Business Continuity Planning

Introduction
BCP/DRP
Course Objectives
By the end of this course, you will learn The meaning of BCP and DRP Risk Assessment Business Impact Analysis BCP and DRP development process
Course Contents
Introduction Section I: Section II: Section III: Section IV: Section V: Section VI: Section VII: Section VIII: Summary
3
BCP and DRP Overview Project Initiation Risk Assessment Business Impact Analysis Risk Mitigation Strategy Plan Design and Development Testing and Training Plan Maintenance
BCP/DRP 4
BCP/DRP
Section 1 BCP/DRP Overview
Section I - Introduction
Section I Objectives
In this section we will cover Defining Business Continuity and Disaster Recovery Cost of Planning Types of Disasters BCP and DRP Steps
BCP/DRP
BCP/DRP
Defining Business Continuity and Disaster Recovery

Business Continuity Planning is a methodology to create and validate a plan for maintaining continuous business operations, before, during and after any type of disaster. Addresses the ability to continue operations under any disaster scenario BCP deployment varies widely from company to company, and one organization from another. There is no one size fits all Some cannot tolerate any down time Some may have greater tolerance for down time Some may have variable down time tolerance level depending on the time The type and size of business determines the final plan The cost of business disruption vs. investing in BCP
BCP/DRP 7
Defining Business Continuity and Disaster Recovery

Disaster Recovery is part of Business Continuity Deals with an impact of an event DR involves Stopping the effects of the disaster as quickly as possible
Minimize the damage, Save as much as possible
Addressing the immediate aftermath
BCP/DRP
Section I Introduction
Business components in BCP

As any project, BCP development includes People:
People are responsible for developing and implementing the BC/DR Plan
People in BC/DR Planning

To develop and implement an effective BCP, you need people across the organization/department Getting key people in the company to be involved in developing the plan is essential Identifying key people to implement the plan is equally important Planning and implementation phases
Planning phase - you need people to develop the Plan Implementation phase (during and after disaster) - you need people who perform the plan.
9 BCP/DRP 10
Process:
Processes maintain an orderly flow of business operations
Technology (and Infrastructure):

Understanding how technology is used in the business operations
Each of these must be addressed in BCP

BCP/DRP
Process in BC/DR Planning

Process also, has two phases
Planning, Implementation
Technology (Infrastructure) in BC/DR Planning

Need to understand what happens to your technology components on different types of disasters Which elements are venerable to what type of disaster
(e.g. Power Outage, flood, virus )
Companies have processes for running their business smoothly. It could be well documented or not When disaster occurs, the normal established process is interrupted. Then the question is: How quickly can you recover from a disaster and get the business up and running? This depends on the process you developed in the BCP/DRP. Disaster response varies on the type of disaster and your Plan has to develop a process for handling various types of disasters. The eventual Recovery or Failure is dependent on your BCP/DRP
Your BCP/DRP may provide you a business case to change/upgrade the technology deployed. Or may require to redesign your network
BCP/DRP
11
BCP/DRP
12
Considering BCP
Having DR plan for infrastructure only (switches, routers, cell tower,..) is not sufficient Equally important you have to understand how the whole company conducts its business departments or business units write DRP from their perspective only For effective BC and DR planning need to look at it from the top You need to involve representatives from each and all business units.
BCP/DRP 13
Cost of Planning
Companies do not invest in projects that dont generate revenue or increase the bottom line. Funds are limited - Competing against projects that add to bottom line is difficult Mgmt tends to defer BCP - may be next year , What do you have to support your argument for BCP development? Large business customers require you to have BCP to do business with
Impact on revenue growth
Improves business process and operational savings Potential disaster without a mitigating plan causes significant financial loss There could be legal liability implication from the customer
e.g. customer data loss without proper BCP
Could be required by law depending the type of business you are running
BCP/DRP 14
Cost of Planning, contd

The Cost of Planning must be balanced with the cost of taking risk. (auto insurance) Do not try to cover every disaster scenarios Create a plan for events most likely to happen and most likely to have critical impact on your business operations Bad plan is worse than no plan
Cost of Planning, contd

After a major disaster 40% of businesses go out of business within 5 years. In 1993 WTC 42% (150/350) went out of business In 2001 majority of businesses were back up and in operation within days.
BCP/DRP
15
BCP/DRP
16
Types of Disasters
Location the location of business determines what type of disaster likely to happen. As a starting point make your BCP team come up with the list of disasters that are most likely to happen. Disasters can be divided in three categories
Natural Man-made Accidents
Types of Disasters - Natural

Weather related
Avalanche, Snow, Heavy rain, Floods Drought Fire Strom Hurricanes Tornado
Geological
Earthquake Tsunami Volcano Landslide
BCP/DRP 17 BCP/DRP 18
Types of Disasters - Man-made

Fire Cyber attack Riot Product tampering Explosion Threat Theft
Types of Disasters - Accidents

Transportation Infrastructure
Electricity Gas Water Sewer
Information system infrastructure

Communications infrastructure failure Systems failures
Building collapse
Protecting Data during a disaster

When disaster occurs chaos Businesses become venerable to theft and fraud (internal and external)
After disaster People, Process and Technology are in disarray Need to develop method to prevent fraud or theft.
(This could also be used for normal and emergency operation)
Managing Access During Disaster

Managing Access during disaster should be part of BC/DR Plan Access to Data
Who should have access to data and systems during disaster? Too restrictive access or open to all access have problems.
Restrictive person/s may not be available during emergency Open loss of accountability, theft
Physical access to the building/systems

BCP and DRP Steps

There are 7 basic steps to develop a good plan
1.
BCP and DRP Steps - contd

5.
Plan Development
Outline the methodology to follow for plan development
Project Initiation
Deals with the process of creating a project plan for BC/DR activities
6. Training and Testing
2.
Risk Assessment
The process of looking the risks the company faces. Covers all potential risks, determine the likelihood of a particular disaster occurring
3. 4.
Business Impact Analysis (BIA)

Deals with the potential impacts of these risks to the Business.
Addresses: Training people on how to implement the plan Running drills, exercises, simulations and reviews Testing the Plan
7.
Plan Maintenance
Plan needs to be maintained, updated, validated regularly and after the event.
Risk Mitigation Strategy

Addresses on how the identified risk and its impact can be tolerated, reduced or avoided
BCP/DRP 23
BCP/DRP
24
Section I
Section 1:
The Seven Steps

Risk Assessment
Summary
Plan Develop -ment Testing and Training Plan Maintenance
Project Initiation
BIA
Each of these steps will be covered in detail in the following sections.
In this section we Defined Business Continuity and Disaster Recovery Identified Business Components Identified Types of Disasters Identified the steps required for successful BC/DR plan and implementation
BCP/DRP
25
BCP/DRP
26
Section II Project Initiation
Section II
Section Objectives
In this section we will cover the first Step in BCP/DRP Project Initiation
BCP/DRP
27
BCP/DRP
28
Section II
Project Initiation
Introduction Project Initiation

Project is a defined set of tasks with clear objectives, requirements and goals and with start and end points. BC/DC planning process should be handled as a project plan and BC and DR are projects. In this section we will discuss the process of create a project plan for BR/DC and the elements that contribute to successful completion of the project.
(In general, as a PM you can follow your own Project Management methodology and also the unique needs of your company)
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Testing and Training
Plan Maintenance
BCP/DRP
29
BCP/DRP
30
Introduction Project Initiation

What are the factors to make a successful BC/DR plan? What are Project Plan Components? Who are Key Contributors?
Project Initiation - Success Factors

Executive Support User Involvement Experienced Project Manager Clearly Defined Project Objectives Clearly Defined Project Requirements Clearly Defined Scope Shorter Schedule Clearly defined PM Process
31 BCP/DRP 32
BCP/DRP
Success Factors Executive Support

As any project Executive support is the main factor for the success of BCP/DRP development. If the top management is convinced the business need for the project you will get all the support in every corner. BC/DR planning project involves people from all areas of the business. You need to pull away people from other projects Some departments/organizations may not buy BC/DR project and resist to participate.
BCP/DRP 33
Success Factors Executive Support - contd

How do you get executive support?
Start with your immediate management for 100% support Communicate clearly and convincingly.
Executives understand business and finance not technology
Prepare presentations
Formatted to the intended audience. (know your audience before hand) Non technical, clear and conscience Help them to understand the need for and make the right decision.
If possible, provide rough cost estimate of the project and how long it will take.
What if the decision is No?

..
BCP/DRP 34
Success Factors Executive Support contd.

What if the Executive Management decision is No?
There are still things you can do help start the process
You can incorporate BC/DR in your organization project plans that you can control If you are implementing new technology or upgrading or expanding the current systems you can include BC/DR concepts in the requirement. Specially backup and redundancy can be included as part of the business operations.
Success Factors User Involvement

As any project end-user involvement is critical The processes being developed should be done with the end-users input and collaboration. For BC/DR Planning there are two types of users
Who will be involved in the planning the BC/DR project, and Who will implement the plan when the event occurred (could be the same or other group of people) The latter should be involved in training and testing phase. Need to involve a key personnel from start to finish
BCP/DRP
35
BCP/DRP
36
Success Factors Experienced Project Manager
Success Factors Clearly Defined Project Objectives

Clearly Defined Project Objectives Helps to define the Plan to your unique business needs Helps identify most important and less important areas to allocate time and resources accordingly Insures all functional areas are covered and brings critical people together to develop the objectives How?
List your business functional areas Invite key people from those areas to help define the objectives Get agreement from all functional areas on prioritizing objectives
37 BCP/DRP 38
This is critical project and its successes depend on primarily putting well experienced PM Pick experienced Project Manager who
Has formal Project Management training Has understanding what it takes to get it done
Experienced PM is more effective for BC/DR planning

(it involves people at all levels and various organizations)
BCP/DRP
Success Factors Clearly Defined Project Requirements

Developing clear and complete requirement is the difference between success and failure
Objectives are what you want to accomplish Requirements are how to accomplish those objectives Clear requirement before the project work begins is critical and saves rework.
Success Factors Clearly Defined Scope
Scope is the total amount of work to be accomplished. This is dependent on the Project Objectives.
Clearly defined project objectives derive a clearly defined scope
Requirements have three categories

Business requirement to determine what the business needs to survive an event Functional requirement details which processes, methods and resource need to be available during and after an event Technical requirement identify technology equipment and business applications requirement
Scope is susceptible to changes as Project Planning progresses.

There could be a scenario where it may be necessary that additional functions may be identified. In this case a highlevel project objective and scope will be added.
39 BCP/DRP 40
The more detailed requirement the better.

BCP/DRP
10
Success Factors Shorter Schedule

Shorter schedules with more milestones produce successful result BC/DR planning is a comprehensive look at the business and its processes to determine its critical functions and emergency procedures. It is better to break it down into smaller projects One project plan for each functional area and one master plan Longer schedules people lose interest Move to other projects or replaced Milestones help you to: gauge the progress stay on budget be on schedule stay on Scope
BCP/DRP 41
Success Factors Clearly Defined PM Process
PM should have a set of methods, procedures and associated documents or use a well-defined project management process. Select a process and use it start to finish
BCP/DRP
42
Project Plan Components

Project Definition Project Team Project Organization Project Planning Project Implementation Project Tracking Project Close Out
Project Plan Components - Project Definition

It is a starting point of the project. To get clear understanding of the project and its expected result the following need to be defined or identified
Problem Statement Mission statement Potential solutions Requirements and Constraints Success criteria Project Proposal after selection of the best solution write a brief project proposal Estimates Project Sponsor - who has authority to approve, fund and support the project.
43 BCP/DRP 44
BCP/DRP
11
Project Plan Components Forming the Project Team

Create Project Team early When forming the team
Look Companys organizational chart to help you identify geographical locations, functional departments and organizations Technical people with technical specialties from different business units, in addition to IT, should be included. Logistical responsible for logistics and purchasing should be included Political/PR people who are responsible that reassure key customers and stakeholders during and after a crisis should be included
BCP/DRP 45
Project Plan Components Project Organization

Addresses on how to organize and run the project. It includes
Project Objectives, Project Requirements, Project Parameters Project Infrastructure Project Processes Project Communications Plan
BCP/DRP
46
Project Plan Components Project Organization

Project Objectives
Using the project solution developed in the Project Definition stage, need to develop specific Project Objectives for BC/DR plan
Business Continuity Plan focuses on sustaining business activities. It can be written for specific business process or for all key business processes Continuity of Operations Plan focuses on restoring mission-critical operations in an alternate location for an extended period of time Disaster Recovery Plan focuses on restoration of key business processes immediately after a disaster Crisis Communication Plan focuses on providing on consistent and clear communications with employees, customers and stakeholders Occupant Emergency Plan focuses on building and facility safety, specifically to building occupants
Project Plan Components Project Organization contd

Project Requirements
Write well defined project requirements based on the objectives discussed above. Project requirement defines functional and technical requirement
Project Parameters
These are scope, budget , schedule and quality They are interrelated - changing one impacts the others Scope is the total amount of work to complete the project Create scope statement assumptions, included and not included in the project based on the objectives Project Parameters need to be ranked from least flexible to most flexible (usually least is budget)
BCP/DRP 48
BCP/DRP
47
12
Project Plan Components Project Organization contd

Project Infrastructure
It is the tools and resources you have/need to develop BC/DR project
Project Plan Components Project Planning

Key elements in project planning process
Developing Work Breakdown Structure (WBS)
list of outcomes to be accomplished to complete the project The top level WBS can follow this structure Risk Assessment Business Impact Analysis Risk Mitigation Strategy Development Emergency Preparation Training and Testing Maintenance
Project Processes
Need to establish processes and procedures, and proper documentation to run the project Team Meetings (how, when, where to conduct meetings) Reporting (minutes for the team and status for sponsors) Escalation (problems) Project Progress (how to track) Change Control (how to capture and address changes within the company) Quality Control
Project Communication Plan

Need to develop proper communication method on the activities and progress of the BC/DR plan to sponsor and all organizations and departments that have stake
Critical Path
Describes how long the project will take and identifies critical and non-critical tasks
49 BCP/DRP 50
BCP/DRP
Project Plan Components Project Implementation

How do you manage changes occur in the middle of BC/DR planning development? Any changes in the departments occurring should be assessed on their impact to BC/DR planning
Managing Progress
Need to develop a method to keep track on the changes occurring in departments/organization that are being covered under the BC/DR plan Address how their work impacts the project Address how your project impacts their work
Project Plan Components Project Tracking

Need to develop project tracking system to track project progress, schedules, budget . Create project major and minor milestones to track the project progress compared to the schedule
Major milestones can be set for each Phase of the Project Minor Milestones for significant tasks within the phase.
Managing Change
Plans are always subject to change Need to develop Change management process
This information should be available to all team members

51 BCP/DRP 52
BCP/DRP
13
Project Plan Components Project Close Out

The last steps when the Project is completed BC/DR plan should be kept up to date under maintenance plan.
Regular review of the plan (yearly) Walk-through of the BC and DR steps defined Regular testing
Key Contributors and Responsibilities

Who are or should be key contributors to BC/DR plan and what should their roll be? List the business units and select representatives
Sample list it is different from one company to another
Information Technology Human Resources Facility Security Finance Legal Warehouse Purchasing Logistics Marketing and Sales Public Relations
53 BCP/DRP 54
There has to be some org/department that you can hand off the project and own the maintenance aspect of it. Conduct post-project review for lessons learned.
BCP/DRP
Key Contributors and Responsibilities contd
Requirements Definition
Select representative from each organization or group listed

Depending the size of the department the numbers vary.
The following criteria can be used for Business units the BC/DR focuses
Experience with working cross departmental team Ability to communicate effectively Ability to work well with wide variety of people Experience with critical business and technology systems Project management leadership
BCP/DRP 55
Business, Functional and Technical requirements are part of Project Definition (discussed earlier)
Business requirements define the scope of the project Functional requirements define what the plan does to accomplish business requirements Technical requirements define how these business and functional requirements will be met.
BCP/DRP
56
14
Requirements Definition Business Requirements
Requirements Definition Functional Requirements Functional requirements describe what functions or features must be available. Functional requirements state the need for a method or process to be available to meet the business requirement. Need to develop a ranking mechanism to each requirement to determine the criticality of the system for ongoing operations of the business.
Very-High, High, Normal, Low
The first step in developing BR/DR project requirement is to define Business Requirements. Need to understand critical areas of the business. Need to know what questions to ask, and how to ask to determine if the business is critical or not
Scenario based question provide better result than asking users if the business or system is critical or not. Develop a list of what-if scenario questions
BCP/DRP
57
BCP/DRP
58
Section II:
Requirements Definition Technical Requirements
Summary Project Initiation

In this section
Defined the factors to make a successful BC/DR plan Identified Project Plan Components Indentified Key Contributors to BC/DR plan Defined business, function and technical requirements
Technical requirements define how functional and business requirements are met, mainly with technology. Technical requirements help to:
assess if the current technology meets BC/DR requirement define new technology solution if the current does not meet the requirement determine that the current technology in place can be utilized in different way to meet the requirement
BCP/DRP 59
BCP/DRP
60
15
Section III
Section III
Risk Assessment
Section Objectives
In this section we will cover the 2nd Step in BCP/DRP Risk Assessment
BCP/DRP
61
BCP/DRP
62
Section III
Risk Assessment
Section III
Introduction Risk Assessment

In this section we will cover the concept and practical application of risk management from BC/DR point of view. Identify types of risks companies and businesses face. Define risk avoidance, reduction, acceptance and transferring. Identify risk management methods
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Plan Maintenance
BCP/DRP
63
BCP/DRP
64
16
Section III
Risk Management
Risk Management is a topic that covers the management of all types of risks to a company.
(We will cover only risks that are directly related to BC/DR planning.)
Risk Management
Risk can be defined as
Risk = Threat + Likelihood + Vulnerability + Impact (risk is a combination of threat, the likelihood of the threat occurring, vulnerability of the company and the impact of the threat on the company)
Managing Risk is the process of identifying, controlling, eliminating or minimizing uncertain events that may affect businesses Risk Management Process is assessing the potential and analyzing the trade-off (opportunity cost) of a particular risk. It is very important to understand the opportunity cost of a threat.
BCP/DRP
65
BCP/DRP
66
Section III
Risk Management Process

The basic steps of risk management process
Threat Assessment a process of identifying threats that can negatively impact the company and its source Vulnerability Assessment analyzes how vulnerable, susceptible and exposed a system/business is to a particular threat and the likelihood of the threat occurring Impact assessment analyzes the magnitude of the impact of the threat on the system/business Risk mitigation strategy addresses the four strategies of risk mitigation and their associated cost
Risk Reduction Risk Avoidance Risk Acceptance Risk Transfer
BCP/DRP 67
Risk Management People, Process, Technology and Infrastructure
For every risk/threat being considered its impact on the four business components should be addressed
If a particular threat occurred,
What is the impact on people and how do they react? How does it impact the business process? What is the impact on Technology? What is the impact on the Infrastructure (internal and external)?
BCP/DRP
68
17
Risk Assessment Components
Risk Assessment Components Threat Assessment
There are three Risk Assessment Components

Threat Assessment Vulnerability Assessment Impact Assessment (will be covered in the next section)
Risk assessment begins with the assessment of all potential threats and an analysis of those threats. Threats impact on People, Process, Technology and Infrastructure (business components) Threat assessment includes
Information gathering Identifying and listing potential threats
Natural Threats Human Threats Infrastructure Threats
Threat Assessment
Vulnerability Assessment
Impact Assessment
Threat assessment methodology

DR development phase
BCP/DRP 69
Quantitative Qualitative
BCP/DRP 70
Threat Assessment Information Gathering

There are different methods of collecting data about companys risks:
Questionnaires: to collect data from specific groups or people Interviews: interviews with SMEs - important specially if the SME cannot be part of the BC/DR planning team Document reviews: Reviewing corporate and organizational documents helps to identify threats, threat sources and vulnerabilities Research: Internal and External:
Internal: data about the past business interruptions External: data on the frequency of earthquake, storm, .
BCP/DRP 71
Threat Assessment Identifying and Listing Threats
Natural Threats - threats caused by natural phenomenon.

Fire Flood Winter Storm Drought Earthquake Tornados Hurricanes Tsunamis Volcanoes Pandemics
BCP/DRP 72
18
Human Threats: that are caused by human act.

Fire Theft, Sabotage, Vandalism Labor Disputes Terrorism Chemical/Biological Hazards War Cyber Threats
Infrastructure Threats: mainly external issues you have no control over

Building Failure Public Transportation Disruption Loss of Utilities Oil Shortage Food or water contamination Regulatory or Legal changes
73 BCP/DRP 74
BCP/DRP
Risk Assessment Components Threat Assessment Threat Checklist

Threat Checklist
Natural Threats Fire Flood Winter Storm Human Caused Threats Fire Theft, Sabotage Labor Disbutes .. Infrastructure Threats Building failure Non IT Equipment Failure Heating/Cooling Failure Public Transportation Disruption IT Specific Threats Cyber Threats Equipment Failure Loss of Data
Risk Assessment Components Risk Assessment Table
Item No
Threat Name
Threat Source
Vulnerability Rating
Likelihood Rating
Existing Controls
Impact Rating
Overall Risk Rating
001 002 003
Fire Flood
Internal External Internal
BCP/DRP
75
BCP/DRP
76
19
Risk Assessment Threat Assessment Methodology

There are two types of methodologies to evaluate the various threats being considered
Quantitative Threat Assessment
Quantitative method is using hard numbers to represent threats, vulnerabilities and impacts
Risk Assessment Quantitative Threat Assessment

e.g. Building power outage threat caused by Lightening
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost Power Outage Lightning Power outage for two days ? ? ? ?
Qualitative Threat Assessment

Qualitative method is using relative values used to represent threats, vulnerabilities and impacts
BCP/DRP
77
BCP/DRP
78

Threat Likelihood Let us say, using information gathering methods discussed earlier found that there is one major outage every other year. So the likelihood of getting one every year is 50% Vulnerability - if there is power outage due to lightning, there is 100% chance for a loss of power for 48 hours Impact Cost:
Lose of sales (2 days) = $50,000.00 Cost (expense) due to outage = 5,000.00 impact cost = $55,000.00

Now you have the information available to decide on what type of risk mitigation strategy to follow for Power Outage threat caused by Lightning.
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost (yearly) Power Outage Lightning Power outage for two days 50% 100% $55,000.00 $27,500
Risk Cost = Likelihood * Vulnerability * Impact cost

50% * 100% * $55,000.00 = $27,500.00
BCP/DRP 79
BCP/DRP
80
20
Risk Assessment Qualitative Threat Assessment

Qualitative assessment uses words instead of values. Define Qualitative Value Scale
Value 1 2 3 4 5 6 Level Extremely Low Very Low Low High Very High Extremely High

Same example used for Quantitative Method Threat Likelihood using information gathering method discussed earlier found that there is one major outage every other year. So you can say the likelihood of getting one every year is High (4) Vulnerability - if there is power outage due to lightning, the chance of losing of power for two days is Extremely High (6) Impact Cost: the total cost of revenue loss and expenses incurred is Low (3) Risk Cost: is the average value of Likelihood, Vulnerability and Impact cost
(4 + 6 + 3)/3 = 4.3 ~ 4 (High)
81 BCP/DRP 82
BCP/DRP

Now you have the information available to develop a risk mitigation strategy for Power Outage threat caused by Lightning.
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost (yearly) Power Outage Lightning Power outage for two days 4 (High) 6 (Extremely High) 3 (Low) 4 (High)
Risk Assessment Components Risk Assessment Table
Update the Risk Assessment Table
Item No 001 002 003 004
Threat Name Fire
Threat Source Internal External
Vulnerability
Likelihood
Existing Controls
Impact
Overall Risk
Flood Power Outage
Internal Lightening ExtremelyHigh High None High
BCP/DRP
83
BCP/DRP
84
21
Risk Assessment Components Vulnerability Assessment
Risk Assessment Components Vulnerability Assessment
Vulnerability is weakness, exposure or susceptibility to threats. Vulnerabilities can be exploited intentionally or triggered unintentionally. The result of Threat assessment becomes input to Vulnerability assessment. People, Process, Technology and Infrastructure are vulnerable to threats. For each threat, each business component will be considered for vulnerability assessment
How vulnerable are people (the staff , customers ) to the threat presented? How vulnerable is the business process to the threat? How vulnerable is the technology in place to the threat? How vulnerable is the infrastructure to the threat?
BCP/DRP 85
Vulnerability assessment can be qualitative or quantitative (mainly qualitative High, Medium, Low). It addresses how vulnerable the business component is Information gathering:
Questionnaires, Interviews, Document reviews and Research.
Risk = Threat + Likelihood + Vulnerability + Impact

BCP/DRP 86
Section III:
Risk Assessment
Summary
In this section we Defined Risk Management concept Covered the Risk Management processes. Identified Risk Assessment components. Information gathering methods Defined Threat and Vulnerability Assessment methods
From Threat and Vulnerability assessments we collected the following information needed for the next phase
Potential Threat Sources Likelihood of the threat occurring Vulnerability of the company A preliminary Risk value
Risk = Threat + Likelihood + Vulnerability + Impact

22
Section IV Business Impact Analysis
Section IV
Section Objectives
In this section we will cover the third Step in BCP/DRP Business Impact Analysis
BCP/DRP
89
BCP/DRP
90
Section IV
Business Impact Assessment
Section IV
Introduction Business Impact Assessment

In this section we will:
Define Business Impact Assessment (BIA) concepts Identify critical business processes Determine disruption impact - including financial, operational and legal Define business recovery requirements
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Plan Maintenance
BCP/DRP
91
BCP/DRP
92
23
Business Impact Assessment

BIA is identifying critical processes to the on-going business operations and to understand the disruption of these processes impact on the business. The primary purposes of BIA are
Understanding and identifying the organizations critical business objectives Determine the time it takes to resume business functions after disruption Assess the impact of disruption on critical business functions and set priorities Provide information for which recovery strategy can be developed
BCP/DRP 93
Business Impact Assessment Impact category

First step is to clearly define a category to assess business process criticality.
Category Function 1 2 3 4 Critical Essential Necessary Desirable
Label Mission-Critical Vital Important Minor
BCP/DRP
94
Business Impact Assessment Impact category

Mission-Critical business processes are the ones that have serious impact in the companys operations. Vital business processes are also the processes considered critical, but can be tolerated until MissionCritical processes are restored Important business processes are the ones that does not stop the company from operating in the near term but have long-term impact. Minor business processes are processes that can be restored at a later time after recovery is completed.
BCP/DRP 95
Business Impact Assessment Recovery Time

Recovery Time Requirements Maximum Tolerable Downtime (MTD) or Maximum Tolerable Outage (MTO): The maximum down time the business can tolerate a particular business process or function outage. MTD is the combination of systems recovery time and work recovery time. MTD = RTO + WRT. Recovery Time Objective (RTO): The time available to recover disrupted systems Work Recovery Time (WRT): the time it takes to get critical business functions up and running after systems recovered. Recovery Point Objective (RPO): The amount or extent of data loss be tolerated by the critical business systems.
BCP/DRP
96
24
Business Impact Assessment RTO
BIA impact evaluation

After risks and threats identified (previous section), the business impact must be evaluated for
Business functions: activities sales, marketing, manufacturing Business processes: how these activities occur or get done IT systems: how these business processes are carried out computer systems, applications, automated systems
Recovery Window
Category 1 2 3 4 Function Critical Essential Necessary Desirable Label Mission-Critical Vital Important Minor RTO 0-12 hours 13-24 hours 1-3 days > 3 days
The impact should also be considered for upstream and downstream functions
BCP/DRP
97
BCP/DRP
98
BIA Identifying Business Functions

Create a list of functional areas of the business. Start with common business functions listed below, and add from organizational chart
List of Business functions Information Technology Operations Human Resources Finance Legal Facilities/Security Marketing and Sales Manufacturing Warehouse .
BIA Gathering Data

The next step is to collect data for the each business functional areas listed. (processes and criticality) Data collection methodologies:
Questionnaires: Interviews: Workshops: Documents and research.
sample questions:
What single point of failures exist? What are upstream and downstream risks to your business function? What workaround would you use for your business process? What is the minimum number of staff you need? What is the maximum tolerable down time? What are the key skills and knowledge required to recover your business process? How would this business function in a recovery site? .
Contact SMEs for to discuss the critical business functions With the help of SMEs, list all departments, divisions, under each heading.
BCP/DRP 99
BCP/DRP
100
25
BIA Determining the Impact of disruption

The next step is to determine the impact for each business functional areas, then assign criticality rating. The impact can include:
Financial: loss of revenue, lost sales, salaries and wages paid. Customers: loss of customers go to competitors Suppliers: lose of suppliers Employees: impacted by the disaster (injury, . PR: lose of thrust Legal: unable to meet legal and regulatory requirement Operational: Business operations being disrupted HR: The impact on the staff on handling the disaster Investors: may lose confidence. Competitive Advantage:
BIA Criticality Matrix

After data collection, assign criticality rating.
Business Function Human Resources Finance
Business Process Payroll New Hire Accounts Receivable Accounts Payable Tax filings
Criticality Mission-critical Important Mission-critical Mission-critical Mission-critical Vital Minor

102
Marketing and Sales
Sales Calls Sales Training
BCP/DRP
101
BCP/DRP
Section IV:
BIA Findings Report

The next step to write the BIA findings report based on the information collected. The report should include:
Key Business functions and processes Process and resource interdependence IT dependencies Criticality Impacts on operations Recovery time requirements Recovery Resources SLA Technology Work-around procedures Financial impact Legal impact Competitive impact Investor impact Customer impact .
Summary
In this section we Defined BIA Identified Business functions and processes Learned on how to gather BIA information and to prepare BIA Reports
BCP/DRP
103
BCP/DRP
104
26
Section V Risk Mitigation Strategy Development
Section V
Section Objectives
In this section we will cover the fourth Step in BCP/DRP Risk Mitigation Strategy Development
Types Risk Mitigation Strategies Risk Mitigation Process. Backup and Recovery considerations.
BCP/DRP
105
BCP/DRP
106
Section V
Introduction Risk Mitigation Strategy

Risk Mitigation is a process of taking steps to reduce the effects of an event. Developing the Risk Mitigation Strategy is the last step in Risk Management activity for BC/DR Plan development Inputs:
Risk Assessment (threat and vulnerability assessment) BIA
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Plan Maintenance
Output:
Risk Management Strategy Plan
BCP/DRP
107
BCP/DRP
108
27
Risk Mitigation Strategies

There are four types of Risk Management Strategies.
Risk Acceptance Risk Avoidance Risk Limitation Risk Transference
Risk Mitigation Strategies Risk Acceptance

Risk Acceptance: Accepting risk does not reduce its impact. There are many reasons companies choose risk acceptance
The primary is Cost. Accepting the risk can be less costly than implementing mitigation strategies. Small companies do it more often.
It is the least expensive option for near term and the most expensive when disaster happens.
BCP/DRP
109
BCP/DRP
110
Risk Mitigation Strategies Risk Avoidance

Risk Avoidance is the opposite of Risk Acceptance. In BC/DR plan, it is an action that avoids any exposure to a risk (example deploying fully redundant systems). It is the most expensive of all mitigation strategies, but has significant impact in reducing cost of down time and recovery. This is one of the options to be considered for missioncritical business functions.
Risk Mitigation Strategies Risk Limitation

Risk Limitation is a method of limiting the exposure to threat by taking action. Does not stop the system from failure but helps to recover in a timely manner.
e.g. daily backup of data.
It falls between Risk Avoidance and Risk Acceptance. The cost varies depending the options implemented.
BCP/DRP
111
BCP/DRP
112
28
Risk Mitigation Strategies Risk Transference

Risk Transference is a method of transferring the risk to a third party. Paying another company to assume the risk.
e.g. Buying insurance, outsourcing payroll services.
Risk Mitigation Process

The next step is to select appropriate options in order to develop comprehensive strategy.
Recovery Requirements Recovery Options Recovery Cost
Risk Transference has an ongoing cost (e.g. service fee).
BCP/DRP
113
BCP/DRP
114
Risk Mitigation Process Recovery Requirements

Recovery Requirements are developed for critical business process identified in BIA report. Include
Recovery Time Cost of recovery Processes required
Risk Mitigation Process Recovery Options

Recovery Options are developed for each critical business process identified in BIA report. There are three options
As-needed Prearranged Preestablished
Identify the resources and associated cost to help determine the mitigation strategy.
The cost and time to implement these options varies Each option must be reviewed in terms of MTD for each critical business process.
(e.g. If you have a requirement to have an alternate site for IT services, all options must be considered)
BCP/DRP
115
BCP/DRP
116
29
Recovery Options As-needed

As-needed option
takes longer time to deploy may cost more (depending on the disruption type)
Recovery Options Prearranged

Prearranged option requires making arrangements and contractual agreement with suppliers and service providers for equipment and services to be provided within specified period. In addition to the cost of equipment and services, there is a recurring cost.
Resources and services are acquired after the event occurred. There is additional risk of not being able to get the Resources at all.
BCP/DRP
117
BCP/DRP
118
Recovery Options Pre-established

Pre-established recovery option is setting up an alternate site that can be activated after the disaster. The site is only used for recovery option. The site must be kept up-to-date to reflect the current environment of the actual site There is a cost for building the site and up keep. Shorter recovery time than the other options.
Developing Risk Mitigation Strategy

Risk Mitigation Strategy steps
Gather recovery data Compare cost and capability options Select the mitigations options for each business process acceptance, avoidance, limitation, or transference Select the recovery options
Based on the above information can develop a document that outlines the cost, capability, effort, quality of each option considered
119 BCP/DRP 120
BCP/DRP
30
IT Recovery Options
When developing IT Systems Risk Management Strategy need to consider the latest technology available today.
As technological developments are fast paced (specially for IT), the system currently in operation/production can be outdated, you may even consider to replace or upgrade the system. Or, if you already have BC/DR plan developed a few years ago can be invalid due to technological advancement; you need to revise the BC/DR plan more often than the other business functions.
BCP/DRP 121
IT Recovery Options Alternate Sites

Considering an alternate site. Common options Fully Mirrored Site: a fully redundant site that mirrors the live site.
Provides high availability Can also be used for load balancing.
Hot Site: with an identical configuration that can be operational within 4 hours. Warm Site: Fully or partially equipped site and can be operational within hours being restored from backup data. The facility can be used for less critical functions during normal business operation. Mobile Site: A self contained unit that can be transported to establish an alternate work site. Cold Site: A site that is started up after the disruption occurred. It is the least expensive but has the longest recovery time. Reciprocal Site: It is an arrangement made with other companies that have similar operations.
BCP/DRP
122
Section V:
Summary
In this section we covered Types Risk Mitigation Strategies Risk Mitigation Process. Backup and Recovery Considerations.
Section VI BC/DR Plan Development
BCP/DRP
123
BCP/DRP
124
31
Section VI
Section VI
Section Objectives
In this section we will cover the fifth Step in BCP/DRP Business Continuity/Disaster Recovery Plan Development Business Continuity and Disaster Recovery phases Define BC/DR Teams. Define BC/DR activity checklists
Plan Development
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Plan Maintenance
BCP/DRP
125
BCP/DRP
126
Introduction BC/DR Plan Development

The plan needs to state risks, vulnerabilities, potential impacts to mission-critical business functions and associated mitigation strategies. From the previous sections we have
Identified risks, Assessed vulnerabilities Determined potential impacts on business Identified mission critical business functions Developed mitigation strategies
BC/DR Plan Phases
Business Continuity and Disaster Recovery Phases
Activation Phase
Recovery Phase
Business Continuity Phase
Maintenance/ Review Phase
Next is to determine and develop a guideline on when, how and by whom are these strategies implemented
32
BC/DR Plan Activation Phase

Activation Phase addresses the time during and immediately after a business disruption Activation includes
Initial Response Problem assessment Escalation Disaster declaration Plan implementation
BC/DR Plan Activation Phase Disaster Levels

Defining the disaster type and level. There should be clearly defined disaster level to help you determine the types of activation and recovery process to follow.
Major Disaster: has major impact on business. It disrupts all or most of the critical business operations. Such as the destruction of the entire facility. It occurs rarely. Intermediate Disaster: the impact is less than major. It impacts one or more mission-critical business functions. Business operations will experience significant disruption. Minor Disaster: It is a type of disaster occurs more often and impacts only a single business operations. It is an Isolated incident, and normal business operations will not be interrupted.
129 BCP/DRP 130
BCP/DRP
BC/DR Plan Activation Phase BR/DR Teams

Notification of the disaster to the following BC/DR
BC/DR Plan Triggers

Trigger defines when an alternate plan or method should be implemented Activation Trigger: For each Disaster Level, need to have clearly defined triggers. Based on the Initial Assessment - determine the disaster level and activate the part of BC/DR Plan that addresses the issue. Transition Trigger: a trigger to move from one phase to another
evaluation from Damage assessment team, CMT is on the scene and the selected BC/DR plan is activated Recovery to Continuity Phase: This is triggered after the disaster (event) is under control and the effects have been addressed. Business Continuity to Normal Operations: this is triggered when things are back to normal.
Activation to Recovery Phase: it is triggered after the initial
Teams. They will handle/respond to disaster by implementing procedures outlined in the BC/DR Plan
Crisis Management Team Damage Assessment Team Notification Team Emergency Response Team Business Continuity Leader Crisis Communication Team Resource and Logistics Team Risk Assessment Team
BCP/DRP
131
BCP/DRP
132
33
BC/DR Plan Recovery Phase

Recovery Phase is started immediately after the
BC/DR Plan Business Continuity Phase

Business Continuity phase starts after Recovery
disaster occurred and contained. The event could still be continuing.
phase is done and the steps to get back normal operating conditions are determined. It addresses
How business operations can resume on temporary
locations
The work-around needed The transition back to normal operations from
temporary location
BCP/DRP
133
BCP/DRP
134
BC/DR Plan Maintenance/Review Phase

Maintenance Phase occurs whether the BC/DR is activated or not. It deals with reviewing, evaluating and revising the plan. If activated, has to be done after the completion of Recovery Activity.

BC/DR Teams
Creating BC/DR Teams : people should be selected base on the skills, and expertise for the task they be assigned. Crisis Management Team:

have representatives from all business units Have expertise to deal with major business disruption In charge for activating, implementing and managing BC/DR plan
Evaluate how the plan performed in the light of actual event. Revise the document on the lessons learned.
Regular/scheduled plan review to insure the document still
current and valid.

During Operational changes: all changes in the business
operations and processes should will be handled in Change Control

BCP/DRP 135
Damage Assessment Team(s): from key areas of business units. Can be multiple Teams Mobile, immediate availability Operations Assessment Team(s): Who can assess the immediate impact on operations IT Team: have expertise in system administration and other IT related activities Administrative Support Team: Who can handle administrative tasks
BCP/DRP 136
34
BC/DR Teams contd

Transportation and Relocation Team: Who can address transportation and relocation needs for people and equipment Media Relations Team: Who can provide information about the disruption to employees, media, investors, customers, suppliers Human Resource Team: Who handle employees needs during disaster, hiring additional staff Legal Affairs Team: Who can address the legal concerns of the company Physical Security Team: Who can handle physical safety of the people, building. Who can handle access control to the building Procurement Team: Handles equipment and services purchasing
BC/DR Contact Information

Contact Information should include the following and be
stored where it can be readily available under a disaster condition.

The list should include Management Key Operations Staff BC/DR Team members Suppliers, vendors Key customers Emergency number Others as needed
This information should be maintained regularly and kept
up-to-date.
BCP/DRP
137
BCP/DRP
138
BC/DR Plan Change Control

Need to develop a method to:
update the BC/DR Plan when change occurs in the organization
Emergency Response and Recovery

Emergency Management Simple rule - Assigning roles Emergency Response Plan Emergency Response is the immediate response to the incident The Plan is derived from the risks identified Some of Emergency Response tasks are:

that has impact on the plan
E.g. Adding new departments, upgrading systems, changing operational process . Revision history table
monitor and track changes in BC/DR Plan (version control)
distribute the BC/DR plan to interested parties
Protect personnel Contain the incident Engage ERT and CMT Assess impact Notification
Develop a basic plan that covers variety of emergencies that contains Roles and Responsibilities Tools and equipment Resources Actions and procedures
35
Emergency Response Team (ERT)

Set up ERT with defined roles and responsibilities The ERT leader is responsible for activating and
Crisis Management Team (CMT)

CMT is responsible for making high-level decisions, coordinating efforts and determining the appropriate responses The team leaders for various activities in the BC/DR should be a member of CMT CMT oversees ERT and DRT ERT leader should be a member of CMT and report the activities to CMT regularly CMT coordinates the activities related to initiating DR efforts CMT role ceases when business continuity begins and it transitions the business operations to normal management. Need to create a hand-over criteria for transfer responsibility to normal operations. If alternate facility is setup, CMT is responsible for overseeing disaster recovery and business continuity activities
141 BCP/DRP 142
coordinating emergency response

If CMT and ERT are two separate teams the ERT leader
should be a member of CMT.

Emergency Response and Disaster Recovery can go in
parallel ERT members should be trained and regularly exercise on the tasks they are responsible for.
BCP/DRP
Crisis Management Team (CMT)

All Crisis related communications are originated or approved by CMT. It helps to insure correct and consistent information being release/communicated It keeps the CMT in the loop HR representative should be a member of the CMT. Addresses needs of employees Can hire, select and manage additional temporary staff (if needed). Representative from legal departments should be a member. Helps to address/handle legal and insurance related issues Representative form financial department should be a member to assess the status of the company and insure bills are dispersed in timely manner.
BCP/DRP 143
Disaster Recovery - checklists

Checklists help make the right decision and responders
understand the steps to take.
Activation Checklists: Activation checklist can be used to
determine if, how and when to activate BC/DR Plan. Identify all activities and triggers should take place before and during the plan activation.

Initial Response Checklist Damage Assessment Checklist Disaster Declaration and Notification Checklist
Recovery Checklists: identify all the activities should take
place during recovery phase

General Recovery Checklist Inspection, Assessment and Salvage Checklist

BCP/DRP 144
36
Section V:
Business Continuity - checklists

Business continuity begins when disaster recovery ends. Involves limited business operations. Involves work-around solutions while systems and resource are fully restored The most critical aspect of BC is determining what should be restored, salvaged or replaced. BC checklists help to insure the required systems are in place and functional

Summary
In this section we Studied Business Continuity and Disaster Recovery phases Defined BC/DR Teams. Defined BC/DR activity checklists
Resuming Work checklist HR checklist Insurance and Legal checklist Production and Operations checklist Resuming Operations checklist Using Existing Facility checklist New Facility checklist Transition to Normalized Activities checklist
Section VI Testing and Training
Section VI
Section Objectives
In this section we will cover the fifth Step in BCP/DRP Testing and Training Training for
Emergency Response Disaster Recovery Business Continuity
Testing BC/DR Plan.
BCP/DRP
147
BCP/DRP
148
37
Section VI

After BC/DR Plan is developed the next step is to test the plan effectiveness and train the implementers for the specific roles assigned
Plan Develop -ment Testing and Training Plan Maintenance
Project Initiation
Risk Assessment
BIA
BCP/DRP
149
BCP/DRP
150
Section VI
Section VI
Training for Emergency Response

ERT members should be trained in the emergency response activities described in the BC/DR Plan the basic CPR training should be part of all emergency responders training. Specialized skills training may be required Refresher training should be taken regularly ERT leader is responsible for ensuring the members are trained
DR and BC Testing/Training
Four methods of plan testing
Paper Walk-through Functional exercise Field exercise Full interruptions
Training can be coordinated with testing The objective of the training is to understand the plan and
how to activate, when to activate, and how to implement the steps defined
Everyone involved in the BC/DR implementation needs to understand their roles and responsibilities
38
Section VI
Section VI
DR and BC Testing/Training Contd

Testing the plan Verifies the validity of the steps developed Provides training to implementers Identifies gaps and flaws in the plan, so can be revised Determines the cost and feasibility Before Testing develop Test Evaluation Criteria After completion write recommendation based on the result
DR and BC Testing Paper Walk-through

A Paper walk-through should be scheduled once a year.
Steps to run paper walk-through
Develop Realistic Scenarios Develop Evaluation Criteria Provide copies of the plan to CMT Divide participants by Team Use Checklists for key processes Take Notes Identify Additional Training needs Develop Summary and Lessons Learned Revise DR/BC Plan if needed.
BCP/DRP
153
BCP/DRP
154
Section VI
Section VI
DR and BC Testing Functional Exercise

A functional exercise is to test some of the plans functionality.
Done with very minimal or no impact to mission-critical business operations. Functional exercises can be used as a training mechanism. Follow similar steps covered in Paper walk-through
DR and BC Testing Field Exercise

Field exercises should be done with simulated realistic scenario. Can be with specific organization or department Can also be coordinated with the local/city emergency responders. Provides hands-on training. Helps to evaluate/assess the performance of CMT and DRT members
BCP/DRP
155
BCP/DRP
156
39
Section VI
Section VI
DR and BC Testing Full Interruption Test

Full Interruption activates all components of the Plan and interrupts mission-critical functions. Can be run with specific organization(s) or department(s) Can also be coordinated with the local/city emergency responders. Very expensive to run the test.
Summary
In this section we Studied BC/DR Plan testing and training
BCP/DRP
157
BCP/DRP
158
Section VII Plan Maintenance
Section VII
Section Objectives
In this section we will cover the last Step in BCP/DRP cycle Plan Maintenance Change Management Maintenance Activities
BCP/DRP
159
BCP/DRP
160
40
Section VII
Section VII
Plan Maintenance
Plan Maintenance Change Management

Plan Maintenances critical part is controlling and keeping up with changes to make the document current and viable. The major reasons for change or revising the plan are:
IT Change Operations Corporate Regulatory
Project Initiation
Risk Assessment
BIA
Plan Develop -ment
Plan Maintenance
BCP/DRP
161
BCP/DRP
162
Section VII
Plan Maintenance Change Control Methods

Monitoring implement a step in each business/function operational procedure to include if change impacts on BC/DR submit change request Regular review of organizational changes, current employment status and department of each BC/DR Team members. Ensure that everyone uses the latest version of the Plan
Steps
Risk Assessment
Project Initiation
BIA
Plan Develop -ment
Plan Maintenance
BCP/DRP
163
BCP/DRP
164
41

Business Continuity Planning

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Business Continuity Planning

Uploaded by

Copyright:

Available Formats

Introduction

Section 1 BCP/DRP Overview

Defining Business Continuity and Disaster Recovery

Defining Business Continuity and Disaster Recovery

Addressing the immediate aftermath

Business components in BCP

People in BC/DR Planning

Technology (and Infrastructure):

Each of these must be addressed in BCP

Process in BC/DR Planning

Technology (Infrastructure) in BC/DR Planning

Cost of Planning, contd

Cost of Planning, contd

Types of Disasters - Natural

Types of Disasters - Man-made

Types of Disasters - Accidents

Information system infrastructure

Protecting Data during a disaster

Managing Access During Disaster

Physical access to the building/systems

BCP and DRP Steps

BCP and DRP Steps - contd

6. Training and Testing

Business Impact Analysis (BIA)

Risk Mitigation Strategy

The Seven Steps

Each of these steps will be covered in detail in the following sections.

Section II Project Initiation

Introduction Project Initiation

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Introduction Project Initiation

Project Initiation - Success Factors

Success Factors Executive Support

Success Factors Executive Support - contd

What if the decision is No?

Success Factors Executive Support contd.

Success Factors User Involvement

Success Factors Experienced Project Manager

Success Factors Clearly Defined Project Objectives

Experienced PM is more effective for BC/DR planning

Success Factors Clearly Defined Project Requirements

Success Factors Clearly Defined Scope

Requirements have three categories

Scope is susceptible to changes as Project Planning progresses.

The more detailed requirement the better.

Success Factors Shorter Schedule

Success Factors Clearly Defined PM Process

Project Plan Components

Project Plan Components - Project Definition

Project Plan Components Forming the Project Team

Project Plan Components Project Organization

Project Plan Components Project Organization

Project Plan Components Project Organization contd

Project Plan Components Project Organization contd

Project Plan Components Project Planning

Project Communication Plan

Project Plan Components Project Implementation

Project Plan Components Project Tracking

This information should be available to all team members

Project Plan Components Project Close Out

Key Contributors and Responsibilities