Does your business have a disaster preparedness plan? This SlideShare covers the considerations needed to formulate a comprehensive plan following the NFPA 1600 standard, as adopted by the US Department of Homeland Security.
2. Program Management
The preparedness plan is built on a foundation of management
leadership, commitment and financial support. Without
management commitment and financial support, it will be
difficult to build the program, maintain resources and keep the
plan up-to-date.
• DR Coordinator – leads the preparedness program for the organization
• DR Committee – includes employees that have knowledge of all aspects of the business
3. Preparedness Policy
A preparedness policy should be consistent with the mission and
vision of the business. The policy should define roles and
responsibilities of the committee and designate employees to
keep the program current. The policy should also define the goals
and objectives of the program.
4. Preparedness Goals
Short term goals
• Establish committee
• Conduct Risk Assessment
• Improve RTO/RPO times
• Take inventory of assets
Long term goals
• Upgrade building protection
• Implement Data Backup Solution
• Transition operations to the cloud
• Establish Preparedness Program
5. Crisis Communications
Effective and timely communication is critical following a
hazardous event. Identify an emergency response procedure in
the event of a disaster.
Depending on the type of crisis, identify the lines of authority,
succession of management, and delegation of authority.
Include key vendors and contractors that need to be involved
during response and recovery efforts.
7. Risk Assessment
When developing a Disaster Preparedness Plan, it’s important to take
an “all hazards” approach.
Consider the three types of hazards, natural, human, and technology.
Determine how they could affect your business differently. There are
many possible scenarios that could unfold depending on variables
such as timing and magnitude of the event.
Assess the risk to your business by looking for vulnerabilities that would
make an asset more susceptible to damage or loss.
8. Risk Assessment
Risk diagram: Probability and Magnitude; Vulnerability
Hazards
• Fire
• Explosion
• Natural Hazard
• Hazardous Material Spill
• Terrorism
• Workplace Violence
• Pandemic disease
• Utility outage
• Mechanical failure
• Supplier failure
• Cyber attack
Impacts
• Casualties
• Property Damage
• System Failure
• Equipment Damage
• Interruption to Supply Chain
• Financial Loss
• Restricted Access
• Data Corruption
• Environmental Contamination
• Loss of Customers and/or Trust
• Fines and Penalties
• Lawsuits
Assets at Risk
• People
• Property (building, critical infrastructure)
• Supply Chain
• Systems/Equipment
• Information Technology
• Business Operations
• Reputation of Entity
• Confidence in Entity
• Regulatory and contractual obligations
• Environment
Source: Ready.gov
9. Business Impact Analysis
The Business Impact Analysis looks at operational and financial impacts
resulting from a disruption in business functions and processes.
Consider potential impacts resulting from a hazardous event. How would
your business be impacted if any of these disruptions occurred?
• Property or equipment damage
• Restricted access (data or property)
• Interruption of supply chain
• Utility/Power outage
10. Mitigating Risks and Recovery Strategies
Businesses can reduce potential impact by investing in hazard insurance and
disaster recovery solutions.
A disaster recovery strategy should be developed for information technology (IT)
systems, applications, and data. It should anticipate the loss of one or more of the
key components of a technology system, including networks, servers, desktops
and laptops, wireless devices, data and connectivity.
Having a disaster recovery strategy in place will help your business recover
more quickly and efficiently than it would without one.
11. Data Impact Analysis
The Data Impact Analysis looks at operational and financial impacts
resulting from a disruption in business systems and applications.
To determine the impact a hazardous event has on business data, you
need to consider how long your business can afford to be offline. This is
often referred to as your Recovery Time Objective (RTO) or Recovery
Point Objective (RPO).
13. Disaster Preparedness Plan
A Disaster Preparedness Plan should identify resources, strategies and plans
to effectively respond to, manage, and recover from a hazardous event.
Plans should include:
• Resource Management and Maintenance
• Emergency Response Plan
• Crisis Communications Plan
• Business Continuity Plan
• Data Recovery Plan
• Manual Workarounds
• Employee Assistance Guidelines
• Incident Management Process
• Training Program
14. Determine Plan Triggers
When do you plan to implement the Disaster Preparedness Plan?
• When there is property damage?
• If network resources are unavailable?
• During a power outage?
• If there is a hostile intruder?
• Or during a specific combination of events?
15. Disaster Preparedness Regulations
Federal, state, and local laws and regulations may define minimum
requirements for emergency management and business continuity.
Based on your industry, determine if any of these regulations apply and then
identify the requirements that need to be incorporated into your
preparedness plan.
Regulations may apply to hazard prevention, risk mitigation, emergency
response and business continuity.
Visit: www.ready.gov/laws-authorities for information on regulations for
Employee Safety and Health, Environment, Life Safety and Fire Codes.
Editor's notes
TELL STORY ABOUT GIBSON GAS LEAK
The preparedness program is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the plan up-to-date.
The program coordinator leads the disaster preparedness program and assists with its development, implementation, evaluation and maintenance.
Disaster Recovery Committee should have knowledge in these areas of the business:
Legal
Human Resources
Public Relations
Insurance and Risk Management
Environmental Health and Safety (EHS)
Finance
Labor Relations
Operations
Facilities or Property Management
Engineering
Security
Medical
Information Technology
Purchasing, Supply Chain and Distribution
Quality Control
Employees
A preparedness policy should be consistent with the mission and vision of the business. The policy should define roles and responsibilities of the committee and designate employees to keep the program current. The policy should also define the goals and objectives of the program.
Basic policy outline:
Plan Scope: A general statement regarding the Disaster Preparedness Program
Plan Committee: Define the coordinator and committee members
Plan Distribution Access: Where are copies of the plan stored? Who has access to the plan?
Plan Objectives: What are the goals of the Disaster Preparedness Program?
Plan Audit and Maintenance: How often will the program be reviewed?
Consider goals and objectives for managing risk, investing in resources, establishing capabilities through training and exercising, and complying with regulations. Consider both short-term objectives for the development of the program and long-term objectives that may require more significant planning or investment. Goals should be tangible and measurable.
ASK CROWD TO NAME GOALS OUT LOUD. WRITE DOWN IF POSSIBLE.
Effective and timely communication is critical following a hazardous event. Identify an emergency response procedure in the event of a disaster.
Depending on the type of crisis, identify the lines of authority, succession of management, and delegation of authority. Include key vendors and contractors that need to be involved during response and recovery efforts.
GIVE CROWD TIME TO ADD VENDORS AND CONTRACTORS THAT THEY CAN THINK OF.
TALK ABOUT RISKS AND WHAT CONSTITUTES A DISASTER.
When developing a Disaster Preparedness Plan, it’s important to take an “all hazards” approach.
Consider the three types of hazards, natural, human, and technology. Determine how they could affect your business differently. There are many possible scenarios that could unfold depending on variables such as timing and magnitude of the event.
Assess the risk to your business by looking for vulnerabilities that would make an asset more susceptible to damage or loss.
GIVE CROWD TIME TO COMPLETE RISK ASSESSMENT TABLE
Column 1: List assets types (people, facilities, machinery, equipment, information technology, etc.)
Column 2: List hazard and hazard type (natural, human, technology) that would impact asset. There may be more than one per asset.
Column 3: For each hazard, consider the impact it would have on the asset. (high or low)
Column 4: Identify asset vulnerabilities or weaknesses that would make it susceptible to loss. Determine opportunities for prevention or risk mitigation.
Column 5: Estimate the probability that the hazards from column 2 will occur (Low, Medium, or High)
Columns 6–10: Rate the level of impact each hazard from column 2 will have on core business assets (people, property, operations*, environment, entity**) as Low, Medium, or High
*use business impact analysis for operations, **use potential financial, regulatory, contractual, and brand/image/reputation impacts
Column 11: The Overall Hazard Rating is a two-letter combination of the rating in column 5 and the highest rating in columns 6-10. Review scenarios with moderate (MM) to high (HH) impacts. Consider what actions can be taken to mitigate risks or reduce potential impacts.
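The rating rule from columns 5 to 11, worked through in code as an added example (not part of the workbook). It assumes the L/M/H scale orders Low below Medium below High, and it reads "moderate (MM) to high (HH)" as any combination that scores at least as high as MM, so a low-probability/high-impact pair (LH) is also flagged for review; that reading is an assumption, as are the sample rows.

```python
# Overall Hazard Rating worksheet logic, written as an added example.
# Assumption: Low < Medium < High, encoded as 0 < 1 < 2.
LEVELS = {"L": 0, "M": 1, "H": 2}
IMPACT_COLUMNS = ("people", "property", "operations", "environment", "entity")
REVIEW_THRESHOLD = LEVELS["M"] + LEVELS["M"]  # MM is the floor for review


def overall_rating(probability, impacts):
    """Column 11: probability letter (col 5) + highest impact letter (cols 6-10)."""
    missing = [c for c in IMPACT_COLUMNS if c not in impacts]
    if missing:
        raise ValueError(f"impact rating missing for: {missing}")
    highest = max((impacts[c] for c in IMPACT_COLUMNS), key=LEVELS.__getitem__)
    return probability + highest


def needs_review(rating):
    """True when the two-letter rating scores at least MM (assumed reading)."""
    score = LEVELS[rating[0]] + LEVELS[rating[1]]
    return score >= REVIEW_THRESHOLD


def assess(rows):
    """Fill column 11 for every worksheet row and flag those to review."""
    out = []
    for row in rows:
        rating = overall_rating(row["probability"], row["impacts"])
        out.append({**row, "rating": rating, "review": needs_review(rating)})
    return out


# Constructed sample rows (not from the workbook).
SAMPLE_ROWS = [
    {"asset": "People", "hazard": "Fire", "probability": "L",
     "impacts": {"people": "H", "property": "M", "operations": "M",
                 "environment": "L", "entity": "M"}},
    {"asset": "Information Technology", "hazard": "Cyber attack", "probability": "H",
     "impacts": {"people": "L", "property": "L", "operations": "H",
                 "environment": "L", "entity": "H"}},
    {"asset": "Supply Chain", "hazard": "Supplier failure", "probability": "M",
     "impacts": {c: "L" for c in IMPACT_COLUMNS}},
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ROWS):
        flag = "REVIEW" if r["review"] else "ok"
        print(f'{r["asset"]:24} {r["hazard"]:18} {r["rating"]}  {flag}')
```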
The business impact analysis looks at operational and financial impacts resulting from a disruption in business functions and processes.
Consider potential impacts resulting from a hazardous event. How would your business be impacted if any of these disruptions occurred?
Property or equipment damage
Restricted access (data or property)
Interruption of supply chain
Utility/Power outage
CONDUCT BIA ASSESSMENT:
ASK CROWD TO IDENTIFY POTENTIAL IMPACTS OF DISRUPTION TO A BUSINESS FUNCTION OR PROCESS THEY ARE RESPONSIBLE FOR.
First column: Identify a point-in-time when the interruption would have greater impact (e.g., season, end of month, end of quarter).
Second column: Consider the potential duration of the interruption (e.g., 1 hour, 1 day, 1 week).
Third column: Determine the operational impact of the interruption (e.g., lost sales, negative cash flow, increased expenses, fines or penalties, customer dissatisfaction, etc.).
Fourth column: Determine the financial impact of the interruption considering the point-in-time, duration, and operational impact. How much will this disruption cost you?
Businesses can reduce potential impact by investing in hazard insurance and disaster recovery solutions.
Recovery strategies should be developed for information technology (IT) systems, applications and data, and anticipate the loss of one or more of its key components, including networks, servers, desktops, laptops, wireless devices, data and connectivity.
Having a recovery strategy in place will help your business recover more quickly and efficiently than it would without one.
The Data Impact Analysis looks at operational and financial impacts resulting from a disruption in business systems and applications.
To determine the impact a hazardous event has on business data, you need to decide how long your business can afford to be offline.
TAKE CROWD THROUGH DATA IMPACT ANALYSIS PROVIDED BY DATTO.
Ask crowd to fill in worksheet:
Recovery Process
1. How much data is on your critical business systems?
2. How often do you currently backup these systems?
3. How long does it take to initiate your recovery process?
4. Are you recovering data from a local network or the cloud?
Downtime Costs
5. How many employees would be affected if the critical systems fail?
6. What is the average wage of an employee using these systems?
7. What is the overhead cost of these employees?
8. What is the revenue generated per hour of these employees?
Calculations
Number 3 + (Number 1 / 10 Gbps*) = Downtime
*Local speed is the default local restore speed based on a typical gigabit connection. Local speed in South Bend is typically 10 Gbps.
Downtime Costs
(Number 5 x Number 6) + (Number 7 + Number 8) = Cost of Downtime per hour
Financial Impact to Business
Downtime x Cost of Downtime = Total Financial Impact
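The three worksheet calculations above carried through in code, as an added example rather than Datto's or the workbook's own tool. Units are assumed: Number 1 in gigabytes (converted to gigabits before dividing by the link speed), Number 3 in hours, wages, overhead and revenue in dollars per hour; the sample figures are constructed, and the cloud-restore comparison goes beyond the worksheet to show how the restore link speed drives the result.

```python
# Data Impact Analysis worksheet, written as an added example.
SECONDS_PER_HOUR = 3600
BITS_PER_BYTE = 8
DEFAULT_LOCAL_SPEED_GBPS = 10.0  # the worksheet's default local restore speed


def downtime_hours(data_gb, initiate_hours, speed_gbps=DEFAULT_LOCAL_SPEED_GBPS):
    """Number 3 + (Number 1 / link speed), with GB converted to gigabits."""
    if speed_gbps <= 0:
        raise ValueError("restore speed must be positive")
    transfer_hours = data_gb * BITS_PER_BYTE / speed_gbps / SECONDS_PER_HOUR
    return initiate_hours + transfer_hours


def cost_of_downtime_per_hour(employees, avg_wage, overhead, revenue_per_hour):
    """(Number 5 x Number 6) + (Number 7 + Number 8)."""
    return employees * avg_wage + (overhead + revenue_per_hour)


def total_financial_impact(data_gb, initiate_hours, employees, avg_wage,
                           overhead, revenue_per_hour,
                           speed_gbps=DEFAULT_LOCAL_SPEED_GBPS):
    """Downtime x Cost of Downtime = Total Financial Impact (dollars)."""
    hours = downtime_hours(data_gb, initiate_hours, speed_gbps)
    return hours * cost_of_downtime_per_hour(employees, avg_wage, overhead,
                                             revenue_per_hour)


# Constructed sample answers to worksheet items 1, 3 and 5-8 (not real figures).
SAMPLE = dict(data_gb=2000, initiate_hours=1.0, employees=25, avg_wage=30.0,
              overhead=500.0, revenue_per_hour=2000.0)

if __name__ == "__main__":
    # Compare the default 10 Gbps local restore with an assumed 1 Gbps cloud restore.
    for label, speed in (("local 10 Gbps", 10.0), ("cloud 1 Gbps (assumed)", 1.0)):
        hours = downtime_hours(SAMPLE["data_gb"], SAMPLE["initiate_hours"], speed)
        impact = total_financial_impact(speed_gbps=speed, **SAMPLE)
        print(f"{label:24} downtime {hours:6.2f} h  impact ${impact:,.2f}")
```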
Now that we have determined the areas of vulnerability, you are ready to begin developing a disaster preparedness plan.
OUTLINED IN WORKBOOK:
Resource Management and Maintenance: Resources needed for responding to emergencies, continuing business operations and communicating during and after an incident should be identified and assessed. Resource and maintenance procedures should include:
Program administration and lines of authority
Vendor and Response Teams contact List
Policies and Organizational Statements
Plan goals and objectives
Plan review schedule and assignments
Corrective action measures to address deficiencies
Emergency Response Plan: A plan to protect people, property and the environment should be developed. Plans should include evacuation, sheltering in place and lockdown as well as plans for other types of threats identified during the risk assessment.
Crisis Communications Plan: A plan to communicate with employees, client management, the news media and stakeholders.
Business Continuity Plan: A business continuity plan that includes short-term recovery strategies to overcome the disruption of business should be developed. Operations Plan – equipment & supplies, HR – How will people get paid?
Data Recovery Plan: A plan to recover computer hardware, connectivity and electronic data to support critical business processes should be developed.
Manual Workarounds: Document all forms and resource requirements for manual workarounds
Employee Assistance Guidelines: The business preparedness plan should encourage employees and their families to develop family preparedness plans. Plans should also be developed to support the needs of employees following an incident.
Incident Management Process: An incident management system is needed to define procedures and responsibilities to coordinate and manage activities before, during and following an incident. Procedures should include:
Incident detection and reporting
Alerting and notifications
Business continuity plan activation
Emergency operations center activation
Damage assessment and situation analysis
Incident action plan
Training: Persons with a defined role in the preparedness program should be trained to do their assigned tasks. All employees should be trained so they can take appropriate protective actions during an emergency. Training, testing and exercise plans to include:
Training curriculum
Testing schedule and procedures
Fillable forms for business recovery and data recovery strategies
Orientation, tabletop, and full-scale exercises
In addition to the information provided in the last slide, some businesses may be required to adhere to federal, state, or local regulations. Included in your workbook is a link you can visit for more information on regulations for employee safety and health, environment, life safety and fire codes.