Business Continuity Planning LGMA Conference October 27, 2011 Presented by Lisa Benini
What is it? Business Continuity Planning Definition: Process of developing and documenting advance arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption. source: www.drj.com SAFETY / EMERGENCY PREPAREDNESS SECURITY CONSEQUENCE MANAGEMENT ENTERPRISE RISK MANAGEMENT EMERGENCY RESPONSE BUSINESS CONTINUITY CRISIS COMMUNICATIONS INFORMATION TECHNOLOGY RECOVERY CRITICAL INFRASTRUCTURE RECOVERY October 27, 2011 Benini Consulting Ltd. 2
Why Are We Concerned? Disasters increasing in frequency and severity How many internal disasters go unreported? Indirect impacts from Catastrophic Disasters Kelowna Fire October 27, 2011 Benini Consulting Ltd. 3
Why Are We Concerned? Aging infrastructure Emerging new risks (e.g. Pandemic) Highly dependent on Communications & Technology Government October 27, 2011 Benini Consulting Ltd. 4
Hazards in BC www.pep.bc.ca Earthquakes Floods Tsunami Severe Weather Fires Avian Influenza 5
Why is it important? Expectations of key stakeholders Essential management function Becoming a common practice Some organizations have set policy for it Makes good business sense Sustainability & Survivability October 27, 2011 Benini Consulting Ltd. 6
What is it? Who executes the plan s actions? Employees Management People are your most important asset Business Partners / Key Stakeholders October 27, 2011 Benini Consulting Ltd. 7
What is it? Where will your people go to resume operations? Work from a Hotel / Boardroom Work from Home Alternate Site Another Civic Facility October 27, 2011 Benini Consulting Ltd. 8
What is it? When will your operations resumed? October 27, 2011 Benini Consulting Ltd. 9
What is it? What do you need to resume operations? Printers Copiers Workspace Computers Computer Center Telephones Office Furniture Paper Records Assets October 27, 2011 Benini Consulting Ltd. 10
How will this be done? April 30, 2008 Benini Consulting Ltd. 11
10 Step Process 1 Project Initiation and Management 2 Risk Evaluation and Control 3 Business Impact Analysis 4 Develop Business Continuity Strategies 5 Emergency Response and Operations 6 Develop/Implement BCPs 7 Awareness and Training Programs 8 Exercise and Maintain BCPs 9 Crisis Communications 10 Coordination with External Agencies April 30, 2008 Benini Consulting Ltd. 12
1. Project Initiation / Control Everyone needs a Plan You need Senior Mgmt Buy-in You need a Policy, Objectives & Scope You should manage it as a project & give it some dollars You need people to do the work You need Management to Approve it April 30, 2008 Benini Consulting Ltd. 13
2. Risk Evaluation/Control Anything done to date? What are your threats? What is likelihood & consequences? What is an acceptable levels of risk? Are you addressing high risks? What controls are in place? What else can you do reduce the impact? You need Management to Approve it April 30, 2008 Benini Consulting Ltd. 14
3. Business Impact Analysis What are your critical functions? Identify Business Functions Determine Maximum Allowable Outage Determine Impact (Qualitative/Quantitative) Identify Dependencies & Resources Define Recovery Objectives & Time Sensitivities Determine Alternates Procedures / Arrangements How do you do a BIA? Create Prioritization of critical functions You need Management to Approve it April 30, 2008 Benini Consulting Ltd. 15
4. Develop Strategies What can I do to mitigate the high risks? What can I do when a business disruption occurs to continue my critical business? What is the advantages & disadvantages? What will these options cost? Which are the most feasible options? Can I consolidate these options? April 30, 2008 Benini Consulting Ltd. 16
4. Develop BC Strategies Need to consider: Key Personnel Place to Work Means of Communicating Computers/Data Networks Supplies Key Records, Information, Data Resource Availability Timeframe Capability to Recover April 30, 2008 Benini Consulting Ltd. 17
5. Emergency Response / Operations Everyone needs to know what to do in an emergency & what is their role? How will you escalate? Who will you call? Who is authorized to activate the plan? How will you manage the incident Try to reduce damage and secure the site Integrate emergency response with business continuity organization & activities April 30, 2008 Benini Consulting Ltd. 18
6. Develop Business Continuity Plan Alternate Facilities & Resources Timing Escalation Call Lists Actions Recovery Inventories Organization Administration Maintenance & Exercising 1. 2. 3. 4. Priorities Responsibilities April 30, 2008 Benini Consulting Ltd. 19
7. Awareness and Training Start early with awareness Everyone needs to know about the plan and what is your expectations Train your continuity teams before you exercise Make sure it happens Continue to Monitor it April 30, 2008 Benini Consulting Ltd. 20
8. Exercise and Maintain BCPs Make sure the plan works and the people know what to do Identifies strengths & weaknesses Document lessons learned Make sure they are assigned and followed up Keep exercising your plan April 30, 2008 Benini Consulting Ltd. 21
8. Exercise and Maintain BCPs When changes occurs, update your plan: Acquire new business line Reorganize your service offerings Implement a new computer system Changes in staff / stakeholders New risks emerge Check your control programs Continuously update your plan Let Management know how you are doing April 30, 2008 Benini Consulting Ltd. 22
9. Crisis Communications Do you have Media Relations Procedures? Who will liaise with other Agencies? Who are your major Stakeholders and who will liaise with them? What and How will you communicate? Who is responsible? Make sure you exercise the communication process April 30, 2008 Benini Consulting Ltd. 23
10. Coordination with Public Authorities Which other Public Authorities do you deal with? Make contact with them How will you coordinate with them in an event? What are the procedures for dealing with them? Invite them to an exercise or ask to participate in their exercise April 30, 2008 Benini Consulting Ltd. 24
What will it achieve? Protects People, Property, Assets and Information Identifies tolerable outage Minimizes confusion and chaos Enables effective decision making Minimizes loss of data, revenue, clients Allows pre-positioning critical resources and arrangements October 27, 2011 Benini Consulting Ltd. 25
What will it achieve? Reduces dependency on specific personnel Coordinate with inter-dependencies Facilitates timely recovery of business functions Meet regulatory requirements Maintains public image and reputation October 27, 2011 Benini Consulting Ltd. 26
Final Thought "The unfortunate truth is our ability to imagine and plan for catastrophic disasters is woefully inadequate. 1 A broad assessment from Dr. Irwin E. Redlener, the director of the National Center for Disaster Preparedness at Columbia University 1. Business Week, 9/19/05, p. 35 June 8, 2010 Benini Consulting Ltd. 27
Q & A Thank you Lisa Benini Benini Consulting Ltd. Ltbenini@shaw.ca 250.813.2435