Business Continuity Planning - Fundamentals

Business Continuity Planning (BCP) Fundamentals

t BCP Fundamentals n e m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Definition of a Business Continuity Plan (BCP)

A plan that focuses on continuity of delivery of product and services to customers in the aftermath of a catastrophic event.

An event does not need to include physical damage to be catastrophic. Loss of a key sole-source supplier or product performance issues can also be catastrophic.

Results of being unprepared • • • • • •

Facility closings Loss of Revenue Loss of Market Share Erosion of Stock Prices Regulatory Intervention Impugned Reputation

(impacts employees) (impacts employees/stakeholders) (impacts employees/stakeholders) (impacts investors) (impacts customers/investors) (impacts community at large)

t

BCP Fundamentals n e

m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Overall Scope ‰

An effective BCP should address as many exposures as possible:

9 9

9 9

9

Fire, Explosion Tornado, Flood, Hurricane, Earthquake Terrorism/Bio-terrorism Contingent Interruption (e.g. vendor, supplier, partner, regulator) IM Interruption

9

9 9 9 9 9

Product Contamination/Recall Hazardous Material Spill Widespread Medical Crisis Theft, Vandalism Bomb Threat Deranged Individual

t

BCP Fundamentals n e

m u c o e Elements of the BCP ProgramD s u d e e t t 9Emergency Response c a e v t i r o r p 9Incident Management p r t o f h g y i l 9Business Recovery r n y p O o C

t

BCP Fundamentals n e

m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C PLANNING, PLANNING,

RISK CONTROL

RISK CONTROL

Incident Crisis

RISK ASSESSMENT RISK CONTROL (Mitigation) PLANNING,

Hours

Days

EMERGENCY EMERGENCY RESPONSE RESPONSE

INCIDENT CRISIS MANAGEMENT MANAGEMENT

Weeks - Months

OPERATIONS BUSINESS RECOVERY RECOVERY

t

BCP Fundamentals n e

m u c o Overall Scope, e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C continued

The entire “value chain” should be addressed:

The Extended Enterprise

KEY

KEY SUPPLIER SUPPLIER

EXTERNAL CUSTOMER CUSTOMER

SUB SUPPLIER SUB VENDOR

KEY CONTRACTOR

KEY KEY VENDOR CONTRACTOR

PRIMARY PRIMARY FACILITY FACILITY

nd PARTY 2INTERNAL ‘CUSTOMER’ CUSTOMER

(e.g., warehouse)

EXTERNAL CUSTOMER

SUB CONTRACTOR

PARTNER

EXTERNAL CUSTOMER CUSTOMER

t

BCP Fundamentals n e

m u c o e Overall Scope, D s u d Key vulnerabilities should be identified and used as a basis e e t t for developing a recoverycstrategy for: a e v t i r o r p p r t o f h g y i l r n y p O o C continued

1. Loss of manufacturing operations 2. Loss of logistics operations

3. Loss of information management

4. Loss of a key sole - or single - source vendor or supplier

t

BCP Fundamentals n e

m u c o Overall Scope, e D s u d An effective BCP should consider: e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C continued

9 Revenue-generating operations 9 Facilities Management

9 Voice/Data Communications (IM) 9 Vital Records

9 Quality Control 9 Security

9 Regulatory Requirements 9 Public/Media Relations

t BCP Fundamentals n e m u c Objectives and Goals o e D s Business continuity should:d u e e t t c a e v t i r o r p p r t o f h g y i l r n y The end product should: p O o C ‰

9

9 9

9

Be an action-oriented process responding to a range of catastrophic events Search out and address all significant exposures Focus on quickly restoring functionality, not necessarily on restoring a facility Be described in a plan that is concise, easily used and has substance

‰

9 9 9 9

Be integrated in overall business strategy Be leveraged as a support for growth Be precommunicated to site managers Be kept up-to-date

t

BCP Fundamentals n e

m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Benefits of having a BCP Process ‰

‰

Functional recovery: 9

Continue meeting customer needs

9

Sustain market share/revenue flow

9

Retain advantage from R&D activities

Favorable underwriting positions (re: Property and Business Interruption

Insurance)

‰

Managed risk (e.g. reduced severity): 9

Identify significant existing exposures

9

Define and act on mitigation steps where practical

‰

A stable and/or strengthened reputation

‰

Enhanced due diligence: 9 9

Part of management’s fiduciary responsibility Preventing shareholder/stakeholder suits

t

BCP Fundamentals n e

m u c Possible Solutions o e D s Continuity of products andd services u to customers can be achieved by a number of mechanisms, including e e t t c but not limited to: a e v t i r o r p p r t o f h g y i l r n y p O Some solutions could contradict the way in which o C some Company teams have become accustomed to ‰

1. 2. 3. 4.

Use of buffer inventory Use of alternative capacity Restoration of impaired operations Aggressive protection

‰

thinking.

t

n BCP Fundamentals e

m u c o Possible Solutions e D s u d Whatever the appropriate solution, regulatory agency e e t t c involvement adds another important a e rivespecially in setting t parameter to beoconsidered, r p recovery timelines. p r t o f h g Temporary loss of healthcare related products such as y i l r n Pharmaceuticals and Medical Devices would have a y p O greater negative impact on customers, and thus would o C necessitate more detailed and robust BCPs. , continued

‰

(the FDA in the US)

‰

t

BCP Fundamentals n e

m u c Criteria for Success o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C • • • • • • • • • • •

Involve senior managers throughout (it’s their plan) Don’t start until senior management buys into the process View business continuity plan as a pyramid – start at the top Build high-level action plans first (flowcharts are best) Collect supporting information and data as a second step Set a limit on size – this involves usefulness as well as perception Do not mimic the New York City or London Telephone Book Be realistic in designing the plan – don’t over design!! Do not get bogged down in minutia Test the results Do not focus exclusively on IM.

t

BCP Fundamentals n e

m u c Support for Plan Development o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C

During plan development, each Company should have a seniorlevel steering committee for BCP: 9 9 9

The committee provides overall philosophical and strategic guidance Key issues addressed are recovery time and critical exposures Membership should consist of Operations, Customer Service, Finance, Legal, etc.

After a BCP has been completed: 3

3 3 3

A manager should be tasked as the keeper of the BCP The plan should be a controlled document (both paper and electronic formats) Periodic updates should be scheduled (annually?)

3

Periodic tabletop tests should be conducted (annually?)

t

BCP Fundamentals n e

m u c o e BCP Emphasis D s u d e e Ensure Business Continuity Planstare certified for critical t c a operations worldwidee v t i r o Ensure the following steps in the BCP process are r p p understood and communicated: r t o f h g y i l r n y p O o C •

•

– – – – –

Alignment Meetings Draft BCP Document Table-top Exercise Validation Revalidation

t

BCP Fundamentals n e

m u c o e D s u d e e t t c a e v t i r o r p p r t o f h g y i l r n y p O o C Company Strategic Plan

Workshop (Training)

Corporate BCP Review/Assessment

Plan Development

Sector Alignment Meeting

Draft BCP

Tabletop Exercise

Validation

Critical Suppliers & External Mfgs.

Revalidation Process

BCP Review (Periodic/Change)

Update BCP

Tabletop Exercise

Revalidation

Implement BCP