Post on 26-Apr-2018
Organisational Resilience
ISACA Melbourne Chapter
13 August 2013
© 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.
Agenda
► Emergence of Organisational Resilience (Org Res)
► Our Resilience research
► Attributes of resilient organisations
► Resilience and service continuity
► Practical approaches to resilience
Emergence of Organisational Resilience
Emergence of Organisational Resilience: Experiences at the edge of survival
► What is Resilience?
► Is it toughness?
► Flexibility?
► Ingenuity?
► ... Or something else?
► Three experiences at the edge of survival ... is there a pattern?
Emergence of Organisational Resilience: Volatility, velocity, visibility
► Volatility of the economic and demographic environment
► Velocity of innovation and information
► Visibility into everything that organisations do
Emergence of Organisational Resilience: Economic & demographic volatility
Financial uncertainty and instability
Emerging middle class in developing markets
Scarcity / imbalance of resources / political instability
Complexity of networks
Intensification of global competition
Plans need to be aggressive but risk-adjusted
Emergence of Organisational Resilience: Velocity of innovation and information
Speed to market
Market awareness and responsiveness is crucial
Virtual world with access to information anywhere anytime
Innovation is expected
Brand movement
60% of global population with access to smart devices by 2030
Knowledge of alternatives
Need to be able to move quickly and carefully
Emergence of Organisational Resilience: Visibility into everything
Unprecedented access to information
Global village causing blurred lines
Visibility is global
For the informed customer everything is contextual
Need to be authentic
Accountability
Unrestricted global boundaries
Sustainability
Reputation needs to be real and managed
Emergence of Organisational Resilience: The opportunity
► These forces create enormous opportunities and daunting challenges for government and business.
► Risks and opportunities must be carefully balanced:
► Grow and profit / manage costs
► Protect performance
► Innovate continuously
► Optimise performance
► All these elements are uniquely combined in the organisational resilience approach.
► Unlike traditional approaches, OR balances these “protect”-focused and “perform”-focused approaches and strategies.
Emergence of Organisational Resilience: ‘Perform / Protect’ Matrix
► There are many strategies and approaches to select from which align with and support organisational resilience
► Select “perform”- and “protect”-focused strategies and approaches consistent with the organisational context, internal and external.
Figure: The Perform / Protect Matrix (image not reproduced)
Emergence of Organisational Resilience: Preparing organisations for the unforeseen
► OR helps businesses prepare for unforeseen risks, or those that, due to the complexity of external and internal conditions, are considered unforeseeable.
► Traditional approaches (such as risk management) tend to focus on risks that are foreseeable, even if highly unlikely.
► In this way OR deals with the whole universe of ‘unforeseeable’ and ‘foreseeable’ risks.
► Events of the past decade and a half have increased sensitivity to unforeseeable risk and the appetite to deal with it.
Emergence of Organisational Resilience: Compared to Business Continuity Management
► Business Continuity Management (BCM) is continuous, risk-based, proactive management for the continuation of critical business functions and the recovery of people, processes and technology from business disruptions, in an optimised and sustainable manner.
Emergence of Organisational Resilience: Much more than preparing for disasters...
► BCM primarily focuses on enabling organisations to react: responding to operational disruptions (people, process & technology) when they occur.
► Risk management enables organisations to resist disruptive influences (internal and external) that can disrupt BAU and the achievement of corporate goals.
► OR focuses on all three elements of a continuum of risk and opportunity: resisting disruption to BAU, reacting to shocks, and reshaping competitive environments through disruptive innovation.
Our Resilience research
Our Organisational Resilience research: Federal and state-based initiatives for OR
► Trusted Information Sharing Network (TISN) (2001-present)
► ‘National Security Statement’ (2008)
► ‘National Disaster Resilience Strategy’ (2009)
► ‘Victorian Emergency Management Reform White Paper’ (2012)
► Community / Collaboration / Capability
► All hazards for agencies
► ‘A Roadmap for Victorian Critical Infrastructure Resilience’ (2012)
► ‘Strong and Secure – A Strategy for Australia’s National Security’ (2013)
Our Organisational Resilience research: With the Commonwealth Attorney-General’s Department
► ‘Critical Infrastructure Resilience Strategy’ (2010), led by the Commonwealth Attorney-General’s Department
► A value proposition for OR for business and society was needed
► 2012-13 research with the Commonwealth Attorney-General’s Department: ‘Organisational Resilience: The relationship with risk related corporate strategies’ (2013)
Attributes of resilient organisations
Attributes of resilient organisations: Leadership | Networks | Culture | Change Readiness
► Our research identified four key attributes of resilient organisations:
► Resilience Leadership
► Resilience Networks
► Resilience Culture
► Change Readiness
Resilience and IT service continuity
Resilience and IT service continuity: The ‘resilience continuum’
Resilience and IT service continuity: IT service continuity and Security Program Management (SPM)
Figure: integrated security program model (image not reproduced). Its components:
► Key business drivers and external challenges, overseen by Governance and Internal Audit
► Business-level performance
► Security risk governance & risk management: compliance; reporting and metrics; risk culture; policy framework
► Mandate, people and organization: strategy and architecture; operations and integration; awareness and training
► Security methods and processes: identity and access; human resources; threat and vulnerability; asset; information, data and privacy; business continuity and disaster recovery; incident; operations and engineering; third party; logging and monitoring; communications; physical and environmental security
► Security technology enablement: applications; data; infrastructure
► Integrated capabilities, delivered as an integrated security program
Resilience and IT service continuity: IT Service Continuity Management Lifecycle
1. Diagnose (needs): identifies the current state and infrastructure readiness.
2. Assess (risks): identifies risks, then analyses and evaluates the appropriateness of the risk controls.
3. Analyse (impacts): identifies the key products and services and their critical activities.
4. Design (solutions): identifies strategies and alternate workarounds for the IT services and systems to meet the continuity objectives.
5. Build (capability): develops appropriate arrangements and infrastructure capabilities.
6. Validate (capability): validates the adequacy and currency of the IT SCM plans through testing and reviewing.
7. Sustain (capability): sustains IT SCM capability through reviewing, updating, exercising, promoting and embedding an IT SCM culture.
Resilience and IT service continuity: Business Impact Assessment (BIA)
Figure: BIA timeline (image not reproduced). Left to right: last backup or replication → disruptive event → systems and resources unavailable → system and resources recovery (recover from last backup and backlog, if any) → back to operation → acceptable operation.
► RPO (recovery point objective) spans from the last backup or replication to the disruptive event; it bounds the lost data (data loss).
► RTO (recovery time objective) spans from the disruptive event to back to operation; it bounds the time systems and resources are unavailable (service loss).
Resilience and IT service continuity: Business Critical Path
Link the business process to the underlying application and technical infrastructure dependencies (server pool, network pool, storage pool).
Criticality tiers by recovery time:
► Mission Critical: zero to <=24 hours
► Critical: >24 hours and <=120 hours
► Essential: >120 hours
Figure: business critical path (image not reproduced). The diagram lays the following business functions and their processes along the disaster continuity timeline against the three tiers:
► A&F: Treasury: Client Wires; Corporate Wires; Cash Settlements; Check Voids/Stops; Roll Wires; Client ACH File Verification
► Margin: Trade Extension Filing; Margin Call Resolution; Check and Wire Approval; Insite Reporting
► Imaging: Processing checks, wires, ACH and journals from retirement accounts; Qualified Plan Document Generation
► Service Center: Incoming Advisor Calls; Business Processing; Responding to emails
► Advisory Account: Advisory Performance
► Advisory Operations: Advisory Fee Billing; Manager Select Account Termination
► Compliance: Advisory; Surveillance; FACS Supervision; HOS; Registration; AML
► Client Reporting: Statement Production; Confirmation Production; Quarterly Performance Production; Letter Production
► Tax Reporting: Statement Production; BranchNet Cost Basis Update File; ADP Transporter
► Stock Record: Stock Record Reconciliation
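The BIA timeline and the business critical path tiers above are arithmetic on timestamps, but the point practitioners most often miss is that a shared infrastructure pool inherits the tightest RTO and RPO of every process that depends on it, so a storage pool used by one Mission Critical process is itself Mission Critical. The Python below is an added worked example, not code from the original slides or from EY: the process and function names follow the slide's groups, while the RTO/RPO figures, application names, pool names and the sample outage are constructed for the illustration.

```python
"""Worked BIA example: RTO/RPO outcomes for an outage and criticality tiers
inherited by shared infrastructure.  Constructed example, not from the slides."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


def tier_for_rto(rto_hours: float) -> str:
    """Map a recovery time objective onto the slide's three tiers
    (bounds are inclusive exactly as the slide states them)."""
    if rto_hours <= 24:
        return "Mission Critical"   # zero to <=24 hours
    if rto_hours <= 120:
        return "Critical"           # >24 hours and <=120 hours
    return "Essential"              # >120 hours


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    function: str               # business function that owns the process
    rto_hours: float            # maximum tolerable service loss
    rpo_hours: float            # maximum tolerable data loss
    depends_on: Tuple[str, ...]  # applications / infrastructure pools required


@dataclass(frozen=True)
class Outage:
    last_backup: datetime        # last backup or replication point
    event: datetime              # the disruptive event
    back_to_operation: datetime  # systems and resources recovered


def data_loss_hours(o: Outage) -> float:
    """Data lost = everything written between the last backup and the event."""
    return (o.event - o.last_backup).total_seconds() / 3600


def service_loss_hours(o: Outage) -> float:
    """Service lost = time from the event until back to operation."""
    return (o.back_to_operation - o.event).total_seconds() / 3600


def assess(p: BusinessProcess, o: Outage) -> dict:
    """Compare the actual data and service loss of an outage with the
    process's RPO and RTO and flag any breach."""
    dl, sl = data_loss_hours(o), service_loss_hours(o)
    return {
        "process": p.name,
        "tier": tier_for_rto(p.rto_hours),
        "data_loss_hours": dl,
        "service_loss_hours": sl,
        "rpo_breached": dl > p.rpo_hours,
        "rto_breached": sl > p.rto_hours,
    }


def pool_recovery_targets(processes: List[BusinessProcess]) -> Dict[str, dict]:
    """Each dependency inherits the tightest RTO/RPO of its dependants: the
    recovery target of a pool is the minimum over every process using it."""
    targets: Dict[str, dict] = {}
    for p in processes:
        for dep in p.depends_on:
            t = targets.setdefault(dep, {"rto_hours": float("inf"),
                                         "rpo_hours": float("inf"),
                                         "dependants": []})
            t["rto_hours"] = min(t["rto_hours"], p.rto_hours)
            t["rpo_hours"] = min(t["rpo_hours"], p.rpo_hours)
            t["dependants"].append(p.name)
    for t in targets.values():
        t["tier"] = tier_for_rto(t["rto_hours"])
    return targets


# Constructed inventory: names follow the slide's function groups, the
# objectives, application names and dependencies are invented.
PROCESSES = [
    BusinessProcess("Client Wires", "A&F: Treasury", 4, 1,
                    ("payments-app", "server-pool", "network-pool", "storage-pool")),
    BusinessProcess("Margin Call Resolution", "Margin", 24, 4,
                    ("margin-app", "server-pool", "storage-pool")),
    BusinessProcess("Statement Production", "Client Reporting", 72, 24,
                    ("reporting-app", "storage-pool")),
    BusinessProcess("Stock Record Reconciliation", "Stock Record", 168, 24,
                    ("ledger-app", "storage-pool")),
]

# Constructed outage: 02:00 backup, 09:30 event, back up at 03:30 next day.
SAMPLE_OUTAGE = Outage(
    last_backup=datetime(2013, 8, 13, 2, 0),
    event=datetime(2013, 8, 13, 9, 30),
    back_to_operation=datetime(2013, 8, 14, 3, 30),
)

if __name__ == "__main__":
    for p in PROCESSES:
        print(assess(p, SAMPLE_OUTAGE))
    for pool, t in sorted(pool_recovery_targets(PROCESSES).items()):
        print(f"{pool}: {t['tier']} (RTO {t['rto_hours']}h, RPO {t['rpo_hours']}h)")
```

Running it shows the failure mode the slide's tiering is meant to catch: the sample outage is 7.5 hours of data loss and 18 hours of service loss, which breaches both objectives of Client Wires and the RPO of Margin Call Resolution while leaving the Critical and Essential processes within target; and because Client Wires depends on the shared storage pool, that pool has to be recovered to a 4-hour RTO and 1-hour RPO regardless of the longer objectives of its other dependants.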
Resilience and IT service continuity: Service Continuity Strategy Development
Figure: strategy development inputs (image not reproduced). The disaster recovery strategy (high-level investment; roadmap and timeline) sits alongside the following inputs and constraints:
► Business strategy and impact
► Enterprise risk
► Guiding principles
► Infrastructure strategy
► Current strategy gaps
► Total cost of ownership
► Technical dependency
► Sourcing alternatives: in-source; co-location; outsourcing; managed hosting; cloud services
► Constraints: business; technology; people
Resilience and IT service continuity: An IT resilience approach to service continuity
Resilience and IT service continuity: Resilience through the technology stack
Practical approaches to resilience: Thoughts to consider, discuss and act upon
► Need for a resilience approach (volatility, velocity, visibility)
► Take a practical and pragmatic, good-practice approach
► Be commercial, seek solutions that ‘leverage’
► Disrupt, measure, communicate, improve
► Be prepared to evangelise, within reason
Thank You
The views expressed in this presentation are those of Alex Serrano MBA MBCI, and do not necessarily represent the views of EY.