Business Continuity Planning For Research and Development Organizations

1
Business Continuity PlanningFor Research and
Development Organizations
Presented by Steve Davis, Principal, DavisLogic
All Hands Consulting
2
Stuff Happens
How should you help your company maintain
"business continuity" in the wake of disaster?
3
Are You Ready For Anything?
Eighty-one per cent of CEOs say that their
company's plans were inadequate to handle the
myriad of issues arising from the World Trade
Center tragedy
4
Disaster Causes EffectsCommon Causes

• Natural Hazards
• Ice Storm
• Earthquake
• Wind
• Flood
• Lightning
• Snow
• Frost

• Man-made Hazards (Deliberate)
• Theft
• Violence
• Fraud
• Arson
• Malicious Damage
• Strike

5
Disaster Causes EffectsCommon Causes

• Man-made Hazards (Deliberate)
• Riot
• Bomb Damage
• Bomb Hoax
• Terrorists
• Hacking

• Man-made Hazards (Accidental)
• Operator Error
• Explosion
• Fire
• Water Leaks
• Fire Extinguisher Discharge

6
Disaster Causes EffectsCommon Effects

• Man-made Hazards (Indirect)
• Power Failure
• Telecommunications Failure
• Smoke Damage
• Fire Suppression Agents
• Hardware/Software failure

7
Disaster Causes EffectsCommon Effects

• Denial of Service
• Data Loss
• Loss of Personnel
• Loss of System Function
• Lack of Information

• Denial of Access
• Compromised or Corrupted Data
• Damaged Environment
• Productivity Loss

8
Disaster Causes EffectsCommon Effects

• Loss of Control
• Loss of Communication
• Interrupted Cash Flow
• Loss of Image

• Loss of Market Share
• Costs of Repair
• Cost of Recovery
• Lower Morale
• Loss of Profits

9
Special Considerations

• Animals
• Evacuation - where
• Ongoing care and feeding
• Bites/Scratches
• Hazardous Materials
• Bio Hazards
• Radiation
• Chemicals

• Alternate Space
• Wet Labs
• Power Needs
• Containment

10
Terminology
Business Continuity Planning
11
What is BusinessContinuity Planning?

• Planning to ensure the continuation of
  operations in the event of a catastrophic event.

Business continuity planning includes the
actions to be taken, resources required, and
procedures to be followed to ensure the continued
availability of essential services, programs, and
operations in the event of unexpected
interruptions.
12
Business Continuity Planning
13
BC Plan Components
14
Create a Business Continuity Management Team

• Lead by Top Management
• Project BoD Monitors
• Regular Status Reporting to Management
• Broad-based
• Awareness for Everyone

Key Players Senior Officials Facilities/Safety Ris
k Management Legal Finance/Budget Procurement
15
Business Continuity Process

• Assess - identify and triage all threats (BIA)
• Evaluate - assess likelihood and impact of each
  threat
• Mitigate - identify actions that may eliminate
  risks in advance
• Prepare plan for contingent operations
• Respond take actions necessary to minimize the
  impact of risks that materialize
• Recover return to normal as soon as possible

16
Building a BCP Plan
17
Business Impact Assessment

• The purpose of the BIA is to
• Identify critical systems, processes and
  functions
• Establish an estimate of the maximum tolerable
  downtime (MTD) for each business process
• Assess the impact of incidents that result in a
  denial of access to systems, services or
  processes and,
• Determine the priorities and processes for
  recovery of critical business processes.

18
BIA Review Factors

• All Hazards Analysis
• Likelihood of Occurrence
• Impact of Outage on Operations
• System Interdependence
• Revenue Risk
• Personnel and Liability Risks

19
Risk Analysis Matrix
High
Probability of Likelihood
Medium
Area of Major Concern
Low
Low
Medium
High
Severity of Consequence
20
Developing Business Continuity Strategies

• Understand alternatives and their advantages,
  disadvantages, and cost ranges, including
  mitigation and mutual aid as recovery strategies.
• Identify viable recovery strategies with business
  functional areas.
• Consolidate strategies.
• Identify off-site storage requirements and
  alternative facilities.
• Develop business unit consensus.
• Present strategies to management to obtain
  commitment.

21
Contingency Planning Process Phases

• Assessment - organizing the team, defining the
  scope, prioritizing the risks, developing failure
  scenarios
• Planning - building contingency plans,
  identifying trigger events, testing plans, and
  training staff on the plan
• Plan Execution - based on a trigger event,
  implementing the plan (either preemptively or
  reactively)
• Recovery - disengaging from contingent operations
  mode and restarting primary processes of normal
  operations by moving from contingency operations
  to a permanent solution as soon as possible.

22
Evaluating Alternatives

• Functionality - provides an acceptable level of
  service
• Practicality - is reasonable in terms of the time
  and resources needed to acquire, test, and
  implement the plan
• Cost Benefit - cost is justified by the benefit
  to be derived from the plan

23
Emergency Management Planning

• Work with local and regional disaster agencies
  and business associations
• Assess special problems with disasters
• Loss of lifelines
• Emergency response
• Review and revise existing disaster plans
• Look for new areas for disaster plans
• Include Disaster Recovery Planning

24
Elements of a Good Plan

• Prevention, Response, Recovery, Remediation,
  Restoration
• Top Priorities addressed first

25
Elements of a Good Plan

• Action Plan responsibilities clearly defined
• Communication alternatives are considered
• Redundancies are in place

26
Elements of a Good Plan

• Product sources are identified
• Personnel sources are identified

27
Keys to Success

• Vulnerabilities Clearly Identified
• Comprehensive Plan in Place
• Plan Understood, Communicated and Updated
• Tested quarterly
• Adequately funded

28
Disaster Alert If you have advanced warning

• People come first. Provide assistance. Note
  special needs.
• Move or secure vital records/high priority items
  if it can be done safely.
• Screw plywood over windows or use tape to reduce
  shattering.
• Verify master switch shut-off (water, gas,
  electricity) by trained staff.
• Secure outdoor objects.

29
Disaster Alert If you have advanced warning

• Move items away from windows and below-ground
  storage into water-resistant areas.
• Wrap shelves and storage units in heavy plastic
  sealed with waterproof tape.
• Take Emergency Contact Lists, insurance and
  financial data, inventory, emergency plan and
  supplies with you.
• Give instructions on returning to work.

30
Safety First!

• Remain calm. Alert staff to potential hazards.
• Look for loose or downed power lines. Avoid area
  and report problems to local utility.
• Look for electrical damage sparks, broken/frayed
  wires, burning smell. Turn off electricity at
  main switch if you can without risk.
• Shut off water.
• If you smell gas, open a window and immediately
  leave the building. Turn off gas if trained to do
  so. Call gas company at once.
• Do not reenter the building until declared safe
  by security or emergency management officials.

31
Getting Started Off-Site

• Gather staff off-site to assign tasks and review
  priorities.
• Establish a Command Center.
• Create a secure salvage area with necessary
  materials.
• Notify officials of the extent of damage.
• Establish alternative work sites.
• Appoint a PIO to report conditions to public and
  employees.
• Verify amount and terms of insurance, government
  assistance, potential funding.
• Contact service providers for disaster recovery
  equipment and services.
• Arrange for repairs as needed.

32
Stabilize the Building and Environment

• Do not enter without proper personal protective
  equipment.
• Identify structural hazards. Brace shelves.
  Remove debris.
• Stabilize vital equipment or experiments.
• Reduce temperature and humidity at once to
  prevent mold. Use air conditioning or commercial
  dehumidification.
• In cool, low-humidity weather open windows, use
  circulating fans. If mold is already present, do
  not circulate air.
• Do not turn on heat unless required.
• Remove standing water and empty items containing
  water remove wet carpets and furnishings.

33
Documentation

• Once it is safe to enter the building, make a
  preliminary tour of all affected areas.
• Do not move objects without documenting their
  condition.
• Use a camera to record the condition of property.
  Make sure images clearly record damage. Make
  notes and voice recordings to accompany
  photographs.
• Keep written records of contacts with insurance
  agents and other investigators, and decisions on
  retrieval and salvage.
• Make visual, written and voice records for each
  step of salvage procedures.

34
Retrieval And Protection

• Leave undamaged items in place if the environment
  is stable and area secure. If not, move them to a
  secure, environmentally controlled area.
• If no part of the building is dry, protect all
  objects with loose plastic sheeting.
• Separate undamaged from damaged items.
• Until salvage begins, maintain each group in the
  same condition you found it i.e., keep wet items
  wet, dry items dry, and damp items damp.
• Retrieve all pieces of broken objects and label
  them.
• Check items daily for mold. If mold is found,
  handle objects with extreme care and isolate
  them.

35
Damage Assessment

• Notify insurance representative - You may need an
  on-site evaluation before taking action.
• Make a rough estimate of the area affected and
  the extent and nature of damage. A detailed
  evaluation can slow recovery now.
• Look for threats to worker safety or collections.
  Determine status of security systems.
• Look for evidence of mold. Note how long the
  materials have been wet and the current inside
  temperature and relative humidity.
• Documenting the damage is essential for insurance
  and will help you with recovery.

36
Salvage Priorities

• Irreplaceable items and related documentation.
• Vital information employee and accounting
  records, succession lists, inventories, and data.
  
• Other items that directly support your mission.
• Items that are unique, most used, most vital for
  research, most representative of subject areas,
  least replaceable or most valuable.
• Items most prone to continued damage.
• Materials most likely to be successfully
  salvaged.

37
Indoor Air Quality

• Failure to remove contaminated materials and to
  reduce moisture and humidity can present serious
  long-term health risks.
• Standing water and wet materials are a breeding
  ground for microorganisms, such as viruses,
  bacteria, and mold.
• They can cause disease, trigger allergic
  reactions, and continue to damage materials long
  after the flood.
• Source EPA

38
Some DR Questions

• Do you have an alternate person for every key
  function?
• Do the Fire and Police departments have pre-plans
  including key contact information?
• Are your key technology rooms protected from
  "falling" water?
• Do each of your locations have emergency
  cabinets, first-aid kits, and disaster supplies?
  
• Do you have off-site storage of critical
  documents like contact information and forms?

39
Emergency Response Action StepsThe first 48
hours can make the difference.

• Safety First!
• Getting Started Off-Site
• Stabilize the Building Environment
• Documentation
• Retrieval Protection
• Damage Assessment
• Salvage Priorities
• Adapted from FEMA handout contains details.

40
For More Information

• Contact
• Steve Davis, Principal
• DavisLogic All Hands
• Steve_at_DavisLogic.com
• DavisLogic.com
• AllHandsConsulting.com