What would you do if you were locked out of your office for 5 days?
If your business is unable to service its clients for 5 consecutive days or more (e.g. you have to abandon or surrender your facilities), the FEMA statistic says 80% of these businesses will be out of business within two years. Large corporations are able to fund, plan, build and test disaster recovery & business continuity plans. But what about the rest of us mere mortals? What is realistic preparation for Small & Medium businesses?
Meetup 35 in Oakville saw three presenters and a panel Q&A session with 4 panelists.
15. Incident Level Communication
• Critical – Fatality
• Major – EMS
• Minor – Treat and return to work
• Activation – Action required
• Notification – FYI, no action required
• All Clear – Incident resolved
16. IMS Response
• Stage Three Incident – Executives
• Stage Two Incident – Managers
• Stage One Incident – Supervisors/staff
19. Emergency Continuum
Inconvenience → Problem → Emergency → Crisis → Disaster → Cataclysm
• Degree of impact on
– Organization
– Staff
– Community
– Government
– Infrastructure
20. Business Continuity
• Controlled degradation
– Like a body going into shock
• What functions are really critical?
– You may be surprised
– Criticality is tied to how long the function is not available
• Reallocate resources, build in redundancy
21. Mitigate & Prepare
• Reality check:
– People will forget to prepare
– Readiness processes will fade away
– Plans won’t be tested and will become obsolete
• Best hope:
– Leverage existing processes
– Get your information close to the source
– Use “emergency” processes routinely
– Create a 1-page Emergency Plan
22. Pandemic Planning Extras
• Planning assumptions
– 15% to 35% of workforce is affected
– First 8 weeks are bad, then it really hits you
– Ubiquitous: you’re on your own
• Well defined phases to pace response
• Ethical & business considerations
– e.g. pay for antivirals? for whole family?
• Pandemic fatigue
27. What Other Threats is Your Business Exposed to?
• Meth lab building remains closed to workers – Mississauga News 05/05/2008
• Three killed in Via Rail train derailment in Burlington, Ont. – National Post 02/26/2012
• Starting over after a cyberattack shuts down the business – The New York Times 08/29/2012
28. Business Risk Impact Assessment
Consider Rationally & Honestly:
• Business (AR/AP, Access to clients, Staff, & Suppliers)
• Corporate & Professional Reputation (Internal/External)
• Intellectual Property and Intangible Assets (Loss of Competitive Advantage)
• Personal Investment (Retirement, Succession Planning)
Determine which risks you can control and mitigate and those you cannot!
29. Drive ROI from Your Readiness Plan
• Leverage to Drive New Business, Competitive Advantage & Enhanced Reputation
• Share Your Plan with Insurance Providers, Lenders, and Potential Shareholders for Improved Terms and Market Access
• Cloud Technologies Present a Unique SWOT
• Improve Operational Understanding & Efficiency - Best Practices
• Embrace New Technologies but Extend Your Preparations Beyond the Server Room
30. What Choices Do You Have To Get Ready?
• You can find templates on the Internet – $0 to $1,000
• You can buy a software package – Starting at $30,000
• You can hire someone – Starting at $100,000/year
• You can hire expensive consultants – Starting at $50,000
31. About Modular DPS
Who We Partner With?
Modular DPS has carefully chosen to work with industry leading organizations
who bring innovative and dynamic services and solutions to market.
The ReadySmith Advisers Limited organization has been a long-standing
partnership spanning more than 6 years and several organizations. They bring
unparalleled capabilities and experience to address this critical business
planning requirement.
33. Scott Ashley, BCP/EM practitioner at Get Ready Emergency Training Inc. Twenty-five years’ experience in emergency management in Canada & US.
get-ready.ca
Carlos Paz-Soldan, Founder & CEO at Tenet ComputerGroup Inc. Emergency Planning, BCP and DR planning.
@Tenet_com
Danny Deganis, Co-founder & COO at Modular Data Protection Services Inc. Enables organizations to Plug in Cloud Services.
modulardps.com
Mauro Lollo is a recognized technology business leader and technical futurist. Former cofounder and CTO of Unis Lumin.
@maurolollo
Sylvain Rollin – President, ERMS Corporation. Provider of a comprehensive and enterprise-class emergency and incident mass notification system.
@ERMSCorporation
Our most important assets are our People, Business and Data.
To Protect our People we have an ERP, BCP for Business and DRP for Data.
This structure has three levels: Tactical, Operational and Strategic. The Tactical level is yellow and represents the front line response teams, which include the emergency response teams, business recovery teams and disaster or data recovery teams. These groups manage all the Stage One incidents. The Operational or orange level represents the Incident Management Team that will oversee and direct all stage two and three incidents. The Strategic level is red and represents our strategic or executive level. The executive team will assist in some key decisions in terms of approvals on spending, operational issues as required and communications with internal and external groups.
I always like to put in this slide, known as the designated worrier slide. This is to point to the person who is responsible for worrying about the fact that these issues are getting handled in a timely and effective manner. When we have an incident, it is our tactical level teams that spend 90% of their time worrying about how to manage or clean up the incident and 10% on maintaining operations. The Incident Management Team spends 50% of their time worrying about the incident and the other half worrying about restoring and maintaining operations. The Executive team knows the incident is being managed and therefore spends 90% of their time thinking about operations, reputation, communications and how these may impact the organization.
Once the incident stage level has been determined, switchboard will then know what teams or individuals will need to be activated and who needs to be notified. An activation is an alert to someone who is going to participate directly in the event. A notification is really just FYI, for someone who needs to be aware of the incident but not have any direct participation or actions. You can see on this scale that a stage one incident will activate the ERT and only notify the IMT. At stage two, both the ERT and the IMT would be activated and the executive on-call would be notified. For a stage three incident, all levels of our incident management structure would be activated.
Decision #1: determine your “level of paranoia”, i.e. how much can you really afford to worry about and prepare for.
Decision #2: decide what really matters
Regardless of organization size, what’s urgent takes precedence over what’s important. Preparedness has to be built into routine processes, or it will be forgotten until September 12.
Influenza ‘A’ Pandemics are to humans what fires are to forests: just a part of life.
Large organizations and emergency responders can afford to have sophisticated Incident Management processes.
Tenet’s mobile app
Source: Data Leakage Worldwide: Common Risks and Mistakes Employees Make - Cisco 2008
• Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.
• Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
• Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
• Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
• Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
Http://boss.blogs.nytimes.com/2012/08/29/starting-over-after-a-cyberattack-shuts-down-the-business/
Train Derailments: http://news.nationalpost.com/2012/02/26/burlington-train-derailed/
Meth Labs: http://www.mississauga.com/article/17484 http://www.rkiinstruments.com/pages/application_briefs/Methamphetamine_Laboratories_Gas_Detection.htm
Data leakage: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-499060.html http://humanresources.about.com/od/whenemploymentends/a/end_employment.htm
What are the risks to your critical business processes and procedures? What would happen if you could not access your clients, issue invoices, pay employees and suppliers? How long would they wait while you figured things out? What is your process to resume communications & coordinate notifications and recovery procedures? What if an ex-employee accessed one or more of your social media accounts and posted obscene or embarrassing information about you or your company? Do you have an employee exit policy and checklist in place to protect your critical communication and social media properties, client and staff lists? Are you subject to government or industry governance & compliance requirements? What are the penalties and publicity risks associated with non-compliance? Do you have just-in-time inventory or response-sensitive SLAs in place with any of your customers and clients? You’ve invested time, money, heart & soul into building your business. If your business is generating a 6-figure income for you, is it not worth investing in the protection of that income and asset stream? How much do you spend on promotional items, gift baskets, and staff events relative to the ongoing resiliency of your business?