CBCP业务连续性管理专家培训材料_Area6.ppt

1,Business Continuity Management Course for Advanced Professionals Introduction,2,Subject Area 6: Developing & Implementing Business Continuity Plans,3,Lesson Overview,Plan Activation Procedures Opening the Emergency Operations Center Command centers public responders Securing the area Assessing the damage Salvage and restoration Plan development methodology Planning organization Plan documentation Plan implementation,4,Professional Practices for Business Continuity Professionals,Project Initiation and Management Risk Evaluation and Control Business Impact Analysis Developing Business Continuity Strategies Emergency Response and Operations Developing and Implementing Business Continuity Plans Awareness and Training Programs Maintaining & Exercising Business Continuity Plans Crisis Communications Coordination with External Agencies,5,Objectives,Design, develop, and implement Business Continuity and Crisis Management plans that provides continuity within the recovery time objective and recovery point objective.,6,The Professionals Role (1/2),1. Identify the Components of the Planning Process Planning methodology Plan organization Direction of efforts Staffing requirements 2. Control the Planning Process and Produce the Plan 3. Implement the Plan,7,The Professionals Role (2/2),Test the Plan Maintain the Plan,8,Plan Activation,When an emergency occurs that necessitates a response that is beyond the scope of standard operating procedures, the plan is activated by the individual (s) designated in the plan.,9,Plan Activation,Problem Occurs, Operations Interrupted,Is Disaster Obvious?,Continue Problem Resolution, Escalation Process,Problem Resolved?,Activate Damage Assessment Team, Issue Alert,Does Problem Satisfy Disaster Declaration Criteria?,Yes,No,No,Yes,No,Yes,Declare,Notify Teams, Recovery Support Vendors,Activate The Plan,Recover,Problem Resolved, Return to Normal Operations,10,Plan Activation,Event-Response Recover Normal,Public-Private-Emergency Response/Management,Business Continuity Organization,Steering Committee=CMT Teams Activated Communications Team Risk Management Audit-Finance,Life-Safety,Property Protection/ Physical Security,Technology,Respond/Stabilize/Manage/Recover Normalize,Recover-Restore-Resume,11,Plan Activation,CMT/Management Notify appropriate personnel Team utilization/activation The Crisis Management Team decides whether or not to activate the entire Business Continuity Organization. Activate the Plan and/or Declare a disaster Personnel on standby Non-activated members on 24-hour alert Standby location (s) designated at time of announcement Required to be available for immediate telephone contact,12,Communication Plan Activation,Set up communication center Away from spot of crisis Open lines of communication Absorb all information available Monitor media for latest developments Update the press release scripts Develop schedule for communicating with the media Take care of regular business,13,Communication Tools,Cell phones Blackberries 2-way radios Landline phones Internet Emergency notification systems Ham radio operators,14,Plan Activation,CC at Impacted Location,CC at Alternate Recovery Location,Away from Incident!,EOC,Leadership-Strategic,Crisis Management Team,Communicate!,Communicate!,Control & Allocate Resources,Interim Business Area Recovery Teams Recovering Lost Functions,Tactical Specific Response Teams Damage Assessment Salvage Counting Heads,Communicate!,15,Plan Activation Command & Control A Fire Occurs at Facility 2 The Fire Department Responds & Assumes Command The private sector organization establishes a Command Center at Facility 2 to interface with the public sector and manage the private sector response The Fire Department establishes an Incident Command Post so supervise the event The private sector organization liaisons with the ICS Command Structure representing the Public Sector Agencies,16,Plan Activation Command & Control,A Command Center is Established at Facility 1 And recovery teams Work to recover lost functions,While the emergency Response is underway Cosmos Industries opens an Emergency Operations Center at the Corporate Headquarters,Corporate HQ Suburb A The EOC provides whatever Assistance is Needed at Facilities 1 & 2,17,Command Center,CC activation & communication Define the duties of personnel Establish procedures for each position Prepare checklists for all procedures Define procedures and responsibilities Determine lines of succession Determine equipment and supply needs,18,Command & Control,Which gate or entrance will responding units use? Where and to whom will they report? How will they be identified? How will facility personnel communicate with outside responders? Who will be in charge of response activities?,19,Command & Control,After the Fire Chief releases the scene to Cosmos Industries, the fire department leaves,20,Stabilize/Manage/Recover,Property Protection/ Physical Security,Secure Area Assess Damage Salvage & Restoration,Event-Response Recover Normal,Public-Private-Emergency Response/Management,Life-Safety,Technology,Respond/Stabilize/Manage/Recover Normalize,Recover-Restore-Resume,Business Continuity Organization,21,Secure Area,Isolate incident scene Secure scene Control access Close doors and windows Establish temporary barriers after people have safely evacuated Drop containment materials in the path of leaking materials Close file cabinets or desk drawers,22,Secure Area,Protect undamaged property Close up building openings Remove smoke, water, and debris Protect equipment against moisture Restore sprinkler systems Physically secure property Restore Power,23,Assess Damage,Take an inventory of damaged goods Restore equipment and property Assess value of damaged property Maintain contact with customers and suppliers Conduct an investigation,24,Assess Damage,Coordinate actions with appropriate government agencies Notify risk management department Contact insurance carrier Initiate insurance claim process Define claims requirements Arrange for an insurance adjustor,25,Salvage and Restoration,Define external agencies for liaison Statutory agencies Emergency services (fire, police) Insurers Loss adjusters Others? Prepare for specific information required by statutory agencies, emergency services, insurers, loss adjusters, etc.,26,Salvage and Restoration,Define Strategy for initial on-site activity Understand need for Action plan for site safety, security, and stabilization Identifying immediate loss mitigation and salvage requirements Understand and interpret business requirements to allow effective and efficient physical asset recovery Identify methods asset protection Equipment Premises Documentation,27,Salvage & Restoration,Effective diagnosis of incident Assemble required resources at affected site (s) Prepare action plan for site safety, security, and stabilization Establish liaison with external agencies Establish procedures with service providers,28,Salvage and Restoration,Conduct salvage operations Segregate damaged from undamaged property Keep damaged goods on hand until an insurance adjuster has visited,29,Stabilize/Manage/Recover,Business Continuity Organization,Media Relations Protect Employees Notify Proper Authorities Keep Detailed Records Begin Recovery Process,Event-Response Recover Normal,Public-Private-Emergency Response/Management,Life-Safety,Technology,Respond/Stabilize/Manage/Recover Normalize,Recover-Restore-Resume,Property Protection/ Physical Security,30,Protecting the Organization,Insurance Employee support Plummeting stock Product recall Tylenol tampering Ford/Firestone Tires Ethical violations-audit,31,Protecting the Organization,Keep detailed records Audio record all decisions Videotape and photograph the damage Preserve vital records Media relations Account for all damage-related costs Establish special job order numbers and charge codes for purchases and repair work,32,Protecting the Organization,Notify appropriate organizations OSHA? State? County? Suppliers of products and services Vendor relations-post-emergency services Records preservation Equipment repair Earthmoving Engineering,33,Professional Practices for Business Continuity Planners,Project Initiation and Management Risk Evaluation and Control Business Impact Analysis Developing Business Continuity Strategies Emergency Response and Operations Developing and Implementing Business Continuity Plans Awareness and Training Programs Exercising & Maintaining Business Continuity Plans Public Relations and Crisis Communication Coordination with Public Authorities,34,The Planning Process,Objective Document procedures required to continue, recover and restore the functional capability of the organization Some key tasks Develop teams & tasks Develop specific steps to minimize the risks of outage and restore to normal operations Document the plan Some key deliverables Emergency response plans and procedures Crisis communication procedures Coordination with external agencies The draft plan,Plan Development,Project Planning,Risk Assessment & Analysis,Business Impact Analysis,Strategy Development,35,Develop Business Continuity Plans,36,BCM Plan Elements,People,Processes,Places,BCM Plan,Sales, Manufacturing, distribution, Accounting, Payroll, HR, etc.,Staff, visitors, Delivery people, Outside service Personnel, other tenants,The site and building which accommodates Part or all of the organization, and where some or all of the processes are conducted.,37,BCM Plan Stakeholders,Disaster Recovery User Group,Emergency Management Agencies,Senior Management,Corporate Information Systems Management,Disaster Recovery Vendors,Corporate Human Resources,User Community,Insurance Brokers,Auditors,Government Agencies,Media,Utilities/ Building Management,Business Continuity Program,38,Types of Plans Business Continuity Management,Crisis Management Plan Business Unit Plans COOP,Disaster Recovery Plan Emergency Response Plan Business Continuity Plan,39,Business Continuity Plan Objectives,Reduce consequences of a disaster to management approved service levels Define the high impact areas of the organization Involve all business units and/or functions Assess all aspects of the organization,40,Business Continuity Plan Products,Information Who executes recovery actions What is needed to recover, resume, continue, or restore business functions Where to go to resume corporate, business and operational functions When business functions and operations must resume How-detailed procedures for recovery, resumption, continuity, and restoration,41,Documenting the Plan,Who is going to do it? How are you going to do it? Conveying organizational program information Defining specific plan detail Structure of plan document,42,Outsourcing BC Plan Can someone else perform the service better, more efficiently, or more economically than you?,Risks vs. rewards Knowledge transfer Specific expertise Broader BCP experience Focus on strategies and plans,Ownership & Commitment Availability and response Knowledge of organization Driven by contractual objectives,43,Avoid Common Mistakes,Emergency response procedures labeled DR/BC plan Outside assistance will address our recovery Insurance will take care of it,44,Avoid Common Mistakes,4. Information not organized effectively 5. Format or software is too complex 6. Alternates are not identified 7. Information is not up to date,45,Avoid Common Mistakes,8. Single site scenarios 9. Data synchronization 10. Copies not accessible 11. Facility access list 12. Out-of-date recovery strategy/capacity 13. Under-estimated recovery time 14. Plans are too generic or too detailed,46,Avoid Common Mistakes,15. Data retrieval delays 16. People unable to cope 17. Effects of trauma and stress 18. Evacuation flaws 19. No alternate EOC 20. Communication choke points 21. Inadequate insurance coverage,47,Successful Plans,Clear and concise Coordinated with suppliers & vendors Senior management support/organization commitment On-going/part of strategic effort,Appropriate budget Retention, backups, & off-site storage program Fully documented & exercised regularly Risks are managed Vulnerabilities are prioritized Flexible and adaptable,48,Plan Development Requirements,Develop action plans/checklists Review and evaluate tools Acquire matrices and flowcharts Develop forms to acquire information Determine requirements for information database and other supporting information,49,Plan Development Requirements,Leverage the information gathered in forms to do more than develop plan document Share with organization resource providers to establish service requirement quantities and schedule Identify gaps in needs vs. resources,50,Plan Development Requirements,Allocate tasks and responsibilities Identify tasks to be undertaken Identify necessary teams to perform required tasks Assign responsibilities to tem Identify and list Key contacts Suppliers Resources,51,Plan Development Requirements,Locate and catalogue organization information Identify and confirm processing and documentation critical to key business processes Identify and determine which information/processes should be replicated Identify storage requirements Identify key suppliers Select of recommend methods of bakcup and retention of vital records,52,Scenario Development,“Worst case” Conditions Severe magnitude Occurs at worst possible time Loss of all files, information, and equipment Requires full plan implementation May change as organization changes Revise if major changes to facilities, equipment, organizational structure, or business functions affecting basis of business recovery planning,53,Plan Design,Approaches For locations For business processes For business unit/department/functions For service lines By phases,54,Implementing the Plan,Complete required tasks Continuity actions and procedures Allocate tasks and responsibilities Develop education program Develop plan review, update, and reporting procedures,55,Distribution and Control Procedures,Establish appropriate distribution and control procedures for: Business continuity plans Results of plan exercises and tests Plan changes and updates,56,Plan Security,Open document or classified document Document control Who gets copies of the plan? Full access or need-to-know basis Just their components Chapter/section distribution Organizational sensitivity and security concerns,57,Review and Sign off,Plan review should consider: Is the plan consistent with the findings of the BIA? Are roles & responsibilities defined? Are resources in place, or actions defined to get them in place? Can the plan be implemented? Will the owner sign off?,58,Plan Documentation,The plan document needs to be structured so that it is a viable, useable document In order for the plan document to be useful in a disaster it must include vital information and be organized in a way that makes it easy to use,59,Major Plan Components,Overview Incident management Teams & tasks Critical locations Critical processes Critical contacts BCP Outline,Technology Vital records/off-site storage Equipment & supplies Plan maintenance Appendices,60,BCM Program Overview,Methodology and planning approach Goals & objectives Organizational policy statement Scope, objectives & assumptions Disaster definition/criteria Roles and responsibilities by function Disaster scenario definitions Definition of terms and glossary,61,BCM Program Overview,Prevention and mitigation activities RA and BIA results & priorities Strategies developed Team organization Plan document structure Testing, exercising and maintenance,62,Plan Specific Elements,Mission Structure Detail ,63,Presentation of Findings,Methodology Data groupings Action items Next steps,64,Incident Management,Emergency notification procedures/plan Team call lists/tree Notification lists Escalation Plans Disaster declaration guidelines Activation of response/recovery teams EOC activation criteria & procedures,65,Teams & Tasks,Minimize dependency BCM team organization Delayed access Damage assessment & salvage procedures Address need for restoration and continuance of Personnel roles Business procedures Critical technologies,66,Teams & Tasks,Security Accounting Insurance Public/Media relations Transportation Legal These may each be separate plans,67,Critical Locations,Primary locations Alternate locations Recovery site information Off-site Storage Emergency operations center Command center (s),68,Critical Locations - Relocation,Sufficient square footage Voice/data communications Security Fire protection Environmental controls,Shipping & receiving capability Parking/public transport Compliance Employee needs Functionality balanced with comfort issues,69,Critical Key Processes,Identify time-sensitive key processes and systems Strategies for resumption and recovery Inventory of critical assets Methods for resumption of key business processes Back up procedures,70,Critical Contacts,Vendors Contractors Supplie