Business Continuity Planning For Research and Development Organizations Presented by Steve Davis, Principal, DavisLogic & All Hands Consulting


Post on 28-Mar-2015


“Stuff” Happens

How should you help your company maintain "business continuity" in the wake of disaster?


Are You Ready For Anything?

Eighty-one per cent of CEOs say that their company's plans were inadequate to handle the myriad of issues arising from the World Trade Center tragedy


Disaster Causes & Effects: Common Causes

Natural Hazards: Ice Storm, Earthquake, Wind, Flood, Lightning, Snow, Frost

Man-made Hazards (Deliberate): Theft, Violence, Fraud, Arson, Malicious Damage, Strike


Disaster Causes & Effects: Common Causes

Man-made Hazards (Deliberate): Riot, Bomb Damage, Bomb Hoax, Terrorists, Hacking

Man-made Hazards (Accidental): Operator Error, Explosion, Fire, Water Leaks, Fire Extinguisher Discharge


Disaster Causes & Effects: Common Effects

Man-made Hazards (Indirect): Power Failure, Telecommunications Failure, Smoke Damage, Fire Suppression Agents, Hardware/Software failure


Disaster Causes & Effects: Common Effects

Denial of Service

Data Loss

Loss of Personnel

Loss of System Function

Lack of Information

Denial of Access

Compromised or Corrupted Data

Damaged Environment

Productivity Loss


Disaster Causes & Effects: Common Effects

Loss of Control

Loss of Communication

Interrupted Cash Flow

Loss of Image

Loss of Market Share

Costs of Repair

Cost of Recovery

Lower Morale

Loss of Profits


Special Considerations

Animals: Evacuation - where; Ongoing care and feeding; Bites/Scratches

Hazardous Materials: Bio Hazards, Radiation, Chemicals

Alternate Space

Wet Labs

Power Needs

Containment


Terminology

Business Continuity Planning


What is Business Continuity Planning?

Planning to ensure the continuation of operations in the event of a catastrophic event.

Business continuity planning includes the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.


Contingency Planning

Business Continuity Planning

Disaster Recovery

Security Business Recovery Crisis Management


BC Plan Components

| BCP | Disaster Recovery | Business Recovery | Business Resumption | Contingency Planning |
|---|---|---|---|---|
| Objective | Critical Computer Apps | Critical Business Processes | Process Restoration | Process Workaround |
| Focus | Data Recovery | Process Recovery | Return to Normal | Make Do |
| Example: Event | Mainframe or server failure | Laboratory Flood | Building Fire | Loss of Application |
| Example: Solution | Hot Site Recovery | Dry Out & Restart | New Equip. New Bldg. | Use Manual Process |


Create a Business Continuity Management Team

Led by Top Management

Project BoD Monitors

Regular Status Reporting to Management

Broad-based

Awareness for Everyone

Key Players: Senior Officials, Facilities/Safety, Risk Management, Legal, Finance/Budget, Procurement


Business Continuity Process

Assess - identify and triage all threats (BIA)

Evaluate - assess likelihood and impact of each threat

Mitigate - identify actions that may eliminate risks in advance

Prepare – plan for contingent operations

Respond – take actions necessary to minimize the impact of risks that materialize

Recover – return to normal as soon as possible


Building a BCP Plan


Business Impact Assessment

The purpose of the BIA is to:

Identify critical systems, processes and functions;

Establish an estimate of the maximum tolerable downtime (MTD) for each business process

Assess the impact of incidents that result in a denial of access to systems, services or processes; and,

Determine the priorities and processes for recovery of critical business processes.


BIA Review Factors

All Hazards Analysis

Likelihood of Occurrence

Impact of Outage on Operations

System Interdependence

Revenue Risk

Personnel and Liability Risks


Risk Analysis Matrix

[Figure: matrix with axes Probability of Likelihood (High, Medium, Low) and Severity of Consequence (Low, Medium, High). Marked region: Area of Major Concern.]


Developing Business Continuity Strategies

1. Understand alternatives and their advantages, disadvantages, and cost ranges, including mitigation and mutual aid as recovery strategies.

2. Identify viable recovery strategies with business functional areas.

3. Consolidate strategies.

4. Identify off-site storage requirements and alternative facilities.

5. Develop business unit consensus.

6. Present strategies to management to obtain commitment.


Contingency Planning Process Phases

Assessment - organizing the team, defining the scope, prioritizing the risks, developing failure scenarios

Planning - building contingency plans, identifying trigger events, testing plans, and training staff on the plan

Plan Execution - based on a trigger event, implementing the plan (either preemptively or reactively)

Recovery - disengaging from contingent operations mode and restarting primary processes of normal operations by moving from contingency operations to a permanent solution as soon as possible.


Evaluating Alternatives

Functionality - provides an acceptable level of service

Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan

Cost Benefit - cost is justified by the benefit to be derived from the plan


Emergency Management Planning

Work with local and regional disaster agencies and business associations

Assess special problems with disasters: Loss of lifelines, Emergency response

Review and revise existing disaster plans

Look for new areas for disaster plans

Include Disaster Recovery Planning


Elements of a Good Plan

Prevention, Response, Recovery, Remediation, Restoration

Top Priorities addressed first


Elements of a Good Plan

Action Plan responsibilities clearly defined

Communication alternatives are considered

Redundancies are in place


Elements of a Good Plan

Product sources are identified

Personnel sources are identified


Keys to Success

Vulnerabilities Clearly Identified

Comprehensive Plan in Place

Plan Understood, Communicated and Updated

Tested quarterly

Adequately funded


Emergency Response Action Steps

The first 48 hours can make the difference.

Safety First!

Getting Started Off-Site

Stabilize the Building & Environment

Documentation

Retrieval & Protection

Damage Assessment

Salvage Priorities

Adapted from FEMA – handout contains details.


For More Information

Contact:

Steve Davis, Principal

DavisLogic & All Hands


DavisLogic.com

AllHandsConsulting.com