Disaster Recovery and Business Continuity

© 2016 Protiviti Inc. CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party. DISASTER RECOVERY AND BUSINESS CONTINUITY: An Executive Overview SEPTEMBER 27, 2016

Upload: trinhtuyen

Post on 29-Apr-2018


MEET YOUR PRESENTERS

Tim Maloney, Associate Director

Mike Smith, Director


OUR AGENDA

+ The difference between Disaster Recovery and Business Continuity
+ The Business Continuity Management (BCM) program Lifecycle
+ Why should we care?
+ Conducting a Risk Assessment
+ Prevent vs. Respond
+ What is a Business Impact Analysis?
+ What are Maximum Allowable Downtime (MAD), Recovery Time (RTO), and Recovery Point Objective (RPO)
+ Determining MAD, RTO, and RPO
+ A typical disruption timeline
+ Roles & Responsibilities
+ Writing a scalable response plan
+ Keeping your program fresh
+ External Frameworks
+ Supporting Tools
+ Lessons Learned

Section headings:

What is Disaster Recovery?

Determining what threats matter

Prioritizing impact and recovery requirements

Nurturing and maintaining a BCM / DR program


What is Disaster Recovery?


“It's not whether you get knocked down; it's whether you get up.”

Vince Lombardi


THE BCM LIFECYCLE

Phases: Business Assessment, Strategy Design, Implementation, Quality Assurance

Crisis Management Strategy; Implement Crisis Management Plan; Test Crisis Management Plan

Business Recovery Strategy; Implement Business Recovery Plan; Test Business Recovery Plan

IT Disaster Recovery Strategy; Implement IT Disaster Recovery Plan; Test IT Disaster Recovery Plan

Design IT Architecture; Implement IT Architecture

BCM Quality Assurance

BCM Program Governance

Program Review and Planning; Risk Assessment; Business Impact Analysis


Determining what threats matter


“There's nothing like a jolly good disaster to get people to start doing something.”

Prince Charles


ADDRESSING RISK ASSESSMENT RESULTS

Prevent / Respond

Technology, People, Locations, Vendors


Prioritizing impact & recovery


“It is not the strongest or the most intelligent who will survive but those who can best manage change.”

Charles Darwin


WHAT IS BUSINESS IMPACT ANALYSIS?

Business Impact Analysis (BIA): A systematic process to determine and evaluate the potential effects of a disruption to critical business operations.

PRIORITIZE IT SYSTEM RECOVERY NEEDS

PRIORITIZE BUSINESS PROCESS RECOVERY NEEDS

DEFINE MINIMUM OPERATING NEEDS


UNDERSTANDING THE RECOVERY TIMELINE

Timeline diagram (axis: TIME), labels:

Disaster Occurs

Maximum Allowable Downtime

Recovery Time Objective

Manual work-arounds required

Desired Recovery Point Objective

Technical Recovery Point Objective

Manual Catch-up / Unacceptable Loss


MAPPING OPERATIONAL IMPACTS

Impact rating by Time Horizon:

| Functional Area | 0 - 8 hours | 8 - 24 hours | 24 - 72 hours | 3 - 7 days | 1 - 2 weeks | 2 weeks + |
|---|---|---|---|---|---|---|
| Patient Delivery | High | High | High | High | High | High |
| Record Keeping | High | High | High | High | High | High |
| Facilities Management | High | High | High | High | High | High |
| Supply Chain Management | Medium | High | High | High | High | High |
| Regulatory / Legal Compliance | Low | Medium | High | High | High | High |
| Patient Finance | Low | Medium | Medium | High | High | High |
| Accounting | Low | Low | Medium | High | High | High |
| Outcome Improvement | Low | Low | Medium | Medium | High | High |
| HR / Payroll | Low | Low | Low | Medium | High | High |
| Manage External Relations | Low | Low | Low | Low | Medium | High |
| Strategic Planning | Low | Low | Low | Low | Low | High |
| Research | Low | Low | Low | Low | Low | High |
| Fundraising / Philanthropy | Low | Low | Low | Low | Low | Medium |


“At the onset of an emergency, everyone's IQ goes immediately to zero.”

Winston Scott, Former Astronaut & Director of Florida Space Port


TYPICAL PLAN STRUCTURE

Diagram labels:

Disruptive Risk Assessment

Business Impact Analysis

Crisis Management Plan

Event Handling

Communication Plan / Tree

Escalation Plan

Disaster Declaration

Recovery Plan Invocation

Location Specific Procedures

IT Disaster Recovery Plan

Data Center Inventory & Procedures

Business Resumption Plan

HQ / Field Offices Inventory & Procedures

Functional Area Procedures

Functional Area Procedures

Business Recovery Locations / Strategies

Technology Recovery Architecture

Business Resumption Plan Test Results

IT DR Plan Test Results

Crisis Management Plan Test Results

BCM / DR Governance Charter or Policy

Functional Area Procedures

Functional Area Procedures

Crisis Management Tools / Strategies


TYPICAL DISRUPTION TIMELINE

Timeline diagram, labels:

Disaster Occurs

IT/Business Recovery

Normal Operations

Business Resumption

Validate Personnel Safety and Execute Crisis Communication Plan

Normal Operations

Continuous Communication Across the Enterprise

Operate at Alternative Facilities if Necessary


PROGRAM ROLES & RESPONSIBILITIES

Roles: BCM Leader or Team; Executive Management Team; Business Unit & Department Leads; Continuity Coordinators

Before an Event

• Sets tone at the top and makes BCM / DR a strategic priority
• Reviews periodic reporting and performance metrics
• Leads risk and impact analyses
• Oversees and guides plan development
• Facilitates plan testing and lessons learned
• Provides input to risk and impact analyses
• Leads development of individual plan components
• Participates in plan testing
• Develops plan procedures
• Participates in plan testing
• Executes remediation actions identified during testing

During an Event

• Declares disaster and directs enactment of plans
• Makes decisions based on reports from the field
• Manages plan execution
• Serves as coordinator between the field and executives
• Oversees “return to normal” efforts
• Verifies individual personnel safety
• Executes plan components
• Reports issues and status
• Leads “return to normal” efforts
• Supports plan execution


Nurturing your plan


“BCM is not a project, it is a culture!”

Deutsche Bank IT Director


WHAT HAVE WE OBSERVED?

Communication must be a priority

Have a defined decision hierarchy

Business continuity planning is not an “IT only” venture.

Do not place too much reliance on the availability of a small group of individuals

Routinely test disaster preparation and crisis response

Companies should understand critical vendor recovery requirements
