6/22/2021

Business Continuity Planning
• Resources
• Relocation of staff
• Information requirement
• Backup strategies
• Site selection
• Business Continuity Plan
• Test and exercise
• Test review, report and follow-up
• Monitoring and review

Business Continuity Planning

BCP


Business Continuity Planning

Disaster: a sudden accident or a natural catastrophe that causes great damage or loss of life.

Business Continuity Planning

Disaster: a serious problem occurring over a short or long period of time that causes widespread human, material, economic or environmental loss which exceeds the ability of the affected community or society to cope using its own resources.


Business Continuity Planning

BCM: … it’s not rocket science.

Business Continuity Planning

BCM: not just a paper plan, it also requires organization, planning, assessment, training, rehearsal and more.


Business Continuity Planning

BCM: a process that establishes a secure and resilient business environment capable of mounting an immediate and effective response to a major incident.

Business Continuity Planning

BCM:
• Holistic management process
• Identifies potential impacts
• Framework for resilience and response capability
• Safeguard interests of key stakeholders


Business Continuity Planning

BCM:
• A process to minimize the impact of a major disruption to normal operations
• A process to enable restoration of critical assets

Business Continuity Planning

BCM: … it is not just recovery of information technology resources.


Business Continuity Planning

BCM:
• It is the phase of crisis management that follows the immediate actions taken to protect life and property and contain the event.
• It begins when the situation has been stabilized.

Business Continuity Planning

Disaster Recovery

Context: the creation & execution of plans to recover the data & systems of an organization to the point immediately prior to the interruption.


Business Continuity Planning

Operational Continuity

Context: the alternative processes implemented during a failure, which allow the “process” to continue, whilst relying on the contingencies or DR Plans to restore full operations.

Business Continuity Planning

Business Continuity

Context: the processes by which business can be maintained to an acceptable level until full processes and systems are restored.


Business Continuity Planning

Goals:
• To identify the organization's key processes
• To identify the critical underlying technology & services
• To identify the critical stakeholder relationships
• To identify the alternative approaches
• To establish a plan[s] that can be readily and effectively activated
• To provide real operational alternatives

Business Continuity Planning

Scope: the BCP should cover all aspects of an organization, including:
• Personnel
• Facilities
• Infrastructure
• Support systems
• Information systems


Business Continuity Planning

Why:
• Pressure From Audit Committees
• Pressure From Financial Institutions
• Pandemic Concern
• New Threats & Risks Since 9/11
• Demands From Customers
• Cost Of Insurance
• Perceived As Competitive Edge

Business Continuity Planning

Why:
• Reliance On Third Parties
• Increased Regulatory And Self-regulated Requirements
• Loss Of Customers
• Loss Of Revenue
• Decrease In Stock Value
• Increase Of Insurance Premiums
• Loss Of Assets And Employees


Where Business Continuity Fits

Business Continuity Objective

[Chart: level of business against time after a disruption, comparing three curves: fully tested effective BCM; no BCM with a ‘lucky’ escape; no BCM, likely outcome. The critical recovery point is marked on the time axis.]


Business Continuity Objective

[Chart: impact against time following a crisis event, with and without crisis management. Without it, lost time/productivity and the negative impact grow into damage to financial results, reputation and key relationships.]

It reduces the negative impact and speeds recovery from all kinds of corporate crises.

Business Continuity Planning

Benefits:
• Maintaining a viable ongoing business
• Continuity of key services
• Reduces and manages uncertainty
• Protection of:
  – Staff & staff confidence
  – Assets
  – Reputation
  – Economic position
• A firm level of security for both suppliers and customers


The Business Continuity Lifecycle

The Business Continuity Stages


The Business Continuity Methodology

BCM programme management – driven top-down by executive management ensuring ownership and establishing policy. Managed at corporate/operational and operational/facility levels.

The lifecycle around BCM programme management:
• Identify overall strategic objectives, values and activities; identify stakeholders, business processes, products and services.
• Analyse financial and non-financial business impacts resulting from disruption of business processes (BIA); identify business-critical processes; identify gaps in recovery capability; develop prioritised recovery timeline.
• Design appropriate levels of recovery strategies that provide practical, cost-effective solutions to close the gaps; design organisational structure to implement the formulated strategic objectives and operating model to respond to major incidents.
• Develop business continuity plans in line with agreed strategies; embed BCM within culture of the organisation.
• Measure results through auditing, exercising, maintenance and training. Support continuous improvement through constructive feedback.

Key Steps to a BCP


BCP Phases

• Project Mgmt/Initiation
• Business Impact Assessment
• Recovery Strategy
• Plan Design & Development
• Implementation
• Maintenance
• Testing

Project Management and Initiation


Business Impact Analysis (BIA)

Business Impact Analysis (BIA)

BIA: the BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
• Allowable Business Interruption – the Maximum Tolerable Downtime
• Financial and Operational Considerations
• Regulatory Requirements
• Organizational Reputation


Business Impact Analysis (BIA)

BIA: the BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

Business Impact Analysis (BIA)

BIA Steps:
Step 1: Select Interviewees
Step 2: Determine information, techniques
Step 3: Customize questionnaire to gather economic and operational impact information (quantitative and qualitative)
Step 4: Analyze information


Business Impact Analysis (BIA)

BIA Steps:
Step 5: Determine time-critical business systems
Step 6: Determine maximum tolerable downtimes
Step 7: Prioritize critical business systems based on maximum tolerable downtimes
Step 8: Document findings and report
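As an added example, not part of the original slides, the following Python script carries steps 5 to 8 through on a small worksheet: it drops systems that are not time-critical, ranks the rest by maximum tolerable downtime (ties broken by a summed impact score across the factors the BIA slides list), groups them into recovery tiers and produces the rows a findings report would carry. The system names, MTD values, impact ratings and the tier boundaries are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not from the slides): a minimal BIA worksheet that ranks
# business systems by Maximum Tolerable Downtime, as BIA steps 5-8 describe.
# System names, MTD values, impact ratings and tier bounds are constructed.

IMPACT_FACTORS = ("reputation", "internal", "external", "financial", "legal_regulatory")
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


@dataclass
class BusinessSystem:
    name: str
    mtd_hours: float            # step 6: maximum tolerable downtime from the interviews
    impacts: dict               # factor -> qualitative rating, keys from IMPACT_FACTORS
    time_critical: bool = True  # step 5: does an outage hurt within the planning horizon?

    def impact_score(self) -> int:
        """Sum of the qualitative ratings across the prescribed factors (unrated = very low)."""
        unknown = set(self.impacts) - set(IMPACT_FACTORS)
        if unknown:
            raise ValueError(f"unknown impact factor(s): {sorted(unknown)}")
        return sum(RATING[self.impacts.get(f, "very low")] for f in IMPACT_FACTORS)


def prioritize(systems):
    """Step 7: shortest MTD first; ties broken by higher impact score, then by name."""
    critical = [s for s in systems if s.time_critical]
    return sorted(critical, key=lambda s: (s.mtd_hours, -s.impact_score(), s.name))


def recovery_tiers(systems, tier_bounds_hours=(4, 24, 72)):
    """Group prioritized systems into recovery tiers by MTD (tier bounds are an assumption)."""
    tiers = {}
    for s in prioritize(systems):
        tier = next((i for i, bound in enumerate(tier_bounds_hours) if s.mtd_hours <= bound),
                    len(tier_bounds_hours))
        tiers.setdefault(tier, []).append(s.name)
    return tiers


SAMPLE = [  # constructed sample systems
    BusinessSystem("payroll", 72, {"financial": "high", "legal_regulatory": "high"}),
    BusinessSystem("order entry", 4, {"financial": "critical", "external": "high"}),
    BusinessSystem("email", 24, {"internal": "high", "external": "medium"}),
    BusinessSystem("intranet wiki", 168, {"internal": "low"}, time_critical=False),
    BusinessSystem("customer portal", 4,
                   {"reputation": "critical", "external": "critical", "financial": "high"}),
]


def report(systems=SAMPLE):
    """Step 8: (name, MTD hours, impact score) rows in recovery priority order."""
    return [(s.name, s.mtd_hours, s.impact_score()) for s in prioritize(systems)]


if __name__ == "__main__":
    for name, mtd, score in report():
        print(f"{name:16s} MTD={mtd:>4}h impact={score}")
    print(recovery_tiers(SAMPLE))
```

The ordering key matters: a system with a 4-hour MTD outranks one with a 72-hour MTD however large the latter's impact score, because the BIA slides prioritize on MTD and use the impact factors only to describe the consequence, not to override the time limit.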

Business Impact Analysis (BIA)

BIA Steps


Business Impact Analysis (BIA)

To complete a Business Impact Analysis:
• Identify the business activities of your organization. These may include
  – Internal activities such as payroll and purchasing.
  – External activities such as providing a service or selling a product to a customer.

Business Impact Analysis (BIA)

• Assess for each activity what the realistic timescale is before there would be an impact if that activity could not be performed.
• Assess for each activity what the realistic impact is against prescribed factors if that activity could not be performed:
  - Reputation
  - Internal
  - External
  - Financial
  - Legal/Regulatory


Recovery Strategy

Recovery strategies are a set of pre-defined and management approved actions that will be followed and implemented in response to a business interruption.

Recovery Strategies Focus

• Meeting the pre-determined recovery time frames.
• Maintaining the operation of the critical business functions.
• Compiling the resource requirements.
• Identifying alternatives that are available for recovery.


RS Key Element

The key element of developing a recovery strategy is to base it on the recovery time for mission critical business systems -- as outlined in the Business Impact Analysis.

RS Development Steps

• Document all costs with each alternative.
• Obtain cost estimates for any outside services.
• Develop written agreements for such services.
• Evaluate resumption strategies based on a full loss of the facility.
• Document recovery strategies and present to management for comments and approval.


Categories of RS

• Business Recovery
• Facility and Supply
• User
• Operational
• Data

Business Recovery

Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system:
• Critical IT system hardware, software, and data
• Critical equipment, supplies, furniture, and office space
• Key personnel for each business unit and support unit, such as Operations, Facilities, Security, etc.


Facility and Supply Recovery

Focus is on restoration and recovery such as:
• Facility - main building, remote facilities
• Inventory - supplies, equipment, paper, forms
• Equipment - network environments
• Telecommunications - voice and data
• Documentation - application, technical materials
• Transportation - equipment, personnel
• Supporting equipment - HVAC, safety, security

User Recovery

Focus is on personnel requirements such as:
• Manual procedures
• Vital record storage (i.e. Medical, Personnel)
• Employee transportation
• Critical documentation and forms
• User workspace and equipment
• Alternate site access procedures


Operational Recovery

Determine the necessary equipment configurations such as:
• Mainframes, LANs, microcomputers, peripherals
• Explore opportunities for integration/consolidation
• Usage parameters
• Data communications configurations include:
  – Switching equipment, Routers, Bridges, Gateways

Operational Recovery

Outline alternative strategies for technical capabilities, such as network components. Options include:
• Hot Site, Warm Site, Cold Site, Mobile Site
• Reciprocal or Mutual Aid Agreements
• Multiple Processing Centers
• Service Bureaus


Operational Recovery

Software and Data Recovery

Focus is on the recovery of information/Data:
• Backing up and Off-site storage
• Electronic vaulting
• On-line tape vaulting
• Remote journaling
• Database Shadowing
• Standby Services
• Software Escrow


Plan Design and Development

Design and Development: in this phase the team prepares and documents a detailed plan for recovery of critical business systems, including:
• Business and Service Recovery Plans
• Plan Maintenance Programs
• Employee Awareness and Training Programs
• Test Method Descriptions
• Restoration Plans

Design and Development Steps

• Determine management concerns and priorities.
• Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
• Establish outage assumptions.
• Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams, relocating to alternate sites.


Design and Development Steps

• Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
• Identify the location for the emergency operations center/command center.
• Identify restoration procedures for salvage, repair, and return to the primary site. Also, the procedures to deactivate the recovery site.

Design and Development Steps

• Plan and implement the gathering of data required for plan completion.
  – Personnel information
  – Vendor services
  – Equipment, software, forms, supplies
  – Vital records
  – Technical information
  – Office space requirements


Design and Development Steps

• Review and outline who (and how) the organization will interface with external groups:
  – Customers
  – Shareholders
  – Civic officials
  – Community, region, and state emergency services
  – Utility providers
  – Industry group coalitions
  – Media

Design and Development Steps

• Review and outline how the organization will cope with the actual disaster.
  – Responsibility to families
  – Coordination with HR and legal departments
  – Fraud opportunities
  – Looting and vandalism
  – Ensuring primary site is protected during disaster
  – Safety and legal problems
  – Expenses exceeding emergency manager authority


Design and Development Steps

• Develop support service plans, including human resources, public relations, transportation, facilities, information processing, telecommunications, etc.
• Develop business function plans and procedures.
• Develop facility recovery (i.e. the building) plans.
• Combine all of the various steps into the organization’s BCP. This plan should then be interfaced with the organization’s other emergency plans.

Testing, Maintenance, Awareness, and Training

In this phase, plans for testing and maintaining the BCP are implemented and also awareness and training procedures are executed.


Plan Testing

Plan testing ensures that the business continuity capability remains effective, regardless of the disaster. It includes:
• Testing objectives
• Measurement criteria
• Test Schedules
• Post-test reviews
• Test results reported to management

Plan Testing

The five main types of BCP testing strategies are:
• Checklist
• Structured Walk-Through
• Simulation
• Parallel
• Full Interruption


Plan Maintenance Goal

Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization's strategic direction. This includes:

Plan Maintenance Goal

• Changing management procedures
• Resolving problems found during testing
• Building maintenance procedures into the process
• Centralizing responsibility for updates
• Reporting results regularly to team members


Restoration Action

Damage Assessment

• Determine the extent of damage to the facility.
• Estimate the time needed to resume normal operations.
• Notify management of the findings.


Damage Assessment

• If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.

Restoration Actions

Restoration operations involve restoring the primary site to normal operation conditions.
• Complete an assessment of all damage.
• Initiate cleanup of the primary site.
• Implement necessary replacement procedures.


Restoration Actions

• Move unused backup from the alternate site to the primary site.
• Do least critical work first.
• Perform installations and updates of programs and data.
• Certify and accredit the system at the primary site.
• Initiate normal processing.

Recovery time

• RTO [Recovery Time Objective]: the point in time when you must have at least the critical aspects of your business operational again.
• RPO [Recovery Point Objective]: the last copy of your data that is out of harm’s way – hopefully it is recently current.
• MAO [Maximum Allowable Outage]: the maximum amount of time the business can survive without the business process.
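The three objectives above, together with the damage-assessment rule from the Restoration slides (declare a disaster when the estimated time to resume exceeds the MTD) and the RPO check against the last copy kept out of harm's way, can be checked mechanically. The Python below is an added example, not code from the slides: it treats MAO as the MTD of the process, and the process name, objective values and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the slides): consistency checks between RTO, RPO and
# MAO, the damage-assessment rule (estimated time to resume exceeds the MTD),
# and an RPO check against the last copy kept out of harm's way. MAO is treated
# as the MTD of the process. Process, objectives and timestamps are constructed.


def validate_objectives(rto: timedelta, rpo: timedelta, mao: timedelta) -> list:
    """Return policy problems; an empty list means the three objectives are coherent."""
    problems = []
    for name, value in (("RTO", rto), ("RPO", rpo), ("MAO", mao)):
        if value < timedelta(0):
            problems.append(f"{name} is negative")
    if rto > mao:
        problems.append("RTO exceeds MAO: recovery would take longer than the business can survive")
    if rpo > mao:
        problems.append("RPO exceeds MAO: the data-loss window is larger than the tolerable outage")
    return problems


def validate_objectives_hours(rto_h: float, rpo_h: float, mao_h: float) -> list:
    """Same check with plain hour values."""
    return validate_objectives(timedelta(hours=rto_h), timedelta(hours=rpo_h), timedelta(hours=mao_h))


def should_declare_disaster(estimated_resume: timedelta, mtd: timedelta) -> bool:
    """Damage assessment: the estimate to resume normal operations exceeds the MTD."""
    return estimated_resume > mtd


def rpo_met(last_good_copy: datetime, incident_time: datetime, rpo: timedelta) -> bool:
    """True if the newest copy out of harm's way is no older than the RPO at incident time."""
    if last_good_copy > incident_time:
        raise ValueError("last good copy cannot post-date the incident")
    return incident_time - last_good_copy <= rpo


# Constructed sample: one critical business process and its agreed objectives.
ORDER_ENTRY = {"rto": timedelta(hours=4), "rpo": timedelta(hours=1), "mao": timedelta(hours=8)}
INCIDENT = datetime(2021, 6, 22, 9, 30, tzinfo=timezone.utc)


def assess(estimated_resume_hours: float, copy_age_minutes: float = 30, process=ORDER_ENTRY) -> dict:
    """One damage-assessment record for management, combining the checks above."""
    estimate = timedelta(hours=estimated_resume_hours)
    last_copy = INCIDENT - timedelta(minutes=copy_age_minutes)
    return {
        "objective_problems": validate_objectives(process["rto"], process["rpo"], process["mao"]),
        "declare_disaster": should_declare_disaster(estimate, process["mao"]),
        "rpo_met": rpo_met(last_copy, INCIDENT, process["rpo"]),
        "data_loss_minutes": (INCIDENT - last_copy).total_seconds() / 60,
    }


if __name__ == "__main__":
    print(assess(12))   # a 12 h estimate against an 8 h MAO: declare a disaster
    print(assess(2))    # a 2 h estimate: repair in place
```

The objective check is worth running before any incident: an RTO longer than the MAO means the plan, even when executed perfectly, restores the process after the business can no longer absorb the outage, and that gap belongs in the BIA findings rather than in a post-incident report.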


Restoration Actions

[Timeline: data center fire scenario]
• Alarm Notification to First Responders
• Data center fire
• Activate the Emergency Operations Center
• IT decision to move to a backup facility
• Assemble IT recovery team at appropriate sites
• Obtain backup tapes from off-premises storage

Restoration Actions

• Acquire and install backup hardware and network connections
• Restore Operating System and Network
• Reload database and other data
• Restore Critical Applications

This is your Recovery Time Objective (RTO)


Restoration Actions
[Chart: cost/impact against time. RPO, RTO and MAO are marked on the time axis between a short RPO and a long RPO. Three regions: unrealistic (cost), realistic (optimal time, cost & impact), unrealistic (impact & time).]

High Level Look at a Recovery Effort

[Chart: recovery timeline running from the notifications, through the move to the alternate site and the restoration of vital records, technology capability, communications and business functions, to resuming business, data synchronization and return home. The lost data window is the Data Recovery Objective; the time until business functions are restored is the Recovery Time Objective.]


Risk Management
• Guidelines
• Context establishment
• Identification
• Analysis
• Evaluation
• Treatment
• Communication
• Monitoring and control

Risk Management

RM: “There are “known knowns”. [These are things we know that we know.] There are “known unknowns”. [There are things that we know we don't know.] But there are also “unknown unknowns”. [There are things we don't know we don't know.]” Donald Rumsfeld (Feb 12, 2002)


Risk Management

RM: “The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”

Risk Management

Risk: uncertain or chance events that planning can not overcome or control.
• Uncertainty - changing circumstances or situation
• Risk - effect of uncertainty on objectives
• Opportunity - the positive impact on objectives
• Issue - an event that has happened or will happen


Risk Management


Risk Management

Risk Management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.

Risk Management is a methodology that helps managers make best use of their available resources.


Risk Management

Risk Management: a proactive attempt to recognize and manage internal events and external threats that affect the likelihood of a project’s success.
• What can go wrong (risk event).
• How to minimize the risk event’s impact (consequences).
• What can be done before an event occurs (anticipation).
• What to do when an event occurs (contingency plans).

Enterprise Risk Management

Enterprise Risk Management (ERM): the process of identifying and addressing methodically the potential events that represent risks to the achievement of strategic objectives, or to opportunities to gain competitive advantage.


Enterprise Risk Management

Enterprise Risk Management (ERM)

The fundamental elements of ERM are the assessment of significant risks and the implementation of suitable risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risk via internal control procedures or other risk prevention activities.

Enterprise Risk Management

ERM Concept

ERM concepts include the risk philosophy or risk strategy, risk culture and risk appetite. These are expressions of the attitude to risk in the organization, and of the amount of risk that the organization is willing to take. These are important elements of governance responsibility.


Enterprise Risk Management

ERM Process

Enterprise Risk Management

ERM Benefits:
• Greater awareness about the risks facing the organization and the ability to respond effectively
• Enhanced confidence about the achievement of strategic objectives
• Improved compliance with legal, regulatory and reporting requirements
• Increased efficiency and effectiveness of operations


Enterprise Risk Management

What is Risk Management

RM:
• Good management practice
• Process steps that enable improvement in decision making
• A logical and systematic approach
• Identifying opportunities
• Avoiding or minimizing losses


Who uses Risk Management?

Risk Management practices are widely used in public and the private sectors, covering a wide range of activities or operations.
• Finance and Investment
• Insurance
• Health Care
• Public Institutions
• Governments

Who uses Risk Management?

Risk Management is now an integral part of business planning.

Educational institutions have formal study courses and award degrees in RM.

The Risk Management process is well established. (International RM process standards.)


Risk Management’s Benefits

• A proactive rather than reactive approach.
• Reduces surprises and negative consequences.
• Prepares the project manager to take advantage of appropriate risks.
• Provides better control over the future.
• Improves chances of reaching project performance objectives within budget and on time.

Risk Management’s Objective

Risk management has objectives before and after a loss occurs.
• Pre-loss objectives:
  – Prepare for potential losses in the economical way
  – Reduce anxiety
  – Meet any legal obligations
• Post-loss objectives:
  – Ensure survival of the firm
  – Continue operations
  – Stabilize earnings
  – Maintain growth
  – Minimize the effects that a loss will have on other persons and on society


Types of Risk Management

• Safety risk management
• Insurance risk management
• Financial (Investment) risk management
• Project risk management
• Business risk management
• Information risk management

Managing Risks

Common failures:
• Misunderstand organisational attitudes and risk appetite
  – Risk attitude: organization's approach to assess and eventually pursue, retain, take or turn away from risk
  – Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain


Managing Risks

Common failures:
• Not focusing on the appropriate risks (business efficiency vs information security)
  – Business efficiency risk: information cannot be located quickly as a result of poor categorization, resulting in more time/resources required to find records.
  – Information security risk: information cannot be located as a result of poor file categorization, resulting in not finding important records.

Managing Risks

• Consequence: if the event occurs what will the consequence be:
  – Critical
  – High
  – Medium
  – Low
  – Very low


Managing Risks

• Likelihood: what is the likelihood that the event will occur and result in the consequence indicated:
  – Almost certain
  – Likely
  – As likely as not
  – Possible
  – Unlikely

Risk Management Framework


Risk Identification

Risk Identification


Risk Management Process

Risk Management Process

Risk Management Process

• Step 1: Risk Identification
  – Generate a list of possible risks through brainstorming, problem identification and risk profiling.
    • Macro risks first, then specific events
• Step 2: Risk assessment
  – Scenario analysis
  – Risk assessment matrix
  – Failure Mode and Effects Analysis (FMEA)
  – Probability analysis
    • Decision trees, NPV, and PERT
  – Semi quantitative scenario analysis

Risk Assessment Form

Failure Mode and Effects Analysis (FMEA)

Impact × Probability × Detection = Risk Value


Risk Severity Matrix

[Chart: Likelihood (vertical axis) by Impact (horizontal axis, 1 to 5) grid. Red zone (major risk) in the upper right, e.g. user interface backlash problems; yellow zone (moderate risk) across the middle, e.g. system freezing; green zone (minor risk) in the lower left, e.g. hardware malfunction.]
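The FMEA formula on the Risk Assessment Form slide and the zone idea of the matrix above, as one added Python example that is not part of the original deck: it scores each register entry, ranks the register by risk value, places each entry in a red, yellow or green zone, and renders the grid. The 1 to 5 scales, the zone thresholds and the scores given to the three risks named on the matrix are assumptions.

```python
from collections import Counter

# Added example (not from the slides): the FMEA risk value from the Risk Assessment
# Form slide (Impact x Probability x Detection) and a zone classification in the
# style of the Risk Severity Matrix. The 1-5 scales, the zone thresholds and the
# scores given to the three sample risks are assumptions.

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for every factor


def _check(name, value):
    if value not in SCALE:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")


def risk_value(impact: int, probability: int, detection: int) -> int:
    """FMEA risk value; detection is scored so that 5 = hardest to detect."""
    for name, value in (("impact", impact), ("probability", probability), ("detection", detection)):
        _check(name, value)
    return impact * probability * detection


def severity_zone(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to red, yellow or green (thresholds are an assumption)."""
    _check("likelihood", likelihood)
    _check("impact", impact)
    score = likelihood * impact
    if score >= 12:
        return "red"      # major risk
    if score >= 6:
        return "yellow"   # moderate risk
    return "green"        # minor risk


def classify_register(register):
    """Rank risks by FMEA value, highest first, and attach each one's matrix zone."""
    rows = [{"risk": r["risk"],
             "value": risk_value(r["impact"], r["probability"], r["detection"]),
             "zone": severity_zone(r["probability"], r["impact"])} for r in register]
    return sorted(rows, key=lambda row: (-row["value"], row["risk"]))


SAMPLE_REGISTER = [  # constructed scores; the risk names are the ones on the matrix slide
    {"risk": "User interface backlash problems", "impact": 4, "probability": 4, "detection": 2},
    {"risk": "System freezing", "impact": 4, "probability": 2, "detection": 3},
    {"risk": "Hardware malfunction", "impact": 4, "probability": 1, "detection": 1},
]


def zone_counts(register=SAMPLE_REGISTER) -> dict:
    """How many register entries fall in each zone."""
    return dict(Counter(row["zone"] for row in classify_register(register)))


def render_matrix(register=SAMPLE_REGISTER, size=5):
    """Text grid: rows are likelihood (top = 5), columns impact 1..5; each cell shows
    the number of risks placed there and the first letter of the zone colour."""
    cells = Counter((r["probability"], r["impact"]) for r in register)
    lines = []
    for likelihood in range(size, 0, -1):
        row = [f"{cells.get((likelihood, impact), 0)}{severity_zone(likelihood, impact)[0]}"
               for impact in range(1, size + 1)]
        lines.append(f"L{likelihood} | " + " ".join(row))
    lines.append("     " + " ".join(f"I{i}" for i in range(1, size + 1)))
    return lines


if __name__ == "__main__":
    for row in classify_register(SAMPLE_REGISTER):
        print(f"{row['value']:3d} {row['zone']:6s} {row['risk']}")
    print("\n".join(render_matrix()))
```

Note that the two views can disagree: the matrix uses only likelihood and impact, while the FMEA value also rewards risks that are hard to detect, so a yellow-zone risk with a high detection score can outrank a red-zone one in the FMEA ranking. Keeping both on the form makes that difference visible instead of hiding it in one number.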

Risk Severity Matrix


Qualitative Risk Analysis

Qualitative risk analysis involves identifying threats (or opportunities), how likely they are to happen, and the potential impacts if they do. The results are typically shown using a Probability/Impact ranking matrix. This type of analysis will also categorize risks, either by source or effect.

Qualitative Risk Analysis

Qualitative risk analysis operates in a more generalized, “big-picture” way.

Benefits:
• Simple assessment methods
• Easy prioritization
• Clear presentation options


Qualitative Risk Analysis

It operates in a more generalized, “big-picture” way and serves 3 functions:
• Prioritize risks according to probability & impact
• Identify the main areas of risk exposure
• Improve understanding of project risks

Qualitative Risk Analysis

Limitations:
• Subjective Evaluation
• Limited Scope
• Lack of Differentiation


Qualitative Risk Analysis

Quantitative Risk Analysis

Quantitative risk analysis is a numeric estimate of the overall effect of risk on the project objectives such as cost and schedule objectives.

The results provide insight into the likelihood of project success and are used to develop contingency reserves.


Quantitative Risk Analysis

• Quantifies the possible outcomes for the project and assesses the probability of achieving specific project objectives
• Provides a quantitative approach to making decisions when there is uncertainty
• Creates realistic and achievable cost, schedule or scope targets
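As an added example that is not from the slides, the Python below turns a small risk register into the numbers the two quantitative slides promise: an expected monetary value for the register, a simulated distribution of cost overruns, the contingency reserve that covers a chosen share of those outcomes, and the probability of staying within a given reserve. The three risks with their probabilities and cost impacts are constructed, and the reserve rule (a percentile of simulated overruns) is one common choice, not something the deck prescribes.

```python
import random
import statistics

# Added example (not from the slides): a small quantitative risk analysis. It turns a
# risk register into an expected monetary value and a Monte Carlo estimate of the
# contingency reserve needed at a chosen confidence level. Risks are constructed.

RISKS = [  # constructed: (name, probability of occurring, cost impact if it occurs)
    ("vendor delivery slips", 0.30, 50_000),
    ("key server hardware failure", 0.10, 200_000),
    ("rework from specification change", 0.50, 10_000),
]


def expected_monetary_value(risks=RISKS) -> float:
    """EMV = sum(probability x impact): the average overrun across many runs of the project."""
    return float(sum(p * cost for _, p, cost in risks))


def simulate_overruns(risks=RISKS, trials=20_000, seed=2021):
    """Sample each risk as an independent event; return the total overrun of every trial."""
    for name, p, _ in risks:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability for {name!r} must be in [0, 1]")
    rng = random.Random(seed)
    return [sum(cost for _, p, cost in risks if rng.random() < p) for _ in range(trials)]


def contingency_reserve(confidence=0.8, risks=RISKS, trials=20_000, seed=2021) -> float:
    """Reserve that covers `confidence` of simulated outcomes (a percentile of the overruns)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    totals = sorted(simulate_overruns(risks, trials, seed))
    index = min(int(confidence * len(totals)), len(totals) - 1)
    return float(totals[index])


def probability_within_budget(reserve, risks=RISKS, trials=20_000, seed=2021) -> float:
    """Share of simulated trials whose overrun the reserve absorbs."""
    totals = simulate_overruns(risks, trials, seed)
    return sum(t <= reserve for t in totals) / len(totals)


def summary(confidence=0.8) -> dict:
    """The figures a quantitative analysis would report to the project sponsor."""
    totals = simulate_overruns()
    reserve = contingency_reserve(confidence)
    return {
        "emv": expected_monetary_value(),
        "simulated_mean": statistics.mean(totals),
        "reserve": reserve,
        "p_within_reserve": probability_within_budget(reserve),
    }


if __name__ == "__main__":
    print(summary())
```

The EMV and the reserve answer different questions. With these three risks the EMV is 40,000, yet a reserve of that size is exceeded whenever the 200,000 hardware failure occurs; the percentile-based reserve makes that tail visible, which is why the slides tie contingency reserves to the likelihood of success rather than to the average alone.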

Qualitative Risk Analysis


Risk Management Process

• Step 3: Risk Response Development
  – Mitigating Risk
    • Reducing the likelihood an adverse event will occur.
    • Reducing impact of adverse event.
  – Avoiding Risk
    • Changing the project plan to eliminate the risk or condition.
  – Transferring Risk
    • Paying a premium to pass the risk to another party.
  – Retaining Risk
    • Making a conscious decision to accept the risk.
  – Sharing Risk
    • Allocating risk to different parties

Contingency Planning

• Contingency Plan
  – An alternative plan that will be used if a possible foreseen risk event actually occurs.
  – A plan of actions that will reduce or mitigate the negative impact (consequences) of a risk event.
• Risks of Not Having a Contingency Plan
  – Having no plan may slow managerial response.
  – Decisions made under pressure can be potentially dangerous and costly.


Risk and Contingency Planning

• Technical Risks
  – Backup strategies if chosen technology fails.
  – Assessing whether technical uncertainties can be resolved.
• Schedule Risks
  – Use of slack increases the risk of a late project finish.
  – Imposed duration dates (absolute project finish date)
  – Compression of project schedules due to a shortened project duration date.

Risk and Contingency Planning

• Costs Risks
  – Time/cost dependency links: costs increase when problems take longer to solve than expected.
  – Deciding to use the schedule to solve cash flow problems should be avoided.
  – Price protection risks (a rise in input costs) increase if the duration of a project is increased.
• Funding Risks
  – Changes in the supply of funds for the project can dramatically affect the likelihood of implementation or successful completion.


Opportunity Management

Tactics:
• Exploit
  – Seeking to eliminate the uncertainty associated with an opportunity to ensure that it definitely happens.
• Share
  – Allocating some or all of the ownership of an opportunity to another party who is best able to capture the opportunity for the benefit of the project.
• Enhance
  – Taking action to increase the probability and/or the positive impact of an opportunity.
• Accept
  – Being willing to take advantage of an opportunity if it occurs, but not taking action to pursue it.

Opportunity Management


Risk Management Process

• Step 4: Risk Response Control
  – Risk control
    • Execution of the risk response strategy
    • Monitoring of triggering events
    • Initiating contingency plans
    • Watching for new risks
  – Establishing a Change Management System
    • Monitoring, tracking, and reporting risk
    • Fostering an open organization environment
    • Repeating risk identification/assessment exercises
    • Assigning and documenting responsibility for managing risk

Risk Management Process


Risk Management Process
