MHA Consulting Business Continuity Management 101

Posted on 29-Apr-2018

TRANSCRIPT

Page 1: MHA Consulting Business Continuity Management … Consulting Business Continuity Management 101 ... is the new Business Continuity Planning ... evaluate the compliance of an enterprise

© 2013 MHA Consulting All Rights Reserved.

MHA Consulting Business Continuity Management 101

Presented by: Michael Herrera and Brandon Magestro, MHA Consulting

Page 2:

Agenda

MHA Consulting – Introduction

Business Continuity Management (BCM) Defined

2013 Trends

The Business Impact Analysis (BIA)

Threat & Risk Assessment (TRA)

Business Recovery Plans (BRP)

IT Disaster Recovery Plans (DRP)

Questions?

Page 3:

MHA Consulting, Inc.

(photo: Michael Herrera)

Who We Are

Leading boutique consulting firm since 1999

Provider of consulting services to private and public sector companies across the USA

Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization

What We Do

Business Continuity ManagementDisaster Recovery PlanningTraining & AwarenessPhysical Security ConsultingInformation Technology Optimization & Best Practices

What Makes Us Different

Experienced professionals that possess a unique blend of knowledge

Experience combines focus, dedication and independence of a specialty firm

Proven methodologies and tools

Financial and management stability

Domestic presence and deep skill-sets of a Big 4 or larger consulting firm

Page 4:

Experience & Qualifications

(client logo slide; the only legible name is Metro Water District)

Page 5:

BCM Defined

Development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

Business Continuity Management:

The development of key plans and strategies

Protection of your organization's operations

The identification and protection of your most critical business processes

Page 6:

BCM - A Common Language

Business Resumption Planning:

The process initiated to resume business operations to a level consistent with the business requirements.

Crisis Management:

A series of actions taken to gain control of the event quickly to minimize the effects of an interruption and prepare for recovery.

IT Disaster Recovery Planning:

The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes.

Page 7:

BCM Model

Disaster Recovery Institute International Model

(diagram; labels recovered from the slide)

Project phases: Project Initiation; Functional Requirements; Design, Development and Implementation; Testing, Maintenance and Execution

Components: Project Mgmt; Policies & Standards; BIA; Risk Assessment; Recovery Strategy; BRP; DRP; CMT; Testing; Maint.; Cont. Imp.; Execute

Page 8:

The Business Continuity Lifecycle

(cycle diagram; the stages around the "Continuity Life Cycle" hub, in the order they were extracted)

Risk Assessment & Business Impact Analysis

Business Continuity Strategy Design

Business Alignment

Compliance Monitoring & Auditing

Training & Awareness

Plan Development & Strategy Implementation

Testing & Maintenance

Executive Management Support & Sponsorship

Page 9:

Elements of BCM Implementation Process

Executive Management sponsorship

BCM Governance Program/Team

Provide a framework and methodology for understanding, discussing and developing plans

Follow a holistic project approach similar to the DRII Model

Execute a Threat and Risk Assessment and Business Impact Analysis

Research and develop business and IT recovery strategies

Develop and formalize crisis management, crisis communication, IT disaster recovery and business recovery plans

Institute testing, training and awareness

Conduct post-test analysis and make adjustments accordingly

Implement a maintenance strategy

Page 10:

Learnings from 2013

Business Continuity Management (BCM) is the new Business Continuity Planning (BCP). The majority of organizations are renaming their enterprise continuity programs to Business Continuity Management.

Business Continuity staffing in most organizations is not increasing. Many organizations continue to either staff minimally or use outside consultants to augment the program.

Enterprise Risk Management (ERM) is integrating BCM into its process and utilizing the information gathered through BIAs and Threat & Risk Assessments to support identification of risks and exposures; a good sign.

Page 11:

Learnings from 2013

The Business Impact Analysis (BIA) study remains the foundational component that drives the development of the BCM program. However, senior management continually looks to us to refine the BIA process, shorten business unit participation time in the studies and ensure that the rigor of the process clearly identifies the most critical activities and dependencies.

We see Recovery Time Objectives (RTOs) continuing to get shorter and shorter (e.g., no downtime, 1 hour, 4 hours, etc.) in many of the companies we worked with in 2013.

The new norm for tolerance for data loss, or Recovery Point Objectives (RPOs), across critical business activities is zero or near zero in many companies, due to the use of complex technology and automated workflows that virtually eliminate manual workarounds.

Business and IT RTO/RPO Alignment - Alignment remains a critical gap across the majority of companies, whether they are small, medium or large.

Page 12:

Learnings from 2013

Emergency Notification Systems - The use of ENS is becoming widespread. However, organizations routinely struggle with bad contact data and with the processes needed to notify associates effectively and efficiently. An ENS is also of no use when there is no electrical power.

Companies struggle with Recovery Strategies, particularly for the business units of the organization.

Our most mature clients (financial, utilities) are holding live Recovery Exercises.

Page 13:

BCM Regulatory Requirements & Guidelines

NFPA 1600

HIPAA

GLBA

FFIEC

OSHA

FCPA

SEC

ISO 9000, 14000 & 22301

QS 9000

State Insurance Departments

Critical Infrastructure Protection

– Security Standards for Electric Market Participants

– Sound Practices to Strengthen the Resilience of the US Financial System

Page 14:

Conducting the BIA

Business Impact Analysis Defined:

The careful study of individual business activities and support functions, as well as the system of business processes in their entirety, to better understand objectives regarding continuity of operations.

Methodologies and Approaches

Relationship between the BIA and Risk Assessment

Objectives:

– Quantify the loss potential

– Qualify other types of loss

– Establish Recovery Time Objective

– Establish Recovery Point Objective

Page 15:

Threat & Risk Assessment

Natural/Environmental Threats

Technological Threats

Man-made Threats (Accidental and Intentional)

Business Process-related Risks

– Single Points of Failure

– Personnel

– Supply Chain

Information Technology Availability Risks

Third Parties / Vendors


Page 16:

A Common Ailment

A rigorous Business Impact Analysis (BIA), including an analysis of recovery options, helps address the gap between Business Requirements and IT Capabilities that many organizations currently experience.

Page 17:

Business Recovery Plans

Business Recovery Plans (BRPs) are developed to ensure recovery of the critical activities identified in the BIA. At a minimum, the BRP contains the following information.

Purpose, scope, assumptions, etc.

Activation procedures

Listing of critical business activities and priority of recovery

Roles and responsibilities

Emergency procedures to ensure safety of all affected staff members

Response, recovery and resumption procedures

Coordination procedures with public authorities

Communication procedures

Critical information on continuity teams, staff, customers, suppliers, etc.

Off-site storage of critical records, documentation and other pertinent resources

Copies of the BRP at various secure locations

Page 18:

Business Recovery Testing

Business recovery testing options:

Tabletop Exercise / Structured Walkthrough - A tabletop exercise/structured walk-through test is conducted as a preliminary step in the overall testing process; however, it is not a preferred testing method. Its objective is to ensure that critical personnel are familiar with the recovery plan and that it accurately reflects the organization's ability to recover.

Walk-Through Drill / Simulation Test - A walk-through drill/simulation test is a secondary step in the overall testing process and is more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the Business Recovery Plan to it.

Functional Drill / Parallel Testing - This test involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the Plan.

TREND: The majority of organizations only perform tabletop exercises, few perform walk-through drills and only a very small number perform functional drills.

Business recovery testing reduces the risk an organization could incur from a disruption of the critical business activities required to maintain its mission and operations.

Page 19:

Disaster Recovery Plans

Disaster recovery plans are developed for each critical IT system/application and identify:

Alternative equipment/facilities adequate to recover critical systems

Prioritization of recovering critical and non-critical applications

Recovery and validation steps for each system and application

Personnel requirements/skills in the event of a disaster

Critical application programs, third-party services, operating systems, databases, data files, supplies and timeframes needed for recovery

Off-site storage of critical back-up media, documentation and other pertinent resources

Copies of the DRP at various secure locations

The DRP includes all the recovery steps, technology processes, systems, applications, databases and network assets used to support the recovery of the systems and applications required by the critical business activities of the organization.

Page 20:

Disaster Recovery Testing

Disaster recovery testing options:

Standalone Testing - Perform recovery of individual systems and applications. This is a good first step.

Integrated Testing - Perform recovery of multiple systems and applications that are dependent on each other (upstream and downstream) and see how they work together in the recovered state.

Business Activity Testing - Perform recovery of a critical business activity from end to end using all of the upstream and downstream systems and applications needed.

TREND: The majority of organizations perform standalone and integrated testing, and very few if any perform business activity testing. Unless you have a mature and tested recovery capability, integrated and business activity testing is difficult for most organizations to achieve.

Disaster recovery testing reduces the risk an organization could incur from a severe disruption of business if the computing center and system custodians are unable to recover processing or key technology infrastructure in the event of a disaster.
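The three slides above ("A Common Ailment", "Disaster Recovery Plans" and "Disaster Recovery Testing") all turn on the same fact: a business activity is only as recoverable as the longest chain of IT systems underneath it. The following is an added example, not code from the MHA Consulting slides or from any MHA tool. It models a BIA's stated RTO/RPO per activity against what the IT dependency chain can deliver, derives a dependency-respecting recovery order for the DRP, and lists the systems a Business Activity Test would have to cover. All system names, activities, recovery times and backup intervals are constructed sample data. Two modelling assumptions are made and marked in the code: dependencies are recovered in parallel, and the effective RPO of a chain is its longest backup interval.

```python
"""Added example: dependency-aware RTO/RPO gap check, DRP recovery sequencing and
Business Activity Test scope. Not code from the MHA Consulting slides; all names
and figures below are constructed sample data, and modelling assumptions are marked."""

from collections import deque
from functools import lru_cache

# Constructed sample data; every figure is in hours. needs = systems that must be up
# before this one can be recovered; recover_h = measured time to recover this system
# once its needs are up; backup_interval_h = time between off-site copies of its data.
SYSTEMS = {
    "AD":       {"needs": [],                "recover_h": 2.0, "backup_interval_h": 1.0},
    "Network":  {"needs": [],                "recover_h": 1.0, "backup_interval_h": 0.0},
    "DB":       {"needs": ["Network"],       "recover_h": 6.0, "backup_interval_h": 4.0},
    "ERP":      {"needs": ["AD", "DB"],      "recover_h": 4.0, "backup_interval_h": 24.0},
    "Payments": {"needs": ["DB", "AD"],      "recover_h": 3.0, "backup_interval_h": 0.25},
    "Email":    {"needs": ["AD", "Network"], "recover_h": 2.0, "backup_interval_h": 24.0},
}
# BIA output (constructed): critical activities, the systems each uses directly, stated RTO/RPO.
ACTIVITIES = {
    "Process customer payments": {"uses": ["Payments"], "rto_h": 4.0,  "rpo_h": 0.0},
    "Ship orders":               {"uses": ["ERP"],      "rto_h": 8.0,  "rpo_h": 4.0},
    "Customer support":          {"uses": ["Email"],    "rto_h": 24.0, "rpo_h": 24.0},
}

def upstream(system):
    """Every system that must be recovered before `system`, transitively."""
    seen, queue = set(), deque(SYSTEMS[system]["needs"])
    while queue:
        s = queue.popleft()
        if s not in seen:
            seen.add(s)
            queue.extend(SYSTEMS[s]["needs"])
    return seen

@lru_cache(maxsize=None)
def achievable_rto(system):
    """Earliest hour `system` can be back. Assumption: dependencies are recovered in
    parallel and this system's own recovery starts once the slowest one is up."""
    deps = SYSTEMS[system]["needs"]
    wait = max(achievable_rto(d) for d in deps) if deps else 0.0
    return SYSTEMS[system]["recover_h"] + wait

def achievable_rpo(system):
    """Worst-case data loss for `system`. Assumption: the restored chain is only as
    current as its stalest component, so the longest backup interval wins."""
    chain = upstream(system) | {system}
    return max(SYSTEMS[s]["backup_interval_h"] for s in chain)

def gap_report():
    """Business requirement vs. IT capability per activity (the 'common ailment')."""
    rows = []
    for name, a in ACTIVITIES.items():
        rto_cap = max(achievable_rto(s) for s in a["uses"])
        rpo_cap = max(achievable_rpo(s) for s in a["uses"])
        rows.append({"activity": name,
                     "rto_required": a["rto_h"], "rto_achievable": rto_cap, "rto_gap": rto_cap > a["rto_h"],
                     "rpo_required": a["rpo_h"], "rpo_achievable": rpo_cap, "rpo_gap": rpo_cap > a["rpo_h"]})
    return rows

def system_deadlines():
    """Tightest business RTO each system inherits from the activities that depend on it."""
    deadline = {s: float("inf") for s in SYSTEMS}
    for a in ACTIVITIES.values():
        for s in a["uses"]:
            for t in upstream(s) | {s}:
                deadline[t] = min(deadline[t], a["rto_h"])
    return deadline

def recovery_order():
    """Dependency-respecting recovery sequence for the DRP (Kahn's algorithm), ties broken by
    tightest deadline. Raises on a dependency cycle, which no recovery sequence can satisfy."""
    deadline = system_deadlines()
    remaining = {s: set(v["needs"]) for s, v in SYSTEMS.items()}
    order = []
    while remaining:
        ready = [s for s, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda s: (deadline[s], s))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order

def activity_test_scope(activity):
    """Systems a Business Activity Test for `activity` must recover end to end."""
    scope = set()
    for s in ACTIVITIES[activity]["uses"]:
        scope |= upstream(s) | {s}
    return sorted(scope)

if __name__ == "__main__":
    for r in gap_report():
        print(f"{r['activity']:<26} RTO {r['rto_required']:>4}h vs {r['rto_achievable']:>4}h "
              f"{'GAP' if r['rto_gap'] else 'ok '} | RPO {r['rpo_required']:>4}h vs "
              f"{r['rpo_achievable']:>4}h {'GAP' if r['rpo_gap'] else 'ok'}")
    print("DRP recovery order:", " -> ".join(recovery_order()))
    print("Business activity test scope (payments):", activity_test_scope("Process customer payments"))
```

With the sample data the payments activity asks for a 4-hour RTO and zero RPO, but its chain (Network, then DB, then Payments) cannot be back in under 10 hours and inherits the database's 4-hour snapshot interval; a standalone test of the Payments system alone would never surface either gap, which is the point of integrated and business activity testing. The recovery order puts the shared foundations (AD, Network, DB) first because they inherit the tightest deadline of anything built on them.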


Page 21:

BCM Metrics

Purpose

The BCMMETRICS secure, web-based self-assessment tool is designed to evaluate the compliance of an enterprise Business Continuity Management (BCM) program with accepted industry best practices and standards.

Consistency with Industry Best Practices

BCMMETRICS.com uses the leading BCM industry best practices, standards and guidelines as its basis for evaluating the compliance of a program. The tool complies with a number of widely accepted best practices and standards that include, but are not limited to:

• ISO 22301

• BCI Good Practice Guidelines

• National Fire Protection Association (NFPA) 1600

• Federal Financial Institutions Examination Council (FFIEC) BCM standards

Pages 22-24:

BCM Metrics (tool screenshots; no text on these slides)

Page 25:

Questions ...

If you have questions regarding the information presented today and/or any other DR/BCP questions, please call or email:

Brandon Magestro, Director of Operations, MHA Consulting, Inc.

[email protected]

Mobile: (907) 748-4024