Disaster Preparedness I
Lessons Learned
Don Hall
Thomson Prometric
2006 Annual Conference
Alexandria, Virginia
Council on Licensure, Enforcement and Regulation
Expect the Unexpected: Are We Clearly Prepared?
Presented at the 2006 CLEAR Annual Conference, September 14-16, Alexandria, Virginia
Thomson Prometric
Thomson Prometric is the leading global provider of comprehensive testing and assessment services. We deliver standardized tests for 600 client programs, in 26 languages, over the Web or through a global network of 3,200 testing centers in 135 countries.
Continuity Management at Prometric
Thomson Prometric has defined a comprehensive Business Continuity Management (BCM) program that provides for contingency operations that will ensure the continuity of services provided to our clients, candidates, and channel testing partners using established “best practices” to safeguard the interest of our clients, reputation, brand, and revenue.
Best Practices
• Disaster Recovery Institute Int’l (DRII)
• Business Continuity Institute (BCI)
  – Promote a common knowledge and standards for BCM
  – Certify individuals in the discipline
  – As such, in 1997, DRII, together with BCI, published the Professional Practices for Business Continuity Planners as the industry's international standard.
Professional Practices
Pre-Planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
Planning
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Develop and Implement Business Continuity Plans
Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising Business Continuity Plans
• Public Relations and Crises Communications
• Coordination with Public Authorities
Professional Practices
Pre-planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
Project Initiation and Management
• Define Scope, Objectives, Policies and Critical Success Factors
• Establish the need for BCP
• Communicate the need for BCP
• Involve Executive Management
• Establish a Steering Committee or Task Force
• Develop the Budget
• Identify Planning Team(s) and Responsibilities
• Develop and Coordinate Action Plans
• Develop ongoing management and documentation requirements for BCM
• Report to Senior Management Team
Risk Evaluation and Control
• Identify the threats
• Eliminate threats, if possible
• Estimate probability of threats
• Perform Risk Analysis
• Identify costs to reduce risks
  – Spend resources on risks most likely to occur: 80/20 Rule (1897, Vilfredo Pareto)
• Implement controls to reduce risks
• Exercise, evaluate, and make changes as needed to reduce the impact of risks
Business Impact Analysis (BIA)
• Establish the value of each organizational resource as it relates to the function of the whole
• Provide the basis for identifying the critical resources required to develop your business recovery strategy
• Establish order of priority for restoration
Professional Practices
Planning
• Developing Business Continuity Strategies
• Emergency Response & Operations
• Develop and Implement Business Continuity Plans (BCP/COOP)
Develop Business Continuity Strategy
• Identify the Enterprise Requirements
• Identify strategies, costs, advantages, and disadvantages for each
  – Compare internal and external
• Identify strategies for functional areas
• Assess strategies using BIA results
• Perform Costs/Benefits Analysis
• Consolidate Continuity and Recovery Strategies Across the Enterprise
  – Consolidate workspace recovery sites
  – Enterprise-level plans for media and communications
Emergency Response and Operations
• Identify Types of Emergencies and the Response
  – Fire, Flood, HAZMAT, etc.
• Identify Components of Emergency Response
  – Reporting procedures (internal/external)
  – Pre-incident preparation
  – Emergency Actions (evacuation, firefighting, notifications, etc.)
  – Facility Stabilization
  – Damage mitigation
  – Testing procedures and responsibilities
• Develop Detailed Emergency Response Procedures
  – Protection of Personnel
  – Containment of the Incident
  – Assessment of effect
  – Decide optimum actions
Emergency Response and Operations
• Identify Command and Control Requirements
  – Design and equip the Emergency Operations Center (EOC)
  – Define Command and Decision Authority roles
  – Communications vehicles (radio, e-mail, messengers, etc.)
  – Logging and documentation methods
• Develop Command and Control Procedures
  – Opening the EOC
  – Security for the EOC
  – Scheduling the EOC teams (24 hour operations)
  – Management of the EOC
  – Closing the EOC
• Emergency Response and Triage
• Salvage and Restoration
Develop Business Continuity Plans
• Advanced planning that is necessary to ensure the continuity of critical functions for an organization
• Putting in place supporting infrastructure and resources to respond to a disaster event
• Implement procedures to reduce the risk of identifiable threats
• Develop plans that cover all events that result in the total or partial destruction of a facility, or create an inability to perform essential functions
• Create plans that include procedures, equipment, and personnel for both automated and manual procedures.
Professional Practices
Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising Business Continuity Plans
• Public Relations and Crises Communications
• Coordination with Public Authorities
Awareness and Training
• Components of the COOP/BCP
• Why is BCP important to them!
• Who is the Business Continuity Coordinator
• Where to find more information
• When is it exercised
• How is the COOP activated
Maintenance and Exercising BCP
Maintenance
• Monthly
  – Call-trees
  – Personnel data
• Quarterly
  – Plan review
• As needed
  – Organizational Change
  – Process Change
  – Technology Change
• Exercise
  – Before (exercise preparation/plan review)
  – After (lessons learned)
• Annually
  – BIA
  – Corporate Strategic Direction
Maintenance and Exercising BCP
Exercise
• Validate your plans
• Familiarity with BCP procedures
  – Reduce decisions, confusion, and recovery time
  – Reduced costs at time of recovery!
• Exercise Types
  – Walk-through (paper-based)
  – Simulation
  – Operational
• Exercise Guidance
  – Start small
  – Detailed procedures should be followed closely
  – Should include backup data (restores) and call-trees
  – Conduct surprise tests (very risky, only a few)
  – Use “actual” but not “live” data
Crises Communications
• Escalation
  – Disaster declaration criteria
  – Problem Identification and Escalation
    • when is it a disaster
  – Contact Lists
  – Initial Response Items
• Primary Notifications
  – BC Coordinator, SMT, CMT/IMT
  – BC Teams
  – Damage Assessment Teams
• Secondary Notifications
  – Other employees
  – Customers
  – Public
  – Suppliers
Crises Communications
• Public Relations
  – Issue initial Press Release “canned response”
  – Establish a schedule for Press Conferences
  – Communicate the name of “official” spokesperson
  – Be prepared for all “audiences” (internal, external, media, agencies)
Coordination with External Agencies
• Identify applicable laws and regulations and determine impact
• Identify statutory industry requirements
• Ensure your plans meet all statutory and regulatory requirements
  – work with statutory agencies as appropriate
• Identify and coordinate with agencies supporting BCP aims
  – Identify and develop procedures with external agencies providing disaster assistance (financial and resources)
• Develop exercises with external agencies
  – Establish exercise objectives
  – Coordinate and execute exercises
  – Debrief and report on exercises to include action plans
Speaker Contact Information
Don Hall, Director Business Continuity
Thomson Prometric
1000 Lancaster Street, Baltimore, MD 21202
Phone 443-923-8000
E-mail [email protected]
www.prometric.com