Business Continuity Issues Beyond IT

1
Business Continuity Issues Beyond IT

• Business Continuity Forum 2004
• Sotiris Papiotis, CISSP, CISA
• TSRS Manager

27/1/2004
2
Agenda

• What is an emergency
• Events characterized as emergencies
• Companies vulnerability to disruptions
• What is the Business Continuity Management (BCM)
  Process
• Common BCM drivers
• Fundamental BCM components
• Additional but critical BCM components
• Business continuity puzzle and lifecycle

3
What is an Emergency?

• An emergency is any un-planned event that can
  cause deaths or significant injuries to
  employees, customers, or the public or that can
  shut down your business, disrupt operations,
  cause physical or environmental damage, or
  threaten the facilitys financial standing or
  public image
• Source Emergency Management Guide for Business
  and Industry, Federal Emergency Management Agency
  (FEMA).

4
Events Characterized As Emergencies

• Fire
• Explosion
• Flood
• Earthquake
• Winter storm
• Communications failure
• Hardware/software failure
• Virus incident
• Hacking incident
• Terrorist damage
• Employee misconduct

• Operational errors
• Supply chain disruption
• Business partner misconduct
• Civil disturbance
• Employee health and safety scare
• Loss of people and skills
• Damaging corporate image story
• Negative publicity/coverage
• Unknown cause

5
Companies Vulnerability to Disruptions

• Disasters are not more common, but different and
  enterprises are increasingly more vulnerable to
  them
• Increased dependency on technology infrastructure
• Increased dependency on partners their disaster
  could become your disaster
• Individual acts can have far reaching
  consequences
• Dependence on technology and information has
  created new disaster potentials
• In a de-regulated environment, there is a greater
  competitive risk to downtime

6
Business Continuity Among Top Five Risks

• Top five risks cited by bankers

1996 2003
Poor management Complex financial instruments
Bad lending Credit risk
Derivatives Macroeconomic conditions
Rogue traders Insurance
Excessive Competition Business continuity
Source Centre for the Study of Financial Innovation, The Economist, January 24th 2004. Source Centre for the Study of Financial Innovation, The Economist, January 24th 2004.
7
What is the Business Continuity Management
Process?

• a holistic management process that identifies
  potential impacts that threaten an organization
  and provides a framework for building resilience
  and the capability for an effective response that
  safeguards the interests of its key stakeholders,
  reputation, brand and value creating activities
• Source Business continuity management Good
  practice guidelines, Business Continuity Institute

8
Business Continuity Management Process
Source The Business Continuity Institute (BCI)
Business Continuity Management Good Practice
Guidelines
9
Common BCM Drivers

• Legal/Regulatory Requirements
• Disasters Do Occur
• Satisfy an Audit Concern
• Customer/Shareholder/Partner/Employee Concern
• Good Business Practice

10
Fundamental Components of BCM

• Risk analysis and mitigation
• Internal and external threats, liabilities and
  exposures
• Their likelihood of occurring (probability or
  frequency)
• The vulnerability of your organization on these
  threats
• Risk mitigation
• Business impact analysis
• Financial and non-financial impacts
• Critical business processes and systems
• Recovery objectives and minimum required
  resources
• Business continuity strategies formulation

11
Additional but Critical Components of BCM

• Crisis management plan
• Emergency response plan
• Command and control center
• Crisis communications
• Vital records preservation
• Media relations

12
Crisis Management Plan

• Have you developed a crisis management plan to
  assist you
• Maintain organization's reputation and brand
  image
• Maintain public, customer, shareholder, market
  and regulatory confidence and trust
• Demonstrate effective crisis management and
  governance to all stakeholders
• Limit/prevent the impact of a crisis event
• Does it contain
• Plan overview (Scope, objectives, assumptions,
  ownership, process flowchart etc.)
• Emergency procedures
• Roles, accountability, responsibilities and
  authority
• Notification, invocation and escalation
  procedures
• Team members and alternates
• Command and control center location, contact
  details and
  resource profile
• Required internal and external contacts
• Task checklists
• Form/document templates
• Other supporting information

13
Emergency Response Plan

• Have you identified and established roles,
  responsibility, accountability and authority?
• Have you defined procedures and plans for
• Emergency assessment and notification
  of relevant parties
• Evacuation vs Invacuation
• First aid and medical care
• Hazardous material response
• Fire fighting
• Co-operation with public authorities

14
Command and Control Center

• Have you provided for the establishment and
  equipment of a Command and Control Center (on
  site and/or off site) as well as appropriate
  communication protocols and procedures?
• Command and decision authority roles
• Reporting lines and command channels
• Situation assessment
• Formulation of response strategies
• Activation of appropriate resources
• Coordination of outside response teams
• Logging and documentation methods
• (e.g. pre-formatted documents,
• forms, etc.)

15
Crisis Communications

• Communication between
• Emergency responders
• Responders and CC center
• Responders and employees
• CC and external parties (customers,
  shareholders, vendors, suppliers)
• CC and external agencies (local, governmental,
  emergency responders, regulators)
• CC and media

• Communication methods
• Messengers
• Telephone
• Two-way radio
• Pagers
• FAX machines
• Microwave Comms
• Satellite Comms
• Dial-up modems
• LANs WANs
• Hand signals
• Warning systems
• Audible/Visual alarms
• Internal public announcement systems

Have you provided for backup communication
methods?
16
Vital Records Preservation

• Identify and prioritize various documents/forms
  required to resume critical processes
• Formulas and trade secrets
• Engineering plans and drawings
• Personnel files
• Contracts
• Forms
• Develop strategies for their preservation and
  maintenance
• Making copies and moving to backup site
  periodically
• Evacuating to backup facilities during emergency
• Develop procedures for protecting and controlling
  access to vital records
• Develop procedures for retrieving, distributing
  and preparing to use

17
Media Relations

• Designate a trained spokesperson and an alternate
  one
• Setup a media briefing area
• Establish procedures to ensure that information
  is complete, accurate and approved for public
  release
• Determine an appropriate and useful way of
  communicating technical information
• Conduct press briefings and interviews (when
  appropriate)
• Provide press releases when possible
• Do not permit unauthorized personnel to release
  information

18
Business Continuity Plan
Business Continuity Plan
Overview Roles Responsibilities
Supporting material
Notification, Invocation Escalation Procedures
Plan testing, maintenance, distribution and
control procedures
BCM team, CCC Contact Info, RRP
BUR ITDR Plans
Emergency Response and Crisis Management Plans
19
Other Issues To Consider

• Exercising, testing and auditing business
  continuity plans
• Maintenance of business continuity and crisis
  management plans
• Business continuity culture development and
  awareness program
• Insurance coverage and policies
• Business continuity program management
• Business continuity policies and standards

20
The Business Continuity Puzzle
Emergency Management Plan
Physical Information Security
Insurance Plan
Communication Plans
BC Program Management And Culture Development
Crisis Management Plan
Business Unit Recovery
Third Party Relations
IT Infrastructure Recovery
21
The Business Continuity Lifecycle
22
Thank you for your attention!

• Sotiris Papiotis, CISSP, CISA
• TSRS Manager
• Tel 210 2886000
• E-Mail Sotiris.Papiotis_at_gr.ey.com

27/1/2004