Contingency Planning Contingency Planning for Senior Managementfor Senior Management

What you need to know about What you need to know about your business recoveryyour business recovery

AgendaAgenda

Current Regulatory EnvironmentCurrent Regulatory EnvironmentRisk Management Risk Management What is Contingency PlanningWhat is Contingency PlanningComponents of a solid recovery programComponents of a solid recovery programLessons from Sept 11Lessons from Sept 11Questions to ask your team before the disaster Questions to ask your team before the disaster happenshappensEleven Steps to a Business Contingency PlanEleven Steps to a Business Contingency PlanWhere to get helpWhere to get help

Current Regulatory EnvironmentCurrent Regulatory Environment

Interagency White PaperInteragency White PaperPrivacy regulationsPrivacy regulationsSarbanes OxleySarbanes OxleyCorporate GovernanceCorporate GovernancePrudent Man RulePrudent Man Rule

More to follow More to follow -- The rules will not get any The rules will not get any easier to comply with easier to comply with –– start nowstart now

GovernanceGovernanceGovernance: regulators, corporate governance requirements –Turnbull, Sarbanes-Oxley

• Typically: CEO or Board must certify that risks are understood and under control

• Requirements:

• aggregate reporting from all areas

• good lines of communication

• efficient reporting processes

GovernanceGovernance

A concise summary of your key risks A concise summary of your key risks A common vocabulary to discuss risk A common vocabulary to discuss risk A means to have productive discussions with your team A means to have productive discussions with your team A roadmap to help you in your business planning A roadmap to help you in your business planning A set of actions to help improve your risk management A set of actions to help improve your risk management process process

Risk Management ProgramRisk Management Program

Three components of RiskThree components of RiskThreatsThreatsAssetsAssetsMitigating FactorsMitigating Factors

Elements of RiskElements of Risk

Threats Threats --Events or situations which would cause financial or Events or situations which would cause financial or operational impact to the organization. operational impact to the organization. Threats are measured in probabilities, such as “may Threats are measured in probabilities, such as “may occur 1 time in 10 years”. occur 1 time in 10 years”. Each threat has a duration of time that the business Each threat has a duration of time that the business or operation would not be able to function in it’s or operation would not be able to function in it’s normal manner, if at all normal manner, if at all

Elements of RiskElements of RiskAssets Assets --

Assets are composed of many elements Assets are composed of many elements Physical assets that are owned by the organizationPhysical assets that are owned by the organizationInformation assetsInformation assetsFinancial assets Financial assets

Revenues lost for the duration of the incidentRevenues lost for the duration of the incidentAdditional costs to recoverAdditional costs to recoverFines and penalties incurredFines and penalties incurredLost good will or competitive advantagesLost good will or competitive advantages

Elements of RiskElements of Risk

Mitigating Factors Mitigating Factors --Mitigating factors are the protection devices, Mitigating factors are the protection devices, safeguards, and procedures which are in place safeguards, and procedures which are in place that reduce the effects of the threats. that reduce the effects of the threats. They do not reduce the threat; they only They do not reduce the threat; they only

reduce the effect of the threat.reduce the effect of the threat.

Examples of mitigating factors in use are UPS (Examples of mitigating factors in use are UPS (UninterruptableUninterruptablePower Supply) and Generator backups for replacement power, Power Supply) and Generator backups for replacement power, sprinkler systems to control the spread of fire, Assess Card sprinkler systems to control the spread of fire, Assess Card Readers to control physical access to Fidelity space, etc....Readers to control physical access to Fidelity space, etc....

Risk Mitigation StrategiesRisk Mitigation Strategies

Protecting People and WorkspacesProtecting People and Workspaces

Protecting InformationProtecting Information

Protecting ReputationProtecting Reputation

Protecting People and WorkspacesProtecting People and WorkspacesAccess ControlAccess ControlAlarm MonitoringAlarm MonitoringFloor WardenFloor WardenEvacuation DrillsEvacuation DrillsBackground InvestigationsBackground InvestigationsLandscape DesignLandscape DesignLightingLightingCamerasCamerasVisitor proceduresVisitor proceduresBackup Power systemsBackup Power systemsFacility designFacility designFacility sightingFacility sighting

Protecting InformationProtecting Information

Information Security policy and proceduresInformation Security policy and proceduresPrivacy PolicyPrivacy PolicyFirewallsFirewallsIntrusion DetectionIntrusion DetectionStrong PasswordsStrong PasswordsControlling access to informationControlling access to informationVendor ManagementVendor ManagementSecure offsite storageSecure offsite storageProprietary Waste DisposalProprietary Waste DisposalVirus Protection and ResponseVirus Protection and Response

Protecting ReputationProtecting Reputation

Strong GovernanceStrong GovernanceMedia trained Media trained Communication PlansCommunication PlansInternal and external auditsInternal and external auditsOperational ManagementOperational ManagementRecoverabilityRecoverabilityCode of EthicsCode of Ethics

FinancialStrategic Organizational Technology Operational Legal/Regulatory

Risk Definitions

MarketCreditLiquidity, Cap

& FundingPeople Process Events

Risks associated withthe use of systems andtechnology, including availability, capacityintegrity, operationalsupport, functionalitysystems integrationand change manage-ment

Risks that are an inherent part of

the business environment andhave an effect on

business objectivesand performance

Risks that are part of a unit’s environment

relating to people, culture,

organizational structure and values

that can impact overall organization

effectiveness

Risks relating to enforceability of

contracts, interpretation of laws, compliance

with law and impactof regulation

Inability to raise debtor equity capital as needed for short-term liquidity or

long-term growth,as well as uncertainty

in pricing or salesof assets orliabilities

Exposure to lossrelating to a change

in the credit-worthinessof a counter-party,

collateral, customeror partner that mayimpact the counter-

party’s ability to fulfill its obligations under acontractual agreement

The uncertainty inthe future market

value of a portfolioof assets and / or

liabilities

The risk of loss resulting from

people

The risk of loss resulting frominadequate or

failed processes

The risk of loss resulting from unique,

unusual or extraordinary

events

Event ManagementEvent Management

Contingency Plans are what we exercise when all other Contingency Plans are what we exercise when all other mitigating factors failmitigating factors failContingencies start with Event ManagementContingencies start with Event ManagementIf you do not properly manage Events, all the other If you do not properly manage Events, all the other Risks may occurRisks may occurEvent Management is about Communication and Event Management is about Communication and ResponseResponseEvent Management needs to be practicedEvent Management needs to be practiced

Event Management RequirementsEvent Management Requirements

Strategy must be consistent regardless of eventStrategy must be consistent regardless of eventNeed to establish an assessment processNeed to establish an assessment processEvent Ownership needs to be definedEvent Ownership needs to be definedManagement teams identifiedManagement teams identifiedResponse Teams identifiedResponse Teams identifiedProcess for gathering of key decision makersProcess for gathering of key decision makersMethods of communication need to be definedMethods of communication need to be defined

Event Management exampleEvent Management exampleFacility eventFacility event

Built by BuildingBuilt by BuildingThree teams :Three teams :

Assessment TeamAssessment TeamFirst Escalation TeamFirst Escalation TeamGeneral TeamGeneral Team

Permanent standing conference bridge that always Permanent standing conference bridge that always has the same phone numberhas the same phone numberEvent owners definedEvent owners definedEscalation process definedEscalation process defined

Contingency PlanningContingency Planning

If you are reading your plan for the first time and you are If you are reading your plan for the first time and you are in the middle of a disaster……….in the middle of a disaster……….

You are in troubleYou are in trouble

How ready is your business?How ready is your business?

If you were evacuated from your building and you were If you were evacuated from your building and you were standing in the evacuation area and they announce that standing in the evacuation area and they announce that you could not work at that site for at least the next 2 you could not work at that site for at least the next 2 weeks, weeks,

Do you know what to do next?Do you know what to do next?Does your staff?Does your staff?

What is a Contingency PlanWhat is a Contingency Plan

The documented process for The documented process for continuation/recovery of business functions in continuation/recovery of business functions in the event of an unexpected disruption of service. the event of an unexpected disruption of service. The plan describes the preThe plan describes the pre--planned sequence of planned sequence of events that allows for the continuation/recovery events that allows for the continuation/recovery of business functions, computer resources, of business functions, computer resources, networks, and facilities.networks, and facilities.

Components of a Solid Business Components of a Solid Business Continuity ProgramContinuity Program

DeliverablesDeliverables Due dateDue dateEmergency Notification ListEmergency Notification List QuarterlyQuarterlyBusiness Functions/ Resource RequirementsBusiness Functions/ Resource Requirements SemiSemi--AnnuallyAnnuallyBusiness Resumption Plans with signBusiness Resumption Plans with sign--offoff AnnuallyAnnuallyTraining & AwarenessTraining & Awareness QuarterlyQuarterlyVital Records ProgramVital Records Program OnOn--goinggoingTechnology ReviewsTechnology Reviews AnnuallyAnnuallyStrategy for loss of site/systemsStrategy for loss of site/systems AnnuallyAnnuallyProcedures for loss of site/systemsProcedures for loss of site/systems AnnuallyAnnuallyCall ExerciseCall Exercise SemiSemi--AnnuallyAnnuallyWalkWalk--Through ExerciseThrough Exercise AnnuallyAnnuallySimulated Or Actual ExerciseSimulated Or Actual Exercise SemiSemi--AnnuallyAnnuallyCompact ExerciseCompact Exercise AnnuallyAnnuallySystems Loss TestSystems Loss Test AnnuallyAnnually

Business Impact AnalysisBusiness Impact Analysis

The process used to identify what would happen if a risk The process used to identify what would happen if a risk occurredoccurredThe end result is to determine the Recovery Time The end result is to determine the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) Objective (RTO) and the Recovery Point Objective (RPO) of all processes within your organizationof all processes within your organizationIncludes technology and nonIncludes technology and non--technology functionstechnology functionsResults should be signed off by Senior Management as Results should be signed off by Senior Management as evidence of reviewevidence of reviewRTO and RPO drive the recovery strategies available for RTO and RPO drive the recovery strategies available for each business process to be recoveredeach business process to be recovered

Lessons from September 11Lessons from September 11The events of September 11th and the resulting The events of September 11th and the resulting business disruptions have highlighted the need for business disruptions have highlighted the need for companies to revisit the assumptions underlying their companies to revisit the assumptions underlying their disaster recovery and business continuity plans. Such disaster recovery and business continuity plans. Such plans have primarily focused on the loss of systems and plans have primarily focused on the loss of systems and information or the inability to access a main processing information or the inability to access a main processing facility. After September 11th, planning considerations facility. After September 11th, planning considerations have expanded to include:have expanded to include:

loss of key employees or emotionallyloss of key employees or emotionally--impacted staff,impacted staff,loss of access to major business districts,loss of access to major business districts,longlong--term operation at backterm operation at back--up sites,up sites,need for alternative backneed for alternative back--up sites,up sites,availability of contact information for key employees,availability of contact information for key employees,loss of paper documentation, andloss of paper documentation, andloss of critical vendors/business partners.loss of critical vendors/business partners.

How Close Were We?How Close Were We?

200 Liberty Street

Ariel View After the AttackAriel View After the Attack

Another ViewAnother View

What We Learned from 9/11What We Learned from 9/11

Testing was the key to the success of the recoveryTesting was the key to the success of the recoveryCritical operations in a single site are bad businessCritical operations in a single site are bad businessWe don’t have problem by business, we have problems by We don’t have problem by business, we have problems by building building Transportation was a major issue in the first few daysTransportation was a major issue in the first few daysIncomplete/inaccurate inventories make the insurance claim Incomplete/inaccurate inventories make the insurance claim difficultdifficultPeople do not want to travel away from their familiesPeople do not want to travel away from their familiesVery few business operations stand aloneVery few business operations stand aloneVoice is harder than data to recoverVoice is harder than data to recoverSome of our vendors were in trouble tooSome of our vendors were in trouble tooThe devil is in the detailsThe devil is in the details

We experienced no loss of life in New York and injuries were We experienced no loss of life in New York and injuries were not serious. All the required personnel were available.not serious. All the required personnel were available.The Full Market remained closed, allowing initial recovery The Full Market remained closed, allowing initial recovery efforts to be augmented and the business to prepare to efforts to be augmented and the business to prepare to conduct business for a long period of time in the alternate conduct business for a long period of time in the alternate sites sites TwoTwo--way pagers. They worked consistently when other way pagers. They worked consistently when other forms of communication were either busy or completely forms of communication were either busy or completely unavailable. unavailable. Buildout of all of the alternate sites occurred very quickly to Buildout of all of the alternate sites occurred very quickly to allow critical business functions to resume allow critical business functions to resume Bench Strength Bench Strength -- All of the people involved exhibited All of the people involved exhibited teamwork, flexibility, availability and an excellent attitude. teamwork, flexibility, availability and an excellent attitude. Many volunteered to work longer hours and additional shifts Many volunteered to work longer hours and additional shifts to get the job done. to get the job done. The ability to use alternate network resources to get the New The ability to use alternate network resources to get the New York Operations back online quickly and to provide York Operations back online quickly and to provide redundancy for network lines running in backup mode. redundancy for network lines running in backup mode.

The Good NewsThe Good News

Planning Assumptions to rePlanning Assumptions to re--thinkthinkAssume only one disaster strikes at the same timeAssume only one disaster strikes at the same time

We lost access to WFC and simultaneously lost access We lost access to WFC and simultaneously lost access to key buildings in Boston that were evacuated as a to key buildings in Boston that were evacuated as a precautionprecautionThis led to multiple disaster declarations in diverse This led to multiple disaster declarations in diverse locations that had to staffed at the same time by locations that had to staffed at the same time by multiple support groupsmultiple support groups

Assume infrastructure required for recovery is in Assume infrastructure required for recovery is in placeplace

Telecommunications, power and transportation were all Telecommunications, power and transportation were all impacted. No one had ever imagined a scenario where impacted. No one had ever imagined a scenario where all the planes in the country would be unavailableall the planes in the country would be unavailable..

Planning Assumptions to rePlanning Assumptions to re--thinkthinkAssume your disaster recovery team and the rest of Assume your disaster recovery team and the rest of the corporation survive the attackthe corporation survive the attack

We was unaffected by this, but other New York based We was unaffected by this, but other New York based corporations lost entire recovery teams and the corporations lost entire recovery teams and the documentation required to recoverdocumentation required to recoverOther corporations are struggling to do required day to Other corporations are struggling to do required day to day business functions because those responsible died day business functions because those responsible died in the event and the training materials for the position in the event and the training materials for the position were stored in the building were stored in the building

Assume the ability to get required equipment from Assume the ability to get required equipment from your vendors very quicklyyour vendors very quickly

This did not impact We, but the drop in the economy This did not impact We, but the drop in the economy has left many vendors with little or no inventory. The has left many vendors with little or no inventory. The ability to obtain obtain required equipment quickly was ability to obtain obtain required equipment quickly was hampered.hampered.

Planning Assumptions to rePlanning Assumptions to re--thinkthink

The disaster recovery plan should be built for a The disaster recovery plan should be built for a short interruption in business and only for the short interruption in business and only for the data center, not a long term disasterdata center, not a long term disaster

This type of planning assumption led many business This type of planning assumption led many business units to assume that plans only needed to be done for units to assume that plans only needed to be done for very small numbers of employees or only for their very small numbers of employees or only for their technology infrastructure. This led to scrambling technology infrastructure. This led to scrambling during a disaster and not necessarily the best during a disaster and not necessarily the best recovery plan for the employees involved. Recovery is recovery plan for the employees involved. Recovery is for the whole business. for the whole business.

Questions to Ask Your Team BEFORE Questions to Ask Your Team BEFORE the Disasterthe Disaster

Are we recoverable or just “green”?Are we recoverable or just “green”?What is our Recovery Time Objective?What is our Recovery Time Objective?What is our Recovery Point Objective?What is our Recovery Point Objective?Are we prepared for “loss of people”, not just loss of Are we prepared for “loss of people”, not just loss of site?site?Are we prepared for losing a critical application?Are we prepared for losing a critical application?Where is the alternate site?Where is the alternate site?How will you communicate during the event?How will you communicate during the event?When did you last test?When did you last test?Have we identified our critical vendors and do we know Have we identified our critical vendors and do we know what their recovery plans are?what their recovery plans are?

Don’t get caught without a planDon’t get caught without a plan

Eleven Steps to having a Contingency Eleven Steps to having a Contingency Plan for your businessPlan for your business

Follow these steps to a solid recovery Follow these steps to a solid recovery program for your businessprogram for your business

Step 1Step 1Identify Business Recovery teamIdentify Business Recovery team

•• Identify your team and make certain they Identify your team and make certain they know how to reach you in an emergencyknow how to reach you in an emergency

Step 2Step 2Identify business vital recordsIdentify business vital records

•• Identify vital recordsIdentify vital recordsProcedure manualsProcedure manualsformsformsvendor listsvendor listscontact listscontact listscustomer listscustomer listscontractscontractssource documentssource documents

Step 3Step 3Identify Business FunctionsIdentify Business Functions

•• Identify the business functions for functional Identify the business functions for functional areasareas

•• Perform risk and business impact analysis for Perform risk and business impact analysis for each functioneach function

•• Establish the recovery time for your business Establish the recovery time for your business functionsfunctions

•• Identify minimum staff requirementsIdentify minimum staff requirements•• Identify InterdependenciesIdentify Interdependencies

Step 4Step 4Identify desktop requirementsIdentify desktop requirements

•• Minimum desktop configurationMinimum desktop configuration•• Application connectivityApplication connectivity•• Voice RequirementsVoice Requirements

phonesphonesFaxFaxModemsModems

•• Print RequirementsPrint Requirements•• Proprietary software running on desktopProprietary software running on desktop

Step 5Step 5Define Recovery StrategyDefine Recovery Strategy

•• Develop recovery strategy for Develop recovery strategy for business functions based on the business functions based on the recovery priorityrecovery priority

Selecting the Right Recovery Strategy for Selecting the Right Recovery Strategy for your businessyour business

Recovery strategies will be driven by the recovery Recovery strategies will be driven by the recovery timeframe of the function. Recovery options might timeframe of the function. Recovery options might include the following:include the following:SelfSelf--service service -- A business unit can transfer work to another of its own locatioA business unit can transfer work to another of its own locations ns which have available facilities which have available facilities Internal Arrangement Internal Arrangement -- Training rooms, cafeterias, conference rooms, etc.... Training rooms, cafeterias, conference rooms, etc.... may be equipped to support business functions. may be equipped to support business functions. Reciprocal Agreements Reciprocal Agreements -- Other business units may be able to accommodate Other business units may be able to accommodate those affected. This could involved the temporary suspension ofthose affected. This could involved the temporary suspension of nonnon--critical critical functions at the business units not affected by the outage. functions at the business units not affected by the outage. Dedicated alternate sites Dedicated alternate sites -- Built by your company to accommodate critical Built by your company to accommodate critical function recovery. function recovery. External Suppliers External Suppliers -- A number of external companies offer facilities covering A number of external companies offer facilities covering a wide range of business recovery needs. a wide range of business recovery needs. No arrangement No arrangement -- for low priority business functions it may not be cost for low priority business functions it may not be cost justified to plan to a detailed level. The minimum requirement wjustified to plan to a detailed level. The minimum requirement would be to ould be to record a description of the functions, the maximum allowable laprecord a description of the functions, the maximum allowable lapse time for se time for recover, and a list of the resources required.recover, and a list of the resources required.

Step 6Step 6Internal Site SurveyInternal Site Survey

•• Survey existing sitesSurvey existing sites•• Identify equipment/phone servicesIdentify equipment/phone services•• Identify desktops to be used for Identify desktops to be used for

contingencycontingency•• Identify staff to be displaced or moved to Identify staff to be displaced or moved to

off shiftoff shift

Step 7Step 7External Site RecoveryExternal Site Recovery

Prepare RFP which includes all Prepare RFP which includes all requirementsrequirementsIdentify essential vs. “nice to have”Identify essential vs. “nice to have”Receive proposals from vendorsReceive proposals from vendorsCompare for requirements and costsCompare for requirements and costsVisit sites identified as potential vendorsVisit sites identified as potential vendorsSelect vendorsSelect vendors

Step 8Step 8Internal SystemsInternal Systems

•• Identify all platforms and applications Identify all platforms and applications supported by internal systems groupsupported by internal systems group

•• Identify recovery priority for each Identify recovery priority for each applicationapplication

•• Identify recovery strategy which meets the Identify recovery strategy which meets the business requirementsbusiness requirements

•• Develop recovery procedures for critical Develop recovery procedures for critical applicationsapplications

Step 9Step 9Document PlanDocument Plan

•• Pull the information together into a plan Pull the information together into a plan document and distributedocument and distribute

Step 10Step 10Train staffTrain staff

Everyone should know the answer to the question :Everyone should know the answer to the question :

If you couldn’t get back in your building today, If you couldn’t get back in your building today, what would you do next?what would you do next?

Step 11Step 11TEST, TEST, TESTTEST, TEST, TEST

•• Event Management testsEvent Management tests•• Alternate site testsAlternate site tests

Test alternate site

Don’t be the one taken by storm!!

It could happen anywhere...

WebsitesWebsites

Industry Group WebsitesIndustry Group Websites

DRI InternationalDRI Internationalwww.drii.orgwww.drii.org

Continuity InsightsContinuity Insightswww.continuityinsights.com/conf.cfmwww.continuityinsights.com/conf.cfm

Contingency planning and ManagementContingency planning and Managementwww.contingencyplanning.comwww.contingencyplanning.com

Disaster Recovery Disaster Recovery JounalJounalwww.drj.comwww.drj.com//

Global Association of Risk Professionals (GARP)Global Association of Risk Professionals (GARP)www.garp.comwww.garp.com

Professional Risk Managers International Association (PRMIAProfessional Risk Managers International Association (PRMIA))www.prmia.orgwww.prmia.org

Institute of Internal AuditorsInstitute of Internal Auditorswww.theiia.orgwww.theiia.org