Mod16_BusinessContinuityPlanning.pptx

    Business Continuity Planning (BCP)

    MSIS 4253/5253

    What is a Business Continuity Plan?

    A Business Continuity Plan is a structured approach to looking at your business, identifying what can go wrong and then putting plans in place to reduce those risks.

    You want to protect people and property and to be able to resume your critical business operations/work processes.

    Definition

    Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.

    A subset of risk assessment

    Primary focus: any event that could negatively impact operations is included in the plan, such as interruption, loss of, or damage to critical infrastructure (major machinery or computing/network resource).

    BCPs are tailored to fit the business

    Getting started

    Emergency Contact Persons

    Organization Policy

    Business Description

    Office Locations

    Alternative Physical Locations of Employees

    Data Back-up and Recovery (Hard copy and electronic)

    Financial and Operational Assessments

    Mission Critical Systems

    Alternative Communications Between Organization and Customers, Employees, and Regulators

    Critical Business Constituents, Banks, and Counter-Parties

    Regulatory Reporting

    Disclosure of Business Continuity Plan

    Updates and Annual Review

    Senior Management Approval

    Emergency Contact Persons

    Identify the people that will kick off BCP in the event of a disruption

    Position should be codified in writing

    Should be in contact 24/7

    Include name, title, mailing address, email address, telephone number and any other relevant contact information

    Organization Policy

    State organization’s objective for business continuity:

    Our organization’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the organization’s books and records, and allowing our customers to transact business. In the event that we determine we are unable to continue our business, we will assure customers prompt access to….

    Significant Business Disruptions

    Internal: Affects only our ability to communicate and do business

    External: Prevents others from doing business

    Approval Authority

    Plan Location and Access

    Business Description and Office Locations

    State the type of business the organization conducts

    Include major functional areas

    Include major inventories held on site

    Office Locations

    List location of all offices

    Include the means of transportation employees use to get to office

    Identify which mission critical systems take place at each location

    Alternative Physical Location of Employees

    Locations organization will use in the event an SBD affects the operation of the main office

    Where will employees work?

    Think beyond IT work (this is a BCP)

    Data Back-up and Recovery (Hard copy and electronic)

    Identification of location where primary books and records are stored

    Describe how back-ups are accomplished

    How will the organization recover data in the event of an SBD?

    Financial and Operational Assessments

    Operational Risk

    Organization’s ability to maintain communications with customers and to retrieve key activity records through its mission critical systems

    Financial Risk

    Involves the organization’s ability to fund operations and maintain adequate financing and sufficient capital.

    May also involve a credit risk which could also hinder the ability of the organization’s counterparts to fulfill their obligations

    Mission Critical Systems

    Could include:

    Order taking

    Order entry

    Order execution and delivery

    Other services provided to customers

    Supply chain

    Clearly describe each

    Explain how each will be accomplished in the event of an SBD

    Alternative Communications

    Customers

    Employees

    Regulators

    Financial Institutions

    Critical Business Constituents, Banks, and Counter-parties

    Business constituents: What if they can no longer provide needed goods or services due to an SBD?

    Identify alternative suppliers

    Banks: Can they continue to provide financing?

    Identify alternative banks and financial institutions

    Counter-Parties: Can our competitor process some of our orders?

    Regulatory Reporting

    How will the organization file regulatory reports in the event of an SBD?

    Describe how it is normally done and when

    Determine which means are still available

    Written

    Oral

    Disclosure of BCP

    Disclosure statement

    How to contact

    Basics of the BCP

    Communications

    Back-ups

    How business will be conducted during SBD

    Varying disruptions

    POC for more information

    Issues and Pitfalls (same as DRP)

    Lack of buy in

    Incomplete RTO and RPOs

    System myopia (vpn example, cell phone example)

    Lack of security

    Outdated plans

    Changes in organization structure

    Changes in technology

    Changes in mission

    Failure to test

    Summary

    BCP is a subset of risk assessment

    Focus is on keeping the business operational

    Customers, Banks, Counter-parties, Suppliers

    BCP, DRP and Risk Assessments all draw on the same data
