Enterprise Business Continuity Management

Enterprise Business Continuity Management: Utilizing “Collaboration” in the State of Washington Business Continuity Program. Small Agency Presentation, August 21, 2006. Judy Sweet, CBCP, Washington State Enterprise Business Continuity Program Manager.

Transcript of Enterprise Business Continuity Management

Page 1: Enterprise Business Continuity Management

Enterprise Business Continuity Management: Utilizing “Collaboration” in the State of Washington Business Continuity Program

Small Agency Presentation, August 21, 2006

Judy Sweet, CBCP, Washington State Enterprise Business Continuity Program Manager

Page 2: Enterprise Business Continuity Management

Business Continuity Program Purpose

The State of Washington must maintain the confidence of its constituents and ensure continued operation of vital government services when an incident has caused, or has the potential to cause, significant consequences.

The Business Continuity Program will provide the framework to develop an enterprise approach and coordinate agency efforts to minimize business interruptions, and create a state of readiness, so that agencies can respond to and recover from events, resuming vital services as quickly as possible.

Page 3: Enterprise Business Continuity Management

Business Continuity Milestones

- Enterprise Executive Symposium, 6/2005
- Enterprise BC Software Tool Installed, 7/2005
- Business Continuity Initiative Project Kickoff, 8/2005
- Statewide BC Work-sessions Begin, 9/2005
- Regular BC Work-sessions Concluded, 6/2006
- Statewide BC Program & Sustaining BC Model

Parallel tracks: Statewide BIA; Statewide COOP Development; Enterprise Solution Development

Page 4: Enterprise Business Continuity Management

Business Continuity Planning Objectives

- Minimize service interruptions to acceptable levels
  - Understand your agency services
  - Collaborate with other agencies
  - Incorporate best practices
  - Utilize a common planning framework
- Identify high impact areas, based on risk intelligence
- Execute an enterprise strategy to prioritize and mitigate risk
  - Account for dependencies across agencies
  - Capitalize on economies of scale

~80% Business and 20% Technology

Page 5: Enterprise Business Continuity Management

Business Continuity Management (BCM) Answers . . .

What is an incident / disruption / disaster?

What are the impacts over time?

How much loss can be tolerated? Risk threshold, tolerance

What can be mitigated? Work-arounds, enterprise solutions

How to reestablish business services? Activate response plans

What is required? Resources, time, people/skill sets, procedures, dollars

How much is enough? Balance options: “Proactive versus Reactive”

Page 6: Enterprise Business Continuity Management

Bottom Line: BCM Program Umbrella

Sustain & Protect: People, Property, Information, Operations, Gov. Services

BCM provides a balance between acceptable potential losses and acceptable one-time and annual costs.

Page 7: Enterprise Business Continuity Management

Business Continuity

Investments in business continuity should be prioritized based on analysis of risks and impacts over time.

Create Value in Operability. Be Positioned to be successful.

Page 8: Enterprise Business Continuity Management

BIA Snapshot of Business Drivers

Page 9: Enterprise Business Continuity Management

Sample Business Impact Analysis Deliverable

A “typical” graph showing impact vs. recovery time, which visually assists with risk mitigation prioritization.

[Graph: Impact (Very Low, Low, Medium, High, Very High) vs. Recovery Time (5 days, 3 days, 2 days, 24 hrs, 12 hrs or <). Plotted services: WSP Computer Dispatch; State Warrants; Prison Control System; Drinking Water Safety; HAZMAT; State Payroll; Dam Inspection Services; Military’s Dispatched Resources; Firearms Licensing]

Page 10: Enterprise Business Continuity Management

Notional: Business Continuity Event Life Cycle

[Graph: Capability vs. Time, starting at Normal Operations]

Page 11: Enterprise Business Continuity Management

Notional: Business Continuity Event Life Cycle

[Graph: Capability vs. Time (modified U.S. DoD graphic). Normal Operations; Service Disruption Occurs; capability drops and is plotted against the Minimal Acceptable Level of Capability; Recovery Time; Return to Normal Operations.]

Proactive BC Activities (before the disruption): Risk Mitigation; Contingency Planning

Reactive BC Activities (after the disruption): Problem Mgmt & Response; Recovery; Restoration; Return to Normal Operations

Page 12: Enterprise Business Continuity Management

Business Continuity Planning (will incorporate NIMS requirements)

Response & Recovery Plan components:

- Call Lists: Recovery Teams, Customers, Vendors, Management, Media
- Roles & Responsibilities
- Inventories: IT Enterprise Services; Platforms, Apps, S/W, H/W; Vital Records; Critical Resources; Desktop
- Priorities
- Actions (check-lists): Containment, Assessment, Escalation, Notification
- Administration, Maintenance, and Exercising
- Organization
- Alternate Facilities and Resources
- Time Objectives: Business Process (RTO); Production Data (RPO)
- Escalation Procedures: If . . . Then . . .

Page 13: Enterprise Business Continuity Management

Types of Plans?

- Continuity of Operations (COOP) Plan
- Incident Management Plan
- Business Continuity Plan
- Vital Service Response Plans

Let’s put this into perspective!

Page 14: Enterprise Business Continuity Management

Business Continuity Plan Types & Relationships

(Arranged from more general to more specific.)

Continuity of Operations (COOP) Plan
- The Continuity of Operations (COOP) Plan is the roadmap for the highest level of planning within an agency.
- ID of Essential Functions; Delegations of Authority; Orders of Succession; Interoperable Communications
- Alternative Facilities; Vital Records and Databases; Human Capital; Tests, Training, & Exercises
- Address Full Spectrum of Threats & Hazards

Incident Management Plan (sometimes referred to as “Problem or Crisis Management” Plan)
- An Agency-wide Perspective: Repeatable Process & Practices; Incident Alerting, Reporting, Tracking & Status
- Involves Investigation, Diagnoses; Assembly of Incident Command System (ICS); ICS Draws on Response Plan(s) for Resolution

Business Continuity Plan
- An Agency-wide Perspective: Global Risk Mitigations, Contingencies and Responses for Business Operations

Vital Service Response Plans (Specific Action Plans)
- Vital Service Response Plan for ‘A’
- Vital Service Response Plan for ‘B’
- Vital Service Response Plan for . . . ‘n’


Page 19: Enterprise Business Continuity Management

Business Continuity Plans & Relationships [V4.18.06] — High-level Overview

[Flowchart with three swimlanes: Agency Users or Customers; Incident Management Team; Incident Command System (ICS), with Operations and Logistics sections. Recoverable elements:]

Triggers:
- Problem(s) being experienced (reported by Phone Call or E-Mail)
- Major Incident or Disruption Occurs

Incident Management Plan (Always Live & Active):
- Receive information of experienced problem(s). Best if facilitated through your agency’s Help Desk.
- Receive Notification of Incident
- Perform Damage Assessment
- Follow Agency’s Business Continuity Plan; Activate COG Plan
- Agency’s COOP Plan (Reference & Apply Appropriate Measures from COOP)

Decision points (If . . . Then):
- Service Disrupted? Then Notify Appropriate Incident Command System (ICS)
- Major Threat / Health Hazard? OR Physical Security? Then Appropriate Incident Command System (ICS) Activated
- Vital Svc. Disrupted? Then Deploy Vital Service Response Plan
- Criteria to Notify EMD? Then Notify EMD & Go to Shared ICS Command
- Solution(s) Working? If No: Consider Escalating; Assistance & Resources From Other Agencies

Outcome: Recovery & Return to Normal

Likely changes that may affect agencies:
- New or revised roles and responsibilities
- Swift and redundant means of contacting ICS contacts

Note: could be initially received by one’s security or call center, then escalated according to operating procedures.

Page 20: Enterprise Business Continuity Management

Collaborative Roles in Enterprise Business Continuity Planning

[Diagram: three planning levels sharing one eBRP BC Tool & Repository: Enterprise Level Planning <---> Agency Level Planning <---> Vital Service Level Planning]

Enterprise Level Planning: Enterprise BC Program Office – State of WA (1 Enterprise BC Program Office; 1 Enterprise BC Software Administrator)
- Enterprise Risk & Vulnerabilities Status; Governance
- Policies; Practices; Planning Priorities; Decision Packages
- Subject Matter Expertise; Standards & Practices; Tools and Templates; Planning Assistance; Reporting; Meeting Compliances
- Planning for Worst-Case Scenarios @ Enterprise (Shared Command) Level: Risk Mitigations, Contingencies, Responses, Recoveries

Agency Level Planning (150+ Agencies, Boards and Commissions; e.g. Agency ‘A’, Agency ‘B’):
1. BC Developed Capabilities
2. Planning For Worst-Case Scenarios @ Agency Perspective
3. CONOPS / COOP = NIMS Rqmts: Risk Mitigations, Contingencies, Responses, Recoveries
4. BC Instilled across Agency in all Business Practices
5. BC Exercises & Updates (= NIMS Rqmts)
6. On-going Training

Vital Service Level Planning (Estimated 200-500 Vital Services; e.g. Vital Services A through F), each with Component Plans: Risk Mitigations, Contingencies, Responses, Recoveries

Page 21: Enterprise Business Continuity Management

Inherent Benefits of an Enterprise Business Continuity Program

- Maintain Commonality
- Develop a Repeatable Process
- Achieve Agency and State Business Objectives
- Share Best Practices
- Rank Priorities
- Mitigate Risk
- Identify Dependencies
- Develop Incident Response/Recovery Plans
- Form Partnerships
- Identify Enterprise Solutions
- Implement Cost/Benefit Contingencies

Page 22: Enterprise Business Continuity Management

Evolution of Business Continuity Management In Washington State

[Graph: Effort vs. Time, rising through three stages: Academy, Initiative, BCM Program]

- Foster a Repeatable Approach
- ID Agency’s & Enterprise Risk Thresholds
- Collaborate & Prioritize Needs
- Implement Enterprise Solutions
- Incorporate Incident Management

- Begin Agency BC Planning
- Refine Framework Templates / Tools
- ID Agency Risks & Thresholds
- ID Service Needs
- ID & Resolve Issues

Page 23: Enterprise Business Continuity Management

What’s Next?

Within the BC Program:
- Continue development of the BC Framework (templates, tools, best practices)
- Apply the BIA across all agencies to identify where the State could best invest & reduce risk; ties to “Continuity of Operations” COOP (HLS & NIMS Rqmt)

Transition to a new Business Continuity Culture:
- Set up a Business Continuity Management (BCM) Program
- Establish governance along with Roles and Responsibilities
- Address Continuity of Operations (COOP) with agencies
- Join with EMD efforts providing info on NIMS & Emergency Response
- Promote Agency/Enterprise collaboration to best achieve objectives

Page 24: Enterprise Business Continuity Management

Participating Agencies

- Department of Personnel
- Department of Corrections
- Department of Health
- Department of Licensing
- Department of Information Services
- Department of Transportation
- Retirement Systems
- Social and Health Services
- Department of Ecology
- Health Care Quality Authority
- Liquor Control Board
- Labor and Industries
- Military Department
- Office of Financial Management
- State Treasurer
- Public Disclosure Commission
- Washington State Patrol
- Clark County
- King County
- City of Seattle

Page 25: Enterprise Business Continuity Management

Questions?

Page 26: Enterprise Business Continuity Management

Contact Information

Judy Sweet, CBCP
Enterprise Business Continuity Management (BCM) Program Manager
Department of Information Services
e-mail: [email protected] | (360) 902-3560