Business Continuity A Primer Andrews - September 2015
WHY BUSINESS CONTINUITY?
Every organization remains vulnerable and at risk from business disruptions caused by natural and man-made hazards...
o Floods, tornadoes, blizzards, fires, typhoons, earthquakes
o Accidents
o Sabotage
o Infectious disease outbreaks
o Personnel shortages
o Labour strife
o Transportation, safety and service sector failures
o Environmental disasters
o Cyber terrorism
WHY BUSINESS CONTINUITY?
o Regardless of type, size or composition, every organization – public, private or third sector – needs a business disruption plan
o The Manitoba Emergency Measures Act (including amendments) mandates Business Continuity Planning (BCP) for all government departments, crowns and government funded organizations
WHAT IS BUSINESS CONTINUITY?
o Business Continuity is a proactive and ongoing planning and improvement process undertaken to ensure that mission-critical functions, and services, are delivered at pre-determined levels during any kind of significant business disruption
o BCP is an internationally standardized professional approach to risk mitigation, risk management, emergency preparedness and incident response
o BCP is also known as Operational Risk in the larger Enterprise Risk Management framework
ENTERPRISE RISK & BUSINESS CONTINUITY
o HAZARD: Personnel, Property, Loss Exposure, Hazard Assessments, Legal
o FINANCIAL: Market, Credit, Price, Liquidity
o OPERATIONAL (A.K.A. Business Continuity): ICT Systems, Staffing, Business Processes, Critical Functions, Infrastructure
o STRATEGIC: Economy, Political Environment, Business Strategy, Demographic Shifts
OSHRM – RISK MANAGEMENT & BCP
[Organization chart, MIT; labels listed as they appear]
o Larry Stevenson, Safety & Risk Control
o Jodi MacDonald, Business Continuity
o ICT Systems; Infrastructure; Safe Work; Critical Functions
o Chris Sahaidak, Claims & Risk Control
o Rob Starodub, Supportive Employment
o Personnel; Property; Loss Exposure; Hazard Assessments; Legal
o HAZARD; OPERATIONAL; STRATEGIC; FINANCIAL
o Market; Credit; Price; Liquidity
o Economy; Political Environment; Business Strategy; Demographic Shifts
WHAT IS IN A BCP?
Identification of Critical Functions and Services
o Mission Critical in MIT = Recovery Time in 8 hours or less
Risk Assessment
o Identification of hazards, risk exposures and vulnerabilities
o Results help response team focus on required resources
Business Impact Analysis (BIA)
o Identification of criticality and required resources to maintain a minimum operating level
o Identification of supply chain dependencies and specialized concerns
Strategy and Plan
o How your response team will handle the incident
Training and Exercising
o Ensuring staff know their response role
o Exercising the plan on a continual basis for response improvement
HOW DOES MIT & OSHRM DO BCP?
o OSHRM BCP Specialist meets with managers of established and known critical functions
o An introduction and overview of BCP is offered
o Pre-read and preparatory information is sent to an established Incident Response team
o Meetings are scheduled to complete a facilitated BCP Risk Assessment with the Incident Response team
o Results are reviewed and recommendations offered
o Further meetings occur to complete the Business Impact Analysis (BIA) template
o Results are reviewed and improvements noted, where necessary
o Incident Response team meets to determine, and document, their continuity strategy and plan
o Once completed, BCP Specialist assists with final plan completion
o Plan exercise and review is scheduled with the Incident Response team months later
BCP IS A PROCESS
NOT A PRODUCT
BCP FRAMEWORK & PROCESS
Framework:
o Lead & Establish Accountability
o Communicate & Report
o Align & Integrate
o Allocate Resources
Process:
o Assemble Team
o Identify Critical Functions
o Complete Risk Assessment
o Complete Business Impact Analysis (BIA)
o Complete BCP Strategy
o Complete BCP Plan
o Exercise & Review BCP
GOM BUSINESS CONTINUITY
o Incident Response Teams (Business Units/ Functional Areas)
o BCP Coordinators (Departments)
o Provincial BCP Coordinator (EMO) o BCP Coordinator Steering Committee
o Terms of Reference for GOM service environment
o BCP Courses, Training and Certification
o Deputy Minister Committee on Emergency Management and Public Safety o BCP Subcommittee
o BCP 24 Month Planning Cycle
IDENTIFYING FUNCTIONS
o Engage your BCP Coordinator to discuss...
o Nature of the work
o Meeting strategy and expected outcomes
o Resources and steps in completing the BCP
o Assemble your Response Team
o Discuss the functions of your branch/ service
o Distinguish between activities and functions
o Discuss risk, exposure and vulnerability
o Determine the criticality of functions
o Consider the impact of non-operative functions
RISK ASSESSMENT
o Identify the hazards, risks and vulnerabilities to your business functions
o Risk Exposure: Discuss and assess both the;
o Probability (Likelihood) x Impact (Consequence)
o Prioritize risks and implement risk measures
o Risk mitigation, avoidance, treatment, transfer, etc.
o Document (map) the risk exposures
o Use the Risk Assessment for the BIA discussion
GROUP EXERCISE
Quiz – Business Continuity Planning in Government
o Two competing teams will now complete the Business Continuity in Government Quiz, comprised of True and False questions
o Scores will be shared at the end of the presentation
o Could be some good prizes
20 minutes
BUSINESS IMPACT ANALYSIS (BIA)
For Critical Function(s)...
o Identify a Normal Operating Standard
o Identify a Minimum Operating Standard
o Prioritize functions by Recovery Time Objective (RTO)*
o Determine impacts if critical function(s) not available
o Determine resource requirements necessary for the continuity of function(s) during a disruption
o Identify critical supply chain dependencies and ‘single points of failure’
* RTO also known as Maximum Allowable Down Time
BCP STRATEGY
o Plan with your response team how you will manage a disruption to your critical function(s)
o Discuss and document risk mitigation, preparedness, response and recovery strategies
o Ensure that your response strategies are time-based
o Use your completed Risk Assessments and BIAs for a more informed discussion
o Develop viable strategic options for your response team
o Recognize the possible realities of available resources, dependencies and critical supply chain concerns
o Identify any single points of failure
BUSINESS CONTINUITY PLAN
o Assemble your Risk Assessment, your BIAs and your Strategy approach into one concise BCP
o Attach all relevant documents (contact lists, reference documents, etc.)
o Distribute physical and e-copies of your BCP to all response team members and relevant stakeholders
o As required by legislation, submit a copy of your BCP to your BCP Coordinator
o Set a review and plan exercise date with the BCP Coordinator
o Absolutely never create an unwieldy binder of nonsense
...Plans are nothing – planning is everything...
BCP EXERCISE & REVIEW
Exercise your BCP to...
o Prepare for the inevitability of a real disruption
o ‘Skill up’ your staff who have a response role
o Know exactly what to do, when and with whom
o Determine and address planning gaps
o Update plan and contact information
o Re-examine business processes, where appropriate
o Meet legislative and departmental obligation
BCP INCIDENT MANAGEMENT
[Flowchart; boxes listed in the order they appear]
o Conduct Impact Assessment; Determine Immediate Actions; Alert Incident Response Team
o Decision: Are Critical Functions Operational? (YES / NO)
o Maintain Operations; Initiate Incident Recovery
o Debrief; Complete Gap Analysis
o Convene Incident Response Team
o Activate BCP; Alert MIT BCP Lead
o Begin Incident Command (IC); Re-assess Situation
o Decision: Minimum Operating Standard Achieved? (YES / NO)
o IC Alerts All Executive Staff and Stakeholders; Departmental Resources Assembled
o EMO Notified
o Incident Command Expands; Departmental Response Coordinated; Actions Undertaken to Achieve MOS
o Stage labels: POTENTIAL CRISIS; INCIDENT
o Scope labels: SCOPE - FUNCTIONAL AREA; SCOPE - DEPARTMENTAL/ GOM
MIT CRITICAL FUNCTIONS/ SERVICES
DIVISIONAL AREA: CRITICAL FUNCTION/ SERVICE
o ACCOMMODATION SERVICES (IN TRANSITION): Facility Operations; Space Planning
o ADMINISTRATIVE SERVICES: Financial Services; Information Technology
o BOARDS AND COMMITTEES: Highway Traffic & Motor Transport; Medical Review; Licence Suspension Appeal
o EMERGENCY MEASURES & PROTECTIVE SERVICES (EMPS): EMO - Coordination of Emergency Response; Protective Services
o ENGINEERING AND OPERATIONS: Road Operations; NAMO
o MOTOR CARRIER & TRANSPORTATION POLICY: Motor Carrier Enforcement
o SUPPLY AND SERVICES (IN TRANSITION): VEMA; Government Air Services; MDA
o WATER CONTROL AND STRUCTURES: Hydrologic Forecasting; Flood Operations
BCP RESOURCES
o OSHRM SharePoint http://cserv.internal/sites/mit-org/oshrm/bc/SitePages/Home.aspx
o Emergency Measures Organization (EMO) http://www.gov.mb.ca/emo/
o Disaster Recovery Institute (DRI) http://www.dri.ca/index.php
o Winnipeg Emergency Preparedness Program http://winnipeg.ca/epp/
o Public Safety Canada http://www.publicsafety.gc.ca/index-eng.aspx
o Government of Canada – Emergency Preparedness Guide http://www.getprepared.gc.ca/cnt/rsrcs/pblctns/yprprdnssgd/index-eng.aspx
REMEMBER
A properly developed, maintained and exercised
Business Continuity Plan will help you...
o Reduce the risk and impact of business disruptions
o Respond more effectively to the disruption event
o Return to normal more quickly after a disruption
o Improve responder skills sets and competencies
o Be more responsive to emerging risks and vulnerabilities
GROUP EXERCISE Continuity Event
o Discuss the scenario before you at your tables
o Determine the possible risk mitigation, preparedness, response and recovery options for this scenario
o Document your results
o Appoint a spokesperson to share your results with all
30 minutes
GROUP EXERCISE Business Continuity
o Discuss the scenario before you at your tables
o Each team has been assigned to assist Air Services to develop their continuity plan
o Discuss;
o Possible Risk Mitigation and Assessment actions
o What are the critical services?
o People, process and things Air Services requires for their BCP
o Share results with the room
30 minutes