Deloitte & Touche LLP: ISACA Business Continuity Management Lifecycle

Posted 14-Jan-2015

TRANSCRIPT

Page 1: ISACA Business Continuity Management Lifecycle

Deloitte & Touche LLP

ISACA Business Continuity Management Lifecycle

Page 2

Copyright © 2009 Deloitte Development LLC. All rights reserved.

Agenda

Introductions 12:00 – 12:05
Overview of Business Continuity 12:05 – 12:20
Business Continuity Lifecycle 12:20 – 12:35
Module 1: Analyze 12:35 – 1:05
Break 1:05 – 1:10
Module 2: Develop 1:10 – 1:30
Module 3: Implement 1:30 – 1:50
Issues 1:50 – 1:55
Q&A 1:55 – 2:05

Page 3

OVERVIEW OF BUSINESS CONTINUITY

Page 4

What is Business Continuity Management (BCM)?

Business Continuity Management: “The ability and readiness to manage business interruptions, in order to provide continuity of services at a minimum acceptable level and to safeguard the financial and competitive position in the short and longer term. It includes the organization in place to determine the continuous adaptation to changing risks, changing environment, and coordination of regular training and testing.”

Business Continuity Objectives
• Viability – keeping the company in business
• Earnings/Profit Protection – protecting the enterprise’s financial commitments
• Continuing New Business – preserving the ability to sell in the marketplace
• Brand Protection – avoiding public embarrassment and loss of credibility

Page 5

What is BCM? (cont.)

Elements include:
• Principles of risk management
• Design and implementation of crisis management and emergency operations programs
• Planning for recovery and continued availability of operations during disruptive events
• Designing and implementing business process manual procedures for use during a disruption
• Designing and implementing secure, fault-tolerant systems for continuous availability
• Designing and implementing threat prevention and detection systems
• Development of procedures, acquisition of resources, testing, and maintenance

Page 6

Crisis event timeline

(Figure; the image is not reproduced in the transcript, only its labels.) The timeline runs left to right over Time: Normal Operations → Incident at Hour “0” → Response Period (Emergency Response; Crisis Management Plan activated; Damage Assessment) → Recovery Period (Recovery Begins; IT-DR Plans activated; Business Continuity Plans activated; Recovery in Place) → Restoration Period → Back to Normal.

Page 7

EVOLUTION OF BCM

Page 8

Evolution of BCM

• The future towards a “Resilient Enterprise” – Companies are seeking a paradigm shift in their business continuity program, from a responsive organization to one that is able to predict and isolate events before adverse effects occur.

(Figure: the stages below plotted by Vision against Business Value.)
• Backups – making exact copies of electronic data
• Contingency Plan – procedures to follow after operational mishaps
• Disaster Recovery Plan – plan for the recovery of data processing facilities
• Business Continuity Plan – plan for recovering business operations
• Business Continuity Management – building availability into management processes
• Continuous Availability – automatic rollover of information systems
• Resilience – hardening the enterprise against many foreseeable emergencies
• Predictive Modeling – anticipating the effects of emergencies before they happen

Page 9

Evolution of BCM (cont.)

• A Model of Risk to Business Continuity – Companies are seeking an approach that is business oriented, focusing on the business process instead of applications, and measures based on business risk instead of events.

(Figure: model of risk to business continuity; labels recovered from the slide.)

External Sources
• Empirical Data: legal and regulatory; political and economic; state of affairs; industry-wide insights; geo-political risk; assessment
• Subject Matter Skilled: geo-political risk specialists; economists; forums; executives from diverse industries; networks

Internal Sources
• Company Activities: risk analysis; investment analysis; interviews with key leaders/management; focus groups; process subject matter experts; company strategy; known weaknesses

Scenarios and Threats (people; process; technology; infrastructure; partners; market and economic) → Impacts of Scenarios

Continuous Threat Monitoring

Reality Check: assess response and mitigation plans; redefine/bolster test criteria; reevaluate priorities of risk

Outcomes: enhanced monitoring and mitigation techniques; more preventive and responsive plans

Page 10

Business Impact to Regulatory Requirements

Page 11

Impact of regulatory requirements

Industry / Regulation / Impact on Business Continuity Management

Many Publicly Traded Companies
• Sarbanes-Oxley – Guidelines for corporate governance and oversight of accounting and audit practices, as well as financial record retention
• SEC Policy – Regulates self-regulatory organizations operating trading markets, ECNs and important “shared systems” such as market data feeds; mandates recovery/resumption by next business day; requires business continuity plans, geographic diversity, and industry-wide tests of capacity and connectivity with counterparties
• ISO 17799 – Requires implementation of a BCM process and of an acceptable level of preventive and recovery controls

Healthcare
• HIPAA – Requires data backup, DR and emergency mode operation plans; requires reasonable and appropriate measures relative to the size, complexity and resources of the organization
• FDA – Establishes the requirements for electronic records and electronic signatures

Government
• FISMA and Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001 – Mostly emphasizes data security rather than BC and DR. An important need to be addressed is the requirement that government be open and running during a crisis
• COOP and COG – Establishes minimum planning considerations for federal government operations
• NIST Contingency Planning Guide for Information Technology Systems – Defines detailed recommendations from NIST, requiring contingency, DR and COOP plans. Mandatory security controls will become a federal standard by the end of 2005; NIST 800-53A will provide assessment guidelines closely aligned to the controls listed in NIST 800-53

Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005

As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Page 12

Business impact to regulatory requirements (cont.)

Finance
• FFIEC – Specifies that directors and managers are accountable for organization-wide contingency planning and for “timely resumption of operations in the event of a disaster”
• Gramm-Leach-Bliley – Requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards for the confidentiality and integrity of customer records and information. Financial institutions are required to establish measures to monitor and manage security systems
• Basel II (Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003) – Requires that banks put in place BC and DR plans to provide for continuous operation and to limit losses
• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003 – More focused on systemic risk than on individual enterprise recovery. Requires BCPs to be upgraded and tested to incorporate risks discovered as a result of the World Trade Center disaster
• EFA – Requires federally chartered financial institutions to have a demonstrable BCP so that funds remain promptly available
• NASD 3510/3520 and NYSE Rule 446 – Mandate that securities firms establish Business Continuity Plans for critical systems and demonstrate compliance with many aspects of the regulation, including senior management review and approval, customer disclosure, and maintenance of Business Continuity Plans
• SEC Rule 17a-4 – Requires securities firms to preserve electronic records in a non-rewriteable, non-erasable format, with a focus on archival practices for email systems and instant messaging

Page 13

Business impact to regulatory requirements (cont.)

Utilities
• GASB – Requires a BCP to provide that the agency mission continues in time of crisis.
• NERC – Recovery plans currently voluntary. Includes BC in information security standards for the industry-government partnership (guided by the Critical Infrastructure Protection Committee [CIPC]).
• FERC – Mandates recovery plans.
• RUS 7 CFR Part 1730, 2005 – Emergency restoration plan required as a condition of continued borrowing.
• Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity – Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers.
• Chemical Facilities Security Act – Mandates that chemical operators craft vulnerability assessments and site security plans, and grants authority to the Department of Homeland Security to regulate those plans and oversee security at the nation's chemical plants.

Page 14

Business Continuity Management Life Cycle

Page 15

Business Continuity Management Life Cycle

The Deloitte & Touche Approach to Business Continuity Management (figure): Analyze → Develop → Implement, with Continuous Improvement / Quality Assurance spanning all three phases.
• Analyze: Current State Assessment; Risk Assessment; Business Impact Analysis
• Develop: Governance; Availability/Recoverability Strategies; Procedures
• Implement: Resource Acquisition/Implementation; Training; Testing

Page 16

Module 1: ANALYZE

Page 17

Current State Assessment

Analyze: 1 Current State Assessment | 2 Risk Assessment | 3 Business Impact Analysis

Objective: To assess the organization’s current BCM program status, including identifying any existing gaps, and to provide a quick, high-level report card based on observations and interviews.

Overview: A current state assessment examines each major component important to a BCM program. It includes the following:
• Evaluate the current BCM program
• Determine where the organization currently sits on a “lagging” to “leading edge” maturity scale
• Compare with industry peer status (optional, depending on scope and availability of information)
• Align BCM program objectives with management’s goals and objectives

Page 18

Current State Assessment (cont.)

Key Considerations: The current state assessment framework could be organized into the following 15 components.

• Leadership/Governance

• Regulatory/Industry Compliance

• Crisis Management

• Business Process/Work Recovery Plans

• Centralized IT Recovery Plans

• Distributed IT Recovery Plans

• Desktop-Technology Plans

• Data Communications

• Voice Communications

• Data/Vital Records

• Facilities/Infrastructure

• Third-Party Continuity

• Testing

• Training

• Life Safety

Page 19

Partial Sample Current State Assessment Summary

Maturity scale: 1 – Lagging; 2 – Awareness; 3 – Partial Implementation; 4 – Implemented; 5 – Leading. Each line below is the descriptor for that category at that level.

Technology

Facilities / Infrastructure
1 – Building security/safety plans exist; limited business requirements
2 – Awareness of need to support alternate workspace, relocation, and utilities backup/recovery
3 – Facilities plans in development. Utilities backup/recovery planned, not fully implemented
4 – Facilities plans implemented to support resiliency. UPS and diesel generators. Annual testing
5 – Exploration and implementation of public/private response cooperation

IT Disaster Recovery
2 – Many single points of failure. Limited awareness of the impact of full technology outage
3 – Risk analysis performed. Redundancy built in for power, some redundancy in place for key technology components. Technology assessment full; mitigation of risk; IT recovery sites identified
4 – Recovery plans address many aspects of IT. Examining electronic vaulting, journaling, data replication solutions
5 – Leading technologies implemented providing data and system redundancy from separate locations

Telecommunications
2 – Single telecomm provider. Limited awareness of the impact of full telecomm outage
3 – Recovery strategy addresses partial telecomm redundancy with limited recoverability
4 – Recovery plans address many telecomm requirements and are incorporated into annual testing
5 – Leading telecommunications technologies such as Internet, cellular, and radio frequency are built into recovery plans

Data / Vital Records
1 – Inconsistent data retention and offsite storage program in place
2 – Data backups stored offsite. Frequencies and methods driven by IT system and application requirements
3 – Data backups taken for many platforms (operating systems, applications and data) and tested at remote site. Imaging program in place
4 – Examining methods for minimizing potential data loss and providing duplicate copies of data at multiple sites
5 – Leading technologies such as electronic vaulting, journaling, mirroring are implemented. Duplicate copies of all data are maintained

People

Life Safety
1 – Absence of life safety measures. No evacuation routes posted or evacuation drills performed
2 – Evacuation routes and emergency medical procedures posted
3 – Periodically conduct evacuation drills and medical emergency training. Floor wardens established
4 – Annual testing of evacuation and medical emergency procedures. Drills and emergency response coordinated with local authorities
5 – Integrated evacuation and medical testing between Crisis Management, Business Units, IT, Facilities, and external parties

Training and Awareness
1 – Absence of BCP training and awareness program
2 – IT Department and Business Unit are trained to execute recovery plan activities
3 – Regular BCP training sessions conducted. BCP training manuals distributed to key employees
4 – BCP training program established, including regular employee contact and continuous improvement
5 – Pro-active BCP training process, including factoring BCP/BCM into design and implementation

Page 20

Sample Current State Continuum

(Figure: current-state rating (C) and goal-state rating (G) plotted for each sub-category on the scale 1 – Lagging, 2 – Awareness, 3 – Partially Implemented, 4 – Implemented, 5 – Leading; the individual ratings are not recoverable from the transcript.)

Category / Sub-Category
• Management / Process: Leadership / Governance; Regulatory / Industry Compliance; Crisis Management; Business Process / Work Recovery; Testing (validation); Third Party Continuity
• Technology: Centralised Information Technology; Distributed Information Technology; Data / Vital Records; Voice Communications; Data Communications
• Buildings: Primary Site; Backup Site
• People: Life Safety; Training

Legend: C = Current State, G = Goal State

Page 21

Risk Assessment

Objective: To assess existing business continuity threats and recommend solutions to further mitigate vulnerability where appropriate.

Overview: A risk assessment is a broad analysis of the potential hazards, threats, and perils that can disrupt the continuity of the organization’s business processes.
• A list of inherent risks and the likelihood of occurrence is developed based on natural and man-made events known to the area and to the organization’s industry
• Existing experience is gathered through Internet research and select interviews
• Based on the mitigating measures already implemented, an overall “residual risk” rating is developed
• Risk avoidance solutions are recommended by the project team to close gaps between the residual risk and an estimated risk tolerance for the organization

Page 22

Risk Assessment (cont.)

Key Considerations
• Identification of credible threats
• Site-specific history of threat occurrences

Risk – the exposure to loss, injury, and/or major business disruption. Types of risk include:

1. Inherent Risk – risk that any business is exposed to, involving multiple threats that can impact the company’s ability to perform major business processes. These risks have a potential negative impact on business resources including people, assets and information. Companies can implement additional measures to either prevent their occurrence or mitigate their impact

2. Residual Risk – risk that remains after taking into account the organization's existing mitigation measures. Businesses may not be able to completely remove residual risk. Business continuity plans are usually implemented in an effort to deal with the residual risk, reducing the threats to a level that is acceptable to management

Page 23

Risk Assessment (cont.)

Inherent and residual risk (figure):

THREATS + CONSEQUENCES FOR RESOURCES = INHERENT RISK
• Threats: natural; accidental; deliberate; technical
• Consequences – Level 1: confidentiality; availability; integrity; accuracy; completeness. Level 2: strategy; transaction; compliance; reputation; other
• Resources: people; assets; information; customers; vendors; other stakeholders; other

INHERENT RISK – CONTROLS = RESIDUAL RISK
• Controls: preventing controls; mitigating controls

Page 24

Risk Assessment (cont.)

Risk Assessment Approach: General risk is based on NFPA 1600 (www.nfpa.org), which groups risk into three categories:
• Natural Events – risk driven by natural events or acts of God
• Technological Events – risk driven by technology, broadly defined
• Human Events – events driven by acts of specific individuals, both internal and external to the organization

Specific risk is further assessed based on:
• Infrastructure single points of failure (SPOF)
• Reliance on few individuals
• Reliance on third parties

Page 25

Risk Assessment (cont.)

Sample Threat List, Grouped by Threat Category

Threat type / cause – Examples
• Health – Bioterrorism (anthrax, plague, etc.); pandemic; traveler’s health; food/water safety; chemical hazard; workplace injuries; radiation emergencies
• Natural – Flooding; earthquake; hurricane; landslide; sandstorm; snow/ice storm; tornado; wind storm
• Man-Made – Bomb threat; computer crime/theft; inadvertent disclosure; fire; fraud; hacking; human error (administration neglect, data entry); extortion/embezzlement; loss of key personnel; non-compliance (ignorance or willful); riot/civil disorder; sabotage; labor strike; theft/loss
• Technological – Alteration of data; alteration of software; disclosure; hardware failure; malicious code; software error; telecom outage; vandalism/cyber-vandalism
• Infrastructural – Power failure/fluctuation; hazardous material spill; emanations; fire; water pipe leak/burst; telecom outage

Page 26

Risk Assessment (cont.)

Sample Threat Chart (figure not included in the transcript)
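The model on the preceding slides can be exercised as a small scoring routine: threats are scored for likelihood and consequence to get inherent risk, existing preventing and mitigating controls are subtracted to get residual risk, and residual risk is compared with management's risk tolerance to find the gaps the project team recommends solutions for. The code below is an added example written for this transcript, not part of the Deloitte deck or any ISACA material. Everything numeric is an assumption for illustration: the 1–5 likelihood and impact scales, the rule that preventing controls scale likelihood down while mitigating controls scale impact down, the control effectiveness figures, the tolerance of 6, and the five-entry register (its entries are threat types named on the sample threat list, the scores are made up).

```python
"""Inherent/residual risk scoring for a BCM threat register.

Model (assumptions for this example, not from the slides):
  inherent risk = likelihood (1-5) x impact (1-5)
  residual risk = inherent risk after controls: preventive controls scale
                  likelihood down, mitigating controls scale impact down
  gap           = residual risk above management's risk tolerance
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Risk categories from NFPA 1600 as named on the slide.
NFPA_CATEGORIES = ("Natural", "Technological", "Human")


@dataclass
class Control:
    name: str
    kind: str             # "preventive" or "mitigating"
    effectiveness: float  # fraction of likelihood (preventive) or impact (mitigating) removed, 0..1

    def __post_init__(self) -> None:
        if self.kind not in ("preventive", "mitigating"):
            raise ValueError(f"unknown control kind {self.kind!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be within 0..1")


@dataclass
class Threat:
    name: str
    category: str     # one of NFPA_CATEGORIES
    likelihood: int   # 1..5, from the site-specific history of occurrences
    impact: int       # 1..5, consequence for resources (people, assets, information, ...)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in NFPA_CATEGORIES:
            raise ValueError(f"category must be one of {NFPA_CATEGORIES}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact are scored 1..5")

    def inherent_risk(self) -> float:
        """THREATS + CONSEQUENCES: the exposure before any control is considered."""
        return float(self.likelihood * self.impact)

    def residual_risk(self) -> float:
        """INHERENT RISK - CONTROLS: the exposure the BCP has to deal with."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c.kind == "preventive":
                likelihood *= 1.0 - c.effectiveness
            else:
                impact *= 1.0 - c.effectiveness
        return likelihood * impact


def assess(threats: List[Threat], tolerance: float) -> List[Dict[str, object]]:
    """Rank the register by residual risk and size the gap above the tolerance."""
    rows = []
    for t in threats:
        residual = t.residual_risk()
        rows.append({
            "name": t.name,
            "category": t.category,
            "inherent": t.inherent_risk(),
            "residual": residual,
            "gap": max(0.0, residual - tolerance),  # what still has to be closed
        })
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"], r["name"]))


def worst_residual_by_category(threats: List[Threat]) -> Dict[str, float]:
    """Worst-case residual risk per NFPA 1600 category, for a summary chart."""
    worst: Dict[str, float] = {}
    for t in threats:
        worst[t.category] = max(worst.get(t.category, 0.0), t.residual_risk())
    return worst


# Constructed sample register (scores and controls are illustrative).
SAMPLE_THREATS = [
    Threat("Flooding", "Natural", 2, 5,
           [Control("site above flood plain", "preventive", 0.5)]),
    Threat("Power failure", "Technological", 4, 4,
           [Control("UPS and diesel generators", "mitigating", 0.75)]),
    Threat("Hacking", "Human", 4, 5,
           [Control("patching and hardening", "preventive", 0.5),
            Control("offsite backups", "mitigating", 0.5)]),
    Threat("Loss of key personnel", "Human", 3, 4),
    Threat("Telecom outage", "Technological", 3, 4,
           [Control("second carrier", "mitigating", 0.5)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS, tolerance=6.0):
        flag = " <-- above tolerance" if row["gap"] > 0 else ""
        print(f"{row['name']:<24}{row['category']:<15}"
              f"inherent={row['inherent']:>5.1f} residual={row['residual']:>5.1f}{flag}")
```

Running the module prints the register ranked by residual risk with above-tolerance entries flagged. With the constructed data only the uncontrolled "Loss of key personnel" entry exceeds the tolerance, even though "Hacking" has the highest inherent score; that difference between inherent and residual ranking is exactly what the slide's two relations are meant to surface.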

Page 27

Business Impact Analysis

Objective: To establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for major business processes, based on a structured approach to estimating the financial and operational impacts associated with disruptions. RTO is the business tolerance for operational downtime; RPO is the maximum allowable data loss. The BIA is also used to identify the resource requirements necessary to meet the RTO and RPO.

Overview: A Business Impact Analysis (BIA) is the cornerstone of a BCM program.
• It identifies the impacts, as a function of time, resulting from a major unplanned disruption to one or more business processes
• It provides measurable metrics to assist management with the business case for making the appropriate investment in business continuity solutions
• It identifies external and internal interdependencies of business functions, technologies, and services and analyzes the overall impact of outages to determine appropriate solutions. It also leverages a structured approach, tools and templates to provide an enterprise view of business impacts

Page 28: ISACA Business Continuity Management Lifecycle


Key Considerations: Sample Results from a BIA

• Identify the RTO and RPO for each major business process

• Identify existing departmental business continuity and disaster recovery capabilities, including departmental recovery capabilities

• Business functions within each department deemed critical by management

• Information flow of operations within each department and location, and any interdependencies between them

• Existing business resources that support these functions including, but not limited to, information technology, electronic and paper-based vital records, hardware, software, telecommunications, etc.

• Resources within each department deemed necessary for the various disruption scenarios discussed

• Ability to meet regulatory compliance obligations at the time of a disaster

• Minimum operating requirements are your organization's key operating resource dependencies; they must be replicated at alternate recovery facilities, including people, vital records, communications, facilities, equipment and IT infrastructure

Business Impact Analysis

Page 29: ISACA Business Continuity Management Lifecycle

Identification of dependencies

• 3rd Parties (Vendors, Customers, Service Providers)
• Human Resources
• Technology (Application, Data, Infrastructure)
• Equipment
• Building (Facilities / Utilities)

Business Impact Analysis

Page 30: ISACA Business Continuity Management Lifecycle

Measuring Financial Impact

The types of impacts of disruption for an organization are grouped by:

Quantitative – Financial in nature; where dollar values or ranges can be estimated. Examples are:
– Revenue loss; fines; cash flow; accounts receivable; accounts payable discounts; legal liability; loss of productivity; etc.

Operational and Qualitative – More difficult to quantify; obtained by estimating impacts based on a ranking scale from minimal to significant. Examples are:
– Customer service; human resources; employee morale; confidence; legal; social and corporate image; credibility; etc.

Business Impact Analysis

Page 31: ISACA Business Continuity Management Lifecycle

Measuring Financial Impact (cont.)

The Most Significant Quantitative Impacts for a Commercial Enterprise:

Revenue Impacts – Sales revenue, professional fees or other financial losses that can be estimated based on an hourly cost of operational downtime or the chronological loss of data records. Revenue loss should be understood as a one-time financial loss tied to a single event. One-time revenue impacts should be measured separately from the loss of future revenue tied to the permanent loss of customers who have become dissatisfied as a result of the business disruption and have chosen to take their business elsewhere.

Productivity Impacts – Can be quantified by estimating the percentage change in effectiveness (i.e. reduction in normal work product) for a business function relative to operational downtime and/or the chronological data/records loss. Assuming the normal productivity of a group of workers to be 100%, the organization can estimate how productivity degrades during downtime or as a result of data/record loss. One approach is to multiply this percentage of productivity loss by the full-time pay rate of each employee within a business function, to quantify the cost of productivity loss for that function over time.

Business Impact Analysis

Page 32: ISACA Business Continuity Management Lifecycle

Measuring Financial Impact (cont.)

The Most Significant Financial Impacts for a Commercial Enterprise:

Market Share Loss – Losses from customers who are so dissatisfied by the business disruption that they permanently take their business to another company. This results in a future revenue loss. To calculate such losses:

1. First, estimate the number of customers that may be permanently lost related to operational downtime and/or chronological data record loss. This number will likely grow as operational downtime and/or chronological record loss grows.

2. Second, the organization must be able to define the average lifetime of a typical customer in months or years.

3. Last, multiply these variables by an estimate of the average monthly revenue per customer. This quantifies future revenue losses due to permanent customer loss.

Regulatory Fines and Sanctions – Depending on the enterprise, potential liabilities for non-compliance with applicable regulations can range from minor to disastrous.

Business Impact Analysis
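As an added worked example (not part of the deck), the four quantitative impact categories above are modelled in Python as a function of downtime, and the RTO is then read off the curve as the longest outage whose total impact stays within the loss management has said it will tolerate. Every rate, count, curve and the function names are constructed assumptions for one hypothetical business function.

```python
"""BIA impact as a function of downtime, and an RTO derived from it.

Added example (not from the deck). Every rate and count below is a constructed
sample value for one hypothetical business function; replace them with the
figures gathered in the BIA interviews.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FunctionProfile:
    """Inputs a BIA gathers for one business function (constructed sample values)."""
    revenue_per_hour: float            # sales revenue normally booked per hour
    headcount: int                     # full-time staff in the function
    hourly_pay_rate: float             # loaded pay rate per employee, per hour
    customers: int                     # active customers served by the function
    avg_customer_lifetime_months: float
    avg_monthly_revenue_per_customer: float
    max_tolerable_loss: float          # loss management has said it will accept


def productivity_loss_fraction(hours: float) -> float:
    """Share of normal output lost while the function is down (assumed curve:
    staff cope on paper for a few hours, then mostly stall)."""
    if hours <= 4:
        return 0.4
    if hours <= 24:
        return 0.7
    return 0.9


def customers_lost_fraction(hours: float) -> float:
    """Share of customers assumed to leave permanently; grows with downtime,
    as the deck's market-share step 1 describes (assumed step curve)."""
    if hours < 24:
        return 0.0
    if hours < 72:
        return 0.01
    if hours < 168:
        return 0.05
    return 0.15


def regulatory_fine(hours: float) -> float:
    """Assumed fine once a 48-hour reporting obligation is missed."""
    return 250_000.0 if hours >= 48 else 0.0


def impact_breakdown(p: FunctionProfile, hours: float) -> dict:
    """The deck's four quantitative impact categories for a given downtime."""
    revenue = p.revenue_per_hour * hours          # one-time loss tied to this event
    productivity = (productivity_loss_fraction(hours)
                    * p.hourly_pay_rate * p.headcount * hours)
    # Market share loss: customers lost x average lifetime x monthly revenue
    market_share = (customers_lost_fraction(hours) * p.customers
                    * p.avg_customer_lifetime_months
                    * p.avg_monthly_revenue_per_customer)
    return {
        "revenue": revenue,
        "productivity": productivity,
        "market_share": market_share,
        "fines": regulatory_fine(hours),
    }


def total_impact(p: FunctionProfile, hours: float) -> float:
    return sum(impact_breakdown(p, hours).values())


HORIZONS = (1, 4, 8, 24, 48, 72, 168, 336)   # downtime points the BIA tabulates


def impact_table(p: FunctionProfile) -> list:
    """(hours, total impact) pairs: the 'impact as a function of time' curve."""
    return [(h, total_impact(p, h)) for h in HORIZONS]


def derive_rto(p: FunctionProfile):
    """RTO = longest tabulated outage whose total impact stays within the
    loss management will tolerate; None if even the first horizon exceeds it."""
    rto = None
    for hours, impact in impact_table(p):
        if impact > p.max_tolerable_loss:
            break
        rto = hours
    return rto


# Constructed profile for a hypothetical order-entry desk.
ORDER_ENTRY = FunctionProfile(
    revenue_per_hour=5_000.0, headcount=20, hourly_pay_rate=50.0,
    customers=2_000, avg_customer_lifetime_months=36,
    avg_monthly_revenue_per_customer=400.0, max_tolerable_loss=500_000.0,
)

if __name__ == "__main__":
    for hours, impact in impact_table(ORDER_ENTRY):
        print(f"{hours:4d} h  ${impact:>12,.0f}  {impact_breakdown(ORDER_ENTRY, hours)}")
    print("RTO (hours):", derive_rto(ORDER_ENTRY))
```

A None result is itself a finding: the tolerance management stated cannot be met by any tabulated outage, so either the tolerance or the function's dependencies have to be revisited.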

Page 33: ISACA Business Continuity Management Lifecycle

Auditing Module 1

Risk Assessment:
• Does a risk assessment exist, when was it last updated and what facilities or business functions does it cover?
• Has a residual risk been assigned to each threat, with mitigation strategies and single points of failure (SPOF)?
• Has it been reviewed and accepted by senior management?

Business Impact Analysis:
• Does a BIA exist and when was the last time it was updated?
• Does a prioritized list, including recovery timeframes of business functions or units and applications, exist, and has it been reviewed and accepted by senior management?
• Have interdependencies been outlined, including other business functions or units, facility, personnel, equipment, technology and vendors?
• Have quantitative and qualitative impacts been identified?

Page 34: ISACA Business Continuity Management Lifecycle

BREAK


Page 35: ISACA Business Continuity Management Lifecycle

Module 2: DEVELOP


Page 36: ISACA Business Continuity Management Lifecycle

Develop: 4 Governance | 5 Availability/Recoverability Strategies | 6 Plans & Documentation

Governance

Objective: To introduce key BCM governance practices; to explain the operational and functional roles and responsibilities of management; to promote a successful BCM program.

Overview: Business Continuity Governance oversight includes senior management's involvement in the overall program. The governance program should involve the BCM steering committee, program standards and guidelines, monitoring and updating standards, Board reporting, budget approval, and goal setting.

BCM proposals should highlight that our demonstrated methodology includes a structured approach to Governance to further distinguish us from our competition.

Page 37: ISACA Business Continuity Management Lifecycle

Key Considerations

Must identify a senior management champion. A visible corporate sponsor is an influencer in the budgeting process.

Integrate effective governance as much as possible into the organization's leadership structure; the goal is to embed BCM in the corporate culture. Understand the strategic business continuity goals. Refer to any business availability and recovery priority requirements developed as part of a BIA. The governance process should include the triggers to re-evaluate this information when business changes occur.

Reassess staffing levels. It is common that an organization has staff dedicated to business continuity. Assessing the staffing structure should be based on the governance model developed, to determine that the program can meet expectations.

Identify primary and secondary resources to fill roles. This is critical and ideally includes BCM responsibilities within the formal performance appraisal process.

Develop BCM policies and roles and responsibilities that make business continuity a key accountability throughout the organization.

Governance

Page 38: ISACA Business Continuity Management Lifecycle

Governance Approach: Governance Decision Framework
The governance approach consists of both a regulatory and an organizational structure.

BCM Governance Decisions

Leadership
• What is the overall direction for the business and related IT within the corporation?
• What are the cultural values regarding risk management?
• How should key stakeholders be represented?

Planning
• What should the corporate business recovery strategy include?
• What should be the corporate IT recovery goals?
• How should BCM program management be measured?

Policy
• What should the fundamental BCM operating principles be?
• What internal BCM standards, rules and protocols are needed?

Allocating Capital
• How should limited resources be efficiently allocated?
• What capital is available for investment?
• What criteria should be used to dictate BCM investment decisions?
• What process should be used to review expenditures?

Coordination & Compliance
• What process should be used to determine compliance with BCM standards and obligations?
• How should Corporate BCM coordinate recovery activities between organizational units?

Monitoring & Control
• What qualitative benchmarking should be performed?
• How should periodic BCM progress reports be created and reviewed?
• What corrective action should be taken as key findings are made?
• How should the organization determine that corrections take place?

Governance

Page 39: ISACA Business Continuity Management Lifecycle

Governance Approach: Policy Development
A company policy must contain enough information to carefully reflect your organization's BCM program. It should include the sections listed below; use the following sample company policy as your guide.

• Policy Introduction
• Authority
• Scope
• Audience
• Governance Policy
  – Purpose
  – Scope
  – Governance structure business objectives
  – Governance framework (refer to module 2.2)
  – Program administration roles & responsibilities
  – Crisis management roles & responsibilities
• Business Continuity Policy Statements ("Thou Shall") for:
  – Assessment
    • BIA
    • Critical ratings
  – Crisis management
    • Team activation & escalation
    • Damage assessment
    • Crisis management plan
    • Employee response & communication for events occurring DURING business hours: evacuation & assembly; crisis calling procedures; staff & corporate communications
    • Employee response & communication for events occurring AFTER business hours: crisis calling procedures; staff & corporate communications
    • Command post
    • Crisis communications
    • Business recovery plan activation procedures
    • Plan distribution
  – Business recovery plan
  – Testing
    • Types
    • Calendar & frequency
    • Strategy: assumptions; objectives; success criteria; retesting/post-test activities
  – Maintenance
    • Scheduled triggers
    • Unscheduled triggers
  – Monitoring & reporting
  – Training
  – Awareness
• Compliance
• Non-compliance
• Communication
• Technology & Tools

Governance

Page 40: ISACA Business Continuity Management Lifecycle

Governance Approach: Governance Framework
A successful business continuity governance model must align the business continuity lifecycle to accountable resources within the organization's structure. The Governance Framework includes a RACI matrix that assigns cross-functional responsibilities. The following is a sample of the RACI Governance Framework that highlights the value of a RACI matrix:

• (R) Responsible – Doing the work
• (A) Accountable – The buck stops here
• (C) Consulted – Adds input
• (I) Informed – Kept abreast of activities

Milestone/Task                 Technologist   Business Dept. Head   Business Continuity Coordinator   Chief Information Officer   Chief Risk Officer
Identify System Outage         R              C                     I                                 A                           I
Assess Situation               C              I                     C                                 R                           A
Accept Disaster Declaration    I              R                     C                                 I                           A
Invoke Life Safety Procedures  I              I                     R                                 C                           A

Governance

Page 41: ISACA Business Continuity Management Lifecycle

Governance Approach: Governance Structure

[Figure: organization chart of the BCM governance structure. Bodies shown: Board of Directors; Audit Committee; Executive Management Team; Business Continuity Management; Business Area Leaders; Business Area Continuity Teams; Corporate Support Team (Human Resources, Facilities, Media Relations, Legal, Risk Mgt., Other); Corporate Information Technology Recovery; Regulatory Agencies.]

Governance

Page 42: ISACA Business Continuity Management Lifecycle

Availability/Recovery Strategies

Objective: To recommend tactical and strategic solutions to enable the organization to meet the availability and recoverability objectives established during the Business Impact Analysis. Recommended alternatives are based on criteria developed to be compatible with the organization's risk tolerance.

Overview:

Compile a list of potential solutions that meet the RTOs and RPOs accepted by management.

Develop selection criteria, and their order of importance, based on key operational, cost, and risk attributes to assist with the selection approach.

Establish management expectations regarding the level of detail necessary in the alternative definitions and costs, in order to obtain directional approval.

If rapid recovery is not required, relocation, restoration and rebuilding may be appropriate strategies.

Page 43: ISACA Business Continuity Management Lifecycle

Key Considerations

There are no universal solutions when designing availability and recoverability strategies.

Consider legal and regulatory requirements, as well as company policies and culture.

Consider both the formal organization of a company as well as the informal delegation of authority when defining solutions.

Consider operational enhancements that may result from a solution in addition to its recovery capabilities. For example, if data networks need to be resilient, it may add value to provide voice network resiliency as well, even if the RTO does not require it. If both travel over the same physical facilities, conduits, carriers, frames, etc., the recovery of data communications will allow recovery of voice communications at minimal incremental cost.

Eliminate non-viable alternatives from consideration as soon as possible.

Availability/Recovery Strategies

Page 44: ISACA Business Continuity Management Lifecycle

Availability/Recovery Strategies: Practical Approach

[Figure: inputs feeding the Recommended Solutions. Boxes: Strategic Drivers; Build on Strengths & Reduce Limitations; Continuity Process Design; Executive Alignment and Buy-In; Leading Practices; Industry & Market Trends; Business Process Needs based on BIA and Risk Analysis.]

• Strategic Drivers are the considerations (network, people, etc.) to be factored in when looking at recovery capability from both a risk avoidance and business continuity point of view.
• Understand strengths and limitations of the current environment
• Understanding business needs
• Consolidation and globalization
• Increased regulatory scrutiny
• Threat from intentional acts of terrorism
• Reduced tolerance for downtime
• Leading business practices
• Achieving high-quality performance based on cost-benefit analysis

Availability/Recovery Strategies

Page 45: ISACA Business Continuity Management Lifecycle

The list below describes 15 categories that may require a strategy to recover from a major unplanned disruption. This list is meant to be suggestive rather than exhaustive.

• Business Process
• Facility
• Technical – Desktop
• Technical – Centralized and Distributed
• Voice
• Data Network
• Electronic Data
• Vital Hard Copy Records
• Testing and Maintenance
• Training and Awareness
• Governance
• Crisis Management
• Third-party
• Life Safety
• Regulatory

Availability/Recovery Strategies

Page 46: ISACA Business Continuity Management Lifecycle

[Figure: Range of Recovery Alternatives for Business Function Availability – Continuum of Availability Strategies. Axes: Cost of Solution ($$$) against Time to Functional Availability (Seconds, Minutes, Hours, Days, Weeks). Alternatives shown, fastest to slowest: Dedicated Workspace (Dedicated Facility & Infrastructure Supporting Providing Immediate Access to a Replicated Work Environment); Pre-staged Workspace (Dedicated Facility with Quick Ship for Desktop Technology); Commercial Work Area (Shared Vendor Facility with Desktop Technology (PC and Voice)); Remote Access (Third Party Offices with Critical IT Connectivity); Mobile Facility (Vendor Shipped Facility Configured for Quick Set-up); Acquisition (Leading Effort at Time of Disaster).]

Availability/Recovery Strategies

Page 47: ISACA Business Continuity Management Lifecycle

Summary Description of Business Function Availability Alternatives

Dedicated Workspace
  Recovery Time: Zero to 8 Hours
  Relative Cost: Floor space: $$$$  Infrastructure: $$$$  Network: $$$$  Total Cost: $$$$

Pre-staged Workspace
  Recovery Time: 4 Hours to 24 Hours
  Relative Cost: Floor space: $$$$  Infrastructure: $$  Network: $$$  Total Cost: $$$

Commercial Work-area
  Recovery Time: 12 Hours to 72 Hours
  Relative Cost: Floor space: $$$$  Infrastructure: $  Network: $$$  Total Cost: $$$

Remote Access
  Recovery Time: 4 Hours to 5 Days
  Relative Cost: Floor Space: N/A  Infrastructure: $$$  Network: $$  Total Cost: $$

Mobile Facility
  Recovery Time: 3 Days to 10 Days
  Relative Cost: Floor Space: $$$  Infrastructure: $$  Network: $$  Total Cost: $$

Acquisition
  Recovery Time: 5 Days to 21 Days
  Relative Cost: Floor Space: N/A  Infrastructure: N/A  Network: N/A  Total Cost: N/A

Description column as it appears on the slide: Remote Server Clustering with Application Load Balancing and/or Intelligent Fail-Over Processing; Remote Server Clustering with Manual Fail-Over Requiring Operator Intervention; Restoration of Application Processing to Pre-Staged Network and Dedicated IS Infrastructure; Restoration of Application Processing to Pre-Staged Network and Limited IS Infrastructure; Restoration of IS to Pre-Staged Facility & Utility, Infrastructure Acquired at Time of Disaster; Leading Effort At Time of Disaster to Acquire Facility & Infrastructure, Data Restored From Tape Backup.

Availability/Recovery Strategies

Page 48: ISACA Business Continuity Management Lifecycle

[Figure: Range of Recovery Alternatives for IT Application Availability – Continuum of Availability Strategies. Axes: Cost of Solution ($$$) against Time to Functional Availability (Seconds, Minutes, Hours, Days, Weeks). Alternatives shown, fastest to slowest: Automatic Fail-Over (Dedicated Facility & Infrastructure Supporting Automated Fail-Over and Application Load-Balancing); Manual Fail-Over (Dedicated Facility & Infrastructure Supporting Manual Fail-Over); Hot-Site (Pre-Staged Facility, IT Equipment, & Network, shared or dedicated); Warm-Site (Pre-Staged Facility, Utility, & Network, Awaiting Equipment Delivery, shared or dedicated); Cold-Site (Facility, Utility, & Environmental Only); Acquisition (Leading Effort at Time of Disaster).]

Availability/Recovery Strategies

Page 49: ISACA Business Continuity Management Lifecycle

Summary Description of Availability Alternatives

Automatic Fail-Over
  Description: Remote Server Clustering with Application Load Balancing and/or Intelligent Fail-Over Processing
  Recovery Time: Zero to 60 Minutes
  Relative Cost: Storage: $$$$  Hosts: $$$$  Network: $$$$  Facilities: $$$$

Manual Fail-Over
  Description: Remote Server Clustering with Manual Fail-Over Requiring Operator Intervention
  Recovery Time: 60 Minutes to 12 Hours
  Relative Cost: Storage: $$$$  Hosts: $$$$  Network: $$$  Facilities: $$$$

Hot-Site
  Description: Restoration of Application Processing to Pre-Staged Network and Dedicated IS Infrastructure
  Recovery Time: 12 Hours to 72 Hours
  Relative Cost: Storage: $$$  Hosts: $$$  Network: $$$  Facilities: $$$

Warm-Site
  Description: Restoration of Application Processing to Pre-Staged Network and Limited IS Infrastructure
  Recovery Time: 48 Hours to 5 Days
  Relative Cost: Storage: $$  Hosts: $$  Network: $$  Facilities: $$$

Cold-Site
  Description: Restoration of IS to Pre-Staged Facility & Utility; Infrastructure Acquired at Time of Disaster
  Recovery Time: 96 Hours to 14 Days
  Relative Cost: Storage: N/A  Hosts: N/A  Network: $  Facilities: $$$

Acquisition
  Description: Leading Effort At Time of Disaster to Acquire Facility & Infrastructure; Data Restored From Tape Backup
  Recovery Time: 10 Days to 30 Days
  Relative Cost: Storage: N/A  Hosts: N/A  Network: N/A  Facilities: N/A

Availability/Recovery Strategies

Page 50: ISACA Business Continuity Management Lifecycle

[Figure: Range of Recovery Alternatives for Data Recovery – Continuum of Data Recovery Strategies. Axes: Cost of Solution ($$$) against Chronological Point in Time for Data Recovery (Days, Hours, Minutes, Seconds, Zero). Strategies shown, least to most data loss: Synchronous Mirroring (Real-Time Data Volume Mirroring, no data loss); Asynchronous Replication (Near Real-Time Data Replication, with limited data loss); Stand-By Database (Remote Data-Base Replication with Electronic Journaling); Remote Journaling (Transaction Replication to Remote Facility); Electronic Vaulting (Bulk Data Transfer, time/event driven); Traditional Data Recovery (Tape Based Backup & Recovery – daily, weekly, monthly).]

Availability/Recovery Strategies

Page 51: ISACA Business Continuity Management Lifecycle

Summary Description of Data Recovery Alternatives

Synchronous Mirroring
  Description: Real-Time Remote Disk Volume Mirroring (equivalent to remote RAID-1)
  Data Recovery Point: Zero Data Loss
  Relative Cost: Storage: $$$$  Hosts: $$$  Network: $$$$  Tape: N/A

Asynchronous Replication
  Description: Near Real-Time Remote Disk Volume Mirroring or Data Replication
  Data Recovery Point: Data Recovery Within Seconds to Minutes of Last Transaction, Track Change, or Other Delta
  Relative Cost: Storage: $$$$  Hosts: $$$  Network: $$$$  Tape: N/A

Stand-By Database
  Description: Remote Transaction Journaling or Vaulting as Applied To a Standing Database
  Data Recovery Point: Data Recovery Within Seconds or Minutes of Point of Failure
  Relative Cost: Storage: $$$  Hosts: $$  Network: $$$  Tape: $

Remote Journaling
  Description: Remote Transaction Data Recovery Near to Point of Failure
  Data Recovery Point: Data Recovery Within Seconds or Minutes of Point of Failure
  Relative Cost: Storage: $$  Hosts: $$  Network: $$$  Tape: $

Electronic Vaulting
  Description: Bulk Data Transfer to Remote Tape/Disk as Triggered By Time or Event
  Data Recovery Point: Data Recovery Within Minutes or Hours of Point of Failure
  Relative Cost: Storage: $$  Hosts: $  Network: $$  Tape: $

Traditional Data Recovery
  Description: Weekly, Nightly or Intra-Day Backup To Off-Line Tape Media That Is Manually Moved Off-Site
  Data Recovery Point: Data Recovery Within Hours or Days Of Point of Failure
  Relative Cost: Storage: $  Hosts: $  Network: $  Tape: $$

Availability/Recovery Strategies
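The selection procedure described under the strategy overview (list the solutions that meet the accepted RTOs and RPOs, rank them on cost, eliminate non-viable ones) applied to the alternatives tables above, as an added Python example that is not part of the deck. The recovery-time ranges and "$" ratings are transcribed from the IT application availability and data recovery tables; the hour values chosen for the data recovery points, the summed cost rating and the function names are this example's assumptions.

```python
"""Select the lowest-cost recovery alternatives that still meet a BIA's RTO and RPO.

Added example, not from the deck. Recovery-time ranges and '$' ratings are
transcribed from the deck's IT application availability and data recovery
tables; the hour values for the data recovery points are this example's
conservative reading of the deck's wording and are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 1.0
DAY = 24.0


@dataclass(frozen=True)
class Alternative:
    name: str
    worst_case_hours: float   # upper end of the deck's recovery-time / data-loss range
    cost_rating: int          # total count of '$' across the deck's cost columns (N/A = 0)


# IT application availability alternatives (deck's "Summary Description of
# Availability Alternatives"): worst-case recovery time and summed '$' rating.
AVAILABILITY = [
    Alternative("Automatic Fail-Over", 1 * HOUR, 16),
    Alternative("Manual Fail-Over", 12 * HOUR, 15),
    Alternative("Hot-Site", 72 * HOUR, 12),
    Alternative("Warm-Site", 5 * DAY, 9),
    Alternative("Cold-Site", 14 * DAY, 4),
    Alternative("Acquisition", 30 * DAY, 0),
]

# Data recovery alternatives (deck's "Summary Description of Data Recovery
# Alternatives"). Assumed worst-case data loss: "seconds or minutes" = 15 min,
# "minutes or hours" = one day, "hours or days" = one week.
DATA_RECOVERY = [
    Alternative("Synchronous Mirroring", 0.0, 11),
    Alternative("Asynchronous Replication", 0.25 * HOUR, 11),
    Alternative("Stand-By Database", 0.25 * HOUR, 9),
    Alternative("Remote Journaling", 0.25 * HOUR, 8),
    Alternative("Electronic Vaulting", 1 * DAY, 6),
    Alternative("Traditional Data Recovery", 7 * DAY, 5),
]


def viable(alternatives: List[Alternative], objective_hours: float) -> List[Alternative]:
    """Eliminate non-viable alternatives: keep those whose worst case still
    meets the objective, ranked cheapest first (faster breaks ties)."""
    ok = [a for a in alternatives if a.worst_case_hours <= objective_hours]
    return sorted(ok, key=lambda a: (a.cost_rating, a.worst_case_hours))


def select_strategy(rto_hours: float, rpo_hours: float) -> Tuple[Optional[str], Optional[str]]:
    """Cheapest availability and data recovery alternatives meeting RTO and RPO.
    None in either position means nothing in the deck's table is fast enough,
    and the objective itself must go back to management."""
    avail = viable(AVAILABILITY, rto_hours)
    data = viable(DATA_RECOVERY, rpo_hours)
    return (avail[0].name if avail else None, data[0].name if data else None)


if __name__ == "__main__":
    for rto, rpo in ((24 * HOUR, 1 * HOUR), (7 * DAY, 1 * DAY), (0.5 * HOUR, 0.0)):
        print(f"RTO {rto:>6.1f} h, RPO {rpo:>5.2f} h -> {select_strategy(rto, rpo)}")
```

The worst-case end of each range is used deliberately: a strategy that meets the RTO only at its best-case end is not viable, which is the deck's point about eliminating alternatives early.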

Page 52: ISACA Business Continuity Management Lifecycle

BCM Plans & Documentation

Objective: To detail the required people, processes, procedures and infrastructure necessary, based on the recovery strategy selected, to meet the RTOs and RPOs developed in the BIA and accepted by management.

Overview: Documented procedures to enable emergency response and recovery teams to understand and perform their recovery tasks.

Types of plans include:
– Emergency Response
– Business Continuity/IT-DR
– Crisis Management
– Pandemic

Plans should be action oriented and provide a level of detail such that individuals less familiar with the task will be able to accomplish it.

Plans should include 24 x 7 internal and external contacts to facilitate timely decision making and recovery.

Page 53: ISACA Business Continuity Management Lifecycle

Crisis Management Plan
• Roles & Responsibilities (RACI Chart)
• Crisis Command Center
• Declaration Procedures
• Event Management
• Problem Resolution
• Coordination with local/state/federal authorities
• Communication Plans
• Community Response Actions
• Media Coordination and Spokespersons
• Damage Assessment

Emergency Response Plan
• Roles & Responsibilities
• Life Safety
• Coordination with First Responders and Local Authorities

Disaster Recovery Plan
• Roles & Responsibilities (RACI Chart)
• Information Technology Infrastructure Recovery
• Application Recovery
• Data Recovery & Synchronization

BCM Plans & Documentation

Page 54: ISACA Business Continuity Management Lifecycle

Business Continuity Plan
• Roles & Responsibilities (RACI Chart)
• Procedural Work-Arounds
• Facilities
• Personnel Support/Replacement
• Contact Information

Tools
• Established Word Templates
• Strohl Systems LDRPS/eBRP/BPSI
• Notification – Everbridge, Envoy, MIR3, Others

BCM Plans & Documentation

Page 55: ISACA Business Continuity Management Lifecycle

Key Considerations

Documented plans should be flexible, adaptable and easy to follow, exercise, and maintain.

Methods of building plans include:
• Specialized BCP software application
• Document repository system
• MS Word based plan templates

Determine that life safety procedures are addressed for employees and visitors.

Include the communication methods to be used, including email, cell phones, pagers, radio, etc. Define any tracking tools needed to document the situation, actions taken and upcoming decision points.

BCM Plans & Documentation

Page 56: ISACA Business Continuity Management Lifecycle

Components of a plan include:
• Roles & Responsibilities: who executes the plan and what is needed to recover, resume and restore business function
• Alternate location to recover critical business processes and shared services
• Expected elapsed timeframes for business functions to be operational, and key milestones for the recovery and business resumption
• Detailed tasks and supporting information and procedures for recovery
• BCP plans will likely have multiple teams with specific roles and responsibilities. Examples include:
  – Crisis Management Team
  – Damage Assessment Team
  – IT Functional Recovery Teams
  – Business Function Teams

Refer to the next page for a description of the response and recovery timeline that plans must address.

BCM Plans & Documentation

Page 57: ISACA Business Continuity Management Lifecycle

[Figure: response and recovery timeline, running from the EVENT through the Recovery Point (vital records & data; backlogged transactions) to the Recovery Time.]

PHASE 1 – Emergency Response to Disruption
PHASE 2 – Mobilization/Failover to Recovery Site
PHASE 3 – Environment Restoration at Alternate Site
PHASE 4 – Application Restoration at Alternate Site
PHASE 5 – Data-Flow Restoration & Recreation
PHASE 6 – Business Function Restoration

IT Recovery Operations:
• Mobilize IT Recovery Team
• Recover Voice & Data Network
• Restore IT Systems, Applications, and Data
• Validate System & Application Integrity

Business Recovery Operations:
• Mobilize Business Recovery Team
• Execute Contingency Work-Around Procedures
• Restore Workspace & Manage Backlog
• Manual Data Re-Entry & Validation
• Recreate Lost Transactions & Data
• Re-Synch & Resume Business Operations

BCM Plans & Documentation

Page 58: ISACA Business Continuity Management Lifecycle

Pandemic Planning: Key Components

The broad preparation strategy leverages ten key components which are critical to sustaining operations during a pandemic crisis, including supply chain, distribution and retail.

• Leadership/Decision Making – Implement a Pandemic Planning and Coordination Unit (PPCU) as part of the existing Business Continuity Planning (BCP) function
• Education – Increase awareness and knowledge about influenza prevention and treatment through clear, consistent, medically accurate information
• Public/Private Partnerships – Develop and maintain valuable partnerships with trading partners and critical stakeholders such as unions and public health agencies
• Communication – Communicate the response plan and approach to employees and families, customers, suppliers, and partners
• Teleworking – Identify organizational and technical infrastructure requirements to minimize the potential disruption resulting from a pandemic
• Risk and Legal – Identify likely threats in order to decrease the risk of threat occurrence and contain damage; develop risk mitigation policies and procedures
• HR Policies & Procedures – Identify core staff and functions and establish policies and procedures during the pandemic
• Trading Partners – Review demand, distribution, and production plans and link strategies with key trading partners to determine that critical business processes are maintained
• Employee Wellness – Review contracts with health plans and provider networks to determine coverage and provision of services such as vaccinations and access to medical facilities
• Key Business Processes – Develop policies and processes to maintain operational effectiveness during a pandemic

Page 59: ISACA Business Continuity Management Lifecycle

Auditing Module 2

Governance:
• Does someone own the program? Is there a steering committee that oversees the overall program?
• Do BCM policies and procedures exist?

Strategies:
• Are the current business and technical strategies that are in place appropriate?

Plans:
• Do plans exist for critical business functions and applications/infrastructure?
• Do they meet recovery timeframe requirements?
• Do they include procedures defining what to do in the event of a facility, technology, equipment, personnel, or vendor outage?

Page 60: ISACA Business Continuity Management Lifecycle

Module 3: IMPLEMENT


Page 61: ISACA Business Continuity Management Lifecycle

Implement: 7 Resource Acquisition & Implementation | 8 Training | 9 Testing

Resource Acquisition & Implementation

Objective: To provide project management assistance for the implementation of BCM infrastructure and processes and the organizational rollout of the overall BCM program.

Overview: Provide BCM coordination with the implementation and rollout of recovery strategies, plans, and ongoing quality confirmation and process improvement.

Provide a structured approach and guidance for the tracking of multiple project initiatives and coordination for a successful program implementation.

Page 62: ISACA Business Continuity Management Lifecycle

Training & Awareness

Objective: To develop an ongoing awareness and training program to support and improve an organization's BCM capability. The training and awareness should be integrated with other company programs and become an integral part of the company's overall organizational culture.

Overview: BCM awareness and communications should effectively involve and communicate with many key stakeholders in order to successfully support the BCM program.

Successful BCM program implementation occurs when everyone involved in the process is aware of and enabled to fulfill their BCM responsibilities.

Page 63: ISACA Business Continuity Management Lifecycle



Training & Awareness: Key Considerations

Objectives of any awareness communication should be:

– Promote the vision and purpose of the BCM program and its benefits to stakeholder groups
– Actively enlist, engage, and inform all identified stakeholders to participate to the level necessary to achieve BCM goals
– Build energy and momentum within business units to promote and support the BCM program

Page 64: ISACA Business Continuity Management Lifecycle


Training & Awareness: Key Considerations

A big picture view of the communications and education strategy:

[Diagram: BCM Program Communications & Education Strategy, with Business Continuity Management at the centre and six surrounding elements]

• Power & Politics: Stakeholders with authority, power and/or influence lead and visibly support the communication & education effort
• Compelling, Shared Vision: Articulation of a compelling, shared vision and business imperative for BCM communication & education
• Communications & Engagement: Associates are well-informed about BCM
• Measures, Milestones & Evaluation: Establishment of short- and long-term measures of success
• Organizational Infrastructure & Processes: Development of a framework that supports ongoing BCM communication & education
• Training & Performance Support: Key employees are enabled to perform their BCM roles and responsibilities

Page 65: ISACA Business Continuity Management Lifecycle


Training & Awareness: Training Approach

Training Roles and Resources

Large global organizations may want to include a formal BCM training program to educate local BCM coordinators and recovery team members. If this is the case, the program may require the resources described below:

Training Developers

• Training developers are responsible for creating all course content and related materials for both classroom and computer-based training courses
– Review existing documentation to identify gaps
– Engage business units as required to leverage current training infrastructure and tools
– Work with the BCM Team to develop course content, training scripts, case studies and exercises
– Develop instructional material (instructor / participant), CPL documentation and exercises

Training Manager

• The training manager is responsible for overseeing the overall CPL education and learning effort:
– Validate and fine-tune the training strategy and plan
– Develop and manage the work plan
– Provide direction and leadership around course development and delivery
– Provide direction and overall leadership around the quality review process
– Coordinate training the trainers on presentation and facilitation skills, as necessary
– Manage and resolve issues as they arise
– Recommend approach, tools and standards to support continuous improvement
– Manage the training budget

Trainers

• Professional trainers facilitate CPL training to assist the BCM team in training delivery
• BCM team members support the development of CPL training by serving as SMEs and as co-leads to professional trainers
– Support training developers as required to develop course outlines and instructional materials
– Work with trainers to co-lead training
– Gather feedback from the CPL community and provide input to the training team through the appropriate channels

Facilities & Materials

• The logistics necessary to prepare both training facilities and materials are listed below:
– Reserve training rooms and set them up with proper equipment and connectivity
– Order and install all training equipment
– Arrange for material reproduction and delivery to the classrooms

Page 66: ISACA Business Continuity Management Lifecycle



Testing

Objective: To provide guidance in the development of a broad integrated testing program that includes business work-area recovery, data center recovery, and emergency communications

Overview:
• Testing is a critical component of BCM: it uncovers problems with existing plans so that they can be improved
• Involve management in goal setting and results reporting to help ensure that problems discovered during testing are corrected
• Testing BCM plans regularly is an effective approach to keeping plan information current and in sync with ever-changing business needs

Page 67: ISACA Business Continuity Management Lifecycle



Testing: Key Considerations

• Develop and/or revise a testing strategy annually or when an organization experiences a major business change. The testing process provides a roadmap describing the methods and frequency of test execution during the next 12-month period, including specific test dates and key success criteria, and establishes responsibilities for leading test planning and execution activities
• Test time with commercial recovery vendors must often be scheduled at least twelve months in advance
• Adopt a testing approach that designs and executes tests consistent with actual recovery during a real interruption
• It is critical that a test does not create a major disruption to ongoing business activities
• A formal review should be conducted after every test to share lessons learned and to develop an action plan for plan improvement

Page 68: ISACA Business Continuity Management Lifecycle



Testing: Testing Approach

Four types of tests are outlined:

• Work-Area Recovery Test

• Data Center Recovery Test

• Emergency Communications Test

• Table-Top Walk-Through Test


Page 69: ISACA Business Continuity Management Lifecycle


Continuous Improvement/QA

[Lifecycle diagram: Analyze: 1 Current State Assessment, 2 Risk Assessment, 3 Business Impact Analysis. Develop: 4 Governance, 5 Availability/Recoverability Strategies, 6 Plans & Documentation. Implement: 7 Resource Acquisition & Implementation, 8 Training, 9 Testing. 10 Continuous Improvement & Quality Assurance. Each number refers to the respective module around which this training is organized.]

Objective: To develop an ongoing process that enables an organization to maintain and constantly improve its BCM program, with procedures to support a goal of “Zero Defects”

Overview:
• A business continuity plan is bound to have defects after its initial implementation (e.g., issues overlooked or unknown during plan development, shortcomings that only become apparent after testing, business and technology changes that have occurred since the plan was first drafted, and the common misunderstandings introduced into every development process)
• The purpose of continuous improvement and quality assurance is to identify and rectify defects, and to identify and implement process improvements in the BCM program

Page 70: ISACA Business Continuity Management Lifecycle


Continuous Improvement/QA: Key Considerations

• Determine if internal or external auditors, risk management, or any independent groups have performed an assessment or gap analysis of the organization’s BCM program. Gather data and determine the status of recommendations for corrective action

There are four major components for consideration in a continuous improvement and quality assurance program:

Continuous Improvement – A process instituted by the organization’s BCM program to recognize areas in which business continuity plans, tools, procedures or any other aspect of the program require enhancement and to make the necessary changes

Root Cause Analysis – A process by which shortcomings are noted and the underlying reasons for the defects are identified and rectified

Quality Assurance – A process performed by an entity independent of the BCM program to determine that standards are followed and that the plans, tools, etc. not only remain effective, but improve over time. Improvement in this case may mean shortened RTOs, less latency in RPOs, timelier updates to plans, a greater number of business functions included in the plan, etc.

Change Management – A process involving many sectors of the organization’s operations in which changes to the business are reflected in the plan and changes in the plan are reflected in the organization’s normal business operations
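The Testing key considerations above call for key success criteria per test and a post-test action plan, and the Quality Assurance component just described measures improvement as shortened RTOs and less RPO latency across test cycles. The following Python block is an added worked example of how a BCM coordinator might evaluate recorded test results against those criteria; it is not part of the original deck and not a Deloitte or ISACA method. The business functions, objectives, test records and field names are constructed for illustration, and the rule that a function tested without an agreed RTO/RPO is itself an action item is the editor's assumption.

```python
"""Evaluate BCM test results against agreed recovery objectives (added example).

Assumptions (not from the deck): each business function has an RTO and RPO
agreed before testing, each test records the achieved recovery time and data
age in minutes, and observers log defects as free-text issues.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjective:
    """Success criteria agreed for a business function before the test."""
    function: str
    rto_minutes: int  # Recovery Time Objective: maximum tolerable outage
    rpo_minutes: int  # Recovery Point Objective: maximum tolerable data age


@dataclass(frozen=True)
class TestResult:
    """Observed outcome of one test (work-area, data center, comms or table-top)."""
    function: str
    test_type: str
    cycle: int                # 1 = earliest test cycle, higher = later
    achieved_rt_minutes: int  # minutes until the function was usable again
    achieved_rp_minutes: int  # age in minutes of the newest data recovered
    issues: tuple = ()        # defects logged by observers during the test


# Constructed sample data: two functions with objectives, one tested without any.
OBJECTIVES = {
    "Order Entry": RecoveryObjective("Order Entry", rto_minutes=240, rpo_minutes=60),
    "Payroll": RecoveryObjective("Payroll", rto_minutes=1440, rpo_minutes=240),
}

RESULTS = [
    TestResult("Order Entry", "Data Center Recovery Test", 1, 300, 45,
               ("Backup media for the order database not found at the offsite vault",)),
    TestResult("Payroll", "Work-Area Recovery Test", 1, 900, 300,
               ("Call tree contained two stale phone numbers",)),
    TestResult("Order Entry", "Data Center Recovery Test", 2, 210, 30),
    TestResult("Payroll", "Work-Area Recovery Test", 2, 720, 200),
    TestResult("Customer Portal", "Table-Top Walk-Through Test", 2, 120, 15),
]


def evaluate(result: TestResult, objective: RecoveryObjective) -> dict:
    """Compare one test result with its success criteria."""
    rto_met = result.achieved_rt_minutes <= objective.rto_minutes
    rpo_met = result.achieved_rp_minutes <= objective.rpo_minutes
    return {
        "function": result.function,
        "cycle": result.cycle,
        "rto_met": rto_met,
        "rpo_met": rpo_met,
        # A test only passes when both objectives are met and nothing was logged.
        "passed": rto_met and rpo_met and not result.issues,
    }


def action_plan(results, objectives, cycle: int) -> list:
    """Post-test review output for one cycle: one action item per missed
    objective, logged defect, or function tested without an agreed objective."""
    items = []
    this_cycle = sorted((r for r in results if r.cycle == cycle), key=lambda r: r.function)
    for r in this_cycle:
        obj = objectives.get(r.function)
        if obj is None:
            # Without success criteria the test cannot be judged; fix that first.
            items.append(f"{r.function}: no RTO/RPO agreed; set objectives before the next test")
            continue
        ev = evaluate(r, obj)
        if not ev["rto_met"]:
            items.append(f"{r.function}: RTO missed ({r.achieved_rt_minutes} min achieved "
                         f"vs {obj.rto_minutes} min objective)")
        if not ev["rpo_met"]:
            items.append(f"{r.function}: RPO missed ({r.achieved_rp_minutes} min data age "
                         f"vs {obj.rpo_minutes} min objective)")
        for issue in r.issues:
            items.append(f"{r.function}: defect logged: {issue}")
    return items


def improvement_trend(results, function: str) -> dict:
    """QA view across cycles: negative deltas mean a shorter recovery time
    and less RPO latency than in the earliest recorded test."""
    runs = sorted((r for r in results if r.function == function), key=lambda r: r.cycle)
    if len(runs) < 2:
        raise ValueError(f"{function}: need at least two test cycles to measure a trend")
    first, last = runs[0], runs[-1]
    return {
        "function": function,
        "cycles": (first.cycle, last.cycle),
        "rt_delta_minutes": last.achieved_rt_minutes - first.achieved_rt_minutes,
        "rp_delta_minutes": last.achieved_rp_minutes - first.achieved_rp_minutes,
    }


if __name__ == "__main__":
    for cycle in (1, 2):
        print(f"Cycle {cycle} action plan:")
        for item in action_plan(RESULTS, OBJECTIVES, cycle) or ["(no open items)"]:
            print("  " + item)
    for name in OBJECTIVES:
        print(improvement_trend(RESULTS, name))
```

Run as a script, the block prints the cycle 1 action plan (a missed RTO and a logged defect for Order Entry, a missed RPO and a logged defect for Payroll), the single cycle 2 item for the function tested without objectives, and the per-function deltas that an independent QA reviewer would track over time.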

Page 71: ISACA Business Continuity Management Lifecycle


Auditing Module 3

Training:
• Does a training program exist and how often do training sessions occur?
• Are key personnel included in the training sessions?
Testing:
• Does a testing strategy exist?
• Are all CM, ER, critical BCPs and IT-DR plans tested?
• Do testing plans exist?
• Are results from the tests documented and, if so, are the results reflected in the plans?
Continuous Maintenance/QA:
• What sort of maintenance and change control procedures are in place?
• Are all aspects of the program updated on a regular basis?

Page 72: ISACA Business Continuity Management Lifecycle

ISSUES


Page 73: ISACA Business Continuity Management Lifecycle


Top issues we have identified

1. Reliance: Relying on a BCM plan can lead to a false sense of security and potential business failure if the plan is not updated regularly and fully tested. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan's provisions.

2. Scope: Companies often limit the scope of their efforts to systems recovery. Business continuity planning requires consideration of both business process and systems recovery.

3. Prioritization: A formal process prioritizing key business processes is a critical step that often does not get its due attention by senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival.

4. Plan Update: Formal mechanisms are not in place to force a plan update on a regular basis or when significant systems or business process change occurs.

5. Ownership: Senior management often appoints the wrong person to manage the BCM process; someone with the power to lead, influence, support, prioritize, and organize the project should be named.

6. Communications: Communications issues are often overlooked. Formal plans to contact employees, vendors, business partners, and clients often lack specific communications strategies. Strategies to address how these groups obtain recovery status updates are often inadequate.

7. Security: Information systems security controls are often disregarded during plan development, resulting in a greater risk exposure during recovery operations.

8. Public Relations: Practitioners often fail to plan for public relations and investor considerations, therefore missing the opportunity to limit perceived impact by the public and investors.

9. Insurance: Many BCMs fail to adequately plan to support the filing of insurance claims resulting in delayed or reduced settlements.

10. Service Evaluation: Many companies poorly evaluate recovery products (hot site, cold site, and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company's needs.

Page 74: ISACA Business Continuity Management Lifecycle

Presented by: September 25 - 27, 2006

Helpful sites

• The Institute of Internal Auditors (IIA) http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag10/

• Disaster Recovery Institute International (DRII) http://www.drii.org/

• Business Continuity Insights (BCI) http://www.thebci.org/

• National Fire Protection Association http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf

Page 75: ISACA Business Continuity Management Lifecycle


Q&A

Page 76: ISACA Business Continuity Management Lifecycle


Contact information

M.J. Vaidya, Senior Manager, CISSP
Deloitte & Touche LLP
Email: [email protected]
516-445-9434

Page 77: ISACA Business Continuity Management Lifecycle


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.