BUSINESS CONTINUITY A PRIMER Ron Andrews OSHRM - MIT September 2015

Upload: ron-andrews

Post on 27-Jan-2017


CONTEXT - GOM FOCUS AREAS

WHY BUSINESS CONTINUITY?

Every organization remains vulnerable and at risk from business disruptions caused by natural and man-made hazards...

o Floods, tornadoes, blizzards, fires, typhoons, earthquakes
o Accidents
o Sabotage
o Infectious disease outbreaks
o Personnel shortages
o Labour strife
o Transportation, safety and service sector failures
o Environmental disasters
o Cyber terrorism

WHY BUSINESS CONTINUITY?

o Regardless of type, size or composition, every organization – public, private or third sector – needs a business disruption plan

o The Manitoba Emergency Measures Act (including amendments) mandates Business Continuity Planning (BCP) for all government departments, crowns and government funded organizations

WHAT IS BUSINESS CONTINUITY?

o Business Continuity is a proactive and ongoing planning and improvement process undertaken to ensure that mission-critical functions, and services, are delivered at pre-determined levels during any kind of significant business disruption

o BCP is an internationally standardized professional approach to risk mitigation, risk management, emergency preparedness and incident response

o BCP is also known as Operational Risk in the larger Enterprise Risk Management framework

ENTERPRISE RISK & BUSINESS CONTINUITY

HAZARD
• Personnel • Property • Loss Exposure • Hazard Assessments • Legal

OPERATIONAL (A.K.A. Business Continuity)
• ICT Systems • Staffing • Business Processes • Critical Functions • Infrastructure

STRATEGIC
• Economy • Political Environment • Business Strategy • Demographic Shifts

FINANCIAL
• Market • Credit • Price • Liquidity

ORGANIZATION

Larry Stevenson Safety & Risk Control

Jodi MacDonald

Business Continuity

• ICT Systems • Infrastructure

• Safe Work • Critical Functions

Chris Sahaidak Claims & Risk Control

Rob Starodub Supportive Employment

• Personnel • Property • Loss Exposure • Hazard Assessments • Legal

OSHRM – RISK MANAGEMENT & BCP

HAZARD

OPERATIONAL

STRATEGIC
• Economy • Political Environment • Business Strategy • Demographic Shifts

FINANCIAL
• Market • Credit • Price • Liquidity

MIT

WHAT IS IN A BCP?

Identification of Critical Functions and Services
o Mission Critical in MIT = Recovery Time in 8 hours or less

Risk Assessment
o Identification of hazards, risk exposures and vulnerabilities
o Results help response team focus on required resources

Business Impact Analysis (BIA)
o Identification of criticality and required resources to maintain a minimum operating level
o Identification of supply chain dependencies and specialized concerns

Strategy and Plan
o How your response team will handle the incident

Training and Exercising
o Ensuring staff know their response role
o Exercising the plan on a continual basis for response improvement

HOW DO MIT & OSHRM DO BCP?

o OSHRM BCP Specialist meets with managers of established and known critical functions
o An introduction and overview of BCP is offered
o Pre-read and preparatory information is sent to an established Incident Response team
o Meetings are scheduled to complete a facilitated BCP Risk Assessment with the Incident Response team
o Results are reviewed and recommendations offered
o Further meetings occur to complete the Business Impact Analysis (BIA) template
o Results are reviewed and improvements noted, where necessary
o Incident Response team meets to determine, and document, their continuity strategy and plan
o Once completed, BCP Specialist assists with final plan completion
o Plan exercise and review is scheduled with the Incident Response team months later

BCP IS A PROCESS

NOT A PRODUCT

BCP FRAMEWORK & PROCESS

FRAMEWORK

o Lead & Establish Accountability
o Communicate & Report
o Align & Integrate
o Allocate Resources

PROCESS

o ASSEMBLE TEAM
o IDENTIFY CRITICAL FUNCTIONS
o COMPLETE RISK ASSESSMENT
o COMPLETE BUSINESS IMPACT ANALYSIS (BIA)
o COMPLETE BCP STRATEGY
o COMPLETE BCP PLAN
o EXERCISE & REVIEW BCP

BUSINESS CONTINUITY IN ACTION

GOM BUSINESS CONTINUITY

o Incident Response Teams (Business Units/ Functional Areas)

o BCP Coordinators (Departments)

o Provincial BCP Coordinator (EMO)

o BCP Coordinator Steering Committee

o Terms of Reference for GOM service environment

o BCP Courses, Training and Certification

o Deputy Minister Committee on Emergency Management and Public Safety

o BCP Subcommittee

o BCP 24 Month Planning Cycle

IDENTIFYING FUNCTIONS

o Engage your BCP Coordinator to discuss...

o Nature of the work

o Meeting strategy and expected outcomes

o Resources and steps in completing the BCP

o Assemble your Response Team

o Discuss the functions of your branch/ service

o Distinguish between activities and functions

o Discuss risk, exposure and vulnerability

o Determine the criticality of functions

o Consider the impact of non-operative functions

RISK ASSESSMENT

o Identify the hazards, risks and vulnerabilities to your business functions

o Risk Exposure: Discuss and assess both:

o Probability (Likelihood) x Impact (Consequence)

o Prioritize risks and implement risk measures

o Risk mitigation, avoidance, treatment, transfer, etc.

o Document (map) the risk exposures

o Use the Risk Assessment for the BIA discussion

RISK ASSESSMENT - QUALITATIVE

RISK ASSESSMENT - QUANTITATIVE

GROUP EXERCISE

Quiz – Business Continuity Planning in Government

o Two competing teams will now complete the Business Continuity in Government Quiz, comprised of True and False questions

o Scores will be shared at the end of the presentation

o Could be some good prizes

20 minutes

BUSINESS IMPACT ANALYSIS (BIA)

For Critical Function(s)...

o Identify a Normal Operating Standard
o Identify a Minimum Operating Standard
o Prioritize functions by Recovery Time Objective (RTO)*
o Determine impacts if critical function(s) not available
o Determine resource requirements necessary for the continuity of function(s) during a disruption
o Identify critical supply chain dependencies and ‘single points of failure’

* RTO also known as Maximum Allowable Down Time

BCP STRATEGY

o Plan with your response team how you will manage a disruption to your critical function(s)

o Discuss and document risk mitigation, preparedness, response and recovery strategies

o Ensure that your response strategies are time-based

o Use your completed Risk Assessments and BIAs for a more informed discussion

o Develop viable strategic options for your response team

o Recognize the possible realities of available resources, dependencies and critical supply chain concerns

o Identify any single points of failure

BUSINESS CONTINUITY PLAN

o Assemble your Risk Assessment, your BIAs and your Strategy approach into one concise BCP

o Attach all relevant documents (contact lists, reference documents, etc.)

o Distribute physical and e-copies of your BCP to all response team members and relevant stakeholders

o As required by legislation, submit a copy of your BCP to your BCP Coordinator

o Set a review and plan exercise date with the BCP Coordinator

o Absolutely never create an unwieldy binder of nonsense

...Plans are nothing – planning is everything...

BCP EXERCISE & REVIEW

Exercise your BCP to...

o Prepare for the inevitability of a real disruption

o ‘Skill up’ your staff who have a response role

o Know exactly what to do, when and with whom

o Determine and address planning gaps

o Update plan and contact information

o Re-examine business processes, where appropriate

o Meet legislative and departmental obligations

BCP INCIDENT MANAGEMENT

INCIDENT

• Conduct Impact Assessment
• Determine Immediate Actions
• Alert Incident Response Team

Are Critical Functions Operational?

If YES:
• Maintain Operations
• Initiate Incident Recovery
• Debrief
• Complete Gap Analysis

If NO:
• Convene Incident Response Team
• Activate BCP
• Alert MIT BCP Lead
• Begin Incident Command (IC)
• Re-assess Situation

Minimum Operating Standard Achieved? (YES / NO)

POTENTIAL CRISIS

• IC Alerts All Executive Staff and Stakeholders
• Departmental Resources Assembled
• EMO Notified
• Incident Command Expands
• Departmental Response Coordinated
• Actions Undertaken to Achieve MOS

SCOPE - FUNCTIONAL AREA

SCOPE - DEPARTMENTAL/ GOM

MIT CRITICAL FUNCTIONS/ SERVICES

DIVISIONAL AREA: CRITICAL FUNCTION/ SERVICE

ACCOMMODATION SERVICES (IN TRANSITION)
o Facility Operations
o Space Planning

ADMINISTRATIVE SERVICES
o Financial Services
o Information Technology

BOARDS AND COMMITTEES
o Highway Traffic & Motor Transport
o Medical Review
o Licence Suspension Appeal

EMERGENCY MEASURES & PROTECTIVE SERVICES (EMPS)
o EMO - Coordination of Emergency Response
o Protective Services

ENGINEERING AND OPERATIONS
o Road Operations
o NAMO

MOTOR CARRIER & TRANSPORTATION POLICY
o Motor Carrier Enforcement

SUPPLY AND SERVICES (IN TRANSITION)
o VEMA
o Government Air Services
o MDA

WATER CONTROL AND STRUCTURES
o Hydrologic Forecasting
o Flood Operations

BCP RESOURCES

o OSHRM SharePoint http://cserv.internal/sites/mit-org/oshrm/bc/SitePages/Home.aspx
o Emergency Measures Organization (EMO) http://www.gov.mb.ca/emo/
o Disaster Recovery Institute (DRI) http://www.dri.ca/index.php
o Winnipeg Emergency Preparedness Program http://winnipeg.ca/epp/
o Public Safety Canada http://www.publicsafety.gc.ca/index-eng.aspx
o Government of Canada – Emergency Preparedness Guide http://www.getprepared.gc.ca/cnt/rsrcs/pblctns/yprprdnssgd/index-eng.aspx

REMEMBER

A properly developed, maintained and exercised Business Continuity Plan will help you...

o Reduce the risk and impact of business disruptions

o Respond more effectively to the disruption event

o Return to normal more quickly after a disruption

o Improve responder skills sets and competencies

o Be more responsive to emerging risks and vulnerabilities

GROUP EXERCISE Continuity Event

o Discuss the scenario before you at your tables

o Determine the possible risk mitigation, preparedness, response and recovery options for this scenario

o Document your results

o Appoint a spokesperson to share your results with all

30 minutes

GROUP EXERCISE Business Continuity

o Discuss the scenario before you at your tables

o Each team has been assigned to assist Air Services to develop their continuity plan

o Discuss:

o Possible Risk Mitigation and Assessment actions

o What are the critical services?

o People, process and things Air Services requires for their BCP

o Share results with the room

30 minutes