Enterprise Resilience – What it is and why you need it
June 5, 2014
Rod Ratsma, Head of Resilience Advisory

Resilience – some definitions (Oxford English Dictionary)
“The ability of a substance or object to spring back into shape”
“The capacity to recover quickly from difficulties; toughness”
Resilience – why it’s important to you

If your responsibility lies in IT recovery:
• you’re here because you understand how important IT is as a dependency of your organisation
• BUT information technology is just one of many dependencies, and IT recovery on its own isn’t enough to protect the full set of business processes an organisation needs

If your responsibility lies in business continuity management:
• you already understand the importance of full business process recovery
• BUT process recovery on its own isn’t enough: what about customers, brand, reputation, dependencies and the supply chain?

If you are a leader in your organisation:
• you understand that your business is subject to a number of risks
• you have options for how you treat those risks, and your stakeholders have a (limited) tolerance for your problems becoming their problems
• AND it might well be you that has to deal with the fallout, both in terms of responsibility and (legal) consequences

It’s better that you are informed and seen as proactive.
Enterprise resilience – some thoughts from the media

“C-level execs: Disaster recovery is more than just an IT problem. One of the most challenging issues CIOs face is developing disaster recovery (DR) plans that go beyond system recovery and focus on overall business continuity. Is there a difference? If you're a corporate shareholder, the (ITDR) process doesn't work that way. You want to know the business can continue, and if you serve on the company's board, you want to be able to assure people that the company is not in ruins. The mouthpiece for this process is the CEO and, in some cases, the public relations director -- not IT. In the beginning stages of DR, nothing is more important to the public and the stakeholders than communications.”
Source: Tech Republic, May 2014

“Cyber security is no longer sufficient to ensure business sustainability. Yes, organizations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organization’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.”
“Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10 percent of the IT budget on security is no longer adequate to keep your organization in business.”
Source: Alan Calder, Executive Chairman of IT Governance, May 2014

“Recovery capabilities are stagnating. One of the biggest challenges in DR today is the pressure between business expectations for recovery objectives and technology management’s ability to deliver on them. In fact, 35% of companies in the 2013 Forrester/DRJ survey responded that mismatched business expectations with technology capabilities was one of the biggest challenges they faced when recovering from their most recent disaster or major business disruption.”
Source: Forrester Research Inc., “The State of Business Technology Resiliency, Q2 2014”
Context: your IT is resilient, but is your business resilient?
[Diagram: work area recovery; systems and data recovery]
A test for the unbelievers – who said this?

“When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident... of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”

E. J. Smith, 1907, Captain, RMS Titanic
Business continuity management – what is it?

The ability to respond to the cause(s) of an incident and to recover from the effect(s) of an incident (and doing what you can to stop an incident from happening in the first place).
Business continuity management – the anatomy of an incident

Let’s imagine an incident right now!

Emergency response
• Incident identification
• Initial escalation
• Initial assessment
• Initial actions
• First point of contact 24x7
• Contact with emergency services
• Evacuation and crowd control
• Safety of staff and other people
• Protection of assets
• Liaison and escalation to crisis management

Crisis management
• Manage the organisation while it is in distress
• Protect the business, its reputation and its market share
• Make critical decisions regarding response and recovery
• Deal with stakeholders, the authorities and the media
• Internal and external communications
• Invoke and manage business recovery

Business and operational recovery strategies
• Continue the most critical activities
• Maintain market share
• Workarounds
• Most critical customers
• Alternative locations
• Alternative methods
• Pre-event actions
• Funding
• Access to data and systems
• Get back to normal
Business continuity management – the vision

‘A clear action plan that tells a senior manager exactly what needs to be done when he or she is standing in a car park at 6.30 in the morning looking at the spot where the building / plant / asset used to be …’
Recovery planning – methodology

1. Business impact analysis (BIA)
• What are the key business processes and value chains in your organisation? What and who do they depend upon? What are the impacts of failures of the value chains over time? What are the threats? What is the MTPoD / MAO of each value chain?

2. Recovery strategy development
• What strategies can be selected to recover a value chain if it fails for any reason, in order to deliver the MTPoD / MAO?

3. Plan development
• Develop recovery plans in accordance with these strategies

4. Maintain, update, rehearse
• Rehearse and maintain the plans

5. Programme management
• Establish a BCM oversight / policy / framework programme

6. Culture and awareness
• Embed BCM into company management systems and culture, and increase staff awareness
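The BIA and strategy-development steps above turn into a concrete check once you write the dependencies down: a value chain cannot be back before the IT systems, sites and suppliers it depends on are back, so the recovery time the selected strategies can actually deliver is the longest dependency path beneath it, and that figure has to be compared with the MTPoD / MAO from the BIA. The following is an added worked example, not material from the original presentation or from Phoenix; the organisation, value chains, dependencies and hour figures are constructed for illustration, and the sequential recovery model (a node's own restore starts only after its dependencies are available) is an assumption chosen to be conservative.

```python
"""Added example: BIA gap check over a value-chain dependency graph.

Nodes are value chains and the things they depend on (IT systems, sites,
suppliers, other value chains).  Each node carries the recovery time in
hours that its selected strategy delivers once everything it depends on
is available.  Value chains also carry the MTPoD / MAO from the BIA.
All names and figures are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    rto_hours: float                      # time to restore this node itself
    depends_on: List[str] = field(default_factory=list)
    mtpod_hours: Optional[float] = None   # set only on value chains


Graph = Dict[str, Node]


def achievable_recovery(graph: Graph, name: str, _stack: Tuple[str, ...] = ()) -> float:
    """Worst-case hours until `name` is usable again.

    Assumed (conservative) model: a node's own restore starts only after all
    of its dependencies are back, so times add along the critical path.
    Circular or unknown dependencies raise instead of yielding a number.
    """
    if name in _stack:
        raise ValueError("circular dependency: " + " -> ".join(_stack + (name,)))
    if name not in graph:
        referrer = _stack[-1] if _stack else "(top level)"
        raise ValueError(f"unknown dependency {name!r} referenced by {referrer!r}")
    node = graph[name]
    deps = max((achievable_recovery(graph, d, _stack + (name,)) for d in node.depends_on),
               default=0.0)
    return node.rto_hours + deps


def critical_path(graph: Graph, name: str) -> List[str]:
    """The dependency chain that sets the recovery time of `name`."""
    path = [name]
    while graph[path[-1]].depends_on:
        deps = graph[path[-1]].depends_on
        path.append(max(deps, key=lambda d: achievable_recovery(graph, d)))
    return path


def gap_report(graph: Graph) -> List[dict]:
    """One row per value chain (node with an MTPoD), worst gap first.

    gap_hours > 0 means the selected strategies cannot meet the MTPoD; the
    critical path shows which dependency to treat first.
    """
    rows = []
    for node in graph.values():
        if node.mtpod_hours is None:
            continue
        achievable = achievable_recovery(graph, node.name)
        rows.append({
            "value_chain": node.name,
            "mtpod_hours": node.mtpod_hours,
            "achievable_hours": achievable,
            "gap_hours": achievable - node.mtpod_hours,
            "critical_path": critical_path(graph, node.name),
        })
    rows.sort(key=lambda r: r["gap_hours"], reverse=True)
    return rows


def build_graph(nodes: List[Node]) -> Graph:
    return {n.name: n for n in nodes}


# Constructed sample organisation (not real data).
SAMPLE = build_graph([
    # Value chains with the MTPoD agreed in the BIA
    Node("Order fulfilment", 4, ["ERP", "Warehouse site", "Courier supplier"], mtpod_hours=24),
    Node("Customer billing", 2, ["ERP", "Payment gateway"], mtpod_hours=48),
    Node("Customer support", 1, ["CRM", "Telephony"], mtpod_hours=8),
    # Dependencies with the recovery time their current strategy delivers
    Node("ERP", 6, ["Database cluster", "Identity provider"]),
    Node("CRM", 4, ["Identity provider"]),
    Node("Database cluster", 12),       # restore from off-site backup
    Node("Identity provider", 2),       # replicated, fail over
    Node("Warehouse site", 8),          # pre-contracted alternate site
    Node("Courier supplier", 4),        # alternate courier on standby
    Node("Payment gateway", 36),        # third party, no alternate provider
    Node("Telephony", 12),              # single provider, manual re-route
])


if __name__ == "__main__":
    for row in gap_report(SAMPLE):
        status = "GAP" if row["gap_hours"] > 0 else "ok"
        print(f"{status:3} {row['value_chain']:18} achievable {row['achievable_hours']:5.1f}h "
              f"vs MTPoD {row['mtpod_hours']:5.1f}h via {' -> '.join(row['critical_path'])}")
```

In the sample, "Customer support" misses its 8-hour MTPoD by 5 hours, and the critical path points at telephony rather than at any IT system, which is the point of the slides: an IT disaster recovery regime that meets every system RTO can still leave a value chain outside its tolerance. Replace the constructed graph with the outputs of your own BIA and re-run it whenever a strategy, supplier or dependency changes.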
Resilience – why we all need it!
[Chart: performance over time following an incident, showing three outcomes: resilience, lucky escape, failure!]
Enterprise resilience – some questions to think about…

Does your organisation have a fully tested and robust framework of business continuity management in place today?
• Site/scenario-based response plans
• Business-based crisis management plans
• Process- / value chain-based recovery strategies and plans

• If you arrived at your normal place of work after this meeting, or after lunch, or tomorrow, and it was inaccessible, damaged or destroyed, would you know what to do?
• If your building was evacuated tomorrow, people were hurt, and you found yourself in charge, would you know what to do?
• What would be the effect on your business and its ownership of a significant disruption to production or supply of goods or services?
• Is there a recent analysis to confirm that your regime of IT disaster recovery can fully support the needs of the business following a major incident?
• How would an inability to supply your customers for an extended period affect your brand, reputation and market share?
• How bad would it be for your business if an incident made national or international news and it was perceived to be your fault?
• Do you know which of your suppliers can affect your business the most?
• Do you know which of your customers can affect your business the most?
• Do you understand how your internal production and business units depend upon each other?
• Is there somebody in your board room / management team / C-suite that has overall responsibility for risk management?
• Does your organisation test its plans at least annually?
Resilience – IT infrastructure is just part of the puzzle
[Diagram: work area recovery; systems and data recovery]

Resilience – the bigger picture
[Diagram of the wider resilience landscape: infosec and cyber; incident response; brand and market share; supply chain; work area recovery; crisis management; risk management; business recovery; operational recovery; systems and data recovery; insurance; drivers, benefits, ROI]
Phoenix's capabilities – how can we help you?
• Value chain and impact analysis
• Gap analysis / benchmark / health check
• Risk analysis (process / site)
• Recovery strategy design
• Recovery plan creation
• Crisis management planning
• Testing and rehearsing: desktop / simulation; crisis / recovery
• Resilience framework design
• Training and awareness
• IT recovery planning
• Information security risk
• IT risk analysis
• Supply chain risk management
• Emergency response planning
• BCMS software and automation – Shadow-Planner
Thank you
Rod.Ratsma@phoenix.co.uk
01604 419 402