Business case for enterprise continuity planning

BUSINESS CASE FOR ENTERPRISE CONTINUITY PLANNING © 2014 Developed and Presented by: William Godwin 3/4/2014


Executive brief outline for business continuity planning. The presentation also outlines the high-level steps needed to establish business continuity planning within your organization.

Transcript of Business case for enterprise continuity planning

Page 1: Business case for enterprise continuity planning

BUSINESS CASE FOR ENTERPRISE CONTINUITY PLANNING

© 2014

Developed and Presented by: William Godwin 3/4/2014

Page 2: Value

Safeguard business viability

Enhance corporate responsibility

Establishes Strategic, Financial and Organizational Drivers for Business Continuity

Strategic Drivers: Accounts for business portfolio, geographic footprint, and changes in operations, consumer base or market

Financial Drivers: Accounts for missed financial targets, budgeting, penalties/fees, loss in production, potential downgrade of credit rating

Organizational Drivers: Accounts for a new or changed executive structure or vision, and garners its support.

Establishes a business continuity program on the principle of continuous improvement

Page 3: Scope

Position/Posture Organization

Risk Appetite

Determine the organization's tolerance for risk exposure

Business Impact Analysis

Determine criticality of departments/divisions and supporting resources

Threat Analysis

Analyze Operational and IT Threats

Business Continuity Requirements

Identify key requirements

Develop Strategy, Plan, and Exercise

Develop/Foster Continuous Improvement Opportunities

Page 4: Organization Position/Posture

Develop the implementation strategy from the output of the Risk Appetite exercise (Ref. slide #5)

Garner support from organization leadership

Large/Enterprise organizations may have multiple COOs, CIOs, CFOs, and CEOs or Presidents

Obtain operations leadership buy-in

Once executive leadership buy-in is obtained, Operations Managers will need to be made aware of their roles and expectations

Develop Enterprise standards to communicate and establish organization requirements for continuity planning

Page 5: Determine & Establish Risk Appetite

Businesses may implement an appropriate level of contingency operations based on their risk appetite.

Various approaches for determining risk appetite have been established. Best-practice approaches focus on Quantitative and/or Qualitative methods.

Quantitative methods evaluate the negative effects a threat may have on areas where "value" can be measured directly, typically in money. For example, failure to achieve financial targets, inability to pay debts, and penalties.

Qualitative methods evaluate the negative effects a threat may have on areas whose value is intangible and cannot be measured directly, so it is rated on a scale instead. For example, damage to brand, reputation, customer satisfaction and regulatory compliance.

Page 6: Business Impact Analysis

Categorize and analyze criticality of business departments/divisions

Create a priority list of the most sensitive business functions

Create a priority list of supporting resources

Human Resources

Information Technology Resources

Establish contingency requirements

Identify and implement mitigating or compensating controls to reduce risk

Page 7: Threat Analysis

Identify and analyze Operational and IT Threats

Threats may be of human (accidental or deliberate) or non-human (natural or technical) nature

Evaluate the likelihood or probability that a threat source could exploit a weakness

Evaluate the impact the organization would experience if the threat source exploits that weakness

Identify mitigating controls for each weakness to reduce residual risk
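The Business Impact Analysis on Page 6 and the Threat Analysis on Page 7 are, in practice, two ranking exercises: supporting resources inherit the criticality and recovery-time requirement of the business functions that depend on them, and each threat is scored by likelihood times impact, then reduced by the mitigating control to obtain residual risk, which is compared against the risk appetite from Page 5. The following Python script is an added worked example, not part of the original deck; the business functions, resources, threats, likelihoods, impacts, control effectiveness and the appetite threshold are all constructed sample values, and the scoring scale (likelihood 0 to 1, impact 1 to 5, criticality 1 to 4) is one assumed scheme among many.

```python
"""Constructed BIA and threat-analysis worked example (not from the original deck).

Two small computations:
  1. resource_priority(): each supporting resource (IT or human) takes the
     highest criticality and the tightest RTO of the functions that depend on it.
  2. risk_register(): inherent risk = likelihood * impact; residual risk is what
     remains after the mitigating control; rows are ranked by residual risk and
     flagged when they exceed the risk appetite.
"""
from dataclasses import dataclass

# Assumed ordinal scale for BIA criticality ratings (not from the deck).
CRITICALITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class BusinessFunction:
    name: str
    criticality: str          # one of CRITICALITY's keys
    rto_hours: int            # maximum tolerable outage for this function
    resources: list           # supporting IT / HR resources it depends on


@dataclass
class Threat:
    name: str
    weakness: str             # the weakness the threat source would exploit
    likelihood: float         # assumed annual probability, 0.0 .. 1.0
    impact: int               # assumed impact rating, 1 .. 5
    control_effect: float = 0.0  # fraction of risk removed by the mitigating control


def ranked_functions(functions):
    """Priority list of business functions: most critical first, tightest RTO first."""
    return sorted(functions, key=lambda f: (-CRITICALITY[f.criticality], f.rto_hours))


def resource_priority(functions):
    """Priority list of supporting resources derived from the functions that need them.

    Returns [(resource, (criticality_score, rto_hours, driving_function)), ...]
    ordered most critical first, then by tightest RTO.
    """
    prio = {}
    for f in functions:
        score = CRITICALITY[f.criticality]
        for r in f.resources:
            cur = prio.get(r)
            # A resource inherits the strictest requirement of any dependent function.
            if cur is None or score > cur[0] or (score == cur[0] and f.rto_hours < cur[1]):
                prio[r] = (score, f.rto_hours, f.name)
    return sorted(prio.items(), key=lambda kv: (-kv[1][0], kv[1][1]))


def risk_register(threats, appetite):
    """Score threats, apply controls, rank by residual risk and flag appetite breaches."""
    rows = []
    for t in threats:
        inherent = t.likelihood * t.impact
        residual = inherent * (1.0 - t.control_effect)
        rows.append({
            "threat": t.name,
            "weakness": t.weakness,
            "inherent": round(inherent, 2),
            "residual": round(residual, 2),
            "within_appetite": residual <= appetite,
        })
    return sorted(rows, key=lambda r: -r["residual"])


# Constructed sample data; names, RTOs and scores are illustrative only.
FUNCTIONS = [
    BusinessFunction("Payment processing", "critical", 4, ["core-db", "payment-gateway", "ops-staff"]),
    BusinessFunction("Customer support", "high", 24, ["crm", "ops-staff"]),
    BusinessFunction("Marketing analytics", "low", 72, ["analytics-cluster"]),
    BusinessFunction("Payroll", "high", 48, ["core-db", "hr-staff"]),
]

THREATS = [
    Threat("Ransomware", "unpatched file servers", 0.3, 5, control_effect=0.6),
    Threat("Regional power outage", "single data centre", 0.2, 4),
    Threat("Key staff unavailable", "no cross-training", 0.5, 2, control_effect=0.5),
    Threat("Flood", "ground-floor server room", 0.05, 5),
]

RISK_APPETITE = 0.75  # assumed threshold on the residual-risk scale


if __name__ == "__main__":
    for f in ranked_functions(FUNCTIONS):
        print(f"{f.criticality:9} RTO {f.rto_hours:3}h  {f.name}")
    for res, (score, rto, driver) in resource_priority(FUNCTIONS):
        print(f"resource {res:17} score {score} RTO {rto:3}h  (driven by {driver})")
    for row in risk_register(THREATS, RISK_APPETITE):
        flag = "" if row["within_appetite"] else "  <-- exceeds appetite"
        print(f"{row['threat']:23} inherent {row['inherent']:.2f} residual {row['residual']:.2f}{flag}")
```

Note what the ranking reveals: the power outage has a lower inherent score than ransomware, but because no control exists for the single data centre its residual risk is the highest and the only one above the appetite threshold, so that is where the contingency budget goes first; likewise "core-db" and "ops-staff" inherit the 4-hour RTO of payment processing even though payroll and customer support alone would tolerate a much longer outage.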

Page 8: Business Continuity Requirements

Identify regulatory compliance requirements

Must be implemented regardless of the business risk appetite

Examples: PCI DSS (a contractual industry standard rather than a law, but enforced like one), Critical Infrastructure, HIPAA, SOX, GLBA, and other sensitive regulated information

Identify Business Continuity Requirements for critical areas of operation

Develop a priority list for the remaining non-critical areas of operation

Page 9: Develop Strategy, Plan, and Exercise

Develop Continuity Strategy

Leverage the output of the Risk Appetite analysis

Ensure coverage of the most critical departments/divisions

Develop Continuity Standards/Requirements

Critical Departments/Divisions

Develop Business Continuity Plan

Develop IT Contingency Plan

Develop Disaster Recovery Plan

Develop Incident Response and Management Plan

Page 10: Develop/Foster Continuous Improvement Opportunities

Identify success/fail requirements

Identify metrics applicable to the organization to measure. Examples such as…

Support contract time requirements met

Response time of key contingency/disaster personnel

Recovery time of system after outage

Equipment failure rates

And many more…

Page 11: Implementation Schedule

Schedule to implement depends on the organization's…

risk appetite,

current continuity structure,

number of IT support systems,

resources to execute the strategy,

ability to implement, and

number of critical functions

On average, organizations implementing Contingency Planning activities in critical divisions/departments should expect approximately one year of effort.

Mitigate scheduling conflicts by…

Isolating the effort to critical divisions/departments

Ensuring resources are available and scheduled

Page 12: Conclusion

Aids organization leaders in identifying and assigning priority to business units based on criticality

Enables effective financial planning for support of critical business units

Ensures compliance with regulatory requirements

Optimizes support contracts for systems supporting critical business units

Establishes well-defined continuity roles and responsibilities