business continuity / disaster recovery


Upload: astrid

Post on 29-Jan-2016


TRANSCRIPT

Page 1: Business Continuity / Disaster Recovery

Business Continuity / Disaster Recovery

Destructive 'ILOVEYOU' computer virus strikes worldwide, May 4, 2000

Melissa Virus

Government Considers New Smallpox Vaccine

Burst water pipe floods adjacent offices and stores

Sasser Worm

David Shimberg, CBCP

Page 2: Business Continuity / Disaster Recovery

What is a Disaster?

“A business disaster is that point in time after the “cause” when you cannot provide your customers and users with the minimum level of services they need and expect”

Page 3: Business Continuity / Disaster Recovery

Why doesn’t everyone Plan?

The Human Element
The “it’s not going to happen to me” view or philosophy.
We have a tendency to view concerns from a “life span” and personal experience aspect.
– It hasn’t happened yet…
– Not on Manager’s list of goals
– We’ll get to it
– Looks too BIG! Where do we start?

Page 4: Business Continuity / Disaster Recovery

You practice this at home….

You may not have thought of them as contingency plans, but at home you have:

Smoke alarms
Carbon monoxide alarms
Family escape plans with meeting place
Battery radio, flashlights
Homeowners’ or Renters’ Insurance
Anti-virus and firewall software
Fire extinguishers and home sprinkler systems
Info on the web at: American Red Cross or FEMA web sites for additional emergency information and advice

Page 5: Business Continuity / Disaster Recovery

Why have a Business Plan?

According to research data kept at the National Archives & Records Administration in Washington, DC:

Nearly 90% of all small businesses don't have a continuity plan in place
Only 43% of businesses suffering a disaster ever recover sufficiently to resume business
Of those that do reopen, only 29% are still operating two years later
93% of businesses that lost their data-center for more than 9 days filed for bankruptcy within one year of the disaster.
50% of businesses that found themselves without data management for more than 9 days filed for bankruptcy immediately.

Page 6: Business Continuity / Disaster Recovery

Continuity Plans Components

Awareness of Roles and Responsibilities
– Who will do what? Employees and staff are critical. Pandemic is an extreme example of a disaster where employee resources will be very limited!
Defined recovery time objectives
Risk Management to identify & reduce risks
Alternate Processes (telecommuting, distance learning)
Alternate recovery locations
Off-site storage of critical media and non-media items
Written plans, reviewed & updated regularly
Frequent plan exercises

Page 7: Business Continuity / Disaster Recovery

Major Business Continuity Activities

Complete BIA (Business Impact Analysis)
1. Identify processes & prioritize by criticality
2. Determine survival requirements
3. Determine RTOs (Recovery Time Objective)

Develop Response/Recovery Strategy:
1. How will event be handled immediately?
2. How will recovery be handled (achieve survival mode)?
3. What tasks must be accomplished to achieve recovery?

Develop Teams/Call Lists
1. Identify key players (and alternates) and organize teams to accomplish identified tasks
2. Develop and test notification call lists/trees

Page 8: Business Continuity / Disaster Recovery

BC Activities…cont’d

Identify Critical Equipment, Vendors, Documents
1. Identify critical infrastructure/servers (networks, telecom, etc.)
2. Identify equipment needs for (day 1, day 3, etc …)
3. Identify critical vendors (who will supply recovery equipment, etc.)
4. Identify vital records (what records if lost would cripple or hinder recovery?)

Document Plans
1. Appropriate information is included, attached, or referenced, facilitating a successful response, recovery, and restoration of services
2. Plans are frequently reviewed and updated on a scheduled basis

Page 9: Business Continuity / Disaster Recovery

BC Activities…cont’d

Exercise Plans
1. Conduct plan walk-through, referencing tasks, call lists, attachments, etc.
2. Conduct IT exercise, confirming application recovery meets survival needs
3. Participate in Integrated Exercise with other business units, testing call trees, application and process dependencies, and whether work-arounds meet RTOs
4. Update Plan with lessons learned, following exercise

Page 10: Business Continuity / Disaster Recovery

Business Continuity Efforts

Include:
Directing BIA and planning efforts with Business Units
Awareness programs (risk reduction)
Employee security & safety
Coordinating BC exercises
Participating in info security reviews
Coordinating with local emergency agencies
Managing plan tracking and evaluation

Page 11: Business Continuity / Disaster Recovery

Business Continuity Plans must be useful

Successful Business Continuity Planning helps ensure that employees and the interests of owners and customers are protected.

Make sure the plans that protect each of us is more than ……..

Page 12: Business Continuity / Disaster Recovery

Sponsorship is Key to Success

Board of Directors or Senior executives (president, vice presidents, officers) must identify BCP as a priority.

Executives and senior managers must actively support the BCP Process.

Business Recovery Coordinators (BRCs) within business units / departments must be actively involved, developing, implementing, and exercising BC plans, and accept ownership of their plans.

Page 13: Business Continuity / Disaster Recovery

Communication is Critical

Employees, customers, business partners must know key information about your plan if your plan is to work.

Plans must be periodically reviewed in team meetings and shared with new team members.

Secret Plans won’t work!

Page 14: Business Continuity / Disaster Recovery

Communication…..

Contact information for all team members must be current

Make sure employees have Emergency Wallet Cards with key phone numbers, etc.

Plans must include:
– Clear chains of authority
– Clear listing of tasks, roles and responsibilities
– DR conference lines or standing communication tools
– Standing meetings (times, numbers)
– Alternate meeting locations
– Centralized communication facility (VM, web site, etc…)

Page 15: Business Continuity / Disaster Recovery

Off Site Storage is Critical!

When a facility is lost or inaccessible, all items inside are no longer available. What is needed in off-site storage if you had to recover from scratch?

PC backup media must be stored off-site.

Critical, non-media, documents and materials must be available in an off-site location, accessible by appropriate individuals or teams during a disaster or exercise.

Key personnel must know where off-site storage items are located and to where items will be shipped (Hot-site, Incident Command Center or remain in off-site storage?)

Page 16: Business Continuity / Disaster Recovery

Exercises

Test plan concepts and procedures frequently
Identify tasks or components that do not work as expected.
Identify missing tasks or contacts
Reinforce individual and team roles and responsibilities
Confirm and reinforce dependent interactions with other teams
Increase BCP Awareness

Page 17: Business Continuity / Disaster Recovery

Employees Prepare themselves by:

Attending sessions on BC planning
Having a personal emergency plan for your family
Understanding your role in your unit’s BCP plan
Knowing where and who to call in an emergency (Emergency Wallet Card)
Keeping emergency contact information current
Participating in BC/DR exercises
Challenging the status quo. If something doesn’t seem right, Question it!

Page 18: Business Continuity / Disaster Recovery

Supply Chain Considerations

Premier, Inc – largest healthcare group purchasing organization is working with hospitals and suppliers to identify critical areas in a disaster and actions to improve response:

Transportation
Supplies & Distribution
Coordination
Communications

Page 19: Business Continuity / Disaster Recovery

Communications

Explore alternate and multiple communication methods; VOIP, satellite, multiple cellular providers, etc.

Creation of deeper communication guides; office, work, home, cell numbers. Creation of formal call-trees.

Apply for TSP Authorization code to ensure priority in restoring telecommunications access and GETS program access to bypass overloaded phone circuits.

Page 20: Business Continuity / Disaster Recovery

Coordination

Clear, advanced identification of individual roles and responsibilities.

Creation of national internet site to serve as clearinghouse for information sharing and communication.

Include other stakeholders in design sessions.

Page 21: Business Continuity / Disaster Recovery

Supplies & Distribution

Creation of “core product supply lists” based on type of disaster.

ER auto-substitution rules (e.g., 20cc syringe substituted with 30cc).

Greater coordination among suppliers.

“Emergency ship to’s”

Page 22: Business Continuity / Disaster Recovery

Supplies & Distribution

Create Mobile fuel storage depots and mobile supply stations.

Get pre-authorization from Fed’s governing authority to ship to affected locales.

Create contingencies for all routes, including air-drop emergency plan.

Re-think “lean inventory” model for critical supplies & perishables.

Create NYC model of “integrated command center”.

Page 23: Business Continuity / Disaster Recovery

Pandemic Considerations

Incubation period: 1 to 3 weeks
Viral shedding greatest in 1st 2 days
Viral shedding 0.5 to 2 days before symptoms
Children shed more virus and longer than adults
Each case of influenza infects two more cases

Slow spread, decrease illness and death, buy time
– Antiviral treatment and isolation for people with illness
– Quarantine for those exposed
– Social distancing
– Vaccine when ready

Depends on which virus

[Figure: Impact over Weeks, Prepared vs. Unprepared]

Page 24: Business Continuity / Disaster Recovery

Options for Prevention & Control

Immunization
Respiratory hygiene/cough etiquette
Hand hygiene
Contact avoidance
– Social Distancing
Antivirals

Strategic National Stockpile

Page 25: Business Continuity / Disaster Recovery

HHS Pandemic influenza preparedness strategy and plan

International surveillance
Domestic Surveillance
Vaccines and Antivirals
Communication
State and Local Preparedness
11 Supplements with detailed guidance

Page 26: Business Continuity / Disaster Recovery

Pandemic Influenza Preparedness Considerations

Being able to work may be difficult
– Plans for working at home
– Adopt practices and sick-leave policies to encourage sick employees to stay home
Schools may be closed
– Child care planning
Transportation
Home supplies (good for power outages and disasters)
– Non-perishables, water, flashlights/batteries, medicine

Page 27: Business Continuity / Disaster Recovery

Infection Control Measures
Healthcare facility, workplace, home, community

Reduce transmissions
– Masks
– Cough etiquette
– Hand hygiene
Contact interventions
– Teleconferences vs meetings
– Social distancing (no handshaking, 3 feet away)
– Liberal non-punitive leave policy to care for family and self

Page 28: Business Continuity / Disaster Recovery

Respiratory protection: Masks or N95 Respirators?

Seasonal flu – CDC recommends masks
Pandemic – WHO recommends
– masks for routine care
– N95 for aerosol generating procedures (fit testing required by OSHA)
Pandemic – HHS recommends
– Masks for close contact

Page 29: Business Continuity / Disaster Recovery

BCP Planning Resource

Contingency Planning Association of the Carolinas (CPAC)
– www.cpaccarolinas.org
Disaster Recovery Journal
– www.drj.com/groups/drj6.html
Disaster Recovery Institute International (DRII)
– www.drii.org/
DHS - www.ready.gov/
FEMA - www.fema.gov/
Institute for Business & Home Safety (IBHS)
– www.ibhs.org/business_protection/
Premier Safety Institute
– www.premierinc.com/quality-safety/tools-services/safety/index.jsp

Page 30: Business Continuity / Disaster Recovery

BCP Planning Resource

9th Annual Symposium Thursday, Nov 30 - Fri Dec 1, 2006

Charlotte Marriott Executive Park, Charlotte, NC

Preparing for the Coming Storm
Bridging the Preparedness Gap
$225 members and $275 non-members

Topics and presentations include:
• Pandemic Preparedness
• How Los Angeles, CA is bridging the gap between the public and private sectors
• Changes in the BC Profession
• Practical tips and lessons learned on conducting Business Impact Analysis
• Considerations in establishing Incident Command
• Making sure your continuity planning process will actually meet your needs
• Participate in a panel discussion with experts
• Register early to get a place in the 3-hour pandemic mock exercise (limited to 104)

www.cpaccarolinas.org