Enterprise Business Continuity Management

1
EnterpriseBusiness Continuity Management

• Utilizing Collaboration in
• The state of Washington
• Business Continuity Program
• Small Agency Presentation August 21, 2006
• Judy Sweet, CBCP
• Washington State Enterprise Business Continuity
  Program Manager

2
Business Continuity Program Purpose

• The State of Washington must maintain confidence
  of its constituents, and ensure continued
  operation of vital government services when an
  incident has caused, or has the potential to
  cause, significant consequences.
• The Business Continuity Program will provide the
  framework to develop an enterprise approach and
  coordinate agency efforts to minimize business
  interruptions, and create a state of readiness,
  so that agencies can respond to and recover from
  events, resuming vital services as quickly as
  possible.

3
Business Continuity Milestones

• Enterprise Executive Symposium
  6/2005
• Enterprise BC Software Tool Installed
  7/2005
• Business Continuity Initiative Project Kickoff
  8/2005
• Statewide BC Work-sessions Begin
  9/2005
• Regular BC Work-sessions Concluded
  6/2006
• Statewide BC Program Sustaining BC Model
• Statewide BIA
• Statewide COOP Development
• Enterprise Solution Development
  

4
Business Continuity Planning Objectives

• Minimize service interruptions, to acceptable
  levels
• Understand your agency services
• Collaborate with other agencies
• Incorporate Best Practices
• Utilize common planning framework
• Identify high impact areas
• Based on risk intelligence
• Execute an Enterprise strategy to prioritize and
  mitigate risk.
• Account for dependencies across agencies
• Capitalize on economies of scale

80 Business and 20 Technology
5
Business Continuity Management (BCM)Answers . . .

• What is an incident / disruption / disaster?
• What are the impacts over time?
• How much loss can be tolerated?
• Risk Threshold, Tolerance
• What can be mitigated?
• Work-around, Enterprise solutions
• How to reestablish business services?
• Activate response plans
• What is required?
• Resources, time, people/skill sets, procedures,
  dollars
• How much is enough?
• Balance options Proactive verses Reactive

6
Bottom Line BCM Program Umbrella

• Sustain Protect
• People
• Property
• Information
• Operations
• Gov. Services

BCM provides a balance between acceptable
potential losses and acceptable onetime and
annual costs.
7
Business Continuity

• Investments in business continuity should be
  prioritized based on analysis of risks and
  impacts over time.
• Create Value in Operability.
• Be Positioned to be successful.

8
BIA Snapshot of Business Drivers
9
Sample Business Impact Analysis Deliverable

• A typical graph showing impact vs. recovery
  time, which visually assists with risk mitigation
  prioritization.

WSP Computer Dispatch
Prison Control System
Dam Inspection Services
Drinking Water Safety
HAZMAT
State Payroll
Militarys Dispatched Resources
Firearms Licensing
Impact
State Warrants
3 days
5 days
24 hrs
12 hrs or lt
2 days
Time
10
Notional Business Continuity Event Life Cycle
Normal Operations
Capability
Time
11
Notional Business Continuity Event Life Cycle
Service Disruption Occurs
Normal Operations
Problem Mgmt Response
Recovery
Capability
Time
Proactive BC Activities
Reactive BC Activities
Modified U.S. DoD graphic
12
Business Continuity Planning (Will incorporate
NIMS requirements)
13
Types of Plans?
Vital Service Response Plan
COOP Plan
Incident Mgmt Plan
Business Continuity Plan

• Continuity of Operations (COOP) Plan
• Incident Management Plan
• Business Continuity Plan
• Vital Service Response Plans
• Lets put this into perspective!

14
Business Continuity Plan Types Relationships
Continuity of Operations (COOP) Plan
The Continuity of Operations (COOP) Plan is the
roadmap for the highest level of planning within
an agency.

• Alternative Facilities
• Vital Records and Databases
• Human Capital
• Tests, Training, Exercises

• ID of Essential Functions
• Delegations of Authority
• Orders of Succession
• Interoperable Communications

From More General

• Address Full Spectrum of Threats Hazards

to
Incident Management Plan (Sometimes referred to
as Problem or Crisis Management Plan)

• An Agency-wide Perspective
• Repeatable Process Practices
• Incident Alerting, Reporting, Tracking Status

• Involves Investigation, Diagnoses
• Assembly of Incident Command System (ICS)
• ICS Draws on Response Plan(s)) for Resolution

Business Continuity Plan

• An Agency-wide Perspective
• Global Risk Mitigations, Contingencies and
  Responses for Business Operations

Vital Service Response Plan for B
Vital Service Response Plan for . . . n
Specific
Vital Service Response Plan for A

• Specific Action Plan

• Specific Action Plan

• Specific Action Plan

15
Business Continuity Plan Types Relationships
Continuity of Operations (COOP) Plan
The Continuity of Operations (COOP) Plan is the
roadmap for the highest level of planning within
an agency.

• Alternative Facilities
• Vital Records and Databases
• Human Capital
• Tests, Training, Exercises

• ID of Essential Functions
• Delegations of Authority
• Orders of Succession
• Interoperable Communications

From More General

• Address Full Spectrum of Threats Hazards

to
Incident Management Plan (Sometimes referred to
as Problem or Crisis Management Plan)

• An Agency-wide Perspective
• Repeatable Process Practices
• Incident Alerting, Reporting, Tracking Status

• Involves Investigation, Diagnoses
• Assembly of Incident Command System (ICS)
• ICS Draws on Response Plan(s) for Resolution

Business Continuity Plan

• An Agency-wide Perspective
• Global Risk Mitigations, Contingencies and
  Responses for Business Operations

Vital Service Response Plan for B
Vital Service Response Plan for . . . n
Specific
Vital Service Response Plan for A

• Specific Action Plan

• Specific Action Plan

• Specific Action Plan

16
Business Continuity Plan Types Relationships
Continuity of Operations (COOP) Plan
The Continuity of Operations (COOP) Plan is the
roadmap for the highest level of planning within
an agency.

• Alternative Facilities
• Vital Records and Databases
• Human Capital
• Tests, Training, Exercises

• ID of Essential Functions
• Delegations of Authority
• Orders of Succession
• Interoperable Communications

From More General

• Address Full Spectrum of Threats Hazards

to
Incident Management Plan (Sometimes referred to
as Problem or Crisis Management Plan)

• An Agency-wide Perspective
• Repeatable Process Practices
• Incident Alerting, Reporting, Tracking Status

• Involves Investigation, Diagnoses
• Assembly of Incident Command System (ICS)
• ICS Draws on Response Plan(s) for Resolution

Business Continuity Plan

• An Agency-wide Perspective
• Global Risk Mitigations, Contingencies and
  Responses for Business Operations

Vital Service Response Plan for B
Vital Service Response Plan for . . . n
Specific
Vital Service Response Plan for A

• Specific Action Plan

• Specific Action Plan

• Specific Action Plan

17
Business Continuity Plan Types Relationships
Continuity of Operations (COOP) Plan
The Continuity of Operations (COOP) Plan is the
roadmap for the highest level of planning within
an agency.

• Alternative Facilities
• Vital Records and Databases
• Human Capital
• Tests, Training, Exercises

• ID of Essential Functions
• Delegations of Authority
• Orders of Succession
• Interoperable Communications

From More General

• Address Full Spectrum of Threats Hazards

to
Incident Management Plan (Sometimes referred to
as Problem or Crisis Management Plan)

• An Agency-wide Perspective
• Repeatable Process Practices
• Incident Alerting, Reporting, Tracking Status

• Involves Investigation, Diagnoses
• Assembly of Incident Command System (ICS)
• ICS Draws on Response Plan(s) for Resolution

Business Continuity Plan

• An Agency-wide Perspective
• Global Risk Mitigations, Contingencies and
  Responses for Business Operations

Vital Service Response Plan for B
Vital Service Response Plan for . . . n
Specific
Vital Service Response Plan for A

• Specific Action Plan

• Specific Action Plan

• Specific Action Plan

18
Business Continuity Plan Types Relationships
Continuity of Operations (COOP) Plan
The Continuity of Operations (COOP) Plan is the
roadmap for the highest level of planning within
an agency.

• Alternative Facilities
• Vital Records and Databases
• Human Capital
• Tests, Training, Exercises

• ID of Essential Functions
• Delegations of Authority
• Orders of Succession
• Interoperable Communications

From More General

• Address Full Spectrum of Threats Hazards

to
Incident Management Plan (Sometimes referred to
as Problem or Crisis Management Plan)

• An Agency-wide Perspective
• Repeatable Process Practices
• Incident Alerting, Reporting, Tracking Status

• Involves Investigation, Diagnoses
• Assembly of Incident Command System (ICS)
• ICS Draws on Response Plan(s) for Resolution

Business Continuity Plan

• An Agency-wide Perspective
• Global Risk Mitigations, Contingencies and
  Responses for Business Operations

Vital Service Response Plan for B
Vital Service Response Plan for . . . n
Specific
Vital Service Response Plan for A

• Specific Action Plan

• Specific Action Plan

• Specific Action Plan

19
(No Transcript)
20
Collaborative Roles in Enterprise Business
Continuity Planning
Enterprise BC Program Office State of WA

• Subject Matter Expertise
• Standards Practices
• Tools and Templates
• Planning Assistance
• Reporting
• Meeting Compliances

Enterprise Risk Vulnerabilities Status

• Governance
• Policies
• Practices
• Planning Priorities
• Decision Packages

Enterprise Level Planning
1 Enterprise BC Program Office
Planning for Worst-Case Scenarios _at_ Enterprise
(Shared Command) Level

• Risk Mitigations, Contingencies, Responses,
  Recoveries

Agency B
_at_Agency A Level

• BC Developed Capabilities
• Planning For Worst-Case Scenarios _at_ Agency
  Perspective
• CONOPS / COOP NIMS Rqmts
• Risk Mitigations, Contingencies, Responses,
  Recoveries

• BC Developed Capabilities
• Planning For Worst-Case Scenarios _at_ Agency
  Perspective
• CONOPS / COOP NIMS Rqmts
• Risk Mitigations, Contingencies, Responses,
  Recoveries

Agency Level Planning

• BC Instilled across Agency in all Business
  Practices
• BC Exercises Updates (NIMS Rqmts)
• On-going Training

• BC Instilled across Agency in all Business
  Practices
• BC Exercises Updates (NIMS Rqmts)
• On-going Training

150 Agencies, Boards and Commissions
eBRP BC Tool

• Vital Service C
• Risk Mitigations
• Contingencies
• Responses
• Recoveries

• Vital Service F
• Risk Mitigations
• Contingencies
• Responses
• Recoveries

Estimated 200-500 Vital Services
Vital Service Level Planning
1 Enterprise BC Software Administrator
eBRP BC Tool Repository
eBRP BC Tool Repository
Component Plans
lt-------------------------------------------------
--------------------------------------------------
--------------------------------------------------
------gt
21
Inherent Benefits of an Enterprise Business
Continuity Program

• Maintain Commonality
• Develop a Repeatable Process
• Achieve Agency and State Business Objectives
• Share Best Practices
• Rank Priorities
• Mitigate Risk
• Identify Dependencies
• Develop Incident Response/Recovery Plans
• Form Partnerships
• Identify Enterprise Solutions
• Implement Cost/Benefit Contingencies

22
Evolution of Business Continuity Management In
Washington State
Academy Initiative
Effort

• Begin Agency BC Planning
• Refine Framework Templates / Tools
• ID Agency Risks Thresholds
• ID Service Needs
• ID Resolve Issues

BCM Program

• Foster a Repeatable Approach
• ID Agencys Enterprise Risk Thresholds
• Collaborate Prioritizing Needs
• Implement Enterprise Solutions
• Incorporate Incident Management

Time
23
Whats Next?

• Continue development of the BC Framework
  (templates, tools, best practices) Within the BC
  Program
• Apply the BIA across all agencies to
• Identify where the State could best invest
  reduce risk
• Ties to Continuity of Operations COOP (HLS
  NIMS Rqmt)
• Transition to a new Business Continuity Culture
• Setup a Business Continuity Management (BCM)
  Program
• Establish governance along with Roles and
  Responsibilities
• Address Continuity of Operations (COOP) with
  agencies
• Join with EMD efforts providing info on NIMS
  Emergency Response
• Promote Agency/Enterprise collaboration to best
  achieve objectives

24
Participating Agencies

• Department of Personnel
• Department of Corrections
• Department of Health
• Department of Licensing
• Department of Information Services
• Department of Transportation
• Retirement Systems
• Social and Health Services
• Department of Ecology
• Health Care Quality Authority

• Liquor Control Board
• Labor and Industries
• Military Department
• Office of Financial Management
• State Treasurer
• Public Disclosure Commission
• Washington State Patrol
• Clark County
• King County
• City of Seattle

25
Questions?
26
Contact Information

• Judy Sweet, CBCP
• Enterprise Business Continuity Management (BCM)
  Program Manager
• Department of Information Services
• e-mail judys_at_dis.wa.gov (360) 902-3560