1

Business Continuity Business Continuity Planning: Planning:

Bridging the Gap Bridging the Gap Between IT and Between IT and

BusinessBusiness

Steve Burns, PresidentSteve Burns, PresidentEverGreen Data Continuity, Inc. EverGreen Data Continuity, Inc.

sburns@evergreensburns@evergreen--data.comdata.com

2

The Hard FactsThe Hard Facts

• One-third of businesses don’t include a recovery sequence for business functions. . . . META Group

• Nearly half of the organizations that lose data as a result of a disaster

never re-open and are out of business within 2 years. . .

University of Texas, Center for Research on IS

3

Why Do Plans Fail?Why Do Plans Fail?

• The answer is in the question– It’s a plan, not a program– Programs are living and threaded

throughout the organization

• The wrong recovery strategy was chosen– It worked for IT, but not the business– The technology in the plan is no longer used

4

Continuous Operations Continuous Operations vs. Disaster Recoveryvs. Disaster Recovery

• Disaster recovery is traditionally an IT responsibility

• Covered IT infrastructure and network communications

• Business functions require continuous operations

How do you bridge the gap?

5

Work Backwards

• Throw out the traditional way of thinking

FirstDefine business requirements and priorities

Then• Map requirements to infrastructure that

supports it– applications, systems, voice, networks, data

center as an entity

6

How?

• Conduct a BIA independent of the IT staff

• BIA from a financial standpoint is only half the story– Outage Tolerance– Operational Dependency

7

The Business Perspective

• Get the business perspective on IT usage– Perform functions– Create critical prioritization of assets and IT

infrastructure based on business need

• Viewpoints– Financial– Tolerance– Dependency

8

IT Recoverability

• Conduct a Risk Assessment independent of the business staff

• Review all applications, systems, data centers, storage, high availability, security and disaster preparedness

• Define true recoverability of the IT infrastructure

9

There is a GAP!

Most organizations have a tremendous gap between

the time business units say they need critical

functions “live” and how fast the IT staff says they

can actually recover the functions.

10

How Do You Close the Gap?

• Set up a Recovery Task Force– Business leaders that

identify critical resources, assets and priorities– IT leaders that identify system requirements

and recovery procedures for critical systems– Responsibility to identify interdependencies

and their links– Reports must outline 4-5 levels of priority

11

DefiningInterdependencies

• Two-Phased Approach• Business Process

Dependencies Matrix– Functions, not departments– Two-way dependency

• IT Dependencies Matrix– Recovery procedures of each system,

application– Two-way dependency

12

Business Continuity Planning Matrix

• Business Recovery Needs

• IT Recovery Needs

• Aligned by RTO and RPO

13

Formulating Recovery Strategies• Multiple options – hot

site, cold site, internal, etc.• Blend of: – Best technological solution to close the gap

from an IT perspective – Solutions within budget constraints

Close the GAP as much as you can in Year 1 of a 3 year plan to mitigate your risks

14

Business Continuity Planning

• Goal is to provide an actionable and streamlined Business Continuity Plan for the recovery of business operations and supporting IT

• Define all organizations, locations, applications, systems, assets

• Define recovery team structures and responsibilities

15

Business Continuity Workshop

• Introduce the program to business leaders

• Business units begin to formulate continuous operation procedures

• Review recovery procedures with individual business units

16

IT Workshops

• Introduce project to IT participants

• Formulate recovery procedures for applications, servers, networks, etc.

• Review recovery procedures with individual IT participants

17

Emergency Management Workshop

• Define emergency management team hierarchy

• Command center procedures• Incident response procedures• Recovery site activation procedures• Communications plans• Transportation plans• Continuous operation management

18

Final Planning Pieces

• Develop change management process from an enterprise perspective

• Assist with management program approval and buy-in

• Integrate the plan with current business processes

19

Your Business Continuity Plan

• Chapter 1 – BCP Overview• Chapter 2 – Potential Impacts• Chapter 3 – Recovery Phases &

Organization• Chapter 4 – EMT and DRC

Recovery Team Tasks• Chapter 5 – IT Recovery Plans• Chapter 6 – Business Unit

Recovery Plans• Appendices detailing Command

Centers, Contact Lists, Recovery Requirements, Emergency Plans and a Glossary of Terms

20

Plan Testing

• Disaster simulation andworkgroup recovery

done together

• Identify test objectives for IT and business units

• Document post test report

21

Plan Maintenance

• Develop programs for all components in program, including risk assessments,

BIA, plans and testing

• Teach BCP Coordinator and other critical staff to successfully manage, update and maintain the overall program

22

Critical Responsibilities

• Business Unit and IT Leaders (at least one per unit)– Provide documentation– Attend workshop(s)– Define continuous operations for

critical processes– Manage tasks/responsibilities

related to program– Timely information turnaround– Plan reviews/tabletop exercise– Incorporation of change management

23

Pain Points• Communication is Key

– Project Manager and Project Coordinators

• Lack of Understanding– “Why are you here, why do you

want to know?”• Timeliness of turnaround

– “When do you need this by?”• Process, Process, Process

– Standardize on all data output across the organization• Tread Lightly

– Know your audience• Experience

– Sometimes it’s what they don’t say

24

It’s Easy if You Know How To . . .

• Communication is Key– Weekly/bi-weekly scheduled reviews

• Lack of Understanding– Pre-engagement summaries and notification schedules– Checklists

• Timeliness of turnaround– Defined escalation processes

• Process, Process, Process– Standardize data gathering, analysis and reporting

• Tread Lightly– Coordination of resources with project and unit coordinators

• Experience– Create the best team possible

25

Recipe for Success

• Internal– Software to manage the program– Business Continuity program

manager– Business Continuity Planner– 1-2 Administrators for program– Internal sponsor from management

Or• Outsource the entire program to Experts

– Software– Program Management– Planners and Administrators at Your Location– Monthly Managed Service Fees

26