Post on 29-Nov-2015
2April 17, 2023
Business Continuity Management – Course / Certification
BC-DR Professional
BCM Courses, IT DRP Course
ABCP: Pass Qualifying Exam with at least 75%; < 2 Years significant Experience
Accumulate BC Experience
CFCP: > 2 Years BC Experience + Expertise in at least 3 Subject areas
CBCP: Exam Score >80%; > 2 Years BC Experience + Expertise in at least 5 Subject areas
MBCP: Exam Score >85%; > 5 Years BC Experience + Expertise in at least 7 Subject areas
Disaster Recovery Institute
DRI International’s Education Program--
1. BCLE 100: Project Management Principles
2. BCLE 200: Introduction to principle of risk Management
3. BCLE 300: Introduction to Business Impact Analysis
4. BCLE 400: Developing Business Continuity Strategies
*
*
9. BCLE 900: Crisis Communications coordination of external Agencies
10. BCLE 1000: Introduction to Business Continuity Mgmt
11. BCLE 2000: BCM for Advanced professional
Business Continuity Management
BASIC ELEMENTS--
1. What you do to reduce risk before an Event
2. How you respond during an event
3. What you do to recover after an event
Business Continuity Management
Different Phases (also called 6R)
1. REDUCE – steps taken before an incident to identify and mitigate risk
2. RESPOND – planned reaction to manage during an event
3. RECOVER – to recover the CRITICAL data
4. RESUME – to start CRITICAL activity + start recovering non-critical data
5. RESTORE – resumption of non-critical activity
6. RETURN – final movement back to original location
Professional Practices for Business Continuity Professionals…
1. PROJECT INITIATION AND MANAGEMENT
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS
4. DEVELOPING BUSINESS CONTINUITY STRATEGIES
5. EMERGENCY RESPONSE AND OPERATIONS
6. DEVELOPING AND IMPLEMENTING BC PLANS
7. AWARENESS AND TRAINING PROGRAMS
8. MAINTAINING AND EXERCISING BC PLANS
9. CRISIS COMMUNICATION
10. COORDINATION WITH EXTERNAL AGENCIES
Business Continuity Problem Statement…
Internal or External event interrupts one or more of your business processes
Time – Length of interruption – causes situation to become a Disaster
Amount of data loss and criticality of processes – level of disaster
A DISASTER is an unplanned calamitous event causing great damage or loss
BC Program Purpose…
Protect your….
People
Information
Operations
Organization
For any BC Program protecting people is primary and most important aspect
BC Program Objectives…
Ensure continuity and survival of organization
Planned reaction and management of interruption
Planned resumption and recovery of operations and
systems after an interruption
The restoration or replacement of asset to a “permanent”
site after an interruption
Why is BC Program Important?
Safeguards human life
Minimizes confusion and enables effective decisions in
time of crisis
Reduce dependency on specific personnel
Minimize loss of data, revenue, customers
Facilitates timely recovery of business functions
Maintain public image and reputation
Minimize time spent in decision making during crisis
Trends and directions
The wonder of the Web is that the customer knows about problems at the same time you do. There is no camouflage.
THEN NOW
PROTECT CRITICAL BUSINESS PROCESSES
PROTECT THE DATA CENTRE
1. Project Initiation and Management
PURPOSE:
To provide an understanding of how to establish the need and obtain management support for a Business Continuity Management (BCM) Program in your organization and to organize and manage the program to initiate the process to completion within agreed upon time and budget limits.
Objective:
1. Establish the Need for Business Continuity
o Reference relevant legal/regulatory/statutory/contractual requirements and restrictions, such as:
▬ Banking regulations (BC-177)
▬ NFPA 1600 (National Fire Protection Association)
▬ Gramm-Leach-Bliley Act
▬ Prudent Man Act
▬ HIPAA
▬ BASEL II
▬ Sarbanes-Oxley
1. Project Initiation and Management
Objective (cont):
2. Identify business practices (e.g., just-in-time inventory) that may adversely impact the organization’s ability to recover following a disaster event
3. Document what is industry standard and what the competition is doing
4. Communicate the need for a business continuity plan
o By BIA
o Suggesting strategies for safeguarding critical functions
o Develop awareness by means of formal reports
o By relating BCP benefits to organizational mission, objectives and operations
5. Involve Executive Management in BCP Project
o Defining approval chain is critical for success
6. Establish Planning/Steering Committee: Roles and responsibilities
1. Project Initiation and Management
Objective (cont):
7. Develop Budget requirements
Clearly define resource requirement
Clearly define financial requirement
8. Identify Planning team(s) and responsibility
Emergency Mgmt/ Crisis response/ Crisis Mgmt Team
BCP Teams (multi-location, multi-divisions, etc)
Recovery/response and restoration team
9. Develop Documentation requirements and responsibility
10. Continuously report to senior mgmt through regular status reports and obtain senior mgmt approvals.
Keys to project mgmt success: a) Choice of right people b) Involve first level mgmt in project c) Senior mgmt commitment
2. RISK EVALUATION AND CONTROL
PURPOSE:
Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in controls to mitigate risks
Objective:
1. Identify risk and threats that organisation is exposed to
2. Probability of their occurrence
3. Identify critical functions
4. Impact of the threats
5. Control required to mitigate the threat
6. Cost-Benefit analysis of control Vs Risk
2. RISK EVALUATION AND CONTROL
Understand the loss potential:
1. THREATS -- Cause/Event
2. RISKS --- Effect
3. PROBABILITY --- frequency/chances
4. VULNERABILITY
Threat Vulnerability Risk
ASSETS Cause Probability Effect
2. RISK EVALUATION AND CONTROL
Identify exposures from both internal and external sources. These should include, but not be limited to, the following:
a) Natural, man-made, technological, or political disasters
b) Accidental versus intentional
c) Internal versus external
d) Controllable risks versus those beyond the organization’s control
e) Events with prior warnings versus those with no prior warnings
Determine the probability of events
a) Information sources
b) Credibility
Create methods of information gathering
Develop a suitable method to evaluate probability versus severity
Establish cost benefit analysis to be associated with the identified loss potential
2. RISK EVALUATION AND CONTROL
Select exposures most likely to occur and with greatest impact
Identify Controls and Safeguards to Prevent and/or Mitigate the Effect of the Loss Potential
Considerations: The actions taken to reduce the probability of occurrence of incidents that would impair the ability to conduct business.
a) Physical protection
b) Physical presence
c) Logical protection
d) Location of assets
e) Procedural controls
2. RISK EVALUATION AND CONTROL
1. Establish disaster scenarios based on risks to which the organization is exposed. The disaster scenarios should be based on these types of criteria: severe in magnitude, occurring at the worst possible time, resulting in severe impairment to the organization’s ability to conduct business.
2. Evaluate risks and classify them according to relevant criteria, including: risks under the organization’s control, risks beyond the organization’s control, exposures with prior warnings (such as tornadoes and hurricanes), and exposures with no prior warnings (such as earthquakes).
3. Evaluate impact of risks and exposures on those factors essential for conducting business operations: availability of personnel, availability of information technology, availability of communications technology, status of infrastructure (including transportation), etc.
4. Evaluate controls and recommend changes, if necessary, to reduce impact due to risks and exposures
Controls to inhibit impact exposures: preventive controls (such as passwords, smoke detectors, and firewalls)
Controls to compensate for impact of exposures: reactive controls (such as hot sites)
3. BUSINESS IMPACT ANALYSIS
PURPOSE: Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.
OBJECTIVE:
• Establish critical functions
• Determine qualitative and quantitative impacts of the disruptions
• Prioritize activities
• Establish RTO and RPO
• Establish interdependencies of functions
• Document the list of vital records
3. BUSINESS IMPACT ANALYSIS
PURPOSE:
• To provide business rationale for a business continuity plan
• To provide a factual, understandable and informative set of findings that mgmt can use to provide direction for development of BCP
• To communicate the inherent vulnerabilities of the business units
3. BUSINESS IMPACT ANALYSIS
Recovery Time Objective (RTO): Time within which business functions or application systems must be recovered to acceptable levels of operational capability to minimize the impact of the outage
RTOs are often used as a basis for:
• Establishing priorities
• Developing strategies
• Determining whether or not the event is a disruption or a disaster
Recovery Point Objective (RPO):
1. Potential lost transactions
2. Tolerable data loss
3. Target recovery point in time
4. Last available data backup
3. BUSINESS IMPACT ANALYSIS
Assess Effects of Disruptions, Loss Exposure, and Business Impact
Effects of disruptions
▬ Loss of assets: key personnel, physical assets, information assets, intangible assets
▬ Disruption to the continuity of service and operation
▬ Violation of law/regulation
▬ Public perception
Impact of disruptions on business
▬ Financial
▬ Customers and suppliers
▬ Public relations/credibility
▬ Legal
▬ Regulatory requirements/considerations
▬ Environmental
▬ Operational
▬ Personnel
▬ Other resources
3. BUSINESS IMPACT ANALYSIS
Assess Effects of Disruptions, Loss Exposure, and Business Impact
Determine Loss Exposure
▬ Quantitative
1. Property loss
2. Revenue loss
3. Fines
4. Cash flow
5. Accounts receivable
6. Accounts payable
7. Legal liability
8. Human resources
9. Additional expenses/increased cost of working
▬ Qualitative
1. Human resources
2. Morale
3. Confidence
4. Legal
5. Social and corporate image
6. Financial community credibility
3. BUSINESS IMPACT ANALYSIS
Determine minimum resource requirements for recovery and resumption of critical functions and support systems
▬ Internal and external resources
▬ Owned versus non-owned resources
▬ Existing resources and additional resources required
Interdependencies between the business processes
▬ Intradepartmental
▬ Interdepartmental
▬ External relationships
The BIA provides mgmt key information for making strategic decisions regarding business continuity and recovery
4. DEVELOPING BUSINESS CONTINUITY STRATEGIES
Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objective, while maintaining the organization’s critical functions
OBJECTIVE:
1. Understand Available Alternatives and Their Advantages,
Disadvantages, and Cost Ranges, including mitigation as a recovery
strategy
2. Identify Viable Recovery Strategies within Business Functional Areas
3. Consolidate Strategies
4. Identify Off-Site Requirements and Alternative Facilities
5. Develop Business Unit Strategies
6. Obtain Commitment from Management for Developed Strategies
4. DEVELOPING BUSINESS CONTINUITY STRATEGIES
1. Identify Enterprise-wide and Business Unit Continuity Strategic Requirements
Review business continuity issues
   1. Timeframes
   2. Options
   3. Location
   4. Personnel
   5. Communications (crisis/media and voice/data)
Compare internal/external solutions
Identify alternative continuity strategies
   1. Do nothing
   2. Defer action
   3. Manual procedures
   4. Reciprocal agreements
   5. Alternative site or business facility
   6. Alternate source of product
   7. Third-party service providers/outsourcers
   8. Distributed processing
   9. Alternative communications
   10. Mitigation
   11. Preplanning
Assess risk associated with each optional continuity strategy
4. DEVELOPING BUSINESS CONTINUITY STRATEGIES
2. Assess Suitability of Alternative Strategies Against the Results of a Business Impact Analysis
3. Prepare Cost/Benefit Analysis of Continuity Strategies and Present Findings to Senior Management
4. Select Alternate Site(s) and Off-Site Storage
   1. Criteria
   2. Communications
   3. Agreements considerations
   4. Comparison techniques
   5. Acquisition
   6. Contractual consideration
5. Develop, implement and exercise enterprise-wide plans for business continuity
6. Develop, implement and exercise Business Units plans for business continuity in line with enterprise-wide plan
7. Develop strategies to recover/restore
▬ Telecommunications
▬ Voice communications
▬ Data communications
Strategies should be developed at organizational as well as functional level
5. EMERGENCY RESPONSE AND OPERATIONS
Develop and implement procedures for response and stabilizing the situation following an
incident or event, including establishing and managing an Emergency Operations Center
to be used as a command center during the emergency.
OBJECTIVE:
1. Identify Potential Types of Emergencies and the Responses Needed (e.g., fire, hazardous materials leak, medical)
2. Identify the Existence of Appropriate Emergency Response Procedures
3. Recommend the Development of Emergency Procedures Where None Exist
4. Integrate Disaster Recovery/Business Continuity Procedures with Emergency
Response Procedures and Escalation Procedures
5. Identify the Command and Control Requirements of Managing an Emergency
6. Recommend the Development of Command and Control Procedures to Define
Roles, Authority, and Communications Processes for Managing an Emergency
7. Ensure Emergency Response Procedures are Integrated with Requirements of
Public Authorities (Refer also to Subject Area 10, Coordination With Public
Authorities)
5. EMERGENCY RESPONSE AND OPERATIONS
1. Identify Components of Emergency Response Procedure
A. Reporting procedures
   I. Internal (escalation procedures)
      a. Local
      b. Organization (decision-making process)
   II. External (response procedures)
      a. Public agencies and media
      b. Suppliers of products and services
B. Pre-incident preparation
   I. By types of disaster
      a. Acts of nature
      b. Accidental
      c. Intentional
   II. Management continuity and authority
   III. Roles of designated personnel
C. Emergency actions
      a. Evacuation
      b. Medical care and personnel counselling
      c. Hazardous material response
      d. Firefighting
      e. Notification
      f. Other
5. EMERGENCY RESPONSE AND OPERATIONS
D. Facility stabilization
E. Damage mitigation
F. Testing procedures and responsibilities
2. Develop Detailed Emergency Response Procedures
A. Protection of personnel
B. Containment of incident
C. Assessment of effect
D. Decide optimum actions
3. Identify Command and Control Requirements
A. Designing and equipping the Emergency Operations Center
B. Command and decision authority roles during the incident
C. Communication vehicles (e.g., e-mail, radio, messengers, and cellular telephones, etc.)
D. Logging and documentation methods
5. EMERGENCY RESPONSE AND OPERATIONS
4. Command and Control Procedures
A. Opening the Emergency Operations Center
B. Security for the Emergency Operations Center
C. Scheduling the Emergency Operations Center teams
D. Management and operations of the Emergency Operations Center
E. Closing the Emergency Operations Center
5. Emergency Response
A. Develop, implement, and exercise emergency response procedures, including determination of priorities for actions in an emergency
B. Develop, implement, and exercise procedures such as first aid and medical treatment; identify location and develop procedures for transportation to nearby hospitals
Identify Command and Control Requirements
6. Recognize potential need to establish liaison with external agencies (e.g., statutory agencies, emergency services such as fire departments and police, insurers, loss adjusters, etc.), and specify type of information these agencies may require
7. Establish procedures with public authorities for facility access
8. Establish procedures with third-party service providers, including appropriate contractual agreements
5. EMERGENCY RESPONSE AND OPERATIONS
Emergency Response components
1. Escalation and reporting procedures
2. Emergency notification procedure for internal and external parties
3. Life safety procedures
4. Identify types of emergencies and responses needed
5. Identify current procedures/ recommend new
6. Define core roles and responsibility
7. Testing procedures and responsibilities
Planning must take place before you have an emergency so that there is a coordinated, effective response that protects your organization and minimizes the damage
6. Developing and Implementing Business Continuity Plans
Design, develop, and implement Business Continuity and Crisis Management plans that provide continuity within the recovery time objective and recovery point objective.
OBJECTIVE:
Document procedures required to continue, recover and restore the functional capability of the organization.
SOME KEY TASKS:
1. Develop teams and tasks
2. Develop specific steps to minimize the risks of outage and restore normal operations
3. Document the plan
SOME KEY DELIVERABLES:
1. Emergency response plans and procedures
2. Crisis communication procedures
3. Coordination with external agencies
4. The draft plan
6. Developing and Implementing Business Continuity Plans
TYPES OF PLANS:
1. Crisis Mgmt Plan
2. Disaster recovery plan
3. Emergency response plan
4. Business Continuity plan
5. Business Unit Plans
6. COOP (Continuity of operation)
These are jointly called Business Continuity Management
Business Continuity Plan products:
Information
1. WHO executes recovery actions
2. WHAT is needed to recover, resume, continue or restore business function
3. WHERE to go to resume corporate, business and operations functions
4. WHEN business functions and operations must resume
5. HOW --- detailed procedures for recovery, resumption, continuity and restoration
6. Developing and Implementing Business Continuity Plans
SUCCESSFUL PLANS:
1. Clear and concise
2. Coordinated with suppliers and vendors
3. Senior management support/organisation commitment
4. On-going/part of strategic effort
5. Appropriate budget
6. Backups and offsite storage programs
7. Fully documented and exercised regularly
8. Risks are managed
9. Vulnerabilities are prioritized
10. Flexible and adaptable
11. Information security inbuilt with the plan
REVIEW COMPONENTS:
1. Is the plan consistent with the findings of the BIA
2. Are roles and responsibility defined
3. Are resources in place
4. Can plan be implemented
6. Developing and Implementing Business Continuity Plans
STRUCTURE:
1. Develop General Introduction or Overview
A. General Information:
• Introduction
• Scope
• Objectives
• Assumptions
• Responsibility overview
• Testing
• Maintenance
B. Plan activation:
• Notification
• Disaster declaration procedure
• Mobilization procedures
• Damage assessment concepts
C. Team Organisation
D. Policy Statement
E. Emergency Operations Centres
6. Developing and Implementing Business Continuity Plans
STRUCTURE (contd.):
2. Develop Administration Team Documentation
A. Identify continuity functions for the following, including qualifications, responsibilities and resources required
   1. Communications (public relations/media, client and employee)
   2. Personnel/human resources
   3. Security
   4. Insurance/risk management
   5. Equipment/supplies purchasing
   6. Transportation
   7. Legal
B. Other specialist coordinator/team responsibilities
   1. Relations/liaison with regulatory bodies
   2. Investor relations
   3. Relations with other involved groups (e.g., customers and suppliers)
   4. Labour relations
C. Develop specific procedures for each function or building identified above:
   1. Department/individual/building plans
   2. Checklists
   3. Technical procedures
6. Developing and Implementing Business Continuity Plans
STRUCTURE (contd.) :
3. Develop Business Operations Team Documentation
A. Operating department plans
   1. Essential business functions
   2. Information protection and recovery
   3. Activation actions
   4. Disaster site recovery/restoration actions
   5. End-user computing needs
B. Action sections
   1. Recovery team
      a. Personnel
      b. Responsibilities
      c. Resources
C. Action plans
   1. Specific department/individual plans
   2. Checklists
   3. Technical procedures
6. Developing and Implementing Business Continuity Plans
STRUCTURE (contd.) :
4. Develop Communication Systems
A. Voice communications recovery plans
1. Phone lines, including in-bound, toll-free (1-800) lines, and fax lines
2. Voice mail, voice response units, and other voice-based services
3. Alternate arrangement for automated voice response during a disaster
B. Data communications recovery plans
1. Data communications with mainframe-based information systems
2. Local area network (LAN) recovery for work area recovery
3. Wide area network (WAN) recovery for restoring global connectivity
4. E-mail, groupware, and other data communications-based work support
C. Emphasize and ensure detailed and up-to-date documentation of voice and
data communications networks throughout the enterprise
6. Developing and Implementing Business Continuity Plans
STRUCTURE (contd.) :
5. Implement the Plans
A. Ensure that required tasks are completed for plan implementation
1. Acquiring additional equipment
2. Contractual arrangements
3. Preparing backup and offsite storage
4. Appropriate documentation for plans in place
B. Develop test plans, schedules, and test reporting procedures
1. Acquiring additional equipment
2. Contractual arrangements
3. Preparing backup and off-site storage
C. Develop maintenance, updating, and reporting procedures
7. Awareness and Training Program
Prepare a program to create and maintain corporate awareness and enhance the skills
required to develop and implement the Business Continuity Management program
or process and its supporting activities.
1. Define Awareness and Training Objectives
2. Develop and Deliver Various Types of Training Programs as appropriate
   a. Computer-based
   b. Classroom
   c. Test-based
   d. Instructional guides and templates
3. Develop Awareness Programs
   a. Management
   b. Team members
   c. New employee orientation and current employee refresher program
4. Identify Other Opportunities for Education
   a. Professional business continuity planning conferences and seminars
   b. User groups and associations
   c. Publications and related Internet sites
5. Identify Vehicles for corporate awareness
7. Awareness and Training Program
Purpose of Awareness Program
1. Increase knowledge and awareness on how to prepare for and respond to
emergency situations
2. Knowing how to respond to an event will increase the chances of survival
3. Making employees aware of the risks to the organisation and the impact of those risks
4. Making employees aware of the plans in place to protect them from a disaster
5. Training employees how to respond during disaster
6. Orients new employees to BCM program
Awareness and training activities should be designed to meet the needs of the target audience
8. Maintaining and Exercising Business Continuity Plans
Pre-plan and coordinate plan exercises, and evaluate and document plan
exercise results. Develop processes to maintain the currency of continuity
capabilities and the Plan documents in accordance with the organization’s
strategic direction. Verify that the Plans will prove effective by comparison
with a suitable standard, and report results in a clear and concise manner
Objective:
1. Assesses viability of the plan
2. Practice procedure before the disaster
3. Satisfy the legal and audit requirements
4. Identifies the areas which need modification
5. Enables BCM program to remain active, up-to-date, understood and usable
6. Demonstrate the ability to recover
7. Provides mechanism for maintaining and updating plan
8. Ensure plan is effective to achieve targeted RTO
8. Maintaining and Exercising Business Continuity Plans
“The safety policy and procedures were in place;
the practice was deficient”
--- extract from Lord Cullen’s report into the Piper Alpha Disasters
I hear. I forget
I see. I remember
I do. I understand
--- Chinese Proverb
8. Maintaining and Exercising Business Continuity Plans
1. Establish an Exercise Program
A. Develop an exercise strategy that does not put the organization at risk, is practical, cost-effective, and appropriate to the organization, which ensures a high level of confidence in recovery capability
B. Employ a logical, structured approach (effectively analyze complex issues)
C. Create a suitable set of exercise guidelines
2. Determine Exercise Requirements
A. Define exercise objectives and establish acceptable levels of success
B. Identify types of exercises, and their advantages and disadvantages
   1. Walk-throughs/tabletop
   2. Simulations
   3. Modular/component (call trees, applications, etc.)
   4. Functional (specific lines of business)
   5. Announced/planned
   6. Unannounced/surprised
C. Establish and document scope of the exercise (participants, timing, etc.)
8. Maintaining and Exercising Business Continuity Plans
3. Develop Realistic Scenarios
A. Create exercise scenarios to approximate the types of incidents the organization is likely to experience and the problems associated with these incidents
B. Map scenarios identified to different test types
4. Establish Exercise Evaluation Criteria and Document Findings
A. Develop criteria aligned with exercise objectives and scope
   1. Measurable and quantitative
   2. Qualitative
B. Document results as per criteria identified
   1. Expected versus actual results
   2. Unexpected results
5. Create an Exercise Schedule
A. Develop a progressive, incremental schedule
B. Set realistic time scales
8. Maintaining and Exercising Business Continuity Plans
6. Prepare Exercise Control Plan and Reports
a. Define exercise objectives and select an appropriate scenario
b. Define assumptions and describe limitations
c. Identify resources required to conduct the exercise, identify participants; ensure all
understand the objectives and their roles
d. Identify exercise adjudicators (umpires), and clearly identify all roles and
responsibilities
e. Provide a timetable of events and circulate to all participants, facilitators, and
adjudicators
f. In the event of a real situation occurring during an exercise, you may want to have a
predetermined mechanism for cancelling the exercise and invoking your real
business continuity process
7. Facilitate Exercises
a. Execute the exercise(s) as planned above
b. Audit exercise actions
8. Maintaining and Exercising Business Continuity Plans
8. Post-Exercise Reporting
a. Provide a cogent, comprehensive summary with recommendations, commensurate with levels of confidentiality requested by exercise umpire/adjudicator or as specified by the subject organization
9. Feedback and Monitor Actions Resulting from Exercise
a. Conduct debriefing sessions to review exercise results and identify action items for
improvement.
b. Identify actions and owners for recommendations; confirm owner acceptance
c. Confirm time schedules for completing or reviewing agreed actions
d. Monitor (and escalate where necessary) progress to completion of agreed actions
10. Define Plan Maintenance Scheme and Change control procedure
a. Ensure that scheduled plan maintenance addresses all documented recommendations
b. Analyze business changes with business continuity planning implications
c. Develop change control procedures to monitor changes
d. Create proper version control: develop plan reissue, distribution, and circulation procedures
e. Identify plan distribution list for circulation
8. Maintaining and Exercising Business Continuity Plans
11. Establish Status Reporting Procedures
a. Establish reporting procedures
   1. Content
   2. Frequency
   3. Recipients
12. Audits
A. Audit the BCP’s Structure, Contents, and Action Sections
   1. Determine if a section in the BCP addresses recovery considerations
   2. Evaluate the adequacy of emergency provisions and procedures
   3. Recommend improved positions if weaknesses exist
B. Audit the BCP’s Documentation Control Procedures
   1. Determine whether the BCP is available to key personnel
   2. Review update procedures
   3. Demonstrate that update procedures are effective by auditing test results
   4. Examine the provision of secure backup copies of the BCP for emergency use
   5. List those individuals with copies of the BCP
   6. Ensure that BCP copies are current
“The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn’t”
9. Public relation and crisis communication
Develop, coordinate, evaluate, and exercise plans to communicate with
internal stakeholders (employees, corporate management, etc.), external
stakeholders (customers, shareholders, vendors, suppliers, etc.) and the
media (print, radio, television, Internet, etc.)
OBJECTIVE:
1. Establish Programs for Proactive Crisis Communications
2. Establish Necessary Crisis Communication Coordination with External
Agencies (local, state, national government, emergency responders, regulators,
etc.)
3. Establish Essential Crisis Communications with Relevant Stakeholder Groups
4. Establish and Exercise Media Handling Plans for the Organization and its Business
Units
9. Public relation and crisis communication
1. Identify and Develop a Proactive Crisis Communications Program
a. Internal (corporate and business unit level) groups
b. External groups (customers, vendors, suppliers, public)
c. External agencies (local, state, national governments, emergency responders,
regulators, etc.)
d. Media (print, radio, television, Internet)
2. Establish Essential Crisis Communication Plans with External Agencies as appropriate.
A. Develop ongoing procedures/tools to manage relationships with multiple agencies
as appropriate
1. Local/state/national emergency services
2. Local/state/national civilian defence authorities
3. Local/state/national weather bureaus
4. Other governmental agencies as appropriate
9. Public relation and crisis communication
3. Establish Essential Communications Plans with Internal and External Stakeholders to ensure they are kept informed as appropriate
A. Develop ongoing procedures/tools to manage relationships with multiple stakeholders as appropriate
(1) Owners/stockholders
(2) Employees and their families
(3) Key customers
(4) Key suppliers
(5) Corporate/headquarters management
(6) Other stakeholders
4. Establish Essential Crisis Communications Plans with the Media outlets
A. Develop ongoing procedures/tools to manage relationships with the media
   1. Print (newspapers, journals, etc.)
   2. Radio
   3. Television
   4. Internet
9. Public relation and crisis communication
5. Develop and Facilitate Exercises for Crisis Communication Plans
A. Establish exercise objectives annually
B. Coordinate and execute exercises
C. Debrief and report on exercise results, including action plans for revisions
What is Crisis Communication?
Effective and managed communication about an event or occurrence that can impact people, organizations and communities
Simple
Direct
Honest
9. Public relation and crisis communication
Key components of messages
1. Clear and easy to comprehend
2. Repeated constantly
3. Integrated with message sent to other audiences
4. Consistent
5. Be up front regarding confidential information
6. Speak to the specific audiences’ concerns
7. Use personal language and acknowledge emotions
8. Appreciate the individuality of the responses
Perception is Reality
10. Coordination with Public authorities
Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with external agencies (local, state, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes or regulations.
OBJECTIVE:
1. Identify and Establish Liaison Procedures for Emergency Management
2. Coordinate Emergency Management with External Agencies
3. Maintain Current Knowledge of Laws and Regulations Concerning
Emergency Management as it pertains to a particular organization
10. Coordination with Public authorities
1. Identify Applicable Laws and Regulations Governing Emergency Management
A. Gather/identify sources of information on applicable laws and regulations
(disaster recovery, environmental cleanup, business resumption, etc.) and
determine their impact to own organization and/or industry
B. Identify statutory requirements for the industry in which the organization
participates
2. Identify and Coordinate with Agencies Supporting Business
Continuity aims
A. Identify and develop procedures with external agencies providing disaster
assistance (financial and resources) to manage the ongoing relationships
as appropriate
B. Work with statutory agencies to conform to legal and regulatory
requirements as appropriate
10. Coordination with Public authorities
3. Develop and Facilitate Exercises with External Agencies
A. Establish exercise objectives annually
B. Coordinate and execute exercises
C. Debrief and report on exercise results, including action plans for revisions