WHITE PAPER

Business Continuity and Disaster Planning
A guide to preparing for the unexpected

Robert Drewniak
Director, Strategic & Advisory Services

Disasters are not always the result of high winds and rain. In the past two years, 52% of businesses experienced an unforeseen interruption, and the vast majority (81%) of these interruptions caused the business to be closed for one or more days.
Source: 2009 Disaster Recovery & Business Continuity Survey

As healthcare's reliance on technology increases, so does the need to ensure that critical systems and processes can be recovered quickly after operational interruption and/or disaster. As a result, Business Continuity Planning (BCP) is becoming a priority. This is not just an IT issue. CEOs, CIOs, risk managers, compliance officers and security officers are becoming more aware of the need to take strategic and proactive actions to protect their organizations. By developing and implementing a comprehensive Business Continuity Plan (BCP), the organization can minimize its overall risk of outages, operational down time and loss, resulting in improved patient care reliability and operational stability.

Industry Semantics

There are various industry terms to describe the effort to mitigate the negative effect of interruptions on operations: Business Resumption Planning, Disaster Recovery Planning, Crisis Management and Business Continuity Planning. Although each is a bit different as outlined below, all require a plan, a process and ongoing training to be effective.

A Business Resumption Plan typically describes how to resume operations after a disruption or critical event. A Disaster Recovery Plan primarily deals with recovery of information technology and services assets after a disastrous interruption. Both plans imply an outage in critical operations or services and are essentially reactive in nature.

Crisis Management refers to how an organization will deal with the emergency, disaster or catastrophe during the event. The focus at this stage is to carry on through the crisis, and to mitigate its effects during it.

Recently there has been a move from Business Resumption Planning to Business Continuity Planning, acknowledging that in the healthcare environment, it's not sufficient to resume critical services; they must be provided continuously. Disaster Recovery and Crisis Management focus on rebuilding or alleviating the effects of a disaster, emergency or catastrophe. Business Continuity Planning focuses on sustaining the delivery of services for ongoing operations. If your healthcare organization has a well-structured BCP, it can continue to provide mission-critical services, regardless of the nature of the interruption.

The Business Continuity Plan

A Business Continuity Plan (BCP) is a collection of policies, procedures, protocols and information that is developed and maintained for use in the event of a business interruption. The BCP outlines the steps the organization will be required to take to quickly carry on business and operations. The BCP should
clearly describe the enabling processes required for operations, safety and workflow. The benefits of the BCP are far reaching: from patient safety, compliance and risk avoidance to employee and patient confidence.

The basic elements of a well-planned BCP include a set of practical and realistic steps that begin with the identification of mission-critical systems and processes, and are followed by the actions needed to effectively continue the operations from an interruption/disaster to normal operations. Since most interruptions are isolated to specific areas (geographies, departments, facilities, etc.), the BCP should not be focused solely on organization-wide scenarios. Plans need to be developed and maintained for the huge variety of interruptions that may occur.

Lastly, the BCP involves more than restoring information technology. It is a plan for operational continuity and should ensure that all critical operations are maintained when faced by an interruption.

Developing a Plan

The process in the development and maintenance of a BCP includes the five steps identified in the diagram to the right: Analysis, Solution Design, Implementation, Testing and Acceptance and Maintenance. Although the names for these steps may vary from organization to organization, each is critical for the successful development and implementation of a BCP.

[Figure: Business Continuity Planning Processes (Analysis, Solution Design, Implementation, Testing and Acceptance, Maintenance)]

1. Impact Analysis

There are a few specific analyses that need to be performed prior to developing a BCP:

- Business Impact Analysis (BIA): The objective of the BIA is to identify and distinguish between critical and non-critical operational functions, activities and/or processes. (In healthcare, functions related to patient safety would be considered critical, for example.) The results of the BIA will include recovery requirements for each critical function.
- Threat Analysis: This is a list of potential threats to ongoing operations and the recommended steps to recover from each. Threats include fire, flood, earthquake, sabotage, cyber attack, hurricane, utility outage, etc.
- Recovery Requirements Documentation and Review: Upon completion of the BIA, the operational and technical requirements are documented and reviewed. Reviewers should range from senior leaders to operational end users. All stakeholders should be represented and engaged throughout the plan development process. This review ends with acceptance and sign-off on the documented requirements.
- Dependency Analysis: It is important to identify the internal and external dependencies of critical services.
Internal dependencies include employee availability, corporate assets (equipment, facilities, computer applications, data, tools, vehicles), and support services (finance, human resources, security and information technology support). External dependencies include suppliers, any external corporate assets (equipment, facilities, computer applications, data, tools, vehicles), and support services (facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety services).

2. Solution Design

The purpose of the solution design phase is to identify the most cost-effective restoration solution that meets the requirements from the impact analysis stage. For IT applications, this is commonly expressed as:

- The minimum application and application data requirements
- The time frame in which the minimum application and application data must be available

3. Implementation

Implementation is the execution of the design elements that have been identified in the previous steps. Although testing can occur throughout the BCP development, the unit testing that takes place during components of the implementation should not take the place of organizational testing.

4. Testing and Acceptance

Testing is a critical step in the planning process to ensure organizational acceptance and readiness. It ensures that the business continuity solution satisfies the organization's restoration needs. Testing may include:

- Testing of moves to primary and secondary sites
- Operational manual processes cross over
- Disaster command center call back

If the BCP fails to meet expectations, check for insufficient and/or inaccurate data or requirements, design discrepancies, or solution implementation errors.

5. Maintenance

The BCP is a living document and will need to be reviewed and maintained on a periodic, scheduled basis. Maintenance of the BCP plan/document can be divided into three activities:

1. Confirmation of the information in the document and training for staff members whose roles are identified as critical for response and restoration.
2. Periodic testing and validation that the technical solutions are in fact available and appropriate for recovery operations.
3. Testing and validation to ensure documented operational services for the organization remain unchanged for continuous operations.

These should be performed on a scheduled biannual or annual maintenance cycle.

BCP Strategic Benefits

Well-planned organizations survive with limited impact when interruptions occur, while those that do not plan for these incidents may place their institution in jeopardy. Disasters can and will strike at any time. They may come in multiple forms. They can happen one at a time or all at once. Planning and testing of the identified solutions make the critical difference between successfully managing an incident within acceptable parameters and having a situation that may take days or longer to fix.

It is important that each staff member understands and knows his/her specific task and role during a disruption. This requires consistent and frequent staff training on the processes and solutions outlined in the BCP. Frequent reviews are also required to keep the plan updated.

This preparedness is critical to the strategic goals of any healthcare organization. A BCP:

- helps healthcare organizations fulfill their moral responsibility to protect patients, employees, the community and the environment
- facilitates compliance with regulatory requirements of federal, state and local agencies
- enhances an organization's ability to increase patient safety, reduce financial losses, regulatory fines, loss of market share, damages to equipment, or disruption to service delivery in the event of a business interruption
- reduces exposure to civil or criminal liability in the event of an incident
- enhances an organization's image and credibility with patients, employees, clients, funders, vendors and the community
- may reduce the organization's insurance premiums

BCP Critical Success Factors

1. Governance, leadership, and sponsorship

Ensure that a governance structure (i.e., committee) is in place that will ensure senior management commitment and define senior management roles and responsibilities. The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP.
It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities.

2. User involvement

Remember that the BCP is more than the IT department; all organizations, units and departments should be involved in the development of the plan, from the impact analysis through testing and implementation. Ownership by all staff is needed. Staff's solid understanding and knowledge of the process is imperative for success.

3. Training and testing

BCPs can be smoothly and effectively implemented if and when all employees are briefed on the contents and are properly trained on their individual responsibilities. Continuous training updates and testing should be
developed and scheduled to achieve and maintain high levels of competence and readiness. While exercises are time- and resource-consuming, they are the only method for validating a plan.

4. Acceptance

As part of the quality assurance and acceptance process, reviews of the BCP should assess the plan's accuracy, relevance and effectiveness. It should also uncover areas that need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. Reviews should be coordinated with operational staff, knowledgeable managers and the BCP steering committee.

5. Communication

Ensure that there is a BCP communication plan. The communication process ensures that all employees and affected personnel will have updated information. The communication plan should include links to training and specific organizational unit updates when the BCP is modified and updated. There is no such thing as over-communicating when it comes to addressing the BCP.

In my experience, people have the best intentions of putting together a great BCP. Then, resources and time become challenging constraints that hinder the process. However, based on industry and personal experience, it only takes one incident to put business continuity planning on the short list of priorities. Don't be caught with a skeleton plan; it could place your organization at great (and unnecessary) risk.

About Hayes

Hayes is ranked Top Professional Services Firm by KLAS,* and has won multiple Best in KLAS awards since 2005. Hayes is also ranked in Healthcare Informatics Top 100 and Inc. 5000's list of fastest growing companies. Hayes consultants are subject-matter experts in IT strategic planning, revenue cycle improvement, system implementation and optimization, interoperability and business and clinical operational efficiency. Hayes also offers software solutions to improve efficiency and productivity. To learn more about Hayes services, visit www.hayesmanagement.com or call us at 617-559-0404.

* Source: www.klasresearch.com. 2010 Top 20 Best in KLAS Awards: Software & Professional Services.