How to Derive Value from Business Continuity Planning

Presented by Randall J. Till, Principal
Till Continuity Group

Spring World 2011, Disaster Recovery Journal
March 28, 2011

Economic Downturn: BCM Challenges

• BCM (Business Continuity Management) funding is limited or shrinking
• BCM doesn't have organizational commitment
• BCM is targeted for reductions

BCM Drivers

Release Cycle / Change Process (Development → Testing → Prod. Implementation) leads to a DR Exercise decision (Y/N): with an exercise, a DR Exercise Cycle of 2-4+ weeks (Plan Update → Exercise → Publication); without one, Recovery System Risk Exposure.

• BCM updates tied to tests or exercises
• BCM managed as an annual project

Risks:
• Business services and systems are always changing
• BC/DR plans and environments remain unchanged waiting for an exercise date or a project deliverable

BCM Approach

Plan To Pass Audits & Meet Regulatory Compliance → ✓ Poor Investment
Embrace Audits & Exceed Regulatory Compliance → ✓ Valuable Investment

BCM Approach - Siloed Practices

Plans: Risk Management, Crisis Management, Disaster Recovery, Business Continuity

✓ Disjointed
✓ Embroiled in Politics
✓ Lacks Integration

Plan Execution and Coordination

Planning is focused on "How to build the plan".
We don't focus on "How to execute the plan".

Execute on the Fly:
✓ Chaos
✓ Stress
✓ Impacts

Business Continuity Management (BCM) Program

BCM Program Governance
  • BC Program Governance and Management
  • Risk Management (RM)
  • Crisis/Emergency Management (CM/EM)
  • Disaster Recovery (DR - system recovery)
  • Business Continuity (BC - work area recovery)

✓ Each organization is unique
✓ Different levels of responsibility
✓ Each BCM Program is at a different level of maturity
✓ BCM is a long journey

Business Continuity Planning Cycle

BCM Planning Cycle: Assess → Prioritize → Plan → Approve → Implement → Train Personnel → Test/Exercise → Maintain Readiness → Address Business Changes → (back to Assess)

Focus of Today's Discussion

BCM Governance (timeline across 2011 into 2012)
• Oversight of BCM Program
• Sets Direction and Expectations
• Management Buy-in and Endorsement

BCM Planning Cycles (timeline across 2011 into 2012)
1. Pre-Cycle
2. Planning Cycle
3. Post-Cycle
• Planning Processes and Procedures
• Deliverables and Time Tables
• Planning Cycles for BCM (CM, BC, DR)

Business Continuity Pre-Cycle

BCM Program Governance

BCM Governance → Business Continuity Steering Committee → BCM Strategic Direction

✓ Ownership
✓ Responsibility
✓ Educate
✓ Commitment
✓ Metrics
✓ Reporting Structure

BCM Ownership and Execution

Ownership: Corporate Headquarters, Europe, Asia Pacific, Latin America; IT Headquarters; Marketing, Sales, Customer Services, Finance, Legal, HR, IT
Facilitation: Business Continuity Planners; Division Coordinators (Primary); Regional Coordinators (Secondary)
Coordination: Business Continuity Management (Business Continuity Planners)
Plans: CM Plans, BC Plans, DR Plans

Business Continuity Pre-Cycle Timeline (2011 into 2012)

Business Continuity Oversight
• BC Steering
• BCM Objectives
• 2011 Cycle Deliverables
• 2011 Cycle Communication

Business Continuity Planning Cycles
• Develop 2011 Objectives
• Develop Planning Strategies
  • Cycle Def.
  • Processes
  • Tools
  • Templates
  • Metrics
• Cycle Kickoff
• Meetings with Coordinators

Business Continuity Planning Cycle

Crisis/Emergency Management (CM/EM)

Life Safety - First Response

Crisis Management - management of incident:
• Assessment
• Business perspective
• Notification & Assembly
• Communications
• Decisions - Activation

Value of Crisis/Emergency Management

✓ CM Organization & Plans
✓ Enterprise-wide
✓ Assign responsibilities
✓ Setup Command Centers
✓ Train people
✓ Practice roles and procedures

National Incident Management System (NIMS)

Crisis Management Planning Strategies

Office Type                                                  Crisis Management Team Assigned*
Corporate and Core Offices                                   - Corporate Incident Response Team (CIRT)
                                                             - Local Incident Response Teams (LIRT)
                                                             - Initial Assessment Teams (IAT)
Regional and Select Offices                                  - Local Incident Response Teams (LIRT)
(Offices with significant # of people/operations)            - Initial Assessment Teams (IAT)
Smaller Offices                                              - Initial Assessment Teams (IAT)

* Based on ICS Structure

Crisis Management Cycle Matrix

Deliverables                           Corporate/Core   Regional/Select   Smaller   Due Dates
                                       CIRT/LIRTs       LIRTs             IATs
CIRT/LIRT Notification Tests           2                2                 0         During exercises
CIRT/LIRT Functional Group Training    1                1                 0         Apr-Sept
CIRT/LIRT Scenario Based Exercise      1                0                 0         NY - 8-30, Dallas - 04/15, SF - 10/20
LIRT Self Exercise                     0                1                 0         May-Aug
IAT Notification Tests                 3                1-2               1         Mar, Jun, Sept
IAT Training                           1                1                 1         Mar-Jul
IAT Exercises/Self Exercises           2                1-2               1         May-Sept

Business Continuity Planning (BC)

Business Continuity (BC - work area recovery)
Business Service → Business Functions → DR Systems (a business service is supported by several business functions, each of which depends on DR systems)

✓ Business service
✓ People
✓ Business function
✓ Department
✓ Processes & procedures
✓ Information
✓ Systems/applications
✓ Technology
✓ Dependencies
✓ Customers
✓ 3rd parties/vendors

Value of Business Continuity

Business Continuity (BC - work area recovery)
• Protection of critical assets
• Access to critical business/customer information
• Business interdependencies
• Recovery locations
• Communications

✓ Business process analysis
✓ Office Infrastructure
✓ Process improvement

BC Planning Strategies

Office Type                      BC Planning Levels
Corporate/Core Offices           BC planning at business function level
Regional and Select Offices      BC planning at department level
Smaller Offices                  BC planning at office level

Plan Criticality    Recovery Times and Facilities
Essential Plans     – Critical business functions, RTO < 7 days – Recovery facilities pre-established
Deferred Plans      – Less critical business functions (RTO > 7 days) – No recovery facilities established

Business Continuity Planning Cycle

Deliverables                                        Core   Key   Small   Start Date   End Date
Business Impact Analysis (BIA) Review (Ess/Def)     Y      Y     Y       1-Mar        31-Mar
BIA Sign-off by Senior Business Leader              Y      Y     Y       1-Mar        31-Mar
Plan Review/Update (Ess/Def)                        Y      Y     N/A     1-Apr        30-Jun
Business Continuity Manual Review/Update            N/A    Y     Y       1-Apr        30-Sep
Plan Roster Review/Update (Ess/Def - Qrtly)         Y      Y     Y       Jan, Apr, Jul, Oct
Work From Home Validation (Ess/Def)                 Y      Y     Y       15-Mar       31-Jul
Team Activation Exercise (Ess/Def)                  Y      Y     Y       1-Apr        30-Sep
Plan Walkthrough Exercise (Ess/Def)                 Y      Y     N/A     1-Apr        30-Sep
Business Recovery Site Exercise (Ess only)          Y      N/A   N/A     Office-1: Jun 21/Sep 13; Office-2: May 17/Aug 7; Office-3: Jun 1/Nov 22

Business Continuity Planning Cycle (March through October)

• BIA Reviews
• BIA Sign-offs
• Plan Review/Updates
• BC Manual Review/Updates
• W-F-H Validation
• Team Notification Tests
• Plan Walkthrough Exercises
• Alternate Site Functional Exercise
• Roster Updates Quarterly
• End-user Training

Disaster Recovery (DR) Planning

Disaster Recovery (DR - system recovery)
• DR Strategy
• Cost Reductions
• Primary Site / Alternate Site, each with shared disk
• DR Testing
• Data Backup
• Networks

Value of Disaster Recovery

✓ Reduce recovery objectives
✓ Reduce loss of data
✓ Improve system design
✓ Utilize DR resources
✓ Enhance operating flexibility

Primary Site / Alternate Site (databases at both sites):
✓ Live Switches
✓ Less Planned Outages
✓ Co-processing
✓ Virtualization
✓ Cloud Computing

DR Planning Strategies

Data Centers                             Planning & Exercises
Primary Data Center (Internal Control)   - Full DR plans Tier 1 & 2 systems
                                         - Full functional exercises Tier 1 systems
Co-location Data Center                  - DR plans for Tier 1 & 2 systems
                                         - Coordinated DR exercises with provider
Outsourced Processing                    - DR plans oversight and evaluation

DR Plan Criticality   Recovery Times and Facilities
Tier 1 Systems        – Critical systems, RTO = 0-3 days – Hot recovery site established
Tier 2 Systems        – Critical systems, RTO = 4-14 days – DR plans developed, Warm recovery site
Tier 3 Systems        – Critical systems, RTO > 14 days – No recovery site established

Disaster Recovery Planning Cycle

Deliverables                                            Tier 1   Tier 2-3   Start Date   End Date
System Impact Analysis (BIA) Review (Tier 1, 2 & 3)     Y        Y          1-Mar        31-Jul
BIA Sign-off by Tech Owner and Business Owner           Y        Y          1-Mar        31-Jul
Recovery Plan Reviews                                   Y        Y          1-Apr        31-Oct
Technical Recovery Manual Review/Update                 Y        Y          1-Sept       31-Oct
Plan Roster Review/Update (Quarterly)                   Y        Y          Jan, Apr, Jul, Oct
Team Activation Exercise                                Y        Y          1-Apr        30-Sep
Plan Walkthrough Exercise                               Y        Y          1-Apr        30-Sep
Disaster Recovery Exercise (Tier 1)                     Y        N/A        Primary DC: Jun/Sep; Secondary DC: May/Aug; Secondary DC: Jul/Oct; Remote DC: Aug; Remote DC: July

Business Continuity Cycle Timeline (2011 into 2012)

Business Continuity Oversight
• BC Steering
• New Requirements
• Escalations to Management
• 2012 Budgets and Plans

Business Continuity Planning Cycles
• Manage CM, BC, DR Planning Cycles
  • Crisis Management Planning Cycle
  • Business Continuity Planning Cycle
  • Technical Recovery "DR" Planning Cycle

Business Continuity Planning Post-Cycle

BCM Metrics

✓ Gain commitment
✓ Show readiness
✓ Meet compliance

Rating scale: Below Expectations < 6.0; Partially Meets Expectations ≥ 6.0 to < 8.0; Meets Expectations ≥ 8.0

Build Measurements into Cycle

Action plan underway:
• Establish BRP Ownership
• Build management relationships
• Enhance Business Continuity Plans
• Practice & test plans

Rating scale: Below Expectations < 6.0; Partially Meets Expectations ≥ 6.0 to < 8.0; Meets Expectations ≥ 8.0

Measurements Based on BCM Cycles

Crisis Management Cycle Matrix

Deliverables                           Corporate/Core   Regional/Select   Smaller   Due Dates
                                       CIRT/LIRTs       LIRTs             IATs
CIRT/LIRT Notification Tests           2                2                 0         During exercises
CIRT/LIRT Functional Group Training    1                1                 0         Apr-Sept
CIRT/LIRT Scenario Based Exercise      1                0                 0         May & Oct
LIRT Self Exercise                     0                1                 0         May-Aug
IAT Notification Tests                 3                2                 1         Mar, Jun, Sept
IAT Training                           1                1                 1         Mar-Jul
IAT Exercises/Self Exercises           2                2                 1         May-Sept

Business Continuity Cycle Matrix: the same deliverables, office types and dates as the Business Continuity Planning Cycle table above (BIA Review, BIA Sign-off by Senior Business Leader, Plan Review/Update, Business Continuity Manual Review/Update, Plan Roster Review/Update, Work From Home Validation, Team Activation Exercise, Plan Walkthrough Exercise, Business Recovery Site Exercise).

Disaster Recovery Cycle Matrix: the same deliverables, tiers and dates as the Disaster Recovery Planning Cycle table above (System Impact Analysis (BIA) Review, BIA Sign-off by Tech Owner and Business Owner, Recovery Plan Reviews, Technical Recovery Manual Review/Update, Plan Roster Review/Update, Team Activation Exercise).

BCM Inculcation

System project track:
Define Requirements → Design and Develop System → Perform System and Integration Testing → Implement Production System → Continue to Maintain the Recovery System & Environment

Recovery track, run in parallel with the system project:
Perform BIA → Design and Develop Recovery Capabilities → Test Recovery Capabilities and Develop Plans → Implement Recovery Capabilities → Update Recovery Matrix → Integrate into Contingency Exercises → Contingency Exercise Suite → Perform Exercise Assessment

✓ Assimilation
✓ Reduces Politics
✓ Repeatability

Redesign Testing & Exercise Requirements

System Release Cycle: Requirements → Design → Development → Testing → Production
Recovery System Update Process: Analysis → Plan Update → System Recovery Test

Recovery System Update Process
• Recovery System Analysis Meetings
• Recovery Plan Updates
• Procedure Validation
• Owner sign-off on recovery status

Modify Exercise Program
• Modify exercise approach to focus on Core Business Services
• Conduct Ad-hoc DR Exercises (limit size and scope)
• Test DR Plans for Deferred Systems

Maintenance Processes and Cycles

✓ Dynamic
✓ Significant Volume of Data
✓ Reliable information
✓ Automate
✓ Reuse data - single source
✓ Establish Schedule
✓ Define responsibilities
✓ Develop Streamlined Processes

Business Continuity Post-Cycle Timeline (2011 into 2012)

Business Continuity Oversight
• BC Steering
• BOD Endorsement

Business Continuity Planning Cycles
• Develop 2011 Reports
• Develop 2012 Objectives
• Emergency Management Planning Cycle / Business Recovery Planning Cycle / Technical Recovery "DR" Planning Cycle
• Plan and Exercise Evaluations
• Maintenance Cycles

Value of BCM Planning Cycle

• Defines Business Continuity Management Program
• Inculcates BCM practices into business culture
• Makes BCM processes consistent & repeatable
• Provides mechanism to educate
• Measurable BCM requirements
• Sets BCM deliverables into business cycles
• Leads to BCM Program Maturity

Business Continuity Cycle - Full Timeline (2011 into 2012)

Business Continuity Oversight
• BC Steering
• 2011 Objectives
• 2011 Cycle Deliverables
• 2011 Cycle Communication
• New Requirements
• Escalations to Management
• BOD Endorsement

Business Continuity Planning Cycles
• Develop 2011 Objectives
• Develop Planning Strategies
  • Cycle Def.
  • Processes
  • Tools
  • Templates
  • Metrics
• Cycle Kickoff
• Manage CM, BC, DR Planning Cycles
  • Emergency Management Planning Cycle
  • Business Recovery Planning Cycle
  • Technical Recovery "DR" Planning Cycle
• 2012 Budgets & Plans
• Develop 2011 Reports
• Develop 2012 Objectives
• Plan and Exercise Evaluations
• Maintenance Cycles

Randall J. Till, MBCP
Till Continuity Group
314-608-7672
[email protected]