising
Critical Paths Impact to Business
Determining Impact Who? Across the Enterprise All functional areas The Right Participants Provide Assessment Knowledge of Implications Reference Specifics Executive Level Input is Critical
Determining Impact How? Comprehensive View of Worst Case Scenario Functions and Processes Critical and essential Impacts over time Prolonged Outage Operational and financial issues Resource dependencies People and technology Outage tolerance Loss of functionality Backlog Impact of lost data Impact: Staff, Facility, Technology, Information
Recovery Objectives Recovery Time Objectives (RTO) How long can we go without? Recovery Point Objectives (RPO) How much data can we lose? Required Resources People, workspace, IT, records, supplies, etc.
Business Impact Analysis: 4 Ws + H Who needs to be involved What needs to be done Why it needs to be done Where it needs to be done How it will be done
Recovery Alternatives Risk Assessment & BIA help in identifying potential recovery alternatives One size does not fit all Many alternatives should be considered Balance of risk acceptance and cost Management decides the alternatives to be used
Recovery Windows
Recovery Cost Balancing
Plan Development Response: Responding to the event Resumption: Resuming critical and essential functions Limited Service Offering 60%??? Recovery: Resumption of non-critical functions Full / Near-full Service Offering 90%??? Restoration: Back to the Norm
Plan Elements Right People. Right Place. Right Time. Team structure Employee rosters Tasks/Functions Vendors/Non-Vendors Locations Resources (supplies/other items) Miscellaneous
Types of Plans Crisis Management or Response Plan Business Continuity/ Recovery/ Resumption Plan Disaster Recovery Plan Pandemic or Workforce Continuity Plan
Crisis Management Plan The Action Plan Command and Control Detailed Checklists for Management Decision-Making Following a Disaster (Human & Facilities Related) Policies & Procedures Facilities Evacuation, Assessment, Movement Human Resources - Sick Leave, Worker's Compensation, Privacy Media Handling Call Trees/Lists Employees, Customers, Vendors & Media Notification scripts and priorities
Business Continuity Plan Alternate Step-by-Step Procedures for operating critical business functions on-site & offsite after a disaster Minimal Operational Resources to maintain operations with a minor reliance on people and IT Pre-Position Operational Resources at alternate sites Communication and contact information
Disaster Recovery Plan Illustrates how IT supports the business Step-by-step procedures to ensure the recovery of each critical component of the IT infrastructure Hardware Data (electronic and paper) Applications Telecommunications Specialized Equipment Supplies Communication and contact information
Pandemic Plans Workforce Continuity Workforce: Reduced workforce available Duration of the pandemic (waves vs. returning to normal) SARS Technology: H5N1 H1N1 Social distancing (telecommuting vs. dislocation) Facilities cleanliness and supplies Delays in service Increased usage in suburban areas Financial Services: Supply Chain: Internal, external, business partners, government Impact on smaller and international institutions Impact on time sensitive and complex functions Stress on the Health Care System Degraded service levels Operational infrastructure
Plan Testing - Why? Determine unknowns Testing and exercising verifies plan Creates awareness & readiness
Testing & Exercising Test at least once a year Systems, applications, data recovery, and telecommunications Work area / offsite facility Work Around procedures Document tests Identify gaps Identify mitigating solutions Update plans
Testing & Exercising Checklist: Verify backup tapes are at offsite; Walkthrough: Fire drill; Table Top: Simulated chemical spill; Component: Call tree drill or work from home; Functional: Verify transaction processing via DR application or ability to work at offsite facility
THANK YOU