
FSTC’s 2008 Annual Conference On the Innovative Edge: Successful Strategies for Financial Services

Explore strategies for operational resiliency in the financial industry through an innovative framework. Enhance shareholder value, protect assets, ensure efficient processes, and prioritize compliance in the face of disruptions. Gain insights into enterprise and operational resiliency activities.



Presentation Transcript


  1. The Financial Services Technology Consortium: Empowering the Industry Through Innovative Ideas. FSTC’s 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services. Industry Navigators

  2. FSTC’s 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services. Resiliency Benchmarking: A Case Study. Industry Navigators

  3. Operational Resiliency Management: A Benchmarking Case Study. Gary Daniels, Rick Webb, Lisa Young. FSTC Annual Meeting, Sonoma, California, June 19, 2008

  4. Resiliency Management – A Strategic Approach
     • Enhancing Shareholder Value
     • Protecting Assets
     • Ensuring Efficient Processes
     • Provides Roadmap
     • Identify & Prioritize Compliance Efficiency
     • Adaptive Response to Business Disruptions
     • Collaborative Endeavor
     • Third Party Management
     • Public-Private Sector Coordination

  5. Resiliency: Enterprise vs. Operational
     • Enterprise Resiliency
       • Resiliency: the capability to sustain the enterprise and continue achieving the mission in the presence and realization of risk
       • Requires agility, adaptability, evolution
       • Emergent property
     • Operational Resiliency
       • Core Operational Resiliency Activities: Security, Business Continuity, IT Operations

  6. Improvement is an evolutionary process
     • Necessary shifts:
       • Convergence
       • “De-complexing”
       • Meaningful measurement
       • “Rehearsing” vs. “Preparing”
       • Investment vs. cost

  7. Resiliency Management Product Suite
     • Framework: 27 capability areas in 4 categories (Enterprise Management, Operations Management, Process Management, Engineering)
     • Appraisal Method
     • Introductory Courses: Framework training, “How-to” courses, Executive workshops
     • Advanced Courses: Practitioner training, Appraisal leader training, Instructor training

  8. Maturity in REF: 5 Capability Levels (increasing maturity)
     • 4 Continuously Improved
     • 3 Directed
     • 2 Managed
     • 1 Performed (practices are performed)
     • 0 Incomplete
     • At the higher levels, processes are acculturated, defined, measured and governed

  9. Enterprise management capabilities: supporting the resiliency engineering process
     • RISK – Risk Management
     • EF – Enterprise Focus
     • COMP – Compliance Management
     • FRM – Financial Resource Management
     • COMM – Communications Management
     • OTA – Organizational Training and Awareness

  10. Engineering capabilities: establishing resiliency for organizational assets, business processes, and services
     • RRD – Resiliency Requirements Development
     • RRM – Resiliency Requirements Management
     • ADM – Asset Definition & Management
     • SC – Service Continuity
     • CM – Controls Management
     • SSD – Secure Systems Development
     • ISR – Integrated Service Resiliency

  11. Operations management capabilities: managing operational aspects of resiliency
     • VAR – Vulnerability Analysis & Resolution
     • AM – Access Management
     • ID – Identity Management
     • IMC – Incident Management & Control
     • SAP – Scenario Analysis & Planning
     • KIM – Knowledge & Information Management
     • TM – Technology Management
     • PM – People Management
     • EC – Environmental Control
     • HRM – Human Resources Management
     • EXD – External Dependencies

  12. Process management capabilities: defining, planning, deploying, implementing, monitoring, controlling, appraising, measuring, and improving processes
     • PM – Process Management
     • MA – Measurement and Analysis
     • MON – Monitoring

  13. Capability areas are related, for example:
     • CM – Controls Management
     • IMC – Incident Management & Control
     • OTA – Organizational Training & Awareness
     • SC – Service Continuity
     • RISK – Risk Management
     • EF – Enterprise Focus
     • KIM – Knowledge & Information Mgmt.
     • ADM – Asset Definition & Management

  14. Capability levels apply to each capability area, for example
     [Chart: for each of Service Continuity, Incident Mgmt & Control, Organizational Training & Awareness, Risk Management and People Management, the chart plots Status, Target and Gap on the capability-level scale 0 to 4; People Management is marked “Target achieved”.]

  15. Model scope
     • Focus improvement efforts on a part or all of the framework
     • Pick 1 or more capability areas to start
     • Pick capabilities associated with one of the leading standards, e.g., NFPA 1600, ISO 27000, BS 25999
     • Use one of our Targeted Improvement Roadmaps

  16. Resilient Enterprise: Benchmarking for Maturity. Call for Participation
     • Joint FSTC-CERT project beginning in June 2008
     • Learn about the framework and develop skills to lead your organization’s resiliency
     • Attend 4 workshops
     • Participate in benchmarking with maturity
     • Compare and learn from other organizations’ resiliency activities
     • Be in the first formal REF course
     • Translate knowledge into actionable and strategic improvements for your organization

  17. Benchmarking FSTC members against REF
     • 10 large financial institutions
     • Project period: September 2007 through February 2008
     • Objectives:
       • Test REF appraisal concepts
       • Provide gap analysis exercise for participants
       • Develop summary statistics that can be used as basis for comparison by individual participants

  18. Resiliency Project Members: AMD, ANSI, Ameriprise, Bank of America, Carnegie Mellon, Capital Group, Citicorp, Discover, EMC, DRII, FSSCC R&D*, IBM, JPMorgan Chase, Key Bank, KPMG, MasterCard, Marshall and Ilsley, NY Federal Reserve Bank*, PNC Bank, US Bank, Wachovia (*Project Advisor)

  19. Benchmarking methodology
     • Self-assessment with guidance from CERT
     • Required objective, documentary evidence for practice performance
     • Did not address maturity concepts (yet to come)
     • Five REF capability areas:
       • Service Continuity
       • Incident Management & Control
       • Organizational Training & Awareness
       • Risk Management
       • People Management

  20. Benchmarking focus
     [Chart: the capability-level scale (0 Incomplete; 1 Performed, practices are performed; 2 Managed; 3 Directed; 4 Continuously Improved), with the current benchmarking focus marked.]

  21. Measuring practice implementation
     [Chart: practice implementation measured on the scale 0 Incomplete, 1 Performed.]

  22. Appendix: Benchmarking Results

  23. Service Continuity Results. Service Continuity (SC) is a REF capability area. Graphs are used to visualize the summary of benchmarking data submitted.

  24. Service Continuity Results. There are 21 specific practices in SC, which support 7 goals.

  25. Service Continuity Results. Artifacts were used to determine the extent to which each practice was implemented.

  26. Service Continuity Results. Blocks show the average of reported implementations; bars show the range of implementation reported.

  27. Service Continuity Results
     [Chart of the SC goals: Prepare, Identify Services, Develop Plans, Validate Plans, Exercise Plans, Execute Plans, Maintain Plans.]

  28. Service Continuity Results. Some participants did not execute any plans during the project period.
     [Chart of the SC goals: Prepare, Identify Services, Develop Plans, Validate Plans, Exercise Plans, Execute Plans, Maintain Plans.]

  29. SC – Service Continuity
     • SC-1 Prepare for Service Continuity
       • SC-1.1 Plan for Service Continuity
       • SC-1.2 Establish Standards and Guidelines for Service Continuity
     • SC-2 Identify and Prioritize Essential Services
       • SC-2.1 Identify the Organization’s Essential Services
       • SC-2.2 Identify Internal and External Dependencies and Interdependencies
       • SC-2.3 Identify Vital Organizational Records and Databases
     • SC-3 Develop Service Continuity Plans
       • SC-3.1 Identify Plans to be Developed
       • SC-3.2 Develop and Document Service Continuity Plans
       • SC-3.3 Resource Service Continuity Plans
       • SC-3.4 Store and Secure Service Continuity Plans
       • SC-3.5 Communicate Plans to Relevant Stakeholders
       • SC-3.6 Develop Service Continuity Plan Training

  30. SC – Service Continuity
     • SC-4 Validate Service Continuity Plans
       • SC-4.1 Validate Plans to Requirements and Standards
       • SC-4.2 Identify and Resolve Plan Conflicts
     • SC-5 Exercise Plans
       • SC-5.1 Develop Testing Program and Standards
       • SC-5.2 Develop and Document Plan Exercises
       • SC-5.3 Exercise Plans
       • SC-5.4 Evaluate Plan Test Results
     • SC-6 Execute Plans
       • SC-6.1 Execute Plans
       • SC-6.2 Measure the Effectiveness of the Plan in Operation
     • SC-7 Maintain Service Continuity Plans
       • SC-7.1 Establish Change Criteria
       • SC-7.2 Maintain Changes to Plans

  31. Service Continuity Results: one organization’s data
     [Chart of the SC goals: Prepare, Identify Services, Develop Plans, Validate Plans, Exercise Plans, Execute Plans, Maintain Plans.]

  32. Incident Management & Control Results
     [Chart of the IMC goals: Establish Process, Detect Events, Analyze Events, Respond & Recover, Learn.]

  33. IMC – Incident Management & Control
     • IMC-1 Establish Incident Management and Control Process
       • IMC-1.1 Plan for Incident Management
       • IMC-1.2 Resource Incident Management Plan
     • IMC-2 Detect Events
       • IMC-2.1 Detect and Report Events
       • IMC-2.2 Log and Track Events
       • IMC-2.3 Collect, Document, and Preserve Event Evidence
       • IMC-2.4 Define and Maintain Incident Validation Criteria
     • IMC-3 Analyze Events
       • IMC-3.1 Triage Events
       • IMC-3.2 Analyze Events

  34. IMC – Incident Management & Control
     • IMC-4 Respond to and Recover from Incidents
       • IMC-4.1 Escalate Incidents
       • IMC-4.2 Develop Incident Response
       • IMC-4.3 Communicate Incidents
       • IMC-4.4 Close Incidents
     • IMC-5 Establish Incident Learning
       • IMC-5.1 Perform Post-Incident Review
       • IMC-5.2 Integrate with Problem Management Process
       • IMC-5.3 Translate Experience to Strategy

  35. Organizational Training & Awareness Results
     [Chart of the OTA goals: Establish Awareness Program, Conduct Awareness Activities, Establish Training Program, Conduct Training.]

  36. OTA – Organizational Training & Awareness
     • OTA-1 Establish Awareness Program
       • OTA-1.1 Establish Awareness Needs
       • OTA-1.2 Establish Awareness Training Plan
       • OTA-1.3 Establish Awareness Training Capability
     • OTA-2 Conduct Awareness Activities
       • OTA-2.1 Perform Awareness Activities
       • OTA-2.2 Establish Awareness Records
       • OTA-2.3 Assess Awareness Activity Effectiveness
     • OTA-3 Establish Resiliency Training Capability
       • OTA-3.1 Establish Resiliency Training Needs
       • OTA-3.2 Establish Resiliency Training Plan
       • OTA-3.3 Establish Resiliency Training Capability
     • OTA-4 Conduct Resiliency Training
       • OTA-4.1 Deliver Resiliency Training
       • OTA-4.2 Establish Resiliency Training Records
       • OTA-4.3 Assess Resiliency Training Effectiveness

  37. Risk Management Results
     [Chart of the RISK goals: Prepare, Establish Parameters, Identify Risk, Analyze Risk, Mitigate & Control Risk, Use Risk Info.]

  38. RISK – Risk Management
     • RISK-1 Prepare for Risk Management
       • RISK-1.1 Determine Risk Sources and Categories
       • RISK-1.2 Establish an Operational Risk Management Strategy
     • RISK-2 Establish Risk Parameters and Focus
       • RISK-2.1 Define Risk Parameters
       • RISK-2.2 Establish Risk Measurement Criteria
     • RISK-3 Identify Risk
       • RISK-3.1 Identify Asset-level Risks
       • RISK-3.2 Identify Service-level Risks

  39. RISK – Risk Management
     • RISK-4 Analyze Risk
       • RISK-4.1 Evaluate Risk
       • RISK-4.2 Categorize and Prioritize Risk
       • RISK-4.3 Assign Risk Disposition
     • RISK-5 Mitigate and Control Risk
       • RISK-5.1 Develop Risk Mitigation Plans
       • RISK-5.2 Implement Risk Strategies
     • RISK-6 Utilize Risk Information to Manage Resiliency
       • RISK-6.1 Review and Adjust Protection Strategies
       • RISK-6.2 Review and Adjust Sustainability Strategies

  40. People Management Results
     [Chart of the PM goals: Establish Key Personnel, Manage Risks to Availability, Manage Availability.]

  41. PM – People Management
     • PM-1 Establish Key Personnel
       • PM-1.1 Identify Key Personnel
     • PM-2 Manage Risks Associated with Personnel Availability
       • PM-2.1 Identify and Assess Personnel Risk
       • PM-2.2 Mitigate Personnel Risk
     • PM-3 Manage the Availability of Personnel
       • PM-3.1 Establish Redundancy for Key Personnel
       • PM-3.2 Perform Succession Planning
       • PM-3.3 Prepare for Redeployment
       • PM-3.4 Plan to Support Personnel During Disruptive Event
       • PM-3.5 Plan for Return-to-Work Considerations

  42. Benchmarking conclusions
     • Appraisal concepts work
       • Evidence requirement caused scrutiny & objectivity
       • Gradations of implementation provided insights unavailable from binary checklist approaches
       • Gap analysis to framework helps identify improvement opportunities
     • Comparative summary data is valuable
       • Gap analysis to peer data helps prioritize and justify improvement actions

  43. For more information
     • Charles Wallen, Charles.Wallen@fstc.org, www.fstc.org
     • Lisa Young, lry@cert.org, www.cert.org/resiliency_engineering

  44. The Financial Services Technology Consortium: Empowering the Industry Through Innovative Ideas. FSTC’s 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services. Industry Navigators

  45. FSTC’s 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services. Futurist Closing Luncheon Program, On the Horizon: The Future of Telecommunications and Banking. Industry Navigators
