
IT-Centric Business Continuity: IT’s Leadership Role Steve Susina January 28, 2009


Presentation Transcript


  1. IT-Centric Business Continuity: IT’s Leadership Role. Steve Susina, January 28, 2009

  2. Abstract
     Contingency planning is a broad arena that addresses a myriad of risks facing the organization. IT leaders are being called upon to develop contingency plans for their organizations because they provide critical services that extend into nearly every department. IT leadership’s role in BCP/DRP is most appropriately focused on planning for those business risks that are directly related to the provision of data center services; the parameters of this process are defined as IT-Centric Business Continuity (IT-BCP). This process involves DR strategy development, DR restoration planning, and BC planning for critical business functions that must be maintained during an outage of IT services.

  3. Agenda
     In this presentation, the session attendees will learn:
     • How Disaster Recovery and Business Continuity relate
     • The ideal role for IT Leadership in contingency planning efforts
     • How IT should engage with the greater business in determining priorities and strategies
     • How to determine RTO and RPO metrics for IT strategies in infrastructure planning
     • How to understand the trade-offs between the desired level of data protection and the cost associated with it

  4. Contingency Planning: Why Plan for an Incident?
     To STAY IN BUSINESS:
     • To ensure that your business continues to serve its stakeholders
     • To ensure that your business meets its business objectives
     • To ensure your enterprise is not critically impacted by an incident (or disaster)

  5. Contingency Planning: Why Plan for an Incident?
     • Contingency Planning is like putting an insurance policy in place to protect from losses that occur due to an incident
     • The planning (and resultant actions) are a risk mitigation strategy

  6. Contingency Planning: Why Plan for an Incident? Some Statistics
     • 35 natural disasters occur, on average, each year within the United States. (Source: FEMA)
     • 93% of companies that lost their data center for 10 days or more, due to a disaster, filed for bankruptcy within one year of the disaster, and 50% filed for bankruptcy immediately. (Source: National Archives & Records Administration in Washington.)
     • 80% of companies without well-conceived data protection and recovery strategies go out of business within two years of a major disaster. (Source: National Archives & Records Administration in Washington.)

  7. Contingency Planning: What to Plan For in the Holistic Sense?
     So what type of incidents do enterprises consider?
     • Weather related (flood, storms, earthquakes, tornados)
     • Malicious acts (terrorism, theft, virus attacks, denial of service)
     • Equipment & facilities risks (IT outages, critical machinery, fire, security, building maintenance)
     • Personnel risks (employee safety, key-man risk, strike, pandemic illness, human error)
     • Supplier risks (key supply relationships, utility disruptions, communications failure)
     • Customer risks (loss of key customers, customer solvency, product liability)
     • Financial risks (availability and access to capital, currency risk)
     • Legal risk (legislative, contract, compliance and litigation risks)
     • Competitive risk (price war, IP protection, employee loss, industrial espionage)
     The concern is about maintaining the enterprise’s operations, not just IT.

  8. Definition: Business Continuity
     “Business Continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions.” – Wikipedia

  9. Definition: Disaster Recovery (DR)
     “Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.” – Wikipedia

  10. Business Continuity: More than Simply an IT Initiative. Why?
     Executive Responsibility
     • Organizational leaders are increasingly being held legally responsible for the well-being of their organizations
     Regulation & Compliance
     • The Board of Directors and enterprise executives, not just IT executives, are responsible for compliance (SOX, GLBA, Patriot Act, OSHA, EPA, HIPAA, etc.)
     Data Center is Only a Piece of the Puzzle
     • There are separate risks that need to be considered other than loss of the data center
     What Do We Do While IT is Not Operational?
     • Technology recovery does not address or prioritize the business requirements needed to sustain an organization’s continuing operations during or after a disaster
     Enterprises are realizing that each operational unit needs to take ownership and participate in the planning.

  11. Business Continuity vs. Disaster Recovery
     • Business Continuity Planning (BCP): focus is on planning for recovery strategies that address continuity of the greater business under a variety of risk scenarios, inclusive of the loss of data center services. BCP addresses more risk and more business impact.
     • Disaster Recovery Planning (DRP): focus is on planning for the restoration of data center services (technology recovery) after a data center loss.
     Disaster Recovery focuses on data center restoration. Business Continuity centers on maintaining business process.

  12. Why are IT Leaders Spearheading these Efforts?
     • Their role is often central to all business processes
     • They have more exposure to contingency planning than many other departments because of their natural thought processes toward data and systems recovery/redundancy

  13. What Happens When Contingency Planning is Thrown to IT Leadership?
     • IT Leadership can determine a strategy in a vacuum and take a Disaster Recovery (DR) approach without much analysis of the business needs, OR
     • IT Leadership can involve the business to determine a comprehensive Business Continuity (BC) plan and strategy
     There is a role for IT Leaders in BCP. We call this IT-Centric Business Continuity.

  14. IT-Centric Business Continuity: The Middle Ground
     • Addresses restoration of Mission Critical IT Infrastructure, LINKED TO …
     • The Continuation of Mission Critical Processes when a data center is lost

  15. The Planning Continuum
     Figure 1: The Contingency Planning Continuum (figure not reproduced in the transcript)

  16. The Process for IT-Centric BC Planning
     • Step 1 (Business Objectives):
       • the capture of business goals and objectives from organizational management, as well as
       • the determination and documentation of mission critical processes and functions
     • Step 2 (Inventories and Process Mapping):
       • includes the review of core departmental processes and their reliance upon IT services
     • Step 3 (Business Risk and Impact Analysis):
       • includes departmental reviews of incident scenarios, the preparedness of the business units for various types of IT-related risks, and the potential impact of data center loss should there be an interruption

  17. The Process for IT-Centric BC Planning
     • Step 4 (Strategy Development):
       • includes the establishment of RTO, RPO and prioritizations with organizational management
     • Step 5 (Continuity/Recovery Planning):
       • includes the development of detailed IT contingency plans, effectively the operating manual for the company in a disaster scenario
       • also encompasses stop-gap operational procedures for functional business areas as they await the restoration of data center services
     • Step 6 (Testing, Audit and Maintenance)

  18. Step 1: Business Objectives
     High Level Starting Point
     • Resumption or continuation of Business Processes is the goal
     • One size does not fit all
       • Each business, and each department within a business, has different needs
       • There are many different solutions, each with different costs and implications
     • As this is about business, who should participate?
     IT Leader Role: Assemble the Team

  19. Step 1: Business Objectives
     Start with Business Discussions
     • Each business is different; identify the stakeholders (internal business units, customers, shareholders, etc.)
     • Are there any overlying principles/regulations in the organization?
     • Meet with business departments; determine what their needs and objectives are
       • What are their mission critical functions?
       • RPO/RTO are the basis for a successful solution
     IT Leader Role: Provide Systems Lists as a Basis for Discussion

  20. Step 2: Inventories & Process Mapping
     Involve all critical parts of the organization
     • Start with systems lists and equipment inventories as a basis of discussion
     • Determine/map key processes for critical business functions and determine their reliance upon data center services
       • Revenue generating processes, those that support revenue generation, or those that involve compliance initiatives typically receive priority
     • IT, Finance, other primary business units
       • Legal: regulatory and contractual obligations
       • Help Desk: use patterns, customer expectations
     • Each business unit/department uses data differently
     IT Leader Role: Engage a 3rd party to facilitate business process discussions

  21. Step 3: Business Risk & Impact Analysis
     Risk Analysis: planning for the right incidents or disaster
     • Local companies planning for regional disaster?
     • International companies planning only for local disasters?
     • Did you remember to consider human error or supplier risks?
     • Perform a risk analysis of the various incidents that can cause interruptions in IT services
     • Determine which incidents critically impact each key business process and prioritize these in terms of risk and impact
     IT Leader Role: Engage a 3rd party to facilitate risk analysis

  22. Step 3: Business Risk & Impact Analysis
     What is the impact of critical risks?
     • Determine impact in terms of business interruption (number of days) and in financial terms
     • Some analyses are Qualitative (general estimate of loss) and others Quantitative (analytical measurement of loss)
     • The key is getting to consensus around priority of systems and realistic recovery requirements, so that a contingency planning strategy can be developed in terms of RTO and RPO
     IT Leader Role: Engage a 3rd party to facilitate impact analysis

  23. Step 4: Strategy Development
     Overall: Avoid Complexity
     • Strategy must meet the business criteria
     • Business owners are often uninterested in technology
     • Transparency and clarity for the intended audience; speak in terms of business (restoration of business processes to serve stakeholder needs)
     • At the end of the day, this is really about a risk trade-off between the cost of implementing a mitigation/contingency strategy vs. the cost of business losses
       • Money spent <= potential loss
     • What is the right strategy in terms of RTO and RPO?
     IT Leader Role: Use business requirements to develop a strategy for IT service restoration.

  24. Strategy Development: Mapping Metrics - RTO
     Recovery Time Objective
     • “The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. The RTO is the unit of measurement ("e.g. duration of time") that passes before the invocation of some treatment and is not to be confused with the amount of time it takes for the treatment to take effect.” – Wikipedia
     • The time period after a disaster at which business functions need to be restored in order to avoid unacceptable consequences associated with a break in continuity.

  25. Strategy Development: Determining RTO
     Regulatory Requirements
     • HIPAA, SOX, and others
     • Some hard requirements, some guidelines
     • More applicable to RPO than RTO
     • Necessary, but not independently sufficient; what about the other risks?
     Quantifiable Financial Risks
     • RTO directly tied to cost of downtime ($/day, hour, minute)
     • Assessing costs enables effective RTO discussion

  26. Strategy Development: Assessing Cost of Downtime
     Amount of Downtime
     • 99.999% uptime = 365 * 24 * 60 * .00001 = 5.625 min/yr
     • Misleading: other factors intrude
       • Data Corruption
       • Rolling outages: lynchpin system outages cause downstream problems
       • Secondary system recovery follows primary system recovery
     Some industry benchmarks
     • Financial institutions: immediate to 4 hours
     • Logistics organizations: hours to 1 day
     • Manufacturing companies: 1 to 3 days
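The two points on this slide that are easy to get wrong in practice are the availability arithmetic and the "rolling outage" effect, where a lynchpin system's recovery time is inherited by everything that depends on it. The following is an added example, not code from the presentation or from Laurus Technologies; it converts an availability target into permitted downtime (365 × 24 × 60 × 0.00001 works out to 5.256 minutes) and computes a process's effective RTO over a dependency chain. The system names, restore times and dependencies are constructed sample values.

```python
"""Added example: availability-to-downtime conversion and dependency-aware RTO.

Not part of the original presentation. Systems, restore times and the
dependency graph below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60  # non-leap year, matching the slide's formula


def allowed_downtime_minutes(availability: float) -> float:
    """Minutes per year that an availability target such as 0.99999 permits."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return MINUTES_PER_YEAR * (1.0 - availability)


@dataclass
class System:
    name: str
    restore_hours: float  # time to bring this system back once its dependencies are up
    depends_on: List[str] = field(default_factory=list)


def effective_rto_hours(systems: Dict[str, System], name: str,
                        _stack: Optional[Set[str]] = None) -> float:
    """Recovery time of `name` including the systems that must come back first.

    Secondary system recovery follows primary system recovery, so the effective
    RTO is this system's own restore time plus the longest effective RTO among
    its dependencies (independent dependencies are assumed to restore in parallel).
    A circular dependency is reported rather than recursing forever.
    """
    if _stack is None:
        _stack = set()
    if name in _stack:
        raise ValueError(f"circular dependency involving {name!r}")
    if name not in systems:
        raise KeyError(f"unknown system {name!r}")
    _stack.add(name)
    system = systems[name]
    upstream = max(
        (effective_rto_hours(systems, dep, _stack) for dep in system.depends_on),
        default=0.0,
    )
    _stack.remove(name)
    return system.restore_hours + upstream


def rto_gaps(systems: Dict[str, System],
             targets: Dict[str, float]) -> Dict[str, Tuple[float, float]]:
    """Return {system: (required_rto, effective_rto)} wherever the chain misses the target."""
    gaps: Dict[str, Tuple[float, float]] = {}
    for name, required in targets.items():
        effective = effective_rto_hours(systems, name)
        if effective > required:
            gaps[name] = (required, effective)
    return gaps


# Constructed sample data: a directory service and storage array that a
# database needs, and an ERP application that needs the database and directory.
SAMPLE_SYSTEMS: Dict[str, System] = {
    "directory": System("directory", 2.0),
    "storage": System("storage", 1.0),
    "database": System("database", 4.0, ["directory", "storage"]),
    "erp": System("erp", 3.0, ["database", "directory"]),
}

if __name__ == "__main__":
    print(f"99.999% allows {allowed_downtime_minutes(0.99999):.3f} min/yr")
    for name in SAMPLE_SYSTEMS:
        print(f"{name}: effective RTO {effective_rto_hours(SAMPLE_SYSTEMS, name):.1f} h")
    # The ERP owner asked for a 4-hour RTO; the chain makes that impossible.
    print(rto_gaps(SAMPLE_SYSTEMS, {"erp": 4.0, "directory": 4.0}))
```

On the sample data the ERP application restores in 3 hours by itself but has a 9-hour effective RTO, because it waits on the database, which in turn waits on the directory. That is the gap a business owner needs to see when an RTO is negotiated per application rather than per dependency chain.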

  27. Strategy Development: Assessing Cost of Downtime
     Unexpected Downtime
     • Non-failures (e.g. human error) can lead to real failures
     Hard Costs
     • Lost revenue
     • Costs to restructure
     • Loss of customers
     Soft Costs
     • Lost reputation
     • Lost market position
     • Unproductive resource costs

  28. Strategy Development: Mapping Metrics - RPO
     Recovery Point Objective
     • “Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time.” – Wikipedia
     • The amount of data lost, measured in time.
     • The maximum acceptable level of data loss following an unplanned “event”

  29. Strategy Development: Mapping Metrics - RPO
     Regulatory Requirements
     • HIPAA, SOX, and others
     • Some hard requirements, some guidelines
     • More applicable to RPO than RTO
     • Necessary, sometimes sufficient
     Quantifiable Financial Risks
     • RPO directly tied to value of data
     • Assigning value enables effective RPO discussion

  30. Strategy Development: Know Your Data
     Know your data
     • Don’t replicate too much
       • What is actually useful after restoration?
     • Don’t miss critical data
       • Including supporting data
     Business owns data
     • Business owners know the data they need
     • Business owners know when they need the data
     • Business justifies cost.

  31. Strategy Development: Know What to do with Your Data
     Systems required to access data
     • Including supporting data & systems
     • Processes associated with accessing data
     • Resumption of business is the goal
     Backups of Data
     • Data will change when business resumes
     • Resynchronization
       • Data at recovery site becomes primary
       • What happens when primary resumes?
     IT Leader Role: Need to think about how you operate in the disaster scenario.

  32. Strategy Development: Assigning Value to Data
     Who uses the data?
     • Accounting, HR, Marketing, Manufacturing
       • Different time frames
       • Different use types
       • Different users, different requirements
     How is the data used?
     • Transactional
     • Reporting
       • Management reports
       • Marketing campaigns
       • Regulatory compliance (financial, EPI, etc.)

  33. Strategy Development: Assigning Value to Data
     When is the data used?
     • Monthly, yearly, hourly
     What is the value of data?
     • Inherent value (IP)
     • Opportunity costs
     • Risk (Legal, Regulatory, Competitive)
     Assigning Priority
     • RISK = IMPACT x PROBABILITY
     IT Leader Role: Which Data Gets Priority?

  34. Strategy Development: Cost Justification
     The IT-BCP process will inevitably expose business risks and consequently recommend mitigation strategies in the form of process improvements and/or new systems, or both. These systems may include security, network, storage or virtualization products, among many others. The business should evaluate these expenses from a TCO and ROI perspective. Much of the information required to compute the TCO and ROI will be found in the BIA and Risk Analysis.
     TCO
     • “Total cost of ownership (TCO) is a financial estimate designed to help consumers and enterprise managers assess direct and indirect costs (for the proposed solution).” – Wikipedia
     ROI
     • “Return on investment (ROI) is the ratio of money gained or lost (realized or unrealized) on an investment relative to the amount of money invested.” – Wikipedia
     IT Leader Role: Propose a cost-effective IT strategy that supports the business requirements.

  35. Strategy Development: Cost Justification
     Figure 2: Disaster Recovery Strategy, Relationship of Time, Risk & Cost (figure not reproduced in the transcript)
     • TCO < cost of downtime/data loss
     • Typical solution: tens of thousands to millions of dollars
     • As RPO & RTO approach zero, costs grow exponentially
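Slides 23 through 35 describe one decision rule spread across several bullets: pick the strategy that meets the business's RTO and RPO, price the risk it retains as RISK = IMPACT x PROBABILITY, and accept it only if money spent <= potential loss (TCO below the cost of downtime and data loss it avoids). The block below is an added example that is not part of the presentation or Laurus Technologies' material; it encodes that rule as a small screening model and groups processes into the tiers of slide 38. Every process, strategy, dollar figure and probability in it is a constructed sample value, not a benchmark from the slides.

```python
"""Added example: RTO/RPO cost justification as a screening model.

Not part of the original presentation. Processes, strategies, dollar figures
and event probabilities are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float            # longest outage the business will tolerate
    rpo_hours: float            # most data, measured in time, the business can lose
    loss_per_hour: float        # hard + soft cost of downtime, $/hour
    data_value_per_hour: float  # value of the data produced each hour, $/hour
    annual_probability: float   # likelihood of losing the data center in a given year


@dataclass(frozen=True)
class Strategy:
    name: str
    achievable_rto_hours: float
    achievable_rpo_hours: float
    annual_tco: float           # yearly total cost of ownership, $


# Baseline "strategy": no plan beyond rebuilding from scratch (constructed figures).
NO_PLAN = Strategy("rebuild_from_scratch", 240.0, 168.0, 0.0)

STRATEGIES: List[Strategy] = [
    NO_PLAN,
    Strategy("tape_offsite", 72.0, 24.0, 2_000.0),
    Strategy("warm_site", 8.0, 4.0, 60_000.0),
    Strategy("hot_site_async", 2.0, 0.5, 120_000.0),
    Strategy("sync_metro_cluster", 0.5, 0.0, 250_000.0),
]

# Constructed processes: a revenue-generating one and a low-value internal one.
ORDER_ENTRY = Process("order_entry", 4.0, 1.0, 10_000.0, 5_000.0, 0.05)
INTERNAL_WIKI = Process("internal_wiki", 72.0, 24.0, 200.0, 50.0, 0.05)


def expected_annual_loss(p: Process, s: Strategy) -> float:
    """RISK = IMPACT x PROBABILITY; impact is downtime cost plus lost data under s."""
    impact = (s.achievable_rto_hours * p.loss_per_hour
              + s.achievable_rpo_hours * p.data_value_per_hour)
    return impact * p.annual_probability


def meets_objectives(p: Process, s: Strategy) -> bool:
    """A strategy qualifies only if it recovers within both the RTO and the RPO."""
    return (s.achievable_rto_hours <= p.rto_hours
            and s.achievable_rpo_hours <= p.rpo_hours)


def choose_strategy(p: Process, candidates: List[Strategy]) -> Optional[Strategy]:
    """Cheapest strategy that meets RTO/RPO with TCO no greater than the loss it avoids.

    None means no candidate is justifiable on these numbers, which is itself a
    finding: the objectives or the cost figures go back to the business owners.
    """
    baseline = expected_annual_loss(p, NO_PLAN)
    acceptable = [
        s for s in candidates
        if s is not NO_PLAN
        and meets_objectives(p, s)
        and s.annual_tco <= baseline - expected_annual_loss(p, s)  # money spent <= potential loss
    ]
    return min(acceptable, key=lambda s: s.annual_tco, default=None)


def tier_processes(processes: List[Process],
                   candidates: List[Strategy]) -> Dict[str, List[str]]:
    """Group processes by the strategy chosen for them: not all systems are equal."""
    tiers: Dict[str, List[str]] = {}
    for p in processes:
        chosen = choose_strategy(p, candidates)
        key = chosen.name if chosen else "unjustified: revisit objectives"
        tiers.setdefault(key, []).append(p.name)
    return tiers


if __name__ == "__main__":
    for tier, members in tier_processes([ORDER_ENTRY, INTERNAL_WIKI], STRATEGIES).items():
        print(f"{tier}: {', '.join(members)}")
```

With the sample figures, order entry lands on the asynchronous hot site (the synchronous cluster also meets the objectives but its TCO exceeds the loss it would avoid), while the wiki is covered by off-site tape; a process whose owners demand a sub-hour RTO for data worth very little comes back as None, which is the point where the business justifies the cost or relaxes the objective.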

  36. Strategy Development: Validation
     Validate Solution
     • Utilize external resources
     • Error checking, fact checking
     • Alternative ideas
     Objectives Achieved?
     • RTO (recovery to a time window)
     • RPO (recovery to a data point)
     • Compliance
     • Business Objectives
     IT Leader Role: Engage a 3rd party to benchmark the strategy.

  37. Step 5: Continuity / Recovery Plan Development
     The Plan is a living, dynamic process designed to guide the organization through its recovery and contingency efforts. It must address:
     • Strategy
     • People
     • Communications
     • Policies & Processes
     • Data
     • Systems, Equipment & Facilities
     IT Leader Role: Sponsor the development of the plan; develop the details of the IT portion of the plan.

  38. Step 5: Continuity / Recovery Plan Development
     Strategy Summary: Tiered Solution Best
     • Not all data is equal; not all systems are equal
     • Must establish RTO, RPO
     • Non-tiered strategies fail to meet needs and/or waste money
     People
     • Executive sponsorship required
     • Establish roles
       • Executive (crisis) management team
       • Business unit leaders
       • DR teams
     • Determine where to put your people and what to do with them

  39. Step 5: Continuity / Recovery Plan Development
     Communication is key
     • Disaster declaration
     • Communications with employees, press, customers, vendors, etc.
     • Status updates, milestones, etc.
     Standards & Procedural Documentation
     • Process owners are required for each business function
     • Exercising the BC Plan is high stress; there is an increased likelihood of success if processes are documented & understood
     • Develop standards for acceptable restoration
     • What are the interim business procedures for operations awaiting the restoration of their IT services?
     Note that business leaders need to develop their own procedures.

  40. Step 5: Continuity / Recovery Plan Development
     Data
     • Plan must include the prioritized tiering of data recovery
     • Validation of the data recovery
     Systems, Equipment & Facilities
     • Where will interim operations be housed; how do I go about restoring original facilities?
       • For IT & for Business Operations
     • What equipment/technology is required in the interim?
       • Phones, internet connectivity, desktop computing
     • What good is data without the restoration of systems/applications?
     • When (or how) do I migrate back to my original environment?

  41. Step 6: Testing, Audit and Maintenance
     Exercise the Strategy & Plan
     • Validation is key
     • If you haven’t tried it, it won’t work
     • If you can’t try it, it’s not a good solution
     Account for Changes
     • Are the critical business processes, workflows or systems changing?
     • Are the people changing?
     • Are the risks and impacts the same?
     • Is the strategy out of date? (capacity for growth; data never shrinks)
     • Is the plan reflective of these dynamics, and is it maintained in an area that is itself safe from a disaster?

  42. Who is Laurus?
     Laurus Technologies is a business consulting and IT services firm that leverages our expertise to identify and solve business challenges. Our goal of 100% referenceable clients has resulted in Laurus becoming one of the fastest growing solution providers in the US. No other company can match our combination of business knowledge, technical talent and strong focus on customer business objectives.

  43. The Laurus Advantage: Our Technical & Engineering Team
     • Consultants & Engineers fill our ranks
     • Steady and Substantial Revenue Growth
     Laurus Technologies invests to build and retain the best team of consultants and engineers in the industry.

  44. Laurus Technologies: Aligned to meet your needs
     Business Consulting
     Business Applications
     • ERP Optimization
     • Master Data Services
     • SAP & Oracle Consulting
     Talent Solutions (IT Recruiting, Staff Augmentation, Contract for Hire)
     Managed Services
     • e-Mail Hosting
     • Data Center Outsourcing
     • Managed Backup
     • Managed Security Services
     • Managed Storage
     • Remote Infrastructure Management
     Systems Integration
     • Assessment Services
     • Applications Services
     • Integration Services
     • Datacenter TCO
     • Archiving / Data Deduplication
     • Consolidation & Capacity Planning
     • Support Services
     • Virtualization (Server, Desktop & Storage)
     • System Architecture & Design
     • Business Continuity/Disaster Recovery
     • PMO Services
     • Performance Tuning
     12/17/2009 Laurus Technologies - Proprietary & Confidential

  45. Thank You! Questions and Answers
     For further information contact: Steve Susina, ssusina@laurustech.com, 1.877.LAURUS.1 (1.877.528.7871)
