Introduction

BCP/DRP

Course Objectives
By the end of this course, you will learn The meaning of BCP and DRP Risk Assessment Business Impact Analysis BCP and DRP development process

Course Contents
Introduction Section I: Section II: Section III: Section IV: Section V: Section VI: Section VII: Section VIII: Summary
3

BCP and DRP Overview Project Initiation Risk Assessment Business Impact Analysis Risk Mitigation Strategy Plan Design and Development Testing and Training Plan Maintenance
BCP/DRP 4

BCP/DRP

Section 1 BCP/DRP Overview

Section I - Introduction

Section I Objectives
In this section we will cover Defining Business Continuity and Disaster Recovery Cost of Planning Types of Disasters BCP and DRP Steps

BCP/DRP

BCP/DRP

Section I - Introduction

Section I - Introduction

Defining Business Continuity and Disaster Recovery

Business Continuity Planning is a methodology to create and validate a plan for maintaining continuous business operations, before, during and after any type of disaster. Addresses the ability to continue operations under any disaster scenario BCP deployment varies widely from company to company, and one organization from another. There is no one size fits all Some cannot tolerate any down time Some may have greater tolerance for down time Some may have variable down time tolerance level depending on the time The type and size of business determines the final plan The cost of business disruption vs. investing in BCP
BCP/DRP 7

Defining Business Continuity and Disaster Recovery

Disaster Recovery is part of Business Continuity Deals with an impact of an event DR involves Stopping the effects of the disaster as quickly as possible
Minimize the damage, Save as much as possible

Addressing the immediate aftermath

BCP/DRP

Section I Introduction

Section I Introduction

Business components in BCP

As any project, BCP development includes People:
People are responsible for developing and implementing the BC/DR Plan

People in BC/DR Planning

To develop and implement an effective BCP, you need people across the organization/department Getting key people in the company to be involved in developing the plan is essential Identifying key people to implement the plan is equally important Planning and implementation phases
Planning phase - you need people to develop the Plan Implementation phase (during and after disaster) - you need people who perform the plan.
9 BCP/DRP 10

Process:
Processes maintain an orderly flow of business operations

Technology (and Infrastructure):

Understanding how technology is used in the business operations

Each of these must be addressed in BCP

BCP/DRP

Section I Introduction

Section I Introduction

Process in BC/DR Planning

Process also, has two phases
Planning, Implementation

Technology (Infrastructure) in BC/DR Planning

Need to understand what happens to your technology components on different types of disasters Which elements are venerable to what type of disaster
(e.g. Power Outage, flood, virus )

Companies have processes for running their business smoothly. It could be well documented or not When disaster occurs, the normal established process is interrupted. Then the question is: How quickly can you recover from a disaster and get the business up and running? This depends on the process you developed in the BCP/DRP. Disaster response varies on the type of disaster and your Plan has to develop a process for handling various types of disasters. The eventual Recovery or Failure is dependent on your BCP/DRP

Your BCP/DRP may provide you a business case to change/upgrade the technology deployed. Or may require to redesign your network

BCP/DRP

11

BCP/DRP

12

Section I Introduction

Section I Introduction

Considering BCP
Having DR plan for infrastructure only (switches, routers, cell tower,..) is not sufficient Equally important you have to understand how the whole company conducts its business departments or business units write DRP from their perspective only For effective BC and DR planning need to look at it from the top You need to involve representatives from each and all business units.
BCP/DRP 13

Cost of Planning
Companies do not invest in projects that dont generate revenue or increase the bottom line. Funds are limited - Competing against projects that add to bottom line is difficult Mgmt tends to defer BCP - may be next year , What do you have to support your argument for BCP development? Large business customers require you to have BCP to do business with
Impact on revenue growth

Improves business process and operational savings Potential disaster without a mitigating plan causes significant financial loss There could be legal liability implication from the customer
e.g. customer data loss without proper BCP

Could be required by law depending the type of business you are running
BCP/DRP 14

Section I Introduction

Section I Introduction

Cost of Planning, contd

The Cost of Planning must be balanced with the cost of taking risk. (auto insurance) Do not try to cover every disaster scenarios Create a plan for events most likely to happen and most likely to have critical impact on your business operations Bad plan is worse than no plan

Cost of Planning, contd

After a major disaster 40% of businesses go out of business within 5 years. In 1993 WTC 42% (150/350) went out of business In 2001 majority of businesses were back up and in operation within days.

BCP/DRP

15

BCP/DRP

16

Section I Introduction

Section I Introduction

Types of Disasters
Location the location of business determines what type of disaster likely to happen. As a starting point make your BCP team come up with the list of disasters that are most likely to happen. Disasters can be divided in three categories
Natural Man-made Accidents

Types of Disasters - Natural

Weather related
Avalanche, Snow, Heavy rain, Floods Drought Fire Strom Hurricanes Tornado

Geological
Earthquake Tsunami Volcano Landslide
BCP/DRP 17 BCP/DRP 18

Section I Introduction

Section I Introduction

Types of Disasters - Man-made

Fire Cyber attack Riot Product tampering Explosion Threat Theft

Types of Disasters - Accidents

Transportation Infrastructure
Electricity Gas Water Sewer

Information system infrastructure

Communications infrastructure failure Systems failures

Building collapse
BCP/DRP 19 BCP/DRP 20

Section I Introduction

Section I Introduction

Protecting Data during a disaster

When disaster occurs chaos Businesses become venerable to theft and fraud (internal and external)
After disaster People, Process and Technology are in disarray Need to develop method to prevent fraud or theft.
(This could also be used for normal and emergency operation)

Managing Access During Disaster

Managing Access during disaster should be part of BC/DR Plan Access to Data
Who should have access to data and systems during disaster? Too restrictive access or open to all access have problems.
Restrictive person/s may not be available during emergency Open loss of accountability, theft

Physical access to the building/systems

BCP/DRP 21 BCP/DRP 22

Section I Introduction

Section I Introduction

BCP and DRP Steps

There are 7 basic steps to develop a good plan
1.

BCP and DRP Steps - contd

5.

Plan Development
Outline the methodology to follow for plan development

Project Initiation
Deals with the process of creating a project plan for BC/DR activities

6. Training and Testing

2.

Risk Assessment
The process of looking the risks the company faces. Covers all potential risks, determine the likelihood of a particular disaster occurring

3. 4.

Business Impact Analysis (BIA)

Deals with the potential impacts of these risks to the Business.

Addresses: Training people on how to implement the plan Running drills, exercises, simulations and reviews Testing the Plan
7.

Plan Maintenance
Plan needs to be maintained, updated, validated regularly and after the event.

Risk Mitigation Strategy

Addresses on how the identified risk and its impact can be tolerated, reduced or avoided
BCP/DRP 23

BCP/DRP

24

Section I

Section 1:

The Seven Steps

Risk Assessment
Risk Mitigation Strategy

Summary
Plan Develop -ment Testing and Training Plan Maintenance

Project Initiation

BIA

Each of these steps will be covered in detail in the following sections.

In this section we Defined Business Continuity and Disaster Recovery Identified Business Components Identified Types of Disasters Identified the steps required for successful BC/DR plan and implementation

BCP/DRP

25

BCP/DRP

26

Section II Project Initiation

Section II

Section Objectives
In this section we will cover the first Step in BCP/DRP Project Initiation

BCP/DRP

27

BCP/DRP

28

Section II

Project Initiation

Introduction Project Initiation

Project is a defined set of tasks with clear objectives, requirements and goals and with start and end points. BC/DC planning process should be handled as a project plan and BC and DR are projects. In this section we will discuss the process of create a project plan for BR/DC and the elements that contribute to successful completion of the project.
(In general, as a PM you can follow your own Project Management methodology and also the unique needs of your company)

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

29

BCP/DRP

30

Introduction Project Initiation

What are the factors to make a successful BC/DR plan? What are Project Plan Components? Who are Key Contributors?

Project Initiation - Success Factors

Executive Support User Involvement Experienced Project Manager Clearly Defined Project Objectives Clearly Defined Project Requirements Clearly Defined Scope Shorter Schedule Clearly defined PM Process
31 BCP/DRP 32

BCP/DRP

Success Factors Executive Support

As any project Executive support is the main factor for the success of BCP/DRP development. If the top management is convinced the business need for the project you will get all the support in every corner. BC/DR planning project involves people from all areas of the business. You need to pull away people from other projects Some departments/organizations may not buy BC/DR project and resist to participate.
BCP/DRP 33

Success Factors Executive Support - contd

How do you get executive support?
Start with your immediate management for 100% support Communicate clearly and convincingly.
Executives understand business and finance not technology

Prepare presentations
Formatted to the intended audience. (know your audience before hand) Non technical, clear and conscience Help them to understand the need for and make the right decision.

If possible, provide rough cost estimate of the project and how long it will take.

What if the decision is No?

..
BCP/DRP 34

Success Factors Executive Support contd.

What if the Executive Management decision is No?
There are still things you can do help start the process
You can incorporate BC/DR in your organization project plans that you can control If you are implementing new technology or upgrading or expanding the current systems you can include BC/DR concepts in the requirement. Specially backup and redundancy can be included as part of the business operations.

Success Factors User Involvement

As any project end-user involvement is critical The processes being developed should be done with the end-users input and collaboration. For BC/DR Planning there are two types of users
Who will be involved in the planning the BC/DR project, and Who will implement the plan when the event occurred (could be the same or other group of people) The latter should be involved in training and testing phase. Need to involve a key personnel from start to finish

BCP/DRP

35

BCP/DRP

36

Success Factors Experienced Project Manager

Success Factors Clearly Defined Project Objectives

Clearly Defined Project Objectives Helps to define the Plan to your unique business needs Helps identify most important and less important areas to allocate time and resources accordingly Insures all functional areas are covered and brings critical people together to develop the objectives How?
List your business functional areas Invite key people from those areas to help define the objectives Get agreement from all functional areas on prioritizing objectives
37 BCP/DRP 38

This is critical project and its successes depend on primarily putting well experienced PM Pick experienced Project Manager who
Has formal Project Management training Has understanding what it takes to get it done

Experienced PM is more effective for BC/DR planning

(it involves people at all levels and various organizations)

BCP/DRP

Success Factors Clearly Defined Project Requirements

Developing clear and complete requirement is the difference between success and failure
Objectives are what you want to accomplish Requirements are how to accomplish those objectives Clear requirement before the project work begins is critical and saves rework.

Success Factors Clearly Defined Scope

Scope is the total amount of work to be accomplished. This is dependent on the Project Objectives.
Clearly defined project objectives derive a clearly defined scope

Requirements have three categories

Business requirement to determine what the business needs to survive an event Functional requirement details which processes, methods and resource need to be available during and after an event Technical requirement identify technology equipment and business applications requirement

Scope is susceptible to changes as Project Planning progresses.

There could be a scenario where it may be necessary that additional functions may be identified. In this case a highlevel project objective and scope will be added.
39 BCP/DRP 40

The more detailed requirement the better.

BCP/DRP

10

Success Factors Shorter Schedule

Shorter schedules with more milestones produce successful result BC/DR planning is a comprehensive look at the business and its processes to determine its critical functions and emergency procedures. It is better to break it down into smaller projects One project plan for each functional area and one master plan Longer schedules people lose interest Move to other projects or replaced Milestones help you to: gauge the progress stay on budget be on schedule stay on Scope
BCP/DRP 41

Success Factors Clearly Defined PM Process

PM should have a set of methods, procedures and associated documents or use a well-defined project management process. Select a process and use it start to finish

BCP/DRP

42

Project Plan Components

Project Definition Project Team Project Organization Project Planning Project Implementation Project Tracking Project Close Out

Project Plan Components - Project Definition

It is a starting point of the project. To get clear understanding of the project and its expected result the following need to be defined or identified
Problem Statement Mission statement Potential solutions Requirements and Constraints Success criteria Project Proposal after selection of the best solution write a brief project proposal Estimates Project Sponsor - who has authority to approve, fund and support the project.
43 BCP/DRP 44

BCP/DRP

11

Project Plan Components Forming the Project Team

Create Project Team early When forming the team
Look Companys organizational chart to help you identify geographical locations, functional departments and organizations Technical people with technical specialties from different business units, in addition to IT, should be included. Logistical responsible for logistics and purchasing should be included Political/PR people who are responsible that reassure key customers and stakeholders during and after a crisis should be included
BCP/DRP 45

Project Plan Components Project Organization

Addresses on how to organize and run the project. It includes
Project Objectives, Project Requirements, Project Parameters Project Infrastructure Project Processes Project Communications Plan

BCP/DRP

46

Project Plan Components Project Organization

Project Objectives
Using the project solution developed in the Project Definition stage, need to develop specific Project Objectives for BC/DR plan
Business Continuity Plan focuses on sustaining business activities. It can be written for specific business process or for all key business processes Continuity of Operations Plan focuses on restoring mission-critical operations in an alternate location for an extended period of time Disaster Recovery Plan focuses on restoration of key business processes immediately after a disaster Crisis Communication Plan focuses on providing on consistent and clear communications with employees, customers and stakeholders Occupant Emergency Plan focuses on building and facility safety, specifically to building occupants

Project Plan Components Project Organization contd

Project Requirements
Write well defined project requirements based on the objectives discussed above. Project requirement defines functional and technical requirement

Project Parameters
These are scope, budget , schedule and quality They are interrelated - changing one impacts the others Scope is the total amount of work to complete the project Create scope statement assumptions, included and not included in the project based on the objectives Project Parameters need to be ranked from least flexible to most flexible (usually least is budget)
BCP/DRP 48

BCP/DRP

47

12

Project Plan Components Project Organization contd

Project Infrastructure
It is the tools and resources you have/need to develop BC/DR project

Project Plan Components Project Planning

Key elements in project planning process
Developing Work Breakdown Structure (WBS)
list of outcomes to be accomplished to complete the project The top level WBS can follow this structure Risk Assessment Business Impact Analysis Risk Mitigation Strategy Development Emergency Preparation Training and Testing Maintenance

Project Processes
Need to establish processes and procedures, and proper documentation to run the project Team Meetings (how, when, where to conduct meetings) Reporting (minutes for the team and status for sponsors) Escalation (problems) Project Progress (how to track) Change Control (how to capture and address changes within the company) Quality Control

Project Communication Plan

Need to develop proper communication method on the activities and progress of the BC/DR plan to sponsor and all organizations and departments that have stake

Critical Path
Describes how long the project will take and identifies critical and non-critical tasks
49 BCP/DRP 50

BCP/DRP

Project Plan Components Project Implementation

How do you manage changes occur in the middle of BC/DR planning development? Any changes in the departments occurring should be assessed on their impact to BC/DR planning
Managing Progress
Need to develop a method to keep track on the changes occurring in departments/organization that are being covered under the BC/DR plan Address how their work impacts the project Address how your project impacts their work

Project Plan Components Project Tracking

Need to develop project tracking system to track project progress, schedules, budget . Create project major and minor milestones to track the project progress compared to the schedule
Major milestones can be set for each Phase of the Project Minor Milestones for significant tasks within the phase.

Managing Change
Plans are always subject to change Need to develop Change management process

This information should be available to all team members

51 BCP/DRP 52

BCP/DRP

13

Project Plan Components Project Close Out

The last steps when the Project is completed BC/DR plan should be kept up to date under maintenance plan.
Regular review of the plan (yearly) Walk-through of the BC and DR steps defined Regular testing

Key Contributors and Responsibilities

Who are or should be key contributors to BC/DR plan and what should their roll be? List the business units and select representatives
Sample list it is different from one company to another
Information Technology Human Resources Facility Security Finance Legal Warehouse Purchasing Logistics Marketing and Sales Public Relations
53 BCP/DRP 54

There has to be some org/department that you can hand off the project and own the maintenance aspect of it. Conduct post-project review for lessons learned.
BCP/DRP

Key Contributors and Responsibilities contd

Requirements Definition

Select representative from each organization or group listed

Depending the size of the department the numbers vary.

The following criteria can be used for Business units the BC/DR focuses
Experience with working cross departmental team Ability to communicate effectively Ability to work well with wide variety of people Experience with critical business and technology systems Project management leadership
BCP/DRP 55

Business, Functional and Technical requirements are part of Project Definition (discussed earlier)
Business requirements define the scope of the project Functional requirements define what the plan does to accomplish business requirements Technical requirements define how these business and functional requirements will be met.

BCP/DRP

56

14

Requirements Definition Business Requirements

Requirements Definition Functional Requirements Functional requirements describe what functions or features must be available. Functional requirements state the need for a method or process to be available to meet the business requirement. Need to develop a ranking mechanism to each requirement to determine the criticality of the system for ongoing operations of the business.
Very-High, High, Normal, Low

The first step in developing BR/DR project requirement is to define Business Requirements. Need to understand critical areas of the business. Need to know what questions to ask, and how to ask to determine if the business is critical or not
Scenario based question provide better result than asking users if the business or system is critical or not. Develop a list of what-if scenario questions

BCP/DRP

57

BCP/DRP

58

Section II:

Requirements Definition Technical Requirements

Summary Project Initiation

In this section
Defined the factors to make a successful BC/DR plan Identified Project Plan Components Indentified Key Contributors to BC/DR plan Defined business, function and technical requirements

Technical requirements define how functional and business requirements are met, mainly with technology. Technical requirements help to:
assess if the current technology meets BC/DR requirement define new technology solution if the current does not meet the requirement determine that the current technology in place can be utilized in different way to meet the requirement
BCP/DRP 59

BCP/DRP

60

15

Section III

Section III

Risk Assessment

Section Objectives
In this section we will cover the 2nd Step in BCP/DRP Risk Assessment

BCP/DRP

61

BCP/DRP

62

Section III

Risk Assessment

Section III

Introduction Risk Assessment

In this section we will cover the concept and practical application of risk management from BC/DR point of view. Identify types of risks companies and businesses face. Define risk avoidance, reduction, acceptance and transferring. Identify risk management methods

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

63

BCP/DRP

64

16

Section III

Risk Management
Risk Management is a topic that covers the management of all types of risks to a company.
(We will cover only risks that are directly related to BC/DR planning.)

Risk Management
Risk can be defined as
Risk = Threat + Likelihood + Vulnerability + Impact (risk is a combination of threat, the likelihood of the threat occurring, vulnerability of the company and the impact of the threat on the company)

Managing Risk is the process of identifying, controlling, eliminating or minimizing uncertain events that may affect businesses Risk Management Process is assessing the potential and analyzing the trade-off (opportunity cost) of a particular risk. It is very important to understand the opportunity cost of a threat.

BCP/DRP

65

BCP/DRP

66

Section III

Risk Management Process

The basic steps of risk management process
Threat Assessment a process of identifying threats that can negatively impact the company and its source Vulnerability Assessment analyzes how vulnerable, susceptible and exposed a system/business is to a particular threat and the likelihood of the threat occurring Impact assessment analyzes the magnitude of the impact of the threat on the system/business Risk mitigation strategy addresses the four strategies of risk mitigation and their associated cost
Risk Reduction Risk Avoidance Risk Acceptance Risk Transfer
BCP/DRP 67

Risk Management People, Process, Technology and Infrastructure

For every risk/threat being considered its impact on the four business components should be addressed
If a particular threat occurred,
What is the impact on people and how do they react? How does it impact the business process? What is the impact on Technology? What is the impact on the Infrastructure (internal and external)?

BCP/DRP

68

17

Risk Assessment Components

Risk Assessment Components Threat Assessment

There are three Risk Assessment Components

Threat Assessment Vulnerability Assessment Impact Assessment (will be covered in the next section)

Risk assessment begins with the assessment of all potential threats and an analysis of those threats. Threats impact on People, Process, Technology and Infrastructure (business components) Threat assessment includes
Information gathering Identifying and listing potential threats
Natural Threats Human Threats Infrastructure Threats

Threat Assessment

Vulnerability Assessment

Impact Assessment

Threat assessment methodology

DR development phase
BCP/DRP 69

Quantitative Qualitative
BCP/DRP 70

Threat Assessment Information Gathering

There are different methods of collecting data about companys risks:
Questionnaires: to collect data from specific groups or people Interviews: interviews with SMEs - important specially if the SME cannot be part of the BC/DR planning team Document reviews: Reviewing corporate and organizational documents helps to identify threats, threat sources and vulnerabilities Research: Internal and External:
Internal: data about the past business interruptions External: data on the frequency of earthquake, storm, .
BCP/DRP 71

Threat Assessment Identifying and Listing Threats

Natural Threats - threats caused by natural phenomenon.

Fire Flood Winter Storm Drought Earthquake Tornados Hurricanes Tsunamis Volcanoes Pandemics
BCP/DRP 72

18

Threat Assessment Identifying and Listing Threats

Threat Assessment Identifying and Listing Threats

Human Threats: that are caused by human act.

Fire Theft, Sabotage, Vandalism Labor Disputes Terrorism Chemical/Biological Hazards War Cyber Threats

Infrastructure Threats: mainly external issues you have no control over

Building Failure Public Transportation Disruption Loss of Utilities Oil Shortage Food or water contamination Regulatory or Legal changes
73 BCP/DRP 74

BCP/DRP

Risk Assessment Components Threat Assessment Threat Checklist

Threat Checklist
Natural Threats Fire Flood Winter Storm Human Caused Threats Fire Theft, Sabotage Labor Disbutes .. Infrastructure Threats Building failure Non IT Equipment Failure Heating/Cooling Failure Public Transportation Disruption IT Specific Threats Cyber Threats Equipment Failure Loss of Data

Risk Assessment Components Risk Assessment Table

Item No

Threat Name

Threat Source

Vulnerability Rating

Likelihood Rating

Existing Controls

Impact Rating

Overall Risk Rating

001 002 003

Fire Flood

Internal External Internal

BCP/DRP

75

BCP/DRP

76

19

Risk Assessment Threat Assessment Methodology

There are two types of methodologies to evaluate the various threats being considered
Quantitative Threat Assessment
Quantitative method is using hard numbers to represent threats, vulnerabilities and impacts

Risk Assessment Quantitative Threat Assessment

e.g. Building power outage threat caused by Lightening
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost Power Outage Lightning Power outage for two days ? ? ? ?

Qualitative Threat Assessment

Qualitative method is using relative values used to represent threats, vulnerabilities and impacts

BCP/DRP

77

BCP/DRP

78

Risk Assessment Quantitative Threat Assessment

Threat Likelihood Let us say, using information gathering methods discussed earlier found that there is one major outage every other year. So the likelihood of getting one every year is 50% Vulnerability - if there is power outage due to lightning, there is 100% chance for a loss of power for 48 hours Impact Cost:
Lose of sales (2 days) = $50,000.00 Cost (expense) due to outage = 5,000.00 impact cost = $55,000.00

Risk Assessment Quantitative Threat Assessment

Now you have the information available to decide on what type of risk mitigation strategy to follow for Power Outage threat caused by Lightning.
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost (yearly) Power Outage Lightning Power outage for two days 50% 100% $55,000.00 $27,500

Risk Cost = Likelihood * Vulnerability * Impact cost

50% * 100% * $55,000.00 = $27,500.00
BCP/DRP 79

BCP/DRP

80

20

Risk Assessment Qualitative Threat Assessment

Qualitative assessment uses words instead of values. Define Qualitative Value Scale
Value 1 2 3 4 5 6 Level Extremely Low Very Low Low High Very High Extremely High

Risk Assessment Qualitative Threat Assessment

Same example used for Quantitative Method Threat Likelihood using information gathering method discussed earlier found that there is one major outage every other year. So you can say the likelihood of getting one every year is High (4) Vulnerability - if there is power outage due to lightning, the chance of losing of power for two days is Extremely High (6) Impact Cost: the total cost of revenue loss and expenses incurred is Low (3) Risk Cost: is the average value of Likelihood, Vulnerability and Impact cost
(4 + 6 + 3)/3 = 4.3 ~ 4 (High)
81 BCP/DRP 82

BCP/DRP

Risk Assessment Qualitative Threat Assessment

Now you have the information available to develop a risk mitigation strategy for Power Outage threat caused by Lightning.
Threat Threat Source Impact Likelihood Vulnerability Impact Cost Risk Cost (yearly) Power Outage Lightning Power outage for two days 4 (High) 6 (Extremely High) 3 (Low) 4 (High)

Risk Assessment Components Risk Assessment Table

Update the Risk Assessment Table

Item No 001 002 003 004

Threat Name Fire

Threat Source Internal External

Vulnerability

Likelihood

Existing Controls

Impact

Overall Risk

Flood Power Outage

Internal Lightening ExtremelyHigh High None High

BCP/DRP

83

BCP/DRP

84

21

Risk Assessment Components Vulnerability Assessment

Risk Assessment Components Vulnerability Assessment

Vulnerability is weakness, exposure or susceptibility to threats. Vulnerabilities can be exploited intentionally or triggered unintentionally. The result of Threat assessment becomes input to Vulnerability assessment. People, Process, Technology and Infrastructure are vulnerable to threats. For each threat, each business component will be considered for vulnerability assessment
How vulnerable are people (the staff , customers ) to the threat presented? How vulnerable is the business process to the threat? How vulnerable is the technology in place to the threat? How vulnerable is the infrastructure to the threat?
BCP/DRP 85

Vulnerability assessment can be qualitative or quantitative (mainly qualitative High, Medium, Low). It addresses how vulnerable the business component is Information gathering:
Questionnaires, Interviews, Document reviews and Research.

Risk = Threat + Likelihood + Vulnerability + Impact

BCP/DRP 86

Section III:
Risk Assessment

Summary
In this section we Defined Risk Management concept Covered the Risk Management processes. Identified Risk Assessment components. Information gathering methods Defined Threat and Vulnerability Assessment methods

From Threat and Vulnerability assessments we collected the following information needed for the next phase
Potential Threat Sources Likelihood of the threat occurring Vulnerability of the company A preliminary Risk value

Risk = Threat + Likelihood + Vulnerability + Impact

BCP/DRP 87 BCP/DRP 88

22

Section IV Business Impact Analysis

Section IV

Section Objectives
In this section we will cover the third Step in BCP/DRP Business Impact Analysis

BCP/DRP

89

BCP/DRP

90

Section IV

Business Impact Assessment

Section IV

Introduction Business Impact Assessment

In this section we will:
Define Business Impact Assessment (BIA) concepts Identify critical business processes Determine disruption impact - including financial, operational and legal Define business recovery requirements

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

91

BCP/DRP

92

23

Business Impact Assessment

BIA is identifying critical processes to the on-going business operations and to understand the disruption of these processes impact on the business. The primary purposes of BIA are
Understanding and identifying the organizations critical business objectives Determine the time it takes to resume business functions after disruption Assess the impact of disruption on critical business functions and set priorities Provide information for which recovery strategy can be developed
BCP/DRP 93

Business Impact Assessment Impact category

First step is to clearly define a category to assess business process criticality.

Category Function 1 2 3 4 Critical Essential Necessary Desirable

Label Mission-Critical Vital Important Minor

BCP/DRP

94

Business Impact Assessment Impact category

Mission-Critical business processes are the ones that have serious impact in the companys operations. Vital business processes are also the processes considered critical, but can be tolerated until MissionCritical processes are restored Important business processes are the ones that does not stop the company from operating in the near term but have long-term impact. Minor business processes are processes that can be restored at a later time after recovery is completed.
BCP/DRP 95

Business Impact Assessment Recovery Time

Recovery Time Requirements Maximum Tolerable Downtime (MTD) or Maximum Tolerable Outage (MTO): The maximum down time the business can tolerate a particular business process or function outage. MTD is the combination of systems recovery time and work recovery time. MTD = RTO + WRT. Recovery Time Objective (RTO): The time available to recover disrupted systems Work Recovery Time (WRT): the time it takes to get critical business functions up and running after systems recovered. Recovery Point Objective (RPO): The amount or extent of data loss be tolerated by the critical business systems.

BCP/DRP

96

24

Business Impact Assessment RTO

BIA impact evaluation

After risks and threats identified (previous section), the business impact must be evaluated for
Business functions: activities sales, marketing, manufacturing Business processes: how these activities occur or get done IT systems: how these business processes are carried out computer systems, applications, automated systems

Recovery Window
Category 1 2 3 4 Function Critical Essential Necessary Desirable Label Mission-Critical Vital Important Minor RTO 0-12 hours 13-24 hours 1-3 days > 3 days

The impact should also be considered for upstream and downstream functions

BCP/DRP

97

BCP/DRP

98

BIA Identifying Business Functions

Create a list of functional areas of the business. Start with common business functions listed below, and add from organizational chart
List of Business functions Information Technology Operations Human Resources Finance Legal Facilities/Security Marketing and Sales Manufacturing Warehouse .

BIA Gathering Data

The next step is to collect data for the each business functional areas listed. (processes and criticality) Data collection methodologies:
Questionnaires: Interviews: Workshops: Documents and research.

sample questions:
What single point of failures exist? What are upstream and downstream risks to your business function? What workaround would you use for your business process? What is the minimum number of staff you need? What is the maximum tolerable down time? What are the key skills and knowledge required to recover your business process? How would this business function in a recovery site? .

Contact SMEs for to discuss the critical business functions With the help of SMEs, list all departments, divisions, under each heading.
BCP/DRP 99

BCP/DRP

100

25

BIA Determining the Impact of disruption

The next step is to determine the impact for each business functional areas, then assign criticality rating. The impact can include:
Financial: loss of revenue, lost sales, salaries and wages paid. Customers: loss of customers go to competitors Suppliers: lose of suppliers Employees: impacted by the disaster (injury, . PR: lose of thrust Legal: unable to meet legal and regulatory requirement Operational: Business operations being disrupted HR: The impact on the staff on handling the disaster Investors: may lose confidence. Competitive Advantage:

BIA Criticality Matrix

After data collection, assign criticality rating.

Business Function Human Resources Finance

Business Process Payroll New Hire Accounts Receivable Accounts Payable Tax filings

Criticality Mission-critical Important Mission-critical Mission-critical Mission-critical Vital Minor

102

Marketing and Sales

Sales Calls Sales Training

BCP/DRP

101

BCP/DRP

Section IV:

BIA Findings Report

The next step to write the BIA findings report based on the information collected. The report should include:
Key Business functions and processes Process and resource interdependence IT dependencies Criticality Impacts on operations Recovery time requirements Recovery Resources SLA Technology Work-around procedures Financial impact Legal impact Competitive impact Investor impact Customer impact .

Summary
In this section we Defined BIA Identified Business functions and processes Learned on how to gather BIA information and to prepare BIA Reports

BCP/DRP

103

BCP/DRP

104

26

Section V Risk Mitigation Strategy Development

Section V

Section Objectives
In this section we will cover the fourth Step in BCP/DRP Risk Mitigation Strategy Development
Types Risk Mitigation Strategies Risk Mitigation Process. Backup and Recovery considerations.

BCP/DRP

105

BCP/DRP

106

Section V

Risk Mitigation Strategy

Introduction Risk Mitigation Strategy

Risk Mitigation is a process of taking steps to reduce the effects of an event. Developing the Risk Mitigation Strategy is the last step in Risk Management activity for BC/DR Plan development Inputs:
Risk Assessment (threat and vulnerability assessment) BIA

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

Output:
Risk Management Strategy Plan

BCP/DRP

107

BCP/DRP

108

27

Risk Mitigation Strategies

There are four types of Risk Management Strategies.
Risk Acceptance Risk Avoidance Risk Limitation Risk Transference

Risk Mitigation Strategies Risk Acceptance

Risk Acceptance: Accepting risk does not reduce its impact. There are many reasons companies choose risk acceptance
The primary is Cost. Accepting the risk can be less costly than implementing mitigation strategies. Small companies do it more often.

It is the least expensive option for near term and the most expensive when disaster happens.

BCP/DRP

109

BCP/DRP

110

Risk Mitigation Strategies Risk Avoidance

Risk Avoidance is the opposite of Risk Acceptance. In BC/DR plan, it is an action that avoids any exposure to a risk (example deploying fully redundant systems). It is the most expensive of all mitigation strategies, but has significant impact in reducing cost of down time and recovery. This is one of the options to be considered for missioncritical business functions.

Risk Mitigation Strategies Risk Limitation

Risk Limitation is a method of limiting the exposure to threat by taking action. Does not stop the system from failure but helps to recover in a timely manner.
e.g. daily backup of data.

It falls between Risk Avoidance and Risk Acceptance. The cost varies depending the options implemented.

BCP/DRP

111

BCP/DRP

112

28

Risk Mitigation Strategies Risk Transference

Risk Transference is a method of transferring the risk to a third party. Paying another company to assume the risk.
e.g. Buying insurance, outsourcing payroll services.

Risk Mitigation Process

The next step is to select appropriate options in order to develop comprehensive strategy.
Recovery Requirements Recovery Options Recovery Cost

Risk Transference has an ongoing cost (e.g. service fee).

BCP/DRP

113

BCP/DRP

114

Risk Mitigation Process Recovery Requirements

Recovery Requirements are developed for critical business process identified in BIA report. Include
Recovery Time Cost of recovery Processes required

Risk Mitigation Process Recovery Options

Recovery Options are developed for each critical business process identified in BIA report. There are three options
As-needed Prearranged Preestablished

Identify the resources and associated cost to help determine the mitigation strategy.

The cost and time to implement these options varies Each option must be reviewed in terms of MTD for each critical business process.
(e.g. If you have a requirement to have an alternate site for IT services, all options must be considered)

BCP/DRP

115

BCP/DRP

116

29

Recovery Options As-needed

As-needed option
takes longer time to deploy may cost more (depending on the disruption type)

Recovery Options Prearranged

Prearranged option requires making arrangements and contractual agreement with suppliers and service providers for equipment and services to be provided within specified period. In addition to the cost of equipment and services, there is a recurring cost.

Resources and services are acquired after the event occurred. There is additional risk of not being able to get the Resources at all.

BCP/DRP

117

BCP/DRP

118

Recovery Options Pre-established

Pre-established recovery option is setting up an alternate site that can be activated after the disaster. The site is only used for recovery option. The site must be kept up-to-date to reflect the current environment of the actual site There is a cost for building the site and up keep. Shorter recovery time than the other options.

Developing Risk Mitigation Strategy

Risk Mitigation Strategy steps
Gather recovery data Compare cost and capability options Select the mitigations options for each business process acceptance, avoidance, limitation, or transference Select the recovery options

Based on the above information can develop a document that outlines the cost, capability, effort, quality of each option considered
119 BCP/DRP 120

BCP/DRP

30

IT Recovery Options
When developing IT Systems Risk Management Strategy need to consider the latest technology available today.
As technological developments are fast paced (specially for IT), the system currently in operation/production can be outdated, you may even consider to replace or upgrade the system. Or, if you already have BC/DR plan developed a few years ago can be invalid due to technological advancement; you need to revise the BC/DR plan more often than the other business functions.
BCP/DRP 121

IT Recovery Options Alternate Sites

Considering an alternate site. Common options Fully Mirrored Site: a fully redundant site that mirrors the live site.
Provides high availability Can also be used for load balancing.

Hot Site: with an identical configuration that can be operational within 4 hours. Warm Site: Fully or partially equipped site and can be operational within hours being restored from backup data. The facility can be used for less critical functions during normal business operation. Mobile Site: A self contained unit that can be transported to establish an alternate work site. Cold Site: A site that is started up after the disruption occurred. It is the least expensive but has the longest recovery time. Reciprocal Site: It is an arrangement made with other companies that have similar operations.

BCP/DRP

122

Section V:

Summary
In this section we covered Types Risk Mitigation Strategies Risk Mitigation Process. Backup and Recovery Considerations.

Section VI BC/DR Plan Development

BCP/DRP

123

BCP/DRP

124

31

Section VI

Section VI

Section Objectives
In this section we will cover the fifth Step in BCP/DRP Business Continuity/Disaster Recovery Plan Development Business Continuity and Disaster Recovery phases Define BC/DR Teams. Define BC/DR activity checklists

Plan Development

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

125

BCP/DRP

126

Introduction BC/DR Plan Development

The plan needs to state risks, vulnerabilities, potential impacts to mission-critical business functions and associated mitigation strategies. From the previous sections we have
Identified risks, Assessed vulnerabilities Determined potential impacts on business Identified mission critical business functions Developed mitigation strategies

BC/DR Plan Phases

Business Continuity and Disaster Recovery Phases

Activation Phase

Recovery Phase

Business Continuity Phase

Maintenance/ Review Phase

Next is to determine and develop a guideline on when, how and by whom are these strategies implemented
BCP/DRP 127 BCP/DRP 128

32

BC/DR Plan Activation Phase

Activation Phase addresses the time during and immediately after a business disruption Activation includes
Initial Response Problem assessment Escalation Disaster declaration Plan implementation

BC/DR Plan Activation Phase Disaster Levels

Defining the disaster type and level. There should be clearly defined disaster level to help you determine the types of activation and recovery process to follow.
Major Disaster: has major impact on business. It disrupts all or most of the critical business operations. Such as the destruction of the entire facility. It occurs rarely. Intermediate Disaster: the impact is less than major. It impacts one or more mission-critical business functions. Business operations will experience significant disruption. Minor Disaster: It is a type of disaster occurs more often and impacts only a single business operations. It is an Isolated incident, and normal business operations will not be interrupted.
129 BCP/DRP 130

BCP/DRP

BC/DR Plan Activation Phase BR/DR Teams

Notification of the disaster to the following BC/DR

BC/DR Plan Triggers

Trigger defines when an alternate plan or method should be implemented Activation Trigger: For each Disaster Level, need to have clearly defined triggers. Based on the Initial Assessment - determine the disaster level and activate the part of BC/DR Plan that addresses the issue. Transition Trigger: a trigger to move from one phase to another
evaluation from Damage assessment team, CMT is on the scene and the selected BC/DR plan is activated Recovery to Continuity Phase: This is triggered after the disaster (event) is under control and the effects have been addressed. Business Continuity to Normal Operations: this is triggered when things are back to normal.
Activation to Recovery Phase: it is triggered after the initial

Teams. They will handle/respond to disaster by implementing procedures outlined in the BC/DR Plan
Crisis Management Team Damage Assessment Team Notification Team Emergency Response Team Business Continuity Leader Crisis Communication Team Resource and Logistics Team Risk Assessment Team

BCP/DRP

131

BCP/DRP

132

33

BC/DR Plan Recovery Phase

Recovery Phase is started immediately after the

BC/DR Plan Business Continuity Phase

Business Continuity phase starts after Recovery

disaster occurred and contained. The event could still be continuing.

phase is done and the steps to get back normal operating conditions are determined. It addresses
How business operations can resume on temporary

locations
The work-around needed The transition back to normal operations from

temporary location

BCP/DRP

133

BCP/DRP

134

BC/DR Plan Maintenance/Review Phase

Maintenance Phase occurs whether the BC/DR is activated or not. It deals with reviewing, evaluating and revising the plan. If activated, has to be done after the completion of Recovery Activity.

BC/DR Teams
Creating BC/DR Teams : people should be selected base on the skills, and expertise for the task they be assigned. Crisis Management Team:

have representatives from all business units Have expertise to deal with major business disruption In charge for activating, implementing and managing BC/DR plan

Evaluate how the plan performed in the light of actual event. Revise the document on the lessons learned.

Regular/scheduled plan review to insure the document still

current and valid.

During Operational changes: all changes in the business

operations and processes should will be handled in Change Control

BCP/DRP 135

Damage Assessment Team(s): from key areas of business units. Can be multiple Teams Mobile, immediate availability Operations Assessment Team(s): Who can assess the immediate impact on operations IT Team: have expertise in system administration and other IT related activities Administrative Support Team: Who can handle administrative tasks
BCP/DRP 136

34

BC/DR Teams contd

Transportation and Relocation Team: Who can address transportation and relocation needs for people and equipment Media Relations Team: Who can provide information about the disruption to employees, media, investors, customers, suppliers Human Resource Team: Who handle employees needs during disaster, hiring additional staff Legal Affairs Team: Who can address the legal concerns of the company Physical Security Team: Who can handle physical safety of the people, building. Who can handle access control to the building Procurement Team: Handles equipment and services purchasing

BC/DR Contact Information

Contact Information should include the following and be

stored where it can be readily available under a disaster condition.

The list should include Management Key Operations Staff BC/DR Team members Suppliers, vendors Key customers Emergency number Others as needed

This information should be maintained regularly and kept

up-to-date.

BCP/DRP

137

BCP/DRP

138

BC/DR Plan Change Control

Need to develop a method to:
update the BC/DR Plan when change occurs in the organization

Emergency Response and Recovery

Emergency Management Simple rule - Assigning roles Emergency Response Plan Emergency Response is the immediate response to the incident The Plan is derived from the risks identified Some of Emergency Response tasks are:

that has impact on the plan

E.g. Adding new departments, upgrading systems, changing operational process . Revision history table

monitor and track changes in BC/DR Plan (version control)

distribute the BC/DR plan to interested parties

Protect personnel Contain the incident Engage ERT and CMT Assess impact Notification

Develop a basic plan that covers variety of emergencies that contains Roles and Responsibilities Tools and equipment Resources Actions and procedures
BCP/DRP 139 BCP/DRP 140

35

Emergency Response Team (ERT)

Set up ERT with defined roles and responsibilities The ERT leader is responsible for activating and

Crisis Management Team (CMT)

CMT is responsible for making high-level decisions, coordinating efforts and determining the appropriate responses The team leaders for various activities in the BC/DR should be a member of CMT CMT oversees ERT and DRT ERT leader should be a member of CMT and report the activities to CMT regularly CMT coordinates the activities related to initiating DR efforts CMT role ceases when business continuity begins and it transitions the business operations to normal management. Need to create a hand-over criteria for transfer responsibility to normal operations. If alternate facility is setup, CMT is responsible for overseeing disaster recovery and business continuity activities
141 BCP/DRP 142

coordinating emergency response

If CMT and ERT are two separate teams the ERT leader

should be a member of CMT.

Emergency Response and Disaster Recovery can go in

parallel ERT members should be trained and regularly exercise on the tasks they are responsible for.

BCP/DRP

Crisis Management Team (CMT)

All Crisis related communications are originated or approved by CMT. It helps to insure correct and consistent information being release/communicated It keeps the CMT in the loop HR representative should be a member of the CMT. Addresses needs of employees Can hire, select and manage additional temporary staff (if needed). Representative from legal departments should be a member. Helps to address/handle legal and insurance related issues Representative form financial department should be a member to assess the status of the company and insure bills are dispersed in timely manner.
BCP/DRP 143

Disaster Recovery - checklists

Checklists help make the right decision and responders

understand the steps to take.

Activation Checklists: Activation checklist can be used to

determine if, how and when to activate BC/DR Plan. Identify all activities and triggers should take place before and during the plan activation.

Initial Response Checklist Damage Assessment Checklist Disaster Declaration and Notification Checklist

Recovery Checklists: identify all the activities should take

place during recovery phase

General Recovery Checklist Inspection, Assessment and Salvage Checklist

BCP/DRP 144

36

Section V:

Business Continuity - checklists

Business continuity begins when disaster recovery ends. Involves limited business operations. Involves work-around solutions while systems and resource are fully restored The most critical aspect of BC is determining what should be restored, salvaged or replaced. BC checklists help to insure the required systems are in place and functional

Summary
In this section we Studied Business Continuity and Disaster Recovery phases Defined BC/DR Teams. Defined BC/DR activity checklists

Resuming Work checklist HR checklist Insurance and Legal checklist Production and Operations checklist Resuming Operations checklist Using Existing Facility checklist New Facility checklist Transition to Normalized Activities checklist
BCP/DRP 145 BCP/DRP 146

Section VI Testing and Training

Section VI

Section Objectives
In this section we will cover the fifth Step in BCP/DRP Testing and Training Training for
Emergency Response Disaster Recovery Business Continuity

Testing BC/DR Plan.

BCP/DRP

147

BCP/DRP

148

37

Section VI

Testing and Training

Testing and Training

After BC/DR Plan is developed the next step is to test the plan effectiveness and train the implementers for the specific roles assigned
Plan Develop -ment Testing and Training Plan Maintenance

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

BCP/DRP

149

BCP/DRP

150

Section VI

Section VI

Training for Emergency Response

ERT members should be trained in the emergency response activities described in the BC/DR Plan the basic CPR training should be part of all emergency responders training. Specialized skills training may be required Refresher training should be taken regularly ERT leader is responsible for ensuring the members are trained

DR and BC Testing/Training
Four methods of plan testing
Paper Walk-through Functional exercise Field exercise Full interruptions

Training can be coordinated with testing The objective of the training is to understand the plan and
how to activate, when to activate, and how to implement the steps defined

Everyone involved in the BC/DR implementation needs to understand their roles and responsibilities
BCP/DRP 151 BCP/DRP 152

38

Section VI

Section VI

DR and BC Testing/Training Contd

Testing the plan Verifies the validity of the steps developed Provides training to implementers Identifies gaps and flaws in the plan, so can be revised Determines the cost and feasibility Before Testing develop Test Evaluation Criteria After completion write recommendation based on the result

DR and BC Testing Paper Walk-through

A Paper walk-through should be scheduled once a year.
Steps to run paper walk-through
Develop Realistic Scenarios Develop Evaluation Criteria Provide copies of the plan to CMT Divide participants by Team Use Checklists for key processes Take Notes Identify Additional Training needs Develop Summary and Lessons Learned Revise DR/BC Plan if needed.

BCP/DRP

153

BCP/DRP

154

Section VI

Section VI

DR and BC Testing Functional Exercise

A functional exercise is to test some of the plans functionality.
Done with very minimal or no impact to mission-critical business operations. Functional exercises can be used as a training mechanism. Follow similar steps covered in Paper walk-through

DR and BC Testing Field Exercise

Field exercises should be done with simulated realistic scenario. Can be with specific organization or department Can also be coordinated with the local/city emergency responders. Provides hands-on training. Helps to evaluate/assess the performance of CMT and DRT members

BCP/DRP

155

BCP/DRP

156

39

Section VI

Section VI

DR and BC Testing Full Interruption Test

Full Interruption activates all components of the Plan and interrupts mission-critical functions. Can be run with specific organization(s) or department(s) Can also be coordinated with the local/city emergency responders. Very expensive to run the test.

Summary
In this section we Studied BC/DR Plan testing and training

BCP/DRP

157

BCP/DRP

158

Section VII Plan Maintenance

Section VII

Section Objectives
In this section we will cover the last Step in BCP/DRP cycle Plan Maintenance Change Management Maintenance Activities

BCP/DRP

159

BCP/DRP

160

40

Section VII

Section VII

Plan Maintenance

Plan Maintenance Change Management

Plan Maintenances critical part is controlling and keeping up with changes to make the document current and viable. The major reasons for change or revising the plan are:
IT Change Operations Corporate Regulatory

Project Initiation

Risk Assessment

BIA

Risk Mitigation Strategy

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

161

BCP/DRP

162

Section VII

Plan Maintenance Change Control Methods

Monitoring implement a step in each business/function operational procedure to include if change impacts on BC/DR submit change request Regular review of organizational changes, current employment status and department of each BC/DR Team members. Ensure that everyone uses the latest version of the Plan

Steps
Risk Assessment
Risk Mitigation Strategy

Project Initiation

BIA

Plan Develop -ment

Testing and Training

Plan Maintenance

BCP/DRP

163

BCP/DRP

164

41