
Business Continuity Management 10 Professional Practices

26 November 2013

Business Continuity Management Course / Certification


Certification path (DRI):

BC-DR Professional -> BCM Courses / IT DRP Course -> Pass qualifying exam with at least 75%

1. < 2 years significant experience -> ABCP (Associate Business Continuity Professional)
2. Accumulate BC experience
3. > 2 years BC experience + expertise in at least 3 subject areas -> CFCP
4. Exam score > 80%
5. > 2 years BC experience + expertise in at least 5 subject areas -> CBCP
6. Exam score > 85%
7. > 5 years BC experience + expertise in at least 7 subject areas -> MBCP


Disaster Recovery Institute


DRI International's Education Program:

1. BCLE 100: Project Management Principles
2. BCLE 200: Introduction to Principles of Risk Management
3. BCLE 300: Introduction to Business Impact Analysis
4. BCLE 400: Developing Business Continuity Strategies
...
9. BCLE 900: Crisis Communications and Coordination with External Agencies
10. BCLE 1000: Introduction to Business Continuity Management
11. BCLE 2000: BCM for Advanced Professionals

Business Continuity Management


BASIC ELEMENTS:
1. What you do to reduce risk before an event
2. How you respond during an event
3. What you do to recover after an event

Business Continuity Management


Different Phases (also called the 6 Rs):

1. REDUCE: steps taken before an incident to identify and mitigate risk
2. RESPOND: planned reaction to manage during an event
3. RECOVER: recover the CRITICAL data
4. RESUME: start CRITICAL activity and start recovering non-critical data
5. RESTORE: resumption of non-critical activity
6. RETURN: final move back to the original location

Professional Practices for Business Continuity Professionals

1. PROJECT INITIATION AND MANAGEMENT
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS
4. DEVELOPING BUSINESS CONTINUITY STRATEGIES
5. EMERGENCY RESPONSE AND OPERATIONS
6. DEVELOPING AND IMPLEMENTING BC PLANS
7. AWARENESS AND TRAINING PROGRAMS
8. MAINTAINING AND EXERCISING BC PLANS
9. CRISIS COMMUNICATION
10. COORDINATION WITH EXTERNAL AGENCIES

Business Continuity Problem Statement


An internal or external event interrupts one or more of your business processes. The length of the interruption is what turns the situation into a disaster; the amount of data lost and the criticality of the affected processes determine the level of the disaster.

A DISASTER is an unplanned calamitous event causing great damage or loss.

BC Program Purpose
Protect your: People, Information, Operations, Organization.

For any BC program, protecting people is the primary and most important aspect.

BC Program Objectives
1. Ensure continuity and survival of the organization
2. Planned reaction to and management of an interruption
3. Planned resumption and recovery of operations and systems after an interruption
4. Restoration or replacement of assets at a permanent site after an interruption

Why is BC Program Important ?


1. Safeguards human life
2. Minimizes confusion and enables effective decisions in time of crisis
3. Reduces dependency on specific personnel
4. Minimizes loss of data, revenue and customers
5. Facilitates timely recovery of business functions
6. Maintains public image and reputation
7. Minimizes time spent in decision making during a crisis

Trends and directions..


The wonder of the Web is that the customer knows about problems at the same time you do. There is no camouflage.

THEN: PROTECT THE DATA CENTRE
NOW: PROTECT CRITICAL BUSINESS PROCESSES

1. Project Initiation and Management


PURPOSE:
To provide an understanding of how to establish the need and obtain management support for a Business Continuity Management (BCM) program in your organization, and to organize and manage the program so that the process runs from initiation to completion within agreed time and budget limits.

Objective:
1. Establish the Need for Business Continuity
   Reference relevant legal/regulatory/statutory/contractual requirements and restrictions, such as:
   a. Banking regulations (BC-177)
   b. NFPA 1600 (National Fire Protection Association)
   c. Gramm-Leach-Bliley Act
   d. Prudent Man Act
   e. HIPAA
   f. Basel II
   g. Sarbanes-Oxley

1. Project Initiation and Management


Objective (cont):
2. Identify business practices (e.g., just-in-time inventory) that may adversely impact the organization's ability to recover following a disaster event
3. Document what the industry standard is and what the competition is doing
4. Communicate the need for a business continuity plan:
   a. By BIA
   b. By suggesting strategies for safeguarding critical functions
   c. By developing awareness by means of formal reports
   d. By relating BCP benefits to organizational mission, objectives and operations
5. Involve Executive Management in the BCP project; defining the approval chain is critical for success
6. Establish a Planning/Steering Committee: roles and responsibilities

1. Project Initiation and Management


Objective (cont):
7. Develop budget requirements: clearly define resource requirements and financial requirements
8. Identify planning team(s) and responsibilities:
   a. Emergency Management / Crisis Response / Crisis Management Team
   b. BCP Teams (multi-location, multi-division, etc.)
   c. Recovery/response and restoration team
9. Develop documentation requirements and responsibilities
10. Continuously report to senior management through regular status reports and obtain senior management approvals

Keys to project management success:
a) Choice of the right people
b) Involvement of first-level management in the project
c) Senior management commitment

2. RISK EVALUATION AND CONTROL


PURPOSE: Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in controls to mitigate risks.

Objective:
1. Identify the risks and threats that the organization is exposed to
2. Probability of their occurrence
3. Identify critical functions
4. Impact of the threats
5. Controls required to mitigate the threats
6. Cost-benefit analysis of controls vs. risk

2. RISK EVALUATION AND CONTROL


Understand the loss potential:
1. THREATS: cause/event
2. RISKS: effect
3. PROBABILITY: frequency/chances
4. VULNERABILITY

(Diagram: a Threat (cause) exploits a Vulnerability, with some Probability, to produce a Risk (effect) against the organization's ASSETS.)

2. RISK EVALUATION AND CONTROL


Identify exposures from both internal and external sources. These should include, but not be limited to, the following:
a) Natural, man-made, technological, or political disasters
b) Accidental versus intentional
c) Internal versus external
d) Controllable risks versus those beyond the organization's control
e) Events with prior warnings versus those with no prior warnings

Determine the probability of events:
a) Information sources
b) Credibility

Create methods of information gathering. Develop a suitable method to evaluate probability versus severity. Establish the cost-benefit analysis to be associated with the identified loss potential.

2. RISK EVALUATION AND CONTROL


Select the exposures most likely to occur and with the greatest impact. Identify controls and safeguards to prevent and/or mitigate the effect of the loss potential.

Considerations: the actions taken to reduce the probability of occurrence of incidents that would impair the ability to conduct business.
a) Physical protection
b) Physical presence
c) Logical protection
d) Location of assets
e) Procedural controls

2. RISK EVALUATION AND CONTROL


Risk Evaluation and Control
1. Establish disaster scenarios based on the risks to which the organization is exposed. The disaster scenarios should be based on these types of criteria: severe in magnitude, occurring at the worst possible time, resulting in severe impairment to the organization's ability to conduct business.
2. Evaluate risks and classify them according to relevant criteria, including: risks under the organization's control, risks beyond the organization's control, exposures with prior warnings (such as tornadoes and hurricanes), and exposures with no prior warnings (such as earthquakes).
3. Evaluate the impact of risks and exposures on those factors essential for conducting business operations: availability of personnel, availability of information technology, availability of communications technology, status of infrastructure (including transportation), etc.
4. Evaluate controls and recommend changes, if necessary, to reduce the impact of risks and exposures:
   a. Controls to inhibit the impact of exposures: preventive controls (such as passwords, smoke detectors, and firewalls)
   b. Controls to compensate for the impact of exposures: reactive controls (such as hot sites)

3. BUSINESS IMPACT ANALYSIS


PURPOSE: Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization, and techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.

OBJECTIVE:
1. Establish critical functions
2. Determine qualitative and quantitative impacts of the disruptions
3. Prioritize activities
4. Establish RTO and RPO
5. Establish interdependencies of functions
6. Document the list of vital records

3. BUSINESS IMPACT ANALYSIS


PURPOSE:
1. To provide the business rationale for a business continuity plan
2. To provide a factual, understandable and informative set of findings that management can use to give direction for the development of the BCP
3. To communicate the inherent vulnerabilities of the business units

3. BUSINESS IMPACT ANALYSIS


Recovery Time Objective (RTO): the time within which business functions or application systems must be recovered to acceptable levels of operational capability to minimize the impact of the outage.

RTOs are often used as the basis for:
1. Establishing priorities
2. Developing strategies
3. Determining whether or not an event is a disruption or a disaster

Recovery Point Objective (RPO):
1. Potential lost transactions
2. Tolerable data loss
3. Target recovery point in time
4. Last available data backup
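The RTO/RPO definitions above can be made concrete by measuring an outage against them. The following is an added example, not part of the original slides: it takes a constructed backup schedule and outage times, computes the data-loss window from the last available backup, checks whether the backup schedule can ever satisfy the RPO, and classifies the event as a disruption or a disaster by comparing downtime with the RTO, as the slide describes. The RTO, RPO and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample objectives (not from the slides): recovery must complete
# within 4 hours and no more than 1 hour of data may be lost.
RTO = timedelta(hours=4)
RPO = timedelta(hours=1)

# Constructed backup completion times for one day. Note the 90-minute gap
# before the last backup: longer than the RPO allows.
BACKUPS = [
    datetime(2013, 11, 26, 0, 0),
    datetime(2013, 11, 26, 1, 0),
    datetime(2013, 11, 26, 2, 0),
    datetime(2013, 11, 26, 3, 30),
]


def data_loss_window(incident_time, backup_times):
    """Data lost if the incident happens at incident_time: the time elapsed
    since the last backup completed before the incident (the slide's
    'last available data backup'). Returns None if no such backup exists."""
    completed = [b for b in backup_times if b <= incident_time]
    if not completed:
        return None
    return incident_time - max(completed)


def worst_case_loss(backup_times):
    """Largest gap between consecutive backups: the worst data loss the
    schedule can produce, whenever the incident happens."""
    ordered = sorted(backup_times)
    return max(b - a for a, b in zip(ordered, ordered[1:]))


def schedule_meets_rpo(backup_times, rpo):
    """True only if no possible incident time would exceed the RPO."""
    return worst_case_loss(backup_times) <= rpo


def assess_outage(incident_time, restored_time, backup_times, rto, rpo):
    """Measure an actual outage against RTO and RPO. Following the slide,
    an outage that overruns the RTO is classed as a disaster, otherwise
    as a disruption."""
    downtime = restored_time - incident_time
    loss = data_loss_window(incident_time, backup_times)
    return {
        "downtime": downtime,
        "data_loss": loss,
        "rto_met": downtime <= rto,
        "rpo_met": loss is not None and loss <= rpo,
        "classification": "disruption" if downtime <= rto else "disaster",
    }


def sample_assessment():
    """Worked case: incident at 03:45, service restored at 09:00."""
    return assess_outage(datetime(2013, 11, 26, 3, 45),
                         datetime(2013, 11, 26, 9, 0),
                         BACKUPS, RTO, RPO)


if __name__ == "__main__":
    print(sample_assessment())
    print("schedule can always meet RPO:", schedule_meets_rpo(BACKUPS, RPO))
```

In the worked case the incident itself loses only 15 minutes of data, yet the schedule as a whole cannot guarantee the RPO and the 5h15 downtime overruns the RTO, so the event is a disaster.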


3. BUSINESS IMPACT ANALYSIS


Assess Effects of Disruptions, Loss Exposure, and Business Impact

Effects of disruptions:
1. Loss of assets: key personnel, physical assets, information assets, intangible assets
2. Disruption to the continuity of service and operations
3. Violation of law/regulation
4. Public perception

Impact of disruptions on the business:
1. Financial
2. Customers and suppliers
3. Public relations/credibility
4. Legal
5. Regulatory requirements/considerations
6. Environmental
7. Operational
8. Personnel
9. Other resources

3. BUSINESS IMPACT ANALYSIS


Assess Effects of Disruptions, Loss Exposure, and Business Impact: Determine Loss Exposure

Quantitative:
1. Property loss
2. Revenue loss
3. Fines
4. Cash flow
5. Accounts receivable
6. Accounts payable
7. Legal liability
8. Human resources
9. Additional expenses/increased cost of working

Qualitative:
1. Human resources
2. Morale
3. Confidence
4. Legal
5. Social and corporate image
6. Financial community credibility

3. BUSINESS IMPACT ANALYSIS


Determine minimum resource requirements for recovery and resumption of critical functions and support systems:
1. Internal and external resources
2. Owned versus non-owned resources
3. Existing resources and additional resources required

Interdependencies between the business processes:
1. Intradepartmental
2. Interdepartmental
3. External relationships

The BIA provides management with the key information for making strategic decisions regarding business continuity and recovery.

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES


Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objective, while maintaining the organization's critical functions.

OBJECTIVE:
1. Understand available alternatives and their advantages, disadvantages, and cost ranges, including mitigation as a recovery strategy
2. Identify viable recovery strategies within business functional areas
3. Consolidate strategies
4. Identify off-site requirements and alternative facilities
5. Develop business unit strategies
6. Obtain commitment from management for developed strategies

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES


1. Identify Enterprise-wide and Business Unit Continuity Strategic Requirements
   A. Review business continuity issues:
      1. Timeframes
      2. Options
      3. Location
      4. Personnel
      5. Communications (crisis/media and voice/data)
   B. Compare internal/external solutions
   C. Identify alternative continuity strategies:
      1. Do nothing
      2. Defer action
      3. Manual procedures
      4. Reciprocal agreements
      5. Alternative site or business facility
      6. Alternate source of product
      7. Third-party service providers/outsourcers
      8. Distributed processing
      9. Alternative communications
      10. Mitigation
      11. Preplanning
   D. Assess the risk associated with each optional continuity strategy

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES


2. Assess Suitability of Alternative Strategies Against the Results of the Business Impact Analysis
3. Prepare Cost/Benefit Analysis of Continuity Strategies and Present Findings to Senior Management
4. Select Alternate Site(s) and Off-Site Storage
   1. Criteria
   2. Communications
   3. Agreement considerations
   4. Comparison techniques
   5. Acquisition
   6. Contractual considerations
5. Develop, implement and exercise enterprise-wide plans for business continuity
6. Develop, implement and exercise business unit plans for business continuity in line with the enterprise-wide plan
7. Develop strategies to recover/restore telecommunications:
   a. Voice communications
   b. Data communications

Strategies should be developed at the organizational as well as the functional level.

5. EMERGENCY RESPONSE AND OPERATIONS


Develop and implement procedures for responding to and stabilizing the situation following an incident or event, including establishing and managing an Emergency Operations Center to be used as a command center during the emergency.

OBJECTIVE:
1. Identify potential types of emergencies and the responses needed (e.g., fire, hazardous materials leak, medical)
2. Identify the existence of appropriate emergency response procedures
3. Recommend the development of emergency procedures where none exist
4. Integrate disaster recovery/business continuity procedures with emergency response procedures and escalation procedures
5. Identify the command and control requirements of managing an emergency
6. Recommend the development of command and control procedures to define roles, authority, and communications processes for managing an emergency
7. Ensure emergency response procedures are integrated with the requirements of public authorities (refer also to Subject Area 10, Coordination with Public Authorities)

5. EMERGENCY RESPONSE AND OPERATIONS


1. Identify Components of Emergency Response Procedures
   A. Reporting procedures
      I. Internal (escalation procedures)
         a. Local
         b. Organization (decision-making process)
      II. External (response procedures)
         a. Public agencies and media
         b. Suppliers of products and services
   B. Pre-incident preparation
      I. By type of disaster
         a. Acts of nature
         b. Accidental
         c. Intentional
      II. Management continuity and authority
      III. Roles of designated personnel
   C. Emergency actions
      a. Evacuation
      b. Medical care and personnel counselling
      c. Hazardous material response
      d. Firefighting
      e. Notification
      f. Other

5. EMERGENCY RESPONSE AND OPERATIONS


   D. Facility stabilization
   E. Damage mitigation
   F. Testing procedures and responsibilities

2. Develop Detailed Emergency Response Procedures
   A. Protection of personnel
   B. Containment of the incident
   C. Assessment of the effect
   D. Decide optimum actions

3. Identify Command and Control Requirements
   A. Designing and equipping the Emergency Operations Center
   B. Command and decision authority roles during the incident
   C. Communication vehicles (e.g., e-mail, radio, messengers, cellular telephones, etc.)
   D. Logging and documentation methods

5. EMERGENCY RESPONSE AND OPERATIONS


4. Command and Control Procedures
   A. Opening the Emergency Operations Center
   B. Security for the Emergency Operations Center
   C. Scheduling the Emergency Operations Center teams
   D. Management and operations of the Emergency Operations Center
   E. Closing the Emergency Operations Center

5. Emergency Response
   A. Develop, implement, and exercise emergency response procedures, including determination of priorities for actions in an emergency
   B. Develop, implement, and exercise procedures such as first aid and medical treatment; identify locations of and develop procedures for transportation to nearby hospitals

6. Recognize the potential need to establish liaison with external agencies (e.g., statutory agencies, emergency services such as fire departments and police, insurers, loss adjusters, etc.), and specify the type of information these agencies may require
7. Establish procedures with public authorities for facility access
8. Establish procedures with third-party service providers, including appropriate contractual agreements

5. EMERGENCY RESPONSE AND OPERATIONS


Emergency Response components:
1. Escalation and reporting procedures
2. Emergency notification procedures for internal and external parties
3. Life safety procedures
4. Identify types of emergencies and the responses needed
5. Identify current procedures / recommend new ones
6. Define core roles and responsibilities
7. Testing procedures and responsibilities

Planning must take place before you have an emergency, so that there is a coordinated, effective response that protects your organization and minimizes the damage.

6. Developing and Implementing Business Continuity Plans


Design, develop, and implement Business Continuity and Crisis Management plans that provide continuity within the recovery time objective and recovery point objective.

OBJECTIVE: Document the procedures required to continue, recover and restore the functional capability of the organization.

SOME KEY TASKS:
1. Develop teams and tasks
2. Develop specific steps to minimize the risk of outage and restore normal operations
3. Document the plan

SOME KEY DELIVERABLES:
1. Emergency response plans and procedures
2. Crisis communication procedures
3. Coordination with external agencies
4. The draft plan

6. Developing and Implementing Business Continuity Plans


TYPES OF PLANS:
1. Crisis Management Plan
2. Disaster Recovery Plan
3. Emergency Response Plan
4. Business Continuity Plan
5. Business Unit Plans
6. COOP (Continuity of Operations)
These are jointly called Business Continuity Management.

Business Continuity Plan products (information):
1. WHO executes recovery actions
2. WHAT is needed to recover, resume, continue or restore business functions
3. WHERE to go to resume corporate, business and operations functions
4. WHEN business functions and operations must resume
5. HOW: detailed procedures for recovery, resumption, continuity and restoration

6. Developing and Implementing Business Continuity Plans


SUCCESSFUL PLANS:
1. Clear and concise
2. Coordinated with suppliers and vendors
3. Senior management support / organizational commitment
4. On-going / part of the strategic effort
5. Appropriate budget
6. Backup and offsite storage programs
7. Fully documented and exercised regularly
8. Risks are managed
9. Vulnerabilities are prioritized
10. Flexible and adaptable
11. Information security built into the plan

REVIEW COMPONENTS:
1. Is the plan consistent with the findings of the BIA?
2. Are roles and responsibilities defined?
3. Are resources in place?
4. Can the plan be implemented?

6. Developing and Implementing Business Continuity Plans


STRUCTURE:
1. Develop General Introduction or Overview
   A. General information: introduction, scope, objectives, assumptions, responsibility overview, testing, maintenance
   B. Plan activation: notification, disaster declaration procedure, mobilization procedures, damage assessment concepts
   C. Team organisation
   D. Policy statement
   E. Emergency Operations Centres

6. Developing and Implementing Business Continuity Plans


STRUCTURE (contd.):

2. Develop Administration Team Documentation
   A. Identify continuity functions for the following, including qualifications, responsibilities and resources required:
      1. Communications (public relations/media, client and employee)
      2. Personnel/human resources
      3. Security
      4. Insurance/risk management
      5. Equipment/supplies purchasing
      6. Transportation
      7. Legal
   B. Other specialist coordinator/team responsibilities:
      1. Relations/liaison with regulatory bodies
      2. Investor relations
      3. Relations with other involved groups (e.g., customers and suppliers)
      4. Labour relations
   C. Develop specific procedures for each function or building identified above:
      1. Department/individual/building plans
      2. Checklists
      3. Technical procedures

6. Developing and Implementing Business Continuity Plans


STRUCTURE (contd.):

3. Develop Business Operations Team Documentation
   A. Operating department plans
      1. Essential business functions
      2. Information protection and recovery
      3. Activation actions
      4. Disaster site recovery/restoration actions
      5. End-user computing needs
   B. Action sections
      1. Recovery team
         a. Personnel
         b. Responsibilities
         c. Resources
   C. Action plans
      1. Specific department/individual plans
      2. Checklists
      3. Technical procedures

6. Developing and Implementing Business Continuity Plans


STRUCTURE (contd.):

4. Develop Communication Systems
   A. Voice communications recovery plans
      1. Phone lines, including in-bound, toll-free (1-800) lines, and fax lines
      2. Voice mail, voice response units, and other voice-based services
      3. Alternate arrangements for automated voice response during a disaster
   B. Data communications recovery plans
      1. Data communications with mainframe-based information systems
      2. Local area network (LAN) recovery for work area recovery
      3. Wide area network (WAN) recovery for restoring global connectivity
      4. E-mail, groupware, and other data communications-based work support
   C. Emphasize and ensure detailed and up-to-date documentation of voice and data communications networks throughout the enterprise

6. Developing and Implementing Business Continuity Plans


STRUCTURE (contd.):

5. Implement the Plans
   A. Ensure that required tasks are completed for plan implementation
      1. Acquiring additional equipment
      2. Contractual arrangements
      3. Preparing backup and off-site storage
      4. Appropriate documentation for plans in place
   B. Develop test plans, schedules, and test reporting procedures
   C. Develop maintenance, updating, and reporting procedures

7. Awareness and Training Program


Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement the Business Continuity Management program or process and its supporting activities.

1. Define Awareness and Training Objectives
2. Develop and Deliver Various Types of Training Programs as appropriate
   a. Computer-based
   b. Classroom
   c. Test-based
   d. Instructional guides and templates
3. Develop Awareness Programs
   a. Management
   b. Team members
   c. New employee orientation and current employee refresher program
4. Identify Other Opportunities for Education
   a. Professional business continuity planning conferences and seminars
   b. User groups and associations
   c. Publications and related Internet sites
5. Identify Vehicles for Corporate Awareness


7. Awareness and Training Program


Purpose of the Awareness Program:
1. Increase knowledge and awareness of how to prepare for and respond to emergency situations
2. Knowing how to respond to an event will increase the chances of survival
3. Make employees aware of the risks to the organisation and the impact of those risks
4. Make employees aware of the plans in place to protect them from a disaster
5. Train employees how to respond during a disaster
6. Orient new employees to the BCM program

Awareness and training activities should be designed to meet the needs of the target audience.

8. Maintaining and Exercising Business Continuity Plans


Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the plan documents in accordance with the organization's strategic direction. Verify that the plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

Objective:
1. Assess the viability of the plan
2. Practice procedures before the disaster
3. Satisfy legal and audit requirements
4. Identify the areas which need modification
5. Enable the BCM program to remain active, up-to-date, understood and usable
6. Demonstrate the ability to recover
7. Provide a mechanism for maintaining and updating the plan
8. Ensure the plan is effective in achieving the targeted RTO

8. Maintaining and Exercising Business Continuity Plans

"The safety policy and procedures were in place; the practice was deficient."
--- extract from Lord Cullen's report into the Piper Alpha disaster

"I hear, I forget. I see, I remember. I do, I understand."
--- Chinese proverb

8. Maintaining and Exercising Business Continuity Plans


1. Establish an Exercise Program
   A. Develop an exercise strategy that does not put the organization at risk, is practical, cost-effective, and appropriate to the organization, and ensures a high level of confidence in recovery capability
   B. Employ a logical, structured approach (effectively analyze complex issues)
   C. Create a suitable set of exercise guidelines

2. Determine Exercise Requirements
   A. Define exercise objectives and establish acceptable levels of success
   B. Identify types of exercises, and their advantages and disadvantages:
      1. Walk-throughs / tabletop
      2. Simulations
      3. Modular/component (call trees, applications, etc.)
      4. Functional (specific lines of business)
      5. Announced/planned
      6. Unannounced/surprise
   C. Establish and document the scope of the exercise (participants, timing, etc.)

8. Maintaining and Exercising Business Continuity Plans


3. Develop Realistic Scenarios
   A. Create exercise scenarios to approximate the types of incidents the organization is likely to experience and the problems associated with these incidents
   B. Map the scenarios identified to different test types

4. Establish Exercise Evaluation Criteria and Document Findings
   A. Develop criteria aligned with exercise objectives and scope
      1. Measurable and quantitative
      2. Qualitative
   B. Document results as per the criteria identified
      1. Expected versus actual results
      2. Unexpected results

5. Create an Exercise Schedule
   A. Develop a progressive, incremental schedule
   B. Set realistic time scales

8. Maintaining and Exercising Business Continuity Plans


6. Prepare Exercise Control Plan and Reports
   a. Define exercise objectives and select an appropriate scenario
   b. Define assumptions and describe limitations
   c. Identify the resources required to conduct the exercise and identify participants; ensure all understand the objectives and their roles
   d. Identify exercise adjudicators (umpires), and clearly identify all roles and responsibilities
   e. Provide a timetable of events and circulate it to all participants, facilitators, and adjudicators
   f. In the event of a real situation occurring during an exercise, you may want to have a predetermined mechanism for cancelling the exercise and invoking your real business continuity process

7. Facilitate Exercises
   a. Execute the exercise(s) as planned above
   b. Audit exercise actions

8. Maintaining and Exercising Business Continuity Plans


8. Post-Exercise Reporting
   a. Provide a cogent, comprehensive summary with recommendations, commensurate with the levels of confidentiality requested by the exercise umpire/adjudicator or as specified by the subject organization

9. Feedback and Monitor Actions Resulting from the Exercise
   a. Conduct debriefing sessions to review exercise results and identify action items for improvement
   b. Identify actions and owners for recommendations; confirm owner acceptance
   c. Confirm time schedules for completing or reviewing agreed actions
   d. Monitor (and escalate where necessary) progress to completion of agreed actions

10. Define Plan Maintenance Scheme and Change Control Procedure
   a. Ensure that scheduled plan maintenance addresses all documented recommendations
   b. Analyze business changes with business continuity planning implications
   c. Develop change control procedures to monitor changes
   d. Create proper version control; develop plan reissue, distribution, and circulation procedures
   e. Identify the plan distribution list for circulation

8. Maintaining and Exercising Business Continuity Plans


11. Establish Status Reporting Procedures
   a. Establish reporting procedures
      1. Content
      2. Frequency
      3. Recipients

12. Audits
   A. Audit the BCP's Structure, Contents, and Action Sections
      1. Determine if a section in the BCP addresses recovery considerations
      2. Evaluate the adequacy of emergency provisions and procedures
      3. Recommend improved positions if weaknesses exist
   B. Audit the BCP's Documentation Control Procedures
      1. Determine whether the BCP is available to key personnel
      2. Review update procedures
      3. Demonstrate that update procedures are effective by auditing test results
      4. Examine the provision of secure backup copies of the BCP for emergency use
      5. List those individuals with copies of the BCP
      6. Ensure that BCP copies are current

The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn't.

9. Public relation and crisis communication


Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders (employees, corporate management, etc.), external stakeholders (customers, shareholders, vendors, suppliers, etc.), and the media (print, radio, television, Internet, etc.).

OBJECTIVE:
1. Establish Programs for Proactive Crisis Communications
2. Establish Necessary Crisis Communication Coordination with External Agencies (local, state, national government, emergency responders, regulators, etc.)
3. Establish Essential Crisis Communications with Relevant Stakeholder Groups
4. Establish and Exercise Media Handling Plans for the Organization and its Business Units



1. Identify and Develop a Proactive Crisis Communications Program
a. Internal (corporate and business unit level) groups
b. External groups (customers, vendors, suppliers, public)
c. External agencies (local, state, national governments, emergency responders, regulators, etc.)
d. Media (print, radio, television, Internet)

2. Establish Essential Crisis Communication Plans with External Agencies as appropriate
A. Develop ongoing procedures/tools to manage relationships with multiple agencies as appropriate
   1. Local/state/national emergency services
   2. Local/state/national civilian defence authorities
   3. Local/state/national weather bureaus
   4. Other governmental agencies as appropriate



3. Establish Essential Communications Plans with Internal and External Stakeholders to ensure they are kept informed as appropriate
A. Develop ongoing procedures/tools to manage relationships with multiple stakeholders as appropriate
   (1) Owners/stockholders
   (2) Employees and their families
   (3) Key customers
   (4) Key suppliers
   (5) Corporate/headquarters management
   (6) Other stakeholders

4. Establish Essential Crisis Communications Plans with the Media Outlets
A. Develop ongoing procedures/tools to manage relationships with the media
   1. Print (newspapers, journals, etc.)
   2. Radio
   3. Television
   4. Internet



5. Develop and Facilitate Exercises for Crisis Communication Plans
A. Establish exercise objectives annually
B. Coordinate and execute exercises
C. Debrief and report on exercise results, including action plans for revisions

What is Crisis Communication?
Effective and managed communication about an event or occurrence that can impact people, organizations and communities:
   Simple
   Direct
   Honest



Key components of messages
1. Clear and easy to comprehend
2. Repeated constantly
3. Integrated with messages sent to other audiences
4. Consistent
5. Be up front regarding confidential information
6. Speak to the specific audience's concerns
7. Use personal language and acknowledge emotions
8. Appreciate the individuality of the responses

Perception is Reality


10. Coordination with Public Authorities


Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with external agencies (local, state, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes or regulations.

OBJECTIVE:
1. Identify and Establish Liaison Procedures for Emergency Management
2. Coordinate Emergency Management with External Agencies
3. Maintain Current Knowledge of Laws and Regulations Concerning Emergency Management as it pertains to a particular organization



1. Identify Applicable Laws and Regulations Governing Emergency Management
A. Gather/identify sources of information on applicable laws and regulations (disaster recovery, environmental cleanup, business resumption, etc.) and determine their impact on the organization and/or industry
B. Identify statutory requirements for the industry in which the organization participates

2. Identify and Coordinate with Agencies Supporting Business Continuity Aims
A. Identify and develop procedures with external agencies providing disaster assistance (financial and resources) to manage the ongoing relationships as appropriate
B. Work with statutory agencies to conform to legal and regulatory requirements as appropriate



3. Develop and Facilitate Exercises with External Agencies
A. Establish exercise objectives annually
B. Coordinate and execute exercises
C. Debrief and report on exercise results, including action plans for revisions


Thank You
Source: http://www.drii.org/DRII/ProfessionalPractices/about_professional.aspx
