Business Continuity Planning Overview, Regulations and the Growing Significance of Automated BC Solu - PowerPoint PPT Presentation

About This Presentation
Slides: 93
Provided by: stevek155
Learn more at: http://www.almitech.ru
Transcript and Presenter's Notes

1
Business Continuity Planning Overview,
Regulations and the Growing Significance of
Automated BC Solutions
Presented by Steve Kokol, Vice President of
International Sales, Strohl Systems Group,
Inc., skokol_at_strohlsystems.com, September 2006
2
What is a Disaster?
  • A disaster is a sudden, unplanned calamitous
    event that creates the inability on an
    organisation's part to provide the critical
    business functions for some predetermined period
    of time and which results in great damage or
    loss. (DRI International)
  • The time factor which determines whether a
    service interruption is an inconvenience or a
    disaster will vary from organization to
    organization.
  • The type, timing and severity of any business
    disruption is unpredictable.

3
Disasters are never on our calendar
4
Disasters. . . But we can prepare for them
5
Business Continuity Planning Defined
  • An ongoing programme to ensure prudent risk
    reduction and to resume key business operations
    before unacceptable impacts and losses are
    incurred.
  • Business continuity bridges the gap between
    disaster and recovery
  • Whatever the scenario, business continuity
    identifies weak links in the flow of information
    and builds systems and procedures to eliminate
    downtime.

6
Business Continuity Planning
  • BCP v. DR
  • BCP grew out of DR
  • Disaster Recovery tends to focus on data
  • BCP focuses on the entire Business and Business
    Units
  • BCP takes a more proactive stand
  • BCP programme elements include
  • Program authorization (a Business Impact Analysis
    and a commitment by executive management)
  • Business Continuity Plan development (response,
    resumption, recovery and crisis management)
  • Recovery Plan (and the regular maintenance of
    this plan)
  • Availability and survivability components such as
    UPS and redundant telecommunication systems.

7
Proactive v. Reactive
  • Business Continuity Planning
  • Proactive Process
  • By having a BCP, organisations seek to prevent
    interruption of mission critical services
  • BCPs generally cover most or all of an
    organization's critical business processes and
    operations
  • Disaster Recovery Planning
  • Reactive Process
  • More technical plans that are developed for
    specific groups within an organization to allow
    them to recover a specific business application
  • Areas requiring specific DRPs include IT, call
    centers, and distribution centers

8
A Business Continuity Programme is NOT
  • A project
  • A one time task with a fixed duration
  • Just about data
  • BCP must be an on-going, living programme with
    commitment from Top Management.

9
BCP Acceptance Worldwide
  • What drives BCP Acceptance in a particular
    country versus another?
  • Country Culture
  • Risk Avoidance
  • Laissez-faire
  • To some extent - Technological Advancement

10
BCP Acceptance Worldwide
  • What drives BCP Acceptance in a particular
    country versus another?
  • Presence of BCI, DRII or other organisations
    promoting BCP Standards. BCI Country
    Representatives: www.thebci.org
  • http://www.thebci.org/worldwideoffices.htm
  • Both BCI and DRII offer BCP certification

11
BCP Acceptance Worldwide
  • What drives BCP Acceptance in a particular
    country versus another?
  • Propensity to experience frequent natural
    disasters
  • Typhoons
  • Earthquakes
  • Floods
  • Monsoons
  • Country Specific Regulations
  • Industry Regulations
  • Corporate Governance Laws
  • Avian Pandemic / SARS
  • War / Terrorism

12
Type of Threats
  • Acts of nature
  • Man-made disruptions/disasters
  • Failure of infrastructure or technology

13
Ability to Recover versus BCP Maturity
14
Four Elements of a Business Continuity Program
Keep the plan up-to-date
Assure strategy reflects the business needs
On-going testing
Trained recovery teams
15
Integrated Business Continuity Program
16
Business Continuity Planning Budget
  • BUDGET ELEMENTS
  • Hot Site Contracts
  • Staff
  • Hardware
  • Education
  • Media Storage
  • Testing
  • Software

FACTORS INFLUENCING THE PERCENTAGE OF BCP BUDGET
  • Executive Commitment
  • Geographical Disbursement
  • Industry Regulations
  • Industry Revenues and Profits
  • RTO
  • Availability Goals - Protection of Data versus
    Operations
17
Which department in your organization is
ultimately responsible for business continuity
planning?
18
What is the title of the executive sponsor of
your organization's BCP program?
19
Changing Priorities
20
Recovery Time Objective
The RTO (Recovery Time Objective) is the
Timeframe in which a Business Function must
resume a Level of Service that will Prevent
Unacceptable Financial and/or Operational Impacts
from being Incurred by the Organization.
21
Protection of Data versus Protection of Operations
  • Protect the Data
  • Research and Development Pharmaceutical
  • Downtime not as important as protection against
    lost data
  • Retesting to meet documented regulatory
    requirements
  • Isn't the protection of data always most
    important?
  • Maintaining Continuous Operations
  • Manufacturing and Supply Chain
  • A stopped product line can cost millions
    per hour.
  • Also need to look upstream to ensure
    suppliers maintain continuous operations through
    a formal BCP.
  • Philips Electronics fire at Chip Plant
  • Nokia v. Ericsson (one did a better job than the
    other because of their tested BCP plan)

22
Define the Cost of an Outage
Data: 99% availability = 88 hours each year
that computing resources are unavailable
Average cost of an outage according to
Gartner: USD 42,000 per hour for mission
critical applications
3,600,000 lost each year due to unplanned
downtime
For companies that rely 100% on technology, such
as online brokers, e-commerce companies and
traders, hourly downtime risks can be 1,000,000
or more!
23
Define the Cost of an Outage
  • It must be measured in more than just
  • Why do I need a BCP programme if I have
    insurance?
  • Insurance only covers the financial
    considerations
  • Need a plan to stay in business
  • 50% of companies that experience a significant
    interruption or disruption in service and do not
    have a tested, up-to-date BCP Plan go out of
    business within one year of this interruption or
    disaster
  • Can often recover from the financial impact, but
    can you recover from the loss of market share and
    customer confidence?

24
BCP Acceptance Worldwide
  • Regulations drive Acceptance
  • UK Financial Services Authority
  • Basel II Accord
  • European Central Bank
  • Bank of Russia
  • SAMA: Saudi Arabian Monetary Agency
  • De Nederlandsche Bank
  • Monetary Authority of Singapore
  • Hong Kong Monetary Authority
  • Bank of Thailand
  • NYSE Rule 446
  • Quality Standards: ISO 17799, BS 7799
  • ISO Crisis Management Standards: ISO studying,
    May 2006
  • BS 25999 BCM Planning: In Progress, August
    2006
  • Australian Standards - AS 4444, AS/NZS 4360, HB
    221
  • British Standards: PAS 56
  • UK Civil Contingencies Bill of 2005
  • Insurance Regulations
  • Corporate Governance

25
BCP Acceptance Worldwide
  • UK Financial Services Authority (FSA)
  • Independent non-governmental body, given
    statutory powers by the UK Financial Services and
    Markets Act of 2000 (responsibility transferred
    to FSA from the Bank of England)
  • Her Majesty's Treasury appoints the FSA Board
  • Banks, Financial Services, Securities and Futures
  • Combined Code: Directors must annually conduct a
    review of the effectiveness of the group's system of
    internal controls and report to the shareholders
    that they have done so. (No requirement to
    publish this review)

26
BCP Acceptance Worldwide
  • UK Financial Services Authority (FSA)
  • Guidance on Business Continuity (SYSC 3.2.19
    G)
  • A firm should have in place appropriate
    arrangements, having regard to the nature, scale
    and complexity of its business, to ensure that it
    can continue to function and meet its regulatory
    obligations in the event of an unforeseen
    interruption. These arrangements should be
    regularly updated and tested to ensure their
    effectiveness
  • www.fsa.gov.uk/

27
BCP Acceptance Worldwide
  • New Basel Capital Accord (Basel II) issued by
    the Bank for International Settlements (BIS),
    www.bis.org
  • Originally issued the Basel Capital Accord (Basel
    I) in 1988; applied minimum capital reserve
    standards to the banking industry (8%)
  • January 2001: Proposal for new Basel Accord to
    replace 1988 standard
  • Initial goal was to finalise by 2004 (pushback
    from the banking community, fearful that they
    could not comply)
  • Implementation by year-end 2006 (or possibly
    later)

28
BCP Acceptance Worldwide: Basel II
  • New Basel Capital Accord (Basel II)
  • Three Pillars of Basel II
  • Capital Standards
  • Supervisory Review
  • Market Discipline
  • Operational Risk addressed in all three pillars

29
BCP Acceptance Worldwide: Basel II
  • New Basel Capital Accord (Basel II)
  • Banks that can demonstrate sound practices for
    the management and supervision of operational
    risk will be able to reduce their capital
    reserves, freeing up large amounts of additional
    funds for investment.
  • Sound Practices for the Management of Operational
    Risk
  • Operational Risk: the risk of loss resulting
    from inadequate or failed internal processes,
    people and systems, or from external events
  • Developing an Appropriate Risk Management
    Environment
  • Principle 7: Banks should have in place
    contingency and business continuity plans to
    ensure their ability to operate on an ongoing
    basis and limit losses in the event of severe
    business disruption
  • Basel II places emphasis on internal controls and
    risk management

30
BCP Acceptance Worldwide
  • New Basel Capital Accord (Basel II)
  • Once finalised, each Nation may make amendments
    to their domestic versions of Basel II
  • Companies wanting to reduce their operational
    reserves must show a 5 year track record of
    compliance to be able to reduce these reserves.
  • Basel II should not simply be viewed as a
    compliance initiative, but as an opportunity for
    change!
  • www.bis.org/publ/bcbsca.htm

31
BCP Acceptance Worldwide
  • ECB (European Central Bank), June 2006
  • Three-year deadline for the introduction of
    stricter business continuity planning and crisis
    management procedures
  • Payments system operators, key suppliers and
    participants - should have well-defined
    strategies and monitoring mechanisms for dealing
    with major outages aimed at the recovery and
    resumption of critical functions within the same
    settlement day.
  • Systems should also have a secondary,
    geographically separate site, capable of
    independent operation in the event of failure at
    the primary facility.
  • June 2009: compliance with revised standard
  • http://www.ecb.int/pub/pdf/other/businesscontinuitysips2006en.pdf

32
BCP Acceptance Worldwide
  • Standard of the Bank of Russia, January 2006
  • Ensuring information security of the
    organizations of the banking system of Russian
    Federation
  • 9.6. Business continuity management and disaster
    recovery
  • Organization should develop and deploy the plan
    of business continuity management and disaster
    recovery.
  • The plan and corresponding business processes
    should be reviewed on a regular basis and
    updated (e.g. after significant changes in
    operational activities, organizational structure,
    business processes and information systems).
  • The effectiveness of documented procedures of
    recovery should be periodically checked and
    tested (at least twice per year). All staff
    involved in the plan execution and DR
    procedures should be familiarized with the plan
  • As a methodological basis for the plan
    development common international standards of
    Business continuity management (like BSI PAS-56)
    could be used.

33
BCP Acceptance Worldwide
  • SAMA: Saudi Arabian Monetary Agency
  • 2006
  • Currently seeking guidance in setting BCP
    standards from their member banks
  • http://www.sama.gov.sa/

34
BCP Acceptance Worldwide
  • De Nederlandsche Bank
  • 2005: Business Continuity Assessment Framework
  • Assist firms to benchmark their BCP activities
  • Framework will be introduced to other firms
    within the Euro-zone
  • Each firm must have a BCP plan approved by
    management board or senior management
  • Advisable to have the BCP plan assessed by the
    internal audit department
  • The Assessment framework contains a total of 10
    criteria

35
BCP Acceptance Worldwide
  • Monetary Authority of Singapore
  • June 2003: Guidelines on Risk Management
    Practices, Business Continuity
  • The guidelines will serve as a standard for
    financial institutions and raise their awareness
    and preparedness by having in place effective and
    comprehensive BCP
  • Institutions are encouraged to adopt these
    principles and implement BCP that is commensurate
    with the institution's nature, scale and
    complexity of business activities
  • MAS will, in the course of its supervision of
    institutions, review the BCP implementations
  • Board and Senior Management should be responsible
    for the BCP preparedness of their institution
  • Institutions should embed BCP into their
    business-as-usual operations, incorporating sound
    BCP practices

36
BCP Acceptance Worldwide
  • Monetary Authority of Singapore
  • June 2003: Guidelines on Risk Management
    Practices, Business Continuity
  • Institutions should test their BCP regularly,
    completely and meaningfully
  • Institutions should develop recovery strategies
    and set recovery time objectives for critical
    business functions
  • Institutions should understand and appropriately
    mitigate interdependency risks of critical
    business functions
  • Institutions should plan for wide-area
    disruptions
  • Institutions should practice a separation policy
    to mitigate concentration risk of critical
    business functions
  • www.mas.gov.sg/regulations/download/BCMGuidelines.pdf

37
BCP Acceptance Worldwide
  • Hong Kong Monetary Authority
  • New BCP policy established in December 2002
  • Sets out the HKMA's supervisory approach to
    business continuity planning (BCP)
  • www.info.gov.hk/hkma/eng/bank/spma/index.htm

38
BCP Acceptance Worldwide
  • The Bank of Thailand, November 2005
  • Requirement of an IT Contingency Plan: BOT
    Notification No 1953-2548
  • Restore IT systems of Financial Institutions
    within a suitable period
  • Maintain customer and stakeholder confidence in
    financial institutions' services
  • Board of Directors of each Financial Institution
    must establish a written policy statement and
    guide for preparing the IT Contingency plan
  • Functional and full scale tests must be conducted
    at least once per year
  • BOT recognized that IT plan is part of the BCP
    plan. BOT is in the process of issuing guidance
    for the preparation of business continuity plans.
  • www.bot.or.th

39
BCP Acceptance Worldwide
  • NASD 3500 Series-Emergency Preparedness (3510 and
    3520) and NYSE-Rule 446 Business Continuity Rules
  • Approved by the US SEC - April 2004
  • NASD and NYSE member organizations must develop
    and maintain a written business continuity and
    contingency plan
  • Must conduct, at minimum, an annual review in
    light of changes to the organization's
    operations, structure, business or location
  • Plan must address:
  • Data back-up and recovery or mission critical
    systems
  • Alternate communications between customers and
    the firm
  • Alternate communications between the firm and its
    employees
  • Financial and operational risk
  • Alternate Physical location of employees
  • Communication with Regulators

40
BCP Acceptance Worldwide
  • NASD and NYSE Business Continuity Rules
  • A NASD and NYSE member is also required to disclose to
    its customers a summary of its business
    continuity plan that addresses how the member
    intends to respond to potential disruptions of
    varying scope
  • Must designate a senior officer to approve the
    Plan and be responsible for the annual review and
    emergency contact person(s)
  • NASD providing a template for small businesses
    and a repository to hold BCP plans:
    http://www.nasdr.com/business_continuity_planning.asp
  • http://www.sec.gov/news/press/2004-53.htm

41
BCP Acceptance Worldwide
  • Quality Standards: ISO 17799, BS 7799-2:2002
  • International Organization for Standardization
    (ISO)
  • British Standards Institute Specification for
    Information Security Management
  • BS7799 is the most widely recognized security
    standard in the world.
  • Best practices in information security
  • Code of practices (ISO)
  • Specification for Information Security Management
    (BS)


42
BCP Acceptance Worldwide
  • Quality Standards: ISO 17799, BS 7799-2:2002
  • ISO17799 is organized into ten major sections,
    each covering a different topic or area
  • 1. Business Continuity Planning - The objectives
    of this section are: To counteract interruptions
    to business activities and to critical business
    processes from the effects of major failures or
    disasters.
  • www.iso.org

43
BCP Acceptance Worldwide
  • ISO Crisis Management Standards
  • ISO Technical Committee (ISO/TC) studying, May
    2006
  • Mission of ISO/TC 223 is to develop International
    Standards or other ISO deliverables that will
    improve preparedness before a crisis,
    coordination during a crisis and reconstruction
    and remedial action afterwards.
  • Scope of crisis management is broad, spanning
    everything from preparation, analyses, forecasts
    and development of systems to education, drills
    and evaluation.
  • Next Meeting: November 2006
  • www.iso.org

44
BCP Acceptance Worldwide
  • Quality Standards: BS 25999
  • Code of practice for business continuity
    management
  • Draft for public comment ended August 2006
  • Part 1: Code of practice for business continuity
    management
  • Part 2: Specification for business continuity
    management
  • Part 2 specifies the process for achieving
    certification that business continuity capability
    is appropriate to the size and complexity of an
    organization.
  • www.bsi-global.com/bs25999

45
BCP Acceptance Worldwide
  • Australian Standard - Security Standards - AS
    4444
  • Key Controls 1
  • Information Security Policy document
  • Key Controls 2
  • Business Continuity Planning
  • AS/NZS 4360: Risk Management Standards
  • Business Continuity Management Handbook: HB
    221:2003
  • www.standards.com.au/catalogue/script/search.asp

46
British Standards PAS 56
  • Publicly Available Specification 56
  • Guide to Business Continuity Management
  • March 2003: Published by the British Standards
    Institute and sponsored by the BCI
  • Based on the BCI's Good Practice guide
  • Pre-Standard which may form the basis for an
    eventual standard
  • Envisioned that organizations who already have
    processes in place will be asked at some point by
    their stakeholders to confirm that they comply
    with PAS 56
  • Provides a framework for incident anticipation
    and response evaluation techniques and criteria
  • Provides recommendations for good practice
  • www.thebci.org/pas56.html

47
UK Civil Contingencies Bill of 2005
  • UK Drafted the Act in January 2004
  • Became a UK Regulation in early 2005
  • Addresses various natural and man-made threats,
    emergencies or disasters
  • Requires Responders to perform contingency
    planning and risk assessment, and to maintain plans so that,
    if an emergency occurs, the person or body is
    able to continue to perform his or her functions
  • Responders
  • Category 1: County Councils, District Councils,
    Police, Fire, Health, Environmental
  • Category 2: Utilities, Transport, Health and
    Safety
  • http://www.parliament.the-stationery-office.co.uk/pa/cm200304/cmbills/014/2004014.htm
  • Self Assessment tool: http://www.audit-commission.gov.uk/emergencyplanning/index.asp

48
BCP Acceptance Worldwide
  • Insurance Regulations
  • A documented and tested BCP plan is a requirement
    of many insurance firms
  • Precondition of Insurance
  • Premiums lower for sound, mature, tested BCP
    programs.

49
BCP Acceptance Worldwide
  • Other Factors
  • Have experienced a disaster in the past; have
    felt the pain
  • Power Outages Worldwide
  • Mandate for BCP plans from other corporations
    with whom you are doing business
  • Supply chain - diversify
  • Competitive Advantage
  • Avian Pandemic / SARS
  • Fear factor

50
BCP Acceptance Worldwide
  • Corporate Governance
  • WorldCom, Enron, Ansett Airlines, dot-gones
  • Directors being held directly responsible for
    Business Continuity Plans
  • USA: Sarbanes-Oxley Act of 2002
  • Increased standards for corporate governance,
    transparency and accountability
  • Section 404 focuses on BCP and Operational risk
  • Executives must review internal controls and
    publish the results of the review
  • Section 409 focuses on prompt disclosure
  • Executives are required to disclose to the
    public, on an urgent basis, information on
    material changes in their financial condition or
    operations
  • Only applies to publicly traded companies
  • Does apply to Non-USA companies that are listed
    in the USA
  • Effective for US companies 15 June 2004 and 15
    April 2005, depending on the size of the business
  • Effective for non US companies in 2005
  • http://www.soxlaw.com/s802.htm

51
BCP Acceptance Worldwide
  • Corporate Governance
  • The Turnbull Report, 1999: Institute of
    Chartered Accountants in England and Wales
    (ICAEW) provides guidance to Directors on the
    Combined Code of the Committee on Corporate
    Governance
  • Compliance is a prerequisite for being listed on
    the London Stock Exchange
  • Higgs Report, Role of the Board: Proposed to be
    combined into the UK's Combined Code
  • http://www.dti.gov.uk/cld/non_exec_review/pdfs/higgsreport.pdf
  • King Report on Corporate Governance (King 2),
    South Africa
  • Company must protect stakeholders from effects of
    the worst disasters
  • Places BCP responsibility at the Board of
    Directors level
  • Formal risk assessment at least once per year
  • Australian Stock Exchange: Principles of Good
    Corp Governance
  • Australia: AS 8000-2003 Principles of Corporate
    Governance
  • Upcoming Malaysia Regulations for listed companies

52
Business Continuity Planning
  • The Business Impact Analysis
  • Plan Development
  • Plan Testing
  • Incident Management
  • Emergency Notification

53
What is a Business Impact Analysis?
  • A business impact analysis (BIA) is the
    foundation for all business continuity planning
    programs.
  • It prioritizes your business units and critical
    processes so that you can identify the timeframes
    in which they need to be recovered
  • It helps executive management develop strategies
    for managing continuity and recovery
  • Without this knowledge, making the right
    decisions to protect your company's assets is
    tenuous if not impossible.

54
What is a Business Impact Analysis (BIA)?
  • Objective, management-level analysis tool
  • Objective, not subjective
  • Deals in Roubles, , , , etc. and business
    terms that managers understand
  • Uses data provided by business function managers,
    not project team

55
What kind of information does a BIA provide?
  • Financial impacts
  • Operational impacts
  • Extraordinary expenses
  • Current state of preparedness
  • Recovery resource requirements
  • Competitive Analysis

56
Questions to be Answered
  • What is the magnitude of the potential financial
    and operational impacts and exposures?
  • How quickly do they escalate over time?
  • What are the business function interdependencies?
  • What is the dependence on technology?
  • What resources are required to recover each
    function?

57
MS Excel is NOT the Answer to your BIA
  • BIA surveys must be designed so they are easy for
    the recipient to understand and use.
  • You must be able to send the BIA surveys and
    collect the data in a number of ways
  • Interviews
  • E-mail
  • Over the Internet
  • You must be able to validate the data that
    recipients enter into the survey
  • You must be able to easily change the survey to
    meet the demands of various business departments
  • You must be able to easily consolidate the BIA
    data and provide automated reporting

BIA Professional Business Impact Analysis
58
The Goal of Business Continuity Planning
  • Protect employees, members, etc. . . PEOPLE!!
    through controlled emergency recovery.
  • Define service alternatives for accomplishing
    critical applications.
  • Minimize the extent of interruption.
  • Limit financial losses and hardships.
  • Establish customer confidence in a company's
    ability to maintain operations.
  • Satisfy federal and state compliance regulations.

59
What's in a Business Continuity Plan?
60
Assumptions
  • A major disruption will occur
  • Planning will be for worst case scenario
  • Recovery will be executed using only
    pre-positioned resources and materials from
    off-site storage
  • Recovery readiness is a form of insurance

61
Plan Development
Equipment
Software Data Backups
People
Hardware
Recovery Processes
Transportation
Vital Records
Special Forms Documentation
Voice Data Communications
Locations
62
Functions
63
STROHL PR4STANDARD
64
The Recovery Cycle
  • RECOVERY RESTORATION
  • Long-term Continuity
  • Repair/ Replace
  • Migration
  • Resume Normal Service
  • RESPONSE
  • Assessment
  • Escalation
  • Declaration
  • RESUMPTION
  • Initial
  • Short-term Continuity

65
Why New Requirements for BCP?
  • What's Changed?
  • New threats
  • New technology
  • As a result there is more regulatory focus on
    business resumption and a greater emphasis on
    testing and maintenance

66
Why New Requirements for BCP?
  • Requirement for enterprise-wide planning
  • Recovery time objectives becoming shorter and
    shorter
  • Interdependency
  • Technology dependence outside the organization
  • Importance of HR

67
Why New Requirements for BCP?
  • Old Assumptions: in the past a business could
    assume that if the main office was in NY, and the
    backup was in Chicago, the staff would just fly
    to the backup location in the event of an
    unplanned disruption
  • New Perspectives: No one ever planned for all
    airlines being grounded, but it happened.
  • Source: FFIEC IT Handbook Presentation

68
What is a BCP Plan?
  • A collection of resources, actions, procedures,
    and information that is developed, tested, and
    held in readiness for use in the event of a major
    disruption in business operations.

69
Technology Recovery
  • Computer Processing
  • Mainframes/Mini-Computers
  • Client/LAN/Servers
  • PCs/Terminals
  • Voice Communications
  • Consoles
  • PBX
  • Telephones
  • FAX Machines
  • Data Communications
  • Internet Operations (e-business)
  • Special Equipment

70
MS Word is NOT the Answer to your BCP Plans
  • BCP plans are dynamic, constantly changing
  • Need to be updated regularly
  • Extremely difficult and time consuming to
    continually update information in MS Word
  • Employee Changes, Company Structural
    reorganisations, application changes
  • Need the power and flexibility of a BCP plan
    built on a relational database
  • Plans from various business units should be
    consolidated to provide a corporate, global,
    enterprise BCP plan
  • No way to do this with MS Word
  • Specialised planning solutions provide for the
    development of an organizational plan hierarchy
    for summarization and drill down

LDRPS Living Disaster Recovery Planning System
71
Test, Test, Test
  • You have done your BIA
  • You have created a great BCP plan
  • Now, how are you going to test it?
  • Simulated disaster
  • Start small, then expand to include larger
    portions of your company, finally moving to
    coordination with vendors, suppliers and your
    local community
  • Automated Tool to help collect and analyze the
    results of a test

72
Before and After the Test
  • Pre-test Meeting with Disaster Recovery Team
  • Identify objectives and the members of the team
  • Verify RTOs
  • Post Test Review
  • Original RTOs versus Actual Recovery Times
  • Review Infrastructure Problems
  • Review Data Issues
  • Identify changes to the plan based on documented
    issues discovered during the test
  • Test, Test, Test

73
MS Project is NOT the Answer to your Incident
Management Needs
  • Incident Management is dynamic with many
    uncertainties
  • Must be linked to your BCP Plan
  • As the Incident Changes, we must manage those
    changes
  • Plans from various business units should be
    integrated to act as the basis for your incident
    management and needs

Incident Manager Testing and Incident Management
74
Do you have a plan in place to contact employees
prior to a known disaster?
75
If your organisation was to experience a Regional
or National disaster, do you feel your plan would
be able to withstand wide-scale communication
failures?
76
When was the last time you tested your call tree?
77
Covering All the Bases
1) Utilise a well documented Emergency Notification plan
2) Leverage technology
3) Test your Emergency Notification plan
4) Test your Emergency Notification plan again
5) Establish accurate Emergency Notification reports
6) Implement corrective actions in your Emergency Notification Plan
78
Increased Need for Effective Crisis Communications
  • GOALS
  • Centralise control of the incident
  • Control the message
  • Avoid speculation and misinformation
  • Set pace and tone for resolution
  • Protect people first, assets second

79
Developing a Communications Plan
  • An effective plan allows you to focus on solving
    problems and communicating appropriately.

Emergency Notification: useful before, during, and
after disasters. Not just a disaster recovery
(after the disaster has struck) tool.
80
Best Practices
  • Automate!
  • Eliminate rumor
  • Prevent loss of important information
  • Speed

81
Manual Call Trees are NOT the Answer to your
Emergency Notification Plans
  • Informing your stakeholders of a disruption in
    service or disaster
  • Automate the process
  • Contact Emergency Response Personnel, suppliers,
    general employee population
  • Contact via phone, Mobile, Pager, SMS, e-mail all
    simultaneous and within a specified Service Level
    Agreement (SLA)

NotiFind, powered by EnvoyWorldWide
82
  • Summary

83
BCP Trends
  • Increased Standards
  • Industry
  • Country
  • Corporate Governance
  • Globalization of BCP
  • Enterprise Continuity Planning
  • Greater visibility of Business Continuity
    Planning issues at the Managing Director and C
    levels of the organization

84
BCP Trends
  • BCP expanding outside of its traditional IT
    boundaries
  • Move toward resiliency (zero down time) versus
    recovery
  • Move toward disaster prevention versus disaster
    recovery
  • BCP is increasingly becoming integrated with
    corporate functions
  • Leading organizations integrating business
    continuity with risk management

85
BCP: A Coordinated Effort
  • Business Continuity Planners should work with
  • Emergency Response Plans (typically owned by
    facilities managers)
  • Disaster Recovery Plans (typically an IT
    responsibility)
  • Corporate Crisis Management (typically the
    responsibility of corporate security)
  • External Communications (typically the
    responsibility of the corporate communications
    organization)

86
BCP: An Ongoing, Living Process
  • BCP is not a project or one time event
  • Must be coordinated throughout an organization
    and include external dependencies.
  • Enterprise Continuity Planning: a Corporate
    Function
  • We must not only meet regulatory requirements;
  • we must strengthen corporate governance as a
    means of gaining competitive advantage in today's
    global economy.

87
Strohl Systems
  • For the past 18 years, Strohl Systems has been
    devoted exclusively to the business of providing
    the world's finest business continuity planning
    software and services to a worldwide market.
  • LDRPS, Strohl's Business Continuity planning
    tool, is the cornerstone of the Strohl Systems
    organization.
  • It offers
  • a proven methodology
  • an existing support network
  • an extensive user community

88
Industries Served - USA
  • 9 out of 10 securities firms
  • 5 out of 6 telecommunication companies
  • 4 out of 5 U.S. insurance companies
  • 4 out of 5 financial institutions
  • 4 out of 5 household goods producers
  • 4 out of 5 aerospace and defense companies
  • 3 out of 5 general retailers
  • 6 out of 10 commercial banks
  • 3 out of 5 computer makers
  • 4 out of 6 energy companies

89
Who Uses Strohl Automated Business Continuity
Planning Solutions in the Region?
  • Arab Bank
  • Riyad Bank
  • Arab National Bank
  • Bank of Bahrain and Kuwait
  • Byblos Bank
  • Investcorp Bank
  • Samba
  • Many more

90
Industries Served
91
Strohl Systems, Inc.
  • Worldwide organization dedicated solely to
    Business Continuity Planning solutions

92
Successful Program
93
Strohl's Worldwide Presence, August 2006
37 Distributors and Resellers covering 79 Countries
94
Questions?