A Guide to Disaster Preparedness for Businesses
•
3 recomendaciones•392 vistas
Does your business have a disaster preparedness plan? This SlideShare will cover all considerations necessary to formulate a comprehensive plan following the NFPA 1600 Standards followed by the US Department of Homeland Security.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Similar a A Guide to Disaster Preparedness for Businesses
Similar a A Guide to Disaster Preparedness for Businesses (20)
Último
Último (20)
A Guide to Disaster Preparedness for Businesses
- 2. Program Management The preparedness plan is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the plan up-to-date. • DR Coordinator – leads the preparedness program for organization • DR Committee – includes employees that have knowledge of all aspects of the business
- 3. Preparedness Policy A preparedness policy should be consistent with the mission and vision of the business. The policy should define roles and responsibilities of the committee and designate employees to keep the program current. The policy should also define the goals and objectives of the program.
- 4. Preparedness Goals Short term goals • Establish committee • Conduct Risk Assessment • Improve RTO/RPO times • Take inventory of assets Long term goals • Upgrade building protection • Implement Data Backup Solution • Transition operations to the cloud • Establish Preparedness Program
- 5. Crisis Communications Effective and timely communication is critical following a hazardous event. Identify an emergency response procedure in the event of a disaster. Depending on the type of crisis, identify the lines of authority, succession of management, and delegation of authority. Include key vendors and contractors that need to be involved during response and recovery efforts.
- 7. Risk Assessment When developing a Disaster Preparedness Plan, it’s important to take an “all hazards” approach. Consider the three types of hazards, natural, human, and technology. Determine how they could affect your business differently. There are many possible scenarios that could unfold depending on variables such as timing and magnitude of the event. Assess the risk of your business by look for vulnerabilities that would make an asset more susceptible to damage or loss
- 8. Risk Assessment ProbabilityandMagnitude Vulnerability Hazards • Fire • Explosion • Natural Hazard • Hazardous Material Spill • Terrorism • Workplace Violence • Pandemic disease • Utility outage • Mechanical failure • Supplier failure • Cyber attack Impacts • Casualties • Property Damage • System Failure • Equipment Damage • Interruption to Supply Chain • Financial Loss • Restricted Access • Data Corruption • Environmental Contamination • Loss of Customers and/or Trust • Fines and Penalties • Lawsuits Assets at Risk • People • Property (building, critical infrastructure) • Supply Chain • Systems/Equipment • Information Technology • Business Operations • Reputation of Entity • Confidence in Entity • Regulatory and contractual obligations • Environment Source: Ready.gov
- 9. Business Impact Analysis The Business Impact Analysis looks at operational and financial impacts resulting from a disruption in business functions and processes. Consider potential impacts resulting from a hazardous event. How would your business be impacted if any of these disruptions occurred? • Property or equipment damage • Restricted access (data or property) • Interruption of supply chain • Utility/Power outage
- 10. Mitigating Risks and Recovery Strategies Businesses can reduce potential impact by investing in hazard insurance and disaster recovery solutions. A disaster recovery strategy should be developed for information technology (IT) systems, applications, and data. It should anticipate the loss of one or more of the key components of a technology system, including networks, servers, desktops and laptops, wireless devices, data and connectivity. Having a disaster recovery strategy in place will help your business recover more quickly and efficiently than it would without one.
- 11. Data Impact Analysis The Data Impact Analysis looks at operational and financial impacts resulting from a disruption in business systems and applications. To determine the impact a hazardous event has on business data, you need to consider how long your business can afford to be offline. This is often referred to as your Recovery Time Objective (RTO) or Recovery Point Objective (RPO).
- 13. Disaster Preparedness Plan A Disaster Preparedness Plan should identify resources, strategies and plans to effectively respond to, manage, and recover from a hazardous event. Plans should include: • Resource Management and Maintenance • Emergency Response Plan • Crisis Communications Plan • Business Continuity Plan • Data Recovery Plan • Manual Workarounds • Employee Assistance Guidelines • Incident Management Process • Training Program
- 14. Determine Plan Triggers When do you plan to implement the Disaster Preparedness Plan? • When there is property damage? • If network resources are unavailable? • During a power outage? • If there is a hostile intruder? • Or during a specific combination of events?
- 15. Disaster Preparedness Regulations Federal, state, and local laws and regulations may define minimum requirements for emergency management and business continuity. Based on your industry, determine if any of these regulations apply and then identify the requirements that need to be incorporated into your preparedness plan. Regulations may apply to hazard prevention, risk mitigation, emergency response and business continuity. Visit: www.ready.gov/laws-authorities for information on regulations for Employee Safety and Health, Environment, Life Safety and Fire Codes.
Notas del editor
- TELL STORY ABOUT GIBSON GAS LEAK The preparedness program is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the plan up-to-date. The program coordinator leads the disaster preparedness program and assists with its development, implementation, evaluation and maintenance. Disaster Recovery Committee should have knowledge in these areas of the business: Legal Human Resources Public Relations Insurance and Risk Management Environmental Health and Safety (EHS) Finance Labor Relations Operations Facilities or Property Management Engineering Security Medical Information Technology Purchasing, Supply Chain and Distribution Quality Control Employees
- A preparedness policy should be consistent with the mission and vision of the business. The policy should define roles and responsibilities of the committee and designate employees to keep the program current. The policy should also define the goals and objectives of the program. Basic policy outline: Plan Scope: A general statement regarding the Disaster Preparedness Program Plan Committee: Define the coordinator and committee members Plan Distribution Access: Where are copies of the plan stored? Who has access to the plan? Plan Objectives: What goals of the Disaster Preparedness Program Plan Audit and Maintenance: How often will the program be reviewed
- Consider goals and objectives for managing risk, investing in resources, establishing capabilities through training and exercising and complying with regulations. Consider both short-term objectives for the development of the program and long-term objectives that may require more significant planning or investment. Goals should be tangible and measureable. ASK CROWD TO NAME GOALS OUT LOUD. WRITE DOWN IF POSSIBLE.
- Effective and timely communication is critical following a hazardous event. Identify a emergency response procedure in the event of a disaster. Depending on the type of crisis, identify the lines of authority, succession of management, and delegation of authority. Include key vendors and contractors that need to be involved during response and recovery efforts GIVE CROWD TIME TO ADD VENDORS AND CONTRACTORS THAT THEY CAN THINK OF.
- TALK ABOUT RISKS AND WHAT CONSTITUTES A DISASTER.
- When developing a Disaster Preparedness Plan, it’s important to take an “all hazards” approach. Consider the three types of hazards, natural, human, and technology. Determine how they could affect your business differently. There are many possible scenarios that could unfold depending on variables such as timing and magnitude of the event. Assess the risk of your business by look for vulnerabilities that would make an asset more susceptible to damage or loss
- GIVE CROWD TIME TO COMPLETE RISK ASSESSMENT TABLE Column 1: List assets types (people, facilities, machinery, equipment, information technology, etc.) Column 2: List hazard and hazard type (natural, human, technology) that would impact asset. There may be more than one per asset. Column 3: For each hazard, consider the impact it would have on the asset. (high or low) Column 4: Identify asset vulnerabilities or weaknesses that would make it susceptible to loss. Determine opportunities for prevention or risk mitigation. Column 5: Estimate the probability that the hazards from column 2 will occur (Low, Medium, or High) Column 6 – 10: Rate the level of impact each hazard from column 2 will have on core business assets (people, property, operations*, environment, entity**) from Low, Medium, or High *use business impact analysis for operations, **use potential financial, regulatory, contractual, and brand/image/reputation impacts Column 11: The Overall Hazard Rating is a two-letter combination of the rating in column 5 and the highest rating in columns 6-10. Review scenarios with moderate (MM) to high (HH) impacts. Consider what actions can be taken to mitigate risks or reduce potential impacts.
- The business impact analysis looks at operational and financial impacts resulting from a disruption in business functions and processes. Consider potential impacts resulting from a hazardous event. How would your business be impacted if any of these disruptions occurred? Property or equipment damage Restricted access (data or property) Interruption of supply chain Utility/Power outage CONDUCT BIA ASSESSMENT: ASK CROWD TO IDENTIFY POTENTIAL IMPACTS OF DISRUPTION TO A BUSINESS FUNCTION OR PROCESS THEY ARE RESPONSIBLE FOR. First column: Identify a point-in-time when the interruption would have greater impact (e.g., season, end of month, end of quarter). Second column: Consider the potential duration of the interruption (e.g., 1 hour, 1 day, 1 week). Third column: Determine the operational impact of the interruption (e.g., lost sales, negative cash flow, increased expenses, fines or penalties, customer dissatisfaction, etc.). Fourth column: Determine the financial impact of the interruption considering the point-in-time, duration, and operational impact. How much will this disruption cost you?
- Businesses can reduce potential impact by investing in hazard insurance and disaster recovery solutions. Recovery strategies should be developed for Information technology (IT) systems, applications and data, and anticipate the loss of one or more of it’s key components, including networks, servers, desktops, laptops, wireless devices, data and connectivity. Having a recovery strategy in place will help your business recover more quickly and efficiently than it would without one.
- The Data Impact Analysis looks at operational and financial impacts resulting from a disruption in business systems and applications. To determine the impact a hazardous event has on business data, you need to decide how long your business can afford to be offline. TAKE CROWD THROUGH DATA IMPACT ANALYSIS PROVIDED BY DATTO. Ask crowd to fill in worksheet: Recovery Process How much data is on your critical business systems? How often do you currently backup these systems? How long does it take to initiate your recovery process? Are you recovering data from a local network or the cloud? Downtime Costs 5. How many employees would be affected if the critical systems fail? 6. What is the average wage of an employee using these systems? 7. What is the overhead cost of these employees? 8. What is the revenue generated per hour of these employees? Calculations Number 3 + (Number 1/10gbps*) =Downtime *Local speed is the default local restore speed based on a typical gigabyte connection. Local speed in South Bend is typically 10 gbps. Downtime Costs (Number 5 x Number 6) + (Number 7 + Number 8) = Cost of Downtime per hour Financial Impact to Business Downtime x Cost of Downtime = Total Financial Impact
- Now that we have determined the areas of vulnerability, you are ready to begin developing a disaster preparedness plan. OUTLINED IN WORBOOK: Resource Management and Maintenance: Resources needed for responding to emergencies, continuing business operations and communicating during and after an incident should be identified and assessed. Resources and Maintenance procedures should include: Program administration and lines of authority Vendor and Response Teams contact List Policies and Organizational Statements Plan goals and objectives Plan review schedule and assignments Corrective action measures to address deficiencies Emergency Response Plan: A plan to protect people, property and the environment should be developed. Plans should include evacuation, sheltering in place and lockdown as well as plans for other types of threats identified during the risk assessment. Crisis Communications Plan: A plan to communicate with employees, client management, the news media and stakeholder. Business Continuity Plan: A business continuity plan that includes short-term recovery strategies to overcome the disruption of business should be developed. Operations Plan – equipment & supplies, HR – How will people get paid? Data Recovery Plan: A plan to recover computer hardware, connectivity and electronic data to support critical business processes should be developed. Manual Workarounds: Document all forms and resource requirements for manual workarounds Employee Assistance Guidelines: The business preparedness plan should encourage employees and their families to develop family preparedness plans. Plans should also be developed to support the needs of employees following an incident. Incident Management Process: An incident management system is needed to define procedures and responsibilities to coordinate and manage activities before, during and following an incident. Procedures should include: Incident detection and reporting Alerting and notifications Business continuity plan activation Emergency operations center activation Damage assessment and situation analysis Incident action plan Training: Persons with a defined role in the preparedness program should be trained to do their assigned tasks. All employees should be trained so they can take appropriate protective actions during an emergency. Training, testing and exercise plans to include: Training curriculum Testing schedule and procedures Fillable forms for business recovery and data recovery strategies Orientation, tabletop, and full-scale exercises
- In addition to the information provided in the last slide, some businesses may be required to adhere to federal, state, or local regulations. Included in your workbook is a link you can visit for more information on regulations for employee safety and health, environment, life safety and fire codes.
- In addition to the information provided in the last slide, some businesses may be required to adhere to federal, state, or local regulations. Included in your workbook is a link you can visit for more information on regulations for employee safety and health, environment, life safety and fire codes.