1. CBIZ RISK & ADVISORY SERVICES BUSINESS CONTINUITY PLANNING Developing a Readiness Strategy that Mitigates Risk and is Actionable and Easy to Implement FEBRUARY 18, 2016

2. 2 Disruptions to Your Business StormsFireNetwork Outage FloodEarthquakeCivil Disturbance PandemicSnow StormBomb Threat Road ClosureVendor IncidentCyber Incident

3. 3 Clients, Regulatory Agencies and Board Committees are Seeking to Mitigate Risk Organizations are having to demonstrate their abilities in the following areas:  Develop plans that will address widespread events and interruptions  Ensure personnel are trained on the plan  Store plans and critical files remotely for easy access  Communicate with clients and employees  Update plans regularly  Test regularly

4. 4 How do you react? How do you RESPOND to an incident? How do you RECOVER from an incident?

5. 5 Having a Plan to Deal with the Unexpected… A process whereby businesses can  Respond to an incident  Recover critical business operations, including services to customers when confronted with adverse events such as natural disasters, technological failures, human error or other unplanned incidents.

6. 6 Having a Plan to Deal with the Unexpected… More simply described… It is a coordinated strategy involving plans that assures your business has the ability to continually meet your customers’ needs if faced with an unplanned business disruption.

7. 7 Why Have a Plan?  Reduce reliance on key personnel  Protect assets  Increase the safety of all personnel  Minimize decision making during the recovery  Reduce delays during the recovery process  Provide a sense of security  Limit potential exposure and reduce legal liability  Provide organizational stability

8. 8 Why Have a Plan?  Maintain continuity of operations, stay in business!  Maintain customer service  Relocate critical operations quickly  Minimize financial losses  Reduce disruptions to critical operations  Achieve an orderly recovery  Comply with legal, contractual, audits, and government regulations

9. 9 Different Types of Plans  Incident Management Plan Response & Communication  Business Continuity Plan Business Recovery  IT Disaster Recovery Plan Technology Recovery  Evacuation Plan Life and Safety Procedures

10. 10 Incident Management Plan (Response)  Incident Management Team & Roles  Reference Life/Safety Procedures  Responding to an Incident-Tasks & Assignments  Damage Assessment Procedures  Declaring An Incident  Command Center/Alternate Work Site Location  Communication Planning- Notification Procedures  Initiate BCP Recovery Team

11. 11 Business Impact Analysis (BIA)  Interview key business process owners and leadership within the company to identify functions, risks and recovery objectives.  Document findings by functional areas-departments  Identify recovery strategies  Summarize approach into Business Continuity Plan

12. 12 Business Continuity Plan (Recovery)  Assigned BCP Recovery Team & Roles  Prioritized Critical Functions & Recovery Time Objectives  Critical Roles, Assignments, Backup Lead/Staff Resources  Critical IT Equipment, Systems & Data Files-Prioritized  Loss of Facility-Alternate Work Space Strategy  Loss of Vendor/Service Provider Dependencies Strategy  Loss of People Strategy  Loss of Technology Strategy

13. 13 IT Disaster Recovery Plan  IT Infrastructure Overview  Systems Overview  IT Recovery Strategies  Inventories  System Recovery Procedures  Tasks & Assignments  Technical Specifications  Vendor Dependencies

14. 14 Usability Is the implementation of the Plan easy to understand by everyone?  Can Executive Management & Crisis Team easily assess the emergency?  Do Department heads understand their roles during an incident?  Does the Plan prioritizes the most critical business functions? (Controls unnecessary documentation)  Are testing/training programs in place to review overall readiness?  Are /procedures developed for manual processing? (Is recoverability dependent on systems availability?)  Can procedures be followed by someone outside the critical function? (You cannot expect availability of all subject matter experts during an incident)

15. 15 Recoverability The most important recoverability requirements are often defined by your customers (internally and externally). What are their expectations?  Addresses requirement needs of clients and prospects – Business Continuity Planning and program maintenance is not an option with customers  Must be an ‘Actionable’ plan – continued availability of your services and support that is verifiable  Distinguishes you from your competitors

16. 16 Business Continuity Plan Life Cycle  What is in place today?  Define the Business Continuity Plan Project Objectives and Requirements, Scope, & Cost  Executive Support  Identify BCP Team Assignments  Establish Business Continuity Policies Discovery – Functional Requirements Strategies Planning Crisis Communications Exercise/Testing Maintaining/Updating Training/Awareness Project Initiation

17. 17 Business Continuity Plan Life Cycle  Identify client servicing needs and current regulation requirements  Site/Operational assessment/interviews (Business Impact Analysis)  What are the hazards/ threats/vulnerabilities? (Risk Assessment)  Key personnel interviews Strategies Planning Crisis Communications Exercise/Testing Maintaining/Updating Training/Awareness Project Initiation Discovery – Functional Requirements

18. 18 Business Continuity Plan Life Cycle  Where will we go?  How will we operate?  What will we do for our employees? Planning Crisis Communications Exercise/Testing Maintaining/Updating Training/Awareness Project Initiation Discovery – Functional Requirements Strategies

19. 19 Business Continuity Plan Life Cycle Create Business Continuity Plans:  Crisis Management-Incident Response  Site/Operational Recovery  IT/Systems Recovery Crisis Communications Exercise/Testing Maintaining/Updating Training/Awareness Project Initiation Discovery – Functional Requirements Strategies Planning

20. 20 Business Continuity Plan Life Cycle  Who approves the messages and when they are published?  How will we communicate to media?  How will we communicate with employees?  How will we communicate with customers? Exercise/Testing Maintaining/Updating Training/Awareness Project Initiation Discovery – Functional Requirements Strategies Planning Crisis Communications

21. 21 Business Continuity Plan Life Cycle  How often do we test?  Who will be involved?  What are the objectives?  Follow-up and lessons learned  Tabletop Exercise for developed plans Maintaining/Updating Training/Awareness Project Initiation Discovery – Functional Requirements Strategies Planning Crisis Communications Exercise/Testing

22. 22 Business Continuity Plan Life Cycle  Who is responsible?  How often should it be updated?  How do we communicate changes to the plan? Training/Awareness Project Initiation Discovery – Functional Requirements Strategies Planning Crisis Communications Exercise/Testing Maintaining/Updating

23. 23 Business Continuity Plan Life Cycle  Training people for preparedness  Home  Work  Understand their roles in recovery  Understand the business commitment to employees and clients Training/Awareness Project Initiation Discovery – Functional Requirements Strategies Planning Crisis Communications Exercise/Testing Maintaining/Updating

24. 24 Elements of an ‘Actionable’ BCP Program  Risk Evaluation Results and Controls  Business Continuity Defined Strategies  Emergency Response and Operational Procedures  Business Continuity Plans (Site /Dept), IT DR Plans  Testing and Exercises  Awareness & Training Program  Public Relations & Crisis Communication Procedures  Coordination with Public Authorities

25. 25 Business Continuity Planning An Ongoing Approach This is a process, not just a project.  Annual risk assessment/BIA, plus plan reveiws  Efforts for next year identified before budget cycle  Annual testing of at least some aspect of the plan  Ongoing BCP coordination

26. 26 Summary: Today (Year 1) Focus on:  Assessing impacts and risks.  Establish crisis management-response protocols to react to disruption.  Developing business recovery strategies that respond to assessed risks and impacts.  Testing strategies for viability, effectiveness, and to ensure solutions meet requirements.

27. 27 Summary: Business Continuity Tomorrow Evolve the Business Continuity Program to:  Utilize program as a way to establish risk control  Incorporate the program as part of business-as-usual and an extension of normal operations rather than reactive project.

28. 28 Thank You Mark Madar Financial Services Director CBIZ Risk & Advisory Services P: (216) 525-1956 E: mmadar@cbiz.com