Business Continuity Planning An Introduction

1
Business Continuity PlanningAn Introduction
Its NOT Business as Usual

• Presented by
• David Kreifeldt
• October 18, 2004

2
IntroductionThis Sessions Goals

• Understand what is included in a Business
  Continuity Plan
• Understand the plan development Project and the
  Business Continuity Process and the differences
  between them

3
Todays Agenda

• Understand why a continuity plan is necessary
• Intro to Business Continuity Planning Basics
• The Business Continuity Planning Project Team
• The Steps in Creating a Business Continuity Plan
• Risk Impact Process Overview
• Overview of Continuity Plan
• Testing Required to Validate Find Problems
• Ongoing Plan Maintenance
• Table Top Exercise
• Questions

4
Is Anyone Prepared for a Disaster?
5
IntroductionWhy Do Continuity Planning?

• Ongoing Business Continuity Planning is Prudent
  and its the RIGHT thing to do
• National War with Terrorists Exists with High
  Potential for Visible Terrorist Disruption
• Business Continuity Plans Must Exist Before
  Expectation of Continuity of Critical Services
  can be Assured
• Unforeseen events disrupt daily functions

6
Weve Moved!!!
7
IntroductionWhy Health-Related Organizations?

• Utah Health Agencies may be affected by a
  regional disaster same as other sectors
• Utah Health Orgs. must be able to recover their
  business critical functions before they can
  perform their primary mission
• Business Continuity and Recovery functions are
  the same as other sectors
• Repercussions for failure to deliver services are
  unacceptable to customers

8
A Simple Backup Plan
9
Who is accountable?

• Senior Management, Boards of Directors, Financial
  Officers, Managers

10
Plan Ownership(Who OWNS the Plan?)

• Each individual Agency Owns the plan and is
  ACCOUNTABLE for
• Providing Business Continuity Project Team, where
  applidcable
• Identifying business Critical functions and
  Acceptable Outage times and Acceptable
  Information Loss
• Developing the complete Business Continuity plan
  steps
• Providing Business Continuity Resources
• Ongoing exercise program
• Until the plan works
• Periodically to validate
• When operational changes occur
• Documenting exercise results
• Ongoing Plan Maintenance

11
Roles and Process
Consultant or Expert Leads
Project Startup Training
Business Leads
Joint Leadership
Risk Impact Assessment
Plan Development
Plan Testing
Plan Activation
Plan Maintenance
Monitoring Plan and Environments for change
Project Management
12
Where Do Agencies Get Support

• Outside Sources
• (ACP) Association of Contingency Planners
• Consultants
• Professional Seminars
• Industry Associations
• Management Provides
• Direction
• Resources Funding
• Priorities
• Involvement

• Other Entities May Provide
• Technology
• Purchasing
• Real Estate
• Personnel
• Auditor support
• Contracted Services
• Etc.

13
Plan Development Steps(Different from
Continuity Plan Steps)

• Project Planning Personnel Identification
• Identify functional requirements
• Risk Assessment
• Develop Business Continuity strategy
• Do disaster/damage mitigation
• Develop plan activation strategy
• Develop Business Continuity operations
• Conduct training
• Perform testing
• Ongoing plan maintenance revision

14
From the VideoNot Business as Usual

• Consider your position - How long could you
  survive? And, At What Cost?
• What are Most Critical Resources needed to
  Prevent/Reduce Losses?
• How will you Protect Inventory/Service
  Capability?
• Do you have a Plan to Resume Production/Service?
• Develop a List of Things Needed to Restore
  Business Functions.

15
-- Things Needed -- for Successful Recovery

• People Those with Knowledge and Authority
• Information Ready Access to Essential Data
• Stuff Things People Need for Crisis Operation
• Space Prepared and Usable for all Recovery
  Activities for Business
• Continuity Plan (or Script) Who does What,
  Where, When,
  and How (Why has
  already been determined)
• Pre-Disaster Management Involvement Provide
  Recovery Resources and Ongoing Support

16
Plan Development Sequence

• Plan for Business Critical Functions First
• Perform Risk Assessment / Impact Analysis for
  Critical Departments/Functions
• Identify and consider Viable Recovery
  Alternatives for Business
• Select best alternative Consider cost,
  probability, controlled circumstances, future
  needs, etc.
• Create a Draft Plan strategy for review by
  others
• Finalize document and test from plan

17
Dont Be Afraid to Start!!
18
Recovery Plan First Step

• Perform Impact or Risk Analysis
• Understand all the normal Business processes
• Identify the business critical processes
• Prioritize the business critical applications
  that support business critical processes
• Understand the components and systems used in
  those processes
• Identify and evaluate the points of failure
• Estimate the total impact of the loss of the
  process for various periods of Outage
• Determine Acceptable Outage limits

19
Risk/Impact Analysis

• Identify Business Critical functions
• Consider special processes or equipment
• Quantify Loss Materiality or Impact ( or
  function)
• What are the effects of the outage
• Financial, loss of reputation and public
  confidence, etc
• Quantify Probability of loss (or threat)
  occurring
• What could happen and how likely is it?
• Identify the Threat Direction (Outside
  Environment, not just inside the Business)
• Increasing, stable or decreasing?
• Identify existing Controls (or lack of them)
• Determine True Risk and Action Level

20
Determining a Risk Level
Cost /Expense
Moderately High

High
Moderate
Moderately High

Moderately Low
Moderate
Moderately Low
Moderate

Low
High
Medium
Low
Probability
21
Develop Action Plans to Control the Risk

• High Risk Level Critical
• Immediate Action required to to reduce/control
  risk
• Continuity Plan Development Required Immediately
• Moderate Risk Level Planned Actions
• Planned Actions to control the risks
• Continuity Plan Development required soon
• Low Risk Level Acceptable
• Meets Requirements
• Continuity Plan to be Developed Later

22
Continuity Plan Includes

• Identification and Preparation of a Recovery
  Control Location
• Business Continuity Steps and Activities
• Various Notification Lists
• Who activates the plan under what circumstances
• Management Succession Trees
• Vendors and other contacts
• Critical Customers and Suppliers

23
Continuity Plan -- Overview --

• Recovery Plan Steps

• Appendices
• Changeable information
• Lists
• Inventory Supplies
• Space Required
• Information Technology and Contacts
• Communications
• Locations
• Resources
• Data Backup Strategy

Phase 1 Immediate Response Phase 2 Event
Assessment Phase 3 Notification/Plan
Implementation Process Phase 4 Business
Continuity Preparations Phase 5 Business
Continuity Activities Phase 6 Public
Information Phase 7 Final Report
24
OngoingExercises and Plan Maintenance

• Ongoing Maintenance is Mandatory
• Until plan is exercised satisfactorily, assume
  plan does not work.
• Exercises are Learning Experiences and should
  test the Business performance limits
• Corrections to plan must be made promptly
• Documentation must remain current
• Staff, preparation and contact changes need
  updating
• All changes must go through Change Management
  Process

25
Lessons Learned

• Plans and equipment MUST be funded and in place
  for recovery of business critical functions
• Secondary effects can be worse than original
• Notification plans for key people must be tested
• Plans MUST be regularly exercised to work
• Employee Heroes will emerge during recovery
• Prepare for Media Contact
• Communications links are critical elements
• Its nice (and important) to be lucky

26
Plans Confidential Nature

• Disclosure of Plan Details may compromise the
  Plan
• Keep Plan Details
• Confidential within
• the Business and
• those with Need to Know.

STOP
Continuity Plan is
Business Confidential
27
Tabletop Exercise

• Not Business as Usual!!!

28
Review of Agenda(Did we cover all the topics?)

• Understand why a continuity plan is necessary
• Intro to Business Continuity Planning Basics
• The Business Continuity Planning Project Team
• The Steps in Creating a Business Continuity Plan
• Risk Impact Process Overview
• Overview of Continuity Plan Phases
• Testing Required to validate find problems
• Ongoing Plan Maintenance
• Questions

29
Association of Contingency Planners (ACP)

• National Organization of Business Continuity
  Professionals
• Not for Profit Organization
• Deliverables are self help and mentoring
• Started in 1984
• 22 Chapters nationwide
• Utah Chapter started in 1985
• www.acputah.org

30
Additional Resources

• Federal Emergency Management Agency -
  www.fema.gov (Also can link to State Emergency
  Management Agencies)
• Department of Homeland Security - www.dhs.gov
• American Red Cross - www.redcross.org
• Disaster Recovery Journal - www.drj.com (FREE
  magazine subscription)
• Contingency Planning Management -
  www.contingencyplanning.com

31
Your Presenter

• David R. Kreifeldt
• Business Continuity
• Planning Coordinator
• Utah Dept of Human Services
• 120 N 200 West, Rm331
• Salt Lake City, UT 84103
• 801/538-4239
• dkreifeldt_at_utah.gov