OSU Enterprise Continuity Planning

1
All content (except for those slides with the
Strohl Systems logo) is the intellectual
property of The Ohio State University.
2
Agenda

• Continuity Planning Overview
• Program Methodology
• Phases 1 3 Overview
• LDRPS Software
• Potential Next Steps

3
Continuity Planning Overview
4
Continuity Planning Objective
Somewhere in Time. a Disaster Lurks !
Its A Race Against Time
RTO
Respond Recover Quickly
DANGER ZONE Lose Lives Lose Students Lose
Revenues
Plan Prepare
5
What is Business Continuity Planning?
Process of developing advance arrangements and
procedures that enable an organization to respond
to an event in such a manner that critical
business functions continue with planned levels
of interruption or essential change. --
Disaster Recovery Journal / DRIIs Business
Continuity Glossary
6
Dont Get Stuck on the Name

• Business can be
• Research
• Patient care
• IT system management
• Classroom teaching
• Operations
• Service offerings
• Lines of business
• (Basically, whatever you do)

7
Flow of Incident Response
Emergency Response (Fire Dept., Public Safety,
EHS, Others)
University Emergency Operations Center (EOC) if
needed (University Leadership)
ACTION ( Owner)
Evacuation / Shelter-in-Place (All Affected)
Business Continuity (Individual Units /
Departments)
Time
Comprehensive Emergency Management Plan
(Emergency Management Coordinator)
Continuity Plans (Individual Units / Departments)
Federal, State, Local, and OSU Guidelines
Building Emergency Action Plan formerly EOEP
(EHS)
Guiding Document
8
Continuity versus Disaster Recovery

• What is the difference between Business
  Continuity and Disaster Recovery?
• Business Continuity typically deals with
  identifying key business processes and figuring
  out how to maintain them in times of disaster
• Disaster Recovery typically deals with the
  recovery of key IT systems or data
• We will focus on continuity planning, while still
  leaving room for you to develop disaster recovery
  plans

9
Central Program Office Integration
Risk Management
A
Reputation Management
Emergency Management
E
B
ECM Program Continuity Management
D
C
Stakeholder Management
Disaster Recovery
10
Primary Objectives

• Save lives, revenue, reputation
• Control chaos improve reactions
• Limit negative effect of damages
• Reduce recovery time / costs
• Bottom line Keep the University operational
• 43 of businesses experiencing a major disruption
  never resume
• 51 shut down within 2 years

Aero Med helicopter crashed into the roof of
Spectrum Health (Grand Rapids)
Source U.S. Bureau of Labor and Statistics
11
Potential Secondary Benefits

• Closer alignment with business goals
• Increased credibility
• Improved customer service / loyalty
• Quality improvements
• Expense reduction
• Transparency of costs and benefits
• Team building
• Eliminated / mitigated risks
• Improved budget planning / justification

Source Continuity Insights and HPs Executive
Business Continuity Study (2005)
12
Current Industry Drivers

• Federal Legislation
• Public Law 110-53
• Sarbanes-Oxley
• USA Patriot Act
• HIPAA
• (Higher Education Opportunity Act of Public Law
  110-315)
• (Federal Grant / Endowment Regulations)
• Attacks / Natural Disasters
• Virginia Tech, DSU, NIU
• Northeastern seaboard power outage
• West coast forest fires
• Hurricanes
• 9/11
• Business Strategy
• Secondary Benefits

13
Program Methodology
Putnam County 2007 OSU Extension Office Flood
Pictures
14
Brief ECM Program History

• External auditors OSU must undertake enterprise
  continuity planning
• 2004 Planning software (LDRPS) customized
• 2004 Pilot groups started
• 2005 Key operational units started
• 2006 Pandemic flu planning initiated
• 2007 Presidents Cabinet made recommendation
• Current governance
• BCP Advisory Board 70 cross-university members
• BCP Steering Committee 15 major area
  coordinators

On October 4, 2006, the Presidents Cabinet
Senior Management Council recommended that a
schedule be established for all non-academic
units to complete a business continuity plan to
begin January 1, 2007 A target of 4 years
should be established for all departments / units
to complete plans.
15
High Level Status
16
Anticipated Planning Lifecycle
FOUNDATION SEM Plan (Phase 1)
BUSINESS PROCESSES (Phase 2)
ASSETS, RISKS, EXERCISE (Phase 3)
2-6 sessions
1-3 sessions
2-6 sessions
Dedicated planning session (1.5 hrs) every two
weeks

• Ongoing Maintenance
• Department owns and maintains plan(s)
• Department updates plan every six months and
  runs yearly exercises
• ECM Program sends update reminders and provides
  support as needed

17
Phase One Focus

• Site Event Management (SEM) plan
• Concentrates on the first 4 hours (approximately)
  following an incident
• Localized (not regional) incident
• Focus
• Rolodex of contact information
• Teams and tasks to effectively manage the
  situation
• Alternate locations

18
Phase Two Focus

• Continuity of business processes
• Concentrates on identifying and continuing key
  business processes
• Focus
• Business Impact Analysis (BIA)
• Continuity tasks (three scenarios)

19
Phase Three Focus

• Asset requirements
• Risk identification
• Exercise preparation

2008 Windstorm
20
Pandemic Flu and Continuity Planning Convergence
Contact Information (Used by both)
Continuity Planning (only)
Process Information (Used by both)
Pandemic Preparation (only)

• Call Tree
• Internal Staff
• Vendors
• OSU Depts / Agencies
• Key OSU Staff

• List of essential services offered specifically
  during outbreak
• Approach to flu vaccination and education
• (Any additional preparation / mitigation
  activities specific to pandemic flu scenario)

• Prioritized list of all processes / functions

• Emergency Response teams and tasks
• Scored list of all processes / functions
• Continuity tasks for key processes
• List of critical assets
• (Exercises)

Consider whether it is beneficial to capture
general v. pandemic-specific information in
separate lists. E.g., obtaining additional
supplies preparing work-at-home options
undertaking awareness and education initiatives
drafting HR, security, sanitation, and
communication policies and procedures.
21
LDRPS Software
Georgia-Pacific, Columbus, 1997
22
LDRPS and Strohl Systems

• LDRPS Living Disaster Recovery Planning
  System
• Strohl Systems
• Used by over half of Fortune 500 companies (and 9
  of top 10)
• 26 of top 30 insurance companies
• 12 of top 15 commercial banks
• 7 of top 9 aerospace and defense companies
• World-wide industry representation
• Recently acquired by SunGard

23
LDRPSs Easy Approach to Plan Building
1) Database / Dictionaries
2) Plans
3) Reports
2
24
BCP Federation

• Cleveland State University
• NEOUCOM
• Office of Budget Management
• Shawnee State University
• The Ohio Board of Regents
• The Ohio State University
• The University of Akron
• Wright State University
• Youngstown State University

For the State of Ohio
25
Potential Next Steps
26
Next Steps

• Examine additional existing documentation
• Develop a roll-out strategy

2008 Ag Admin Building Pipe Burst
27
Typical Work Group Process

• Schedule a dedicated meeting
• 1.5 2 hours
• Every two weeks
• Identify persons for the following roles
• Plan owner responsible for content
• Plan manager administers / maintains plan
• Alternate plan manager alternate
• Coordinator (optional) coordinates people and
  meetings
• Invite others to meeting as needed

28
THANK YOU!!!

• Questions?
• Comments?

29
Appendix A Additional Statistics

• Around half of all businesses experiencing a
  disaster with no effective plans for recovery
  fail within the following 12 months
• Banks, investors, insurers, customers and
  suppliers will take a company that has a business
  continuity plan much more seriously
• 20 of small to medium size businesses suffer a
  major disaster every five (5) years
• 93 of companies that suffer a significant data
  loss are out of business within five (5)
  years
• In the decade after Columbine, the U.S. saw 80
  more school shootings

http//www.londonprepared.gov.uk/businesscontinui
ty/essentialdocs/ http//www.londonprepared.gov.
uk/businesscontinuity/faqs/4 Richmond House
Group US Bureau of Labor James, Susan
Donaldson, Surviving Columbine What We Got
Wrong, abcnews.go.com/Health/MindMoodNews/story?i
d7363898page1
30
Appendix B Higher Education Major Disasters,
1999-2008
31
Appendix C Katrinas Effect on Universities

• Higher Education Totals
• 1.2 billion in estimated physical damage to the
  campuses
• Potential losses of 230 million in tuition
• Hundreds of millions more in salaries and
  benefits paid to faculty and staff not working

Source Recovering by Degrees by Kathy Gray,
Columbus Dispatch, 6/18/06 Source Adding up
the Damage, Inside Higher Ed, 11/14/05