Business Continuity: An introduction

1

• Business Continuity An introduction

2

• Purpose
• The sole purpose of Business Continuity is to
• Maintain a minimum level of service while
  Restoring the organization to business as usual

3

• Who needs it?
• Everyone
• Commerce and industry need it to protect the
  customer base
• Charities need it to assure continued funding
• Government agencies need it to assure continued
  funding and existence
• Managers need it to assure their positions

4

• The difference
• The difference between Business Continuity and
  Disaster Recovery
• Business Continuity is PROACTIVE its focus is to
  avoid or mitigate the impact of a risk
• Disaster Recovery is REACTIVE its focus is to
  pick up the pieces and to restore the
  organization to business as usual after a risk
  occurs
• Disaster Recovery is an integral part of a
  Business Continuity plan

5

• Why Business
  Continuity?
• An organization which fails to provide a minimum
  level of service to its clients following a
  disaster event may not have a business to recover
  
• Customers may go to a competitor
• Funding may disappear
• A need may be re-evaluated and deemed unnecessary

6

• What to protect
• Business functions
• Functions which provide products or services
• Critical support functions
• Functions without which the Business Functions
  cannot function (e.g. Facilities, IT)
• Corporate level support functions
• Functions required for effective operation of
  Business Functions (e.g. HR, Finance)

7

• Most important resource
• Personnel

8

• Why people?
• Although there are other critical resources, the
  actual product or service in most organizations
  depends on actions performed by, and decisions
  made by, people.

9

• Who is involved?
• In a word, EVERYONE
• Executive management
• Mid-level managers
• Line personnel
• Support personnel
• Vendors
• Municipal Emergency Management

10

• Management involvement
• Executive management
• Support is required for successful plan
• Provides high-level overview of organizations
  operation
• Provides long-range planning to assure the
  Business Continuity plan compliments the
  organizations Business Plan

11

• Mid-level
  managers
• Provide departmental direction
• Provide department-level overviews
• Provide an insight into external (to the
  department/function) interdependencies
• Offer suggestions on how to enhance critical
  business processes
• Identify risks

12

• Line personnel
• Provide operational details
• Offer suggestions on how to enhance critical
  business processes
• Identify risks

13

• Support personnel
• Provide information about services which assure
  the critical Business Functions can be performed
  at a minimum level of service or better
• Provide information about protecting resources

14

• 
  Support may include
• Accounts receivable
• Accounts payable
• Communications
• Documentation
• Facilities
• Finance
• Human Resources
• IT/MIS
• Janitorial
• Legal
• Mail Room
• Marketing
• Public relations
• Sales

15

• Vendors
• Vendors provide services and
  products
• Courier services and mail
• Communications (telephone, fax, email)
• Insurance (business, health, property)
• Necessities (municipal services)
• Utilities (electricity, fuel)

16

• Emergency Management
• Municipal Emergency management must be
  included in the plan to
• Assure personnel safety
• Mitigate damage from risks
• Train personnel to avoid risks and to protect
  themselves and the organization

17

• No man or department is an island

18

• Protect all to protect one
• In order to protect any single Business Function,
  the enterprise must be protected.
• There are too many easily identifiable
  dependencies to create successful function-only
  or resource-only plans.

19

A few risks

• 
  
• Aircraft accident
• Bond rating
• Civil unrest
• Communications
• Competition
• Customer failure (K-Mart)
• Debris
• Drought
• Electrical failure
• Epidemic

• Espionage
• Fire
• Flood
• Hacked database
• HazMat incident
• Heat
• Hurricane
• Ice
• Industry image (airlines)

20

A few more risks

• 
  
• Internet failure
• Intranet failure
• IT/MIS
• Legal action
• Lender reluctance
• Local statues
• Loss of key personnel
• Rail accident
• Recession
• Regulatory agencies
• Reputation

• Snow
• State law
• Stock value
• Tornado
• Traffic accident
• Vendor failure
• Wildfire
• Work action
• Ubiquitous other

21

• Rating a risk
• Not all risks present the same danger to an
  organization
• Risks are rated based on
• Probability of occurrence
• Impact on the organization

22

• Risk options
• Avoid the risk
• Usually the most expensive option
• Required by some 247365 operations
• Mitigate the risk
• Less expensive than avoidance
• Reduces the impact of the inevitable
• Absorb the risk
• The process or product is antiquated anyway

23

• The plan Part 2
• Create business continuation processes
• Create organization recovery processes
• Create a training program
• Establish a plan maintenance procedure
• Train, train, and train some more

24

• Business continuation
• Business continuation processes are designed so
  the organization maintains at least a minimum
  level of service to assure there will be a
  business to recover
• Each Business and Support function must have a
  continuation plan
• How quickly the process must be functioning
  depends on the maximum allowable outage

25

• Recover the business
• This may be in multiple stages
• Recovery to a minimum level of service
• Recovery to business as usual There may be
  intermediate stages between the two recovery
  stages shown above

26

• Training program
• The training program has two primary goals
• To assure personnel will be able to efficiently
  and effectively respond following a disaster
  event
• To develop self-confidence in the personnel to
  perform their assigned functions

27

• Maintenance
• A plan that lacks maintenance quickly becomes a
  non-plan
• Plan maintenance is based on the calendar
• Plan maintenance is based on trigger events
• Personnel change
• Process, procedure change
• Etc.

28

• Creating a plan
• Do it yourself
• Can you think of everything?
• Can you think objectively?
• Who will review your plan?
• Call a professional
• Experience
• Network to help think of almost everything
• Only objective is to create a successful plan

29
(No Transcript)
30

• 1) Develop a business continuity / disaster
  recovery plan
• - Establish a disaster-recovery team of
  employees who know your
• business best, and assign
  responsibilities for specific tasks.
• - Identify your risks (kinds of disasters
  you're most likely to
• experience).
• - Prioritize critical business functions
  and how quickly these must
• be recovered.- Establish a disaster
  recovery location where employees may work
• off-site and access critical back-up
  systems, records and supplies.- Obtain temporary
  housing for key employees, their families and
• pets.- Update and test your plan at
  least annually.

31

• 2) Alternative operational locations
  Determine which alternatives are available.
  For example
• - A satellite or branch office of your
  business.- The office of a business partner or
  even an
• employee.- Home or hotel.

32

• 3) Backup site. Equip your backup operations
  site with critical equipment, data
• files and supplies
• - Power generators. - Computers and
  software. - Critical computer data files
  (payroll, accounts payable and
• receivable, customer orders,
  inventory). - Phones/radios/TVs. - Equipment
  and spare parts. - Vehicles, boats and spare
  parts. - Digital cameras. - Common supplies.
  - Supplies unique to your business (order forms,
  contracts, etc.). - Basic first aid/sanitary
  supplies, potable water and food.

33

• 4) Safeguard your property Is your property
  prepared to survive a
• hurricane or other disaster
• - Your building? - Your equipment? - Your
  computer systems? - Your company vehicles? -
  Your company records? - Other company assets?

34

• 5) Contact information Do you have current
  and multiple contact
• information (e.g., home and cell phone
• numbers, personal e-mail addresses) for
• - Employees? - Key customers? - Important
  vendors, suppliers, business
• partners? - Insurance companies? - Is
  contact information accessible electronically
• for fast access by all employees?

35

• 6) Communications Do you have access to
  multiple and reliable
• methods of communicating with your
  employees
• - Emergency toll-free hotline? - Website?
  - Cell phones? - Satellite phones? - Pagers?
  - BlackBerry(TM)? - Two-way radios? -
  Internet? - E-mail?

36

• 7) Employee preparation Make sure your
  employees know
• - Company emergency plan. - Where they
  should relocate to work. - How to use and have
  access to reliable methods of
• communication, such as satellite/cell
  phones, e-mail,
• voice mail, Internet, text messages,
  BlackBerry(TM),
• PDAs. - How they will be notified to
  return to work. - Benefits of direct deposit of
  payroll and subscribe to
• direct deposit. - Emergency company
  housing options available for them
• and their family.

37

• 8) Customer preparation Make sure your key
  customers know
• - Your emergency contact information for sales
• and service support (publish on your
  website). - Your backup business or store
  locations
• (publish on your website). - What to
  expect from your company in the
• event of a prolonged disaster
  displacement. - Alternate methods for placing
  orders. - Alternate methods for sending invoice
• payments in the event of mail disruption.

38

• 9) Evacuation order When a mandatory
  evacuation is issued, be prepared to grab and
• leave with critical office records and
  equipment
• - Company business continuity / disaster
  recovery plan and
• checklist. - Insurance policies and
  company contracts. - Company checks, plus a
  list of all bank accounts, credit cards,
• ATM cards. - Employee payroll and
  contact information. - Desktop/laptop
  computers. - Customer records, including orders
  in progress. - Photographs/digital images of
  your business property. - Post disaster contact
  information inside your business to alert
• emergency workers how to reach you. -
  Secure your building and property.

39

• 10) Cash management Be prepared to meet
  emergency cash-flow needs
• - Take your checkbook and credit cards in the
  event of an
• evacuation. - Keep enough cash on hand
  to handle immediate needs. - Use Internet
  banking services to monitor account
• activity, manage cash flow, initiate
  wires, pay bills. - Issue corporate cards to
  essential personnel to cover
• emergency business expenses. - Reduce
  dependency on paper checks and postal service
• to send and receive payments (consider
  using electronic
• payment and remote deposit banking
  services).

40

• 11) Post-disaster recovery procedures
• - Consider how your post-disaster business may
• differ from today. - Plan whom you will
  want to contact and when. - Assign specific
  tasks to responsible employees. - Track
  progress and effectiveness. - Document lessons
  learned and best practices.