1 / 29

Business Contingency Planning

Business Contingency Planning. Steve Elliot & Allen Patrick Association of Contingency Planners Greater Tampa Bay Chapter www.gtbacp.com.

lynnea
Download Presentation

Business Contingency Planning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Contingency Planning Steve Elliot & Allen Patrick Association of Contingency Planners Greater Tampa Bay Chapter www.gtbacp.com

  2. The Association of Contingency Planners (ACP) is a national, not-for-profit professional association with members from the business continuity, emergency management, and disaster recovery professions. Our members represent the private and public sectors, as well as higher education, faith-based, and non-profit organizations across the country.

  3. What is Business Continuity? Business Continuity/Preparedness Planning – What’s Important

  4. Overview – Planning Elements • Lay out a program plan… a vision • Management Support • Risk Analysis • Incident Response Planning • Recovery Planning • Training & Awareness • Exercises • Maintenance • Supplemental Info… resource links & suggestions

  5. Continuity and Preparedness Basic Definition: A business preparedness and continuity program aims to prevent or mitigate, respond effectively to, and recover from the effects of business disrupting events. Emphasize personnel safety!

  6. Management Support Key Points: • Secure support from the top level manager/executive … Ask what keeps them awake at night; • Obtain an executive level manager as a sponsor/champion and lead for a steering committee; • Establish a budget and planning team; • Arrange for an announcement to the organization endorsing the program, summarizing your role, and explaining the organization’s involvement expectations – both budget and participation.

  7. Respect People’s Time Even with upper management’s endorsement, respect people’s time and their need to balance continuity/preparedness planning priorities with their primary business priorities!

  8. Pragmatic approach… Apply “practical due diligence” when establishing a business continuity program. Initially, program needs to focus on the key planning elements: • Reliable Communication • Preparedness, Response, and Recovery Teams • Team Tasks and Responsibility Lists (Recommend plan templates for consistency and clarity. Adapt plans to size or complexity of the organization.)

  9. Pragmatic approach… Apply “practical due diligence” when maturing a business continuity program: • Prioritize and implement projects in phases based upon the best use of time and money; defer capabilities of marginal use… Lay out a maturity roadmap; • Program should be scalable. Processes should be scalable; • Operational structure and tools should conform to day-to-day business model as much as possible.

  10. Risk Assessment – Threat & Vulnerability Assessment • Threat and Vulnerability Assessment • Keep it simple; • Develop a strawman assessment; • Engage stake holders such as: Facilities, Security, HR, IT, Finance, Supply Chain, core business managers, etc. to build on the strawman; • Target at a Site/Facility-level (or sites/facilities if in the same geographical area and similar in operation) if possible; Process level if necessary; • For mitigation leverage basic prevention, early warning, and mitigation infrastructure, e.g. fire suppression, security, fire alarms, evacuation plans, data backups, backup power, etc.

  11. Risk Assessment • Threat and Vulnerability Assessment • Keep it simple • Site/Facility-level (or sites/facilities if in the same geographical area and similar in operation) if possible • Business Impact Analysis • Key info: What are the critical business processes and what is their recovery order • What are the critical operational and infrastructure processes that need to be recovered in order to recover the critical business processes… and what is their recovery order www.emsa.ca.gov/disaster/files/kaiser_model.xls

  12. Risk Detail Above added as Comments in each Risk cell. Event label entered in comment to clarify relationship of comment to the risk to which it applies.

  13. Risk Assessment: Business Impact Analysis (BIA) - Before you start… Understand how the results of the BIA are going to be used and make sure each question relates to that purpose. • Primary objective: What are the critical core business processes and recovery priorities; • Secondary: (RTO & RPO) Return Time Objective & Return Point Objective; • Tertiary: Core business process dependencies (Optionally, these can be identified in the recovery planning process.)

  14. Risk Assessment: Business Impact Analysis (BIA) - Before you start… Last thing you want to hear from management after you present the results is: “OK, now tell us something we didn’t already know.” Lesson learned – Find out what management doesn’t know up front. If they already know what it is you need to know… get it from them before putting the organization through the BIA process.

  15. Response Plan Based upon the Threat and Vulnerability Assessment, supplemented with regulatory requirements, establish an Incident Response/Emergency Plan • Establish an Incident Response/Management Team (IRT); • Address the top level threats and regulatory requirements; • Include contact information for the IRT and key outside support organizations, e.g. law enforcement, fire & rescue, response & restoration suppliers, etc.;

  16. Response Plan • Include key infrastructure maps, e.g. water valves, electrical panels, gas shut-offs, HAZMAT & other emergency supplies, etc.; • Provide employee-level response guidance, e.g. incident reporting, alarm activation, evacuation, employee accounting, etc.; • Make the plan available at appropriate level to audience…

  17. Samples: Campus or building flip charts and employee hang tags or wallet cards

  18. Response to Recovery Transition Response & Recovery Oversight Damage Assessment Response Recovery

  19. Recovery Plan Develop a strategy for each critical business and operational process… • Strategy could include more than one option… like a football playbook… use the recovery option appropriate to the situation; • Continuance doesn’t necessarily mean resuming in the same or a centralized alternate facility… For large enterprises could mean deferring to personnel performing the same function at another location; Temporarily outsourcing; Individuals working remotely with notebook computers & cell phones; etc. – TEST

  20. Recovery Plan Plan components… • Recovery team(s) with a team lead(s) and alternates and contact information • Engagement process and communication methods • Meeting location w/alternates – team operation center • Alternate operations options • Recovery responsibility & task lists

  21. Awareness and Training… Establish an awareness program for all levels, e.g. Execs, Planners and various teams’ members, employees, contractors, visitors…

  22. Awareness and Training… Key Points: • Employees as a whole, e.g. Newsletter announcements, emails, and articles, posters, wallet cards & hang tags, workshops, on-line training, family preparedness (http://www.ready.gov), etc. • Individual teams, e.g. walk-through exercises, team reviews, function-level incident exercises, rotate planning maintenance role, etc. • Community responders, e.g. periodic meetings, facility walk-throughs, participation in awareness week-type activities, etc. • Management

  23. Engage Senior Mgmt. Refresh Management Support… Back to Step one

  24. Nationally, ACP represents 2700 members in 44 different Chapters around the United States. In addition we have a growing virtual population of members from around the globe.

  25. Our local Chapter is made up of 80 members from organizations like Raytheon, Raymond James, Franklin Templeton, HSN, TECO, Tech Data, Valpak, USF, County and City governments, credit unions, the Red Cross, the YMCA, various consulting firms and vendors, etc.

  26. Typical monthly programs include:County Emergency Operations CenterLocal Media OutletsNational Weather ServiceUS Coast GuardDHS / FEMA / State Emergency ManagementBehind the scenes at sports venues / museums / attractionsPublic Information Officer & Emergency Management leadersTable-top Training Exercise / Disaster Simulation GamePublic-Private Partnerships (Red Cross, United Way, Regional Planning Councils)Hospital / Healthcare Emergency ManagementTours of Interesting Local BusinessesLessons Learned from Econ. Dev. & Recovery Agencies

  27. Questions? For more information about the Greater Tampa Bay Chapter of the Assoc. of Contingency Planners,please visit: www.gtbacp.com

  28. Resources… Threat (Hazard) & Vulnerability template (Consider listing all threats in one worksheet to facilitate criticality rank comparisons.) www.emsa.ca.gov/disaster/files/kaiser_model.xls SafetyInfo.com - Response/Emergency Planning 4 STEPS IN THE PLANNING PROCESS - For Details See: http://www.safetyinfo.com/guests/Emergency%20Planning%20-%204%20Step%20Planning.htm

  29. Resources… Flip chart model: http://police.wvu.edu/emergency_flip_chart Business Continuity Maturity Model – Virtual Corp’s free open access maturity and sustainability tool… http://virtual-corp.net/html/bcmm.html Leadership and the importance of communication in the midst of crisis interview with Rich Irwin, former Senior Special Operations Program Officer in the CIA: http://www.bulletproofblog.com/2010/10/21/bulletproof-interview-special-%E2%80%93-richard-irwin-on-effective-crisis-management-and-preparedness/

More Related