Business Continuity Planning (BCP) Fundamentals
t BCP Fundamentals n e m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Definition of a Business Continuity Plan (BCP)
A plan that focuses on continuity of delivery of product and services to customers in the aftermath of a catastrophic event.
An event does not need to include physical damage to be catastrophic. Loss of a key sole-source supplier or product performance issues can also be catastrophic.
Results of being unprepared • • • • • •
Facility closings Loss of Revenue Loss of Market Share Erosion of Stock Prices Regulatory Intervention Impugned Reputation
(impacts employees) (impacts employees/stakeholders) (impacts employees/stakeholders) (impacts investors) (impacts customers/investors) (impacts community at large)
t
BCP Fundamentals n e
m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Overall Scope
An effective BCP should address as many exposures as possible:
9 9
9 9
9
Fire, Explosion Tornado, Flood, Hurricane, Earthquake Terrorism/Bio-terrorism Contingent Interruption (e.g. vendor, supplier, partner, regulator) IM Interruption
9
9 9 9 9 9
Product Contamination/Recall Hazardous Material Spill Widespread Medical Crisis Theft, Vandalism Bomb Threat Deranged Individual
t
BCP Fundamentals n e
m u c o e Elements of the BCP ProgramD s u d e e t t 9Emergency Response c a e v t i r o r p 9Incident Management p r t o f h g y i l 9Business Recovery r n y p O o C
t
BCP Fundamentals n e
m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C PLANNING, PLANNING,
RISK CONTROL
RISK CONTROL
Incident Crisis
RISK ASSESSMENT RISK CONTROL (Mitigation) PLANNING,
Hours
Days
EMERGENCY EMERGENCY RESPONSE RESPONSE
INCIDENT CRISIS MANAGEMENT MANAGEMENT
Weeks - Months
OPERATIONS BUSINESS RECOVERY RECOVERY
t
BCP Fundamentals n e
m u c o Overall Scope, e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C continued
The entire “value chain” should be addressed:
The Extended Enterprise
KEY
KEY SUPPLIER SUPPLIER
EXTERNAL CUSTOMER CUSTOMER
SUB SUPPLIER SUB VENDOR
KEY CONTRACTOR
KEY KEY VENDOR CONTRACTOR
PRIMARY PRIMARY FACILITY FACILITY
nd PARTY 2INTERNAL ‘CUSTOMER’ CUSTOMER
(e.g., warehouse)
EXTERNAL CUSTOMER
SUB CONTRACTOR
PARTNER
EXTERNAL CUSTOMER CUSTOMER
t
BCP Fundamentals n e
m u c o e Overall Scope, D s u d Key vulnerabilities should be identified and used as a basis e e t t for developing a recoverycstrategy for: a e v t i r o r p p r t o f h g y i l r n y p O o C continued
1. Loss of manufacturing operations 2. Loss of logistics operations
3. Loss of information management
4. Loss of a key sole - or single - source vendor or supplier
t
BCP Fundamentals n e
m u c o Overall Scope, e D s u d An effective BCP should consider: e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C continued
9 Revenue-generating operations 9 Facilities Management
9 Voice/Data Communications (IM) 9 Vital Records
9 Quality Control 9 Security
9 Regulatory Requirements 9 Public/Media Relations
t BCP Fundamentals n e m u c Objectives and Goals o e D s Business continuity should:d u e e t t c a e v t i r o r p p r t o f h g y i l r n y The end product should: p O o C
9
9 9
9
Be an action-oriented process responding to a range of catastrophic events Search out and address all significant exposures Focus on quickly restoring functionality, not necessarily on restoring a facility Be described in a plan that is concise, easily used and has substance
9 9 9 9
Be integrated in overall business strategy Be leveraged as a support for growth Be precommunicated to site managers Be kept up-to-date
t
BCP Fundamentals n e
m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Benefits of having a BCP Process
Functional recovery: 9
Continue meeting customer needs
9
Sustain market share/revenue flow
9
Retain advantage from R&D activities
Favorable underwriting positions (re: Property and Business Interruption
Insurance)
Managed risk (e.g. reduced severity): 9
Identify significant existing exposures
9
Define and act on mitigation steps where practical
A stable and/or strengthened reputation
Enhanced due diligence: 9 9
Part of management’s fiduciary responsibility Preventing shareholder/stakeholder suits
t
BCP Fundamentals n e
m u c Possible Solutions o e D s Continuity of products andd services u to customers can be achieved by a number of mechanisms, including e e t t c but not limited to: a e v t i r o r p p r t o f h g y i l r n y p O Some solutions could contradict the way in which o C some Company teams have become accustomed to
1. 2. 3. 4.
Use of buffer inventory Use of alternative capacity Restoration of impaired operations Aggressive protection
thinking.
t
n BCP Fundamentals e
m u c o Possible Solutions e D s u d Whatever the appropriate solution, regulatory agency e e t t c involvement adds another important a e rivespecially in setting t parameter to beoconsidered, r p recovery timelines. p r t o f h g Temporary loss of healthcare related products such as y i l r n Pharmaceuticals and Medical Devices would have a y p O greater negative impact on customers, and thus would o C necessitate more detailed and robust BCPs. , continued
(the FDA in the US)
t
BCP Fundamentals n e
m u c Criteria for Success o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C • • • • • • • • • • •
Involve senior managers throughout (it’s their plan) Don’t start until senior management buys into the process View business continuity plan as a pyramid – start at the top Build high-level action plans first (flowcharts are best) Collect supporting information and data as a second step Set a limit on size – this involves usefulness as well as perception Do not mimic the New York City or London Telephone Book Be realistic in designing the plan – don’t over design!! Do not get bogged down in minutia Test the results Do not focus exclusively on IM.
t
BCP Fundamentals n e
m u c Support for Plan Development o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C
During plan development, each Company should have a seniorlevel steering committee for BCP: 9 9 9
The committee provides overall philosophical and strategic guidance Key issues addressed are recovery time and critical exposures Membership should consist of Operations, Customer Service, Finance, Legal, etc.
After a BCP has been completed: 3
3 3 3
A manager should be tasked as the keeper of the BCP The plan should be a controlled document (both paper and electronic formats) Periodic updates should be scheduled (annually?)
3
Periodic tabletop tests should be conducted (annually?)
t
BCP Fundamentals n e
m u c o e BCP Emphasis D s u d e e Ensure Business Continuity Planstare certified for critical t c a operations worldwidee v t i r o Ensure the following steps in the BCP process are r p p understood and communicated: r t o f h g y i l r n y p O o C •
•
– – – – –
Alignment Meetings Draft BCP Document Table-top Exercise Validation Revalidation
t
BCP Fundamentals n e
m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Company Strategic Plan
Workshop (Training)
Corporate BCP Review/Assessment
Plan Development
Sector Alignment Meeting
Draft BCP
Tabletop Exercise
Validation
Critical Suppliers & External Mfgs.
Revalidation Process
BCP Review (Periodic/Change)
Update BCP
Tabletop Exercise
Revalidation
Implement BCP