March 9, 2006
Business Continuity Planning
Fred Klapetzky, Derek Hanson
Marsh 2
Agenda
Business Continuity Planning - Overview
• BCP Definition
• Why Plan?
• Interdependency (Crisis Management, Emergency Response, Business Continuity)
Business Continuity Planning - Process
• Business Impact Analysis
• Strategy Development & Selection
• Plan Development
• Training & Testing
• Deployment & Maintenance
Business Continuity Planning - Pandemics
Business Continuity Planning - Model School
Business Continuity Planning Overview
Business Continuity versus Disaster Recovery
Business Continuity Planning (BCP): The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources. Said another way, to do what is necessary to keep the critical business units running.
Disaster Recovery (DR): The technical or IT portion of the BCP. Includes mainframe, midrange (VAX, AS/400), and client-server (UNIX, NT, etc.) systems.
Disaster Recovery is a component of Business Continuity
Why Plan?
“Disasters” happen
• Fire, Flood, Tornado, Earthquake, Hurricane…
• Network failure, server power supply failure, water main break…
• Lost data, corrupted data…
What will you do when it does?
• Even with good plans in place, it may take hours before the extent of the damage has been determined
• The critical actions in a recovery or continuity process are taken within the first 8 hours in most situations
• Resources go to those that ask first (in most cases)
What does it take to cover all the bases?
• Business Continuity and IT recovery is a process, not a template to complete.
• Business Continuity is a program, not a project. Once you learn the process, you repeat it often to keep plans current, viable and focused on the critical components.
• The process gathers the data (specifications) to help make decisions in the development of a cost effective and focused program.
• Trying to write plans without gathering the data is like asking a person to build a house without any blueprints. You may get it done, but it will take longer and you may not like the end results.
How does all this “fit together”?
Emergency Response
• Minor injury
• Fire quickly extinguished
• Bomb threat
Crisis Management
• Product Contamination
• Accounting Irregularities
• Allegation of Impropriety
Business Continuity
• Loss of IT
• Telecomm failure
• Supply chain interruption
Physical / Information Security
Loss Control
Business Continuity Planning Process
BCP Methodology - Overview
[Figure: BCP Life Cycle. Stages shown: Risk Assessment; Business Impact Analysis; Strategy Selection; Plan Develop / Execution; Plan Test & Maintenance]
Business Impact Analysis
• Provide independent view of risks
• Provide basis for determining cost effective strategies
• Determine critical and necessary business functions/processes and the resource dependencies
• Identify critical computer applications
• Estimate the financial and operational impact of the disruption and the required recovery time frame for the critical business functions
• Build business case for strategy selection
• Prepare solid foundation for plan development
Katrina Business Impacts
Estimated recovery costs for individual universities and colleges in the hundreds of millions ($$)
Estimated recovery costs for higher education in the impacted area in the billions ($$)
Moody’s downgrades bond ratings
Lost research
Employee layoffs
Elimination of academic disciplines
Suspension of athletic programs
Strategy Development and Selection
Column groups:
Advantages: Network and Voice Connections; Adequate Workspace Available; Located in Close Proximity to Current Facility
Disadvantages: Requires Employees to Travel Away from Home; High Pre-disaster Costs; Inability to Maintain Centralized command and control
Timeframes Strategies Could be Used: < 48 Hrs; 48 Hrs – 1 Week; 1 Week – 1 Month
Costs: Prior to Disaster (One-time, On-going); Time of Disaster
# Recovery Strategy
1 Relocate to an Internal Facility X X X X X X N L H
2 Work Remotely X X X X X N L N
3 Relocate to a Local Hotel X X X N L M
4 Mobile Recovery X X X X X X X X H L M
5 Hot-site X X X X X X N M H
Plan Development
Plan Contents:
• Introduction
• Recovery Organization
• Recovery Time Objectives
• Recovery Strategies
• Plan Activation
• Recovery Plans
• Plan Testing
• Plan Maintenance
• Attachments
Training & Testing
Training:
• All employees
• Members of ERT, CMT, BCP
• Management
Drills:
• Practice specific skills
• Use systems & equipment
Exercises:
• Familiarization
• Validation
• Identify deficiencies
Types:
• Walkthrough
• Mobilization
• Execution
Deployment & Maintenance
Plan management
Centralized monitoring
• Maintain control of standards
• Access all plans and components
Decentralized creation and maintenance
Update
• Tasks
• Resources
• Personnel
Business Continuity Planning Pandemics
Pandemics
This is not a normal business continuity problem
Basic assumptions are changed in a pandemic situation
You must use a broader approach
The planning for a pandemic can be used in other multi-location outages
We’ll spend a few slides on background information
Avian Flu Preparedness – A Quick History
In the past century, the US has been hit by 3 large scale influenza pandemics
In all cases, viruses contributed by birds
1918 – killed over half a million Americans and more than 20 million around the world
1957 and 1968 – killed tens of thousands of Americans and millions around the world
SARS (Severe Acute Respiratory Syndrome)
Infected more than 8,000 people and killed nearly 800
Cost the Asian Pacific region roughly $40 billion
Travel to Asia dropped 45% in the year following the outbreak
Avian Flu Preparedness – Current Facts
The Current Issue
• Focus on H5N1 strain of the Avian Influenza A virus
• Diagnosed in Asia and Europe
• Bird to human infection is rare; however, some deaths in Asia and Turkey
• USA does not import poultry from countries verified as having Avian Influenza infected birds
How the government is preparing for an avian flu outbreak
• Educating the populace about all aspects of this infection and following the latest developments on-line at www.cdc.gov/flu/avian and www.aphis.usda.gov/lpa/issues/avian_influenza/index.html
• Ensuring access to laboratory testing for the virus, if suspected
• Coordinating response strategies with local & state public health officials
• Querying travelers with flu-like symptoms about possible exposure to poultry
• Implementing aggressive infection control measures
What is the risk?
Virus mutates to a form that allows rapid human to human transmission
Without immunity or vaccines in combination with air travel, the disease spreads quickly around the world
Will it happen?
Is a global pandemic likely in the next 5-10 years?
If we spend time and effort on planning for avian flu and it doesn’t occur, is it all wasted effort?
If it occurs, what is the most likely scenario?
Disease develops in geographic pockets (e.g. China)
Government may/may not be open and responsive
Quarantines and travel restrictions are not effective in containing infected people
Disease spread by global travel
Individual countries attempt to control by limiting travel
Supply chains become disrupted
Business and economies slow down globally
What are the effects on employees?
Fear due to limited information initially
Concerned about family and friends
Potential initial overreaction (worried well)
Normally healthy individuals disproportionate impact
High (30%) absenteeism
Health care system quickly overtaxed
EMS can only treat/transport a fraction of patients
Limited antiviral supplies – hoarding and disagreement over distribution
Possibly months to develop and produce vaccines
What process should a college or university follow to improve preparedness?
Develop a better understanding of the most likely development scenarios (CDC, WHO, DHS, Public Health..)
Understand how employees and the institution would be affected (focused risk assessment)
Develop/update plans to minimize the impact on the institution
Develop/update plans to minimize the impact on staff and their families
Identify the internal resources required and increase as necessary
Make a realistic assessment of the community and other external resources likely to be available
Identify and train a senior management team to oversee crisis management
Develop policies and educational programs for all staff
Business Continuity Planning Model School
Overview
Process
• Understand current business continuity programs
• Complete business continuity pilot projects
• Leverage lessons learned
Advantages
• Identify similarities and differences between institutions without direct comparison (instead comparing institutions to “model school”)
• Identify ability to leverage current business continuity practices between and among member institutions
• Gain efficiencies through the development of common terminology, tools and processes
Understand Current Programs
• Understand maturity of business continuity program at each member institution and current business continuity initiatives
• Understand processes performed at each member institution
[Table: processes by institution]
Process (columns): Student Life Cycle; Application; Admission; Registration; Support Services; HR – Benefits; Finance - Payroll; Research Projects; Proposals; Project Accounting; Development; Outreach – Radio/TV; Athletics; Athletic Recruiting; Facilities; IT Systems; PeopleSoft; Telecommunications; Miscellaneous; Medical Center; Public Safety
Institution (rows): Institution 1; Institution 2; Institution 3
For illustrative purposes only. Does not include all processes.
Complete Pilot Project
• Develop common approach
• Develop common business continuity terminology
• Complete business continuity life cycle with pilot institution(s):
  • Workbook approach
  • Traditional approach
• Develop tools, processes and knowledge that may be used at other institutions
Leverage Lessons Learned
• Apply pilot project lessons learned, tools and processes to other member institutions
• Bring all member institution business continuity programs to at least a minimum standard level
• Develop process for maintaining business continuity plans and increasing program maturity levels
• Establish forum for on-going sharing of business continuity knowledge between member institutions
Marsh Contacts
Fred Klapetzky, Fred.Klapetzky@marsh.com, 618.581.1047
Timothy Bishop, Timothy.Bishop@marsh.com, 414.290.4740
Derek Hanson, Derek.Hanson@marsh.com, 920.831.2657