© 2016 Protiviti Inc.
CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
DISASTER RECOVERY AND BUSINESS CONTINUITY: An Executive Overview
SEPTEMBER 27, 2016
MEET YOUR PRESENTERS
Tim Maloney, Associate Director
Mike Smith, Director
OUR AGENDA
+ The difference between Disaster Recovery and Business Continuity
+ The Business Continuity Management (BCM) program lifecycle
+ Why should we care?
+ Conducting a Risk Assessment
+ Prevent vs. Respond
+ What is a Business Impact Analysis?
+ What are Maximum Allowable Downtime (MAD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO)?
+ Determining MAD, RTO, and RPO
+ A typical disruption timeline
+ Roles & Responsibilities
+ Writing a scalable response plan
+ Keeping your program fresh
+ External Frameworks
+ Supporting Tools
+ Lessons Learned

Sections:
What is Disaster Recovery?
Determining what threats matter
Prioritizing impact and recovery requirements
Nurturing and maintaining a BCM / DR program
What is Disaster Recovery?
“It's not whether you get knocked down; it's whether you get up.”
Vince Lombardi
THE BCM LIFECYCLE
Phases: Business Assessment, Strategy Design, Implementation, Quality Assurance

+ Program Review and Planning
+ Risk Assessment
+ Business Impact Analysis
+ Crisis Management Strategy; Implement Crisis Management Plan; Test Crisis Management Plan
+ Business Recovery Strategy; Implement Business Recovery Plan; Test Business Recovery Plan
+ IT Disaster Recovery Strategy; Implement IT Disaster Recovery Plan; Test IT Disaster Recovery Plan
+ Design IT Architecture; Implement IT Architecture
+ BCM Quality Assurance
+ BCM Program Governance
Determining what threats matter
“There's nothing like a jolly good disaster to get people to start doing something.”
Prince Charles
ADDRESSING RISK ASSESSMENT RESULTS
Prevent
Respond

Technology
People
Locations
Vendors
Prioritizing impact & recovery
“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
Charles Darwin
WHAT IS BUSINESS IMPACT ANALYSIS?
Business Impact Analysis (BIA): A systematic process to determine and evaluate the potential effects of a disruption to critical business operations.

+ Prioritize IT system recovery needs
+ Prioritize business process recovery needs
+ Define minimum operating needs
UNDERSTANDING THE RECOVERY TIMELINE
[Timeline diagram; labels:]
Disaster Occurs
Maximum Allowable Downtime
Recovery Time Objective
Manual work-arounds required
Desired Recovery Point Objective
Technical Recovery Point Objective
Manual Catch-up / Unacceptable Loss
TIME
MAPPING OPERATIONAL IMPACTS
Impact by time horizon:

| Functional Area | 0 - 8 hours | 8 - 24 hours | 24 - 72 hours | 3 - 7 days | 1 - 2 weeks | 2 weeks + |
|---|---|---|---|---|---|---|
| Patient Delivery | High | High | High | High | High | High |
| Record Keeping | High | High | High | High | High | High |
| Facilities Management | High | High | High | High | High | High |
| Supply Chain Management | Medium | High | High | High | High | High |
| Regulatory / Legal Compliance | Low | Medium | High | High | High | High |
| Patient Finance | Low | Medium | Medium | High | High | High |
| Accounting | Low | Low | Medium | High | High | High |
| Outcome Improvement | Low | Low | Medium | Medium | High | High |
| HR / Payroll | Low | Low | Low | Medium | High | High |
| Manage External Relations | Low | Low | Low | Low | Medium | High |
| Strategic Planning | Low | Low | Low | Low | Low | High |
| Research | Low | Low | Low | Low | Low | High |
| Fundraising / Philanthropy | Low | Low | Low | Low | Low | Medium |
“At the onset of an emergency, everyone's IQ goes immediately to zero.”
Winston Scott, Former Astronaut & Director of Florida Space Port
TYPICAL PLAN STRUCTURE
Disruptive Risk Assessment
Business Impact Analysis
Crisis Management Plan
+ Event Handling
+ Communication Plan / Tree
+ Escalation Plan
+ Disaster Declaration
+ Recovery Plan Invocation
Location Specific Procedures
IT Disaster Recovery Plan
+ Data Center Inventory & Procedures
Business Resumption Plan
+ HQ / Field Offices Inventory & Procedures
Functional Area Procedures
Business Recovery Locations / Strategies
Technology Recovery Architecture
Crisis Management Tools / Strategies
Business Resumption Plan Test Results
IT DR Plan Test Results
Crisis Management Plan Test Results
BCM / DR Governance Charter or Policy
TYPICAL DISRUPTION TIMELINE
[Timeline diagram; labels:]
Normal Operations
Disaster Occurs
Validate Personnel Safety and Execute Crisis Communication Plan
IT/Business Recovery
Business Resumption
Normal Operations
Continuous Communication Across the Enterprise
Operate at Alternative Facilities if Necessary
PROGRAM ROLES & RESPONSIBILITIES
Roles:
BCM Leader or Team
Executive Management Team
Business Unit & Department Leads
Continuity Coordinators

Before an Event
• Sets tone at the top and makes BCM / DR a strategic priority
• Reviews periodic reporting and performance metrics
• Leads risk and impact analyses
• Oversees and guides plan development
• Facilitates plan testing and lessons learned
• Provides input to risk and impact analyses
• Leads development of individual plan components
• Participates in plan testing
• Develops plan procedures
• Participates in plan testing
• Executes remediation actions identified during testing

During an Event
• Declares disaster and directs enactment of plans
• Makes decisions based on reports from the field
• Manages plan execution
• Serves as coordinator between the field and executives
• Oversees “return to normal” efforts
• Verifies individual personnel safety
• Executes plan components
• Reports issues and status
• Leads “return to normal” efforts
• Supports plan execution
Nurturing your plan
“BCM is not a project, it is a culture!”
Deutsche Bank IT Director
WHAT HAVE WE OBSERVED?
Communication must be a priority
Have a defined decision hierarchy
Business continuity planning is not an “IT only” venture.
Do not place too much reliance on the availability of a small group of individuals
Routinely test disaster preparation and crisis response
Companies should understand critical vendor recovery requirements