NEXT GENERATION BUSINESS CONTINUITY EXERCISE PROGRAM
DRJ Fall World
September – 2011
John Linse, Global BC/DR Program Director
Sam Stahl, Program Manager
© Copyright 2011 EMC Corporation. All rights reserved.

Agenda
• Synopsis
• Definitions / Program Components
• Approach
  – Assess the Organization and Resiliency
  – Identify the Gaps
  – Recommendations
• Exercise and Training
  – Design
  – Socialize
  – Build
  – Implement
  – Track
• Credibility
  – Measure
  – Validate

Synopsis
“Next Generation Business Continuity Exercise Program”

This presentation will showcase the importance of designing, socializing and implementing a next generation exercise and training program that better positions your organization to manage crisis-potential disruptions from preparation to recovery.

- Does your exercise program assess the credibility of contingency plans?
- Does your organization have a disciplined notification and assembly process?
- Do you integrate public sector participants in your exercise program?
- Are your employees aware of their role and responsibilities during a crisis?
- How do you increase involvement and support of your senior executives?
- How do you develop the next generation of business resilience leaders?

Discussion will focus on answering these and many other questions as it suggests a baseline from which to develop your next generation business continuity exercise program.

Definitions / Program Components
• Recovery Time Objective (RTO) vs. Recovery Point Objective (RPO)
• Business Impact Analysis (BIA)
• Disaster Recovery vs. Business Continuity vs. ICS…
• Recovery Program / Continuity Program / Crisis Management Program
• Governance Teams vs. Response Team vs. Recovery Teams
• Crisis Management vs. Emergency Management
• Emergency Response
• Organizational Resilience
• SLAs, DOUs, Contracts & Regulations
• Credibility / Audit / Review

Approach
• Approach
  – Assess the Organization and Resiliency
  – Identify the Gaps
  – Recommendations
• Exercise and Training
  – Design
  – Socialize
  – Build
  – Implement
  – Track
• Credibility
  – Measure
  – Validate

Assess – Organization
Annual Report – ABC Manufacturing, CO
REVENUE
• Computers 50%
• Peripherals 30%
• Consulting 20%
[Figure: revenue breakdown with supporting functions. Labels: Administration; R & R - HR; R & R - Sales; Manufacturing; Sales; Services; IT; Legal; Payroll; Accounting; Help Desk; Education]

Assess – Organization
Major Business Facilities
[Map. Locations: Phoenix, Greensboro, Germany, Australia, Minneapolis, Houston, Mexico, Japan, Canada, Great Britain]

Assess – Resiliency
• Existing Recovery Infrastructure
  – Organization – Who Owns and Drives Resiliency?
  – Program – What are the Processes and Guidelines?
  – Plans – What is the Resiliency, Response, and Recovery Structure?
  – Exercises – Who and What do you test and How often?
  – Training – Who do you train on What areas and How often?

Assess – Resiliency
• Resiliency
  – Current understanding of
    • Business Impacts
    • Risks
    • Mitigation
  – Having put mitigation plans in place
  – Having comprehensive recovery plans in place
• Corporate or Geographical / Local
  – Emergency Management
• Geographical / Local
  – Emergency Response
  – Disaster Recovery
  – Business Continuity

Assess – Recovery and Response Teams
[Organization chart. Boxes: Corporate Emergency Management Team; Geographic Emergency Management Team (shown twice); Emergency Response Team (shown twice); Business Unit Business Continuity Team (shown twice); Geographic IT / Asset Disaster Recovery Team (shown twice)]

Assess – Recovery and Response Plans
Response Overview
[Diagram. Labels as they appear on the slide:]
• National Crisis Management Team; National Incidents
• Executive Crisis Manager; Senior Leadership Team
• Regional Crisis Management Team; Regional Crisis Manager / RVP
• Regional/Local Incidents and Outages
• Emergency Response Plans; Incident Management Plans; Business Unit / IT Recovery Plans
• People & Property Impacts; Network & Infrastructure Impacts; Business Unit Impacts
• People; Buildings; Technical Buildings; Retail Stores
• People; Buildings; Data Centers; DR CTRs; Comms; Critical Business Processes
• Outages/Escalations for: Information Technology; Network Services; Data Distribution; Data Replication
• Maintain Product and Services Delivery; Maintain Billing Process; Fund Bank Accounts/Pay Employees; Manage Reputation and Brand Impact; Manage Internal and External Communications

Assess – Risks
• Facility or Building
• People or staff
• Technology
• Machinery
• Transportation
• Critical Records
• Suppliers (or Supply chain)

Assess – Exercise Program
• What kind of exercises do you run?
  – IT Disaster Recovery: Application, Data Center, Enterprise
  – BC Business Unit: Business Unit, Location, Regional, Enterprise
  – Emergency Response: Business Unit, Location, Regional, Enterprise
  – Emergency Management: Location, Regional, Enterprise
• Does your exercise strategy reflect back to the:
  – Plans, teams,
  – Revenue,
  – Business Impact Analysis, and
  – Risks?
• Is your exercise strategy aimed at proving that your recovery program provides resiliency based on key business factors?
• How do you measure it?

Assess – Exercise Program: Who Participates?
• Crisis Management Team
• Response Teams
• Business Unit Teams
• Information Technology Support Teams
• Other Support Teams, such as Facilities, HR, Finance, Corporate Communications
[Diagram. Labels: Operations; Technology; Business; Risk]

Other Teams / Agencies / Organizations
Participation or due diligence
• Handicap employees
• Non-recovery team employees
• Police: Town, County, State, DOC, other
• Fire
• Hospitals
• Office of Emergency Management
• Military
• Regulators
• FEMA
• Strategic Vendors
• Strategic Customers?
• Post Office
• School officials
• Other private companies

Assess – Training Program
• What kind of training do you hold?
  – IT Disaster Recovery: Application, Data Center, Enterprise
  – BC Business Unit: Business Unit, Location, Regional, Enterprise
  – Emergency Response: Business Unit, Location, Regional, Enterprise
  – Emergency Management: Location, Regional, Enterprise
• Does your training strategy reflect back to the:
  – Exercises, Plans, teams,
  – Revenue,
  – Business Impact Analysis, and
  – Risks?

Conclusions & Recommendations
• Develop conclusions and recommendations based on the research findings outlined above:
  – Geographical
    • Security
    • Crime
    • Social Unrest
    • Quickly changing regulations
  – Supply Chain
  – Financial
  – Operational
  – Etc. based on actual findings

Next Steps – Exercise and Test Strategies
• Design
• Socialize
• Build
• Implement

Credibility
• Measure
  – Develop measurements based on the resiliency requirement
  – Tie back to ROI
  – Review measurement strategy with stakeholders
• Track
  – Document all measurements based on resiliency requirements
    • By business unit, revenue stream, critical infrastructure, critical products, etc.
  – Track risk mitigation issues identified by exercises

THANK YOU
John Linse, Global BC/DR Program Director, [email protected]
847-903-5246
Sam Stahl, Program Manager, [email protected]