Patrick Corcoran, Global Business Development Executive Business Continuity & Resiliency Services (BCRS). Key Trends Driving Global Business Resilience and Risk. Agenda. What is Resiliency? Resiliency: The CIO perspective Moving forward: Building a comprehensive business resilience strategy
Agenda • What is Resiliency? • Resiliency: The CIO perspective • Moving forward: Building a comprehensive business resilience strategy • Regional Event Learnings
Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment. Business resilience helps organizations maintain continuous operations and protect their market share in the face of disruptions such as natural or man-made disasters. It requires the engagement of everyone in the organization and often means a change in corporate culture to instill awareness of risk. Business resilience planning is distinguished from enterprise risk management (ERM) in that it is more likely to build capacity to seize opportunities created by unexpected events.
As budgets shrink and service level requirements increase, our business becomes even more vulnerable to data loss. • Changing environment • Expanding risk exposures • Increased global and regional interdependencies • Supply chain disruption • More complex regulations • Changing industry and regulatory standards • Geographic dispersal requirements • Varying regulations per country • Impact of coping with the financial turmoil • Loss of critical personnel • Loss of key knowledge • Reduction in attention to significance of risk • Reduction in testing recovery plans • Heightened impact of business disruption • Greater financial implications of downtime • Brand vulnerabilities • Data integrity requirements Disaster recovery and business continuity is one of the top IT spending priorities for many businesses.
The continuous flow of information is inseparable from the operational performance of the business. The Facts: • Information technology is often at the epicenter of how a firm interacts with its clients • Information technology is always a lever to produce highly efficient supply chains, operations and workflows • In combination, these two dynamics generate an explosive growth of managed data The Implications: • Business resilience and information risk management are commonly on the agenda of the board of directors • Firms must assess: Are we compliant? Are we reliable? Can we be trusted? • Firms must decide how resilient they wish to be – contextualized in the availability, security and recoverability of their business operations • Firms must evaluate the extent to which competitive advantage or disadvantage is influenced by their chosen resilience standing
We see both risks and opportunities affecting firms' business resilience needs. [Chart: risks plotted by frequency of occurrences per year (1,000 down to 1/100,000; frequent to infrequent) against consequences (single occurrence loss) in dollars per occurrence (US$1,000 to US$100,000,000; low to high), grouped as data driven, business driven and event driven. Risks shown: Viruses, Data corruption, Disk failures, Worms, Long term preservation, Data growth, Application outages, System availability failures, Governance, Audits, Network problems, New products, Failure to meet industry standards, Regulatory compliance, Terrorism/civil unrest, Marketing campaigns, Building fires, Workplace inaccessibility, Regional power failures, Mergers and acquisitions, Natural disasters, Pandemics.] Source: IBM
But there are many other events that have caused business disruptions/outages that don’t make headlines, but can be just as costly: A/C Failure, Acid Leak, Asbestos, Bomb Threat, Bomb Blast, Brown Out, Burst Pipe, Cable Cut, Chemical Spill, CO Fire, Coffee Machine, Condensation, Construction, Coolant Leak, Cooling Tower Leak, Corrupted Data, Diesel Generator, Earthquake, Electrical Short, Epidemic, Evacuation, Explosion, Fire, Flood, Fraud, Frozen Pipes, Hacker, Hail Storm, Halon Discharge, Human Error, Humidity, Hurricane, HVAC Failure, H/W Error, Ice Storm, Insects, Lightning, Logic Bomb, Lost Data, Low Voltage, Microwave Fade, Network Failure, Pandemic, PCB Contamination, Plane Crash, Power Grid Outage, Power Outage, Power Spike, Power Surge, Programmer Error, Raw Sewage, Relocation Delay, Rodents, Roof Cave In, Sabotage, Shotgun Blast, Shredded Data, Sick building, Smoke Damage, Smoke from Restaurant, Snow Storm, Sprinkler Discharge, Static Electricity, Strike Action, Swimming Pool Leak, S/W Error, S/W Ransom, Terrorism, Theft, Toilet Overflow, Tornado, Train Derailment, Transformer Fire, UPS Failure, Vandalism, Vehicle Crash, Virus, Water (Various), Wind Storm, Volcano / Volcano Ash. Source: Contingency Planning Research, Inc. and IBM
Who cares about resiliency? • 71% of CIOs are concerned about risk management and compliance • It takes 18 months for data generated to double in size • 53% of organizations would experience significant revenue loss or other adverse business impact after 1 hour of downtime • Technology users expect 100% availability of their applications and their information Source: Enterprise Strategy Group, April 2011
IT plays a critical role in developing resilience strategy. IT plays a major part in building resilience. [Chart: respondents agreeing with each statement] • Senior IT execs expected to play strong role in developing strategy • Business resilience is joint responsibility of all C-level executives • CIO collaborates with top IT strategists more frequently • Risk contingency planning assigned to separate specialists • IT function engaged in most decisions involving business risk • CIO has overall responsibility for business resiliency strategy • Business continuity seen as primarily IT issue • Business resilience not seen as role of senior executives “IT is a big part of our risk management because nothing can be done without it these days.” Kris Wiluan, CEO, KS Energy Services Limited Source: 2011 Q7. Do you agree or disagree with the following statements regarding the roles of different players in your organization's risk management strategy? (Agree only.)
To date, companies have focused heavily on creating their resilience and risk plans — and putting supporting technologies and processes in place. • Create a business continuity plan • Invest in new risk-related IT solutions • Establish company-wide risk management team • Discuss issues with supply-chain partners • Assign overall responsibility to a single executive • Develop communications or training program • Respond to recent natural disasters by rethinking strategies • Develop integrated business resilience strategy • Engage external advisors “What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.” Lee Garvin, Director, Risk Management, JetBlue
Risk concerns for IT leaders span a range of issues. In 2010 and 2011, IBM surveyed 560 IT managers and CIOs about how IT continuity was evolving. In the past 12 months, what kinds of risk issues has your company dealt with? • IT security: 78% • Hardware and system malfunction: 63% • Power failure: 50% • Physical security: 40% • Theft: 28% • Product quality issues: 25% • Federal compliance issues: 22% • Natural disaster: 17% • E-discovery requests: 13% • Supply chain breakdown: 11% • Terrorism activity: 6% Matches survey results from Forrester Research. Source: 2010 IBM Global IT Risk Study: The evolving role of IT managers and CIOs
More companies are embracing the need for a well-crafted business resilience plan - and a risk management function. [Chart: respondents answering Agree, Disagree or Neither to each statement] • Well-crafted and communicated plan • No formal plan, but plan to develop one • No formal risk management function “What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.” Lee Garvin, Director, Risk Management, JetBlue Study comparison: Only 30% of respondents in this year’s study indicated they had no formal risk management function, compared to 42% in the 2010 study. Source: Q1. Do you agree or disagree with the following statements regarding your organization’s IT risk management? Study comparison: 2010 IBM Global IT Risk Study
Compared to their competitors, respondents viewed themselves as better able to handle predictable resilience and risk events. [Chart: respondents rating their organization Stronger, Same, Weaker or Don’t know in each area] • Maintain business operations in physical disaster • Prevent unauthorized access to proprietary data • Maintain operations during a pandemic • Adapt rapidly to crisis • Align contingency plans with changing risks • Reliably retrieve archived data to meet legal requirements • Seize unexpected opportunities • Minimize losses from unexpected events Because of its impact on the business as a whole, a crucial area for improvement is the ability to seize unexpected opportunities. An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management. Source: Q4. In your opinion, how does your organization compare with its closest competitors in the following areas?
Study results revealed an opportunity for companies to further hone their competitive edge by integrating business continuity and risk management. [Chart: respondents rating their organization Stronger, Same, Weaker or Don’t know in each area] • IT infrastructure supports business growth • Sees value of business continuity as part of risk mgmt • Profitability • Market share • Revenue growth Even though organizations have strategies for business resilience and risk management, they may not be integrating and leveraging those strategies for business advantage. “Companies with a robust ERM program have lower losses, fewer embarrassing events and a better reputation.” Yousef Valine, Chief Risk Officer, First Horizon National Corporation Source: Q9. How does your organization compare to its closest competitors in the following areas?
Organizations expect their business resilience and risk management spending will continue to increase on a par with previous increases. [Chart: change in spending, up to now / next 3 years] • Increase significantly: 14% / 14% • Increase: 47% / 51% • Stay the same: 33% / 31% • Decrease: 4% / 4% • Decrease significantly: 1% / 1% 65% of organizations expect their business resilience and risk management spending to increase in the next three years. “My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.” Yousef Valine, Chief Risk Officer, First Horizon National Corporation Source: Q3. How has your organization changed its degree of spending on initiatives to improve business resilience?
A projected increase in the role played by non-IT functions may be related to the increase in emphasis on strategy integration and training. [Chart: involvement up to now and over the next 3 years] • CIO • IT professionals • Other C-level execs • Legal • Board members • Employees • Partners “Detecting risk has to happen at the point where the behavior is occurring.” Dr. Barbara Reynolds, Senior Advisor, Risk Communication, Centers for Disease Control and Prevention (CDC) Source: Q6a. Over the next three years, what is the expected level of involvement for the following people in your organization's risk management or business resilience strategy? (Very involved or involved.) Study comparison: 2010 IBM Global IT Risk Study
Identifying the roadblocks: Silos and budgets can impede the adoption of a holistic approach to business resilience. • Lack of buy-in from employees — 4% • Lack of understanding about emerging technologies — 8% • Lack of understanding about best practices — 9% • Silos within the organization — 28% • Lack of C-level vision and commitment — 14% • Budget limitations — 20% • Inability to predict ROI from improvements — 17% Study comparison: 2010 top challenges: • Implementing necessary procedures • Securing budget • Obtaining full risk picture from depts Source: Q10. What is the biggest single barrier to implementing a holistic approach to business resilience planning?
Leverage the findings of the IBM Global Business Resilience and Risk Study in your organization. Recommendations: • An integrated approach to business resilience and risk management offers a significant business opportunity for organizations of all sizes • Appointing a single individual with overall business resilience and risk management responsibility is essential to integration success • Input should be sought from throughout the enterprise — including employees and partners • Focus should be on the business impact and business opportunity. Recovery is a subset of the resiliency plan • Cloud technologies have matured significantly and now have the potential to deliver significant business resilience benefits • The newly integrated business resilience and risk management strategy can be levered to seize unexpected opportunities and deliver measurable business value “An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.” 2011 IBM Global Business Resilience and Risk Study report
Risk mitigation strategies. [Diagram: business driven, data driven and event driven risks addressed across the layers Strategy, Organization, Processes, Applications and Data, Technology and Facilities to achieve business resilience] A resilient framework helps identify areas of risks and vulnerabilities, and allows a company or organization to develop an enterprise resiliency roadmap.
Headline events often mobilize our clients to pause and reflect on their current IT resilience standing...
Lessons Learned from Regional Events. Events create other events … domino effect. Japan: earthquake => tsunami => nuclear plant damage => power problems => supply chain problems … Hurricanes => Flooding => Mud/Landslides => Power Outages … • Human issues • Will people be available? How about their families? Financial assistance? • Communications issues • Communicating with, supporting and mobilizing employees, customers and suppliers, the press and the public at large • Community issues • Fulfilling responsibilities to host communities • Infrastructure issues • Anticipating how roads, travel and power supplies might be affected • Vulnerability of sites • Business issues • Keeping business processes running • Managing insurance claims • Disaster plan currency • Keeping plans up to date and well tested • Availability of data and hardware To learn more about lessons learned from regional disasters, listen to the following webinar: http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars
IBM delivers unsurpassed geographic scope, combined with expertise of local, regional, and global needs/regulations. • Over 160 data centers globally • 100 percent recovery for IBM clients who have declared a disaster (over 800) • More than 1,875 professionals dedicated to business continuity and resiliency • More than 9,000 disaster recovery clients • More than 10,000 client rehearsals per year • More than 50 years' experience helping clients with their backup and disaster recovery needs • Over 800 client declarations supported since 1989 • Scalable, end-to-end, cloud-based data backup and recovery solutions • Five million square feet of floor space for disaster recovery, with 40,000 seats
Business continuity and resiliency is about… • Protecting your enterprise • Mitigating business and support issues • Increasing your competitive advantage • Protecting brand reputation • Enabling seamless, continuous business transactions • Exploiting market opportunities
Questions? Jay Shah jshah@championsg.com