Business Continuity Management

1
Business Continuity Management

• IFMA Suncoast Chapter
• Thursday, May 15, 2008

Presented By Paula Green
2
Seminar Objectives

• Overview of Business Continuity Management
• The Status of Business Continuity
• The Business Continuity Model
• Pre-Planning
• Facilities
• Finance
• Communications/Data
• HR/Employees
• External Customers
• Business Continuity Planning Resources
• 5. Real Life Examples
• 6. Q A

3
Overview of Business Continuity Management (BCM)

• A company has the
  responsibility
• first
  to the employees safety and
• 
  security, then to the operations,
• and
  finally to the financial situation.
• Lloyd's Director of Worldwide Markets says,
  "Today's business leaders
• know that the likelihood of a costly risk
  management failure is high.
• Yet while it is encouraging that boards are now
  spending more time
• and resources on risk management, this research
  clearly shows that
• businesses accept they should be doing more to
  recognize and prepare
• for the potentially crippling risks that they
  face.

4
Overview of Business Continuity Management

• With new areas of risk emerging and experts
  predicting that the impact of man-made and
  natural catastrophes will become more severe, the
  research found that
• Over half of companies had at least one 'near
  miss' failure to
• manage risk.
• The amount of time boards are spending on risk
  management has
• risen four-fold in the past three years.
  Although fewer than 30 of
• the Fortune 2000 companies actually have a
  BC plan in place that
• extends beyond IT.
• Boards are now assessing a wider range of
  risks in the light of
• corporate scandals and regulatory
  intervention, terrorist attacks,
• and weather related disaster.

5
Overview of Business Continuity Management

• Defining Business Continuity and Disaster
  Recovery
• Terms are often lumped together, but they are
  different.
• A solid business continuity plan is often
  required to make a
• disaster recovery plan viable.
• Business Continuity the ability to keep
  vital business operations running in the
  event of failure in the existing infrastructure.
  
• When part of the existing infrastructure
  fails.the ability to
• resume operations within a given time period.
  (Power failures,
• network failures, data integrity issues, human
  error, etc.)
• Disaster Recovery is when the infrastructure
  is significantly
• impacted and is no longer available. Most often
  a major natural
• disaster or other act of God.
• How can you anticipate and quantify business
  risks that could impact your companys ability to
  meet its financial objectives?

6
Overview of Business Continuity Management

• Plan for more than the Perfect Storm
• 44 Hardware a system component
  failsservers, switches, disk drives, etc.
• 32 Human Error either a mistake in a
  configuration setting or issuing a wrong command.
• 14 Software and Firmware Errors operating
  systems hanging, introduction of new applications
  to servers, etc.
• 7 Virus/Security Breach often from system
  users downloading files from unsecured sites.
• 3 Natural Disasters

7
The Status of Business Continuity

• Crisis Management Planning
• Which of these statements best describes the
  current state of your organizations crisis
  management plan?
• Responsible executives are identified but there
  is no formal crisis management plan or assigned
  roles and responsibilities.
• Crisis management and emergency response team
  members are identified and a crisis command
  center has been established.
• Crisis management and emergency response team
  plans are informal and partially tested.
• Crisis management and emergency management team
  plans are tested at least quarterly.
• Interpretation Organizations are spending their
  investment in formal crisis management programs
  and are incorporating these plans into their
  testing programs.

8
The Status of Business Continuity

• Management Tolerance Core Recovery Times
• If your core business function operations are
  interrupted, what is your organizations
  tolerance for downtime (i.e. recovery time
  objectivesRTOs) for your most critical
  activities?
• Zero tolerance for downtime
• Less than 2 hours
• Two to eight hours
• Eight to 24 hours
• 24 72 hours
• 72 hours to five days
• Greater than 5 days
• Interpretation Tolerance for downtime continues
  to decline in most organizations, with recovery
  time objectives for core business functions being
  established in hours, not days.
• A conservative estimate pegs the hourly cost
  of downtime for computer networks at 42,000.

9
The BCM Model

• Many companies have strong BCPs that identify the
  process to manage a crisis or disaster, which
  focuses on the loss of a facility
• or technology. But all of these plans are
  dependent upon people.
• The success of these BCPs requires an intact and
  available
• workforce.
• Modern businesses are consolidating facilities.
  
• Duplicity has been eliminated in order to
  reduce expenses and
• increase bottom line.
• Fewer people to do more work creating a
  specialized worker that
• is difficult to replace.
• Desk procedures and training materials are not
  documented or
• distributed which makes training replacements
  difficult in a short
• timeframe.
• The increased trend in outsourcing entire
  business functions,
• especially to overseas firms, presents
  different geographical,
• cultural, logistical, communications and
  employee risks.

10
The BCM Model

• What are the priorities of your organization?
  Corporate goals? (revenue, communications,
  customers, accounting, etc.)
• There are 5 areas of focus within the Continuity
  Plan
• Key Department Pre-Planning
• Facilities
• Communications/Data
• Financial
• HR/Employees
• The development, testing, and implementation of a
  continuity plan involves multiple departments
  within an organization who work together as a
  team. The success of the entire plan depends on
  each departments contribution, participation,
  and execution of the plan.
• Facilities Management Finance
• Risk Management Human Resources
• IT

11
The BCM Model

• Key Department Pre-Planning
• Develop easily understood written procedures
• that support your companys policies.
  Create
• a BCP manual.
• 2. Detail who is responsible for completion and
  any pertinent
• notes. Check off every completed item.
• 3. Who are your key players? What if your key
  players are absent?
• Who calls the emergency? Who is the
  decision-maker on
• unforeseen circumstances? Who is on the
  ground?
• 4. Identify a key spokesperson for the company.

12
The BCM Model

• Facilities - Pre Occurrence
• Develop multiple plans based on the type or scale
  of the disaster including an alternate plan for
  each.
• Review and assess any new or additional security
  requirements needed for buildings, plants, IT
  systems, etc.
• Maintain emergency kits on site, including food,
  water, flashlights and batteries, medical kit, a
  source of heat and a source of communication.
  Make sure people can exist in facility for 3
  days.
• Consider immediate needs, such as new or
  additional office space, warm or cold recovery
  centers.
• 
  

13
The BCM Model

• Facilities Pre Occurrence
• 5. Establish plan for alternate postal
  deliveries if necessary.
• Pre-select vendor partners prior to disaster.
• 7. Dry Run and modify the plan consistently.
• 
  
  

14
The BCM Model

• Financial Pre Occurrence
• Determine whether insurance policies are
  available covering, for example, key
  individuals, other life, property, business
  interruption and disability. Make sure key
  personnel understand and review insurance
  coverage.
• Consider setting up a separate department
  internally to isolate costs associated with
  disaster (for insurance purposes) with
  centralized review.
• Assess your financial status. What is
• your cash position? Cash burn rate?
• Immediate cash needs? Can you access
• the cash?
• Determine assistance available, such as
• credit lines, disaster loans and grants.

15
The BCM Model

• Communications/Data Pre Occurrence
• Ascertain the extent of your communications
  network. Which systems are available post
  disaster? Who has access? How fast can all data
  be restored?
• Keep backup programs and duplicate records
  (financial statements, accounts receivable,
  client information, etc.) at a different, safe
  site. Consolidated, centralized storage with
  storage networking combined with a disk-based
  backup.
• Consider network issues. Can critical technology
  partners be affected?

16
The BCM Model

• Communications/Data Pre Occurrence
• Determine when the last back-up took place. What
  if all power to the data center was lost?
• No system is infallible. Have a back-up plan.
  What if you only have backup tapes and all the
  hardware is gone..how do you recover?
• Determine assistance available, hardware and
  software.

17
The BCM Model

• HR/Employees Pre Occurrence
• Talk to employees about a home emergency kit
  with enough supplies to last 3 days.
• All employees need to understand their potential
  roles within the company continuity plan.
• Distribute two copies of the complete plan to all
  key employees one copy for home, one copy for
  the office.
• Decide how your company will handle paying wages,
  carrying health insurance to reduce the time
  employees are in a state of uncertainty.
• Distribute disaster recovery information to all
  employees in the form of wallet cards or other
  means that are easily accessible (800, text
  messaging, intranet site, etc.)

18
The BCM Model

• HR/Employees Safety During Occurrence
• Execute the Call Tree.
• Identify impacted employees and work to
• locate all employees.
• Identify employees traveling, determine a
• means of communication, consider security
• issues and review travel plans and
  requirements.
• Determine external assistance available, such as
  people and expertise.

19
The BCM Model

• HR/Employees Safety During Occurrence
• Understand the needs of employees families to
  determine whether any support is needed that the
  company can provide. May include extended
  family.
• Organize a system for staying in touch with key
  employees.
• Review and assess any new or additional security
  requirements needed for employees.
• Determine whether temporary housing may be
  needed.
• Assess transportation issues.

20
The BCM Model

• HR/Employees Post Occurrence
• Consider employees, benefits and
• HR issues. Are alternate means of
• payroll delivery necessary?
• Consider health and disability insurance issues,
  life insurance, personal leave, and cash loans or
  advances to employees.
• Consider behavioral issues, such as grief
  counseling, productivity and back-to-normal plan.
  How can you assist your employees working the
  disaster to decompress.
• Can employees be redeployed?

21
The BCM Model

• External Customers Pre Occurrence
• Develop your plan with protecting your companys
  image in mind current customer commitments, new
  customers, communications, etc.
• Identify current and potential clients,
  suppliers, vendors, strategic
• partners, etc.
• Add a force majeure clause to existing contracts,
  customer
• agreements, and vendor programs.
• Communication of the plan is key for customers as
  well as suppliers
• Potential limitations
• Availability and ship times
• Staffing incl. temporary staffing
• Changes in procedures or policies
• Emergency contact procedures
• Alternate communications

22
The BCM Model

• External Customers Post Occurrence
• Assess business status.
• Can you operate right now?
• Determine immediate or pending deadlines,
• due dates, customer and supplier needs.
• Look at operational risks, such as
  work-in-progress, cancellations,
• no-shows, refunds, lost revenues and
  undeliverable materials.
• Understand the operational risks of customers and
  suppliers. Work together where possible to
  minimize the risks to all parties.
• Have you reviewed the BC plans of your
  vendor/suppliers? Have you incorporated their
  recovery objectives into your service level
  agreements?
• 5. Contact competitors. Consider outsourcing
  production to them so you can meet the needs of
  your customers.

23
Business Continuity Planning Resources

• National Information
• Disaster Recovery Journal - DRJ is free. Monthly
  podcasts, international/educational webinars,
  articles, bookstore, semi- annual educational
  conference. www.drj.com
• Disaster Recovery World - Downloadable resource
  for BC templates. BCP, Audit Checklist Risk
  Analysis can be purchased.
• www.disasterrecoveryworld.com
• Disaster Resource Guide - Crisis/Emergency Mgmt.
  business continuity info. Lists Directory of
  Consultants (Meet the Pros) with BCM Vendors by
  category and Whitepapers. The Continuity e-Guide
  is a weekly update of the Disaster Resource
  Guide. www.disaster-resource.com
• IFMA - www.ifma.org

24
Business Continuity Planning Resources

• National Information (cont.)
• Continuity Insights Virtual seminars, annual
  educational conference, bi-monthly magazine
  free E-newsletter. Need to register, but free.
  www.continuityinsights.com
• Modular Building Institute Short/Long term
  modular office space. www.mbinet.org
• Contingency Planning Annual conference,
  educational e-newsletter monthly. Archived
  articles. www.contingencyplanning.com
• Employee Relocation Council Assistance in
  workforce mobility. International. www.erc.org
• Office Business Centers Assoc. International
  Short/Long term office space with business center
  capabilities. www.obcai.org

25
Business Continuity Planning Resources

• National Information (cont.)
• Hot Sites www.availability.sungard.com or
  www.agilityrecoverysolutions.com
• Federal Emergency Management Association (FEMA)
  www.fema.gov
• Buildings.com Information for facilities
  managers. www.buildings.com
• National Institute for Occupational Safety and
  Health - Emergency response resources articles.
  www.cdc.gov/niosh/topics/emergency.html
• Continuity Central Overview of BC Industry,
  News Headlines, how to get started, specific
  disaster recovery steps. www.continuitycentral.co
  m

26
Business Continuity Planning Resources

• Ready.Gov - www.ready.gov/america/local/fl.html
• Get a Kit (preparation)
• Make a Plan (template)
• Education (what you can do to prepare)
• Citizen Corp - www.citizencorps.gov/ - List of
  County and Local Councils (Hillsborough County
  Council listed)
• Mission is to harness the power of every
  individual through education, training and
  volunteer services to make communities safer,
  stronger and better prepared to respond to
  threats of terroism, crime, public health issues
  and disasters of all kinds.
• Continuity of Operations Planning
  http//ready.gov/business/plan/planning.html
• FEMA http//fema.gov/business/bc.shtm -
  Standard Checklist Criteria for Business Recovery
  template

27
Business Continuity Planning Resources

• State and Local Information
• Association of Contingency Planners
  International Network and information exchange.
  Local Chapters Greater Tampa Bay Chapter
  (website under construction). Call Wendi Stevens
  727-214-3449. www.acp-international.com
• Community Emergency Response Teams (CERT)
  Brings 1st responders and citizen volunteers
  together to prepare for and recover from disaster
  situations.
• http//training.fema.gov/EMIWeb/CERT/
• Florida Division of Emergency Management Basic
  Business Plan templates. www.floridadisaster.org
• Tampa Chamber of Commerce Educational Seminars.
• www.tampachamber.com

28
Business Continuity Planning Resources

• Training
• Emergency Management Institute National
  Emergency Training Center (NETC)
  http//training.fema.gov/EMIWeb/IS/
• Business Continuity Institute (BCI) Development
  Tools and Training www.thebci.org

29

• Planning is an unnatural process it is much
  more fun to do something else. The nicest
  thing about not planning is that
• failure comes as a complete surprise, rather
  than being
• preceded by a period of worry and
  depression.
• Sir John Harvey-Jones

30
Q A