
Business Continuity Planning (BCP)

MSIS 4253/5253

What is a Business Continuity Plan?

A Business Continuity Plan is a structured approach to looking at your business, identifying what can go wrong and then putting plans in place to reduce those risks.

You want to protect people and property and to be able to resume your critical business operations/work processes.


Definition

Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company.

A subset of risk assessment

The primary focus is that any event that could negatively impact operations is included in the plan, such as interruption, loss of, or damage to critical infrastructure (major machinery or computing/network resources).

BCPs are tailored to fit the business

Getting started

Emergency Contact Persons

Organization Policy

Business Description

Office Locations

Alternative Physical Locations of Employees

Data Back-up and Recovery (Hard copy and electronic)

Financial and Operational Assessments

Mission Critical Systems

Alternative Communications Between Organization and Customers, Employees, and Regulators

Critical Business Constituents, Banks, and Counter-Parties

Regulatory Reporting

Disclosure of Business Continuity Plan

Updates and Annual Review

Senior Management Approval

Emergency Contact Persons

Identify the people who will kick off the BCP in the event of a disruption

Position should be codified in writing

Should be reachable 24/7

Include name, title, mailing address, email address, telephone number and any other relevant contact information

Organization Policy

State organization’s objective for business continuity:

Our organization’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the organization’s books and records, and allowing our customers to transact business. In the event that we determine we are unable to continue our business, we will assure customers prompt access to….

Significant Business Disruptions

Internal: Affects only our ability to communicate and do business

External: Prevents others from doing business

Approval Authority

Plan Location and Access

Business Description and Office Locations

State the type of business the organization conducts

Include major functional areas

Include major inventories held on site

Office Locations

List location of all offices

Include the means of transportation employees use to get to office

Identify which mission-critical systems operate at each location

Alternative Physical Location of Employees

Locations the organization will use in the event an SBD affects the operation of the main office

Where will employees work?

Think beyond IT work (this is a BCP)

Data Back-up and Recovery (Hard copy and electronic)

Identification of location where primary books and records are stored

Describe how back-ups are accomplished

How will the organization recover data in the event of an SBD?

Financial and Operational Assessments

Operational Risk

Organization’s ability to maintain communications with customers and to retrieve key activity records through its mission critical systems

Financial Risk

Involves the organization’s ability to fund operations and maintain adequate financing and sufficient capital.

May also involve a credit risk, which could hinder the ability of the organization’s counterparties to fulfill their obligations

Mission Critical Systems

Could include:

Order taking

Order entry

Order execution and delivery

Other services provided to customers

Supply chain

Clearly describe each

Explain how each will be accomplished in the event of an SBD

Alternative Communications

Customers

Employees

Regulators

Financial Institutions

Critical Business Constituents, Banks, and Counter-parties

Business constituents: What if they can no longer provide needed goods or services due to an SBD?

Identify alternative suppliers

Banks: Can they continue to provide financing?

Identify alternative banks and financial institutions

Counter-Parties: Can a competitor process some of our orders?

Regulatory Reporting

How will the organization file regulatory reports in the event of an SBD?

Describe how it is normally done and when

Determine which means are still available

Written

Oral

Disclosure of BCP

Disclosure statement

How to contact

Basics of the BCP

Communications

Back-ups

How business will be conducted during SBD

Varying disruptions

POC for more information

Issues and Pitfalls (same as DRP)

Lack of buy in

Incomplete RTO and RPOs

System myopia (VPN example, cell phone example)

Lack of security

Outdated plans

Changes in organization structure

Changes in technology

Changes in mission

Failure to test
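The Data Back-up and Recovery section and the pitfalls above (incomplete RTO/RPO targets, failure to test) can be checked mechanically once the plan's targets are written down. The script below is an added example, not part of the slides: it takes a constructed inventory of mission-critical systems with their stated RTO and RPO, the newest verified backup, and the last restore drill, and reports which systems would not meet the plan. All names, targets and timestamps are sample data made up for the example.

```python
"""Backup/restore readiness check against stated RTO and RPO targets.

Added example (not from the slides). Flags the BCP pitfalls of undefined
RTO/RPO, backups older than the RPO, restores that were never exercised or
took longer than the RTO. All systems and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CriticalSystem:
    name: str
    rto: Optional[timedelta]                # max tolerable downtime; None = not defined in the plan
    rpo: Optional[timedelta]                # max tolerable data loss; None = not defined in the plan
    last_backup: Optional[datetime]         # completion time of the newest verified backup
    last_restore_drill: Optional[datetime]  # when a full restore was last exercised
    drill_duration: Optional[timedelta]     # wall-clock time that restore drill took


def check_system(system: CriticalSystem, now: datetime,
                 max_drill_age: timedelta = timedelta(days=365)) -> list[str]:
    """Return human-readable findings for one system; an empty list means ready."""
    findings: list[str] = []

    # Pitfall: incomplete RTO and RPOs
    if system.rto is None or system.rpo is None:
        findings.append("incomplete targets: RTO and/or RPO not defined")

    # Data back-up: newest verified backup must be younger than the RPO
    if system.last_backup is None:
        findings.append("no verified backup on record")
    elif system.rpo is not None and now - system.last_backup > system.rpo:
        findings.append(f"RPO breach: newest backup is {now - system.last_backup} old, "
                        f"RPO is {system.rpo}")

    # Pitfall: failure to test. A restore must have been exercised recently
    # and must have completed inside the RTO.
    if system.last_restore_drill is None:
        findings.append("never tested: no restore drill on record")
    else:
        if now - system.last_restore_drill > max_drill_age:
            findings.append(f"stale test: last restore drill was "
                            f"{now - system.last_restore_drill} ago")
        if (system.rto is not None and system.drill_duration is not None
                and system.drill_duration > system.rto):
            findings.append(f"RTO breach: restore took {system.drill_duration}, "
                            f"RTO is {system.rto}")
    return findings


def readiness_report(systems: list[CriticalSystem], now: datetime) -> dict[str, list[str]]:
    """Map each system name to its list of findings."""
    return {s.name: check_system(s, now) for s in systems}


# Constructed sample inventory (hypothetical systems and values).
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_SYSTEMS = [
    CriticalSystem("order-entry", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                   last_backup=NOW - timedelta(minutes=30),
                   last_restore_drill=NOW - timedelta(days=90),
                   drill_duration=timedelta(hours=2)),
    CriticalSystem("order-execution", rto=timedelta(hours=2), rpo=timedelta(hours=1),
                   last_backup=NOW - timedelta(hours=6),
                   last_restore_drill=NOW - timedelta(days=30),
                   drill_duration=timedelta(hours=5)),
    CriticalSystem("supplier-portal", rto=None, rpo=timedelta(days=1),
                   last_backup=NOW - timedelta(hours=12),
                   last_restore_drill=None, drill_duration=None),
]

if __name__ == "__main__":
    for name, findings in readiness_report(SAMPLE_SYSTEMS, NOW).items():
        print(f"{name}: {'READY' if not findings else 'ACTION NEEDED'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample inventory, order-entry passes, order-execution shows both an RPO and an RTO breach, and supplier-portal is flagged for a missing RTO and for never having been restore-tested. In practice the inventory would be fed from the backup system's job log and the drill record kept with the plan, and the report re-run as part of the annual review.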

Summary

BCP is a subset of risk assessment

Focus is on keeping the business operational

Customers, Banks, Counter-parties, Suppliers

BCP, DRP and Risk Assessments all draw on the same data