2. Agenda
Business Continuity Planning and Disaster Recovery Planning
British Standard on BC - BS25999
BCP
Risk Management
Process and Best Practices
Business Value
3. Views of BCP and Risk Management
Business View
Service and Continuity
Customer Focus
Managing Risks
Operation Risk Controls
Auditing
Governance & Compliance
IT Infrastructure
Disaster Recovery
High Availability
4. Business Continuity Management
To counteract interruptions to business activities
To protect critical business processes from the effects of major failures or disasters
“2 out of 5 companies that experience a disaster will go out of business within 5 years” - Gartner
10. Threats to Availability
DATA CORRUPTION
COMPONENT FAILURE
APPLICATION FAILURE
HUMAN ERROR
MAINTENANCE
SITE OUTAGE
11. Can you afford it?
eBay
12 June 1999 outage: 22 hrs.
Operating System failure
Cost: $3 million to $5 million revenue hit
26% decline in stock price
AT&T
13 April 1998 outage: 6 to 26 hrs.
Software Upgrade
Cost: $40 million in rebates
Forced to file SLAs with the FCC (frame relay)
MCI
August 1999 frame relay outage: 10 days
Software Upgrade
Cost: Up to 20 days free service to 3,000 enterprises
Hershey Foods
September 1999 system failures
Application Rollout
Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98
Dev. Bank of Singapore
1 July 1999 to August 1999: Processing Errors
Incorrect debiting of POS due to a system overload
Cost: Embarrassment/loss of integrity; interest charges
Charles Schwab & Co.
24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs.
Upgrades/Operator Errors
Cost: ???; Announced that it had made a $70 million new infrastructure investment.
Causes of Unplanned Application Downtime
Operator Errors: 40%
Application Failures: 40%
Technology Failures: 20%
13. Why should you care?
Avoiding complete loss of organization
Avoid
Revenue Loss
Damage to Reputation
Productivity
Performance and Governance
Complex Problem to Solve
Protect critical business processes
Protect critical supporting infrastructure
Protect company data and Intellectual Property
Meet Compliance regulations
Manage People in the Process
14. Impact of Disaster
Productivity: Number of employees x impacted x hours out x burdened hours = ?
Revenue: Direct loss, compensatory payment, lost future revenues, billing losses and investment losses
Damaged reputation: Customers, competitors gain advantage, suppliers, financial markets, business partners
Governance & performance: Revenue recognition, cash flow, credit rating, stock price, regulatory fines
Indirect impact of downtime can be far more severe and unpredictable
[Figure: $ impact ($ millions to $ billions) plotted against time (minutes to days), with curves labelled productivity/employees, direct financial/customer, damaged reputation, and governance/performance; growth is marked from "constant increase" to "exponential increase"]
22. British Standard BS25999
The BCM Lifecycle: BS 25999-1 2006
BCM Programme Management
Understanding the organization
Determining BCM strategy
Developing & implementing BCM response
Exercising, maintaining & reviewing
23. Processes - Business Continuity Mgmt
Business Continuity
Assessments / Audits
Risk Analysis
Business Impact Analysis
Continuity Strategies
Business Continuity
Testing
Awareness and Training
25. Risk Analysis provides focus for BCM
[Figure: risk matrix with both axes scaled Low, Medium, High and a region marked "Area of Major Concern"]
26. Application Prioritization
Application Priority Rating | Recovery Time Objective | Recovery Requirements
AAA | 0–6 Hours | Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered.
AA | 6–12 Hours | Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered.
A | 12–24 Hours | Disaster Recovery needed: Restoration at a geographically remote data center. Local Fail over should also be considered.
B | 24–48 Hours | Fail over Local, Disaster Recovery
C | 48–96 Hours | Scheduled/Delayed Recovery
D | Recovery in 1 Week | Scheduled/Delayed Recovery
E | Recovery when Resources Permit | Scheduled/Delayed Recovery
33. Response and Risk approach
Risk Management and Business Controls
Events
Incidents
Crises
Impact
Monitor & resolve the “critical few” with crisis management team
Assess impact of events & implement appropriate controls
Monitor & resolve at appropriate level using processes
Incident Management Process
Crisis Management Process
35. Response Timeline
Last Offsite Backup
Recovery Point Objective (RPO)
Stage 1 Immediate Response & Relocation
Business as Usual
Stage 2 Op. Sys.
Restore Technology
Workarea Restoration
Stage 3 Applications Functional Restoration
Stage 4 Data Synchronization, Backlog & Lost Data
Stage 5 Resume Business
Recovery Time Objective (RTO)
Stage 6 Interim Site
Stage 7 Return Home
Restore Communications
Restore Business Functions