Business Continuity Planning
Disaster Planning, Emergency Response & Crisis Management 101
Presented by Hub International New England
James E. Burke, VP/Sr. Risk Consultant; CSP, ARM, CHMM, ABCP, CHSP, CFPS
Michael DuBose, VP/Sr. Risk Consultant; CBCP, CBCA, ARM
About the Presenters
Michael DuBose, CBCP, CBCA, ARM
VP/Senior Risk Consultant, HUB International
Mike currently serves as the HUB Practice Leader for Emergency Response, Business Continuity, Security & Enterprise Risk Solutions. He is a Certified Business Continuity Professional and Certified Business Continuity Auditor.
James E. Burke, CSP, ARM, CHMM, ABCP, CHSP, CFPS
AVP/Senior Risk Consultant, HUB International
Jim is an Environmental, Health & Safety professional with over 30 years' experience implementing successful corporate and site-specific environmental, health and safety programs; developing and implementing risk minimization and mitigation strategies; and advising small, medium, and large businesses on proven best practices for protecting persons and property.
Agenda
• Introduction
• Lessons Learned
• BCP Implementation
• Next Steps
• Question & Answer
Introduction
Business Continuity Planning Statistics
• 70% of businesses involved in a major fire fail within 3 years (Chubb)
• One out of two businesses never return to the marketplace following a major disaster (AXA)
• Losses are reduced by 75% to 85% for those firms with a business continuity plan (Chubb)
• The return on investment is estimated to be $681 of reduced property damage for every dollar spent on planning (Chubb)
2013 Disaster Map: The World
2012 Disaster Map: United States
March 19, 2014
Disaster Declarations 1964-2010
What is Business Continuity Planning?
A managed effort to prioritize key business processes, identify significant threats to normal operation, and plan mitigation strategies to ensure an effective and efficient organizational response to the challenges that surface during and after a business disruption. An effective business continuity plan reduces risk through upfront mitigation and post-disaster response, recovery, and restoration.
A process that establishes a secure and resilient business environment capable of mounting an immediate and effective response to a major incident.
Business continuity planning exists to avoid any interruptions that could lead to either significant losses or a failure to achieve the organization's principal objectives. As a process, it ensures critical activities are performed no matter what else is happening.
(Figure: ISO 22301 BCP Lifecycle)
Stages of an Event (figure): Detection; Emergency Response; Crisis Management; Business Continuity; Recovery. Timescale: minutes, hours, weeks.
Be prepared: Business Continuity Management
Emergency Response
• Initial control of emergency situation
• Safeguarding human life
• Stabilizing, security, damage assessment
Crisis Management
• Strategic direction/policy issues
• Crisis communications – internal and external (media)
• Outward facing liaison with stakeholders, users etc.
Business Recovery
• Phased recovery of business-critical processes
• Co-ordination of service recovery efforts
Disaster Recovery
• Recovery of technology services
• Returning IT to "business as normal"
Disaster Management Plan Types
ERP: Emergency Response Plan – Event Driven Response (Site Impact). Contamination, bomb threat, fire, earthquake, wind, etc.
CMP: Crisis Management Plan – Event Escalation Response (Corporate Impact). Non-physical or physical impacts. Examples: Exxon – Valdez Oil Spill; J&J – Tylenol Tampering; Hudson Foods – Meat Threat.
IT-DRP: IT Disaster Recovery Plan (Technology – Voice & Data Impact). Network failure, sabotage, virus, physical loss of systems, etc.
BCP: Business Continuity Plan – Time Driven Response (Site, Business and Image Impact). Infrastructure disruptions, business unit disruptions, department disruptions (failure to deliver product or service).
Depending on the event, the integration of all plans is possible.
Objective of business continuity planning (figure: level of business activity over time following an event). Curves shown: "Fully tested effective BCP" leading to a successful outcome; "No BCP – 'lucky' escape"; "No BCP – likely outcome", which falls below the critical recovery point. The business continuity plan comprises the emergency response plan, the crisis management/communication plan and the business recovery plan.
Business Continuity Planning Guidelines Used
• Professional Practices for Business Continuity Planners, developed through a cooperative effort of the Disaster Recovery Institute (DRI) International and the Business Continuity Institute (BCI)
• National Fire Protection Association (NFPA) 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs – 2013 edition
• ISO 22301:2012 – Societal security – Business Continuity Management Systems – Requirements
What can disrupt business operations? Natural and Man-made Disasters
• Natural Disasters, such as hurricanes, tornados, or earthquakes
• Security Incidents, such as violent intruders, terrorism or civil disorder
• Public Health Concerns, such as infectious diseases and pandemics
• Emergencies, such as fire, hazardous chemical spills, or bomb threats
Business Continuity Planning: Focus on Outcomes, not Causes
5 Possible Scenarios
1. Loss of Technology – the technology you use is not available or doesn't work
2. Loss of a Building – a building is destroyed or out of action for the medium to long term
3. Denial of Access to a building – your staff are not allowed into their place of work
4. Loss of Staff – key staff are unable to attend work
5. Loss of a Supplier – a supplier is unable to provide critical services, products or resources
Lessons Learned
Business Continuity Planning: Lessons Learned from Hurricane Sandy
General Comments
• Should have had a Business Continuity Plan (BCP)
• Power is critical (need for backup generators)
Communication with Staff
• Daily communication (e-mails, texts, phone, internet, Skype, FB, etc.)
• Facility emergency call-in numbers
• Ongoing immediate-supervisor communication with staff
• Managers keep hard copies of team home and emergency contact information
Communication with Clients and Vendors
• Forward office numbers to cell or home numbers to easily get client calls
• Communicate prior to the storm on preparations and communication strategies
• Constant contact with clients, suppliers and vendors
Business Continuity Implementation
Business Continuity Management: Six Step Approach
1. Understand the Business Operations
2. Develop Risk Mitigation Strategies
3. Develop Business Continuity Strategies
4. Develop Documentation
5. Implement Business Continuity Plan & Training Program
6. Develop Process for Exercising, Maintaining & Auditing Plans
Business Continuity Management Approach (figure)
Identify Risks and Analyze Business Impacts
• Establish Planning Committee
• Review Organizational Strategy
• Business Impact Analysis
• Risk Assessment
Develop Risk Mitigation Strategies
• Protection Systems
• Hazard Elimination / Process Change
• Duplication of Resources
• Alternate Operating Strategies
Emergency Response; Crisis Management
Business Functions: Department; Business Process Steps
Support Components: People; IT; Records; Voice & Data; Suppliers & Vendors; Equipment & Hardware
Develop BCM Strategies
• Corporate Strategy
• Process Level Strategy
• Resource Recovery Strategy
Develop BCM Documentation
• Emergency Response Plan
• Crisis Management Plan
• Business Continuity/Recovery Plan
BCM Implementation & Training
• Facilities
• Business Continuation
• Assessing Awareness
• Develop / Monitor Awareness, Skills, & Culture
BCM Exercising, Maintenance & Auditing
1. Understand The Business
• Establish Planning Committee
• Review Organizational Strategy
• Conduct Assessments
− Business Impact Analysis
− Risk/Vulnerability Assessment
Establish a Planning Committee
• Members could include:
− Senior Management
− CFO
− Operations
− IT
− Marketing
− Facilities
− Human Resources
− Legal
Business Impact Analysis (BIA)
• Identify all organization functions
• Identify critical processes/services
• Identify dependencies & interdependencies
• Identify priorities
• Identify risks/vulnerabilities
• Identify impact on operations
Recovery Time Objective (RTO) Priorities
• Staff
• Facility / Equipment
• Technology
• Files
What is a Critical Function/Process/Service? Must be delivered during a disruption, even if it is at a reduced level, for the business to survive
What Is Your Cost of Downtime?
Revenue
• Direct loss
• Compensatory
• Lost future revenue
• Billing losses
• Investment losses
Productivity
• Number of employees impacted × hours out × burdened hourly rate
Damaged Reputation
• Customers
• Suppliers
• Financial markets
• Banks
• Business partners
Financial Performance
• Revenue recognition
• Cash flow
• Lost discounts (A/P)
• Payment guarantees
• Credit rating
• Stock price
Other Expenses
• Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses ...
Know your downtime costs per hour, per day, per two days ...
Risk & Vulnerability Assessment (figure)
Hazards (naturally occurring, human-caused, technological-caused): Fire/Explosion; Natural Hazards; Terrorism; Workplace Violence; Pandemic Disease; Utility Outage → Hazard Identification
Assets at Risk: People; Buildings; Equipment; Information Technology; Business Operations; Cash/Financial Assets → Vulnerability Assessment
Impacts: Casualties; Property Damage; Business Interruption; Loss of Customers; Financial Loss; Fines/Penalties; Lawsuits → Impact Analysis
Resource/Capabilities Assessment
• What are the internal capabilities for response?
• Will external resources be able to respond to us for this emergency as quickly as we may need them, or will they have other priority areas to serve?
• What can we expect?
Develop Mitigation Strategies
Mitigate risks that threaten the health and safety of people, company assets, operations, or the environment
• Hazard Elimination / Minimization
• Installation of Protection Systems
• Back-up power systems
• Duplication of Critical Resources / Processes
• IT Backup
• Cross-Training of Personnel
• Relocation
• Qualification of Secondary Suppliers
• Outsourcing
Develop Business Continuity Strategies
Levels: Corporate; Process-Level; Resource Recovery
• Manual Workarounds
• Remote Working
• Mutual Agreements
• Alternate Sites (owned / third-party)
• Hot-site
Business Continuity Strategies
Simple, Likely Scenarios that Need to Be Considered:
• Entire Building Inaccessible
• Portion of Building Inaccessible
• Building Accessible, Systems Inoperable
• Building (or Portion) Inaccessible, Systems Inoperable
• Reduced Staff Levels
Create Communication Strategies
• Clear Procedures for Notifying Affected Parties
• Immediate Actions
• Status / Next Steps
Common Methods
• PA Announcements
• Phone Trees
• Mass Communication Systems
• Coded Alarms
• Virtual Conference Bridge
• RSS
• Desktop Alerting
• IM
• On-Premise Devices
Develop Plan Documentation
Common Plans
• Crisis Management Plan
• Emergency Response Plan
• Business Continuity Plan
BCP Plan Development: Sample Written Plan Outline
1. Table of contents
2. Plan Description
• Purpose
• Objectives
• Assumptions
• Critical Business Functions and Recovery Time Objectives
3. Plan Declaration
• Authorization to invoke the plan
• Immediate Actions and Notifications
4. Roles and responsibilities
• Key individuals
• Recovery teams (Support, Operations)
5. Site recovery procedures
• Damage assessment
• Alternate worksites
• Functional area recovery plans
− Transportation
− Warehouse
− Inbound Products
− Manufacturing
− Administration
6. Voice/data communication requirements
7. Plan Training, Testing and Maintenance
8. Appendix: vital records and alternate work sites, additional resources, glossary of terms, key contacts
Essential Items for Each Plan
Identify the following items:
1. Key people and teams assigned to the recovery effort
2. Key contacts (customers, suppliers, vendors, internal, external)
3. Work space, computer systems, applications, people, machinery, equipment and supplies needed for recovery
4. Manual workaround procedures
5. One or more alternate places to go to conduct business
6. Outside resources that can assist in the recovery process
Business recovery solution (figure): normal operations (Business Units, Processes, Objectives) are restored through a Work Area for the Business Units, a Data Center (data storage, back up, mirroring), Information Technology (computer equipment, communications, operating systems, applications), Suppliers, Customers, Recovery Teams and a Command Center.
Next Steps
• Review your current plan(s)
• Conduct a hazard vulnerability assessment
• Perform a formal BIA
• Conduct staff BCP training
• Facilitate a tabletop training exercise to rehearse plans
• Develop a full BCP
QUESTIONS?
Jim Burke, VP/Sr. Risk Consultant, HUB International
[email protected], 781.635.9242
Mike DuBose, VP/Sr. Risk Consultant, HUB International
[email protected], 908.246.8409