
Post on 22-May-2020


April 16‐18, 2012 • Talking Stick Resort • Scottsdale, Arizona

Who’s in your army?

• How many of you go it alone in your BCM program?
• Do you complete plans, or do business units complete plans?
• What are your biggest roadblocks to getting things done?
  – Management/people support
  – Funding for resources/strategies
  – Technology / infrastructure
• Does your organization have any existing management collaboration programs?
  – Site leadership teams
  – Business unit leadership teams


Our global volunteer army

• Executive Management Support: VP – CFO; CRA to Board
• Business Verticals: 71 GFL; 2‐3 M&A/year
• Recovery Teams and Stakeholders: 95 BU plans; 81 site plans
• All Personnel: 17,000 personnel; 50 Incident Commanders


Executive Management Support

• No significant regulatory drivers for our industry and no direct BCM budget
• Leveraged annual client assessments to tie the BCM program to revenue support
  – We track the annual business tied to each client request and provide a quarterly cumulative to management
• Created a broad terms policy document
  – Not enough requirements to scare execs or legal
  – Tied generally to SOX entity level controls
  – Once approved for the company policy repository, we used it to enforce participation in training and exercises


Program Framework & Vision

• Lifecycle based on DRII model
  – Awareness/training, assessment, strategy, plan, exercise, continuous improvement
• Adopted the BS25999 standard
  – Global in nature
  – Customer contract
  – Compliant, not certified
• BCM Policy
• Phased evolution and elements of ISO 22301


Business Verticals

• Global Functional Lead (GFL) Program
  – Had 3 people to cover the globe
    • 43 countries, 174 cities, 187 locations
  – GFL is a global liaison for a business unit or function
    • The de facto BC project manager for their group
  – Recruited by request to business leadership
    • Leadership will often more readily designate someone else than volunteer themselves
    • GFL needs to have the knowledge and authority to make decisions for their BU


Business Verticals

• Governance
  – Established compliance criteria based on BCM program lifecycle
  – GFL self‐reported via SharePoint that is auditable
  – Quarterly reported to Symantec global victory plan
• Success breeds success
  – Cross‐functional view allowed us to help groups close gaps or broker solutions, with business looking to BCM as a trusted advisor
  – CARE
  – Super User Group
  – Use our tools for customer facing notifications


Recovery Teams and Stakeholders

• Had BC planning tool

• Silent revolt on extra training

• Orgs too lean to train tool administrators

• Switched to MS Office which everyone uses

• Sync SharePoint plans to Outlook on desktop

• Pre-populated plan templates with guideline information and content


Two layers of recovery plans


All Personnel Communications

IMT groups and how we utilize them

Stakeholders, Groups, Sites


Incident Command Staffing

• Participants told to take on the extra duties versus independently volunteering to
• Could not get executive sponsor to push a formal program top down across the company
• So pushed a grassroots volunteer program up
  – Marketing the improved program to BUs
    • Billboard flyers
    • Internal intranet front page
    • Company managers monthly e‐mail
  – Running the volunteers through a series of questions and training to ensure they qualified and knew what they were getting into
    • 1:1, interactive training sessions, exercises
  – Transitioning out the current Incident Commanders and creating a new schedule


Embedding Business Continuity in the Organizational Culture

• The “all staff” population who are not regularly involved in BCM are the hardest to reach
  – Independent volunteers become evangelists for the company program
• Discussions with interested volunteers generated spontaneous sharing of response and recovery information outside formal program of team members
• Now when incidents occur, staff reach out to report them and see what they can do to help
• Staff are then cascading guidelines, reaching out and requesting more info for their peers on how to report an incident
  – Leveraged our company “social network” tool


Accomplishments

What we’ve achieved with the army we have:

• Corporate BCM Policy
• BS25999 and ISO22301 compliant
• Maintain 81 site operations plans and 95 business unit plans
• Augment formal BIA with quarterly updates for M&A and organizational changes
• Annual physical exercise includes 12 to 14 global site operations, 450 response and recovery team members, and communications with all global personnel
• To date, managed over 170 significant incidents without impact to customer operations
• Incident debrief process tracks process improvement items in quarterly BCM Steering Committee with GFL


Thank you!

Symantec Global BCM Program

• Courtenay Enright, CBCP, BCI (Senior Director)
• Ron Helart, CBCP, BCI, BCMM Assessor (Senior Manager)
• John Dalisky, CBCP, BCMM Assessor (Senior Manager)
• Crystal Witt (Business Operations Analyst)


Sample GFL recruitment letter

To: Senior executive of the business vertical

I’m reaching out to get your recommendation for designee(s) who can represent the BU team’s interests in Symantec’s response and recovery program.

Each business unit vertical has identified liaison(s) known as Global Functional Leads (GFL) to ensure every Symantec function has representation in the company’s business continuity program, and to ensure we meet BS25999 and business unit specific standards requested by large enterprise clients.

GFL meet quarterly in a Steering Committee forum and guide active participation for your business functions in standard planning activities such as the BIA and annual test, as well as response to incidents impacting your function, as needed.

A full list of GFL responsibilities is on our intranet site at http://syminfo.ges.symantec.com/workplace_solutions/bcdr/contacts/GFL.asp and listed below.

Please let me know if you have any questions or would like to schedule time for a brief program overview.

Regards,

Appendix: Business Vertical Designees


Appendix: Business Vertical Stoplight Compliance

• Awareness
  – Green = core recovery team and stakeholders signoff they have reviewed plan and have no pending questions; understand their role; GFL attends at least 50% of monthly meetings
  – Yellow = recovery plan reviewers signoff within the recovery plan document exists and is dated 13 months or newer
  – Red = missing reviewers signoff in plan, or is dated older than 13 months; GFL did not attend any of the BC/DR monthly meetings
  – Orientation for all GFLs with BCM staff
• Assessment
  – Green = BIA current within 2 years; no significant issues (new or old) pending assignment of assessment or analysis
  – Yellow = BIA current within 2 years; significant issue requiring assessment or analysis assignment
  – Red = BIA older than 2 years
• Strategy
  – Green = Strategy goals & process identified; developed & ready
  – Yellow = Strategy goals & process identified, but not developed or ready
  – Red = Strategy goals & process not identified or ready
  – (RTO & method to achieve ‐ move work, people, or remote)
• Plan
  – Green = plans 12 months or more recent; have full review/approver signoff; in SharePoint; Outlook synch in place w/ GFL and core recovery team members; Business Unit represented in facility sites plans
  – Yellow = plan > 12 months old but less than 18 months old; or 12 months or more recent, but pending reviewer/approver signoff, not in SharePoint, synch not in place, or pending inclusion in Site Plans
  – Red ‐ doesn't meet above criteria
• Exercise/Response
  – Green = Tabletop of plan in last 12 months; completed functional exercise as required; participants attended training; rotated participants from last exercise; evaluations turned in for functional and tabletop
  – Yellow = Tabletop of plan in last 18 months; completed functional exercise if required
  – Red = Does not meet above conditions
• Continuous improvement
  – Green = Gap analysis documented; action items timely; signoff acknowledgement from BU executive
  – Yellow = missing 1 of above criteria
  – Red = missing 2 or more of the above criteria
  – Note ‐ all incident debrief action items will have a 90‐day window to resolve