The document provides information on developing business continuity plans (BCPs). It discusses that a BCP includes planning for non-IT aspects of a business to continue operating during and after a disaster, including facilities, personnel and communications. The presentation covers the components of an effective BCP, such as identifying critical business processes and resources, creating recovery teams and procedures, and testing the plan annually. It emphasizes the importance of having alternative sites, backup systems and preventative measures in place to ensure business operations can continue despite disruptions.
Don’t wait for Disaster to Strike! Be Prepared with Business Continuity Plans
1. DON’T WAIT FOR DISASTER TO
STRIKE! BE PREPARED WITH
BUSINESS CONTINUITY PLANS
DATA SERVICES DEPTARTMENT
SRIIA TECHNOLOGIES, INC.
BUSINESS CONSULTING
SERVICES
11/19/2013
Developing and Supporting BCPs
2. Creating a Business Continuity Plan
Presenter: Kevin Williams
Principal – SRIIA Technologies
Consulting Services
Austin, TX
kevin.williams@sriiatech.com
512.694.0237
3. Learning Objectives
After participating in this session, you will be able to:
Understand the goals of Business Continuity Planning
Understand the components of a Business Continuity plan
Begin your Business Continuity Planning project
11/19/2013
4. What is a Business Continuity Plan?
•
•
•
Disaster recovery planning is a subset of a larger process
known as business continuity planning and should include
planning for resumption of applications, data, hardware,
communications (such as networking) and other IT
infrastructure.
A business continuity plan (BCP) includes planning for non-IT
related aspects such as key personnel, facilities, crisis
communication and reputation protection, and should refer to
the disaster recovery plan (DRP) for IT related infrastructure
recovery / continuity
Source: http://en.wikipedia.org/wiki/Disaster_recovery
11/19/2013
5. Remember this Terrible Day?
•
Hurricane Katrina
•
Hurricane Katrina was the deadliest and most
destructive Atlantic tropical cyclone of the 2005
Atlantic hurricane season. It was the costliest natural
disaster, as well as one of the five deadliest
hurricanes, in the history of the United States. Among
recorded Atlantic hurricanes, it was the sixth strongest
overall. Total property damage was estimated at
$81 billion (2005 USD), nearly triple the damage
brought by Hurricane Andrew in 1992.
11/19/2013
6. FEMA Grant Helps Restore New
Orleans' Katrina-Damaged Archives
•
Release date: FEBRUARY 3, 2012 - Release
Number: 1603-963
•
NEW ORLEANS, La. -- The Federal Emergency Management Agency
announced today approximately $1.7 million in public assistance
funding to restore New Orleans Notarial Archives’ book volumes and
historical records damaged during Hurricane Katrina.
•
“The Katrina-affected materials contain the original evidence of
transactions involving land transfers, business agreements, mortgages,
estates, agency rulings and other agreements relating to Orleans
Parish properties. The volumes, which date from approximately 1965
to 2005, are critical for use in title examinations and serve as a rich
supply of primary source materials for historical research on their
period.
11/19/2013
8. What is a BCP?
•
It is a plan that gives a recovery team the
information it needs to:
•
•
•
Recover from a disaster
Continue the business operations
Return to normal operations
11/19/2013
9. How is the BCP Used?
•
•
•
•
As a ready reference for all information needed
during the recovery phase following a disaster
Lists strategies & priorities for recovery
Lists contact information for recovery assistance &
personnel
Outlines the stages and flow of the recovery
process
11/19/2013
10. General Overview
•
General Overview of the Organization
•
•
•
•
•
•
•
Managers & contact information
Assembly sites—evacuation & alternate
BCP coordinators & contact information
Recovery site information
Critical dependencies
Important deadlines
Important agreements
11/19/2013
11. General Overview (cont’d)
•
Recovery Strategies
•
•
•
•
Address the priority that you wish to use to recover
your information assets
Include the identification of the assets, their location,
and why important
Establish the strategy to follow for several days during
the recovery
Uses the Vital Records plan to establish those
priorities.
11/19/2013
12. Initial Response / Escalation
Procedures
•
Notification checklist
•
•
Who do you call? What are their numbers?
In what priority do you call?
•
•
•
•
•
Declaration Procedures
Initiate Evacuation Procedures
•
•
•
•
Security / 911
Building Management?
Department Manager?
Account for all Personnel
Alert recovery site
Assess severity of situation
Activate Recovery Team
11/19/2013
13. Declaration Procedures
•
•
•
•
Determine procedures for when to declare a
disaster
Determine who can declare a disaster
Establish local, regional Authorities and contact
info
If you must activate a hotsite, make sure these
persons can also activate that site through the
vendor
11/19/2013
14. Organizational Recovery Teams –
Roles & Responsibilities
•
Management Team - Planning
•
•
•
•
•
Appoints business recovery coordinator to oversee
plan development & maintenance
Confirms essential functions & acceptable downtime
for recovery efforts
Approves alternate site / relocation decisions
Sets test objectives—requirements to be met
Reviews test results, ensures corrective measures are
detailed and actions taken
11/19/2013
16. Alternate Site (cont’d)
•
First, consider the following issues risk managers
commonly address in developing alternate site strategies
as part of overall business continuity planning programs:
•
•
•
Employee comfort. Risk managers are growing more concerned
and increasingly thoughtful about employees during crises.
Location, location, location. Alternate site solutions that require
significant travel can necessitate substantial expense in
providing employee transportation and remote
accommodations.
Fast recovery time balanced with a reasonable budget.
Customers are looking to restore their data and business
functions promptly, but without placing undue strain on
financial resources. Internal 'hot sites' are preferred by some
corporations, but after staffing and accounting for space and
technology upgrades, can wind up costing significantly more.
11/19/2013
17. Establish Requirements
•
Requirements Matrix – lists of what you need
•
•
How much staffing required?
Equipment needed? Make, Model & Speed
•
•
•
•
Computers, fax machines, data lines, printers
Desks, chairs, cabinets, etc.
Forms, office supplies
Software needed? (This is where Cloud Computing, SaaS
type services become very tactical in a compelling BCP.)
•
•
Any software critical to your function, not commonly found in
other departments
Help to bring it up and running – tech support people
11/19/2013
18. Business Critical Records
•
Where are they located?
•
•
•
Can anyone find them– firemen, 1st responders, etc.?
Can you contact off-site storage?
•
•
•
•
Best practices suggest CRM records management
(Working with your hard-copy and digital storage providers
is critical for successful BCP planning).
Do you know what to order?
Keep a list of your business critical records, locations,
accessibility with your BCP
Keep it updated!
11/19/2013
19. Establish Recovery Procedures
•
•
Procedures to Activate Teams
Establish new telecommunications
•
•
•
•
Platform restoration
•
•
•
Voice recovery
Data recovery
Vendor connectivity
Server applications
Desktop applications / WAN
Retrieval of Business Critical Records
11/19/2013
21. Develop Calling Lists
•
You will need help to recover—don’t be afraid to
ask for help
•
•
•
•
Applications support – vendors, companies
Personnel – others at your company / office who
might be able to help
Customers need to be informed- (Public Service
Announcements for government offices)
Vendors – can supply needed materials, equipment
11/19/2013
23. Deciding goals for operational
continuity?
•
•
•
•
What are your organizations key business
processes?
How long can your org survive without these
operations business process?
Do manual methods make time to restore less
critical?
Do you have any processes with very little
tolerance for downtime?
11/19/2013
24. Decide Criteria for invoking the plan
•
•
What is the maximum amount of time a process
can be unavailable before action must be taken?
At what point does the cost of executing the plan
become secondary to the outage?
11/19/2013
25. Critical Business Process Recovery
Section
•
•
•
•
•
•
Critical Business Process Workflow
Physical Plant Related Recovery Plans
IT Related Recovery Plans
People Related Recovery Plans
Assignments and Execution
Preconditions / Preventative Plans
11/19/2013
26. Critical Business Process Workflows
•
•
•
Use the process workflow that was developed
through a “Discovery” methodology as outlined in
the earlier sections
Make sure the workflow shows enough detail that
someone who isn’t you can understand!
Be sure to identify critical systems and applications
used in the transactions
28. IT Related Recovery Plans
•
•
•
•
•
Hardware?
Power?
Internet?
Email?
Phone Service?
• Applications (got
media and a license
key?)
• Data Recovery from
Backup? (Do you have
backups offsite?)
• Tech support contact
information?
29. Technology Time out:
Consider Hosting, ASP or SaaS
•
•
•
Consider preventing server disasters by owning and
maintaining as few as possible
Consider a provider that will be contractually
bound to 99%+ uptime for your critical services
without your efforts
Ideas to look into:
•
•
ASP or SaaS from your software vendor
Rackspace (Managed service provider)
11/19/2013
30. People Related Recovery Plans
•
•
•
•
•
Who knows how to contact vendors?
Who knows how to cut payroll checks?
Who knows how to process credit card payments?
Is there more than one person who can perform
each critical business transaction?
Do you have cell phone numbers to reach
employees / volunteers / service providers?
31. Assignments and Execution
•
•
•
•
•
•
What steps need to be taken to restore this
process?
Who has the authority with vendors to do so?
Who has the required knowledge or training?
Is there a backup operator to execute this plan if
the primary is unavailable or unreachable?
Who can make the decision to enact the plan?
Assign roles and communicate expectations to staff
11/19/2013
32. Required Preconditions / Preventative
Plans
What needs to be part of your regular operating
plan to enable your disaster recovery plans?
• Set these actions in motion as part of your finished
recovery plan
Example:
• Its really hard to restore from backup tapes if they
are burned in an office fire or submerged under
water.
•
11/19/2013
33. Technology Time out:
Cloud Backup Solutions
Example of cost :
Amazon S3 $0.15 / GB / month
•
Don’t want to “Roll your own” try one of these:
•
•
•
•
www.crashplan.com
www.jungledisk.com
www.spideroak.com
www.barracuda.com
34. Testing The Plan
•
•
•
•
Test each business process in your section when
finished and at least annually after that!
Make sure that your interactions with your vendors
work as planned
Streamline your plan based on your test results
It is unlikely your plan will work exactly as you have
planned it, do not be disappointed and focus on
making corrections for the next test.
11/19/2013
35. Plan Maintenance
Review your business processes at least annually
• Update the processes for changes in how things
work
Examples:
• Did you add new software applications?
• Add new vendors you rely on?
• Are there new processes or services to constituents
you need to protect?
•
36. Resources
•
Technical References –
•
PRISM
DR Reference
Disaster Planning: What Organizations Need to Know to
Protect Their Tech (Webinar)
Disaster Planning: FEMA Reference
ARMA Resources
ARMA Resources
•
http://en.wikipedia.org/wiki/Disaster_recovery
•
•
•
•
•
11/19/2013