Business Continuity Planning A practical guide - PowerPoint PPT Presentation

Loading...

PPT – Business Continuity Planning A practical guide PowerPoint presentation | free to view - id: 272712-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Business Continuity Planning A practical guide

Description:

Sample full table of contents. First Response Flowchart. Sample Role ... Sample ICT Disaster Recovery Plan table of contents. Crisis Leadership: The Challenge ... – PowerPoint PPT presentation

Number of Views:92
Avg rating:3.0/5.0
Slides: 48
Provided by: adamla4
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Business Continuity Planning A practical guide


1
Business Continuity Planning A practical guide
  • Adam Lawrence, Director Terrorism Risk
  • ROSS CAMPBELL ASSOCIATES

2
Introduction
  • Ross Campbell Associates Crisis Management
    Recovery
  • Business resilience strategies
  • Clients in 25 countries
  • Workshops reviews
  • Preparedness audits
  • Executive training
  • Corporate plans enterprise-wide programs
  • Simulation exercises, walk-through rehearsals,
    capability tests
  • Alignment of Crisis Management, Business
    Continuity, issues management, emergency
    management
  • Managing the worst-case scenario

3
Agenda
  • Introduction case studies and context
  • Business Continuity Management an overview
  • Identifying plausible disruption scenarios
  • Business Impact Analysis
  • Response-Resumption-Recovery
  • BC Plan - the essentials
  • Leadership and governance
  • Rehearsing the plan and capability testing

4
Purpose
  • Raise awareness
  • Enhance capability of QUESTNET member
    institutions in responding to and recovering from
    a major disruption
  • QLD Government initiative to protect Mass
    Gathering Infrastructure in light of the threat
    of terrorism

5
Video compile
6
Terrorism HSBC (Bank)
  • Istanbul, Turkey
  • 20 November 2003
  • Car bomb
  • 26 killed
  • 450 wounded

7
Utilities failure US power outage
In just three minutes, starting at 4.10pm, 21
power plants shut down CNN, 14 August 2003
8
Telco infrastructure failure
  • Telstra says more than 16,000 of its network
    cables were accidentally severed in the past 12
    months
  • The Age, 25 July 2005

9
Data centre failure
  • Multiple failures at a datacentre run by CSC
    left hospital trusts without access to patient
    administration systems for up to five days
  • ComputerWeekly.com, 13 Sep 2006

10
SARS
  • Began in Asia February 2003
  • Within weeks reported in 25 countries
  • Impact on airlines, tourism industry
  • Impact on businesses with operational links to
    Asia
  • Learnings for Avian flu preparedness?

11
Crisis/disaster impacts
  • People harmed
  • Disruption to operations
  • Asset damage
  • Loss of reputation
  • Loss of customer/public support
  • Financial loss
  • Increased regulation
  • Increased insurance premiums
  • Legal action
  • Destabilisation of senior management

12
Monash shootings 2002
  • ABC Interviewer no amount of training can equip
    you for what happened yesterday?
  • Vice-Chancellor we had a crisis management
    exercise of something similar to this about three
    months ago, which actually helped us through all
    of this
  • ABC Radio, October 2002

13
What is Business Continuity?
  • The uninterrupted availability of all key
    resources supporting essential business
    functions
  • (ANAO, 2000)
  • Keeping the wheels of business in motion
    following a material disruption (irrespective of
    the cause)
  • Key strategic risk that an organisation is
    unable to remain operational

14
Related disciplines
  • Emergency Management
  • ICT Disaster Recovery (service disruption, data
    loss)
  • Salvage and recovery (damaged hard-copy files)
  • Issue Management (public perception/reputation)
  • Government response
  • Crisis Management the worst-case scenario
    (during the acute/emergency phase of response)
  • A crisis is an adverse situation that has the
    potential to cause serious harm to people,
    operations, assets, earnings, reputation or brand

15
Common capability gaps
  • Plans lacking fundamental components
    WHO-WHAT-WHERE-WHEN-WHERE-HOW-WHY
  • Unspecified or vague (contingency) roles and
    tasks
  • Lack of pre-designated alternative venues
  • Alternative/back-up venues in same precinct
  • Ill-equipped contingency venues
  • Lack of alternate/deputy (contingency) roles
  • Un-rehearsed plans call-out procedures
  • No pre-designated spokesperson
  • No documented Business Impact Analysis (BIA)

16
Common capability gaps (cont.)
  • Insufficient understanding of or linkages to
    government response
  • Sole reliance on mobile telephones to co-ordinate
    the response (prone to failure)
  • Insufficient protocols for communication with
    staff, visitors, students
  • Recovery times (RTOs) not specified
  • Lacking 24/7 remote access to HR/vendor contact
    details
  • Lack of confidence in documented plans too much
    information

17
Critical success factors
  • Learn from the experience of others
  • address the common capability gaps
  • Clear command structure
  • Have a group that has authority to invoke
    recovery plans and management strategic
    ramifications (Crisis Management Team)
  • Clear communication reporting channels (between
    Head Office and subordinate entities including
    first responders)
  • Identify alternative command venue/s and
    contingency work accommodation
  • Ensure adequate incident notification and
    call-out procedures

18
Other challenges
  • Extreme stress
  • Cause may be beyond your control (3rd party
    dependency)
  • Determining peoples whereabouts/safety
  • Implications of rapid and intrusive media
  • Rumours and innuendo bad news travels fast
  • Panic/hysteria
  • Aspects of government response may be beyond your
    influence
  • Understand the rights/obligations of all
    responders
  • Jurisdictional responsibility

19
BCM Process steps involved
  • Risk/vulnerability assessment
  • Business Impact Assessment
  • Define Response Strategies
  • Determine Resource and Interdependency
    requirements to enact each plan
  • Develop Continuity Plans for the chosen strategy
  • Develop Communication Strategy
  • Training, Maintenance Testing plans
  • Activation/execution of plans

20
crisismanagement.com.au
21
Operational Risk Assessment
  • What does the organisation depend on to operate?
  • What can happen?
  • When, where and how?
  • What are the critical processes or assets?
  • Workshop hypothetical scenarios
  • Interviews with principal staff/department heads
  • Site inspection (ideally by third party)
  • Event/media monitoring, industry briefs, case
    studies - learn from the experiences of others

22
Identifying disruption scenarios
  • Consider worst-case (total loss) disruption
    scenarios
  • Loss of building
  • Loss of precinct
  • Denial of access to building for a limited time
  • Loss of ICT (data)
  • Loss of ICT (voice)
  • Loss of vital (non-electronic) records
  • Loss of key staff
  • Loss of key dependencies
  • Source APRA Prudential Standard APS 232 Business
    Continuity Management

23
Business Impact Analysis (BIA)
  • Undertaken for all key business processes
  • Call management
  • Service activations
  • Service restorations
  • Escalation management
  • Vendor management
  • Sets recovery processes, in the event of a
    high-impact disruption/loss (outage)
  • Establish a scenario as an aid to planning
  • Physical event, e.g. fire, flood, earthquake,
    terrorist attack
  • Assume worst case, e.g. total destruction of
    workplace and primary ICT resources

24
What would happen if?
  • Work with business owner or departmental
    representatives
  • Workshop/group approach
  • One-on-one interviews
  • Determine Maximum Acceptable Outage (MAO)
  • Maximum time it will take before an outage
    threatens an organisation achieving its business
    objectives
  • Max survival time before recovery procedures must
    commence
  • Qualify consequences/costs of impacts
  • By timeframes (1 day, 1 week, 1 month)
  • Simple narrative/description
  • Formal risk rating (negligible-extreme)

25
Recommended reading - BIA
  • Better Practice Guide Business Continuity
    Management Keeping the wheels in motion, ANAO
    2000 (www.anao.gov.au)
  • Has excellent BIA Worksheet template
  • Example impact/risk analysis matrix

26
Example workshop approach (BIA)
  • Denial of access for a limited time
  • Multiple cases of Legionella infection are
    attributed to the data-centre building
  • Victims include a number of maintenance vendors
    (2 are critically ill)
  • Management become aware of the situation during
    business hours
  • Health authorities order the evacuation of all
    non-essential staff and visitors
  • The water-coolers are shut down and samples taken
    for testing
  • Disinfection action begins (will take several
    days)

27
Part 2 Escalation
  • A day later the presence of a hazardous strain
    of Legionella bacteria is lab-confirmed
  • Health authorities are advising anyone with
    symptoms (fever, cough, breathlessness, chest
    pain, diarrhoea) to seek medical attention and
    undergo tests
  • Building will remain closed for at least 3 days
    to allow for Health Authority/Work Cover
    investigation and the identification of other
    potential victims
  • Only a limited number of building services staff
    and specialist contractors are permitted to have
    access

28
Part 3 Implications
  • No air conditioning for up to 10 days
  • Very limited staff access (to treat hazard only)

29
Phases of response
  • Preparedness
  • Response emergency protection of people and
    property (to limit the impacts)
  • Resumption/continuity immediate fixes to
    begin interim operations
  • Recovery steps for achieving full operational
    normality (pre-disruption)

30
Response
  • Protection of people and property
  • Evacuation/hold-in place procedures
  • Automated fire suppression
  • Actions of emergency services
  • Processes to limit impact on critical services
  • e.g. back-up power fail-over
  • Standard service disruption procedures
  • Incident escalation/notification to governing
    entity
  • Call-out of governing entity (Crisis Management
    Team)
  • Setting up Command Centre

31
Resumption
  • Relocation of staff to alternative venue (e.g.
    commercial DR site)
  • Source alternative office accommodation
  • Diversion of telephones
  • Data recovery from back-up tapes
  • Restoration of desktop environment, email,
    network access etc
  • Work from home strategy
  • Emergency procurement of replacement
    infrastructure
  • Stakeholder communication - staff, vendors,
    students, creditors, insurers, media etc
  • Key issue - remote access to BCP with planning
    data

32
Recovery
  • Specialist salvage and recovery - site clean-up
  • Rebuild primary site or seek new premises?
  • Sourcing new vendor/s
  • Long term project effort
  • People issues retention/recruitment

33
crisismanagement.com.au
34
BC Plan - the essentials
  • WHO-WHAT-WHEN-WHERE-HOW (WHY)
  • Sample full table of contents
  • First Response Flowchart
  • Sample Role Checklist - Team Leader
  • Sample Threat/Risk Response Guidelines
  • Sample Business Unit Recovery Plan
  • APRA compliant disruption scenarios
  • Sample ICT Disaster Recovery Plan table of
    contents

35
Crisis Leadership The Challenge
  • Managing information overload
  • Whats going on? maintaining situational
    awareness
  • What should I do?
  • Communication bottlenecks
  • Public/customer perceptions/expectations?
  • Internal perceptions/expectations?
  • Expectations of higher office/regulators/authoriti
    es?
  • Tales of great strategies derailed by poor
    execution are all too common

36
Human Response to Stress
  • Perception of situation (as a threat)
  • Expectations of own ability to cope
  • Fight or flight response
  • Calm/confident in facing situation (fight), or
  • Avoiding it (flight)
  • Positive leadership influence on others
  • Sound judgment, decisive action
  • Impaired judgement
  • indecision
  • poor execution of contingencies

37
  • Commercial Issues
  • Legal
  • Risk
  • Insurance
  • Customers
  • Record of Incident
  • Response
  • Roles accountabilities
  • Resources available
  • Training requirements
  • Documented
  • Recovery
  • Short term operations
  • Long term recovery goals
  • Documented BCP
  • Integration with DRP

CRISIS MANAGEMENT
  • External Affairs
  • Ministerial liaison
  • Interviews
  • Media releases
  • Media management on site
  • Community relations
  • Business relations
  • Employees and Next of Kin
  • Communicate
  • Training
  • Delivering the message
  • Communications
  • Control centre
  • Communications equipment requirements
  • Call centre interface

38
Crisis Leadership What it takes
  • Calmness/confidence in tackling the unexpected
  • Sound judgement
  • Decisiveness
  • Regular communication with stakeholders
  • Trust, delegation allow yourself time to think
  • Have a special team to support you
  • Treat the stressors and build confidence

39
The solution?
  • Have a single, organisation-wide framework for
    all occasions
  • Ensure full alignment of BC, ICT DR, emergency
    procedures, security and other contingency plans
  • Simple, concise checklists
  • Train, rehearse/validate, review and revise

40
Crisis Management Team
  • TEAM LEADER
  • Leadership
  • Call-out decision
  • Key stakeholder liaison
  • Goal setting
  • Prioritising work
  • Spokesperson
  • Media face
  • Media conferences
  • One face once message
  • Recovery
  • BCP interface
  • Office relocation
  • Alt premises
  • Identify allocate
  • resources to achieve goals
  • External
  • Affairs
  • Media
  • management
  • HQ advice
  • News releases
  • Community and government relations
  • Human
  • Resources
  • Internal communication
  • Tracking victims
  • Employee records
  • Next of kin liaison
  • Welfare
  • Counselling
  • Response
  • Contact with scene
  • Monitor situation
  • Advise team
  • Emergency control
  • Evacuation
  • ICT Coordinator
  • CMT support
  • CMT venue set-up
  • ICT DR interface
  • Vendor liaison
  • Salvage recovery
  • Procurement
  • Commercial
  • Services
  • Regulatory
  • Legal
  • Insurance
  • Customers
  • Suppliers
  • Maintainrecords

41
Team Structure
  • Manageable span of control (5-7 direct reports)
  • Resist temptation to include additional direct
    reports less is more
  • Having a larger, flatter structure means
  • More stress to Team Leader, and
  • Less efficient interaction between team members
  • Distinguish contingency functions from
    status/rank and day-to-day role
  • Select best person for the job
  • Not everyone has to be involved

42
crisismanagement.com.au
43
Testing the capability
  • HB 221 BCM guidelines
  • Planning template
  • Desktop walk-throughs
  • Individual component testing (e.g. IT DR)
  • Fully integrated tests with third party service
    providers

44
Scenario planning exercises
  • Decide on participants - site, business unit
    and/or senior leadership team?
  • Decide on desired outcome - general awareness
    building, compliance, plan orientation,
    evaluation of performance, full functional test
  • Resources to be tested - people, IT, vital
    records (hardcopy/electronic), facilities,
    internal dependencies, external dependencies
  • Exclusions
  • Decide on threat/risk scenario

45
Scenario planning exercises
  • Develop theoretical sequence of events - as
    situation unfolds - not in relation to planned
    response actions
  • Consider possible reaction of key stakeholders
    media, employees/contractors, students,
    investors, families, authorities, commercial
    partners, suppliers etc
  • Write script
  • Establish the cast - who will play what roles

46
Scenario planning exercises
  • Establish how the situation will be
    communicated to participants
  • Recommend real-time game play without too much
    fictitious background material beforehand

47
Recommended reading
  • HB 2212003 Business Continuity Management
  • ANAO better practice guide Business Continuity
    Management Keeping the wheels in motion
  • APRA Prudential Standard 232

48
crisismanagement.com.au
About PowerShow.com