Business Continuity & IT Disaster Recovery DONALD L. SCHMIDT, ARM, CBCP, MCP, CBCLA, CEM PREPAREDNESS, LLC MARCH 30, 2017 www.preparednessllc.com
What are Business Continuity & IT Disaster Recovery? BUSINESS CONTINUITY: An ongoing process to ensure that the necessary steps are taken to identify the impacts of potential losses and maintain viable continuity and recovery strategies and plans. NFPA 1600 www.nfpa.org/1600 BUSINESS CONTINUITY MANAGEMENT: management process that identifies risk, threats, and vulnerabilities that could impact continued operations. Business continuity provides a framework for building organizational resilience and the capability for an effective response. DRI s Professional Practices www.drii.org DISASTER RECOVERY: The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster Recovery Journal (DRI s International Glossary for Resiliency) www.drii.org 2
Key Elements of a Continuity & Recovery Program 1. Management commitment, direction & support (policy statement) 2. Program management 3. Risk assessment 4. Business impact analysis 5. Resource needs assessment 6. Continuity & recovery strategies 7. Incident management system 8. Education & training 9. Testing & exercises 10.Reviews and continuous improvement 3
Why is senior management support so important? Provides leadership Approves program resources Ensures people get involved Provides insight into the business Can build a culture of preparedness 4
Understanding the business is critical! Mission & vision Value stream Profits vs. revenues Growth potential Research & development Customers Regulations Essential services (nonprofits and public sector) What are the priorities? 80 60 40 20 0 2015 % Sales 2015 % Profits Product A Product B Product A Product B Product C Product D Product C Product D Sales 2015-2018 projected 2015 2016 2017 2018 Product A Product B Product C Product D 5
Build a strong team to manage your program Program Coordinator Vested with authority and held accountable Program Committee Management Operations Information Technology Supply Chain management Facilities Management Quality Finance Sales & Marketing Human Resources EH&S Purchasing others Credit: katemangostar Freepik 6
Risk Assessment; Evaluate planning scenario(s) Make the best possible decisions about loss prevention, hazard mitigation, risk financing, and continuity planning. Identify availability of resources for planning scenarios. 7
Business Impact Analysis: What s critical and when? Management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity s resources. The analysis can identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved. NFPA 1600 Identify impacts Lost sales and revenue Loss of customers Customer dissatisfaction Determine minimum acceptable production or service level to avoid unacceptable impacts Identify how quickly minimum level must be restored: Recovery Time Objective Assess the Timing of Interruption Customer requirements Peaks in business activity End of month or quarter Deadlines 8
Recovery Time Objective (RTO) Pre-Disaster Production or Service Level Production Minimum Acceptable Production or Service Level RTO Lost Production Production Downtime Avoided T disaster T recovery Time 9
BIA continued: What resources are required? People Facilities Machinery & equipment Internal dependencies Supply chain Vital records Information & communications technology 10
Conducting the BIA Focus on priorities identified by senior management Identify and agree upon the planning scenario(s) (e.g., loss of facility, supply chain failure, technology or power outage, pandemic, etc.) Provide specific criteria to quantify and qualify impacts and recovery time objectives 1. Develop questionnaires with built-in criteria specific to each function 2. Conduct a workshop to introduce the project and explain how to complete questionnaires 3. Use spreadsheets or a database to compile resource requirements 4. Review questionnaires and interview persons to validate information 11
BIA Methodology & Process Develop Questionnaire Impacts Resources Vital Records Dependencies Workarounds Pending Changes Conduct BIA Workshop & Distribute Questionnaires Why is the BIA important? What information is needed? How should questionnaire be completed? Conduct Interviews Validate Assumptions Fill-in Gaps in Information Question Criticality Report Quantify Impacts Recovery Time Objectives Compile Resource Requirements Prioritize Functions, Processes & Applications 12
Continuity & Recovery Strategies Considerations Availability, capability, capacity, and cost of resources Planning scenarios Consistent with assumptions Intellectual property Quality Customer requirements Time to execute Options Work extra shifts Relocate or transfer to a surviving site Displace lower priority operations Inventory management Partnership agreements Outsource Telecommuting Lease space Repair or rebuild 13
Implementation: IT Disaster Recovery Identify the acceptable amount of data loss for physical and electronic records to identify the recovery point objective (RPO) NFPA 1600 IT Strategies Data backups Application recovery The cloud Active-active sites Hot sites Mobile recovery center Equipment procurement and rebuild Scope Enterprise apps Productivity apps Process control systems Building management, security, and other systems Considerations Scope & alignment with business needs Cost Reliability Availability 14
Training, Testing & Exercises Training Alerting of team Activation of the plan Incident management, roles, responsibilities, lines of authority and lines of succession Coordination internally and externally Continuity strategies and manual workarounds Exercises evaluate plans, procedures, training, and capabilities Testing Data backups and restoration capabilities Failover of systems and equipment IT disaster recovery: validation of the sequence and procedures for restoration of operating systems, applications, and data on specified hardware and networks Recovery strategies Alerting capabilities 15
Program Reviews & Continuous Improvement Change is constant but does your program keep pace? Triggers for program review New/revised regulations Acquisitions and divestitures Changes in operations Changes in infrastructure including technology environment Resource availability or capabilities Funding change Appropriate action to address program deficiencies 16
Program Development Resources www.preparednessllc.com 17
For More Information Donald L. Schmidt, ARM, CBCP, MCP, CBCLA, CEM Preparedness, LLC (781) 784-0672 DLS@PreparednessLLC.com www.preparednessllc.com 2017 Preparedness, LLC 18