Business Continuity Planning A practical guide - PowerPoint PPT Presentation

About This Presentation
Slides: 48
Provided by: adamla4

Transcript and Presenter's Notes

Title: Business Continuity Planning A practical guide


1
Business Continuity Planning A practical guide
  • Adam Lawrence, Director Terrorism Risk
  • ROSS CAMPBELL ASSOCIATES

2
Introduction
  • Ross Campbell Associates Crisis Management
    Recovery
  • Business resilience strategies
  • Clients in 25 countries
  • Workshops and reviews
  • Preparedness audits
  • Executive training
  • Corporate plans and enterprise-wide programs
  • Simulation exercises, walk-through rehearsals,
    capability tests
  • Alignment of Crisis Management, Business
    Continuity, issues management, emergency
    management
  • Managing the worst-case scenario

3
Agenda
  • Introduction: case studies and context
  • Business Continuity Management: an overview
  • Identifying plausible disruption scenarios
  • Business Impact Analysis
  • Response-Resumption-Recovery
  • BC Plan - the essentials
  • Leadership and governance
  • Rehearsing the plan and capability testing

4
Purpose
  • Raise awareness
  • Enhance capability of QUESTNET member
    institutions in responding to and recovering from
    a major disruption
  • QLD Government initiative to protect Mass
    Gathering Infrastructure in light of the threat
    of terrorism

5
Video compile
6
Terrorism: HSBC (Bank)
  • Istanbul, Turkey
  • 20 November 2003
  • Car bomb
  • 26 killed
  • 450 wounded

7
Utilities failure: US power outage
  • In just three minutes, starting at 4.10pm, 21
    power plants shut down (CNN, 14 August 2003)

8
Telco infrastructure failure
  • Telstra says more than 16,000 of its network
    cables were accidentally severed in the past 12
    months
  • The Age, 25 July 2005

9
Data centre failure
  • Multiple failures at a datacentre run by CSC
    left hospital trusts without access to patient
    administration systems for up to five days
  • ComputerWeekly.com, 13 Sep 2006

10
SARS
  • Began in Asia February 2003
  • Within weeks reported in 25 countries
  • Impact on airlines, tourism industry
  • Impact on businesses with operational links to
    Asia
  • Learnings for Avian flu preparedness?

11
Crisis/disaster impacts
  • People harmed
  • Disruption to operations
  • Asset damage
  • Loss of reputation
  • Loss of customer/public support
  • Financial loss
  • Increased regulation
  • Increased insurance premiums
  • Legal action
  • Destabilisation of senior management

12
Monash shootings 2002
  • ABC Interviewer: no amount of training can equip
    you for what happened yesterday?
  • Vice-Chancellor: we had a crisis management
    exercise of something similar to this about three
    months ago, which actually helped us through all
    of this
  • ABC Radio, October 2002

13
What is Business Continuity?
  • The uninterrupted availability of all key
    resources supporting essential business
    functions
  • (ANAO, 2000)
  • Keeping the wheels of business in motion
    following a material disruption (irrespective of
    the cause)
  • Key strategic risk that an organisation is
    unable to remain operational

14
Related disciplines
  • Emergency Management
  • ICT Disaster Recovery (service disruption, data
    loss)
  • Salvage and recovery (damaged hard-copy files)
  • Issue Management (public perception/reputation)
  • Government response
  • Crisis Management: the worst-case scenario
    (during the acute/emergency phase of response)
  • A crisis is an adverse situation that has the
    potential to cause serious harm to people,
    operations, assets, earnings, reputation or brand

15
Common capability gaps
  • Plans lacking fundamental components:
    WHO-WHAT-WHERE-WHEN-HOW-WHY
  • Unspecified or vague (contingency) roles and
    tasks
  • Lack of pre-designated alternative venues
  • Alternative/back-up venues in same precinct
  • Ill-equipped contingency venues
  • Lack of alternate/deputy (contingency) roles
  • Un-rehearsed plans and call-out procedures
  • No pre-designated spokesperson
  • No documented Business Impact Analysis (BIA)

16
Common capability gaps (cont.)
  • Insufficient understanding of or linkages to
    government response
  • Sole reliance on mobile telephones to co-ordinate
    the response (prone to failure)
  • Insufficient protocols for communication with
    staff, visitors, students
  • Recovery times (RTOs) not specified
  • Lacking 24/7 remote access to HR/vendor contact
    details
  • Lack of confidence in documented plans: too much
    information

17
Critical success factors
  • Learn from the experience of others
  • Address the common capability gaps
  • Clear command structure
  • Have a group that has authority to invoke
    recovery plans and manage strategic
    ramifications (Crisis Management Team)
  • Clear communication and reporting channels (between
    Head Office and subordinate entities including
    first responders)
  • Identify alternative command venue/s and
    contingency work accommodation
  • Ensure adequate incident notification and
    call-out procedures

18
Other challenges
  • Extreme stress
  • Cause may be beyond your control (3rd party
    dependency)
  • Determining people's whereabouts/safety
  • Implications of rapid and intrusive media
  • Rumours and innuendo: bad news travels fast
  • Panic/hysteria
  • Aspects of government response may be beyond your
    influence
  • Understand the rights/obligations of all
    responders
  • Jurisdictional responsibility

19
BCM Process: steps involved
  • Risk/vulnerability assessment
  • Business Impact Assessment
  • Define Response Strategies
  • Determine Resource and Interdependency
    requirements to enact each plan
  • Develop Continuity Plans for the chosen strategy
  • Develop Communication Strategy
  • Training, Maintenance and Testing plans
  • Activation/execution of plans

20
crisismanagement.com.au
21
Operational Risk Assessment
  • What does the organisation depend on to operate?
  • What can happen?
  • When, where and how?
  • What are the critical processes or assets?
  • Workshop hypothetical scenarios
  • Interviews with principal staff/department heads
  • Site inspection (ideally by third party)
  • Event/media monitoring, industry briefs, case
    studies - learn from the experiences of others

22
Identifying disruption scenarios
  • Consider worst-case (total loss) disruption
    scenarios
  • Loss of building
  • Loss of precinct
  • Denial of access to building for a limited time
  • Loss of ICT (data)
  • Loss of ICT (voice)
  • Loss of vital (non-electronic) records
  • Loss of key staff
  • Loss of key dependencies
  • Source: APRA Prudential Standard APS 232 Business
    Continuity Management

23
Business Impact Analysis (BIA)
  • Undertaken for all key business processes
  • Call management
  • Service activations
  • Service restorations
  • Escalation management
  • Vendor management
  • Sets recovery processes, in the event of a
    high-impact disruption/loss (outage)
  • Establish a scenario as an aid to planning
  • Physical event, e.g. fire, flood, earthquake,
    terrorist attack
  • Assume worst case, e.g. total destruction of
    workplace and primary ICT resources

24
What would happen if?
  • Work with business owner or departmental
    representatives
  • Workshop/group approach
  • One-on-one interviews
  • Determine Maximum Acceptable Outage (MAO)
  • Maximum time it will take before an outage
    threatens an organisation achieving its business
    objectives
  • Max survival time before recovery procedures must
    commence
  • Qualify consequences/costs of impacts
  • By timeframes (1 day, 1 week, 1 month)
  • Simple narrative/description
  • Formal risk rating (negligible-extreme)

25
Recommended reading - BIA
  • Better Practice Guide: Business Continuity
    Management - Keeping the wheels in motion, ANAO
    2000 (www.anao.gov.au)
  • Has excellent BIA Worksheet template
  • Example impact/risk analysis matrix

26
Example workshop approach (BIA)
  • Denial of access for a limited time
  • Multiple cases of Legionella infection are
    attributed to the data-centre building
  • Victims include a number of maintenance vendors
    (2 are critically ill)
  • Management become aware of the situation during
    business hours
  • Health authorities order the evacuation of all
    non-essential staff and visitors
  • The water-coolers are shut down and samples taken
    for testing
  • Disinfection action begins (will take several
    days)

27
Part 2: Escalation
  • A day later the presence of a hazardous strain
    of Legionella bacteria is lab-confirmed
  • Health authorities are advising anyone with
    symptoms (fever, cough, breathlessness, chest
    pain, diarrhoea) to seek medical attention and
    undergo tests
  • Building will remain closed for at least 3 days
    to allow for Health Authority/Work Cover
    investigation and the identification of other
    potential victims
  • Only a limited number of building services staff
    and specialist contractors are permitted to have
    access

28
Part 3: Implications
  • No air conditioning for up to 10 days
  • Very limited staff access (to treat hazard only)

29
Phases of response
  • Preparedness
  • Response: emergency protection of people and
    property (to limit the impacts)
  • Resumption/continuity: immediate fixes to
    begin interim operations
  • Recovery: steps for achieving full operational
    normality (pre-disruption)

30
Response
  • Protection of people and property
  • Evacuation/hold-in place procedures
  • Automated fire suppression
  • Actions of emergency services
  • Processes to limit impact on critical services
  • e.g. back-up power fail-over
  • Standard service disruption procedures
  • Incident escalation/notification to governing
    entity
  • Call-out of governing entity (Crisis Management
    Team)
  • Setting up Command Centre

31
Resumption
  • Relocation of staff to alternative venue (e.g.
    commercial DR site)
  • Source alternative office accommodation
  • Diversion of telephones
  • Data recovery from back-up tapes
  • Restoration of desktop environment, email,
    network access etc
  • Work from home strategy
  • Emergency procurement of replacement
    infrastructure
  • Stakeholder communication - staff, vendors,
    students, creditors, insurers, media etc
  • Key issue - remote access to BCP with planning
    data

32
Recovery
  • Specialist salvage and recovery - site clean-up
  • Rebuild primary site or seek new premises?
  • Sourcing new vendor/s
  • Long term project effort
  • People issues: retention/recruitment

33
crisismanagement.com.au
34
BC Plan - the essentials
  • WHO-WHAT-WHEN-WHERE-HOW (WHY)
  • Sample full table of contents
  • First Response Flowchart
  • Sample Role Checklist - Team Leader
  • Sample Threat/Risk Response Guidelines
  • Sample Business Unit Recovery Plan
  • APRA compliant disruption scenarios
  • Sample ICT Disaster Recovery Plan table of
    contents

35
Crisis Leadership: The Challenge
  • Managing information overload
  • What's going on? Maintaining situational
    awareness
  • What should I do?
  • Communication bottlenecks
  • Public/customer perceptions/expectations?
  • Internal perceptions/expectations?
  • Expectations of higher office/regulators/authorities?
  • Tales of great strategies derailed by poor
    execution are all too common

36
Human Response to Stress
  • Perception of situation (as a threat)
  • Expectations of own ability to cope
  • Fight or flight response
  • Calm/confident in facing situation (fight), or
  • Avoiding it (flight)
  • Positive leadership influence on others
  • Sound judgment, decisive action
  • Impaired judgement
  • Indecision
  • Poor execution of contingencies

37
  • Commercial Issues
  • Legal
  • Risk
  • Insurance
  • Customers
  • Record of Incident
  • Response
  • Roles and accountabilities
  • Resources available
  • Training requirements
  • Documented
  • Recovery
  • Short term operations
  • Long term recovery goals
  • Documented BCP
  • Integration with DRP

CRISIS MANAGEMENT
  • External Affairs
  • Ministerial liaison
  • Interviews
  • Media releases
  • Media management on site
  • Community relations
  • Business relations
  • Employees and Next of Kin
  • Communicate
  • Training
  • Delivering the message
  • Communications
  • Control centre
  • Communications equipment requirements
  • Call centre interface

38
Crisis Leadership: What it takes
  • Calmness/confidence in tackling the unexpected
  • Sound judgement
  • Decisiveness
  • Regular communication with stakeholders
  • Trust, delegation: allow yourself time to think
  • Have a special team to support you
  • Treat the stressors and build confidence

39
The solution?
  • Have a single, organisation-wide framework for
    all occasions
  • Ensure full alignment of BC, ICT DR, emergency
    procedures, security and other contingency plans
  • Simple, concise checklists
  • Train, rehearse/validate, review and revise

40
Crisis Management Team
  • TEAM LEADER
  • Leadership
  • Call-out decision
  • Key stakeholder liaison
  • Goal setting
  • Prioritising work
  • Spokesperson
  • Media face
  • Media conferences
  • One face, one message
  • Recovery
  • BCP interface
  • Office relocation
  • Alt premises
  • Identify and allocate resources to achieve goals
  • External Affairs
  • Media management
  • HQ advice
  • News releases
  • Community and government relations
  • Human Resources
  • Internal communication
  • Tracking victims
  • Employee records
  • Next of kin liaison
  • Welfare
  • Counselling
  • Response
  • Contact with scene
  • Monitor situation
  • Advise team
  • Emergency control
  • Evacuation
  • ICT Coordinator
  • CMT support
  • CMT venue set-up
  • ICT DR interface
  • Vendor liaison
  • Salvage and recovery
  • Procurement
  • Commercial Services
  • Regulatory
  • Legal
  • Insurance
  • Customers
  • Suppliers
  • Maintain records

41
Team Structure
  • Manageable span of control (5-7 direct reports)
  • Resist temptation to include additional direct
    reports: less is more
  • Having a larger, flatter structure means:
  • More stress to Team Leader, and
  • Less efficient interaction between team members
  • Distinguish contingency functions from
    status/rank and day-to-day role
  • Select best person for the job
  • Not everyone has to be involved

42
crisismanagement.com.au
43
Testing the capability
  • HB 221 BCM guidelines
  • Planning template
  • Desktop walk-throughs
  • Individual component testing (e.g. IT DR)
  • Fully integrated tests with third party service
    providers

44
Scenario planning exercises
  • Decide on participants - site, business unit
    and/or senior leadership team?
  • Decide on desired outcome - general awareness
    building, compliance, plan orientation,
    evaluation of performance, full functional test
  • Resources to be tested - people, IT, vital
    records (hardcopy/electronic), facilities,
    internal dependencies, external dependencies
  • Exclusions
  • Decide on threat/risk scenario

45
Scenario planning exercises
  • Develop theoretical sequence of events - as
    situation unfolds - not in relation to planned
    response actions
  • Consider possible reaction of key stakeholders:
    media, employees/contractors, students,
    investors, families, authorities, commercial
    partners, suppliers etc
  • Write script
  • Establish the cast - who will play what roles

46
Scenario planning exercises
  • Establish how the situation will be
    communicated to participants
  • Recommend real-time game play without too much
    fictitious background material beforehand

47
Recommended reading
  • HB 221:2003 Business Continuity Management
  • ANAO Better Practice Guide: Business Continuity
    Management - Keeping the wheels in motion
  • APRA Prudential Standard 232

48
crisismanagement.com.au