Overview of Business Continuity Planning: Terminology, Rationale, Business Continuity Planning Cycle, Methodology. A high-level description with minimal detail of each of these steps: Risk Assessment, Business Impact Analysis, Risk Mitigation Strategy, Business Continuity Plan, Training, Testing and Auditing, and Plan Maintenance.
2. Rationale for Business Continuity Planning
Disaster – an event which causes the loss of an essential service, or part of it, for a length of time which imperils mission achievement.
(Andrew Hiles, Business Continuity: Best Practices)
3. Rationale for Business Continuity Planning
What if an ice storm struck a data center, rendering several critical IT services unavailable?
What if an unencrypted laptop hosting proprietary information, financial or human resources data were stolen?
What if an unsecured data server, workstations, and other equipment were confiscated from an overseas branch office?
What if a terrorist attack targeted an overseas operations center?
What if a pandemic threatened global operations for your business?
4. Rationale for Business Continuity Planning
The occurrence of some events could cause a temporary disruption of mission-critical services.
Some scenarios could actually result in long-term loss of mission-critical capacity.
The ‘unthinkable’ might include shutdown of programs or business segments supported by these services.
5. Rationale for Business Continuity Planning
Organizations that experience major data loss without disaster recovery plans*:
• 43% never reopen
• 51% close within two years
• 6% survive long-term
* Cummings, Haag, & McCubbrey (2005). Management Information Systems for the Information Age.
7. Business Continuity Theory
Business Continuity Planning: a management-approved, strategic and comprehensive capability of an organization to plan for and respond to events and conditions in order to continue business operations.*
It is the most proactive risk management discipline.
* The International Consortium for Organizational Resilience, CS SS BCM 3030
8. Business Continuity Theory
The Business Continuity Planning cycle:
1.) Risk Assessment
2.) Business Impact Analysis
3.) Risk Mitigation Strategy
4.) Business Continuity Plan Development
5.) Training, Testing & Auditing
6.) Business Continuity Plan Maintenance
9. Business Continuity Theory: Risk Assessment
Assess the threat landscape and determine relevant threats.
Natural/Environmental Threats
• Fire
• Flood
• Hurricane
• Winter storm
• Pandemics
• Tornado
• Lightning
• Drought
• Earthquake
• Volcano
• Tsunami
Human Threats
• Fire (accidental or arson)
• Cyber-attack
• Data theft or loss
• Extortion
• Terrorist attack
• Sabotage/Vandalism
• Workplace violence
• Civil unrest & war
• Chemical or biological hazard
Infrastructure Threats
• Power grid failure
• Petroleum supply disruption
• Food or water contamination
• Public utility failure (water, sewer, etc.)
• Heating/Cooling system failure (affects IT & people)
• Public transport disruption
10. Business Continuity Theory: Risk Assessment
Threat Assessment
• Compile a list of relevant threats; relevant = historical, contemporary, or emerging
Probability Assessment
• Example: High frequency of electrical storms = high probability of lightning strike
Vulnerability Assessment
• Example: Lack of lightning / surge suppression = high vulnerability to a lightning strike.
11. Business Continuity Theory: Business Impact Analysis
A process designed to identify and quantify impacts resulting from disruptive events and disaster scenarios.
Results include:
• List of mission-critical functions, processes, & roles;
• Recovery priorities and their interdependencies;
• Recovery Time Objectives (RTOs) for these priorities.
12. Business Continuity Theory: Business Impact Analysis
• Create a list of the mission’s functional areas.
• Assemble subject matter experts.
• Identify mission-critical functions, processes, and roles.
• Determine the impact on mission of ‘outage’.
• Establish the ‘Maximum Tolerable Outage’.
• Identify any external/internal dependencies.
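The two Business Impact Analysis slides above produce a register of mission-critical functions, their RTOs and their interdependencies. As an added example that is not part of the original deck, the script below checks such a register for the defect a reviewer most often finds in practice: a function whose stated RTO is tighter than that of something it depends on, which makes the RTO unachievable. It also derives a dependency-respecting recovery order and each function's effective RTO. The function names, RTOs and dependencies are constructed sample data.

```python
"""Added example (not from the original slides): a Business Impact Analysis check.
Each mission-critical function carries a Recovery Time Objective (RTO, hours) and
the functions it depends on; a function cannot be restored before its dependencies.
All names, RTOs and dependencies below are constructed sample data."""
import heapq
from graphlib import TopologicalSorter

# Constructed sample BIA register: function -> (RTO in hours, dependencies)
BIA = {
    "Voice & data network": (2, []),
    "Corporate database": (4, ["Voice & data network"]),
    "Payroll (HR)": (24, ["Corporate database"]),
    "Customer order entry": (4, ["Corporate database", "Voice & data network"]),
    "Web storefront": (1, ["Customer order entry"]),  # tighter RTO than its dependency
}

def rto_conflicts(bia):
    """(function, dependency) pairs where the dependency's RTO exceeds the
    function's own RTO, so the function's RTO cannot be met as stated."""
    conflicts = []
    for func, (rto, deps) in bia.items():
        for dep in deps:
            if dep not in bia:
                raise KeyError(f"{func!r} depends on unlisted function {dep!r}")
            if bia[dep][0] > rto:
                conflicts.append((func, dep))
    return conflicts

def recovery_order(bia):
    """Dependencies first; among functions whose dependencies are restored, the
    shortest RTO goes first. Raises graphlib.CycleError on circular dependencies."""
    ts = TopologicalSorter({f: set(deps) for f, (_, deps) in bia.items()})
    ts.prepare()
    ready = [(bia[f][0], f) for f in ts.get_ready()]
    heapq.heapify(ready)
    order = []
    while ready:
        _, func = heapq.heappop(ready)
        order.append(func)
        ts.done(func)
        for nxt in ts.get_ready():  # functions unblocked by this restore
            heapq.heappush(ready, (bia[nxt][0], nxt))
    return order

def effective_rto(bia):
    """Earliest achievable restore time per function: the larger of its own RTO
    and the effective RTOs of its dependencies (Web storefront becomes 4h, not 1h)."""
    eff = {}
    for func in recovery_order(bia):
        rto, deps = bia[func]
        eff[func] = max([rto] + [eff[d] for d in deps])
    return eff
```

Running `rto_conflicts(BIA)` on the sample flags the storefront's 1-hour RTO against the 4-hour order-entry dependency, which is exactly the finding a BIA review should send back to the business owner to either loosen the RTO or fund a faster recovery path for the dependency.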
13. Business Continuity Theory: Risk Mitigation Strategy
Protect data and operations essential to recovery:
• HR records, IT recovery documentation, corporate databases
• Network operations, essential IT dependencies
• Voice & data communications networks
14. Business Continuity Theory: Risk Mitigation Strategy
Determine recovery options:
• Work at home for key employees
• Alternate work-site
• Alternate site for mission-critical IT operations
15. Business Continuity Theory: Business Continuity Plan Development
Priorities
• Response and Recovery
• Vital Records, Databases, IT Services
Teams
• Designated Roles and Responsibilities
• Contact Information
Procedures
• Recovery of Mission-Critical IT Services
• Replacement of Critical Equipment
Criteria
• Plan Activation: Transition Point from Emergency Response to Plan Activation
• Declaration: Disruptive Event to Disaster
16. Business Continuity Theory: Business Continuity Plan Development
• Plan should designate teams, roles, responsibilities;
• Plan should include actions required on a timeline basis … response, recovery, & restoration;
• Particular attention should be given to protection and restoration of mission-critical processes and services.
17. Business Continuity Theory: Training, Testing & Auditing
Business Continuity Plan Testing
• Tests Information Technology & Telecommunications dependencies to find design flaws
Exercises
• Reveal potential points of failure in the Business Continuity Plan
Training
• Develops familiarity with the Business Continuity Plan and competence in its execution.