Business Continuity Management: Audit And Financial Imperatives - Justification of BCM Projects Implementation approach overview - Decision Methodology: The Key Probability, Cost-Benefit, Intuitive Approaches.
Justification of BCM Projects: An Example of Steps 1-3

1. Estimate Losses by length of outage
2. Determine length of outage by backup/recovery scenario
3. Perform cost/benefit analysis of each feasible scenario
4. Select and sell selected scenario

1. Estimate Losses by length of outage: Step 1 (Losses)

An Electronics Wholesaler

[Figure 1: Projected Order Retention Rates. Y axis: Projected Order Retention Percentage. X axis: Days of Data Center Down-Time. Series: New Orders (35%), Backorders (65%), Average.]

1. Estimate Losses by length of outage: Step 2 (Recovery)

[Figure 2: Projected Order Recovery Rates. Y axis: Order Percentage. X axis: Months after Data Center Down-Time. Series: Average Order Retention Percentage, Hot Site Recovery, Cold Site Recovery, No Backup Recovery.]

2. Determine length of outage by backup/recovery scenario

[Chart: Recovery analysis for a large bank. Timeline: Days 1 to 4, three shifts per day. Milestones: Masterfile Data Offsite, Disaster, Backup Center Online, Backup Center in Production, Users Online. Tasks: Notification and Activation Period; Movement of Personnel to Backup Data Center; Activation of Systems and Telecommunications Infrastructure; Load Masterfile Data; Enter Day 1 Data; Day 1 Production Processing; Enter Day 2 Data; Day 2 Production Processing; Enter Day 3 Data; Day 3 Production Processing; Day 3 Output Processing; Users Online.]

3. Perform cost/benefit analysis of each feasible scenario

Typical Annual Scenario Expenses

| Expense | Dual Centers | Vendor Hot/Cold Site | Own Cold Site | No Backup |
|---|---|---|---|---|
| Data Center | | | | |
| Annual Vendor Fees | | $150,000 | | |
| Site Preparation (1) | $175,000 | | $100,000 | |
| Telecommunications | | | | |
| Initial Installation (2) | $15,000 | $15,000 | $15,000 | |
| Annual Cost of Lines | $40,000 | $60,000 | $40,000 | |
| Personnel | | | | |
| Duplicate Operations Staff | $500,000 | | | |
| Testing at Other Site | $5,000 | $5,000 | | |
| Simulation Testing | $6,000 | $6,000 | $6,000 | $6,000 |
| Plan Maintenance | $20,000 | $20,000 | $12,000 | $8,000 |
| TOTAL | $761,000 | $256,000 | $173,000 | $14,000 |

(1) 7 year amortization
(2) 5 year amortization

Decision Approaches

• Probability-based (used in insurance justification)
• Analysis-based (used in cost-benefit analysis)
• Intuition-based (used by most executives and expert systems)

The analysis-based approach, which rests on fiduciary responsibility, will be recommended, since the probability approach and the intuition-based approach can lead to catastrophic loss exposures.

Probability-based (used in insurance justification)

• Mr. Probability

| Item | Value |
|---|---|
| Cost of Hot Site Backup | $500,000/year (2% of IS budget) |
| Direct Losses over ten days | $30,000,000 |
| Probability of loss | .01/year |
| Net Direct Loss | $300,000/event |
| ROI | -40% (Bad Investment) |

Another Probability Approach

Assume a 30 year life for the Hot Site

| Item | Value |
|---|---|
| Cost of Backup Site over 30 years | $15,000,000 |
| Direct Losses over 10 day period | $30,000,000 |
| Probability of 1 loss over 30 years | 26% |
| Net Direct Loss | $7,800,000 |
| ROI | -48% (Bad Investment) |

Analysis-based (used in Life-Cycle cost-benefit analysis)

• Mr. Application Analyst

| Item | Value |
|---|---|
| Direct Impact Loss/Event (10 days) | $30,000,000 |
| Delayed Loss of Business/Event | $360,000,000 (year to recover ½ sales) |
| Total $ Loss/Event | $390,000,000 (½ yearly profit) |
| Probability of Losing our Jobs and Stockholder Suits | 100% |

Intuition-based (used by most executives and expert systems)

Step 1: Define Primary Evaluation Criteria of Key Stakeholders

| Stakeholder | Evaluation Criteria |
|---|---|
| Executives | Assure continuity of a viable organization |
| User Management | Continue operations with minimum impact on system availability |
| IS Management | Continue operations with minimum impact on system availability |
| Auditors | Continue operations with minimum impact on financial viability |
| Financial Analysts | Minimize long term costs |

Step 2: Perform Ranking of Backup Alternatives using Cyert & March Methodology

| Evaluation Criteria | Dual Center | Hot Site | Cold Site | No Backup |
|---|---|---|---|---|
| Assure continuity of a viable organization (ratio of loss to profit) | S (0%) | S (1%) | (40%) | -(70%) |
| Continue operations with minimum impact on system availability (unavailability period) | S (Shifts) | S (Days) | (Weeks) | -(Months) |
| Continue operations with minimum impact on financial viability (ratio of loss to profit) | S (0%) | S (0%) | (40%) | -(70%) |
| Minimize long term cost (Cost of alternative) | S $750,000 | S $500,000 | S $100,000 | SS $20,000 |

Recommendation

The authors believe that the life-cycle prudent fiduciary approach recommended in this paper best represents the approach that should be used by industry and government. The probability-based and intuition-based approaches can be dangerous, since they occasionally lead organizations to take inappropriate risks.

BCM NOTE

The fact that two of the three approaches often select the same commercial backup center approach is not unusual. It explains why the Backup Data Center Industry has expanded so rapidly. However, many organizations that require recovery in hours rather than days are moving to the dual data center approach, based on negative evaluations in the Hot Site column. Many organizations that still use information technology only for support and accounting applications select the Cold Site approach because of the lack of negative elements in that column of their table.
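The two probability-based calculations above can be reproduced as follows; this is an added example, not part of the original slides. It assumes outage years are independent (which is what yields the 26% figure), and its third scenario, applying the same expected-value formula to the analysis-based total loss of $390,000,000, is an extension the slides do not show.

```python
# Added illustration. Dollar figures and the .01/year probability are
# the ones quoted on the slides; the function names are hypothetical.

HOT_SITE_COST_PER_YEAR = 500_000
DIRECT_LOSS_PER_EVENT = 30_000_000   # ten-day outage, direct losses only
TOTAL_LOSS_PER_EVENT = 390_000_000   # direct plus delayed loss of business
P_LOSS_PER_YEAR = 0.01


def prob_at_least_one(p_annual: float, years: int) -> float:
    """Chance of at least one outage in `years` (assumes independent years)."""
    return 1.0 - (1.0 - p_annual) ** years


def evaluate(loss_per_event: float, p_annual: float,
             annual_cost: float, years: int = 1) -> dict:
    """Expected loss avoided versus backup cost over the given horizon."""
    p = prob_at_least_one(p_annual, years)
    expected_loss = p * loss_per_event
    cost = annual_cost * years
    return {
        "probability": p,
        "expected_loss": expected_loss,
        "cost": cost,
        "roi": (expected_loss - cost) / cost,
    }


def scenarios() -> dict:
    return {
        "annual, direct loss": evaluate(
            DIRECT_LOSS_PER_EVENT, P_LOSS_PER_YEAR, HOT_SITE_COST_PER_YEAR),
        "30-year, direct loss": evaluate(
            DIRECT_LOSS_PER_EVENT, P_LOSS_PER_YEAR, HOT_SITE_COST_PER_YEAR, 30),
        # Extension not on the slides: same formula, total loss per event.
        "annual, total loss": evaluate(
            TOTAL_LOSS_PER_EVENT, P_LOSS_PER_YEAR, HOT_SITE_COST_PER_YEAR),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:22s} p={r['probability']:.0%} "
              f"expected=${r['expected_loss']:,.0f} "
              f"cost=${r['cost']:,.0f} ROI={r['roi']:+.0%}")
```

The verdict of the probability approach depends almost entirely on which loss figure is fed into it: the same 1% annual probability gives a negative ROI on direct losses and a strongly positive one once delayed loss of business is counted.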