Basics of Business Continuity Management
Brad Weger, MS, CSP, MRIGlobal Safety Officer
-
72% of businesses impacted by a disaster never reopen or close within three years! (Hiles, 2007)
-
Objectives
- Define BCM
- 3 phases of BCM
- Important aspects of a BCM program
- NFPA 1600
The purpose of the PS-Prep Program is to enhance nationwide resilience in an all-hazards environment by encouraging private sector preparedness.
-
Elements of an Emergency Action Plan
1. Having a written plan
2. Procedures on how employees are to report the emergency
3. Evacuation procedures
4. Employee accountability
5. Procedures for employees performing rescue or medical duties
6. Training and review
OSHA 29 CFR 1910.38
-
Business Continuity Management
Addresses the actions to be taken after the storm has passed:
- Disaster/incident has occurred and passed
- Emergency Action Plan has been successfully carried out
- Concentration on resuming normal business can begin
-
What is BCM?
A series of pre-planned steps that allows an organization to regain operational capabilities as soon as possible after an incident.
The objective of BCM is to ensure the uninterrupted availability of all key business resources required to support critical business activities in the event of business disruption and expedite a return to business as usual (Hiles, 2007, p. 36).
-
Why BCM?
PRODUCTIVITY
- Loss of productivity
- Employee morale
REPUTATION
- Customers
- Suppliers
- Financial markets
- Banks
- Business partners
- Etc.
OTHER EXPENSES
- Temporary employees
- Equipment rental
- Overtime
- Extra shipping costs
- Travel expenses
- Etc.
LEGAL/REGULATORY
- Contractual requirements
- Regulatory requirements
FINANCIAL PERFORMANCE
- Lost market share
- Revenue recognition
- Cash flow
- Lost discounts
- Payment guarantees
- Stock price
- Credit rating
REVENUE
- Direct loss
- Deferred losses
- Compensatory payments
- Lost future revenue
- Billing losses
- Investment losses
-
Protecting the company's 3 core assets
1. People: Employees and their expertise; vendors, investors and customers.
2. Finances: Cash, stock, credit rating, capital equipment and other areas of vital financial strength.
3. Reputation: Positive feelings people have towards your company and organization.
-
Reputation affected by blame
5 questions of blame. Severity can escalate significantly if there is blame towards the company:
1. Should management have foreseen the incident and taken adequate precautions to prevent it?
2. Was management unprepared to respond effectively to the incident after it occurred?
3. Did management do anything intentionally that caused the incident to occur or that made it more severe?
4. Was management unjustified in the actions it took leading up to and following the incident?
5. Is there any type of scandal or cover-up related to management's involvement in the incident?
-
Case Study: BP oil spill
- 20 April 2010: explosion of the Deepwater Horizon
- Killed 11, injured 17
- Explosion caused the oil cap to release
- Estimated that the daily flow rate diminished over time, starting at about 62K barrels per day
- Flowed unabated for three months
- 15 July 2010: the gushing wellhead was capped
- January 2011: the White House oil spill commission released its final report on the causes of the spill. It blamed BP and partners for making a series of cost-cutting decisions and failing to ensure well safety.
-
BP's response
The emergency response plan prepared by BP shows BP never anticipated an oil spill of this magnitude.
The 582-page document, "Regional Oil Spill Response Plan Gulf of Mexico," was approved in July 2010 by the Federal Minerals Management Service (MMS). It offers technical details on how to use chemical dispersants and provides instructions on what to say to the news media, but does not mention how to react if a deep-water well spews oil uncontrollably.
BP spokesman Steve Rinehart said the plan provided the company a blueprint for response during the current disaster, but BP officials had to improvise due to the "unforeseen circumstances" of the event: a renegade well 5,000 feet under water. "Nobody foresaw an incident in which something like this occurred," Rinehart said.
USA Today, 5/17/2010
-
The public's perception can have a tremendous impact on businesses
"Punishing BP: 6 brutal proposals over its disastrous Gulf oil spill. What's the appropriate penalty?" Posted on May 28, 2010, at 12:45 PM. Newsweek, 2010.
-
What is an incident?
Any event that affects an organization's operational capacity.
- Forklift incident: micro
- Severe weather incident: macro
- Micro incidents can cause macro incidents
- Macro incidents can cause several micro incidents
-
Scale of incidents affecting businesses
A common misconception is that only large-scale disasters call for implementation of the BCP.
Example: Electrical utilities are shut down due to a vehicle accident. Power is expected to be down for 2 hours.
- Labs: no power for refrigerated product
- Manufacturing: assembly lines stop
- Offices: lighting/computers shut down
-
Scenario: The automated order/delivery system for goods has been damaged beyond immediate repair.
You have just been asked to ensure that product is still being processed/manufactured/shipped as scheduled.
- Customer orders must be taken in 2 hours
- Deliveries must be made as scheduled
- Top two customers must have deliveries that same day
Are you ready?
-
Business Continuity Management: A standards-based approach. Voluntary Private Sector Accreditation and Certification Program (PS-Prep).
The US Government recognizes the impact a disaster can have not only on an individual company, but also on the country. The Department of Homeland Security, by order of Congress, has been given the responsibility to develop and maintain a Voluntary Private Sector Accreditation and Certification Program. Disasters and attacks (such as the terrorist attacks of September 11, 2001) place an emphasis on BCP sanctioned by the government.
The Department of Homeland Security is implementing this voluntary program based on recommendations of the 9/11 Commission Act of 2007.
Ultimate goal: Establishing a universal set of criteria for private sector organizations to prepare for emergency management, disaster management and business continuity programs.
-
PS-Prep
3 standards adopted by DHS:
- ASIS International SPC.1-2009, Organizational Resilience: Security Preparedness, and Continuity Management System. Available at no cost.
- British Standards Institution 25999, Business Continuity Management: Part 1 (2006) and Part 2 (2007). Both parts available for a reduced fee ($19.99 each).
- National Fire Protection Association 1600: 2007, Standard on Disaster / Emergency Management and Business Continuity Program. Available at no cost.
-
3 Phases in BCM
1. Emergency Response
2. Crisis Management
3. Business Recovery
-
Emergency Response phase
Emergency Response is the component of the BCP that protects and saves lives, property, and ultimately the organization.
1. Pre-planning - Can be viewed as information gathering where all share insights/options on what can be expected and how to overcome anticipated disasters/incidents. Identify all resources and personnel that would be needed during an emergency.
2. Reviewing - Process of verifying that the proposed emergency action plan, laid out in the planning phase, has solidity to it.
-
Emergency Response phase (cont.)
3. Training - Component where applicable personnel are trained in their required duties/tasks.
4. Testing - After initial plan review, it must be periodically tested. Caution: last year's EAP may need to be updated for current business needs.
-
Crisis Management Phase
The intent: eliminate, modify, or reduce exposure to crisis situations as much as possible, as well as developing response management and recovery management plans (Hiles, 49).
Establishment of a Crisis Management Team (CMT).
-
Business Recovery Phase
- Mission-critical elements should be addressed first (outlined in the BIA).
- Activating resources: alternative facilities, mutual-aid agreements, equipment rental/needs, multi-lateral continuity plans, and contractors needed in recovery/refurbish efforts should all be addressed and pre-planned.
- Once recovery operations are activated, all designated personnel and contractors are already lined up to provide a smooth recovery.
-
Business Impact Analysis (NFPA 1600 5.5)
- Evaluates and determines the impact a disaster/incident will have on an organization
- Analysis should include the financial impact and manpower impact of an incident
- BIA is generally based upon frequency and severity of the incident/scenario
-
BIA - Questions to Ask
- What are the worst things that can happen to my organization?
- What can we prevent?
- What are we willing to do to prevent the event/incident?
- Can we afford the risk?
- How will we deal with it?
- What are our most critical operations?
Dave Arick, 2012
-
Impact Analysis: Planning for all scenarios
-
Business Impact Analysis
- Addresses probability and severity for a potential event.
- Likelihood and severity will help determine the time/resources necessary to minimize the event.
- Identify all critical operations; identify the tolerable timeframe for recovery of critical operations.
-
Frequency of an event
- High: Significant likelihood of occurrence
- Medium: Realistic likelihood of occurrence
- Low: Not likely

Disastrous event        Risk (frequency)   Impact
Tornado                 M                  H
Hurricane               N/A                N/A
Earthquake              L                  H
Severe Weather          M                  M
Lightning               M                  L
Flood                   M                  H
Flood (internal)        M                  M
Fire                    L                  M
Tidal wave              N/A                N/A
Workplace violence      L                  H
-
Risk Analysis Grid (severity on the vertical axis, probability on the horizontal axis)

                   Low Probability                 Medium Probability   High Probability
High Severity      Biological attack through       Fire or explosion    Leak from utilities down to
                   the mail                                             server room
Medium Severity    -                               -                    -
Low Severity       -                               -                    -
-
BIA (continued)
Rank business operations by importance:
- Critical: resumed in 24 hours (e.g. fulfilling customer orders)
- Important: resumed in 48 hours (e.g. restoring support operations such as accounting)
- Moderate: restoring facilities/cleaning services
-
Business Impact Cost Considerations (Tammineedi, 2010)
-
Business Continuity Management Key Elements
Information / Data
Documentation
Asset Accountability
Mutual Aid
Information Management
Employee Continuity
Training & Verification
-
Information / Data Continuity
Data back-up
Frequency?
Backed-up to a storage device
Kept off-site?
-
Document Control / Retention
Document storage room
Fire damage
Water damage
Stored off-site
Duplicate copies
Transition to data file management
-
Asset Accountability
Lists company assets
Updated annually
Copy at facility
Copy off-site
List compiled using:
Data/manual inventory
Photos of facility/assets
Video of facility/assets
-
Multi-lateral Continuity
Vendors
- Specialized vendors currently utilized
- Other vendors with similar/like product?
- Have multiple vendors for maximum flexibility
- Ask about your vendors' BCP: how they will assure that your company receives product/services
Pettibone, 2008
-
Multi-lateral Continuity
Agreements with competitors.
Assures services/products for your customers
Inform customers services/products continue from company X.
Effective PR/confidence in your company.
-
Multi-lateral Continuity
Mutual Aid (NFPA 1600 6.2)
- Agreement with a similar company to utilize a portion of their facility
- Quid pro quo: reciprocation at your facility
- Temporary rental agreements: warehouse/office
-
Information Management (NFPA 1600 6.3)
- Hotline for employees
- Automated message
- Regular updates (hourly/daily)
- Means to keep employees informed
- Automated email sent out
-
Information Management
Train/Designate a Primary/Secondary media officer
Information sent to customers/Public
Mishandled information can have negative impact on the organization.
Information/details supplied to the media must be strategic.
-
Case Study: Perrier Water Company, 1989
Perrier was the market leader in bottled mineral water, a name synonymous with purity and quality, found in high-class establishments world-wide. Sales topped at over 1.2 billion bottles per year.
160 million bottles were recalled due to a benzene contamination; public relations were virtually non-existent/mishandled.
The issue was caused by a process failure: incorrect use of a benzene cleaning product, followed by a failure to replace a filter.
1991: sales plunged to 761 million bottles per year. Perrier was effectively dead in the USA/Europe; Perrier lost 90% of its original market share.
Result: Perrier water suffered tremendous financial setbacks from the negative image it acquired when it sent out contaminated water and mishandled its PR.
Hiles, 2007
-
Employee Continuity (NFPA 1600 6.6)
Critical Stress Debriefing
All staff meeting
EAP (Employee Assistance Program)
Counseling on-site
Counseling off-site
-
Testing and Verification
Verifies that the BCP actually works.
- Table Top Drills - Most cost-effective. Simulates a scenario/event.
- Live Drills - Facility evacuation, simulated calling of resources, etc.
- Critique - Assess how the plan performed.
- Review
-
Questions?
Brad Weger, MS, CSP, Safety Officer
425 Volker Boulevard, Kansas City, MO 64110
Office: 816-753-7600 x1623, Cell: 816-225-6483, [email protected]
-
References
Arick, D. (2012). Crisis Management Strategies. Presentation at the RIMS 2012 Conference.
Hiles, A. (2007). The Definitive Handbook of Business Continuity Management. Southern Gate, England: John Wiley & Sons.
Is Your Thinking About Business Continuity Wrong? (2007). Security Directors Report, 7(1), 11-15.
Rhodes. (2008). Data Recovery Planning and Business Continuity. Homeland Defense Journal, 36-40.
Tammineedi. (2010). Business Continuity Management: A Standards-Based Approach. Information Security Journal, 19, 36-50.
Make sure your business continuity plan is a living document. (2004). Risk Management Society, 1-3.
Pettibone. (2008). Out of Sight, Not Out of Mind. Risk Management, 89-90.
Thomas, B., Bruce, Preston, L., Ware. (2005). Insuring Business Continuity. Strategic Finance, 35-38.
ANAB. How to become an ANAB-Accredited Certification Body. Retrieved June 2, 2010, from http://www.anab.org/certification-bodies/become-a-cerfication-body.asps
Department of Homeland Security, Federal Emergency Management Agency. (2008). Document Action: Notice of availability; request for comments. http://www.thefederalregistrer.com/d.p./2009-10-16-E9-24968.
Federal Emergency Management Agency. (2008). Voluntary Private Sector Preparedness Accreditation and Certification Program. www.http://www.fema.gov/news/newsrelease.fema?id=45287
Public Law 110-53. (2007). Implementing Recommendations of the 9/11 Commission Act of 2007. www.ise.gov/docs/nsis/Implementing911acBiot_reader.php?BiotID=530.
Schmidt, L. Donald. Voluntary Certification of Private Sector Preparedness Program and NFPA 1600: What do they mean for your business? PowerPoint presented at the 6th Annual Business Continuity and Safety Planning Conference.
Voluntary Private Sector Accreditation and Certification Preparedness Program, Department of Homeland Security. (2009). Notice of availability: request for comments. (Federal Register, Vol. 74, No. 1999).