Post on 16-Dec-2015
Introduction to Business Introduction to Business Continuity PlanningContinuity Planning
An Introduction to the Business An Introduction to the Business Continuity Planning Process Including Continuity Planning Process Including
Developing your Process and the Developing your Process and the Plans to Support RecoveryPlans to Support Recovery
©Green Oak Solutions, L.L.C.
Brighton, MI
The primary goals of BCP are to The primary goals of BCP are to ensure Staff Safety and delivery of ensure Staff Safety and delivery of goods and services to external and goods and services to external and
internal customers in spite of internal customers in spite of adverse conditionsadverse conditions
Goals for the Process
Process DriversProcess Drivers
Just in Time Operations- JIT, Lean ManufacturingJust in Time Operations- JIT, Lean Manufacturing Limited Redundancy in OperationsLimited Redundancy in Operations Reliance Upon Technology to Accomplish JobReliance Upon Technology to Accomplish Job Low Maximum Acceptable DowntimeLow Maximum Acceptable Downtime Single Points of Failure in OperationsSingle Points of Failure in Operations Supply Chain Network RisksSupply Chain Network Risks Financial, Reputation, Legal, Market RisksFinancial, Reputation, Legal, Market Risks Post 9/11 Concerns- People and OperationsPost 9/11 Concerns- People and Operations
Business Continuity Business Continuity Planning involves:Planning involves:
Emergency Response PlanningEmergency Response Planning
Crisis Management and Crisis Management and CommunicationCommunication
Business Resumption PlanningBusiness Resumption Planning
Business Continuity Planning
Maximum Acceptable Downtime
The period the operation or business functions can be shut down without there being a significant impact on the company’s revenue stream, public credibility, regulatory compliance, etc.
Business Continuity Planning
Disaster
Any event that causes disruption to company operations or business functions for a period beyond the Maximum Acceptable Downtime.
Following a Crisis, Insurance Following a Crisis, Insurance Won’t:Won’t:
Retain customer confidence and market Retain customer confidence and market shareshare
Address Customer MigrationAddress Customer Migration Restore damage to company imageRestore damage to company image Develop and bring new products into the Develop and bring new products into the
marketplacemarketplace Replace valuable employees or improve Replace valuable employees or improve
employee moraleemployee morale
Ultimate GoalsI. Integrate Operational and Business Risk
Reduction with Business Continuity.
II. Create a Risk Reduction/Disaster Resistance Mentality
III. Cover all aspects of the Response/Recovery process from Emergency Response through Business Recovery
IV. Integrate all key aspects of planning- Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption
Critical Success Factors
1. Provide management support and direction- Process Owner and Process Sponsorship
2. Recognize scope and magnitude of effort
3. Commit sufficient financial and personnel resources to Process- Project Manager
4. BCP is a Process not a Project
A Risk Based View of PlanningA Risk Based View of Planning
Planning involves the reduction of risksPlanning involves the reduction of risks In order to determine the priorities for In order to determine the priorities for
planning a Needs Assessment/ Business planning a Needs Assessment/ Business Impact Analysis is conductedImpact Analysis is conducted
The BIA forms the The BIA forms the Pre IncidentPre Incident operations risk assessmentoperations risk assessment
Risks are Identified, and Quantified Risks are Identified, and Quantified Mitigation Priorities are Established-see Mitigation Priorities are Established-see
Flowchart that followsFlowchart that follows
Business Continuity Planning
Pre Incident Planning and Post Incident Response
The Pre Incident Planning Process identifies the key risks to the organization, quantifies them and suggests ways to mitigate them
The Post Incident Response Plans are designed to provide the full range of response to incidents beginning with the initial stages of an event through to its resolution, and resumption of operations
Business Continuity Planning and Recovery Process
Pre-Incident Planning Process
EMERGENCYRESPONSE
CRISIS MANAGEMENT
STEP 1
Post-Incident Response Planning Process
INCIDENT
RISKIDENTIFICATION
RISK QUANTIFICATION
RISK MITIGATION
STEP 2 STEP 3
STEP 4 STEP 5 STEP 6
BusinessResumption
Key Factors for ProcessKey Factors for Process
Each step in process can be defined and Each step in process can be defined and measuredmeasured
Several key factors for each step are summarized Several key factors for each step are summarized in slides that followin slides that follow
Can form measurement grid for processCan form measurement grid for process Provide an indication of the issues to be Provide an indication of the issues to be
addressed at each step in the processaddressed at each step in the process
Risk Identification - Typical Risk Generators
> Physical risks identified
> Operational risks identified
> Critical single source suppliers identified
> Revenue impact potential identified
> Contractual/Regulatory exposures identified
> Process flow mapped
Risk Quantification - Typical Measurement Methods
> Physical risk controls identified and evaluated for effectiveness
> Operational risk controls identified and evaluated for effectiveness
> Residual risk identified and translated to outage and impact potential
> Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.
> Risk and impact quantification used to develop mitigation priorities
Risk Mitigation - Typical Risk Reduction
> Future mitigation priorities supported by risk ID, and quantification
> Physical and Operational risk reduction from mitigation quantified
> Mitigation issues assigned time frame and responsibility
> Review process addresses mitigation issue resolution
Emergency Response – Typical Initial Emergency Response – Typical Initial ResponseResponse
>> Emergency Response Team is in place and trainedEmergency Response Team is in place and trained
> All potential hazard scenarios are considered> All potential hazard scenarios are considered
> Evacuation and Take Cover procedures are in place and > Evacuation and Take Cover procedures are in place and testedtested
> Employee gathering spots are defined> Employee gathering spots are defined
> Plan addresses notification and direction of police, fire, EMS, > Plan addresses notification and direction of police, fire, EMS, and Utilitiesand Utilities
> Restoration and Reconstruction contractors identified and > Restoration and Reconstruction contractors identified and engagedengaged
> Damage Assessment Team and Plan is developed> Damage Assessment Team and Plan is developed
Crisis Management – Typical Incident Crisis Management – Typical Incident Management ControlsManagement Controls
>> Facility Crisis Management Team identified and completeFacility Crisis Management Team identified and complete
> Roles and Responsibilities are detailed> Roles and Responsibilities are detailed
> Crisis Communications Plan is in place for all effected/interested > Crisis Communications Plan is in place for all effected/interested partiesparties
> Damage Assessment reporting is linked with CMT operations> Damage Assessment reporting is linked with CMT operations
> Disaster Declaration criteria/decision points are defined> Disaster Declaration criteria/decision points are defined
> CMT directs both Restoration and Resumption> CMT directs both Restoration and Resumption
> CMT is the focal point for local recovery and Corporate liaison> CMT is the focal point for local recovery and Corporate liaison
Business Resumption – Typical Longer Business Resumption – Typical Longer Range ActionsRange Actions
>> Recovery teams are identified with detailed Roles and Recovery teams are identified with detailed Roles and ResponsibilitiesResponsibilities
> Mitigation of customer impact is captured in the plan> Mitigation of customer impact is captured in the plan
> Restoration of productive capacity and capability with timeframes> Restoration of productive capacity and capability with timeframes
> Restoration of Host Site is addressed> Restoration of Host Site is addressed
> Alternative Production operations are defined in detail> Alternative Production operations are defined in detail
> Manufacturing Contingency Plans are in place> Manufacturing Contingency Plans are in place
> Mega Application of sound Manufacturing Engineering principles> Mega Application of sound Manufacturing Engineering principles
> IT and Telecommunications recovery plan is identified> IT and Telecommunications recovery plan is identified
Operation of The Operation of The Business Continuity PlanBusiness Continuity Plan
Flowchart that follows depicts a typical Flowchart that follows depicts a typical recovery sequencerecovery sequence
Can be modeled to any operationCan be modeled to any operation Identifies the Key Escalation points, and Identifies the Key Escalation points, and
Plans that are activatedPlans that are activated Every Operation is Different…Every Operation is Different… The Response Process is Similar…The Response Process is Similar… The Solution is Customization of the Plan The Solution is Customization of the Plan
ElementsElements
Key Elements of ResponseKey Elements of Response
Emergency Response PlanEmergency Response Plan Crisis Management PlanCrisis Management PlanDamage Assessment and Facility Damage Assessment and Facility
RestorationRestorationCrisis Communications and Human Crisis Communications and Human
ResourcesResourcesThese plans Respond to the Incident, Mitigate These plans Respond to the Incident, Mitigate
its effects, and Manage the Process of its effects, and Manage the Process of Restoring Full OperationsRestoring Full Operations
Key Elements of ResponseKey Elements of Response
Emergency Operations CentersEmergency Operations Centers
Crisis Management TeamCrisis Management Team
Crisis Communications TeamCrisis Communications Team
Damage Assessment TeamDamage Assessment Team
Key Elements of ResponseKey Elements of Response
Full Business Resumption PlansFull Business Resumption Plans
These plans are developed at the These plans are developed at the operations level to address recovery operations level to address recovery from incidents ranging from from incidents ranging from moderate to severe in nature- All moderate to severe in nature- All operating areas should develop a operating areas should develop a planplan
ERP Activated and Initial
Response is Conducted.Employee
Evacuation and Safeguarding, etc.
Initial Assessment of
Damage by First
Responders
Incident Contained by First
Responders>Limited Damage
>No Crisis Management Plan
Activation
Damage Assessment Plan Activated by CM
Team LeaderDAT Leadership Deploys to Site
Crisis Management Plan
Activated
CMT Activated and Deploys to the EOC
EOC Plan ActivatedFor CMT
Operations
Damage AssessmentRestorationRepair and
Reconstruction Plan Activated
Crisis Management and
Crisis Communications Plan Activated
Is Maximum Acceptable
Downtime going to be Exceeded?
MAD Not Exceeded
Repairs Expedited and Restoration to Full
Production Within MAD
MAD Exceeded
Activate Full Recovery and Contingency Efforts Including:
> Rapid Reconstruction
> Expanded Crisis Communications
> Production Contingency Plan
> Supply Chain Network Response Plan
2-4 Hours Into IncidentInitial Activation of Crisis Management Plan-Damage
Assessment PlanCrisis Management Plan Fully Activated
4 to 8 Hours Into Incident
Crisis Management Sub Plans Activated 4 hours to 48 Hours after Incident
Evaluation of Potential for ExceedingMaximum Acceptable Downtime
2 to 3 days after Incident
Crisis Management
Plan
Incident Response Flow And
Plan Activation
Copyright 2005 Green Oak Sol utions, L.L.C.
Key Elements of ResponseKey Elements of Response
TeamsTeams Emergency Response Team-Emergency Response Team- Safety, Security, Safety, Security,
Medical, Line Management, EnvironmentalMedical, Line Management, Environmental Crisis Management Team-Crisis Management Team- Senior leadership, Senior leadership,
Operations ManagementOperations Management Damage Assessment Team-Damage Assessment Team- Facility and Utilities Facility and Utilities
Engineering, Process Maintenance, Purchasing, Engineering, Process Maintenance, Purchasing, Logistics, SecurityLogistics, Security
Crisis Communications-Crisis Communications- HR and Communications HR and Communications SpecialistsSpecialists
Business Resumption-Business Resumption- Line Management and Staff Line Management and Staff
TheThe Value of Emergency ResponseValue of Emergency Response
1991-2000 Business Interruption Losses1991-2000 Business Interruption Losses 2,281 Losses Examined2,281 Losses Examined Emergency Response Plan ActivatedEmergency Response Plan Activated Properly Planned and Implemented - $920,000Properly Planned and Implemented - $920,000 Not well planned or implemented - $4,100,000Not well planned or implemented - $4,100,000 4.45:1 Loss Ratio4.45:1 Loss Ratio Conclusion- Emergency Response Planning Conclusion- Emergency Response Planning
CriticalCritical
Courtesy of FM Global
www.fmglobal.com
The Value of Continuity The Value of Continuity PlanningPlanning
100 Losses Examined100 Losses Examined 54 Determined to have Continuity Planning in Some 54 Determined to have Continuity Planning in Some
FormForm Average Business Interruption Loss - $7.1 MillionAverage Business Interruption Loss - $7.1 Million With Contingency Planning Considered Adequate - With Contingency Planning Considered Adequate -
$4.0 MM$4.0 MM With Contingency Planning Considered Poor - $7.9 With Contingency Planning Considered Poor - $7.9
MMMM Approximately 50% Reduction in BI with Good Approximately 50% Reduction in BI with Good
ContingencyContingency No Statistics on Remaining 46%No Statistics on Remaining 46% Contingency Planning Further Reduces Deep Losses Contingency Planning Further Reduces Deep Losses
in Time Elementin Time Element Courtesy of FM Global
www.fmglobal.com
Green Oak SolutionsGreen Oak Solutions
Business Continuity Program Development and PlanningBusiness Continuity Program Development and Planning Crisis Management PlanningCrisis Management Planning Executive Level Needs AssessmentsExecutive Level Needs Assessments Business Impact AnalysisBusiness Impact Analysis Physical and Operational Risk AssessmentsPhysical and Operational Risk Assessments Damage Assessment and Facility Restoration PlanningDamage Assessment and Facility Restoration Planning Training and Education in Emergency ManagementTraining and Education in Emergency Management
Green Oak Solutions, L.L.C.
Craig Holmes, PE-Managing Director
cholmesgos@charter.net
1-810-813-8396