Developing a Business Continuity Plan... More Than Disaster

Developing a Business Continuity Plan... More Than Disaster Recovery!
April 19, 2010
UHY / MMA Business Survival Series

Webinar Focus
- Understanding the components of Business Continuity Planning and the resulting Business Continuity Plan (BCP)
- Conducting a BCP Gap Analysis / Risk Assessment
- Developing and implementing your BCP
- Establishing a Disaster Recovery Plan (DRP)
- Testing your BCP, DRP and associated controls

UHY Advisors, Inc.
UHY Advisors, Inc. is the 15th largest professional services firm in the U.S. It provides Business Advisory, Audit and Tax services to a wide variety of companies and industries, with 20 offices located throughout the U.S., including Michigan offices in Southfield and Sterling Heights. UHY International Limited (UHYI) is one of the largest accounting firms in the world, with 198 offices in 65 countries and approximately 6,300 employees.

Definitions
1. Business Continuity Planning (BCP): The creation and validation of a practiced logistical plan for how an organization will recover and restore critical functions within a predetermined time after a disaster or extended disruption.
2. Disaster Recovery (DR): The process, policies and procedures related to preparing for recovery after a natural or human-induced disaster. Disaster recovery includes planning for the resumption of business operations and covers physical facilities, equipment, applications, data, hardware, communications (such as networking) and other critical business processes.
3. Risk Tolerance Level (RTL): A process by which a company determines the risks, vulnerability and impact analysis of various disaster scenarios on critical business processes and/or activities. RTL incorporates:
- Assessing and prioritizing business functions, processes, activities, etc.
- Identifying interdependencies between critical operations, departments, personnel and services
- Identifying potential impacts of uncontrolled, non-specific events on business functions, processes, activities, etc.

4. Recovery Point Objective (RPO): The acceptable time delay associated with systems, data and/or processes before the loss of an activity becomes critical.
5. Recovery Time Objective (RTO): The acceptable amount of time to restore a designated business function.
6. Probable Maximum Business Interruption Loss (PML): Losses, based on a worst-case scenario, that result from a business interruption; a function of Seriousness and Duration.

BCP - Why Bother?
1. Stability: The survival rate for companies that encounter a disaster without a business continuity plan is less than 10%! Only 6% of companies suffering a catastrophic loss survive, while 43% never reopen and 51% close within two years.
2. Financial:
- Contingency Planning Research pegs the average hourly downtime cost at $18,000 for a small business.
- Assume they are off by 90%... that's $1,800/hr... $7,200/24 hrs... $50,400/wk

BCP - Why Bother?
3. It Makes Good Business Sense!
- Uncovers core business weaknesses
- Addresses visible and concealed areas of concern
- Strengthens customer perception
- Separates your company from the competition

Proactive BCP - A Strategy
BCP as an Offensive/Competitive Strategy:
1. Helps your company stand out from others: Business Continuity Standards are coming! ISO 27001, Australian Standard HB 221:2003, NFPA 1600, PAS 56, BS 25999...
2. Creates a business which operates its systems at optimum levels: flexible, with the ability to quickly identify and respond to challenges, threats and disasters.
3. Builds resiliency into your operation: hardened systems fail less often and return more quickly from day-to-day glitches.

BCP - UHY Perspective
From our perspective, the BCP process involves the recovery, resumption and maintenance of the entire business, more than just IT and data. Restoration of IT systems and electronic data is important, but recovery of these systems will not always be enough to restore operations. BCP involves the prioritization of business objectives and critical operations that are essential for recovery.

BCP - Protection From???
Example of a Risk Map (Business Continuity - Protection From?), showing the threats surrounding the business:
- Material Shortages
- Natural Disasters
- Delivery Delays
- Strikes
- Client/Customer Insolvency
- Product Liability
- Terrorist Activities
- Power Failure
- Technological Developments
- Computer Viruses

Business Continuity Planning - Critical Steps
Step 1 - Assessment
Objectives include:
1. Raising awareness
2. Involving all business units / departments
3. Involving all personnel
4. Identifying the critical interactions between people, processes and departments
Examine the company as a whole for conditions and processes that are critical for seamless business operations... a Threat Analysis. The plan is to provide management with a complete picture of processes, dependencies and threats.

Step 2 - Risks, Vulnerabilities & Impact Analysis
Impact Analysis: Assessment of operations to understand and identify precisely what functions, activities, elements, etc. would be impacted should there be a disruption or disaster.
Risk Assessment: Determining the potential losses from a threat versus the cost of protective measures against the value of the asset. How much do we spend to protect? RISK / COST / ROI
UHY's approach is to utilize a Risk Tolerance Level (RTL) strategy to combine Risks, Vulnerabilities and Impacts. RTL incorporates an FMEA (Failure Mode & Effects Analysis) format with:
- SEVERITY (impact on your business)
- FREQUENCY / OCCURRENCE
- Impact on your Customer(s)
Scale is 1 to 10 for each: 1 = No Impact / Never Occurs; 10 = Critical Impact / Daily Occurrence.

Step 2 - Risks, Vulnerabilities & Impact Analysis
RTL #            Reaction Plan
Less than 20     No corrective action and/or additional controls are required.
20 to 40         Risk control(s), including control method, process and frequency, should be reviewed to identify the reaction steps/actions needed to ensure business continuity.
41 to 60         Risk control(s), including control method, process and frequency, should be improved to incorporate actions that will lead to a reduction in the RTL #.
61 to 80         Risk control(s), including control method, process and frequency, indicate a concern regarding business continuity. The control should be improved to reduce the RTL #.
Greater than 80  Represents a Business Continuity concern. The risk and associated control(s) must be improved by implementing actions that will reduce the RTL #.

Step 3 - Recovery Strategies & Actions
Recovery Window: the specific period in which losses become intolerable.
- The shorter the window, the more recovery resources need to be in place and ready.
- For longer windows, the recovery resources can be put into place following the interruption.
It is critical that the recovery resources be:
- Identified
- Listed / Documented
- Pre-Arranged / Pre-Planned
- Tested

Step 3 - Recovery Strategies & Actions
Disaster / Interruption Levels:
- Level I: Interruption, e.g., power is out. Time frame: 1 hour, 4 hours, >24 hours.
- Level II: Vacate the facilities, e.g., fire. Time frame: 1 day, 1 week, 1 month.
- Level III: Facilities gone, e.g., tornado. Time frame: immediate actions.
Business Resumption: establish a Recovery Action Checklist for each scenario... action steps and responsibilities.

Recovery plans must:
1. Identify the resources required to resume a basic level of business operations.
2. Document the skills, equipment, procedures, steps, etc. required by each department/activity.
3. Specify authority, roles and responsibilities to ensure that actions and tasks are managed, completed and communicated.

Step 4 - Interdependencies
Predominant recovery goal: to re-establish essential day-to-day business functions before consequential effects occur.
Key concerns:
- What's the priority and sequence of recovery?
- What should be first, second, third, etc.?
- Which functions are dependent on interacting functions?
Interaction or Process Flow Diagrams can be used to identify dependencies... Risk Mapping / Interactions.

Step 5 - Training and Awareness
Employees need to know and understand:
1. The fundamental requirements of your Business Continuity Plan... who, what, where, when, etc.
2. The documented recovery action steps and their roles and responsibilities... Where do I go? What do I do? What don't I do?
3. The reaction plan based on who is available.
Employee training should be provided on at least an annual basis. Records should be retained.

Step 6 - Testing Plans
BCP testing should be based on the importance of the business process to both the company and the customer base. The testing process should be structured to:
- Incorporate and address the identified risk levels
- Assign and designate roles and responsibilities for testing and reporting
- Demonstrate that the business continuity strategy and recovery action steps have the ability to sustain the business until operations can be re-established

Step 6 - Testing Methods
Testing methods vary from simple to complex, depending on the risk and the complexity of the business process.
- Level I - Structured Walk-Through: used as a training tool and as a test to determine fundamental compliance.
- Level II - Walk-Through Simulation Test: choose a specific event and apply the established recovery actions.
- Level III - Functional Test: performing actual recovery processes as defined in the company's Recovery Action Checklists.
- Level IV - Full-Scale Test: a real-life emergency is simulated as closely as possible.

Step 7 - Maintenance / Sustainability
The final step in developing and implementing a BCP/DRP is maintenance, to ensure sustainability and effectiveness. The resulting BCP/DRP Manual is a living document that must be kept up to date:
- It defines the policies and sets out the steps, recovery actions, roles, guidance, etc. for disaster recovery.
- It must reflect changes in business, staffing, processes, technologies, etc.
- It is reviewed and updated on at least an annual basis.
BCP/DRP Manual... Format

Business Continuity - Cost/Benefit
BCP entails costs... there is no rule of thumb for the level of costs involved. It depends on:
- The nature of the possible losses
- The potential impact
- The probability of the risks occurring
Fundamentals apply... the tighter the safety net and the greater the availability, the higher the costs.
Example... Idle production costs and damage to a company's image as a result of business interruption are compared with the preventive and reactive expenses involved in BCP. Remember the earlier slide... a minimum of $1,800/hour!

Cost/Benefit Example
Suppose we are considering the installation of a backup generator so that our servers can continue operation in the event of an extended power failure. Assume that we lose on average $50k for each extended power failure, and on average there are two such failures a year. The backup generator will prevent all such failures. Calculate the Annualized Loss Expectancy (ALE) by multiplying the Annual Rate of Occurrence (ARO) by the Single Loss Expectancy (SLE):
ALE = ARO * SLE = 2 * $50k = $100k

Cost/Benefit Example
ALE = ARO * SLE = 2 * $50k = $100k
If the annualized cost (taking into account depreciation, training and maintenance) of our backup generator is:
1. Less than $100k... we should install the generator.
2. Greater than $100k... we should accept the risk and not buy the generator.
A business continuity plan is a countermeasure (like the backup generator); its value can be established using the same technique.

BCP... Cost-Benefit
A Business Continuity Plan reduces the probability of failure.
- Assume that it reduces the probability of failure from 5% to 3%.
- Assume the company is worth $20 million.
- The value of our Business Continuity program is the difference between these two valuations, or $400,000.
Is a reduction of failure probability from 5% to 3% unrealistic? It might be substantially more!
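To make the Step 2 scoring and the cost/benefit arithmetic concrete, here is an added Python example; it is not code from the UHY slides. It assumes the RTL # is the product of the three 1-10 scores (FMEA-style), since the slides list the factors but not the combining rule; the reaction-plan bands, the ALE formula and the $400,000 BCP valuation are taken from the slides, and the sample risk register is constructed.

```python
"""RTL # scoring with the slides' reaction-plan bands, plus the ALE cost/benefit test."""
from dataclasses import dataclass

# Reaction-plan bands for the RTL # as stated on the slides (upper bound inclusive;
# None marks the open-ended "greater than 80" band).
REACTION_PLAN = [
    (19, "No corrective action and/or additional controls required"),
    (40, "Review risk controls to identify reaction steps needed"),
    (60, "Improve risk controls to reduce the RTL #"),
    (80, "Business continuity concern: improve the control to reduce the RTL #"),
    (None, "Business continuity concern: risk and controls must be improved"),
]

@dataclass
class Risk:
    name: str
    severity: int         # 1 = no impact .. 10 = critical impact on the business
    frequency: int        # 1 = never occurs .. 10 = daily occurrence
    customer_impact: int  # 1 = no impact .. 10 = critical impact on customers

def rtl_number(risk: Risk) -> int:
    """ASSUMPTION: the three 1-10 scores are multiplied, as in an FMEA risk
    priority number; the slides list the factors but not the combining rule."""
    for score in (risk.severity, risk.frequency, risk.customer_impact):
        if not 1 <= score <= 10:
            raise ValueError(f"{risk.name}: scores must be 1..10, got {score}")
    return risk.severity * risk.frequency * risk.customer_impact

def reaction_plan(rtl: int) -> str:
    """Map an RTL # onto the slides' reaction-plan bands."""
    for upper, action in REACTION_PLAN:
        if upper is None or rtl <= upper:
            return action
    raise ValueError("unreachable: the last band is open-ended")

def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE, e.g. two $50k power failures a year -> $100k."""
    return aro * sle

def worth_buying(annual_cost: float, aro: float, sle: float) -> bool:
    """Install a countermeasure only if its annualized cost is below the ALE it
    prevents; at exactly the ALE the slides give no rule, so this returns False."""
    return annual_cost < annualized_loss_expectancy(aro, sle)

def bcp_value(company_value: float, p_fail_before: float, p_fail_after: float) -> float:
    """Value of a BCP that lowers the probability of failure: 5% -> 3% on a
    $20M company is worth $400,000."""
    return company_value * (p_fail_before - p_fail_after)

if __name__ == "__main__":
    # Constructed sample risk register; the scores are illustrative, not the slides'.
    register = [Risk("Extended power failure", 8, 3, 6), Risk("Delivery delay", 4, 5, 2)]
    for r in register:
        print(f"{r.name}: RTL # {rtl_number(r)} -> {reaction_plan(rtl_number(r))}")
    print("Generator ALE: $", annualized_loss_expectancy(2, 50_000))
    print("Buy generator at $90k/yr?", worth_buying(90_000, 2, 50_000))
    print("BCP value: $", bcp_value(20_000_000, 0.05, 0.03))
```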

BCP... Just Thoughts... Insurance:
- BCP regulates the preventive and reactive action to be taken in a crisis situation.
- Business interruption insurance covers the consequential financial loss of a hazard (e.g. a fire).
- By paying standing charges, the cost of necessary loss-minimization measures and the profits lost, business interruption insurance contributes to the company's economic recovery following a crisis.
Questions... Do we have:
1. The right coverage?
2. Enough insurance?

BCP... Just Thoughts...
The object of business interruption insurance is to cover the consequential loss(es) arising from a business disaster. Business interruption insurance essentially covers three main areas:
1. The net profit that would have been made if there had been no consequential loss.
2. The normal standing charges that still have to be paid and cannot be reduced.
3. The (loss minimization) costs incurred in order to reduce the duration and extent of the business interruption loss.
Terms to understand: PML & SUM INSURED

BCP... To Do List
- Determine risks and business impact for critical processes
- Define business recovery objectives, priorities and expectations
- Define critical, time-sensitive functions and systems
- Incorporate changes into the plan
- Establish the Disaster Recovery Team
- Conduct employee training to test and understand the plan
- Test the plan periodically... make amendments to the plan
- Conduct Business Continuity Audits
- Improve processes to minimize exposure during disruptions
- Optimize operational strategies to mitigate against threats

Questions?
THANK YOU!
Alan Lund, UHY Advisors, Inc., Southfield, Michigan 48034, (248) 204-9447, Alund@uhy-us.com