Enterprise Resilience
What it is and why you need it
June 5, 2014
Rod Ratsma
Head of Resilience Advisory
Resilience and Introduction to BCM
Resilience – some definitions (Oxford English Dictionary)
“The ability of a substance or object to spring back into shape”
“The capacity to recover quickly from difficulties; toughness”
Resilience – why it’s important to you
• If your responsibility lies in IT recovery,
− then you’re here because you understand the importance that IT as a dependency has to your organisation
− BUT information technology is just one of many dependencies, and IT recovery on its own isn’t enough to protect the entire set of business processes needed by an organisation
• If your responsibility lies in business continuity management,
− you already understand the importance of full business process recovery
− BUT process recovery on its own isn’t enough; what about customers, brand, reputation, dependencies and the supply chain?
• If you are a leader in your organisation,
− you understand that your business is subject to a number of risks
− you have options about how you can treat those risks, and your stakeholders have a (limited) tolerance for making your problems into their problems
− AND it might well be you that has to deal with the fallout, both in terms of responsibility and (legal) consequences
It’s better that you are informed and seen as proactive
Enterprise resilience
Some thoughts from the media…
C-level execs: Disaster recovery is more than just an IT problem
One of the most challenging issues CIOs face is developing disaster
recovery (DR) plans that go beyond system recovery and focus on
overall business continuity. Is there a difference?
If you're a corporate shareholder, the (ITDR) process doesn't work that
way. You want to know the business can continue, and if you serve on
the company's board, you want to be able to assure people that the
company is not in ruins. The mouthpiece for this process is the CEO
and, in some cases, the public relations director -- not IT. In the
beginning stages of DR, nothing is more important to the public and the
stakeholders than communications
Source: Tech Republic May 2014
Enterprise resilience
Some thoughts from the media
“Cyber security is no longer sufficient to ensure business sustainability.
Yes, organizations need to defend themselves against potential attack,
but they must accept that some attacks will inevitably succeed.
Therefore, an organization’s cyber resilience is now the critical survival
factor – its ability to recover quickly once an attack has taken place.”
“Business continuity is unequivocally a boardroom responsibility, so
directors will have to increase the attention and resources they devote to
information security and resilience. For example, spending just 10
percent of the IT budget on security is no longer adequate to keep your
organization in business.”
Source: Alan Calder, Executive Chairman of IT Governance, May 2014
Enterprise resilience
Some thoughts from the media
“Recovery capabilities are stagnating”
One of the biggest challenges in DR today is the pressure between
business expectations for recovery objectives and technology
management’s ability to deliver on them. In fact, 35% of companies in
the 2013 Forrester/DRJ survey responded that mismatched business
expectations with technology capabilities was one of the biggest
challenges they faced when recovering from their most recent disaster
or major business disruption.
Source: Forrester Research Inc., “The State Of Business Technology Resiliency, Q2 2014”
Context
Your IT is resilient, but is your business resilient?
[Diagram: work area recovery; systems and data recovery]
A test for the unbelievers
Who said this?
“When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident... of any sort worth speaking about.
I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”
E. J. Smith, 1907, Captain, RMS Titanic
BCM – Main Components
Business Continuity Management
What is business continuity management?
The ability to respond to the cause(s) of an incident, and to recover from the effect(s) of an incident (and doing what you can to stop an incident from happening in the first place)
Business continuity management
The anatomy of an incident
[Chart: activity against time, showing three overlapping phases in sequence: incident response, crisis management, and business and operational recovery]
Let’s imagine an incident right now!
Business continuity management
Emergency response
• Incident identification
• Initial escalation
• Initial assessment
• Initial actions
• First point of contact 24x7
• Contact with Emergency Services
• Evacuation and crowd control
• Safety of staff and other people
• Protection of assets
• Liaison and escalation to crisis management
Business continuity management
Crisis management
• Manage the organisation while it is in distress
• Protect the business, its reputation and its market share
• Make critical decisions regarding response and recovery
• Deal with stakeholders, the authorities and the media
• Internal and external communications
• Invoke and manage business recovery
Business continuity management
Business and operational recovery strategies
• Continue most critical activities
• Maintain market share
• Workarounds
• Most critical customers
• Alternative locations
• Alternative methods
• Pre-event actions
• Funding
• Access to data and systems
• Get back to normal
Business continuity management
The vision
‘A clear action plan that tells a senior manager exactly what needs to be done when he or she is standing in a car park at 6.30 in the morning looking at the spot where the building / plant / asset used to be …’
Recovery planning
Methodology
• Business impact analysis (BIA): what are the key business processes and value chains in your organisation? What and who do they depend upon? What are the impacts of failures of the value chains over time? What are the threats? What is the MTPoD / MAO (maximum tolerable period of disruption / maximum acceptable outage) of each value chain?
• Recovery strategy development: what strategies can be selected to recover a value chain if it fails for any reason, in order to deliver the MTPoD / MAO?
• Plan development: develop recovery plans in accordance with these strategies
• Maintain, update, rehearse: rehearse and maintain the plans
• Programme management: establish a BCM oversight / policy / framework programme
• Culture and awareness: embed BCM into company management systems and culture and increase staff awareness
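The BIA produces two numbers that have to be compared: the MTPoD / MAO the business can tolerate for each value chain, and the recovery time objective (RTO) the IT and site recovery capability can actually deliver for everything that value chain depends on. The mismatch the Forrester survey quoted earlier describes is exactly the case where the second exceeds the first. The following is an added worked example, not part of the original deck and not Phoenix's tooling: it models a few constructed value chains and their dependencies, propagates RTOs through system-to-system dependencies, and reports every dependency whose effective recovery time is longer than the value chain's MTPoD. The resource and value chain names, hours and the "dependencies recover in parallel" rule are all assumptions made for illustration.

```python
"""Check that recovery capability (RTO) keeps up with business tolerance (MTPoD / MAO).

Constructed example, not a real organisation: value chains depend on IT systems
and sites, each with a recovery time objective in hours; systems may in turn
depend on other systems, so recovery times are propagated through the graph.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A system or site the business depends on, with its own RTO in hours."""
    name: str
    rto_hours: float
    depends_on: list = field(default_factory=list)


@dataclass
class ValueChain:
    """A business process with the MTPoD / MAO the BIA assigned to it."""
    name: str
    mtpod_hours: float
    depends_on: list


def effective_rto(name, resources, _stack=()):
    """Effective recovery time of a resource including everything it depends on.

    Assumption (not from the deck): dependencies are recovered in parallel, so the
    effective time is the largest of the resource's own RTO and its dependencies'
    effective RTOs. A strictly sequential recovery would sum them instead, which
    is the more conservative choice if the recovery order is not known.
    Cycles are reported as an error rather than recursing forever.
    """
    if name in _stack:
        raise ValueError("circular dependency: " + " -> ".join(_stack + (name,)))
    res = resources[name]
    deps = [effective_rto(d, resources, _stack + (name,)) for d in res.depends_on]
    return max([res.rto_hours] + deps)


def find_gaps(chains, resources):
    """Return (chain, dependency, effective RTO, MTPoD) for every dependency whose
    effective recovery time exceeds the value chain's MTPoD / MAO."""
    gaps = []
    for chain in chains:
        for dep in chain.depends_on:
            rto = effective_rto(dep, resources)
            if rto > chain.mtpod_hours:
                gaps.append((chain.name, dep, rto, chain.mtpod_hours))
    return gaps


# Constructed sample data for illustration only.
RESOURCES = {r.name: r for r in [
    Resource("core-db", 8.0),
    Resource("order-app", 4.0, ["core-db"]),     # app itself restores in 4h, but needs core-db
    Resource("payroll-app", 24.0, ["core-db"]),
    Resource("hq-office", 48.0),                 # work area recovery, not just IT
]}

CHAINS = [
    ValueChain("Order-to-cash", 6.0, ["order-app", "hq-office"]),
    ValueChain("Payroll", 72.0, ["payroll-app"]),
]


if __name__ == "__main__":
    for chain, dep, rto, mtpod in find_gaps(CHAINS, RESOURCES):
        print(f"GAP: {chain} tolerates {mtpod:g}h but {dep} needs {rto:g}h to recover")
```

Note that "order-app" looks fine on its own RTO of 4 hours; it is the 8-hour database it depends on, plus the 48-hour work area recovery for the office, that break the 6-hour tolerance, which is the point the deck makes about IT recovery in isolation not being enough.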
Resilience
Why we all need it!
[Chart: performance against time after a disruption, with three curves labelled Resilience, Lucky escape and Failure!]
Enterprise Resilience
Some questions to think about…
• Does your organisation have a fully tested and robust framework of business continuity management in place today?
− Site/scenario-based response plans
− Business-based crisis management plans
− Process- / value chain-based recovery strategies and plans
• If you arrived at your normal place of work after this meeting, or after lunch, or tomorrow, and it was inaccessible, damaged or destroyed – would you know what to do?
• If your building was evacuated tomorrow, people were hurt, and you found yourself in charge, would you know what to do?
• What would be the effect on your business and its ownership of a significant disruption to production or supply of goods or services?
• Is there a recent analysis to confirm that your regime of IT disaster recovery can fully support the needs of the business following a major incident?
• How would an inability to supply your customers for an extended period affect your brand, reputation and market share?
• How bad would it be for your business if an incident made national or international news and it was perceived to be your fault?
• Do you know which of your suppliers can affect your business the most?
• Do you know which of your customers can affect your business the most?
• Do you understand how your internal production and business units depend upon each other?
• Is there somebody in your board room / management team / C-suite that has overall responsibility for risk management?
• Does your organisation test its plans at least annually?
Our capabilities
Resilience
IT infrastructure is just part of the puzzle
[Diagram: work area recovery; systems and data recovery]
Resilience
The bigger picture?
[Diagram of the components of enterprise resilience: infosec / cyber; incident response; brand and market share; work area recovery; supply chain; crisis management; risk management; operational recovery; systems and data recovery; business recovery; insurance; drivers, benefits, ROI]
Phoenix's capabilities
How can we help you?
• Value chain and impact analysis
• Resilience framework design
• Gap analysis / benchmark / health check
• Training and awareness
• IT recovery planning
• Information security risk
• IT risk analysis
• Supply chain risk management
• Emergency response planning
• BCMS software and automation – Shadow-Planner
• Risk analysis (process / site)
• Recovery strategy design
• Recovery plan creation
• Crisis management planning
• Testing and rehearsing
− Desktop / simulation
− Crisis / recovery
Thank you
[email protected]
01604 419 402