Grant Thornton, LLP
Business Continuity Planning (BCP) methodology




August 2011
Danny Miller, CISA, CRISC, ITIL, QSA



© Grant Thornton LLP. All rights reserved.
Table of contents | Our understanding of Organization interest | Basic concepts for BCP | Scope and Approach | Value to Organization | Contact




  Table of contents


     • Introductions and initial discussion
     • Our Understanding of your interest
     • Basic concepts for BCP
     • Scope and Approach for a BCP exercise
     • Value to the organization








  Grant Thornton’s Business Continuity Planning
  Scope and Approach (Our Understanding of Interest)


    Risk Assessment
    • Grant Thornton: Perform or Evaluate Risk Assessment (BIA), develop short-list of possible vendors
    • Organization: Work with GT on either updating existing BIA or identifying risks and assets for BIA build-out

    Develop Business Continuity Plan (BCP)
    • Grant Thornton: Develop requirements with Organization leadership, develop RFP and issue to short-list of providers
    • Vendor: Receive RFP, attend bidders meetings, go through development process, issue RFP response, meet to prove response to GT/Organization team, winner develops BCP

    Validate BCP
    • Grant Thornton: Observe testing of BCP, provide oversight, evaluate test results
    • Vendor: Develop test scripts, conduct test (multi-level), develop and implement BCP across all locations with walkthroughs with stakeholders and update BCP on results

    Post-Implementation
    • Grant Thornton: Review and give feedback on training and awareness program
    • Vendor & Organization: Develop and roll-out employee awareness program and conduct training of emergency and key personnel







  Our understanding of Organization interest


    • BCP Objectives
           − Concepts
           − Vulnerability and Risk Analysis
           − Business Impact Analysis (BIA)
           − Build-up of Business Continuity
    • How a BCP project works (with options)








  Business Continuity Management (BCM)
  Defined


    Business Continuity Management

    …the development of strategies, plans, and actions which provide
    protection or alternative modes of operation for those activities or
    business processes which, if they were to be interrupted, might
    otherwise bring about a seriously damaging or potentially fatal loss
    to the enterprise.



     BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning





  Components of Business Continuity Management

    • Crisis Management
      – Governance/ownership
      – Organizational structure
      – Human Factor

    • Business Resumption Planning
      – Business Impact Analysis
      – Tested, documented procedures
      – Communications Processes

    • IT Disaster Recovery Planning
      – Emergency Operations Center
      – Alternate Processing Facility






  Business Continuity Management
  Governance structure

    Business Continuity Management requirements need to include business and IT.

    BCM Steering Committee
    • Business Requirements
      – RTO
      – RPO
    • IT Requirements
      – App redundancy
      – Infra redundancy




  Business Resumption Planning
  Business Impact Analysis

    BIA Defined

    • The careful, holistic study of individual business processes and support
      functions, as well as the system of business processes in its entirety, to
      better understand objectives regarding continuity of operations.


    The “BCP Blue Print”

    • If performed correctly, the BIA is the business continuity plan (BCP)
      blueprint. It establishes the business case for spending scarce funding
      on a process traditionally viewed as a glorified insurance policy.





  Business Resumption Planning
  Business Impact Analysis (cont'd.)

    The relationship between the BIA and the Enterprise
    (organization)-wide risk assessment…


    • Now more than ever, the BIA and the enterprise-wide risk
      assessment are tied together.
    • One can’t be done without the other.
    • Also, the BIA is no longer limited to the internal workings of an
      organization, but rather to the extended enterprise, meaning
      customers and suppliers are now included.




  Business Impact Analysis
  Potential impacts significance and likelihood

    • The Analysis of Risk, as part of the BIA, determines the loss potential
      and other tangible and intangible impacts to the organization
    • Taking into account
           −     Key functions
           −     Personnel and other resources
           −     Technology
           −     Regulations
           −     Service level agreements (SLAs), internal dependencies and third-party interdependencies
           −     Emergency hotline lists (Drs, Medical assistance, Medical type transportation etc.)
           −     Backup facilities (hospitals, clinics etc)
           −     Community notification procedures
           −     Internal/external communications strategies and implementation mechanisms.





  Business Impact Analysis
  The analysis of risk

    Analysis of Risk defined:
    • Continuous process of estimating the likelihood of potential
      events and their impact on the organization

    • Terms used:
           − Likelihood: probability
           − Impact: $$








  Business Impact Analysis
  Categories of risk

    •      Strategic
    •      Operational
    •      Market
    •      Regulatory
    •      Contractual Relationship
    •      HR
    •      Reputation
    •      Environmental
    •      Man-made Risks (Accidental & Intentional)
    •      Business Process-related Risk
    •      Single Points of Failure
    •      Supply Chain
    •      Information Technology Availability Risks








  Business Impact Analysis
  Potential impacts

    •      Loss of Human Life
    •      Opportunity Costs
    •      Idle Workforce and Resources
    •      Regulatory Noncompliance
    •      Financial Loss
    •      Reputation Impairment
    •      EHS Impairment (OSHA)
    •      Loss of Market Share
    •      Work Stoppage
    •      Cash Flow Interruption
    •      Financial Control/Reporting
    •      Customer Service
    •      Vendor Relations
    •      Employee Morale/Retention
    •      Market Reaction
    •      Contractual Default








  Typical approach to conducting the BIA

    •      Work through a Steering Committee
    •      Identify what the deliverables should look like and the desired content
    •      Develop an initial scope
    •      Identify process-level subject matter experts (including care experts)
    •      Develop fact gathering plan
    •      Summarize findings
    •      Conduct analysis and develop conclusions
    •      Validate findings with subject matter experts
    •      Present validated findings to executive management for buy-in
    •      Transition to strategy development







  Framework for successful Business Impact Assessment
    A Business Impact Analysis structure leverages the same process model as
    project management. The BIA structure includes an integration component to
    manage inter-dependencies, key milestones and key deliverables related to
    the requirements.

    Components of the structure (diagram):
    1. Project Initiation
    2. Project Plan Management
    3. Risk & Issue Management
    4. Change Management
    5. Reporting & Communication
    6. Project Administration
    7. Quality Management
    8. Financial Management
    9. Integration Management





  Framework for successful Business Impact Assessment
  (cont'd.)

    BCM Managers need to look at and address the points below, to ensure
    quality of service to customers:
    •      Prolonged disruption of service from multiple failure scenarios is a tangible risk in
           today’s business and health care environments, which are crawling with unforeseen threats.
    •      Safety and security of employees and clients (patients) are at higher risk.
    •      Service contracts these days essentially address business continuity SLAs, which benefits
           both parties by laying down expectations clearly if a disaster strikes.
    •      With increased outsourcing, customers accept no compromise on security and continuity.
    •      Laws and regulations have now come into force that clearly hold business leaders /
           vendors responsible for ensuring demonstrable continuity planning.
    •      Legal and standards requirements of clients’ (patients’) domains.





  Framework for successful Business Impact Assessment
  (cont'd.)

    Developing a BIA facilitates balancing business requirements, resource utilization
    (cost) and targeted results to keep the business running.


    (Diagram: REQ’MT, COST, RESULTS)


                                      • aligned business and technology objectives

                                      • repeatable standards, processes and tools

                                      • achieved customer and management expectations

                                      • maintain budget

                                      • maximized technology investment




  Strategies for achieving BIA value

    •      Align IT with the business (BT): Understand how IT systems and activities support
           BCM processes and priorities (includes equipment and tech that is used for patients)
    •      Innovate: Identify and implement solutions to support and enable BCM
    •      Ensure information system availability and business continuity, security and integrity:
           Policies, Procedures, Standards, Redundancy, Monitoring, Training
    •      Assess, address and communicate risks: Assess and address IT risks to achieving BCM
    •      Support compliance: Integrate IT into compliance process and leverage to optimize





  Compliance Requirements – Cost Drivers

    •      National Fire Protection Association (NFPA)
    •      NFPA 1600 – Standard on Disaster, Emergency Management and Business
           Continuity Programs
    •      Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    •      Gramm-Leach-Bliley Act (GLBA)
    •      Federal Financial Institutions Examination Council (FFIEC)
    •      Occupational Safety & Health Administration (OSHA)
    •      Foreign Corrupt Practices Act (FCPA)
    •      Federal Energy Regulatory Commission (FERC)
    •      US Securities and Exchange Commission (SEC)
    •      International Organization for Standardization (ISO)
    •      QS 9000 – Quality Systems Handbook
    •      State Insurance Departments




  Why BCP initiatives fail?


    Mainly, because the approach and conclusions fail to meet management expectations. Here
    are some of the more common criticisms.
    •      “The results are too high level”
    •      “Those numbers can’t be right”
    •      “You assumed the worst-case scenario”
    •      “Weak approach”
    •      “Yeah, but it depends…”
    •      “That part of the business isn’t that critical - they’re just trying to justify their jobs!”
    •      “You collected the wrong information from the wrong person”







  Framework for successful Business Continuity
  Management

    Enhancing BCM value through robust business requirements aligned with technology capabilities requires
    a holistic, integrated approach with the following balanced framework:

    •      Governance requires:
           - Active engagement to promote ownership
           - Business partnering to align strategy and mobilize energy
           - Formal process to drive consistency, credibility, and accountability

    •      Methodology must support:
           - Business Impact Assessment approach across the enterprise
           - Investment management focused on the results
           - Multi-dimensional change management

    •      Measurement supports decision-making:
           - Assessing business and financial value
           - Monitoring the plan




  Grant Thornton’s Business Continuity Planning
  Scope and Approach

    Grant Thornton uses a four-phase approach to develop a Business Continuity Plan




    1. Risk Assessment
    2. Develop Business Continuity Plan (BCP)
    3. Validate BCP
    4. Post-Implementation








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase I: Risk assessment
    Phase I consists of the following three categories:
    a. Perform Project Initiation and Management
    b. Perform Threat Analysis
    c. Perform Business Impact Analysis

    Phase I (a) – Perform Project Initiation & Management
    During this stage, a project manager and representatives to the
    Business Continuity project are named; an outline of personnel
    and resource requirements for the project is also identified.

    Appropriate project initiation and management are critical to business continuity
    planning success.







  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase I: Risk assessment
    Phase I (b) – Perform Threat Analysis

    During the Threat Analysis, a business criticality assessment is
    performed to identify the key business processes and IT
    infrastructure of the company.

    A threat probability assessment is performed to identify the
    events and environmental surroundings that can adversely affect
    the organization and its facilities with or without disruption
    and/or disaster. The likelihood of occurrence for each event is
    identified, along with the damage such events can cause.

    The controls needed to prevent or minimize the effects of
    potential loss are also identified. A gap analysis is performed to
    determine if measures currently in place are adequate to mitigate
    the identified risks.




  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase I: Risk assessment


    Threat Analysis
    •      Identify Key Business Processes
    •      Identify Key IT Infrastructure
    •      Perform Threat Probability Assessment
    •      Perform Gap Analysis








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase I: Risk assessment

    Business Impact Analysis
    •      Determine Criticality of Business Units
    •      Document Processes in Flow Charts
    •      Determine Business Unit Recovery Priorities
    •      Determine Application Recovery Priorities
    •      Identify Critical Partners and Vendors
    •      Determine Criticality of IT Infrastructure Components








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase I: Risk assessment
    •     Develop project timeline
    •     Facilitate monthly checkpoint meetings with team members
    •     Provide meeting notes, including action items, issues and
          recommendations
    •     Create Risk Assessment and Impact Analysis Report,
          including:
            – confirmed and prioritized list, in matrix form, of the in-scope
              processes, risk priority and acceptable outage criteria
              communicated by the team
            – identification of responsible parties and supporting systems
            – documentation of the potential impact to the business of
              uncontrolled, non-specific disruption events on the business
              processes and customers, based on information provided by
              management.







  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase II: Develop business continuity plan
    Phase II – Develop Business Continuity Plan
    Phase II includes developing the business continuity plan based on
    management's approval of potential recovery.

    • Communications plans are established for employees, clients, suppliers,
      owners/stockholders and any local/state/federal government
      organizations.
    • The project team develops specific recovery procedures and names
      members to each recovery team.
    • Public relations mechanisms and crisis communications structures are
      implemented.








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase II: Develop business continuity plan
                                             Phase II – Develop Business Continuity Plan (OPTION A continued)
                                             Phase II includes creating an avoidance and mitigation strategy to resume
                                             business operations and to recover vital physical records that are not
                                             part of IT.

                                             At this point, business resumption requirements should be documented,
                                             along with the resumption organization: the location of the command
                                             center, recovery responsibilities and the communication process involved
                                             if a disaster occurs.

                                             We would seek to provide different scenarios, such as working with
                                             Organization management to arrive at alternate site locations for events
                                             and other strategic decision-making on a site-by-site basis.

                                             The business resumption organization is combined with the threat
                                             analysis, business impact analysis, disaster recovery plan,
                                             avoidance/mitigation strategy and vital record recovery strategy
                                             to construct the business continuity plan.




  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase II: Develop BCP deliverables
                                                  •     Conduct checkpoint meetings with team members
                                                  •     Create Business Continuity Plan, including:
                                                         – trigger events and conditions for activating the BCP
                                                         – list of key personnel necessary to recover and sustain a
                                                           function
                                                         – description of advance activities required for business
                                                           recovery readiness
                                                         – plan for internal and external communications, as needed
                                                         – description of outsourcing alternatives, as needed
                                                         – instructions to activate the BCP and resume normal
                                                           operations upon disruption resolution, including
                                                           activities, responsibilities, timeframe and required resources.








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase III: Validate business continuity plan
                                       Phase III – Validate the Business Continuity Plan
                                       Phase III should include separate walkthroughs of the BCP with key
                                       stakeholders (tabletop exercise) to identify potential issues in plan
                                       design/workability, missing documentation, training requirements, etc.








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase III: Validate business continuity plan
                                             • Conduct ongoing checkpoint meetings with team members
                                             • Create Business Continuity Plan Test Scripts for each
                                               business process
                                             • Perform walkthroughs with stakeholders
                                             • Update BCP document with changes








  Grant Thornton’s Business Continuity Planning
  Scope and Approach
  Phase IV: Post-implementation
                                           Phase IV – Post-Implementation
                                           Phase IV establishes provisions to build employee awareness
                                           and train emergency response & recovery personnel.

                                           Business continuity plans are living documents that are tested annually – or
                                           whenever significant business process changes occur – to determine the
                                           adequacy of strategies, and are updated as needed.








  Value to Organization
  Value drivers

    • Ensuring the safety and care of clients
    • Quicker recovery from operational failure
    • Rapid reaction to environmental threats
    • Reduced risk of missed commitments to product donors and
      other stakeholders
    • Greater resiliency and recoverability of the existing business and
      technology environment








  Value to Organization
  Grant Thornton Value Proposition

    • Strong business, IT and operational knowledge leveraged to identify
      critical processes and develop corresponding continuity strategies.
    • A business continuity process designed to manage the safety and care of
      clients in the event of incident, financial loss, and reputation impairment
      risk through the use of a proven planning approach – the end result is
      staying in the market and protecting the brand.
    • A planning process that efficiently leverages internal resources, freeing
      employees to focus on their primary jobs.
    • A planning philosophy grounded in a mature knowledge transfer
      process, designed to enable our clients to effectively manage business
      continuity internally without significant additional overhead.





  Experience in Performing BCP/DR work
  Grant Thornton Value Proposition

    • Manufacturing companies of various sizes, including regional
    • Healthcare organizations in the NE region
    • Asset management firms with multiple operating locations/branches in
      NY and Boston
    • Government consulting firm focused on defense contracts in the DC area
    • Apparel manufacturer, designer, importer and distributor with a global
      footprint
    • Real estate property owner/manager who is based in NYC, NJ and Long
      Island






  Contact information



    Danny Miller
    T: 215.376.6010
    E: Danny.Miller@us.gt.com




Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal

  • 1. Grant Thornton, LLP Business Continuity Planning (BCP) methodology August 2011 Danny Miller, CISA, CRISC, ITIL, QSA -1- © Grant Thornton LLP. All rights reserved.
  • 2. Table of Our understanding Basic concepts for BCP Scope and Approach Value to Organization Contact contents of Organization interest Table of contents • Introductions and initial discussion • Our Understanding of your interest • Basic concepts for BCP • Scope and Approach for a BCP exercise • Value to the organization -2- © Grant Thornton LLP. All rights reserved.
  • 3. Table of Our understanding Basic concepts for BCP Scope and Approach Value to Organization Contact contents of Organization interest Grant Thornton’s Business Continuity Planning Scope and Approach (Our Understanding of Interest) Grant Thornton Grant Thornton Grant Thornton Grant Thornton Perform or Evaluate Develop requirements with Observe testing of BCP, Review and give feedback Risk Assessment Organization leadership, develop RFPprovide oversight, evaluate on training and awareness (BIA), develop and issue to short-list test results program short-list of possible vendors of providers Develop Business Risk Assessment Validate BCP Post-Implementation Continuity Plan (BCP) Organization Vendor Vendor Vendor & Organization Work with GT on Receive RFP, attend bidders Develop test scripts, Develop and roll-out employee either updating existing BIA meetings, go through conduct test (multi-level), awareness program and or identifying development process, issue develop and implement BCP conduct training of emergency risks and assets for BIA RFP response, meet to prove across all locations with and key personnel build-out response to GT/Organization team, walkthroughs with stakeholders winner develops BCP and update BCP on results -3- © Grant Thornton LLP. All rights reserved.
  • 4. Table of Our understanding Basic concepts for BCP Scope and Approach Value to Organization Contact contents of Organization interest Our understanding of Organization interest • BCP Objectives − Concepts − Vulnerability and Risk Analysis − Business Impact Analysis (BIA) − Build-up of Business Continuity • How a BCP project works (with options) -4- © Grant Thornton LLP. All rights reserved.
  • 5. Business Continuity Management (BCM) Defined: …the development of strategies, plans, and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning
  • 6. Components of Business Continuity Management • Crisis Management – Governance/ownership – Organizational structure – Human Factor • Business Resumption Planning – Business Impact Analysis – Tested, documented procedures – Communications Processes • IT Disaster Recovery Planning – Emergency Operations Center – Alternate Processing Facility
  • 7. Business Continuity Management Governance structure. Business Continuity Management requirements need to include business and IT. BCM Steering Committee • Business Requirements – RTO – RPO • IT Requirements – App redundancy – Infra redundancy
  • 8. Business Resumption Planning: Business Impact Analysis. BIA Defined • The careful, holistic study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations. The “BCP Blue Print” • If performed correctly, the BIA is the business continuity plan (BCP) blueprint. It establishes the business case for spending scarce funding on a process traditionally viewed as a glorified insurance policy.
  • 9. Business Resumption Planning: Business Impact Analysis (cont'd.) The relationship between the BIA and the Enterprise (organization)-wide risk assessment… • Now more than ever, the BIA and the enterprise-wide risk assessment are tied together. • One can’t be done without the other. • Also, the BIA is no longer limited to the internal workings of an organization, but rather extends to the extended enterprise, meaning customers and suppliers are now included.
  • 10. Business Impact Analysis: Potential impacts significance and likelihood • The Analysis of Risk, as part of the BIA, determines the loss potential and other tangible and intangible impacts to the organization • Taking into account − Key functions − Personnel and other resources − Technology − Regulations − Service level agreements (SLAs), internal dependencies and third-party interdependencies − Emergency hotline lists (Drs, Medical assistance, Medical type transportation etc.) − Backup facilities (hospitals, clinics etc.) − Community notification procedures − Internal/external communications strategies and implementation mechanisms.
  • 11. Business Impact Analysis: The analysis of risk. Analysis of Risk defined: • Continuous process of estimating the likelihood of potential events and their impact on the organization − Terms used: − Likelihood: probability − Impact: $$
  • 12. Business Impact Analysis: Categories of risk • Strategic • Operational • Market • Regulatory • Contractual Relationship • HR • Reputation • Environmental • Man-made Risks (Accidental & Intentional) • Business Process-related Risk • Single Points of Failure • Supply Chain • Information Technology Availability Risks
  • 13. Business Impact Analysis: Potential impacts • Loss of Human Life • Work Stoppage • Opportunity Costs • Cash Flow Interruption • Idle Workforce and Resources • Financial Control/Reporting • Regulatory Noncompliance • Customer Service • Financial Loss • Vendor Relations • Reputation Impairment • Employee Morale/Retention • EHS Impairment (OSHA) • Market Reaction • Loss of Market Share • Contractual Default
  • 14. Typical approach to conducting the BIA • Work through a Steering Committee • Identify what the deliverables should look like and the desired content • Develop an initial scope • Identify process-level subject matter experts (including care experts) • Develop fact gathering plan • Summarize findings • Conduct analysis and develop conclusions • Validate findings with subject matter experts • Present validated findings to executive management for buy-in • Transition to strategy development
  • 15. Framework for successful Business Impact Assessment. A Business Impact Analysis structure leverages the same process model as project management. The BIA structure includes an integration component to manage inter-dependencies, key milestones and key deliverables related to the requirements. Diagram components: 1 Project Initiation; 2 Project Plan Management; 3 Risk & Issue Management; 4 Change Management; 5 Reporting & Communication; 6 Project Administration; 7 Quality Management; 8 Financial Management; 9 Integration Management.
  • 16. Framework for successful Business Impact Assessment (cont'd.) BCM Managers need to look at and address the points below, to ensure quality of service to customers: • Prolonged disruption of service from multiple failure scenarios is a tangible risk in today’s business and health care environments crawling with unforeseen threats. • Safety and security of employees and clients (patients) are at higher risk. • Service contracts these days essentially address business continuity SLAs, which benefits both parties by laying down expectations clearly if a disaster strikes. • With increased outsourcing, customers accept no compromise on security and continuity. • Laws and regulations have now come into force clearly holding business leaders / vendors responsible for ensuring demonstrable continuity planning. • Legal and standards requirements of clients' (patients') domains
  • 17. Framework for successful Business Impact Assessment (cont'd.) Developing a BIA facilitates balancing business requirements, resource utilization (cost) and targeted results to keep the business running. Diagram labels: REQ’MT, COST, RESULTS • aligned business and technology objectives • repeatable standards, processes and tools • achieved customer and management expectations • maintain budget • maximized technology investment
  • 18. Strategies for achieving BIA value • Align IT with the business (BT): Understand how IT systems and activities support BCM processes and priorities (includes equipment and tech that is used for patients) • Innovate: Identify and implement solutions to support and enable BCM • Ensure information system availability and business continuity, security and integrity: Policies, Procedures, Standards, Redundancy, Monitoring, Training • Assess, address and communicate risks: Assess and address IT risks to achieving BCM • Support compliance: Integrate IT into compliance process and leverage to optimize
  • 19. Compliance Requirements – Cost Drivers • National Fire Protection Association (NFPA) • NFPA 1600 – Standard on Disaster, Emergency Management and Business Continuity Programs • Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Gramm-Leach-Bliley Act (GLBA) • Federal Financial Institutions Examination Council (FFIEC) • Occupational Safety & Health Administration (OSHA) • Foreign Corrupt Practices Act (FCPA) • Federal Energy Regulatory Commission (FERC) • US Securities and Exchange Commission (SEC) • International Organization for Standardization (ISO) • QS 9000 – Quality Systems Handbook • State Insurance Departments
  • 20. Why BCP initiatives fail? Mainly, because the approach and conclusions fail to meet management expectations. Here are some of the more common criticisms. • “The results are too high level” • “Those numbers can’t be right” • “You assumed the worst-case scenario” • “Weak approach” • “Yeah, but it depends…” • “That part of the business isn’t that critical - they’re just trying to justify their jobs!” • “You collected the wrong information from the wrong person”
  • 21. Framework for successful Business Continuity Management. Enhancing BCM value through robust business requirements aligned with technology capabilities requires a holistic, integrated approach with the following balanced framework: • Governance requires: - Active engagement to promote ownership - Business partnering to align strategy and mobilize energy - Formal process to drive consistency, credibility, and accountability • Methodology must support: - Business Impact Assessment approach across the enterprise - Investment management focused on the results - Multi-dimensional change management • Measurement supports decision-making: - Assessing business and financial value - Monitoring the plan
  • 22. Grant Thornton’s Business Continuity Planning Scope and Approach. Grant Thornton uses a four-phase approach to develop a Business Continuity Plan: Risk Assessment; Develop Business Continuity Plan (BCP); Validate BCP; Post-Implementation.
  • 23. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase I: Risk assessment. Phase I consists of the following three categories: a. Perform Project Initiation and Management b. Perform Threat Analysis c. Perform Business Impact Analysis. Phase I (a) – Perform Project Initiation & Management: During this stage, a project manager and representatives to the Business Continuity project are named; an outline of personnel and resource requirements for the project is also identified. Appropriate project initiation and management are critical to business continuity planning success.
  • 24. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase I: Risk assessment. Phase I (b) – Perform Threat Analysis: During the Threat Analysis, a business criticality assessment is performed to identify the key business processes and IT infrastructure of the company. A threat probability assessment is performed to identify the events and environmental surroundings that can adversely affect the organization and its facilities with or without disruption and/or disaster. The likelihood of occurrence for each event is identified, along with the damage such events can cause. The controls needed to prevent or minimize the effects of potential loss are also identified. A gap analysis is performed to determine if measures currently in place are adequate to mitigate the identified risks.
  • 25. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase I: Risk assessment. Threat Analysis diagram: Identify Key Business Processes; Identify Key IT Infrastructure; Perform Threat Probability Assessment; Perform Gap Analysis.
  • 26. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase I: Risk assessment. Business Impact Analysis diagram: Determine Criticality of Business Units; Determine Business Unit Recovery Priorities; Determine Application Recovery Priorities; Identify Critical Partners and Vendors; Determine Criticality of IT Infrastructure Components; Document Processes in Flow Charts.
  • 27. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase I: Risk assessment • Develop project timeline • Facilitate monthly checkpoint meetings with team members • Provide meeting notes, including action items, issues and recommendations • Create Risk Assessment and Impact Analysis Report, including: – confirmed and prioritized list, in matrix form, of the in-scope processes, risk priority and acceptable outage criteria communicated by the team – identification of responsible parties and supporting systems – documentation of the potential impact to the business of uncontrolled, non-specific disruption events on the business processes and customers, based on information provided by management.
  • 28. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase II: Develop business continuity plan. Phase II – Develop Business Continuity Plan: Phase II includes developing the business continuity plan based on management's approval of potential recovery. • Communications plans are established for employees, clients, suppliers, owners/stockholders and any local/state/federal government organizations. • The project team develops specific recovery procedures and names members to each recovery team. • Public relations mechanisms and crisis communications structures are implemented.
  • 29. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase II: Develop business continuity plan. Phase II – Develop Business Continuity Plan (OPTION A continued): Phase II includes creating an avoidance and mitigation strategy to resume business operations and to recover vital physical records that are not part of IT. At this point, business resumption requirements should be documented, along with the resumption organization, such as the location of the command center, recovery responsibilities and the communication process involved if a disaster occurs. We would seek to provide different scenarios, such as working with Organization management to arrive at alternate site locations for events and other strategic decision-making on a site-by-site basis. The business resumption organization is combined with the threat analysis, business impact analysis, disaster recovery plan, avoidance/mitigation strategy and vital record recovery strategy to construct the business continuity plan.
  • 30. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase II: Develop BCP deliverables • Conduct checkpoint meetings with team members • Create Business Continuity Plan, including: – trigger events and conditions for activating the BCP – list of key personnel necessary to recover and sustain a function – description of advance activities required for business recovery readiness – plan for internal and external communications, as needed – description of outsourcing alternatives, as needed – instructions to activate the BCP and resume normal operations upon disruption resolution, including activities, responsibilities, timeframe and required resources.
  • 31. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase III: Validate business continuity plan. Phase III – Validate the Business Continuity Plan: Phase III should include separate walkthroughs of the BCP with key stakeholders (tabletop exercise) to identify potential issues in plan design/workability, missing documentation, training requirements, etc.
  • 32. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase III: Validate business continuity plan • Conduct ongoing checkpoint meetings with team members • Create Business Continuity Plan Test Scripts for each business process • Perform walkthroughs with stakeholders • Update BCP document with changes
  • 33. Grant Thornton’s Business Continuity Planning Scope and Approach. Phase IV: Post-implementation. Phase IV – Post-Implementation: Phase IV establishes provisions to build employee awareness and train emergency response & recovery personnel. Business continuity plans are living documents that are tested annually – or whenever significant business process changes occur – to determine the adequacy of strategies, and are updated as needed.
  • 34. Value to Organization: Value drivers • Ensuring the safety and care of clients • Quicker recovery from operational failure • Rapid reaction to environmental threats • Reduced risk of missed commitments to product donors and other stakeholders • Greater resiliency and recoverability of the existing business and technology environment
  • 35. Value to Organization: Grant Thornton Value Proposition • Strong business, IT and operational knowledge leveraged to identify critical processes and develop corresponding continuity strategies. • A business continuity process designed to manage the safety and care of clients in the event of incident, financial loss, and reputation impairment risk through the use of a proven planning approach – the end result is staying in the market and protecting the brand. • A planning process that efficiently leverages internal resources, freeing employees to focus on their primary jobs. • A planning philosophy grounded in a mature knowledge transfer process, designed to enable our clients to effectively manage business continuity internally without significant additional overhead.
  • 36. Experience in Performing BCP/DR work: Grant Thornton Value Proposition • Manufacturing companies of various sizes, including regional • Healthcare organizations in the NE region • Asset management firms with multiple operating locations/branches in NY and Boston • Government consulting firm focused on defense contracts in the DC area • Apparel manufacturer, designer, importer and distributor with a global footprint • Real estate property owner/manager who is based in NYC, NJ and Long Island
  • 37. Contact information: Danny Miller T: 215.376.6010 E: Danny.Miller@us.gt.com