Business Continuity / Disaster Recovery from a Business Perspective

1
Business Continuity / Disaster Recovery from a
Business Perspective

• Dan Esser, CBCP, FLMI
• 109 Haywood Ct.
• Columbia, MO 65203
• 573-234-2948
• DEsser5_at_aol.com

2
Not just Computer Back-Up

• IT functionality - limited usefulness if the rest
  of the business is not present.
• Todays primary discussion - non-IT
  functionality.

3
What you get to take with you

• An overview of BCP Structure and Techniques.
• A set of questions you can ask in your business
  to help you gauge preparedness.
• Some Tools and Resources that may be useful.

4
Disaster Fact

• Out of every FIVE businesses that suffer a major
  disaster,
• TWO will never reopen and
• A THIRD will fail within 2 years.
• DRI International

5
BCP Like Life Insurance?

• Uses up resources.
• Only pays off if something bad happens.
• Costs every year - Never Finished

6
Kinds of Risks / Dangers

• Natural
• Proximity
• People
• Environmental

7
Natural Risks

• Earth
• Wind
• Fire
• Water

8
Proximity Risks

• Government Buildings
• Airports / Heliports
• Industries using Chemicals or Flammables
• Trains
• Highways

9
Risks from People

• Disease
• Bomb Threats
• Workplace Violence
• Cyber Attacks

10
Environmental Risks

• Asbestos
• PCBs
• Mold / Sick Building Syndrome
• Piled up Paper
• Ongoing Construction

11
BCP as Advance Planning

• Business Continuity Planning is at least
  partially the art of making all the decisions
  that can be made in advance of a disaster.

12
BCP - Four Major Components
Life/Safety
BIA
EM R
Departmental Recovery
13
BCP - Four Major Components
Life/Safety Plan
14
BCP - Four Major Components
Business Impact Analysis
15
BCP - Four Major Components
Emergency Management Response
16
BCP - Four Major Components
Departmental Recovery
17
RTOs, RPOs Declaration
Info Tech RTO
Catch-up Processing
Disaster Event
Disaster Declaration
Department RTO
Reconstruct WIP Lost
Stockpiled Transaction Input
Normal Business Activities
GAP
Pre-Processing Opportunity
18
How Important is Information Technology?

• If you can only afford to protect one thing in
  your business, protect your data. You will not
  recover without it.
• Just don't expect that alone to save you from a
  disaster.

19
Functionality is the Issue

• A business must regain process functionality.
• Computers are just a tool.
• They make things faster, but they are not the
  business.

20
Scenario

• You are a Progressive Organization.
• Your Data is Backed up and Off Site - Daily.
• You can Recover from any Disaster that Dares to
  hit you.

21
Scenario

• You are a Progressive Organization.
• Your Data is Backed up and Off Site - Daily.
• You can Recover from any Disaster that Dares to
  hit you.

22
Scenario - 2

• A disaster event fire, flood, anthrax,
  something has made your primary business
  location unusable, either permanently, or for a
  long time

23
Good News - Maybe

• You already have the answers.
• Here are some of the questions to assist your
  planning process.

24
Management Organization

• Where is the default meeting place for senior
  managers if telephones are unavailable?
• Is there a succession plan if several senior
  managers are killed in the disaster?

25
Management Organization

• Who would face the media and regulatory
  authorities?
• Is he or she prepared to do so?
• Is there a backup person?
• Do all others know to NOT talk to the media?

26
Management Organization

• How many days can the company be completely
  down before serious business repercussions are
  inevitable? (loss of customers, employees,
  regulatory intervention)

27
Notification

• How would you contact employees, suppliers, key
  customers, etc. without access to your business
  records?

28
Infrastructure

• How much space would you need and how quickly
  could it be acquired?
• What space is available today in your city?
• Who is in charge of office layout, furniture,
  wiring, etc. and who backs them up if they are
  made unavailable by the disaster?

29
Resource Requirements

• Who has purchasing authority?
• Who is the purchasing backup?
• How quickly would the company need replacement
  resources? Day 1, day 3, etc.?
• Do you know where to get those resources in the
  quantities you need on a rush basis?
• Have you ever tested whether or not those
  suppliers can deliver on a rush basis?

30
Resource Requirements

• What custom documents and forms does the company
  have where the entire supply is on site?
  (checks, envelopes, letterhead, invoices)

31
Advance Agreements

• Who is in charge of liaison with fire, police or
  other emergency authorities?
• Who is his/her backup?
• Have you met with those authorities to determine
  their protocols in emergencies and establish a
  liaison relationship with them?

32
Advance Agreements

• Does the company have arrangements with its
  telephone carrier to place messages on inbound
  lines until they can be answered?
• What messages will you use?
• Who will the telephone carrier recognize as
  having the authority to institute them or make
  changes?

33
Emergency Operations

• How would the company go about setting up an
  Emergency Operations Center?
• Who would staff the EOC?
• Do you have EOC supplies already off site?
  (Sample list in packet)

34
Emergency Operations

• Which critical business functions need to be up
  and running first?
• How long can functions be down before the company
  incurs regulatory scrutiny and penalties?
• How long can functions be down before customers
  abandon you for another supplier?
• What can you do to mitigate this?

35
Financial Preparation

• Are emergency lines of credit in place and the
  authority to access them clearly delineated?
• Does the company have arrangements with its
  bank(s) to continue repetitive payments for a
  short time?

36
Financial Preparation

• Are corporate accounting records and processes
  backed up and documented off site? (Key people
  may not be available after a disaster.)
• Does the company have manual disbursement
  procedures?

37
Salvage

• Did you know that wet records could be
  freeze-dried and often saved?
• Do you have an agreement with someone who does
  that kind of work?
• Do you know who does that kind of work? (See
  list at end)

38
Salvage

• Information from hard drives of smoke or water
  damaged PCs can also be retrieved by experts.

39
Mail

• Mail handling operations are often overlooked.
  What would the company do about lost mail, both
  incoming and outgoing?
• Is there a plan to get mail flowing in an orderly
  fashion after a disaster?

40
Security

• How easy is it for a non-employee to get into
  your office today?
• How would you maintain security at your primary
  site until salvage could be carried out?

41
Departmental Readiness

• Who is the recovery coordinator for each
  department and what preparations have they made?
• What are those things that each department needs
  that may be below the radar of corporate
  planners and not easily obtainable?

42
Departmental Readiness

• Have the departments taken any steps to safeguard
  those things? Every Department should consider
  what kind of problems an off-site box at a
  remote storage facility could save them.

43
Departmental Readiness

• Has each department determined how to recover
  work-in-progress?
• Does each department know what resources it
  requires to resume business operations? (How
  many computers, desks, chairs, file cabinets, fax
  machines, printers, copiers, phones, etc.?)

44
Departmental Readiness

• How quickly would each Department need
  replacement resources? How much on day 1, day 3,
  day 5, etc.? (This is how you build the company
  list.)

45
Departmental Technology

• Is the operating department responsible for
  replacing desktop technology or is IT? Does
  everyone understand that?
• Have you written into your plan the minimum
  hardware/software configuration you require for
  desktop workstations?

46
Resources

• For Clean Up / Restoration
• BMS Catastrophe (www.bmscat.com)
• ServiceMaster (www.servicemasterclean.com/)
• Mobile Office Space / Data Centers / Equipment
• Agility Recovery Solutions (www.agilityrecovery.co
  m)
• Sungard (www.sungard.com)
• Rental Systems (www.rentsys.com)

47
Resources

• Business Continuity Education and Certification
• DRI International (www.drii.org)
• Professional Journals Articles and links to
  vendors
• Disaster Recovery Journal (www.drj.com)
• Contingency Planning Management
  (www.contingencyplanning.com)

48
Resources

• Workplace Violence Resources
• Occupational Safety Health Administration
  (http//www.osha.gov/SLTC/workplaceviolence/)
• National Institute for Occupational Safety and
  Health (http//www.cdc.gov/niosh/violcont.html)
• Minnesota Department of Labor Industry
  Workplace Violence Prevention Resources
  (http//www.doli.state.mn.us/violence.html)
• USDA Handbook on Workplace Violence Prevention
  and Response (http//www.usda.gov/news/pubs/violen
  ce/wpv.htm)