Enterprise Resilience: What it is and why you need it

June 5, 2014

Rod Ratsma, Head of Resilience Advisory


Resilience and Introduction to BCM


Resilience – some definitions (Oxford English Dictionary)

“The ability of a substance or object to spring back into shape”

“The capacity to recover quickly from difficulties; toughness”


Resilience – why it’s important to you

If your responsibility lies in IT recovery,
− then you’re here because you understand the importance that IT as a dependency has to your organisation
− BUT information technology is just one of many dependencies, and IT recovery on its own isn’t enough to protect the entire set of business processes needed by an organisation

If your responsibility lies in business continuity management,
− you already understand the importance of full business process recovery
− BUT process recovery on its own isn’t enough, what about customers, brand, reputation, dependencies, supply chain

If you are a leader in your organisation,
− you understand that your business is subject to a number of risks
− you have options about how you can treat those risks, and your stakeholders have a (limited) tolerance for making your problems into their problems;
− AND it might well be you that has to deal with the fallout, both in terms of responsibility and (legal) consequences

It’s better that you are informed and seen as proactive


C-level execs: Disaster recovery is more than just an IT problem

One of the most challenging issues CIOs face is developing disaster recovery (DR) plans that go beyond system recovery and focus on overall business continuity. Is there a difference?

If you're a corporate shareholder, the (ITDR) process doesn't work that way. You want to know the business can continue, and if you serve on the company's board, you want to be able to assure people that the company is not in ruins. The mouthpiece for this process is the CEO and, in some cases, the public relations director -- not IT. In the beginning stages of DR, nothing is more important to the public and the stakeholders than communications

Source: Tech Republic May 2014

Enterprise resilience

Some thoughts from the media…


“Cyber security is no longer sufficient to ensure business sustainability. Yes, organizations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organization’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.”

“Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10 percent of the IT budget on security is no longer adequate to keep your organization in business.”

Source: Alan Calder, Executive Chairman of IT Governance, May 2014

Enterprise resilience

Some thoughts from the media


“Recovery capabilities are stagnating”

One of the biggest challenges in DR today is the pressure between business expectations for recovery objectives and technology management’s ability to deliver on them. In fact, 35% of companies in the 2013 Forrester/DRJ survey responded that mismatched business expectations with technology capabilities was one of the biggest challenges they faced when recovering from their most recent disaster or major business disruption.

Source: Forrester Research Inc., “The State of Business Technology Resiliency Q2 2014”.

Enterprise resilience

Some thoughts from the media


Your IT is resilient, but is your business resilient?

Context..

Systems and data recovery

Work area recovery


Who said this?

“When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident... of any sort worth speaking about.

I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”

E. J. Smith, 1907, Captain, RMS Titanic

A test for the unbelievers


BCM – Main Components


Business Continuity Management

What is business continuity management?

The ability to respond to the cause(s) of an incident, and to recover from the effect(s) of an incident

(and doing what you can to stop an incident from happening in the first place)


Business continuity management: The anatomy of an incident

[Figure: activity plotted against time, with three phases: incident response, crisis management, business and operational recovery]

Let’s imagine an incident right now!


Emergency response

Business continuity management

• Incident identification
• Initial escalation
• Initial assessment
• Initial actions
• First point of contact 24x7
• Contact with Emergency Services
• Evacuation and crowd control
• Safety of staff and other people
• Protection of assets
• Liaison and escalation to crisis management


Crisis management

Business continuity management

• Manage the organisation while it is in distress

• Protect the business, its reputation and its market share

• Make critical decisions regarding response and recovery

• Deal with stakeholders, the authorities and the media

• Internal and external communications

• Invoke and manage business recovery


Business and operational recovery strategies

Business continuity management

• Continue most critical activities
• Maintain market share
• Workarounds
• Most critical customers
• Alternative locations
• Alternative methods
• Pre-event actions
• Funding
• Access to data and systems
• Get back to normal


The vision

Business continuity management

‘A clear action plan that tells a senior manager exactly what needs to be done when he or she is standing in a car park at 6.30 in the morning looking at the spot where the building / plant / asset used to be …’


Recovery planning


Methodology

Recovery planning

Business impact analysis (BIA)

• What are the key business processes and value chains in your organisation? What and who do they depend upon? What are the impacts of failures of the value chains over time? What are the threats? What is the MTPoD / MAO of each value chain?

Recovery strategy development

• What strategies can be selected to recover a value chain if it fails for any reason in order to deliver MTPoD / MAO?

Plan development

• Develop recovery plans in accordance with these strategies

Maintain, update, rehearse

• Rehearse and maintain the plans

Programme management

• Establish a BCM oversight / policy / framework programme

Culture and awareness

• Embed BCM into company management systems and culture and increase staff awareness


Resilience: Why we all need it!

[Figure: performance plotted against time; labels: Resilience, Lucky escape, Failure!]


Some questions for you…


Some questions to think about….

Does your organisation have a fully tested and robust framework of business continuity management in place today?

− Site/scenario-based response plans

− Business-based crisis management plans

− Process- / value chain-based recovery strategies and plans

If you arrived at your normal place of work after this meeting, or after lunch, or tomorrow, and it was inaccessible, damaged or destroyed – would you know what to do?

If your building was evacuated tomorrow, people were hurt, and you found yourself in charge, would you know what to do?

What would be the effect on your business and its ownership of a significant disruption to production or supply of goods or services?

Is there a recent analysis to confirm that your regime of IT disaster recovery can fully support the needs of the business following a major incident?

Enterprise Resilience


Some questions to think about….

How would an inability to supply your customers for an extended period affect your brand, reputation and market share?

How bad would it be for your business if an incident made national or international news and it was perceived to be your fault?

Do you know which of your suppliers can affect your business the most?

Do you know which of your customers can affect your business the most?

Do you understand how your internal production and business units depend upon each other?

Is there somebody in your board room / management team / c-suite that has overall responsibility for risk management?

Does your organisation test its plans at least annually?

Enterprise Resilience


Our capabilities


IT infrastructure is just part of the puzzle

Resilience

Systems and data recovery

Work area recovery


The bigger picture?

Resilience

• Incident response
• Work area recovery
• Insurance
• Crisis management
• Systems and data recovery
• Drivers, benefits, ROI
• Risk management
• Operational recovery
• Business recovery
• Supply chain
• Brand and market share
• Infosec, cyber


How can we help you?

Phoenix's capabilities

Value chain and impact analysis

Gap analysis / benchmark / health check

Risk analysis (process / site)

Recovery strategy design

Recovery plan creation

Crisis management planning

Testing and rehearsing
− Desktop / simulation
− Crisis / recovery

Resilience framework design

Training and awareness

IT recovery planning

Information security risk

IT risk analysis

Supply chain risk management

Emergency response planning

BCMS software and automation – Shadow-Planner