Executive Research Council Seminar: Business Continuity Planning
1. [Executive Research Council Logo]
Operations and Technology Research Interest Group
Business Continuity Planning Seminar
Authored and presented by: Charles C. McKinney
EXECUTIVE RESEARCH COUNCIL
Operations and Technology Special Interest Group: Project Management Toolkit | 0
2. Discussion Roadmap
• Introduction to business continuity (2-8)
• Initiating business continuity governance (9-15)
• Risk assessment (16-21)
• Business Impact Analysis (22-26)
• Business continuity strategy (27-32)
• Implementing business continuity plans (33-37)
• Awareness, testing and exercise (38-41)
• Self assessment guide (42-55)
Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 1
3. Introduction to Business Continuity
• Introduction to the discipline
• Process characteristics
• Key outcomes
• Strategic scope
• Evolving aspirations
• Argument in brief
4. Introduction to the Discipline
• Organizations need risk management processes to deal with disasters:
– Disruptions to business operations
– Damage to physical and intangible assets
– Loss of human life and well-being (9/11, Katrina)
– Business continuity planning establishes and maintains contingency plans for disasters
• Since the 1960s it has developed into a discipline, and today there are:
– Professional associations (e.g., DRII)
– Industry roundtables (e.g., FSTC SCOM)
– Professional certifications (e.g., CBCP, MBCP)
– Trade publications and conferences (e.g., CP&M)
– Best practices and industry regulations
5. Process Characteristics
• Business continuity planning is a process, characterized by:
– Defined inputs, outputs and critical success factors
– Interdependencies with other planning and control processes
– Dependence on people, technology, culture and managerial systems
• Process capability depends on sensing and responding to:
– Internal strengths and weaknesses
– External threats, opportunities and conventions
[Figure: Risks to the Enterprise – Value Chain / Ecosystem. Supply chain: Suppliers, Purchasing, Inbound Logistics, Production. Demand chain: Outbound Logistics, Sales and Distribution, Marketing System, End User / Customers.]
6. Key Outcomes
Focus of business continuity planning is preventing and managing impact of disasters, so risk exposure is kept to an acceptable level.
Disasters can cause unexpected:
– Loss of revenue
– Loss of productivity
– Unusual expenses
– Customer defection
– Market share decline
– Brand deterioration
– Penalties, fines and liabilities
– Harm to employee safety, morale
. . . and destroy shareholder value, public confidence, and competitive position over the long run.
According to Gartner Group, 40% of businesses that go through a disaster fail within two years. Early estimates of the economic impact of 9/11 ranged from $16 billion to $83 billion. Knowledge@Wharton estimated the impact of Katrina at $200 billion.
7. Strategic Scope
A comprehensive strategy covers mitigation, planning and critical resources.
8. Strategic Aspirations
Organizations increasingly use real-time information and operations to compete, and their
survival depends on availability of these resources.
Source: Campbell, Alonso, McKinney et al. (KPMG 2001)
9. Argument in Brief
• Organizations aspire to change how they plan for business continuity
• Planning and control systems tend to under-perform in key areas:
– Institutionalizing governance of the business continuity process
– Understanding risks and defining requirements
– Making business continuity investments within a coherent strategy
– Monitoring and stress-testing organizational readiness for a disaster
• Business and risk managers need to plug themselves into the “vital few” root-cause issues, so they can motivate performance improvement in their enterprises
10. Initiating Business Continuity Governance
• Initiation activities
• Chartering a steering group
• Articulating standards and policy
• Organizational design considerations
• Building momentum for change
• Process deployment planning
11. Initiation Activities
• Business continuity plans often evolve through decentralized efforts
• Whether starting fresh or working to improve legacy capabilities, initiating business continuity can promote good governance and its benefits
• Initiation activities typically include:
– Chartering a steering group to oversee business continuity planning
– Assigning roles and responsibilities to process actors
– Agreeing on high-level standards and articulating a policy
– Assigning executive oversight, staff resources and line accountabilities
– Building momentum through dialogue and by achieving quick wins
– Sequencing to deploy process capabilities
12. Chartering a Steering Group
• A steering group exists to guide process implementation, resolve conflict and monitor performance – not to manage the process
• Objectives for a steering group may include:
– Recommend a policy to the CEO and Board
– Approve priorities, investments and resource allotments
– Approve business continuity strategy and standards
– Monitor business continuity projects and process capabilities
– Provide direction to the business continuity manager
– Participate in or review efforts to exercise and test capabilities
– Perform defined roles during a disaster or crisis
• Stakeholder coordination and lateral processes indispensable
13. Articulating Standards and Policy
• At this stage, standards frame the process and educate executives (see example of a process definition template)
• Policy articulates expectations and may include:
– Key terms and definitions
– Policy statement (intent)
– Objectives (measurable outcomes)
– Minimum standards (due care)
– Chain of command for crisis management
• Standards can help to define the policy; need to be consistent with corporate governance
14. Organizational Design Considerations
The best organizational model supports an organization’s priorities, aligns its stakeholders,
and is appropriate for its risk profile (Motorola case study).
Source: Corporate Executive Board
15. Building Momentum for Change
• Momentum can be built through:
– Dialogue in the organization
– Attainment of quick wins (see handout)
• Business continuity planning requires long-term commitment without tangible outcomes unless a disaster strikes
Kotter’s Eight Step Change Model
1. Establish a sense of urgency
2. Form powerful guiding coalition
3. Create a vision
4. Communicate the vision
5. Empower others to act on vision
6. Plan for and create short-term wins
7. Consolidate improvements
8. Institutionalize new approaches
Source: John Kotter, The Heart of Change (2002)
16. Process Deployment Planning
Funding Business Continuity
• Business continuity costs:
– Staff function (headcount)
– Standby sites (IT facilities)
– IT infrastructure
– Third-party services
– BU and department planning
– Testing and exercise
– Project management
– Other costs
• Funding and chargeback methods
• Infrastructure profiles (tiered service level standards)
Implementation Planning
• Process charter
• Sequencing plans:
– Deployment schedule
– Project mix
– Interdependencies
– Resources
• Communications
• Change management
17. Risk Assessment
• Risk assessment purpose
• Key activities and outcomes
• Process case study
• Risk categories
• Complementary tools
18. Risk Assessment Purpose
• Identify threats to the organization
• Understand vulnerability to these threats
• Determine risk exposure (e.g., ALE)
• Produce requirements to mitigate risk
• Track changes in risk profile over time
19. Key Activities and Outcomes
• Key activities in a risk assessment:
– Select risk categories and threats
– Determine fact-finding methods
– Produce data collection form
– Gather data for the assessment
– Complete and collate forms
– Finalize threat assessment
– Estimate risk exposure
– Communicate work products
• Key outcomes:
– Catalog of threats and risks
– Risk exposure matrix
– Risk assessment report
• Activities and outcomes will depend on process design
20. Process Case Study
Intel provides a case study of implementing a global, centrally coordinated process to
periodically assess risk and pursue targeted mitigation.
Source: Corporate Executive Board, Intel
21. Risk Categories
• Traditional risk assessments examined manmade and natural disasters and political acts (terrorism)
• Due to complexity of threats, many organizations now consider:
– Operational risks
– Strategic risks
– Composite risks
• Framework provides way to quantify and stratify exposure
22. Complementary Tools
• Complementary tools can further risk assessment activities:
– Failure modes and effects analysis (FMEA)
– Simulation and modeling exercises
– Design of experiment methods
• Tools employed in strategic planning and risk modeling groups may be worth exploring, depending on the complexity of an enterprise’s business model and risk profile.
23. Business Impact Analysis
• Business impact analysis overview
• Key activities and outcomes
• Defining critical resource requirements
• Prioritizing business functions
24. Business Impact Analysis Overview
• Purpose of business impact analysis is to:
– Assess impacts of a disaster to business areas (e.g., functions)
– Determine criticality of business functions based on impact
– Determine criticality of information systems that support business operations
– Define critical resource requirements for disasters
• Analysis ties estimates of impact to key performance indicators, such as:
– Financial impact (e.g., present value of projected revenue loss)
– Customer impact (e.g., loss of existing customers and market share)
– Compliance penalties (e.g., liability to pay fines, SLA penalties)
– Unusual expenses (e.g., unplanned cost of facility repairs)
– Shareholder value (i.e., loss of value because of factors attributable to disaster)
– Other intangible impacts
• Contributes requirements for strategy to manage business continuity
25. Key Activities and Outcomes
• Key activities in a business impact analysis:
– Determine fact-finding and analytical methods
– Prepare data collection form (see handout)
– Gather and analyze data
– Prioritize business functions
– Determine critical resource requirements
– Report preliminary observations
– Obtain consensus on observations
– Issue report to management
• Key outcomes:
– Analysis of tolerance for a disaster
– Critical resource requirements
• Terminology: RTO versus RPO
26. Defining Critical Resource Requirements
• Requires use of a standard form to gather information provisioning requirements for:
– Information technology applications
– Server and network capacity
– User desktop configurations
– Vital records requirements
– Staffing needs (including key persons)
– Workspace, telecommunications, etc.
• Definition of critical resource requirements is based on a determination of each department’s tolerance for a disaster
• See critical resource requirements handout
27. Prioritizing Business Functions
• Prioritization of business functions should occur for:
– Tolerance for unplanned downtime (recovery time objective)
– Tolerance for unexpected data loss (recovery point objective)
• Organizations typically group their recovery time objectives into buckets that correspond to how quickly business resumption should occur:
– Platinum (zero to four hours)
– Gold (four to twenty-four hours)
– Silver (one day to three days)
– Bronze (greater than five days)
• These priorities are communicated to key stakeholders
• Consensus is critical, especially when the analysis is qualitative (by necessity or design)
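The RTO buckets listed above and the risk exposure estimate called for in the risk assessment section ("Determine risk exposure (e.g., ALE)") can be worked through together. The following Python script is an added example and is not from the seminar deck: the threats, business functions and dollar figures are constructed sample data, the single-loss-expectancy model (hourly loss multiplied by expected outage hours) is an assumption made here, and the "Unclassified" label for an RTO that falls between the slide's Silver (up to three days) and Bronze (beyond five days) buckets is likewise this example's own choice.

```python
"""Added example (not from the seminar deck): turn business impact analysis and
risk assessment inputs into a risk exposure matrix and RTO priority tiers.
All threat and function figures are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    aro: float           # annualized rate of occurrence (expected events per year)
    outage_hours: float  # expected downtime per occurrence (assumption: one figure per threat)


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float      # tolerance for unplanned downtime (recovery time objective)
    rpo_hours: float      # tolerance for data loss (recovery point objective)
    loss_per_hour: float  # financial impact of downtime, in currency units per hour


def rto_tier(rto_hours: float) -> str:
    """Map an RTO to the buckets on the slide (Platinum/Gold/Silver/Bronze).
    Silver ends at three days and Bronze starts beyond five days, so an RTO
    between 72 and 120 hours matches no bucket and is reported as such."""
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    if rto_hours <= 4:
        return "Platinum"
    if rto_hours <= 24:
        return "Gold"
    if rto_hours <= 72:
        return "Silver"
    if rto_hours > 120:
        return "Bronze"
    return "Unclassified"


def ale(function: BusinessFunction, threat: Threat) -> float:
    """Annualized loss expectancy: single loss expectancy (hourly loss x outage
    duration) multiplied by the annualized rate of occurrence."""
    sle = function.loss_per_hour * threat.outage_hours
    return sle * threat.aro


def exposure_matrix(functions: List[BusinessFunction],
                    threats: List[Threat]) -> Dict[str, Dict[str, float]]:
    """Risk exposure matrix: one row per business function, one ALE per threat."""
    return {f.name: {t.name: ale(f, t) for t in threats} for f in functions}


# Unclassified sits between Silver and Bronze, matching where the gap lies.
TIER_ORDER = {"Platinum": 0, "Gold": 1, "Silver": 2, "Unclassified": 3, "Bronze": 4}


def prioritize(functions: List[BusinessFunction],
               threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Rank functions by RTO tier, then by total ALE (descending) within a tier."""
    rows = [(f.name, rto_tier(f.rto_hours), sum(ale(f, t) for t in threats))
            for f in functions]
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], -r[2]))
    return rows


# Constructed sample input; threat categories follow the deck's natural /
# technical / malicious split, and every number is illustrative only.
THREATS = [
    Threat("Regional power outage", aro=0.5, outage_hours=8),
    Threat("Data center fire", aro=0.02, outage_hours=240),
    Threat("Network security attack", aro=1.0, outage_hours=12),
]
FUNCTIONS = [
    BusinessFunction("Payment processing", rto_hours=2, rpo_hours=0.25, loss_per_hour=50_000),
    BusinessFunction("Customer support", rto_hours=12, rpo_hours=4, loss_per_hour=5_000),
    BusinessFunction("Payroll", rto_hours=96, rpo_hours=24, loss_per_hour=2_000),
    BusinessFunction("Research archive", rto_hours=240, rpo_hours=168, loss_per_hour=100),
]

if __name__ == "__main__":
    for name, tier, total in prioritize(FUNCTIONS, THREATS):
        print(f"{name:20s} {tier:12s} total ALE {total:>12,.0f}")
    for fn, row in exposure_matrix(FUNCTIONS, THREATS).items():
        print(fn, {t: round(v) for t, v in row.items()})
```

The matrix is the "risk exposure matrix" outcome named in the risk assessment section, and the ranked list is the prioritized function list a BIA hands to the strategy stage; a function that lands in "Unclassified" is a signal to settle the bucket boundaries with stakeholders before consensus is sought.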
28. Business Continuity Strategy
• Mitigation and planning
• Organizational issues
• Alternate site options
• Alternate site provider considerations
• Documentation standards
29. Mitigation and Planning
Business continuity covers mitigation and planning but emphasizes corrective steps.
Mitigation integrates with the enterprise architecture (i.e., hardened patterns)
[Figure: IBM service-oriented reference architecture. Application Services: User Access Services, User Interaction Services, Business Process Choreography Services, Business Function Services, Common Services, Information Management Services (Business Integration, Service Adaptation, Reporting, Information Access, Packaged Applications, Acquired Services, Analytics, Connectivity, Presentation, Business Rules, Custom Applications, Personalization, Metadata). Business Services over an Enterprise Service Bus (Mediation, Messaging, Events), with Business Performance Management and Business Connections. Utility Business Services: Metering, Rating, Billing, Peering, Settlement. Service Level Automation and Orchestration: Problem Management, Security Services, Workload Services, Configuration Services, Availability Services, Data Placement. Resource Virtualization Services: Server, Storage, Network, Resource Mapping, Information. Infrastructure Services.]
Source: IBM
30. Organizational Issues
• Incident command system:
– Crisis management team
– Business resumption teams
– Information technology teams
– Incident and emergency teams
– Staff groups (e.g., legal counsel)
• Implementation of a temporary structure to manage through a disaster
• Assignment of decision rights and authorities in a crisis
31. Alternate Site Options
• Today’s most common solutions address recovery of technology and facilities to support operations
• When considering them, ask:
– How do people and processes factor into contingency plans?
– How will operations return to normal?
– How will customer satisfaction be maintained?
– Does a business continuity solution support the productivity requirements of information assets?
• Distance from the primary site is an important consideration, along with the logistics of cutting over to the alternate site in the case of a local or regional disruption
[Figure: spectrum of alternate site options from manual to automated: Buy and Build, Cold Site, Hot Site, Redundant Site]
32. Alternate Site Provider Considerations
• Site maintenance
– Servicing and maintenance
– Frequency of testing
• Site services
• Site resources and upgrade frequency
• Disaster recovery support
• Internal control audits and contingency plans
• Over-subscription ratio and fallback locations
• Exclusion zone for other subscribers
33. Documentation Standards
• Organization of planning documentation
– Incident response and emergency management
– IT disaster recovery
– Business resumption
– Insurance and loss recovery
– Human resources
– Crisis communications
• Overall guidance on management of business continuity
• Usability of documentation and plan attachments
• Ease of document management and maintenance
• Attention to industry regulations (e.g., SEC)
34. Implementing Business Continuity Plans
• Implementation techniques
• Plan element considerations
• Plan sections and contents
• Vital records protection
35. Implementation Techniques
• Each organization is unique:
– Tailoring contingency plans to requirements
– Retaining flexibility to allow additions, modifications, and maintenance
• There is a need to minimize dependency on:
– Key persons
– Third parties
• Along with documenting contingency plans, procedures should be created to ensure:
– Completeness and testing
– Establishment of critical decisions
– Plans are kept current in each department
36. Plan Element Considerations
• Planning aids can assist stakeholders with learning and using business continuity plans
• Aids to consider using include:
– Job descriptions
– Action plans
– Checklists
– Matrices
– Forms
– Other supporting documentation
• Plans should clearly articulate assignments and responsibilities
• Site preparation must be completed in conjunction with documenting plans
• Planning for IT must factor in restoration of general computing services, recovery of applications and resumption of transaction processing
37. Plan Sections and Contents
• There is confusing terminology, including continuity of operations plans, disaster recovery plans, and business recovery/resumption plans
• Comprehensive business continuity plans typically cover (see handout):
– Introduction and overall guidelines
– Crisis management organization
– Disaster notification and declaration
– Standby site invocation
– Human resources plan
– IT disaster recovery plans
– Business resumption plans
– Satellite location (small office) plans
– Crisis communications plan
– Facilities assessment and salvage
– Loss recovery
• Many organizations maintain their plans with COTS software
38. Vital Records Protection
• Backup and recovery procedures support vital records protection
• Vital records protection procedures:
– Protect against ordinary hazards of fire, water, mildew, light, dust, insects, rodents, acids and fumes, and excessive humidity.
– Protect against human hazards of theft, misplacement, and unauthorized access.
– Protect against disasters of earthquakes, wind storms, explosions, bombings, nuclear fallout, and radiation.
– Purpose is to protect essential information
• Best practices highlight the following key success factors:
– Identify functions essential to the primary mission of the organization
– Identify records whose informational value to the organization is so great (loss would be so severe) that special protection is justified
– Have a classification scheme for organization documents/knowledge
– Institute an enterprise service to manage vital records
39. Awareness, Testing and Exercise
• Awareness Best Practices
• Tailoring for the Audience
• Testing Methods
40. Awareness Best Practices
• Inform staff of importance of business continuity
• Make line management responsible for orientation
• Use in-house newsletters and magazines to feature business continuity
• Periodically distribute emails to employees
• Use corporate intranet to post business continuity plans
• Make mention of business continuity part of performance appraisal
• Use management meetings to communicate issues
• Periodically test and give honest, objective feedback about results
• Involve vendor managers and account managers in the process (extended enterprise impacts)
41. Awareness Best Practices (Continued)
Leading organizations tailor their awareness-building activities by segmenting their audience
and tailoring materials for each group.
Source: Corporate Executive Board, HSBC
42. Testing and Exercise Methods
• Many organizations focus testing on proving their information systems will work at the alternate site
• They do this at the expense of:
– Reviewing the usability of documentation
– Role-playing disasters (scenario planning)
– Testing organizational capacity and logistics
– Stress-testing their business continuity plans
• Organizations can complement traditional disaster recovery tests with a four-type approach:
– Documentation review
– Validation exercise
– Partial simulation exercise
– Full disaster simulation
• Scarcity of scheduling options with alternate sites is a complicating factor
43. Self Assessment Guide
Step 1. Develop an understanding of the business continuity planning strategy and approach to understanding risks, determining priorities and setting objectives.
Review Steps | Observations
1.1 Review past reports for outstanding audit issues or previous problems. Examine:
▪ Regulatory reports
▪ Internal and external audit reports, including SAS 70 reports
▪ Business continuity test results
▪ Organization’s overall risk assessment and profile.
1.2 Review management’s response to issues brought up during the last review of disaster recovery and service continuity, including:
▪ Adequacy and timing of corrective action;
▪ Resolution of root causes rather than just specific issues; and
▪ Existence of any outstanding issues.
1.3 Interview management and review documentation to identify:
▪ Any significant changes in business strategy or activities that could affect the business recovery process;
▪ Any material changes in the audit program, scope, or schedule related to business continuity activities;
▪ Changes to internal business processes;
▪ Key management changes;
▪ Information technology (IT) environments and changes to configuration or components;
▪ Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendor listings; and
44. Self Assessment Guide (Continued)
▪ Any other internal or external factors that could affect the business continuity process.
1.4 Determine consideration of newly identified threats and vulnerabilities to the
organization’s business continuity process, including:
▪ Technological and security vulnerabilities
▪ Internally identified threats
▪ Externally identified threats (including known threats published by
information sharing organizations)
Step 2. Determine the existence of an appropriate business continuity plan (BCP).
Review Steps | Observations
2.1 Review the written BCP and verify that the BCP:
▪ Addresses the recovery of each business unit/department/ function
according to its priority ranking in the risk assessment
▪ Considers interdependencies among systems and provisions for recovery of
these interdependencies
▪ Takes into account:
- Personnel
- Facilities
- Technology (hardware, software and other equipment)
- Telecommunications and network services
- Vendors
- Utilities
45. Self Assessment Guide (Continued)
- Documentation (data and records)
- Law enforcement
- Security
- Media
- Customers
- Shareholders/stakeholders
▪ Addresses emergency response and crisis management, including:
- Existence of call trees for managers, employees, suppliers and customers
- Existence of decision-making authorities for designated teams, staff and managers
- Establishment of authority for declaring a disaster
- Existence of contingency plans for specific emergency situations
- Designation of public relations and customer relations spokespersons
- Provisioning for temporary office space for key personnel
- Provisioning for replacement equipment from vendors
2.2 Review the organization and scope of documented disaster recovery and
business continuity plans to determine if:
▪ Disaster recovery procedures for IT systems are clearly delineated
▪ Business resumption procedures for critical departments/functions are
clearly delineated
▪ Emergency response plans are clearly delineated
▪ Documentation of standards for emergency response, disaster recovery and
business resumption provides guidance to individual(s) serving in crisis
management, disaster recovery coordination and team leadership roles
2.2 Determine if resources are assigned to ensure the BCP is maintained and periodically updated.
46. Self Assessment Guide (Continued)
Step 3. Assess corporate governance of business continuity planning, including direction, oversight and support from the
board of directors and senior management.
Review Steps | Observations
3.1 Determine if the board or senior management has established an enterprise-wide
business continuity planning process appropriate for the size and complexity of
the organization, which defines the organization’s business continuity strategy.
3.2 Determine if a senior manager has been assigned responsibility to oversee the
development, implementation, testing, and maintenance of the BCP.
3.3 Determine if the board has ensured that adequate resources, including sufficient
human resources, are devoted to the business continuity process.
3.4 Determine if senior management reviews and approves the written BCP(s) and
testing results at least annually.
3.5 Determine if senior management periodically reviews each business unit,
business process, department, and subsidiary to prioritize its criticality for
disaster recovery and business resumption importance and recovery
prioritization.
3.6 If applicable, determine if senior management has confirmed the existence and
evaluated the adequacy of BCPs for its external service providers.
47. Self Assessment Guide (Continued)
Step 4. Determine if a business impact analysis (BIA) and risk assessment have been completed and are adequate.
Review Steps | Observations
4.1 Determine if all functions and departments were included in the BIA.
4.2 Determine if the BIA identifies maximum allowable downtime for critical business
functions, acceptable levels of data loss and backlogged transactions, and the
cost and recovery time objectives associated with unplanned downtime.
4.3 Review the risk assessment and determine if it includes scenarios and probability
of occurrence of disruptions of information services, technology, personnel,
facilities, and external service provisioning from internal and external sources,
including:
▪ Natural events such as fires, floods, and severe weather;
▪ Technical events such as communication failure, power outages, and equipment and software failure; and
▪ Malicious activity including network security attacks, fraud, and terrorism.
4.4 Determine if the risk assessment and BIA have been reviewed and approved by
senior management and the board.
4.5 Evaluate if the business impact analysis includes financial and non-financial
impact indicators, including revenue loss, unusual expenses, customer impact,
operational impact, and compliance with laws, regulations, contracts and other
legal obligations.
48. Self Assessment Guide (Continued)
Step 5. Determine if appropriate risk management over the business continuity process is in place.
Review Steps | Observations
5.1 Determine if adequate risk mitigation strategies have been considered for:
▪ Alternate locations and service provisioning capacity for:
- Data centers and computer operations
- Work locations for business functions
- Telecommunications
▪ Backup of:
- Data
- Operating systems
- Applications
- Utility programs
- Telecommunications and networking components
▪ Offsite storage of:
- Backup media
- Supplies
- Documentation of disaster recovery plans, standard operating procedures,
and other information deemed critical for business resumptions
▪ Alternate power supplies, including uninterruptible power supplies (UPS)
and backup generators in the data center
5.2 Determine if consideration has been given to geographic diversity for:
▪ Alternate processing locations
▪ Alternate locations for business processes and functions
▪ Off-site storage
49. Self Assessment Guide (Continued)
5.3 Determine if appropriate policies, standards, and processes address business
continuity planning issues, including:
▪ Systems development lifecycle
▪ Change control process
▪ Data synchronization, back up, and recovery
▪ Employee training and awareness
▪ Insurance
▪ Customer relations, public relations and crisis communications
5.4 Evaluate if the business continuity strategy includes alternatives for
interdependent components and stakeholders, including:
▪ Utilities
▪ Telecommunications
▪ Third-party technology providers
▪ Key suppliers/business partners
▪ Customers/members
5.5 Determine if processes exist to ensure that BCPs remain accurate and current,
and that:
▪ Designated personnel are responsible for maintaining changes in processes,
personnel, and environment(s).
▪ Senior management reviews and approves the plan(s) annually and after
significant changes and updates.
▪ There is notification and distribution of revised plans to personnel and
recovery locations.
50. Self Assessment Guide (Continued)
5.6 Evaluate the existence and adequacy of employee training and awareness
capabilities to:
▪ Familiarize employees with BCPs
▪ Provide key personnel with knowledge of their roles and responsibilities
▪ Monitor the effectiveness of employee knowledge, either as part of periodic
tests of BCPs or through other mechanisms
5.7 Determine if policies and controls exist, which ensure:
• Workstation, server and network device images are documented and
maintained as part of a configuration management library.
• Separate development, testing and production environments are
maintained.
• System, integration and user-acceptance testing is performed for all
production environment configuration changes prior to their release.
• Operational responsibility for production environment configuration items in
the IT environment is assigned and documented.
• Back-out plans are established for configuration changes, unless an
exception is authorized by an appropriate senior manager.
• Unplanned downtime is coordinated to minimize disruption of business
services.
51. Self Assessment Guide (Continued)
Step 6. Determine whether disaster recovery and business continuity plans undergo periodic testing and exercises to
evaluate if the organization can recover from a disaster as planned.
Review Steps Observations
6.1 Determine if the BCP is tested at least annually.
6.2 Verify that all critical departments and business functions are included in BCP
tests and exercises.
6.3 Determine if BCP tests and exercises address the following:
• Setting goals and objectives in advance
• Realistic conditions and activity volumes
• Use of actual back-up system and data files while maintaining off-site
back-up copies for use in case of an event concurrent with the testing
• A post-test analysis report and review process that includes a comparison
of test results to the original goals
• Development of a corrective action plan(s) for all problems encountered
• Reviews by senior management and the board of directors
6.4 Verify the involvement of critical external service providers in testing of disaster
recovery and business continuity plans.
6.5 Evaluate if testing of disaster recovery plans for IT includes:
• Testing the operating systems, utilities and network connectivity
• Testing of transaction processing by all critical applications
• Testing data transfer between applications
• Testing customer access to critical applications
• Testing processing of interfaces to third parties or substitute workarounds
• Testing the environment and workload
52. Self Assessment Guide (Continued)
6.6 Evaluate whether BCP tests and exercises rotate involvement of personnel from
technology areas and business functions
6.7 Evaluate if senior management has reviewed and/or approved the testing and
exercising of BCPs in collaboration with:
▪ External service providers
▪ Customers
▪ Affiliates and alliance partners
▪ Other business process stakeholders
6.8 Determine if BCP tests and exercises address crisis communications by:
• Reviewing the adequacy of customer contact procedures
• Verifying the accuracy of customer records
• Simulating customer contact in a crisis to assess the effectiveness of crisis
communications plans
6.9 Evaluate lessons learned follow-ups to BCP tests and exercises to determine if:
• Post mortem analysis and lessons learned review are defined milestones
• A standard process is employed to identify, capture and track lessons
learned
• Participant feedback is solicited through post-test meetings, focus groups,
surveys or other methods
• A lessons learned report is sent to senior management and other
stakeholders
53. Self Assessment Guide (Continued)
Step 7. Evaluate if data backup and recovery and vital records protection procedures are adequate to ensure the operating
effectiveness of disaster recovery plans.
Review Steps Observations
7.1 Determine if backup and recovery procedures are in place to ensure nightly
backup of critical application and business data
7.2 Evaluate if the frequency and scope of backups are adequate to ensure:
▪ The loss of any data caused by a system failure or outage does not surpass
tolerance for unplanned data loss
▪ Application, database and system data backups conform to internal or
vendor technical specifications
▪ Backup logs are reviewed for incomplete backups.
▪ Recoverability of data from tape backups is tested monthly or more often.
▪ Off-site tape inventory audits are conducted quarterly or more often.
▪ At a minimum, daily incremental backups are taken, and there is an
adequate inventory of tapes available for offsite rotation.
▪ At a minimum, full weekly backups are taken and there is an adequate
inventory of tapes available for offsite rotation.
▪ Desktop workstations are configured to require end users to save data to a
file server or periodically back up local hard drives.
▪ End users with portable computers have procedures to follow for backing
up locally stored computer data onto a central file server.
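Several of the 7.2 criteria are numeric (daily incrementals, weekly fulls, monthly restore tests, quarterly offsite audits, a tolerance for unplanned data loss) and can be checked mechanically against a backup log rather than by interview alone. The following is an added example, not part of the seminar material; the log format, field names and the 24-hour loss tolerance are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup log (not from the seminar deck): one dict per event.
# kind is one of: incremental, full, restore_test, offsite_audit.
SAMPLE_LOG = [
    {"time": "2006-03-05 23:10", "kind": "full",          "status": "ok",         "reviewed": False},
    {"time": "2006-03-06 23:05", "kind": "incremental",   "status": "ok",         "reviewed": False},
    {"time": "2006-03-07 23:05", "kind": "incremental",   "status": "incomplete", "reviewed": True},
    {"time": "2006-03-08 23:05", "kind": "incremental",   "status": "ok",         "reviewed": False},
    {"time": "2006-03-09 23:05", "kind": "incremental",   "status": "ok",         "reviewed": False},
    {"time": "2006-03-10 23:05", "kind": "incremental",   "status": "ok",         "reviewed": False},
    {"time": "2006-03-11 23:05", "kind": "incremental",   "status": "ok",         "reviewed": False},
    {"time": "2006-02-20 09:00", "kind": "restore_test",  "status": "ok",         "reviewed": False},
    {"time": "2005-11-15 09:00", "kind": "offsite_audit", "status": "ok",         "reviewed": False},
]

def _parse(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M")

def assess_backups(log, as_of, rpo_hours=24):
    """Check a backup log against the 7.2 review criteria as of a review date.
    Returns a dict of criterion name -> True (pass) / False (exception to report)."""
    as_of = datetime.strptime(as_of, "%Y-%m-%d %H:%M")
    recent = [r for r in log if _parse(r) <= as_of]  # ignore events after the review date

    def successes(kinds):
        return [_parse(r) for r in recent if r["kind"] in kinds and r["status"] == "ok"]

    def within(kinds, days):  # a successful event of these kinds within the last N days
        times = successes(kinds)
        return bool(times) and as_of - max(times) <= timedelta(days=days)

    data_backups = successes({"incremental", "full"})
    # Daily incremental: a successful incremental or full on each of the last 7 calendar days.
    days_covered = {t.date() for t in data_backups}
    last_week = {(as_of - timedelta(days=i)).date() for i in range(1, 8)}
    return {
        "rpo_within_tolerance": bool(data_backups)
            and as_of - max(data_backups) <= timedelta(hours=rpo_hours),
        "incomplete_backups_reviewed": all(r["reviewed"] for r in recent if r["status"] != "ok"),
        "daily_incremental": last_week <= days_covered,
        "weekly_full": within({"full"}, 7),
        "monthly_restore_test": within({"restore_test"}, 31),
        "quarterly_offsite_audit": within({"offsite_audit"}, 92),
    }

if __name__ == "__main__":
    for criterion, passed in assess_backups(SAMPLE_LOG, "2006-03-12 08:00").items():
        print(f"{criterion:28s} {'PASS' if passed else 'EXCEPTION'}")
```

On the constructed log the reviewer would record two exceptions: the incomplete incremental leaves a day uncovered, and the last offsite tape inventory audit is older than a quarter.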
7.3 Determine if procedures for protecting vital records in paper format are
documented and address all critical record types.
54. Self Assessment Guide (Continued)
Step 8. Determine whether disaster recovery and business continuity plans address critical outsourced activities.
Review Steps Observations
8.1 Determine if BCPs address communications and connectivity with key business
partners and external service providers in the event of a disruption affecting the
organization or one of these third parties
8.2 Determine if there are documented procedures in place for accessing,
downloading, and uploading information with business partners and external
service providers, from primary and recovery locations, in the event of a
disruption
8.3 Determine if the organization has documentation describing disaster recovery
plans for its key business partners and external service providers and
incorporates this information, as appropriate, into its BCPs
8.4 Evaluate if the organization monitors its external service providers’ disaster
recovery and business continuity plans by requiring a SAS 70 report
Step 9. Evaluate environmental controls and physical security in the organization’s data center.
Review Steps Observations
9.1 Tour data center facilities and interview personnel to evaluate physical security and
determine if:
▪ Security patrols of computing areas are periodically conducted.
▪ Doors to critical areas are kept locked at all times.
▪ There is a corporate security officer.
▪ Access pathways to computer facilities are subject to video surveillance.
▪ Access to data center and IT workspace is controlled by electronic keycards.
▪ Access to offsite storage is limited to authorized personnel.
▪ All visitors are required to sign in and out of the data center by authorized
personnel.
▪ Visitors are escorted at all times in the data center.
▪ Physical security logs are reviewed by an authorized security officer at least
quarterly.
55. Self Assessment Guide (Continued)
9.2 Verify documentation of the organization’s UPS capabilities specifies that:
▪ UPS or backup power sources are tested quarterly or more often.
▪ Emergency lighting exists in data center and surrounding office areas.
▪ Emergency lighting is tested quarterly or more often.
▪ Emergency shutdown procedures are documented for computer equipment
in the event of a power
9.3 Tour the data center and verify that environmental controls and procedures
ensure that:
▪ Data center has 7x24 air temperature, humidity and air quality control.
▪ Heat and humidity recorder is available.
▪ Data center has backup system in place to provide for critical environmental
controls in the event of primary system failure.
▪ Shutdown alarms are installed.
▪ Shutdown alarms are tested at least quarterly.
▪ Emergency procedures are in place for IT personnel to contact facilities in
the event of a shutdown.
▪ Environmental control shutdown procedures are documented and available
to authorized personnel.
56. Self Assessment Guide (Continued)
Step 10. Discuss, finalize and communicate observations from the review.
Review Steps Observations
10.1 After completing fieldwork, prepare workpapers to conform to the organization’s
internal audit documentation standards
10.2 Document a preliminary list of any exceptions, present the preliminary list to
the Internal Audit Department for its review and comment, and update the
list, as appropriate
10.3 Follow up with the appropriate manager(s) about any exceptions to:
▪ Bring the exception to their attention
▪ Verify the exception or identify clarifying information and facts
▪ Obtain management agreement with the exception or provide an opportunity
for follow up
10.4 After reviewing any preliminary exceptions with the appropriate manager(s),
finalize the list of exceptions and develop reportable observations
10.5 Working with the Internal Audit Department, develop a preliminary set of
reportable observations and recommendations, which will be reviewed with
management, edited and finalized for inclusion in an internal audit report
10.6 After finalizing reportable observations and recommendations, prepare a draft
report for review by the Internal Audit Department and finalize the report to
incorporate feedback and comments
10.7 Communicate final observations and recommendations to management
through a meeting to close out the review