Business Continuity & Disaster Recovery Richard Long, Senior Advisory Consultant MHA Consulting Presented at CopperPoint SafetyWorks Aug & Sep, 2017 2017 MHA CONSULTING. ALL RIGHTS RESERVED.
COMPANY BACKGROUND
KEY FACTS: 18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients. 18 Years in operation. 20 Average years industry experience.
SENIOR LEADERSHIP: MHA Consulting's senior team has an average of over 20 years of industry-relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.
CAPABLE: Comprehensive suite of services.
GLOBAL: Diverse, global client base.
SAAS: Compliance and risk tools.
Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona, www.mha-it.com
A simple mission: Ensure the continuous operations of our clients' critical processes.
60% of revenue comes from Business Resiliency, 30% from IT Disaster Recovery, and 10% from SaaS tools.
SaaS Tools: BIA On-Demand, Compliance Confidence, Residual Risk.

DIVERSE, GLOBAL CLIENT BASE
SERVICES; HEALTHCARE; EDUCATION; FINANCIAL INSTITUTIONS; CONSUMER PRODUCTS; INSURANCE; TRAVEL & ENTERTAINMENT; GOVERNMENT/UTILITY

ROBUST SUITE OF SERVICES
Service areas: ASSESS THE CURRENT ENVIRONMENT; RECOVERY STRATEGIES & SOLUTIONS; RESPONSE & RECOVERY PLANS; EXERCISES; MAINTAIN & IMPROVE
Services: Current State Assessment; Policy & Standards; Business Impact Analysis; Threat & Risk Assessment; BCMMETRICS™ BIA On-Demand (BIA OD); BCMMETRICS™ Compliance Confidence (C2); Business Recovery Strategies & Solutions; Data Center Recovery Strategies; Crisis Management; Business Recovery; IT Disaster Recovery; Training & Awareness; Mock Disaster Exercises; Plan Functional Walkthroughs; Alternate Worksite Exercises; Update Recovery Plans; Update Current State Assessment; Update Business Impact Analysis & Threat Assessment; Third Party Assessments; BCMMETRICS™ Residual Risk (R2)

WHY ARE YOU HERE?
What are Business Continuity & Disaster Recovery?
BC/DR Basics
Myths
Why should it be important to you?
Integration between BC/DR and other departments
How do safety & risk fit in to BC/DR?

BUSINESS CONTINUITY MANAGEMENT
SO, WHAT IS BUSINESS CONTINUITY MANAGEMENT?
Business Resumption Planning: The process initiated to resume business operations to a level consistent with the business requirements.
IT Disaster Recovery Planning: The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes.
Crisis Management: A series of actions taken to gain control of the event quickly to minimize the effects of an interruption and prepare for recovery.

CRISIS SPECTRUM
Source: ICM Annual Crisis Report, 2017. Institute for Crisis Management.
OTHER: Catastrophe 1.01%; Casualty Accidents 0.14%; Financial Damage 0.14%; Hostile Takeover 1.64%; Labor Issues 0.14%; Sexual Harassment 0.48%

THE BIG PICTURE

BCM COMPLIANCE STANDARDS
STANDARDS IN BUSINESS CONTINUITY: ISO 22301; FFIEC; NIST 800; NFPA 1600; SEC; FISMA; FINRA; Supply Chain Resiliency Leadership Council
MEASURE COMPLIANCE IN THESE BCM DIMENSIONS: Program Administration; Crisis Management; Business Recovery; IT Disaster Recovery; Fire & Life Safety; Supply Chain Risk Management; Third Party Management

DEFINITIONS
Business Continuity: Overall continuation of business functions during an emergency event.
Disaster Recovery: Recovery of systems, applications, and processing capabilities.
Process (Availability & Resiliency): A business process is functional and available. Remains available even during potential impact events.
Application (Availability & Resiliency): Available for use by the organization based on requirements. Remains available even during potential outage events.

BASIC COMPONENTS IN OVERALL PROGRAM
01 BUSINESS IMPACT ANALYSIS. Determination of the recovery time for each business process. This is not based on applications, but processes.
02 THREAT & RISK ASSESSMENT. Identifying potential risks and the impact they have on the organization.
03 DOCUMENTATION UPDATE SCHEDULE. Without regular updates, the documentation will quickly become out of date.
04 TRAINING. This includes exercises, policy review, and plan reviews.
05 ACTION ITEMS. Overall management and status of issues and needs.

BASIC COMPONENTS IN BUSINESS RESUMPTION PLANNING
01 BUSINESS RECOVERY PLANS. The most important part: these are the tasks and actions taken when an emergency or outage event occurs.
02 CONTACT LISTS. Employee, vendor, third party contacts, phone numbers, email addresses, etc.
03 MOCK DISASTER EXERCISES. Verifying the usability of the plan; often scenario based.
04 ALTERNATE SITE CONTRACTS. Having a contract or agreement in place in case there is a need to relocate.
05 TECHNOLOGY. Ensure IT has documented the appropriate technology requirements and plans for implementation (loaner laptops, network access, etc.).

BASIC COMPONENTS IN DISASTER RECOVERY
01 IT RECOVERY PLANS. These are the tasks and actions taken to restore applications and processing when an emergency or outage event occurs.
02 CONTACT LISTS. Employee, vendor, third party contacts, phone numbers, email addresses, etc.
03 DR STRATEGY/IMPLEMENTATION. Technical implementation.
04 DR TESTS. Verifying the recovery strategy is functional.

BASIC COMPONENTS IN CRISIS MANAGEMENT
CRISIS MANAGEMENT TEAM. Senior management responsible for direction and overall management of an emergency event. Roles and responsibilities include business functions, communication, logistics, security, risk, etc.
CRISIS MANAGEMENT PLAN. These are the tasks and actions taken to manage overall emergency events at a corporate level, including both internal and external communication.
CONTACT LISTS. Employee, vendor, third party contacts, phone numbers, email addresses, etc.
MOCK DISASTER EXERCISES. Verifying the plan and team are functional.

MYTH: BC/DR ARE DEAD
Most events are self-inflicted (recent airline outages).
Unanticipated events, not natural disasters.
Customers will NOT understand.

MYTH: DOCUMENTATION IS NOT NEEDED - WE HAVE IT
The team will know how to execute
People are good at what they do every day. You don't recover every day.
They will be tired or trying to perform multiple recoveries.
You may be using secondary resources or contractors.
Information is always readily available.

MYTH: OUR PEOPLE WILL FIGURE IT OUT
True, but that will take time.
Your strategy to meet RTO/RPO is most likely based on best case.
There will be unexpected issues even in best case.
Secondary people will be participating and may be primarily responsible.
Often the recovery environment is not completely in sync with production.

WHAT CONTENT SHOULD BE INCLUDED?
Consider:
01 Put the usable information at the beginning of the plan.
02 Put the audit information in appendices.
RECOMMENDATION
Checklist based. Think airlines or surgeries.
Functional/proprietary. What will people forget?
Identify risks and impacts in the plan. Don't have the team figure it out during an event.
Reference/use information already available. Contact lists (make copies as backup); BIA/TRA; Functional exercises/training.

INTEGRATION BETWEEN BUSINESS CONTINUITY AND OTHER DEPARTMENTS
BUSINESS FIRST
Everything should be about how it helps the organization: Increase revenue; Decrease costs; Regulatory/audit requirement; Safety
Every department is part of the business.
Everyone (you) is part of BC/DR.

WHAT ROLE DOES SAFETY & RISK PLAY?
SAFETY
Provide your input
Look at the big picture and what is the BC team missing?
You own safety issues; don't let the BC team usurp your authority
Provide guidance policies and safety risks
Impacts related to safety issues associated with recovery strategies
Relocation impact

WHAT ROLE DOES SAFETY & RISK PLAY?
RISK
Provide the risk profile to the BC team
Coordinate and collaborate on the risk assessment
Risk assessment provides input into the BC and DR plans

SO, WHAT ARE THE NEXT STEPS?
WHAT DO WE DO NOW? HOW DO WE START OR CONTINUE?
If you don't know your BC leader, go say hi.
Do you know what your BCP says related to your department?
Do you know how you fit in and what role you play?
AREAS TO REVIEW, WHERE TO PRIORITIZE
Base infrastructure (server, VM, network, authentication)
Integrations
Technology gaps
Resource constrained areas
SaaS/IaaS environments
Validate recovery strategy

FINAL THOUGHTS

THANK YOU
MHA CONSULTING, INC. www.mha-it.com long@mha-it.com (888) 689-2290 (602) 370-1864