Earthquake and Hurricane in the Northeast: Time to Rethink our Assumptions on Risk

Richard Cocchiara, CTO, IBM Business Continuity & Resiliency Services

IBM Global Technology Services

© 2012 IBM Corporation

Page 1

Earthquake and Hurricane in the Northeast: Time to Rethink our Assumptions on Risk

Richard Cocchiara, CTO, IBM Business Continuity & Resiliency Services

IBM Global Technology Services

© 2012 IBM Corporation

Page 2

IBM Business Continuity and Resiliency Services

April 16‐18, 2012 • Talking Stick Resort • Scottsdale, Arizona


Agenda for today’s session

2011 in review

The state of business resilience today

Taking a holistic approach

The future of business resilience and the role of cloud

Barriers to cloud adoption and considerations when selecting a cloud services provider

Observations and recommendations

Page 3

The increasingly connected world has magnified the impact on every aspect of life, including its disruptions

Personal information leaks have cost millions of dollars, led to class action lawsuits, and damaged corporate reputation

The Iceland volcanic eruption cost airlines $1.7 billion with more than 10 million people affected

Visitors to Japan dropped 60% in April

Hosting provider service outages affect PaaS and SaaS for other vendors

90% of WW BT resin supply stopped

WW car production was down 20-30% for some major auto manufacturers during April and May

Figure labels: BT Resin Shortage; Mobile Circuit Production Issue; Decreasing Tourism; Airlines Discontinuation; WW impact to Car Production; Personal Information Stolen; Class Action Lawsuit; Downstream Service Provider Disruption; Car Parts Shortage; Nuclear Plant Explosion; Platform Outage; Flight Cancellation; Earthquake and Tsunami; Game site attacked by hacker; Servers shut down by human error; Volcano

Page 4

Globally and in the U.S., economic losses from all types of natural disasters are escalating rapidly; 2011 was a record year

Chart: Economic cost of natural disasters worldwide. Data labels: $115B, 2005; $190B, 2010; $280B, 2011

Chart: Number of U.S. weather/climate disasters with economic impact greater than $1B. Categories: 1980s (avg per yr); 1990s (avg per yr); 2000s (avg per yr); 2010; 2011. Count labels: 3.8, 4.6, 4, 1.2, 12. Cost labels: $8B, $14B*, $33B**, $8B, $52B

*Hurricane Andrew $27B **Hurricane Katrina $125B; Hurricane Rita $16B; Hurricane Wilma $16; Hurricane Ike $27B Sources: National Oceanic and Atmospheric Association (NOAA); Münchener Rückversicherungs-Gesellschaft, Geo Risks Research, NatCatSERVICE

Page 5

U.S. implications: regional disasters had national scope and large metro areas like NYC were threatened like never before

In one three-day stretch in April, 343 tornadoes struck from Alabama to Virginia

Precipitation in the Ohio Valley exceeded normal levels by 300%, causing flooding along the Mississippi River

Drought-fueled wildfires burned more than a million acres (400,000 hectares) in Texas alone

Hurricane Irene made 3 landfalls, with torrential rainfall and severe flooding; evacuation orders covered 2.3M people

Photos: ISC Newsroom; Scott Olson/Getty Images; agreenliving.org; Reuters

Page 6

2011 saw an unprecedented number of large-scale U.S. weather-related events that cost at least $1 billion each

Drought, heat wave, spring/fall

Wildfires, spring/fall $1 billion

Flooding, summer $2 billion

Flooding, spring/summer $4 billion

Tornadoes, July $1+ billion

Tornadoes, June $1+ billion

Tornadoes, April $2.2 billion

$10 billion $9.1 billion $10.2 billion

$7.3 billion

Blizzard, Jan/Feb $1.8 billion

Tornadoes, May

Tornadoes, April

Tornadoes, April $3 billion

Tornadoes, April $2.1 billion

Hurricane, August

Tropical storm, Sept. $1+ billion

Source: National Oceanic and Atmospheric Association (NOAA)

Page 7

Orange County, NY Director of Operations Richard Mayfield described Irene's effect in one word: "Devastating"

Main St., Washingtonville, Orange County, NY

Page 8

Protecting your business against downtime and disruptions is crucial for competing in today’s marketplace

Would your company survive a major outage?

Why you are increasingly vulnerable:

Increasingly high volumes of data, applications

Geographically-dispersed facilities

Evolving industry and government regulations

Expectations and demands from stakeholders

Why a robust resilience solution:

Support continuous data and operational availability

Improve your competitive position and reputation

Improve operational efficiency

Reduce risk

Page 9

Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment

Business resilience helps organizations maintain continuous operations and protect their market share in the face of disruptions such as natural or man-made disasters.

It requires the engagement of everyone in the organization and often means a change in corporate culture to instill awareness of risk.

Business resilience planning is distinguished from enterprise risk management (ERM) in that it is more likely to build capacity to seize opportunities created by unexpected events.


Page 10

The 2011 IBM risk study showed that companies value the need for risk management planning and execution

Risk management on the rise: In the 2010 study, 42% said they had no formal risk management function.

Chart: responses (Disagree / Neither / Agree) to three statements: "Well-crafted and communicated plan"; "No formal plan, but plan to develop one"; "No formal risk management function". Data labels: 53%, 29%, 18%; 30%, 53%, 17%; 30%, 59%, 11%. Legend: 2011, 2010

Source: 2011 IBM Global Business Resilience and Risk Study. Study comparison: 2010 IBM Global IT Risk Study

Page 11

From traditional challenges … to better outcomes

Foundational capabilities: Integrated risk management | End-to-end security | Business continuity and resiliency

Effective risk management requires a holistic approach to better manage risk, security and compliance across the enterprise

Ever-increasing security and resiliency threats

Security breaches and business disruptions are mitigated automatically

Unexpected downtime that throttles business performance

Continuous business operations are maintained with a responsive and highly available infrastructure

Inability to meet regulatory and industry requirements associated with security and resiliency

Regulatory and industry requirements are addressed with confidence

Page 12

Align and integrate IT risk into the business’ enterprise risk management framework

Identify key threats and compliance mandates

Implement and enforce a risk management process and common controls framework

Execute incident management processes when crises occur

Risk management governance methodology

Start with a plan that takes a structured approach to assessing business and IT risks

Page 13

Organizations need a comprehensive approach to achieving resilience that extends across the enterprise

Resilience Framework

Links IT service delivery to business objectives with an expected level of service

Provides a holistic view of IT service delivery and links the impact of the risk to business value

Provides a model for defining and integrating IT service delivery elements to achieve target service levels and risk tolerances

The ability to deliver total resilience is no greater than the minimum resilience capability at any one of the layers — “the weakest link in the chain”

Business driven

Data driven

Event driven

Strategy and vision

Organization

Process

Applications and data

Technology

Facilities

Page 14

The need to protect applications and data is the overriding concern for most organizations

What constitutes an organization’s business resilience strategy?

Data and application security: 85%

Data protection: 79%

Infrastructure security: 77%

Security governance and risk management: 75%

Identity and access management: 74%

Compliance management: 69%

Source: 2011 IBM Global Business Resilience and Risk Study

Page 15

Of course, not all applications and data require the same levels of recovery, or the same level of investment

Chart: Recovery Point Objectives (RPO) & Recovery Time Objective (RTO). Horizontal axis: Minutes, Hours, Days. Vertical axis: Cost, Higher to Lower

Recovery categories: Continuous Availability; Multi-Site Failover / Fallback; Active Secondary Site; Point-in-Time Backup to Tape / Disk

PiT or SW Data Replication: RPO > 15 min., RTO= 4+ hours, Manual

Server/Workload/Network/Data Automatic Site Switch: RPO=Near zero, RTO <1Hr. to 4 hours, Automatic

Disk or Tape Data Mirroring: RPO=Near Zero, RTO <1Hr. to 4 hours, Manual

Server/Workload/Network/Data SYSPLEX: RPO=near zero, RTO <1min, Automatic

Data Base Log Replication & Host Log Apply at Remote: RPO=4+ hours, RTO=8 to 24 hours, Manual

Electronic Tape Vaulting: RPO<24 hours, RTO=8-24 hours

Hot Site & Tape: RTO=>24 hours, RPO=24 hours

Tape, HW ATOD: RTO=Days, RPO>24 hours

Page 16

Cloud computing-based resiliency offers an attractive alternative to traditional disaster recovery in terms of cost and performance

Syndicated hardware

Dedicated hardware

Cloud computing

Disaster recovery

Shared recovery model

Business continuity

Traditional recovery model

Business resiliency

Virtualized model

IT: proactive; Business: proactive; Recovery time: seconds or always up

IT: proactive; Business: reactive; Recovery time: minutes or hours

IT: reactive; Business: none; Recovery time: days or weeks

Page 17

A range of cloud resiliency solutions are available to meet the varied needs of mission- and business-critical applications

Figure labels: System and Data Restore (imported media); System and Data Mirroring; System and Data Failover; Availability; Application Performance; Data archiving and retrieval; Retention; Data Compliance; Data backup and recovery; Application continuity / recovery

Page 18

In the 2010 IBM Global IT Risk Study, cloud for business resilience and risk management was viewed as risky

Study comparison: 2010 perceptions of cloud

A full 77% of 2010 study respondents viewed cloud as somewhat to extremely risky

Chart categories: Extremely risky/risky; Somewhat risky; Moderately/not at all risky. Data labels: 42%, 35%, 42%

Source: 2010 IBM Global IT Risk Study

Page 19

In our 2011 study, we’re seeing that organizations are still cautious, but that they see the value of moving to cloud

Offers promise once technical and security issues have been addressed — 28%

Benefits outweigh the risks — 21%

Data security risks are too great — 21%

Key strategic aspect of risk management — 18%

Traditional methods are best — 6%

IT execs will never give up control of data assets — 5%

Study comparison: 2011 perceptions of cloud

Source: 2011 IBM Global Business Resilience and Risk Study

Page 20

Here are some of the potential barriers to the adoption of cloud-based disaster recovery

Concerns about security, compliance, and control issues in the cloud

Questions about whether applications will seamlessly run in a cloud environment

Perception that there isn't a trusted vendor in the market offering the service

Concerns over bandwidth requirements

Lack of buy-in from either IT or business leadership or decision-makers

To learn more, see the results of a recent study conducted by Forrester Research: Cloud-Based Disaster Recovery Barriers And Drivers

Page 21

By selecting a trusted cloud-based disaster recovery service provider, you can move beyond the barriers to cloud adoption

Web portal access with fail-over and fail-back capability facilitates improved control by DR professionals

Built-in support for disaster recovery testing builds confidence and refines DR plans

Tiered service levels optimize application recovery times

Support for mixed and virtualized server environments improves control

Global reach and local presence enable bandwidth savings

Support for migration from and co-existence with traditional disaster recovery methods eases transition

Page 22

Observations and recommendations

Cloud computing is a disruptive change to the way IT services are delivered, backed up and restored

Without a strategy, Cloud computing can be seen as a threat to the IT team

With a strategy, Cloud computing is a huge opportunity for the CIO and IT team

Page 23

Thank You!

ibm.com/services/continuity