Business Continuity For Dummies - NEDRIX


BUSINESS CONTINUITY FOR “DUMMIES” – aka Business Continuity Planning 101
NEDRIX Conference, Braintree, MA, June 23, 2004
Victoria M. Denault, CBCP
NEDRIX Conference June 2004

Agenda
- Welcome!
- Introduction
- Our Approach to Business Continuity
- Protecting Your Employees
- Emergency Response
- Disaster Recovery
- Business Resumption
- How to Build a Robust Business Continuity Program
- Execution Quick Start
(Agenda is drawn as a diagram on the slide; only the item labels above are recoverable.)

INTRODUCTION
Welcome to Business Continuity Planning!!!
(Word cloud on slide: BCP, Business Impact, Emergency Response, AAA, AA, A, B, C, D?, Risks, Recovery Plans, Emergency Notification Lists, Alternate Sites, Business Functions, Testing)
Feeling Overwhelmed?

It’s Not Magic!!

Qualities of a Business Continuity Planner
- Inquisitive
- Ability to think “outside the box”
- Relentless
- Doesn’t need to be “liked” by everyone
- Doesn’t get “rattled” easily
- Available 24x7
- Business knowledgeable
- Not afraid to open “Pandora’s Box”
- Enjoys challenges
- Insane!

Why is Business Continuity Management Important?
- Safeguard human life
- Minimize critical decisions in a time of crisis
- Reduce dependency on specific personnel
- Minimize loss of data
- Facilitate timely recovery of business functions
- Minimize loss of revenue/customers
- Maintain public image and reputation
- Other ideas?

BCM Roles & Responsibilities: Safeguard the Trust
- Setting the strategic direction and plans for all business units to ensure business continuity and effective emergency management.
- Integrating the contingency planning process across business units when the nature of the business requires it.
- Providing consulting services and direction to senior management.
- Coordinating and integrating the activation of emergency response organizations with the business units.
- Provide periodic management reporting and status.
- Ensure executive management compliance with the contingency planning program.
- Ensure the identification and maintenance of all critical business functions and requirements.
- Develop, implement, and maintain policy and guidelines for all business units to follow.

BCM Roles & Responsibilities: Safeguard the Trust (cont’d)
- Develop and maintain testing and maintenance programs for all contingency planning functions.
- Provide primary contact for your company to handle a coordinated response during a business interruption.
- Act as a resource for contingency planning efforts within the company area of responsibility.
- Secure appointment, training, and back-up of all contingency planning and response teams.
- Assist in the design and maintenance of alternate sites.
- Maintain current contingency planning documentation.

Business Continuity Terminology
- Critical Business Functions
  – Those functions considered essential to the ongoing operation of the Company or Business Unit.
  – If these functions could not operate, there would be a significant adverse impact upon the products/services provided.
  – Includes anything that might significantly impair the financial integrity or reputation of the Company.

Business Continuity Terminology (cont’d)
- Command Center
  – Location set up for Management and BCP to operate from during an emergency situation.
  – Maintain Contingency Plan Document and other needed resources at Command Center.
(Slide image captioned “Command Center”.)

Business Continuity Terminology (cont’d)
- Alternate Site
  – A location where critical business functions can resume processing in the event of a business interruption.
(Slide diagram: Relocation from Primary Location to Alternate Site.)

Business Continuity Terminology (cont’d)
- Vital Records
  – All data and information required to support a business function (i.e., historical, regulatory requirements)
  – Includes:
    - Policy and Procedures Manuals
    - Input documents or data
    - Manuals for software and other applications
    - Vendor/Customer List
    - Telephone/Rolodex
    - Backup tape files
  – Should be maintained off site at a third-party vendor or Command Center

PROTECTING YOUR EMPLOYEES

Life/Safety is #1
- Access control
- Alarm monitoring
- Floor Warden program
- Evacuation drills conducted annually
- Shelter-in-Place drills conducted annually
- Background checks
- Procedures for emergency response in place
- Workplace Violence Programs

What to do if there is a FIRE
What to do if there is a FIRE and you find it:
1) Call Corporate Security.
2) Activate the nearest building fire alarm.
3) Follow the evacuation instructions given by the Floor Wardens, who will be wearing orange arm bands and carrying flags.
What to do if there is a FIRE and you hear the public address system or fire alarm:
1) Follow the instructions given over the public address system.
2) Follow the evacuation instructions given by the Floor Wardens (wearing orange arm bands and carrying flags).

What to do if there is a BOMB THREAT
What to do if you receive a BOMB THREAT:
1) TAKE NOTES -- location and type of device, time of detonation, sex and age of caller, quality of voice, accent, background noise(s), etc. -- this is VERY IMPORTANT!
2) Immediately call Corporate Security.
3) Notify your supervisor/manager.
4) Wait for instructions from your manager or the Floor Warden, or to be broadcast over the public address system.

What to do if there is an EVACUATION
What to do if EVACUATION OF YOUR AREA IS ANNOUNCED:
1) Prepare to evacuate, but wait for specific instructions via the public address system, telephone, a Floor Warden or a Security Officer. Some routes may not be safe.
2) Follow the Floor Warden out of the building.
3) DO NOT use elevators for emergency evacuation.
4) Walk quickly when directed to do so, but do not run.
5) DO NOT go back for any reason.
6) Proceed to the Evacuation Site for your building.
7) Wait for further instructions from Corporate Security or your company's Contingency Planner.

What to do if there is SEVERE WEATHER
What to do if there is SEVERE WEATHER while you are at home:
1) Call the Contingency Information Line, 1-xxx-xxx-xxxx, for up-to-date information.
2) Check your local radio and TV stations for announcements.
NOTE: Remember, property damage may require that you report to work at a different location. Contact your manager or call the Contingency Information Line.
While you are at work:
1) Follow the instructions given over the public address system, SYMON*, by your manager or the Contingency Information Line.
*SYMON is a customized electronic message board displaying system status and market and critical business information. SYMON boards are located in key business areas throughout Fidelity.

What if someone needs MEDICAL ASSISTANCE
What to do if someone needs MEDICAL ASSISTANCE:
1) DO NOT PANIC -- REMAIN CALM.
2) IMMEDIATELY call Corporate Security.
3) Provide your name, location, mail zone, call-back number and any information about the illness or injury. Don't hang up until the dispatcher confirms the information.
4) Keep someone with the injured person at all times.
5) If possible:
   - have someone stay at the call-back number.
   - have someone meet the emergency team at the entrance.
Don't try to apply first aid if you are not qualified. It could cause further injury.
If you need medical assistance, call Corporate Security and stay at your original location until help arrives.
NOTE: (The injured employee or his or her manager must complete an occupational injury/illness report form within 24 hours of the incident and submit it to HR.)

EMERGENCY RESPONSE

What Should I Do in an Emergency?
- What do I tell my customers?
- How do I contact my employees and tell them where to report?
- My house is destroyed; I can’t go to work!
- Where do I go?
- What to do in an emergency?
- I need supplies and a PC to start working again.
- The Press keeps asking me all of these questions. What do I tell them?
- How do I contact my customers?

Take a Deep Breath. All You Need is a Business Continuity Plan!
- What is a Business Continuity Plan?
  – The plan describes the pre-planned sequence of events that allows for the continuation/recovery of business functions, computer resources, networks, and facilities.
  – The documented process for continuation/recovery of business functions in the event of an unexpected disruption of service.

Don’t end up like this Guy!

How Ready is Your Business?
If you were evacuated from your building and you were standing in the evacuation area and they announced that you could not work at that site for at least the next 2 weeks,
Do you know what to do next?
Does your staff?

Emergency Response Checklist
- Write Down Information
  – Who Called
  – Building Location
  – Area of Impact
  – Expected Duration
- Relay Facts to Others
  – Escalate to Senior Management As Appropriate
  – Contact Teams As Needed
- Communicate
  – Inform Management
  – Inform Emergency Response Teams
  – Inform Corporate Contingency
- Respond and Recover

WHAT NEXT?
When disaster strikes, the most important thing -- after assuring the safety and welfare of employees -- is to get vital support services functioning to the best of our ability.

How to Build a Robust Business Continuity Program
#1 Project Initiation & Management
#2 Risk Analysis/Mitigation
#3 Business Impact Analysis
#4 Recovery Strategies
#5 Develop The Plan
#6 Exercise The Plan
#7 Maintain The Plan
#8 Training & Awareness

Don’t get caught without a Plan!
If you are reading your plan for the first time and you are in the middle of a disaster . . . you are in trouble.

Example of Business Continuity Support Organization
(Org chart on slide: Corporate Emergency Management Organization; Real Estate; Risk Management; Enterprise Business Continuity Program Manager; Business Units: Human Resources, Systems, Marketing, Finance.)

Project Initiation & Management
#1: Project Initiation & Management
- Define Project
  – Scope – document what the Plan will cover
  – Objectives – Document what is to be achieved with this project
  – Assumptions – Document the assumptions you are making regarding the project, i.e. commitment from management, phone lines operational, no regional outage
- Estimate Project Resources
  – Document the resources you will need to complete the project including human resources as well as physical & financial resources
- Obtain Management Commitment
  – Management should have a documented responsibility to the company in the development & testing of a viable business recovery plan – without it, the project will fail
  – Require management sign-off and approvals at each major milestone of the project

Project Initiation & Management (cont’d)
- Define Project Timeline, Major Milestones, and Deliverables
  – Define major steps toward plan development
  – Estimate how long each step will take
  – Identify the critical path
  – Document what will be produced from each step
  – Estimate when the project will be completed
  – Example of Phased Approach:
    - Emergency Notification Lists: Immediately
    - Vital Records Program in Place: Immediately
    - Risk Analysis/Business Impact Analysis: 1st 3 months
    - Define Recovery Strategies: 1-6 months
    - Select and Develop Alternate Sites: 1-12 months
    - Develop and Document Contingency Plan: 1-12 months
    - Testing, Maintenance, Periodic Audit: Annual or when significant changes occur

Emergency Notification
- Identify the different types of recovery you will plan for
- Identify who would have the authority to declare a disaster depending upon the scenario
- Identify who would be part of the recovery effort
- Build your notification lists based on this information

Sample ERT
(Chart on slide.)

Potential Scenarios
- Identify potential scenarios
  – Geo-Centric Scenarios
    - An event impacting both buildings and people in one location, i.e. WTC
    - Events impacting building and people in multiple locations, i.e. WTC & Pentagon
  – People Scenarios
    - Inability for employees to access facilities
    - Associates unable to work due to emotional trauma
    - Loss of workforce
    - Loss of key members of management team

Potential Scenarios (cont’d)
- Identify potential scenarios (cont’d)
  – Infrastructure Scenarios
    - Telecommunications outage
    - Internet outage, i.e. Cyber attack
    - Loss of transportation service or access, i.e. airport closures
  – Market Scenarios
    - Failure of a market utility or exchange
    - Business interruption to a critical vendor
    - Counter-party failure

Risk Analysis/Mitigation
#2: Risk Mitigation Strategy Overview
- Protecting People and Workspaces
- Protecting Information
- Protecting Reputation

Protecting People and Workspaces
- Access Control
- Alarm Monitoring
- Floor Warden
- Evacuation Drills
- Background Investigations
- Landscape Design
- Lighting
- Cameras
- Visitor Procedures
- Backup Power systems
- Facility Design
- Facility Location

Protecting Information
- Information Security policy and procedures
- Privacy Policy
- Firewalls
- Intrusion Detection
- Strong Passwords
- Controlling access to information
- Vendor Management
- Secure offsite storage
- Proprietary Waste Disposal
- Virus Protection and Response

Protecting Reputation
- Strong Governance
- Media trained
- Communication Plans
- Internal and external audits
- Operational Management
- Recoverability
- Code of Ethics

Three Elements of Risk
- Threats
  – Events or situations which would cause financial or operational impact to the organization.
  – Threats are measur
