Mastering Business Continuity Management - BookLocker


Disasters have increased. Essential for organizations and students in Business Management, Business Continuity, Disaster Recovery, Information Security, Risk Management, Project Management, Audit, Compliance, and IT. Unlike other books, this book teaches through stories, practical applications, and yes, bullet pointed checklists, too.

Mastering Business Continuity Management by Dr Michael C Redmond PhD

Order the complete book from the /books/9923.html?s pdf or from your favorite neighborhood or online bookstore.

Copyright 2018 Dr. Michael C Redmond, PhD
Hardcover ISBN: 978-1-63491-533-5
Paperback ISBN: 978-1-63491-421-5

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, recording or otherwise, without the prior written permission of the author.

Published by BookLocker.com, Inc., St. Petersburg, Florida.
Printed on acid-free paper.
BookLocker.com, Inc.
2018
First Edition

Disclaimer

This book details the author's personal experiences with and opinions about Business Continuity Management. The author and publisher are providing this book and its contents on an “as is” basis and make no representations or warranties of any kind with respect to this book or its contents. The author and publisher disclaim all such representations and warranties. In addition, the author and publisher do not represent or warrant that the information accessible via this book is accurate, complete or current. The statements made have not been evaluated by any Government. Please consult with your own Risk Management/Compliance professional regarding the suggestions and recommendations made in this book.

Except as specifically stated in this book, neither the author or publisher, nor any reviewers or other representatives will be liable for damages arising out of or in connection with the use of this book. This is a comprehensive limitation of liability that applies to all damages of any kind, including (without limitation) compensatory; direct, indirect or consequential damages; loss of data, income or profit; loss of or damage to property and claims of third parties.

This book is not intended as a substitute for consultation with a Risk Management/Compliance professional. This book provides content related to topics of Risk Management. As such, use of this book implies your acceptance of this disclaimer.

Table of Contents

About the Author .... ix
Reviewers .... xxix

Chapter One - Project Management .... 1
  Overview .... 1
  Consider the Required Resources .... 5
  Laying the Groundwork .... 6
  Funding Strategies .... 7
  Determining the Scope .... 8
  Legislation and Applicable Authorities .... 9
  The Phases of Business Continuity Plan .... 10
  Program Coordinator and Advisory Committee .... 11
  Review what is in place .... 14
  Performance Objectives .... 15
  Recapping .... 16
  Planning Action Plans .... 17
  Recap .... 21
  Complex Institution .... 23
  Project Planning Elements of a Good Disaster Recovery Plan .... 24
  Communication Planning .... 24

Chapter Two - Risk Evaluation and Control .... 27
  Overview .... 27
  Why Do A Risk Assessment? .... 29
  The Human Factor .... 32
  Organizational Operational Functionality .... 34
  Conducting the Risk Assessment .... 36
  Resource Management Objectives .... 37
  Examining Threat Scenarios .... 45
  Determining Vulnerability to Loss .... 49
  Working with Outside Agencies and Services .... 54
  Review the Findings and Controls .... 55
  The Risk Assessment Report .... 60

Chapter Three - Business Impact Analysis .... 65
  Overview .... 65
  Recovery Timelines .... 66
  Assessing the Impacts .... 67
  Risks to Consider .... 67
  Details to include in Management Reports .... 69
  Program Coordination .... 71
  Impacts on Resources .... 72
  Key Questions .... 73
  Think About Strategies to Deal with the Impacts .... 74
  Impacts on Logistics and Facilities .... 75
  Process .... 76
  Organizational Functions .... 79
  Interviewees .... 79
  Structure .... 80
  Qualitative and Quantitative .... 82
  Insurance .... 84
  Interdependencies within Departments .... 84
  Criticality .... 86
  The Business Impact Analysis Report .... 88
  Document Control .... 88
  Final Review of Your Business Impact Analysis .... 90
  Final Review of the BIA .... 91
  Compliance .... 92

Chapter Four - Business Continuity Strategies .... 95
  Overview .... 95
  Pre-Strategy Development/Review .... 95
  Advisory Committee and Records Review .... 97
  Records Protection .... 99
  Strategy Brainstorming .... 100
  Communication With Your Team .... 102
  Consider Your Culture .... 103
  Documentation .... 105
  Cost Analysis .... 106
  Document Control .... 107
  Funding and Legal Issues .... 108
  Hazard Mitigation .... 108
  Assessing Strategies .... 112
  Mutual Aid .... 114
  Strategic Plans .... 116
  Crisis Communication, Teams, and Reporting Relationships .... 117
  Recovery Strategies .... 119
  Review .... 120
  Usage of Vendors/Consultants .... 122
  Presenting Strategies to Management .... 123

Chapter Five - Emergency Response and Operations .... 129
  Overview .... 129
  Emergency Response vs. Emergency Management Plans .... 129
  Response Procedures .... 131
  External Support and Involvement .... 132
  Program Coordinator and Advisory Committee .... 133
  Subcategories for Emergency Response and Operations .... 134
  Key Thoughts .... 134
  Control and Coordination .... 135
  Communications and Warnings .... 137
  Operations and Procedures .... 138
  Know Your Team Members .... 139
  Common Documentation .... 139
  Summary .... 141

Chapter Six - Documentation Requirements .... 143
  Overview .... 143
  Controlling the Documentation Process .... 144
  Basic Requirements of Documentation .... 149
  Strategies .... 155
  Documentation of Logistics .... 158
  Imperative Records .... 159
  For Use in an Emergency .... 160
  Keep it Simple .... 161
  Mitigation of Hazards .... 163
  Clarify Lines of Authority .... 165
  Areas of Documentation .... 167
  Training and exercising .... 168
  Crisis Communication .... 168
  Finance and administration .... 169
  Plan structure .... 169
  Documentation for your Hot Sites Procedures .... 173
  Backup sites .... 175
  Data Recovery .... 177
  Keys to Your Business Recovery .... 178
  Summary .... 181

Chapter Seven - Awareness and Training Programs .... 185
  Overview .... 185
  Organizations .... 186
  Methodology .... 189
  Service Level Agreements .... 191
  Corporate Awareness and Standards .... 194
  Budgetary Considerations .... 195
  Goals of your Training .... 197
  Important Considerations in your Training and Awareness Programs .... 198
  Coordination with Outside Entities .... 201
  Communications and Warning System .... 203
  Logistic and Facilities Considerations .... 204
  Crisis Communication and Public Information .... 205
  Finance and Administration .... 206
  Recommended Training Topics .... 208
  Evacuation .... 209
  Information Security .... 210
  Logistics and Transportation Training .... 210
  Conducting an Exercise .... 211
  Final Check List .... 212
  Summary .... 213

Chapter Eight - Maintaining and Exercising your Plans .... 215
  Overview .... 215
  Maintain and Exercise Plans .... 216
  Testing/Exercising your plans .... 218
  Improvement .... 219
  Regulations and Best Practices .... 220
  Evaluating your plans .... 221
  Pre-Plan .... 222
  Testing Considerations .... 223
  Unplanned Tests .... 224
  Test/Exercise Strategy .... 228
  Exercise Scenarios .... 228
  Testing/Exercising 360 Degrees .... 229
  Maintenance and Reporting Procedures .... 231
  Outsource Test/Exercise .... 232
  Service Level Agreements .... 234
  Create Awareness .... 237
  Identifying Shortfalls .... 237
  Summary .... 240

Chapter Nine - Public Relations and Crisis Coordination .... 245
  Overview .... 245
  Be Proactive .... 246
  Proactive Public Relations .... 247
  Developing your Team .... 248
  Only Authorized Personnel .... 251
  Crisis Management and Public Relations Triage .... 253
  Social Media in Crisis Management and Public Relations .... 254
  Stop Gap Measures .... 255
  Addressing the Media .... 256
  Press and the First Day .... 257
  Interface with the Incident Command System .... 259
  Senior Management .... 261
  Public Relations Team Members .... 262
  Vendors .... 263
  Types of Questions for other entities .... 265
  Key Elements in Plans .... 267
  Key Questions .... 268
  Team Requirements .... 269
  External Agencies .... 273
  Summary .... 275
  Action Steps .... 276

Chapter Ten - Coordination with Public Authorities .... 279
  Overview .... 279
  Emergency Preparations .... 279
  Laws and Regulations .... 281
  Planning .... 284
  Public Authorities Support .... 285
  Grants .... 289
  FEMA Emergency Support Functions .... 291
  Emergency Support Functions .... 293
  Summary .... 302

Chapter Eleven - Gap Analysis .... 307
  Overview .... 307
  Gap Analysis vs. Audit .... 307
  Preparing Questions and Score Sheet for Evaluation .... 310
  Evaluating .... 312
  Gap Analysis Scope .... 315
  Crisis Communications .... 316
  Sample Check List .... 317
  How to Conduct the Gap Analysis .... 318
  Verification .... 319
  Key Thinking Process .... 320
  Important Test/Exercise Factors .... 320
  Mapping .... 322
  Business Continuity .... 324
  Controls .... 327
  Strategies .... 329
  Communications .... 331
  Training .... 331
  Succession Planning .... 332
  Summary .... 332
  Sample Final GAP Analysis Results Presentation to Leadership .... 333

Chapter Twelve - Restoration Planning .... 335
  Overview .... 335
  Restoration Considerations .... 336
  History of Restoration .... 336
  Restoration Lists and Resources .... 337
  Which Vendor or Restore Internally .... 338
  Areas of Restoration .... 339
  Document Restoration .... 344
  Physical Building .... 346
  Technology Restoration .... 347
  Consider damage control .... 349
  Carefully Planning Restoration .... 349
  When Not to Destroy and Not Records .... 350
  Vendor Considerations .... 352
  Disaster Experience .... 353
  Company Expertise .... 353
  Longevity .... 354
  Insurance .... 354
  Insurance Funded Work .... 354
  Financial Strength .... 355
  Size of Staff .... 355
  Equipment .... 356
  Survivability .... 356
  Number of Office Locations .... 356
  Number of Company Owned Offices .... 356
  Contact Methods & Timing .... 357
  Company Expertise .... 358
  Longevity .... 358
  Insurance .... 358
  Insurance Funded Work .... 359
  Financial Strength .... 359
  Number of Office Locations .... 359
  Number of Company Owned Offices .... 359
  Choosing a Consultant .... 360
  Restoration Vendors .... 363
  Summary .... 365

Chapter Thirteen - Final Recap of Key Areas .... 367
  Overview .... 367
  Setting Up Risk Assessment and Business Impact Analysis .... 368
  Vulnerabilities and Threats .... 368
  Risk Focus .... 370
  Communicating .... 372
  Documentation .... 372
  Considerations .... 373
  Change Management .... 374
  Strategies .... 375
  Scope .... 377
  Methodologies Decisions .... 378
  Cost Benefit Analysis .... 379
  Dependencies .... 380
  Scenarios .... 381
  Restoration and Backups .... 382
  Mitigation .... 383
  A summary of scenarios to consider at a minimum .... 383
  Tying it All Together .... 385

Contact the Author .... 389
Continued Learning with Dr. Michael C. Redmond, PhD .... 390
Sections of Audio Training .... 391

Chapter Four - Business Continuity Strategies

Overview

Regardless of the definition given, there will always be another best practice out there or another professional practice or standard that uses a different definition, but they have the same meaning.

Determine and guide the selection of alternative business recovery operating strategies, including everything needed to keep the organization in business:

- Equipment
- People
- Resources

Pre-Strategy Development/Review

Before you develop or implement a strategy to eliminate a hazard, or to mitigate the effect of a hazard that cannot be eliminated, review your Risk Assessment again, and your impacts. You absolutely must have covered in detail the Risk Assessment and the Business Impact Analysis. You cannot skip those sections.

If you know you have a poor roof, you can probably mitigate the problem by fixing the roof.

However, the fact remains that in some cases, even with proper planning, things happen that the organization is not prepared for and may need to recover from.

That is why you do the Business Impact Analysis. Once you know the impact of something, then you can decide whether you are going to develop a strategy to mitigate it, or whether you are going to develop a strategy to recover from it.

A previous example was having an old car. You may choose to mitigate an accident by putting in new brakes because you decide the impact is too high not to. You may choose not to mitigate by making it rustproof; because it’s so old, it probably will not make it another few months anyway. You may decide just to recover by fixing any holes that appear. It depends on what the impact and the associated cost will be.

Base the mitigation strategy on:

- Business Impact Analysis
- Cost Benefit Analysis
- Hazard Identification
- Risk Assessment
- Your operational experience

Advisory Committee and Records Review

When your Risk Assessment and Business Impact Analysis are complete, have a Strategies introductory meeting with your Advisory Committee.

Remember that your advisory committee should already have committee members on it including:

- Engineering
- Environment
- Finance
- Health and Safety
- Information Technology
- Legal
- Maintenance
- Personnel
- Plant operations
- Public Relations
- Risk Management
- Security
- Transportation

It should include someone from the stakeholders, fire and rescue, public works and maybe even the National Guard. It might even include Homeland Security, stakeholders, and the military. Add members based on whomever you think you are going to need as advisors.

Every phase in Business Continuity planning should involve meetings with the key players including your advisory committee. At this meeting, you will review all of the risks that came up in your Risk Assessment, and you will review all of the impacts from the Business Impact Analysis. Ensure you do a complete records review prior to this meeting so that you remember everything. Sometimes, a few months may have passed before you actually start working on the strategies, and although you think you will remember all the impacts, you may have forgotten something. So make certain you review the facilities.

- What were the impacts to the structure?
- What were the impacts to personnel, the prophecies for every risk?
- What about the products, activities, equipment, and materials?

Take many photographs during your Risk Assessment phase, so that now in the strategy development phase, you can depict some of the areas requiring shoring up.

Put together your “maybe” list of things you could possibly do for each area at this point. This is a brainstorming session. Consider everything you might do to mitigate situations, or recover from them. You may choose to prepare both a mitigation strategy and a recovery strategy for each area to present to Management. Then they can make the informed determination which way they would like to go, depending on how costly each strategy is.

Records Protection

Develop strategies for protecting vital records. Unfortunately, there were many companies that used an Off Site Storage Vendor to store their records, and of course, they believed them to be safe because that was the Off Site Storage Vendor’s core business. However, the Off Site Storage Vendor did not have a good Business Continuity Plan, and all these corporations’ plans, all of their documents, all of their vital records were destroyed. Worse still, the back-up copies were destroyed in some cases. In other cases, the originals were destroyed because the off-site vendor that they chose did not have a good Business Continuity Plan.

Ensure that the vendors you are using have a Business Continuity Plan in place. You should absolutely require that they have an audit done ahead of time, a Gap Analysis by an independent third party, and that they can show you the results. Perhaps your records happen to be all in one room. Consider splitting the vital records up into different rooms or different buildings. Consider taking your Data Center and splitting it up into two or three different locations.

Include a provision for protected systems or equipment. Remember, you cannot forget your security, particularly your Information Security. Cyber Security is critical in a recovery mode. It is very simple for someone to set your building on fire to have everybody evacuate the building, hoping to leave you vulnerable.

So far, you have already ensured detailed control practices in the prior phases:

- You know what compliance documents you need pertaining to records.
- You have documented all of your interviews, so if you have additional questions you can go back to the same person that you spoke to in the risk section or in the impact section.
- You are going to review your working papers just one last time.

This sounds repetitive and just common sense, but many entities failed to go back and double check, with negative results.

Strategy Brainstorming

A great deal of “pre-thinking” goes into strategy development. If more entities would spend two weeks just brainstorming they would save a fortune in recovery costs, a fortune! This is the phase that most companies, most entities, most government agencies race through. It is especially important just to brainstorm. Sometimes a simple idea can come from somebody on the line who works with it every single day. When you are coming up with strategies, try to speak to people about it. “These are the situations we are considering, these are the impacts, and does anybody have any ideas?” Do not make the mistake of thinking that you know all the ideas or strategies. The greatest ideas have not even been considered yet!

Once you have some different strategies you are contemplating, you may want to have a vendor day where you bring one vendor in for each strategy and have them educate you. Tell the vendors ahead of time that you may not end up using their services, but certainly do let them bid in exchange for coming in and educating you.

Before you even decide on corrective actions for the strategies, you’ll need to decide the resources needed for each strategy.

- How do you get approval for compliance, if in fact, you are going to miss deadlines?
- How is training done? Do you have a strategy on how you are going to exercise, evaluate, and do corrective actions during your testing?
- How much additional equipment or facilities are needed?
- In terms of Finance and Administration, how are you going to deal with strategies for payroll, strategies for accounting systems, and tracking document costs? Think through now every strategy that you are going to be utilizing later on in the plan.
- What if you are a trading firm and you cannot clear?
- Will additional personnel be needed?
- Will additional training be required?

Communication With Your Team

Conduct daily briefings with everybody on your different teams. These briefings can be short phone conference calls. Just make sure everybody’s strategies are consistent.

This is important when you have different departments and one department is saying, “If X happens, we are just going to work at home. It’s not a problem.” The other department is saying, “If X happens, we need to be co-located with this department in order for our strategies to work.” Now you have two different strategies, and what often happens is that you wind up with very different approaches. Coordinate to ensure everyone is working towards the same goal.

- You will want to find a system for documenting your findings. There are commercial software packages available that are great, but you can also use Word or Excel if you have a small organization. It does not matter so much what software you use, as long as you are documenting all of your findings in a simple format that everyone will be able to use.
- Establish an agenda of exactly how you are going to approach the strategies and how to use your time wisely. Strategies often take years to put together, but they should take no more than months. Keep a balance bet
