Developing a Business Continuity Plan... More Than Disaster Recovery!

April 19, 2010

UHY / MMA

Business Survival Series


Webinar Focus . . . .

• Understanding the components of Business Continuity Planning and the resulting “Business Continuity Plan” (BCP)

• Conducting a BCP Gap Analysis/Risk Assessment

• Developing and implementing your BCP

• Establishing a Disaster Recovery Plan (DRP)

• Testing your BCP, DRP and associated controls

UHY Advisors, Inc.

• UHY Advisors, Inc. is the 15th largest professional services firm in the U.S.

• Provides Business Advisory, Audit and Tax services to a wide variety of companies and industries.

• 20 offices located throughout the U.S., with Michigan offices in Southfield and Sterling Heights.

• UHY International Limited (UHYI) is one of the largest accounting firms in the world, with 198 offices in 65 countries and approximately 6,300 employees.

Definitions . . .

1. Business Continuity Planning (BCP): The creation and validation of a practiced logistical plan for how an organization will recover and restore critical functions within a predetermined time after a disaster or extended disruption.

2. Disaster Recovery (DR): The process, policies and procedures related to preparing for recovery after a natural or human-induced disaster. Disaster recovery includes planning for the resumption of business operations and covers physical facilities, equipment, applications, data, hardware, communications (such as networking) and other critical business processes.

3. Risk Tolerance Level (RTL): A process by which a company determines the risks, vulnerability and impact analysis of various disaster scenarios on critical business processes and/or activities. RTL incorporates:

– Assessing and prioritizing business functions, processes, activities, etc.

– Identifying interdependencies between critical operations, departments, personnel and services

– Identifying potential impacts of uncontrolled, non-specific

4. Recovery Point Objective (RPO): The maximum acceptable amount of data loss, expressed as time: the interval between the last usable copy of the data (backup or replica) and the moment of the disruption. The RPO therefore dictates how often data must be captured.

5. Recovery Time Objective (RTO): The acceptable amount of time within which a designated business function must be restored after a disruption.

Both RTO and RPO are targets that come out of the impact analysis for each function; backup frequency and recovery procedures are then engineered to meet them, not derived from whatever the current backups happen to support.

6. Probable Maximum Business Interruption Loss (PML): Losses, based on a worst-case scenario, that result from a business interruption . . . a function of Seriousness and Duration.

BCP – Why Bother?

1. Stability: The survival rate for companies that encounter a disaster without a business continuity plan is less than 10%! Only 6% of companies suffering a catastrophic loss survive, while 43% never reopen and 51% close within two years.

2. Financial:

- Contingency Planning Research pegs the average hourly downtime cost at $18,000 for a small business.

- Assume they are off by 90% . . . that's still $1,800 per hour.

3. It Makes Good Business Sense!

• Uncovers core business weaknesses

• Addresses visible and concealed areas of concern

• Strengthens customer perception

• Separates your company from competition

• Proactive

BCP – A Strategy

• BCP as an Offensive/Competitive Strategy . . .

1. Helps your company stand out from others: Business Continuity Standards are coming! ISO 27001, Australian Standard HB 221:2003, NFPA 1600, PAS 56, BS 25999 . . . .

2. Creates a business which operates its systems at optimum levels: flexible, with the ability to quickly identify and respond to challenges, threats and disasters.

3. Builds resiliency into your operation: hardened systems fail less often and return more quickly from day-to-day glitches.

BCP – UHY Perspective

• From our perspective . . .

– The BCP process involves the recovery, resumption and maintenance of the entire business . . . more than just IT and data.

– Restoration of IT systems and electronic data is important . . . but recovery of these systems will not always be enough to restore operations.

– BCP involves the prioritization of business objectives and critical operations that are essential for recovery.

BCP – Protection From???

Business Continuity provides protection from threats such as:

• Natural Disasters

• Material Shortages

• Product Liability

• Client/Customer Strikes

• Delivery Delays

• Terrorist Activities

• Power Failure

• Computer Viruses

• Technological Developments

• Client/Customer Insolvency

Example of a Risk Map (figure not reproduced)

Business Continuity Planning

Critical Steps

Step 1

Assessment

• Objectives Include:

1. Raising Awareness

2. Involving All Business Units / Departments

3. Involving All Personnel

4. Identifying the Critical Interactions Between People, Processes and Departments . . .

• Examine the company as a whole for conditions and processes that are critical for seamless business operations . . . a Threat Analysis.

• The plan is to provide management with a complete picture of processes, dependencies and threats.

Step 2

Risks, Vulnerabilities & Impact Analysis

• Impact Analysis: Assessment of operations to understand and identify precisely what functions, activities, elements, etc. would be impacted should there be a disruption or disaster.

• Risk Assessment: Determining the potential losses from a threat versus the cost of protective measures against the value of the asset.

How Much Do We Spend to Protect? RISK / COST / ROI

• UHY’s approach is to utilize a Risk Tolerance Level (RTL) strategy to combine Risks, Vulnerabilities and Impacts.

• RTL incorporates an FMEA (Failure Mode & Effects Analysis) format with:

- SEVERITY (impact on your business)

- FREQUENCY / OCCURRENCE

- Impact on your Customer(s)

• Scale is 1 to 10 for each:

1 = No Impact / Never Occurs

• RTL # Reaction Plan:

Less than 20: No corrective action and/or additional controls are required.

20 to 40: Risk control(s), including control method, process and frequency, should be reviewed to identify reaction steps/actions needed to ensure business continuity.

41 to 60: Risk control(s), including control method, process and frequency, should be improved to incorporate actions that will lead to a reduction in the RTL #.

61 to 80: Risk control(s), including control method, process and frequency, indicate a concern regarding business continuity. The control should be improved to reduce the RTL #.

Greater than 80: Represents a Business Continuity concern. The Risk and associated Control(s) must be improved by implementing actions that will reduce the RTL #.

Step 3

Recovery – Strategies & Actions

• Recovery Window . . . Specific period in which losses become intolerable.

- The shorter the window, the more recovery resources need to be in place and ready.

- For longer windows, the recovery resources can be put into place following the interruption.

• It is critical the recovery resources be:

- Identified

- Listed / Documented

- Pre-Arranged / Pre-Planned

- Tested

• Disaster / Interruption Levels:

Level I: Interruption, e.g., Power is Out
Time Frame - 1 hour, 4 hours, >24 hours

Level II: Vacate the Facilities, e.g., Fire
Time Frame - 1 day, 1 week, 1 month

Level III: Facilities Gone, e.g., Tornado
Time Frame - Immediate Actions / Business Resumption

• Establish a Recovery Action Checklist for each scenario . . . Action Steps and Responsibilities

• Recovery plans must:

1. Identify the resources required to resume a basic level of business operations.

2. Document skills, equipment, procedures, steps, etc. required by each department/activity.

3. Specify authority, roles and responsibilities to ensure that actions and tasks are managed, completed and communicated.

Step 4

Interdependencies

• Predominant Recovery Goal . . . to re-establish essential day-to-day business functions before consequential effects occur.

• Key concerns:

- What’s the priority and sequence of recovery?

- What should be first, second, third, etc.?

- Which functions are dependent on interacting functions?

• Interaction or Process Flow Diagrams can be used to identify dependencies . . . .

Risk Mapping / Interactions

Step 5

Training and Awareness

• Employees need to know and understand:

1. The fundamental requirements of your Business Continuity Plan . . . Who, What, Where, When, Etc.

2. The documented recovery action steps and their role and responsibilities . . . Where do I go? What do I do? What don’t I do?

3. The reaction plan based on who is available.

• Employee training should be provided on at least

Step 6

Testing Plans

• BCP testing should be based on the importance of the business process to both the company and the customer base.

• The testing process should be structured to:

– Incorporate and address the identified risk levels

– Assign and designate roles and responsibilities for testing and reporting

– Demonstrate that the business continuity strategy and recovery action steps have the ability to sustain the business until operations can be re-established

Step 6

Testing Methods

• Testing methods vary from simple to complex . . . depends on the Risk and Business Process complexity.

• Level I - Structured Walk-Through: Used as a training tool and as a test to determine fundamental compliance.

• Level II - Walk-Through Simulation Test: Choose a specific event . . . apply the established recovery actions.

• Level III - Functional Test: Performing actual recovery processes as defined in the company’s Recovery Action Checklists.

• Level IV - Full-Scale Test:

Step 7

Maintenance / Sustainability

• The final step in developing and implementing a BCP/DRP is “maintenance” to ensure sustainability and effectiveness.

• The resulting BCP/DRP Manual is a living document that must be kept up-to-date:

– This document defines the policies and sets out the steps, recovery actions, roles, guidance, etc. for disaster recovery.

– This document must reflect changes in business, staffing, processes, technologies, etc.

– Reviewed and updated on at least an annual basis, and after any test or incident that exposes a gap.

Business Continuity – Cost/Benefit

• BCP entails costs . . . . There is no rule of thumb for the level of costs involved. It depends on:

- The nature of the possible losses

- The potential impact

- The probability of the risks occurring

• Fundamentals apply . . . The tighter the safety net and the greater the availability, the higher the costs.

• Example . . . Idle production costs and damage to a company’s image as a result of business interruption are compared with the preventive and reactive expenses involved in BCP.

Remember the earlier slide . . . . minimum of $1,800/hour!

Cost/Benefit Example

• Suppose we are considering the installation of a backup generator so that our servers can continue operation in the event of an extended power failure.

• Assume that we lose on average $50k for each extended power failure, and on average there are two such failures a year. The backup generator will prevent all such failures.

• Calculate the Annualized Loss Expectancy (ALE) by multiplying the Annual Rate of Occurrence (ARO) by the Single Loss Expectancy (SLE):

ALE = ARO * SLE = 2 * $50k = $100k

• If the annualized cost (taking into account depreciation, training, and maintenance) of our backup generator is:

1. Less than $100k . . . we should install the generator.

2. Greater than $100k . . . we should accept the risk and not buy the generator.

This comparison credits the generator with the whole ALE because it is assumed to prevent every outage. A control that only reduces the frequency or size of the loss should be credited with the difference between the ALE before and after it is in place, not the full ALE.

• A Business Continuity Plan is a countermeasure (like the backup generator); its value can be established using the same technique.

BCP . . . .Cost-Benefit

• A Business Continuity Plan reduces the probability of failure.

- Assume that it reduces the probability of failure from 5% to 3%.

- Assume the company is worth $20 million.

- The value of our Business Continuity program is the difference between these two expected losses (5% × $20 million = $1,000,000 versus 3% × $20 million = $600,000), or $400,000.

• Is a reduction of failure probability from 5% to 3%
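As an added worked example (not part of the UHY deck), the following Python puts the deck's two quantitative tools side by side: the FMEA-style RTL # scoring and reaction-plan bands from Step 2, and the ALE = ARO * SLE countermeasure test from the cost/benefit slides. The deck names the three RTL factors but does not say how they are combined; the code assumes they are multiplied, as in a standard FMEA Risk Priority Number. It also generalizes the generator case to controls that only reduce how often an event occurs, which is exactly the calculation behind the 5%-to-3% BCP valuation above. The risk register entries and dollar figures for the register are constructed sample data.

```python
"""Added example: RTL # scoring and ALE cost/benefit for a small risk register.

Sample risks and figures below are constructed for illustration and are not
taken from the UHY webinar.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Reaction-plan bands from the Step 2 slide: (inclusive upper bound, action).
REACTION_PLAN: List[Tuple[int, str]] = [
    (19, "No corrective action and/or additional controls are required."),
    (40, "Review control method, process and frequency; identify reaction steps."),
    (60, "Improve controls with actions that will reduce the RTL #."),
    (80, "Continuity concern: improve the control to reduce the RTL #."),
]
RTL_CRITICAL = "Business Continuity concern: risk and control(s) must be improved."


@dataclass
class Risk:
    name: str
    severity: int         # impact on the business, 1..10
    occurrence: int       # frequency / occurrence, 1..10
    customer_impact: int  # impact on the customer(s), 1..10


def rtl_number(severity: int, occurrence: int, customer_impact: int) -> int:
    """RTL # for one risk.

    ASSUMPTION: the three 1..10 scores are multiplied, as in a classic FMEA
    Risk Priority Number. The slide names the factors but not the rule.
    """
    for label, score in (("severity", severity), ("occurrence", occurrence),
                         ("customer_impact", customer_impact)):
        if not isinstance(score, int) or not 1 <= score <= 10:
            raise ValueError(f"{label} must be an integer from 1 to 10, got {score!r}")
    return severity * occurrence * customer_impact


def reaction(rtl: int) -> str:
    """Map an RTL # onto the slide's reaction-plan bands."""
    for upper, action in REACTION_PLAN:
        if rtl <= upper:
            return action
    return RTL_CRITICAL


def prioritize(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Return (name, RTL #, reaction) with the highest RTL # first."""
    scored = [(r.name, rtl_number(r.severity, r.occurrence, r.customer_impact))
              for r in risks]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, rtl, reaction(rtl)) for name, rtl in scored]


def ale(aro: float, sle: float) -> float:
    """Annualized Loss Expectancy = Annual Rate of Occurrence * Single Loss Expectancy."""
    return aro * sle


def countermeasure_decision(aro: float, sle: float, annual_cost: float,
                            residual_aro: float = 0.0) -> dict:
    """Compare a countermeasure's annualized cost with the loss it avoids.

    residual_aro is the event rate that remains after the control is in place.
    The deck's generator prevents every outage (residual_aro = 0); the deck's
    BCP valuation (5% -> 3% chance of losing a $20M company) is the same sum
    with aro=0.05, residual_aro=0.03, sle=20e6.
    """
    before = ale(aro, sle)
    after = ale(residual_aro, sle)
    avoided = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "avoided_loss": avoided,
        "net_benefit": avoided - annual_cost,
        "implement": avoided > annual_cost,
    }


if __name__ == "__main__":
    register = [  # constructed sample entries, not from the deck
        Risk("Power failure at primary site", severity=7, occurrence=4, customer_impact=6),
        Risk("Single supplier for key component", severity=8, occurrence=2, customer_impact=8),
        Risk("Office printer outage", severity=2, occurrence=6, customer_impact=1),
    ]
    for name, rtl, action in prioritize(register):
        print(f"RTL {rtl:4d}  {name}: {action}")
    # The deck's generator: two $50k outages a year vs. a $60k/yr generator.
    print(countermeasure_decision(aro=2, sle=50_000, annual_cost=60_000))
    # The deck's BCP valuation: avoided loss is $400,000.
    print(countermeasure_decision(aro=0.05, sle=20_000_000, annual_cost=0,
                                  residual_aro=0.03))
```

Because the product of three 1..10 scores can reach 1000, anything scored 10 on severity and customer impact lands above 80 whatever its frequency, which is the behaviour wanted for a control that must be improved; if the original deck combined the scores differently, only rtl_number changes and the bands and the ALE logic stay as they are.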


BCP . . . Just Thoughts . . .

Insurance:

- BCP regulates the preventive and reactive action to be taken in a crisis situation.

- Business interruption insurance covers the consequential financial loss of a hazard (e.g. a fire).

- By paying standing charges, the cost of necessary loss minimization measures and the profits lost, business interruption insurance contributes to the company’s economic recovery following a crisis.

Questions . . . .Do We Have:

1. The Right Coverage?

2. Enough Insurance?

BCP . . . Just Thoughts . . .

• The object of business interruption insurance is to cover the consequential loss(es) arising from a business disaster.

• Business interruption insurance essentially covers three main areas:

1. The net profit that would have been made if there had been no consequential loss.

2. The normal standing charges that still have to be paid and cannot be reduced.

3. The (loss minimization) costs incurred in order to reduce the duration and extent of the business interruption loss.


BCP . . . To Do List

✓ Determine RISKs and Business Impact for critical processes

✓ Define Business Recovery objectives, priorities, and expectations

✓ Define critical, time-sensitive functions and systems

✓ Incorporate changes into the plan

✓ Establish the Disaster Recovery Team

✓ Conduct employee training to test and understand the plan

✓ Test the plan periodically . . . make amendments to the plan

✓ Conduct Business Continuity Audits

✓ Improve processes to minimize exposure during disruptions

✓ Optimize operational strategies to mitigate against threats

Questions?

THANK YOU!

Alan Lund UHY Advisors, Inc. Southfield, Michigan 48034

(248) 204-9447 [email protected]
