Neil Jarvis
Head of IT Security & IT Risk
DHL

From reputation to data loss - how important is business continuity?
Neil Jarvis
Head of IT Security (EMEA)
DHL Logistics IT Security
Taking Care of Business

Objectives
- Understanding why we have Continuity and Disaster Recovery Planning
- Outline in Developing a Business Continuity Plan
- Any Other Questions?

Business Continuity Planning
Planning to ensure the continuation of operations in the event of a catastrophic event.
Business continuity planning goes beyond disaster recovery planning to include the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.

Why do we have Continuity and Disaster Recovery Planning?
- To protect our business and that of our customers
- To reduce unnecessary disruption of our work activities
- To fulfil our obligations to our clients
- To ensure that, if a problem occurs in the Supply Chain or Client Production, we have a process to resolve the consequences
- For us to plan for the unexpected!

Continuity Management
[Figure: Efficiency of Business Continuity Plan and Measures. Axis: time. Labels: Proactive Measures, Business Continuity Plan, Event, Crisis Management, Reactive Measures, Recovery time, Contingency Plan, Back to Normal, Disaster Recovery Plan, Business Continuity. Curves: Recovery With Continuity Planning, Recovery Without Continuity Planning.]

Definitions
- Business Continuity: Is managing the risks to business operations from disruptions.
- Business Continuity Planning: Is how a company prepares for future incidents that could jeopardize the Company and its long-term health. (Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.)
- Business Continuity Plan: Documents how the company will recover and restore, partially or completely, interrupted critical function(s) within a predetermined time after a disaster or extended disruption.
- Continuity Management: Is the management process to help the development of Business Continuity Plans and Disaster Recovery Plans, and to ensure that plans are matched, effective and tested.
- Disaster Recovery Planning: Is the process of regaining access to the data, hardware/software and services necessary to resume critical business operations after a natural, accidental or human-induced disaster.
- Disaster Recovery Plan: Documents how access to data, hardware/software and services necessary to resume critical business operations after a disaster will be undertaken to achieve the requirements of the Business (as defined in the Business Continuity Plan).

Definitions
- Recovery Time Objective: The period from when a disaster is declared to full recovery of critical functions. How long can the operation function without the system? This may require operations to be switched to standalone or paper-based processes. The Business Continuity Plan must define the systems which must be restored and the timescale for restoration.
- Recovery Point Objective: The point in time to which data must be restored in order to resume processing. The Business Continuity Plan must define the amount of data that is required for the operation to continue after a disaster.
- Maximum Tolerable Downtime: The maximum period for which the system can be down before there is a significant impact on the business.

Business Continuity Process
- Assess - identify and triage all threats (BIA)
- Evaluate - assess likelihood and impact of each threat
- Prepare - plan for contingent operations
- Mitigate - identify actions that may eliminate risks in advance
- Respond - take actions necessary to minimize the impact of risks that materialize
- Recover - return to normal as soon as possible

Business Impact Assessment
- Identify critical systems, processes and functions;
- Establish an estimate of the maximum tolerable downtime (MTD) for each business process;
- Assess the impact of incidents that result in a denial of access to systems, services or processes; and,
- Determine the priorities and processes for recovery of critical business processes.

BIA Review Factors
- Likelihood of Occurrence
- Impact of Outage on Operations
- System Interdependence
- Revenue Risk
- Personnel and Liability Risks

Risk Analysis Matrix
[Figure: risk matrix with both axes graded Low, Medium, High. One axis is labelled Severity of Consequence; a region is marked Area of Major Concern.]

Prioritise Risk Factors
- Personal Safety Risk
- Services Risk
- Operational Risk
- Revenue Risk
- Liability Risk
- Good Will (Societal) Risk

It's Not Enough Just to Plan
- Use focus groups and brainstorming
- Seek what can go wrong
- Find alternate plans & manual workarounds
- Find innovative solutions to risks
- Contingency plans must be exercised
- Hold tabletop exercises for disasters
- Conduct fire drills of plans
- Train staff for action during emergencies

Scenario Testing
- Develop various scenarios and test your plans against these
- Don't develop plans specifically for scenarios

Other Thoughts
- Functionality - provides an acceptable level of service
- Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan
- Cost Benefit - cost is justified by the benefit to be derived from the plan

Any Other Questions?