Business Continuity Management 101
Presented by: Michael Herrera, Brandon Magestro
MHA Consulting
© 2013 MHA Consulting All Rights Reserved.
Agenda
MHA Consulting – Introduction
Business Continuity Management (BCM) Defined
2013 Trends
The Business Impact Analysis (BIA)
Threat & Risk Assessment (TRA)
Business Recovery Plans (BRP)
IT Disaster Recovery Plans (DRP)
Questions?
MHA Consulting, Inc.
Michael Herrera
Who We Are
Leading boutique consulting firm since 1999
Provider of consulting services to private and public sector companies across the USA
Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization
What We Do
Business Continuity Management
Disaster Recovery Planning
Training & Awareness
Physical Security Consulting
Information Technology Optimization & Best Practices
What Makes Us Different
Experienced professionals that possess a unique blend of knowledge
Experience combines focus, dedication and independence of a specialty firm
Proven methodologies and tools
Financial and management stability
Domestic presence and deep skill-sets of the Big 4 or larger consulting firm
Experience & Qualifications
[Client logo slide; only the label "Metro Water District" survives extraction]
BCM Defined
Development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
Business Continuity Management:
The development of key plans and strategies
Protection of your organization's operations
The identification and protection of your most critical business processes
BCM - A Common Language
Business Resumption Planning:
The process initiated to resume business operations to a level consistent with the business requirements.
Crisis Management:
A series of actions taken to gain control of the event quickly to minimize the effects of an interruption and prepare for recovery.
IT Disaster Recovery Planning:
The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes.
BCM Model
Disaster Recovery Institute International Model
[Diagram; labels recovered from the slide: Project Initiation; Functional Requirements; Design, Dev, Implementation; Testing, Maint., Execution; Project Mgmt; Policies & Standards; BIA; Risk Assessment; Recovery Strategy; BRP; DRP; CMT; Testing; Maint; Cont. Imp.; Execute]
The Business Continuity Lifecycle
[Diagram: Continuity Life Cycle with the elements Executive Management Support & Sponsorship; Risk Assessment & Business Impact Analysis; Business Continuity Strategy Design; Plan Development & Strategy Implementation; Training & Awareness; Testing & Maintenance; Compliance Monitoring & Auditing; Business Alignment]
Elements of BCM Implementation Process
Executive Management sponsorship
BCM Governance Program/Team
Provide a framework and methodology for understanding, discussing and developing plans
Follow a holistic project approach similar to the DRII Model
Execute a Threat and Risk Assessment and Business Impact Analysis
Research and develop business and IT recovery strategies
Develop and formalize crisis management, crisis communication, IT disaster recovery and business recovery plans
Institute testing, training and awareness
Conduct post-test analysis and make adjustments accordingly
Implement a maintenance strategy
Learnings from 2013
Business Continuity Management (BCM) is the new Business Continuity Planning (BCP). The majority of organizations are renaming their enterprise continuity programs to Business Continuity Management.
Business Continuity staffing in most organizations is not increasing. Many organizations continue to either staff minimally or use outside consultants to augment the program.
Enterprise Risk Management (ERM) is integrating BCM into its process and utilizing the information gathered through BIAs and Threat & Risk Assessments to support identification of risks and exposures; a good sign.
Learnings from 2013
The Business Impact Analysis (BIA) study remains the foundational component that drives the development of the BCM program. However, senior management is continually looking for us to refine the BIA process, shorten business unit participation time in the studies and ensure the rigor in the process clearly identifies the most critical activities and dependencies.
We see Recovery Time Objectives (RTOs) continue to get shorter and shorter (e.g., no downtime, 1 hour, 4 hours, etc.) in many of the companies we worked with in 2013.
The new norm for tolerance for data loss, or Recovery Point Objectives (RPOs), across critical business activities is zero or near zero in many companies, due to the use of complex technology and automated workflows that virtually eliminate manual workarounds.
Business and IT RTO/RPO Alignment – Alignment remains a critical gap across a majority of companies, whether they are small, medium or large.
Learnings from 2013
Emergency Notification Systems – The use of ENS is becoming widespread. However, organizations routinely struggle with bad contact data and with the processes to effectively and efficiently notify associates. Also, it is not much use with no electrical power.
Companies struggle with Recovery Strategies, particularly for the business units of the organization.
Our most mature clients (financial, utilities) are holding live Recovery Exercises.
BCM Regulatory Requirements & Guidelines
NFPA 1600
HIPAA
GLBA
FFIEC
OSHA
FCPA
SEC
ISO 9000, 14000 & 22301
QS 9000
State Insurance Departments
Critical Infrastructure Protection
– Security Standards for Electric Market Participants
– Sound Practices to Strengthen the Resilience of the US Financial System
Conducting the BIA
Business Impact Analysis Defined:
The careful study of individual business activities and support functions, as well as the system of business processes in their entirety, to better understand objectives regarding continuity of operations.
Methodologies and Approaches
Relationship between the BIA and Risk Assessment
Objectives:
– Quantify the loss potential
– Qualify other types of loss
– Establish Recovery Time Objective
– Establish Recovery Point Objective
Threat & Risk Assessment
Natural/Environmental Threats
Technological Threats
Man-made Threats (Accidental and Intentional)
Business Process-related Risks
– Single Points of Failure
– Personnel
– Supply Chain
Information Technology Availability Risks
Third Parties / Vendors
A Common Ailment
A rigorous Business Impact Analysis (BIA), including an analysis of recovery options, helps address the gap between Business Requirements and IT Capabilities currently experienced by many organizations.
Business Recovery Plans
Business Recovery Plans (BRPs) are developed to ensure recovery of the critical activities identified in the BIA. At a minimum, the BRP contains the following information:
Purpose, scope, assumptions, etc.
Activation procedures
Listing of critical business activities and priority of recovery
Roles and responsibilities
Emergency procedures to ensure safety of all affected staff members
Response, recovery and resumption procedures
Coordination procedures with public authorities
Communication procedures
Critical information on continuity teams, staff, customers, suppliers, etc.
Off-site storage of critical records, documentation and other pertinent resources
Copies of the BRP at various secure locations
Business Recovery Testing
Business recovery testing options:
Tabletop Exercise / Structured Walkthrough - A tabletop exercise/structured walk-through test is conducted as a preliminary step in the overall testing process; however, it is not a preferred testing method. Its objective is to ensure that critical personnel are familiar with the recovery plan and that it accurately reflects the organization's ability to recover.
Walk Through Drill / Simulation Test - A walk-through drill/simulation test is a secondary step in the overall testing process and is more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the Business Recovery Plan to it.
Functional Drill / Parallel Testing - This test involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the Plan.
TREND: The majority of organizations only perform Tabletop Exercises, few perform Walk-throughs and only a very small number perform Functional Drills.
Business recovery testing reduces the risk that an organization could incur given a disruption of the critical business activities that are required to maintain the mission and operations of the organization.
Disaster Recovery Plans
Disaster recovery plans are developed for each critical IT system/application and identify:
Alternative equipment/facilities adequate to recover critical systems
Prioritization of recovering critical and non-critical applications
Recovery and validation steps for each system and application
Personnel requirements/skills in the event of a disaster
Critical application programs, third-party services, operating systems, databases, data files, supplies and timeframes needed for recovery
Off-site storage of critical back-up media, documentation and other pertinent resources
Copies of the DRP at various secure locations
The DRP includes all the recovery steps, technology processes, systems, applications, databases and network assets used to support the recovery of the systems and applications required by the critical business activities of the organization.
Disaster Recovery Testing
Disaster recovery testing options:
Standalone Testing – Perform recovery of individual systems and applications. This is a good first step.
Integrated Testing – Perform recovery of multiple systems and applications that are dependent on each other (upstream and downstream) and see how they work together in the recovered state.
Business Activity Testing – Perform recovery of a critical business activity from end to end using all of the upstream and downstream systems and applications needed.
TREND: The majority of organizations perform standalone and integrated testing, but very few, if any, perform business activity testing. Integrated and business activity testing are difficult for most organizations to achieve unless they have a mature and tested recovery capability.
Disaster recovery testing reduces the risk that an organization could incur given a severe disruption of business if the computing center and system custodians are unable to recover processing or key technology infrastructure in the event of a disaster.
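The Business/IT RTO/RPO alignment gap (the "common ailment" slide) and the upstream/downstream dependency view that integrated and business activity testing rely on come together in one check: take the RTO and RPO the BIA requires for each business activity, take the recovery time and RPO the DR tests measured for each system, walk the dependency chain, and see whether the chain can actually meet the requirement. The script below is an added example in Python; it is not MHA Consulting's tool and not part of the original deck. Every system name, activity and hour value in it is constructed sample data; in practice the inputs would come from the BIA and from standalone/integrated test results.

```python
"""Added example (not from the original deck): check BIA-required RTO/RPO for each
business activity against what the IT dependency chain can actually deliver.
All systems, activities and hour values below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class System:
    name: str
    recovery_hours: float                   # measured time to restore once upstream systems are back
    rpo_hours: float                        # worst-case data loss from its backup/replication interval
    depends_on: List[str] = field(default_factory=list)   # upstream systems it cannot run without


@dataclass
class Activity:
    name: str
    rto_hours: float                        # business requirement from the BIA
    rpo_hours: float                        # business requirement from the BIA
    systems: List[str]                      # systems the activity uses directly


def finish_time(systems: Dict[str, System], name: str,
                memo: Optional[Dict[str, float]] = None,
                stack: Optional[List[str]] = None) -> float:
    """Hours until `name` is usable: its own recovery time on top of the slowest
    upstream chain (the critical path through the dependency graph).
    A circular dependency cannot be sequenced in a recovery, so it is an error."""
    memo = {} if memo is None else memo
    stack = [] if stack is None else stack
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("circular dependency: " + " -> ".join(stack + [name]))
    stack.append(name)
    upstream = max((finish_time(systems, dep, memo, stack)
                    for dep in systems[name].depends_on), default=0.0)
    stack.pop()
    memo[name] = upstream + systems[name].recovery_hours
    return memo[name]


def has_cycle(systems: Dict[str, System]) -> bool:
    """True if any recovery chain loops back on itself."""
    try:
        for name in systems:
            finish_time(systems, name)
        return False
    except ValueError:
        return True


def transitive_systems(systems: Dict[str, System], name: str,
                       seen: Optional[Set[str]] = None) -> Set[str]:
    """Every system reachable from `name`, directly or through upstream chains."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for dep in systems[name].depends_on:
            transitive_systems(systems, dep, seen)
    return seen


def assess(activities: List[Activity], systems: Dict[str, System]) -> List[dict]:
    """One row per activity: required vs achievable RTO/RPO and the resulting gap.
    Achievable RTO is the slowest of the activity's systems to come back; achievable
    RPO is the worst RPO anywhere in the chain, because the activity's data is only
    as current as the least protected system it depends on."""
    memo: Dict[str, float] = {}
    rows = []
    for act in activities:
        achievable_rto = max(finish_time(systems, s, memo) for s in act.systems)
        needed: Set[str] = set()
        for s in act.systems:
            transitive_systems(systems, s, needed)
        achievable_rpo = max(systems[s].rpo_hours for s in needed)
        rows.append({
            "activity": act.name,
            "rto_required": act.rto_hours, "rto_achievable": achievable_rto,
            "rto_gap": max(0.0, achievable_rto - act.rto_hours),
            "rpo_required": act.rpo_hours, "rpo_achievable": achievable_rpo,
            "rpo_gap": max(0.0, achievable_rpo - act.rpo_hours),
        })
    return rows


# Constructed sample data: a small dependency chain and two BIA activities.
SAMPLE_SYSTEMS = {
    "Directory": System("Directory", recovery_hours=2, rpo_hours=0),
    "Storage":   System("Storage", recovery_hours=4, rpo_hours=1),
    "ERP-DB":    System("ERP-DB", recovery_hours=6, rpo_hours=1, depends_on=["Storage", "Directory"]),
    "ERP-App":   System("ERP-App", recovery_hours=2, rpo_hours=0, depends_on=["ERP-DB"]),
    "Email":     System("Email", recovery_hours=3, rpo_hours=4, depends_on=["Directory"]),
}
SAMPLE_ACTIVITIES = [
    Activity("Order Processing", rto_hours=4, rpo_hours=0, systems=["ERP-App"]),
    Activity("Customer Communications", rto_hours=24, rpo_hours=8, systems=["Email"]),
]
# Constructed sample containing a loop, to exercise the cycle check.
CYCLIC_SYSTEMS = {
    "A": System("A", recovery_hours=1, rpo_hours=0, depends_on=["B"]),
    "B": System("B", recovery_hours=1, rpo_hours=0, depends_on=["A"]),
}

if __name__ == "__main__":
    for row in assess(SAMPLE_ACTIVITIES, SAMPLE_SYSTEMS):
        status = "GAP" if row["rto_gap"] or row["rpo_gap"] else "ok"
        print(f'{row["activity"]:<24} RTO {row["rto_achievable"]:>4}h vs {row["rto_required"]:>3}h  '
              f'RPO {row["rpo_achievable"]:>3}h vs {row["rpo_required"]:>3}h  {status}')
    print("cycle in sample:", has_cycle(CYCLIC_SYSTEMS))
```

In the sample, "Order Processing" asks for a 4-hour RTO and zero data loss, but its ERP application cannot come back until the database, and before that the storage and directory, are restored, so the chain delivers 12 hours and a 1-hour RPO: an 8-hour RTO gap and a 1-hour RPO gap that a standalone test of the ERP application alone would never reveal. The cycle check matters because a dependency loop means no recovery order exists, which is exactly the kind of finding integrated testing is meant to surface before a real event does.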
BCM Metrics
Purpose
The BCMMETRICS secure, web based self-assessment tool is designed to evaluate the compliance of an enterprise Business Continuity Management (BCM) program to accepted industry best practices and standards.
Consistency with Industry Best Practices
BCMMETRICS.com uses the leading BCM industry best practices, standards and guidelines as its basis for evaluating the compliance of a program. The tool will comply with a number of widely accepted best practices and standards that include, but are not limited to:
• ISO 22301
• BCI Good Practices
• National Fire Protection Act 1600 (NFPA 1600)
• Federal Financial Institution Examination Council (FFIEC) BCM Standards
BCM Metrics
[Three screenshot slides of the BCMMETRICS tool; no text survives extraction]
Questions ….
If you have questions regarding the information presented today and/or any other DR/BCP questions, please call or email:
Brandon Magestro
Director of Operations
MHA Consulting, Inc.
Mobile: (907) 748-4024