March 9, 2006

Business Continuity Planning

Fred KlapetzkyDerek Hanson

Marsh 2

Agenda

Business Continuity Planning - OverviewBCP DefinitionWhy Plan?Interdependency (Crisis Management, Emergency Response, Business Continuity)

Business Continuity Planning - ProcessBusiness Impact AnalysisStrategy Development & SelectionPlan DevelopmentTraining & TestingDeployment & Maintenance

Business Continuity Planning - Pandemics

Business Continuity Planning - Model School

Marsh 3

Business Continuity Planning Overview

Marsh 4

Business Continuity versus Disaster Recovery

Business Continuity Planning (BCP):The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources. Said another way, to do what isnecessary to keep the critical business units running.

Disaster Recovery (DR):Is the technical or IT portion of the BCP. Includes; Mainframe,Midrange (VAX, AS/400), Client Server (UNIX, NT, etc.)

Disaster Recovery is a component of Business Continuity

Marsh 5

Why Plan?

“Disasters” happen Fire, Flood, Tornado, Earthquake, Hurricane…Network failure, server power supply failure, water main break…Lost data, corrupted data…

What will you do when it does?Even with good plans in place, it may take hours before the extent of the damage has been determinedThe critical actions in a recovery or continuity process are taken within the first 8 hours in most situationsResources go to those that ask first (in most cases)

Marsh 6

What does it take to cover all the bases?

Business Continuity and IT recovery is a process, not a template to complete.Business Continuity is a program, not a project. Once you learnthe process, you repeat it often to keep plans current, viable and focused on the critical components.The process gathers the data (specifications) to help make decisions in the development of a cost effective and focused program. Trying to write plans without gathering the data is like asking a person to build a house without any blueprints. You may get it done, but it will take longer and you may not like the end results.

Marsh 7

How does all this “fit together”?

•Minor injury• Fire quickly extinguished•Bomb threat

EmergencyResponse

•Product Contamination•Accounting Irregularities•Allegation of Impropriety

CrisisManagement

Loss of ITTelecomm failureSupply chain interruption

BusinessContinuity

Physical / Information

Security LossControl

Marsh 8

Business Continuity Planning Process

Marsh 9

BCP Methodology - Overview

Risk AssessmentPlan Test

& Maintenance

Plan Develop /Execution

StrategySelection

BusinessImpact

Analysis

BCPLife Cycle

BCPLife Cycle

Marsh 10

Business Impact Analysis

Provide independent view of risksProvide basis for determining cost effective strategiesDetermine critical and necessary business functions/processes and the resource dependenciesIdentify critical computer applicationsEstimate the financial and operational impact of the disruption and the required recovery time frame for the critical business functionsBuild business case for strategy selectionPrepare solid foundation for plan development

Marsh 11

Katrina Business Impacts

Estimated recovery costs for individual universities and colleges in the hundreds of millions ($$)

Estimated recovery costs for higher education in the impacted area in the billions ($$)

Moody’s downgrades bond ratings

Lost research

Employee layoffs

Elimination of academic disciplines

Suspension of athletic programs

Marsh 12

Strategy Development and Selection

Advantages Disadvantages

Timeframes Strategies Could be

Used Costs

Netw

ork and Voice C

onnections

Adequate Workspace

Available

Located in Close Proxim

ity to C

urrent Facility

Requires Em

ployees to Travel A

way from

Hom

e

High P

re-disaster Costs

Inability to Maintain

Centralized com

mand and

control

Prior to Disaster

< 48 Hrs

48 Hrs –

1 Week

1 Week –

1 Month

One-tim

e

On-going

Time of D

isaster

1 Relocate to an Internal Facility X X X X X X N L H

2 Work Remotely X X X X X N L N

3 Relocate to a Local Hotel X X X N L M

4 Mobile Recovery X X X X X X X X H L M

5 Hot-site X X X X X X N M H

# Recovery Strategy

Marsh 13

Plan Development

Plan Contents:IntroductionRecovery OrganizationRecovery Time ObjectivesRecovery StrategiesPlan ActivationRecovery PlansPlan TestingPlan MaintenanceAttachments

Marsh 14

Training & Testing

Training:All employeesMembers of ERT, CMT, BCPManagement

Drills:Practice specific skillsUse systems & equipment

Exercises:FamiliarizationValidationIdentify deficiencies

Types:WalkthroughMobilizationExecution

Marsh 15

Deployment & Maintenance

Plan managementCentralized monitoring

Maintain control of standardsAccess all plans and components

Decentralized creation and maintenanceUpdate

TasksResourcesPersonnel

Marsh 16

Business Continuity Planning Pandemics

Marsh 17

Pandemics

This is not a normal business continuity problem

Basic assumptions are changed in a pandemic situation

You must use a broader approach

The planning for a pandemic can be used in other multi-location outages

We’ll spend a few slides on background information

Marsh 18

Avian Flu Preparedness – A Quick History

In the past century, the US has been hit by 3 large scale influenza pandemics

In all cases, viruses contributed by birds

1918 – killed over half a million Americans and more than 20 million around the world

1957 and 1968 – killed tens of thousands of Americans and millions around the world

SARS (Severe Acute Respiratory Syndrome)

Infected more than 8,000 people and killed nearly 800

Cost the Asian Pacific region roughly $40 billion

Travel to Asia dropped 45% in the year following the outbreak

Marsh 19

Avian Flu Preparedness – Current Facts

The Current IssueFocus on H5N1 strain of the Avian Influenza A virusDiagnosed in Asia and Europe Bird to Human infection is rare however some deaths in Asia and TurkeyUSA does not import poultry from countries with verified as having Avian Influenza infected birds

How the government is preparing for an avian flu outbreakEducating the populace about all aspects of this infection and following the latest developments on-line at www.cdc.gov/flu/avian and www.aphis.usda.gov/lpa/issues/avian_influenza/index.htmlEnsuring access to laboratory testing for the virus, if suspectedCoordinating response strategies with local & state public health officialsQuerying travelers with flu-like symptoms about possible exposure to poultryImplementing aggressive infection control measures

Marsh 20

What is the risk?

Virus mutates to a form that allows rapid human to human transmission

Without immunity or vaccines in combination with air travel, thedisease spreads quickly around the world

Will it happen?

Is a global pandemic likely in the next 5-10 years?

If we spend time and effort on planning for avian flu and it doesn’t occur, is it all wasted effort?

Marsh 21

If it occurs, what is the most likely scenario?

Disease develops in geographic pockets (e.g. China)

Government may/may not be open and responsive

Quarantines and travel restrictions are not effective in containing infected people

Disease spread by global travel

Individual countries attempt to control by limiting travel

Supply chains become disrupted

Business and economies slow down globally

Marsh 22

What are the effects on employees?

Fear due to limited information initially

Concerned about family and friends

Potential initial over reaction (worried well)

Normally healthy individuals disproportionate impact

High (30%) absenteeism

Health care system quickly overtaxed

EMS can only treat/transport a fraction of patients

Limited antiviral supplies – hording and disagreement over distribution

Possibly months to develop and produce vaccines

Marsh 23

What process should a college or university follow to improve preparedness

Develop a better understanding of the most likely development scenarios (CDC, WHO, DHS, Public Health..)

Understand how employees and the institution would be affected (focused risk assessment)

Develop/update plans to minimize the impact on the institution

Develop/update plans to minimize the impact on staff and their families

Identify the internal resources required and increase as necessary

Make a realistic assessment of the community and other external resources likely to be available

Identify and train a senior management team to oversee crisis management

Develop policies and educational programs for all staff

Marsh 24

Business Continuity Planning Model School

Marsh 25

Overview

Process Understand current business continuity programsComplete business continuity pilot projectsLeverage lessons learned

AdvantagesIdentify similarities and differences between institutions without direct comparison (instead comparing institutions to “model school”)Identify ability to leverage current business continuity practices between and among member institutionsGain efficiencies through the development of common terminology, tools and processes

Marsh 26

Understand Current Programs

Understand maturity of business continuity program at each member institution and current business continuity initiativesUnderstand processes performed at each member institution

Institution:

Student Life C

ycle

Application

Adm

ission

Registration

Support Services

HR

–B

enefits

Finance -Payroll

Research Projects

Proposals

Project Accounting

Developm

ent

Outreach –

Radio/TV

Athletics

Athletic R

ecruiting

Facilities

IT System

s

PeopleSoft

Telecomm

unications

Miscellaneous

Medical C

enter

Public Safety

Institution 1

Institution 2

Institution 3

Process:

For illustrative purposes only. Does not include all processes.

Marsh 27

Complete Pilot Project

Develop common approachDevelop common business continuity terminologyComplete business continuity life cycle with pilot institution(s):

Workbook approachTraditional approach

Develop tools, processes and knowledge that may be used at other institutions

Marsh 28

Leverage Lessons Learned

Apply pilot project lessons learned, tools and processes to other member institutionsBring all member institution business continuity programs to at least a minimum standard levelDevelop process for maintaining business continuity plans and increasing program maturity levelsEstablish forum for on-going sharing of business continuity knowledge between member institutions

Marsh 29

Marsh Contacts

Fred KlapetzkyFred.Klapetzky@marsh.com618.581.1047

Timothy BishopTimothy.Bishop@marsh.com414.290.4740

Derek HansonDerek.Hanson@marsh.com920.831.2657