2016.04.06.Business Continuity Planning


Transcript of 2016.04.06.Business Continuity Planning

Page 1: 2016.04.06.Business Continuity Planning

Business Continuity Planning – Preparing Your Organization

Nicholas De Laurentis, CRM, IGP

[email protected]

Page 2: 2016.04.06.Business Continuity Planning

Objectives

• Understand the importance of Business Continuity Planning

• Know basic terms used and roles involved in Business Continuity Planning

• Understand the steps and relationship of initial Business Continuity Planning and continuous review and maintenance

Page 3: 2016.04.06.Business Continuity Planning


Page 4: 2016.04.06.Business Continuity Planning

Information Governance Programs

• Accountability

• Transparency

• Integrity

• Protection

• Compliance

• Availability

• Retention

• Disposition

(The slide diagram groups these principles under the two headings Operational and Regulatory.)

Page 5: 2016.04.06.Business Continuity Planning

Protection

• An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Availability

• An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Page 6: 2016.04.06.Business Continuity Planning

DR is to BC as RIM is to IG

Business Continuity

• Business Continuity is the entire process of planning how to recover from a disaster or significant interruption to normal business operations.

• We regard this process as developing plans and procedures in advance of an event that would allow our critical business functions to continue to operate at acceptable levels.

Disaster Recovery

• The process, policies and procedures that are related to preparing for recovery or continuation of technology infrastructure which are vital to an organization after a natural or human-induced disaster.

• Focus is on recovering IT capabilities, processes, and services.

Page 7: 2016.04.06.Business Continuity Planning

Importance of Business Continuity Planning

70% of businesses involved in a major fire fail within 3 years (Chubb)

One out of two businesses never return to the marketplace following a major disaster (AXA)

Within 2 years after Hurricane Andrew in Florida (1992), 80% of affected companies that lacked a BCP went out of business (FEMA)

Page 8: 2016.04.06.Business Continuity Planning

Internal and External Threats

Natural Disasters

• Earthquake

• Hurricane

• Flood

Accidents

• Fire

• Utility Outage

Malicious

• Sabotage

• Terrorism

• Cyber Attack

Market

• Suppliers

• Competitors

• Consumer Trends

Political

• Legislation

Page 9: 2016.04.06.Business Continuity Planning

Why is BCP Important?

Board of Director Expectations

• We have expectations placed on us by the Board of Directors.

Customer Expectations

• In order for us to meet our mission statement of helping our customers manage the risks of everyday life, recover from the unexpected and realize their dreams, we need to have Business Continuity Plans (BCP) in place so that we can be available in their time of need.

Regulatory Requirements

• As an Insurance Company and Financial Institution, we have regulatory requirements with the Office of the Comptroller of the Currency (OCC), the Department of Insurance (DOI), as well as other regulatory bodies.

Page 10: 2016.04.06.Business Continuity Planning

FFIEC BCP Objectives

• The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components;

• Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery;

• Business continuity planning includes the integration of the institution's role in financial markets;

• Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and

• Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing.

Page 11: 2016.04.06.Business Continuity Planning

FFIEC BCP Process

(The slide shows the four phases as a cycle; the bullets under each phase are reproduced below.)

Business Impact Assessment

• Prioritization and Dependencies of Business Processes

• Potential Impact of Disruptions

• Legal/Regulatory Requirements

• Estimated Downtime & Acceptable Loss

• RTOs, RPOs, Critical Path

Risk Assessment

• BIA

• Threat Scenarios

• Analyze Threat Impact

• Prioritizing Disruptions

• GAP Analysis vs. Policies & Procedures

Risk Management

• BIA and RA

• Specific Steps

• Flexible to Respond

• Various Threats

• Minimize Disruptions

Risk Monitoring and Testing

• BIA, RA, RM Testing

• Enterprise-wide Testing Program

• Assign Roles & Responsibilities

• Annual Test/Exercise

• Evaluate by Leadership & Independent Party

Page 12: 2016.04.06.Business Continuity Planning

BCP Components

• Personnel;

• Communication;

• Technology issues;

– Hardware - mainframe, mid-range, servers, network, end-user;

– Software - applications, operating systems, utilities;

– Communications (network and telecommunications);

– Data files and vital records;

– Operations processing equipment; and

– Office equipment.

Page 13: 2016.04.06.Business Continuity Planning

BCP Components (cont.)

• Facilities;

• Electronic payment systems;

• Liquidity concerns;

• Financial disbursement;

• Manual operations; and

• Other considerations.


Page 14: 2016.04.06.Business Continuity Planning

Key Roles in BCP

Enterprise Business Continuity

• Communicates strategic decisions to Department BRCs

• Provides process and tool training for BUTLs and BRCs

• Provides exercise assistance

Business Recovery Coordinator (BRC)

• BRCs are located in the Field and in each Corporate Dept to coordinate/communicate activities associated with BCP

• Corporate BRCs are responsible for a specific Dept, while BRCs in the Field are responsible for a particular location

Business Unit Team Leader (BUTL)

• BUTLs are responsible for maintenance/update of the Business Unit BCP, periodic plan exercises, and execution of the plan at time of disaster

• BUTLs are also known as plan owners

Page 15: 2016.04.06.Business Continuity Planning

Annual BCP Cycle

0. Plan Development

1. Review

2. Exercise

3. Update

4. Verification

Page 16: 2016.04.06.Business Continuity Planning

0. Plan Development

The goal of business continuity planning is to reduce the impact of any disruptive event to a manageable level. Plans are developed to:

• Organize recovery of business units and/or processes.

• Establish team leadership responsibilities and design team structures.

• Document key information for the plan, including call trees, recovery procedures, work area requirements and prioritization, vital records, key contacts, etc.

Each BRC is responsible for ensuring that all BCPs are in place and current.

Continued plan development is critical for plans to be effective. The required annual review of the BCP must be completed within a window and consists of:

1. Plan Review

2. Plan Exercise

3. Plan Update

4. Plan Verification

Page 17: 2016.04.06.Business Continuity Planning

1. Plan Review

1. Review the roles and responsibilities of a BRC or BUTL and the Business Continuity Annual Plan Review process.

2. Read through a printed copy of your plan, or navigate through each section in the BCP tool used. Make note of any information currently contained in the plan that needs to be verified, updated, or removed, as well as any information that must be added.

3. If your plan encompasses multiple functional areas, consider contacting subject matter experts in each of those areas to ensure the plan adequately addresses their recovery needs. If necessary, gather additional material for those areas and incorporate the information into your plan.

Page 18: 2016.04.06.Business Continuity Planning

2. Plan Exercise

Some of the objectives of the Plan Exercise are:

• Evaluate the recovery procedures to ensure accuracy.

• Verify the ability of recovery teams to activate their plans and recover their critical functions.

• Identify cross-functional interdependencies with other business units.

• Identify plan deficiencies and document information changes that require plan modification.

• Evaluate whether recovery plans have been properly maintained and updated to reflect actual recovery needs.

Annual exercises are performed to include all associates who have recovery responsibilities under the BCP. Each BRC should establish an exercise cycle that increases in scope and complexity over time.

Exercise cycle, in order of increasing scope and complexity: Table Top → Walk Through → Mock Exercise → IT DR Exercise → Actual Event

Page 19: 2016.04.06.Business Continuity Planning

3. Plan Updates

• Based on changes identified during the annual plan review and/or exercise process, the BUTL updates the BCP and any related documentation in the plan.

• Updates to vital records, contact information, documented procedures, equipment needs, skillset requirements, vendor information, hardware and software requirements,

Page 20: 2016.04.06.Business Continuity Planning

4. Plan Verification

• Plan Verification is the final phase of the business continuity planning process. It ensures that business continuity plans are accurate and compliant with company standards.

• Each business unit is required to submit review verification documentation within 3 months from the date each business unit plan expires. Each plan must be reviewed for accurate content, some level of exercise must be performed, and updates must be made to the plan based upon the plan review and exercise discoveries.

Page 21: 2016.04.06.Business Continuity Planning

Additional Resources

• Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook - http://ithandbook.ffiec.gov/

• Federal Emergency Management Agency (FEMA) - http://www.fema.gov/media-library/assets/documents/89510

Page 22: 2016.04.06.Business Continuity Planning

FEMA BCP Process


Page 23: 2016.04.06.Business Continuity Planning

BCP Overview


Page 24: 2016.04.06.Business Continuity Planning

Questions?
