1
2	Introduction Introductions Scott Porter, Director, Gartner Consulting Mike LaFrancis, Account Executive, Gartner Objectives Provide an overview of business continuity and disaster recovery planning Provide an overview of the business continuity planning process Discuss critical success factors for plan development
3	Disaster Recovery Planning What is a Disaster? Why do Disaster Planning?
4	What is a Disaster?
5	What is a Disaster: Vulnerability Disasters are not more common, but enterprises are increasingly more vulnerable to them Increased dependency on technology infrastructure Increased dependency on partners; their disaster could quickly become your disaster Individual acts can have far reaching consequences Dependence on technology has created new disaster potentials In a de-regulated environment, there is greater competitive risk to downtime
6	What is a Disaster: Vulnerability The Internet has dramatically changed the “rules” Operational risk (e.g. loss of service) Security risk (e.g. denial of service, security breach related downtime) Lack of capacity (e.g. unexpected spikes in demand) Critical application failure Availability of partner or outsourcer (e.g. greater dependence on others) Loss of physical infrastructure (e.g. higher level of connectivity)
7	What is a Disaster: Distribution of 528 Disasters Supported Many companies perceive they’re immune to any long-term outage. However, more than one-fourth of companies have experienced a disruption in the last five years, averaging eight hours, or one business day.
8	Why do Disaster Recovery Planning: Cost of Downtime
9	Introduction to Business Continuity Planning What is BCP? What are the BCP Components? What should be spent on BCP?
10	What is Business Continuity Planning (BCP)? Planning for the continuation of business operations in the event of a disaster Ensure that critical business activities are maintained or restored as quickly as possible Focused on a prioritized resumption of the most critical business functions
11	Business Continuity Planning vs. Disaster Recovery Business Continuity Planning focuses on developing clear and detailed written plans to counteract interruptions to business activities and business processes from the effects of major failures or disasters. Disaster Recovery focuses on developing clear and detailed written plans to counteract interruptions to critical information systems and data from the effects of major failures or disasters.
12	Business Continuity Planning Components
13	How Much Should Be Spent on Contingency Planning?
14	Common Leadership Questions What is the state of recovery plans? Are they comprehensive? Are backups completed regularly for critical data on major systems or workstations within the business units? Have physical protection, user authentication, access control, encryption, security management for networking and communications been revisited? Do you have a command center for the management team to discuss activities and communicate? Have possible contracts for replacement equipment or shipping of assets from technology vendors been discussed? How would our customers contact you in the event of an outage? Have we redirected call traffic to an alternate number? Do all executives understand their altered role to be performed at time of disaster and their successor? How are critical non-electronic documents protected and where are they stored, or are they taken off site?
15	Preparedness What does it mean for you to be “very prepared” for disaster recovery? Are the critical parts of the agency able to function in the event of a catastrophe? Who is responsible for business continuity planning? Are line of business leaders sufficiently involved in development, testing, and maintenance of the business continuity plan? Have the business impacts of loss of mission critical systems and operations failures been assessed? Planning for the Worst Case Individual and distinct plans do not/cannot be made for every possible scenario Impossible to separate cascading effects of any one single event An impact analysis is used to determine the most critical sites with greatest risk potential; plans should be developed for these worst case events and rolled-up into an enterprise plan When does an emergency event become a business continuity issue? At the discretion of the crisis management team, on a case-by-case basis Decision will be based on severity, likelihood of recovery and time of disruption
16	Importance of Enterprise Planning If recovery plans exist in each department, why is there a need for an enterprise plan? Many events will go beyond the scope or capacity of a single department Most business processes are interdependent on other departments Enterprise view facilitates resource planning and sharing in the event of a disruption Provides executive leadership with complete visibility as to the organization’s planning process and state of readiness
17	Business Continuity Planning Process
18	Business Continuity Planning Goals Identify those processes and information system components that are critical to the business Put in place the measures necessary to recover them as quickly as possible Companies should balance overall recovery costs with acceptable risks and develop a workable recovery strategy that provides the basis for a business continuity and disaster recovery plan
19	Business Resumption Planning (BRP) Process Flow
20	Business Continuity Planning Project Initiation This project starts like most projects: Define Scope and Objectives Identify Requirements Conduct Risk Assessment Obtain Management Support Develop Detailed Project Plan.
21	The Business Impact Analysis (BIA) What and How Much Do We Have at Risk? What is the Business Impact Analysis? First step in the planning process Quantifies risks and helps to target operations and processes that require recovery planning Identifies the probable consequences of various types of disruptions Shows how the passage of time affects impacts and exposures What factors are examined during the BIA? Specific vulnerabilities, such as loss of supplies and services Financial impacts, including extraordinary expenses that may be incurred Operational impacts Vital business processes, applications and data Technology requirements for recovery Critical systems support required Interdependencies of business units for IT resources Recovery window requirements
22	The Business Impact Analysis (BIA) How is the BIA Used? Identifies which business units, operations and processes are absolutely essential Defines how quickly essential business units or processes have to be back in operation before the impacts are catastrophic Identifies which recovery alternatives are the most plausible for meeting the recovery windows Identifies which resources are needed to resume operations at a survival level for the essential parts of the business Defines which elements must be pre-positioned in order to meet the recovery windows
23	Recovery Strategies Identify Off-Site Data Backup Alternatives Vendor vs. Intra-enterprise Tapes vs. electronic vaulting Backup strategy for vital datasets Identify Backup Processing Alternatives Business Resumption Hot Site/Cold Site Vendor Intra-agency Backup Hardware Quick-Ship Internal Sweepable Shell Third-Party Vendor Network Alternatives Frame, ISDN, SMDS Dial-up, VPN
24	Plan Development
25	Testing Options Conference room simulations Departmental test of continuity plans Focused brainstorm session Cost-effective Involve large number of business unit representatives Hot site test Restoration of production at hot site More expensive, but essential
26	Developing a BRP Maintenance Process Develop an effective maintenance process Include process improvements based on test results Implement plan distribution and control procedures
27	Business Resumption Plan Structure
28	BRP Architecture
29	Integrated BRP—Putting the Pieces Together
30	Jump-Start the Planning Process Assign responsibility for business continuity planning (BCP) for the enterprise. Conduct a risk analysis to determine the enterprise's ability to recover business operations based on a complete destruction of the production facilities. A gap analysis report will result, identifying where recovery plans do not support current business operations. Establish an emergency decision-making hierarchy to address the potential that some executives may be unavailable. Be prepared to make regular and updated declarations of the steps the enterprise is taking to deal with the crisis. Draft multiple statements about the recovery process to be used when communicating to the public, shareholders, industry analysts, major customers, internal personnel and business partners. Update personnel contact lists and calling trees, including multiple forms of contact information—e.g., office, home, mobile and vacation home telephone numbers, pager numbers, and office and personal e-mail addresses. Consider the use of an outside service that can automate the contact process on notification from the enterprise during an event. Establish a personal tracking procedure so that the location of personnel is known at all times during normal business operations. Establish a personnel awareness program—i.e., a program educating personnel to potential disasters—and train personnel to react appropriately during an event, including evacuation and contact procedures.
31	Jump-Start the Planning Process (Cont) Determine what other methods of communication are available besides telephone service to establish key communications. (e.g., e-mail, instant messaging and the enterprise's Web site) Set up a toll-free telephone number that personnel and their loved ones can use to receive and disseminate information. Coordinate the use of alternate office space to be used during a disaster Review the enterprise's extra expense and business interruption insurance policies to ensure that they cover the current status of business operations. Review your backup schedule and media storage strategy to ensure that the entire information flow, including applications, connectivity and access endpoints, can be recovered, and the backup media can be easily recovered and brought to the alternate recovery site. Equip every department with the "essentials"—e.g., flashlights, blankets, emergency communication devices, water, nonperishable food items and medical supplies. Store facility floor plans in an easily accessible, off-site location.
32	Long-Term BCP Goals Establish a full-fledged business continuity plan that covers business and technology operations. Build BCP into the IT project life cycle, the human resource change process (which is especially important for maintaining personnel contact lists), and facilities and organizational changes. Establish a management succession plan to address the potential that some executives may be unavailable. Review the proximity of senior management to each other so that an entire team is not lost in the event of a disaster. Review senior management travel policies—key executives should not travel together. Cross-train personnel in different locations, if possible, so that the recovery process is not impeded by a lack of qualified staff. Consider telecommuting as an option for some personnel. If the enterprise already supports telecommuting, decide who will receive remote access priority during a disaster. Consider the use of unmanned data centers to separate IT staff and resources so that personnel remain available even if the data center is damaged. Conduct repeated and extensive testing of all business continuity plans and procedures to locate possible gaps between business operations and recovery capabilities.
33	Questions? Contact Information Scott Porter Director, Gartner Consulting +1-215-942-0455 (office) +1-215-280-9547 (mobile) scott.porter@gartner.com Mike LaFrancis Account Executive, Gartner +1-860-683-1086 (office) Michael.LaFrancis@gartner.com
34