Building a Standard for Business Continuity Planning
John Lugo, Sr. Business Continuity Analyst
April 17, 2012
April 16-18, 2012, Talking Stick Resort, Scottsdale, Arizona
Business Continuity @ Citrix
Statistics
- Over 36% of organizations reported incidents of workplace violence
- Source: Society for Human Resource Management (SHRM)
Agenda
- Business Continuity Goals
- Global Core Business Continuity Team Structure
- Regional Business Continuity Plans
- Disaster Recovery / Business Continuity Testing
- Crisis Communications
- Employee Safety and Awareness Programs
Business Continuity Goals
- Maintain business-critical functions and services before, during and after a wide range of disaster events
- Limit the impact to operations and the magnitude of any financial loss
- Ensure rapid recovery and timely resumption of company operations to protect employees, customers, shareholders and company reputation
- The formal BC plans combine preventive and recovery measures; the plans are updated, tested and communicated regularly to ensure effectiveness in mitigating business disruption
Global Business Continuity Team
- The Team's mission is to provide overall direction for preparation and recovery efforts
- Team members are a mixture of diverse departments including IT, HR, Legal, Facilities, Physical Security and Finance
- On-Site Recovery Teams are the boots-on-the-ground teams responsible for individual offices in EMEA and Pacific
- Business Unit contacts are part of the Non-Core BC Team Structure
Emergency Management Team (EMT)
- Provide overall recovery / preparation direction
- Provide strategic response and incident management
- Ensure Business Continuity Team communication
- Monitor event activity
- Escalate alert levels to all team members
- Facilitate communication with the Executive Management Committee
- Ensure the appropriate and adequate disaster response
Communications Team
- Provides communication to all parties including employees, vendors, public service agencies, customers
- Communication methods include emergency notification systems, email, vmail, external / internal web pages, press releases, media
- Team conveys a message on behalf of the company
Campus Response Team
- Operational response and business direction
- Prepare property and equipment for the impending disaster event
- Provide HR-related assistance for building items (people staying on site, building closures, parking garages, etc.)
- Damage assessment from a disaster and its impact on continuing operations; assistance with insurance claims
- Secure buildings and grounds; liaise with landlord
- Historian Function: documenting all critical decisions once an event has occurred and keeping track of expenses
Business Readiness Team
- Make necessary arrangements to implement disaster business operations in accordance with business plan for each unit
- Provide a tactical response and business direction
- Act as a liaison with the Business Unit Teams
- Provide travel assistance for recovery team members
- Ensure critical business functions are operational at alternate processing centers
On-Site Recovery Team
- Drivers of decisions regarding:
  - Recovery of office
  - Well-being of employees
  - Alternate relocation plans
  - Communications out to employees in affected location(s)
Business Continuity Planning Scenarios
Our Business Continuity plans are based on two incident types:
1) Unexpected Disaster
   - Fire, flood, earthquake, tornados, terrorist act, explosion, workplace violence, flu outbreak
2) Expected Scenario
   - Scheduled protests, scheduled power outages / rolling blackouts
   - Hurricane / severe weather due to our South Florida exposure; lead time allows for storm preparedness
Business Impact Analysis (BIA)
- The BIA is the initial step for Business Continuity planning from which the whole BCP program is built
- Provides the data from which appropriate continuity strategies can be determined
- Ranks core business activities
- Grades activities by financial and non-financial impact
- Determines interdependencies
- Defines Recovery Time Objectives (RTO)
- Defines process, people, equipment and IT systems needed to meet continuity objectives
Disaster Recovery Strategies
- What technology-based solutions do you incorporate in your BC Program?
- Cloud computing, data replication, clustering, failover circuits, redundant equipment, restore from tape, software as a service (SaaS)
- Bring Your Own Computer (BYOC) Program
- Desktop virtualization
- Work Anywhere Initiative
Business Continuity Plans
- Structure your plans around the responses from your BIA
- Plans contain critical processes and procedures to recover business functions in the event of an emergency interruption
- Individual plans are regional, country and business unit specific and are updated annually
Emergency Response Plans
- Build your ERPs with the help of executive management; host a table top exercise
- ERPs are based on the worst-case scenario; anything less severe becomes a subset of the plan
- Develop plans for specific incidents: hurricane, earthquake, active shooter scenario
IT Disaster Recovery Test
- Based on your requirements, do you have a Hot Site, Cold Site, Warm Site?
- Review the responses from your BIA to ensure that your critical applications and services reside in your DR environment
- Create a detailed site bring-up script that is simple to follow
- Do you have plans in place to fail back to Production?
- Exercise your IT DR Plan at least once a year
Workplace Recovery Test
- In the event your office is inaccessible for a period of time, where are your employees going to relocate?
- Leverage offices in other cities / countries
- Work from home vs contracted office space
- Exercise your workplace recovery plan once a year
- Document your results and forward to senior management
Emergency Response Tests
- Develop realistic scenarios that your organization is likely to experience
- Establish a strong relationship with external agencies including local fire departments and emergency responders
- Work with senior management and HR to develop an emergency response plan around workplace violence
- Coordinate emergency evacuation drills with Facilities
- Exercise emergency response tests annually
Measurable Results
Crisis Communication Plan
- Establish a crisis communication program with the Core Business Continuity Team
- Plan should identify all stakeholders included in emergency communications: employees, clients, vendors, media, EMC
- Draft sample communications around realistic scenarios that could affect your location
- Have HR and Public Relations review communications before distribution
Communicate!
- Emergency notification systems
- Communicate quickly
- Push/pull communications
- Pre-script communications
- Wallet cards and badges
- Satellite phones
Crisis Communication Tools
- Use internal resources: Telecom Team, PBX, PA system, intranet SharePoint site, company website
- Toll-free emergency notification numbers for employees
- Blast emergency alerts through vmail
- Emergency Notification Software (Sungard, Everbridge); sends messages via mobile, email, text, etc.
- Satellite phones: service is available even if infrastructure is down
Train the People in Charge
- Develop table top exercises with Core Business Continuity Teams
- Research emergency response training through local agencies: Red Cross, Fire Departments, SWAT Teams, C.E.R.T.
- Review the roles and responsibilities with the Core BC Team annually
- Ensure that the global teams buy into the Standards of Business Continuity
- Deliver a robust employee safety program, even if there isn't a requirement by law in a particular country!!
Practice
- Emergency evacuation drills
- Bomb threat procedures
- Workplace violence process
- Emergency training
- Awareness newsletters
- Emergency information cards
New Employee Orientations
- Work with HR to include an overview of the Business Continuity Program
- Review emergency evacuation procedures
- Ensure that employees know where to find BC and DR documentation
- If possible, make training a mandate for compliance
Communications out to Employees
- Develop communications around specific incidents: hurricane season, earthquake scenario, emergency evacuations
- Work with Business Unit leads to ensure that teams understand recovery processes
- Work with HR to develop a newsletter
- Post Incident Response Action Items in break room or common areas: evacuation routes, assembly points, security hotlines
Plans Put into Practice: Scenario 1, Scenario 2
Hurricane Wilma at HQ
- When: October 24th, 2005
- Damage:
  - 3 out of our 4 buildings closed for over a week
  - 6 million people without power
  - Local infrastructure damaged
- Pre-storm activities completed
  - Campus prepared
  - Key business teams and IT flown out of area
  - Communication schedule established with employees
- Post-storm
  - Reserved hotel rooms out of the area
  - Employee assistance program
  - "Employees helping employees" intranet site
  - Post-mortem review
  - Long-term office opened for customer-facing teams out of the path of hurricanes
Pandemic Planning
- Avian, H1N1, H3N2 and Influenza B Viruses
- Citrix Planning
  - Creation of Pandemic Influenza Continuity Plan
  - Phased alerts from the World Health Organization and the Center for Disease Control
  - Updated internal policies; infected employees requested to stay home until symptoms subsided
- Employee awareness
  - Communications sent to employees around best practices
  - Travel recommendations posted on Intranet site
- Manager communication and training
  - Distributed messages to managers around working with employees; options include working from alternate locations
Earthquake in Japan
- Damage:
  - 10 employees overnight in office (elevator was on limited power)
  - Office closed for 3 days
- Most employees worked from home leveraging our own products
- Daily meetings held with on-site recovery teams (IT, Facilities and HR)
- Alternate relocation plan for employees (150 hotel rooms in Hiroshima)
- Resources sent to Tokyo from CA office
- Lessons learned:
  - Creation of on-site recovery teams for other regions
  - Upgrade emergency notification system in Tokyo
Wrap Up
- Make sure your plans are flexible
- Revisit your strategy around DC infrastructure: physical vs virtual
- Partner with key Business Units (IT, Facilities, HR) in other offices to help you build and test plans
- Include end users within your testing platform
- People come first!!