The Revere Group - Making A Case For Disaster Recovery
Transcript of The Revere Group - Making A Case For Disaster Recovery
© 2008—The Revere Group, an NTT Data Company. All rights reserved.
This proposal contains proprietary and confidential information and is being submitted solely for client evaluation purposes.
Making a Case for Disaster Recovery
Business Continuity & Disaster Recovery Planning
Chris A. Davis
Greg Clotfelter
Business Continuity & Security Management Practice
Agenda
1. Revere Overview
2. Introduction to BC & DR
3. BCP Objectives
4. Business Impact Analysis
5. Open Discussion and Q & A
A History of Revere Growth
[Map of office openings. Cities: Chicago, Boston, Charlotte, Milwaukee, Orlando; years shown: 1992, 1999, 1996, 1994, 2005. Denver 2007, Los Angeles 2007, San Francisco 2007.]
The Revere Group’s Services
Operational Efficiency: IT Strategy, Organizational Change Management, Process Optimization, Business Continuity Security Planning, Supply Chain Management, Governance Compliance
Interactive: Web Strategy, Interactive Design, Usability, Web and Interactive Development, Social Media, E-Commerce, CMS, SEO
Analytics and Collaboration: Business Intelligence, Portals, Workflow
Enterprise Platforms: Lawson, Microsoft, Oracle | PeopleSoft, SAP, Java/J2EE, Open Source
Managed Services: Application Management, Infrastructure Management, Database Support, Managed Hosting, IT Departmental Outsourcing
Trusted Advisor to Hundreds of Clients
Financial Services: Bank of America; BB&T; Chase Bank; CNL Financial; Equity Investments; Fifth Third Bank; Fort Dearborn Associates; GunnAllen Financial; Lexis Nexis; Mitsubishi UFJ Securities; The Northern Trust Company; Trustco Bank; U.S. Bank; Wachovia
Manufacturing, Distribution & Trade: Angus Palm; AIT Worldwide Logistics; DB Aviation; Focus Products Group; Haworth; Hub Group; Kawasaki; Masco Corporation; NITCO; Pampered Chef; PepsiAmericas, Inc.; Rockwell Collins; Santa’s Best; SPX Corporation; Toyota Motor Sales; TTX; WMS Gaming; Zebra Technologies
Insurance: AJ Gallagher; AON; BCBS Association; BCBS of North Carolina; BCBS of Tennessee; CNA Insurance; CUNA Mutual; First Penn; Hannover Life Re; HUB International; Markel Insurance; SUA Insurance; United Healthcare; Zurich Life/Chase
Healthcare: Aurora; Bellin Hospital; Brookdale Senior Living; Briggs Medical Services Company; CuraScripts; Evanston Northwestern Healthcare; Extendicare Health Services; Father Martin Ashley; Florida Hospital; Froedtert; Global Health Direct; Loyola Physicians Foundation; Memorial Healthcare Systems; Northwestern Medical Faculty Foundation; St. Mary's Hospital; Thedacare; University of Wisconsin Hospital & Clinics
Utilities: Arch Communications; Ameritech; Anixter; Duke Energy; Nicor; Santee Cooper; Sprint
Media and Entertainment: Ascent Media; CBS; Lionsgate Films; NBC Universal; New Regency Films; Playboy; Scholastic Book Publishing; Screen Actors Guild; Sony Pictures Entertainment; Sun Times; Universal Music Group
Consumer Products: Coca-Cola Company; Culver's; Family Dollar Stores; Follett; Kohl's Corporation; Kraft Foods, Inc.; Land of Nod; Peapod; ShopKo
Services: CoAdvantage; Grant Thornton; H & R Block; Hewitt Associates, Inc.; Illinois Facilities Fund; Jefferson Wells International; Lettuce Entertain You Enterprises; Starcom MediaVest Group; The BECO Group; Verio
Today’s Reality
“Only 38% of Fortune 1000 C-level executives surveyed in an independent study believe their companies are ‘very effective’ at identifying and managing all potentially significant risks that could negatively impact business, operational or financial performance.” – based upon a survey commissioned by Protiviti
Many enterprises mistakenly view business continuity management as an insurance policy that they will never need to place a claim against because of their “it won’t happen to me” mentality.
Not all disasters are caused by external, uncontrollable factors; in fact, 80% of all declared disasters are internal to the organization.
“Well managed companies manage risk well.”
High-profile events such as the Sept. 11 attacks, the failures of firms such as Enron and WorldCom, and the 14 August 2003 blackout in the U.S. Northeast and Canada are focusing government and regulatory attention on changes in corporate governance, transparency and wider issues of enterprise risk management. This attention and these changes will affect business continuity management.
The Evolution of Business Continuity
Early 1990s and before… seen as synonymous with IT Disaster Recovery
Fast forward to the evolution of e-commerce and the real-time enterprise… greater demands on business continuity management, often driven by external factors such as regulations
Disaster Recovery and Business Continuity Perspective
Disaster Recovery Planning: A comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information system resources
Just one part of…
Business Continuity Planning: The process of making plans that will ensure the critical business functions can withstand a variety of emergencies, hazards, and vulnerabilities
Not just information technology, but all core business functions
Not just catastrophic disasters, but all potential causes of damage
Business Continuity Management Today
Shift from Disaster Recovery to Business Continuity Management
Business Continuity Management is a critical concern for high level enterprise managers
Business Continuity Management is vital to maintaining business reputation and investor confidence
DRJ 2007 Trends in Business Continuity Survey
“Well Managed Companies Manage Risk Well”
[Chart: % of firms with no disaster plan who survive catastrophe. 40% never reopen; 40% fail within 5 years; only 20% survive.]
Into which category could your firm fall?
Billion Dollar US Weather Disasters 1980-2007
Business Continuity Objectives
The objectives of the BCP are to:
1. Ensure that the organization and IT are prepared to:
• Respond to emergencies or disruptive events
• Recover from them in a timely manner
• Mitigate their impacts before and after an event
2. Assure that each datacenter is prepared to activate the resumption and support of critical IT services.
3. Continue/resume time-sensitive business operations for the critical and essential application systems required to support business operations.
Business Continuity Planning is the advance preparation necessary to facilitate executive command and control to minimize loss and ensure continuity of critical business functions of the organization in the event of a disaster.
Business Continuity Objectives
The objectives of the BCP Project are to:
4. Provide ability to initiate restoration procedures of critical computer processing and data communications capabilities quickly following a declared disaster.
5. Restore critical operating systems, application systems, business functions and data communications according to the recovery time objectives.
6. Achieve each of the above objectives in a timely, efficient, and cost effective manner.
7. Return to a permanent operating environment as quickly as possible.
8. Comply with Sarbanes-Oxley Section 404:
Requires companies to establish an infrastructure design to preserve and protect records from destruction, loss and unauthorized alteration or other misuse.
Business and IT Relationships Relative to BCP
The Role of IT
• Create adequate data quality and backup processes, including offsite storage, or hot-sites.
• Establish adequate physical security mechanisms to preserve vital network and hardware components.
• Set up methodologies (authentication, authorization, etc.) for treatment of sensitive data.
• Administer systems, including up-to-date inventory, software versions and patches, and media storage.
• Take leadership of the BCMP effort.
The Role of the Business
• Contribute important information about criticality, tolerance, vulnerability.
• Establish how core business processes can be performed at an alternative location or using alternative systems.
• Make sure disaster communications processes are in place, e.g., phone trees, alerts, etc.
• Ensure that BC liaisons have been established.
• Nominate 1st Response Team, Recovery Team, Process Owners, and Reserve Team Members.
Conducting a Business Impact Analysis
An 11 step process…
1. To start, we need to collect information:
a) Identify Business Unit and IT Participants
b) Develop the questionnaire. The BIA is not an exercise in “Yes” and “No” answers; the purpose is to draw information from the source that is useful to the stated objectives.
c) Obtain updated organizational charts, workflow diagrams, operating procedures, etc. that may assist in establishing organizational structure and business unit recovery priority.
d) Conduct interviews and collate questionnaire submissions
2. Identify the impact categories that are important to your organization. It is important to capture both the quantitative (i.e. tangible) and the qualitative (i.e. intangible) impacts. Choose impact levels using the most significant peak period for each business process/function. This may be at the end of a month, quarter or year, or according to seasonal trends.
Establish a scale for quantifying the operational impacts. For example, a scale of 1 – 4 could be used with the following definitions: 1 = no impact, 2 = moderate impact, 3 = serious impact and 4 = severe impact. Another scale to consider would be using a Low (L), Medium (M) or High (H) Impact scale for quantifying the impacts over each time period.
3. Determine recovery point objectives (RPOs). The RPO is the amount of data required to recover to a known point in time.
4. Determine recovery time objectives (RTOs). Based upon the financial and operational impacts, determine the RTO. RTOs are used as the basis for the development of recovery strategies and risk mitigation techniques.
5. Determine the recovery capacity objectives (RCOs). The RCO is the percentage of total capacity required to resume operations on a minimal or temporary basis.
6. Identify the intangible impacts that make up the significant risk exposures to the organization. One intangible impact may be that the organization will lose employees and jeopardize recovery efforts if employees aren’t paid in a timely manner.
7. Where possible, contracted service level agreements and any associated penalties should be identified, along with legal or regulatory penalties. Force majeure clauses should be reviewed as well, as some insurance carriers have specific guidelines designed to protect the organization.
8. Financial impacts to the organization as a result of process unavailability can be applied to each function. The BIA seeks to identify both direct and indirect financial impacts. Consider the many types of revenue loss for the organization, as some may not truly be a loss but deferred income.
9. Develop the potential financial loss exposure:
a) First, get the REVENUE figures for the last year by month. Take the biggest revenue generating month and divide by the number of work days.
b) Second, get the figures on EXPENSES per month (wages, rent, fixed expenses, etc.) and do the same thing.
c) Third, add in any potential REGULATORY FINES or anything else that could be added. Understand that some revenue may be recouped at different times, and some expenses will be higher (especially if employees have to go to overtime to make up the backlog, for example), but it at least gives an example of a starting point from which to further refine.
More on this in a moment, but first…
10. Analyze and document results, impact categories and potential financial loss to confirm recovery priorities and business unit recovery sequence.
11. Conduct workshops to gain consensus and validate responses, especially the RTOs, and communicate any ancillary benefits to executive management, for example: streamlining operations, identifying outdated technologies, unrealistic spending, business process improvement, outsourcing opportunities, single points of failure, etc.
“Back of the Envelope” Sample Loss Exposure
Taken from the 2007* Annual Report
REVENUE ≈ $6.15M
EXPENSES ≈ $6.91M
Annualized Loss Exposure ≈ $13M
Monthly ≈ $1.08M
Daily (assume 30 days) ≈ $36,000
Hourly (assume 24 hours) ≈ $1,500
Potential Financial Loss Exposures…
Average Loss/Hr
• Retail: $1.1M
• Insurance: $1.2M
• Financial: $1.3M
• Manufacturing: $1.5M
• Telecommunications: $2.0M
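The step 9 estimate and the back-of-the-envelope breakdown above, worked as an added example that is not part of the original presentation. The monthly figures and function names are constructed for illustration, and expenses are assumed to use their own peak month divided by that month's work days.

```python
from dataclasses import dataclass


@dataclass
class MonthFigures:
    """One month of last year's figures (hypothetical record type)."""
    month: str
    revenue: float
    expenses: float
    work_days: int


# Constructed sample data, not taken from any annual report.
SAMPLE_MONTHS = [
    MonthFigures("Jan", 410_000, 520_000, 22),
    MonthFigures("Mar", 480_000, 616_000, 22),
    MonthFigures("Dec", 660_000, 590_000, 22),
]


def daily_loss_exposure(months, regulatory_fines_per_day=0.0):
    """Step 9 a)-c): peak-month revenue and expenses per work day, plus fines.

    Assumption: "do the same thing" for expenses means taking the
    highest-expense month and dividing by that month's work days.
    """
    if not months:
        raise ValueError("need at least one month of figures")
    if any(m.work_days <= 0 for m in months):
        raise ValueError("work_days must be positive")
    peak_rev = max(months, key=lambda m: m.revenue)
    peak_exp = max(months, key=lambda m: m.expenses)
    revenue_per_day = peak_rev.revenue / peak_rev.work_days
    expenses_per_day = peak_exp.expenses / peak_exp.work_days
    return {
        "peak_revenue_month": peak_rev.month,
        "peak_expense_month": peak_exp.month,
        "revenue_per_day": revenue_per_day,
        "expenses_per_day": expenses_per_day,
        "total_per_day": revenue_per_day + expenses_per_day
        + regulatory_fines_per_day,
    }


def envelope_breakdown(annual_revenue, annual_expenses,
                       days_per_month=30, hours_per_day=24):
    """The slide's shortcut: annual -> monthly -> daily -> hourly."""
    annual = annual_revenue + annual_expenses
    monthly = annual / 12
    daily = monthly / days_per_month
    hourly = daily / hours_per_day
    return {"annual": annual, "monthly": monthly,
            "daily": daily, "hourly": hourly}


def outage_exposure(hourly_loss, rto_hours):
    """Exposure accumulated if recovery takes the full RTO (in hours)."""
    if rto_hours < 0:
        raise ValueError("rto_hours must not be negative")
    return hourly_loss * rto_hours


if __name__ == "__main__":
    print(daily_loss_exposure(SAMPLE_MONTHS, regulatory_fines_per_day=2_000))
    slide = envelope_breakdown(6.15e6, 6.91e6)  # figures from the slide
    print({k: round(v) for k, v in slide.items()})
    print(outage_exposure(slide["hourly"], rto_hours=8))
```

The peak-month method divides by work days, while the slide's shortcut divides by 30 calendar days and 24 hours, so the two estimates differ for the same books.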
How to Get Started
A FEW WAYS AN ORGANIZATION CAN START A SUCCESSFUL BUSINESS CONTINUITY MANAGEMENT PROGRAM
• Achieve Senior Management Buy-in - Enterprises with best business continuity and disaster recovery practices have a corporate culture espousing availability, an understanding of the costs associated with business process outages, and a realization that following a well-defined process when disaster strikes is significantly better (resulting in less downtime and costs) than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing.
• Perform an Informal Business Impact Analysis and Risk Assessment - Business continuity and disaster recovery planners should interview line-of-business (LOB) managers to determine the impact on business processes if specific sites or resources should become unavailable.
• Understand Current Efforts - Your organization may currently have a DR plan in place, or all too often, recovery procedures exist inside the heads of administrators. If either of these is the case, it is important to understand several key characteristics of the current efforts, such as: when the last drill was executed, who ran the drill, was it successful, what were the lessons learned, and has it had any continued impact on the organization.
• Establish a BCP Strategy - Develop a go-forward roadmap for a successful process, business unit, IT, and executive sponsored initiatives. The strategy includes frameworks for methodology, information architecture, key performance indicators and project management.
Seasoned and Certified Project Team
John Janachowski
• BCP Project Manager: CBCP certified
• Infrastructure & Risk Mitigation
Mark Poytinger
• BCP Lead: MBCP certified
Meg Hall
• Project Management Office
• BCP
Mike Hughes
• Quality Assurance
Kelly McCann
• BCP
• Risk Assessment
Janet Dagys
• BCP & Security
• Certified Auditor
All Consultants have extensive experience planning and implementing BCP Projects and 15-25 years of industry experience
The Revere Group is an active corporate member of the Business Resumption Planners Association
Dedicated Business Continuity Services practice with highly seasoned professionals
Ability to create a customized approach based on the “best managed reality” – challenging the status quo but realistic and achievable
The team has worked on numerous engagements together – proven team work, familiarity and collaboration
Experience in both corporate and field settings
Our expertise extends beyond disaster recovery and business continuity planning to business transformation
BCP Selected Clients
Bank of New York
Mortgage Guaranty Insurance Company
West Bend Mutual Insurance
National Specialty Insurance
HUB International
Froedert Hospital
ProVantage Health
ProHealth Care
American Dental Association
Schwarz Pharma
American National Power
Aqua America
Autoweb
Benz Metal Products
Chris Hansen Labs
GE Medical Systems
Charter Manufacturing
Mitsubishi Electric Automation
Uline Shipping Supply
ShopKo
Milwaukee Bucks
Idaho Dept. of Fish & Game
Claretians Missionaries
Industries represented: Financial Services, Insurance, Healthcare, Utility, Technology Innovation, Manufacturing, Retail and Consumer, Government/Non-Profit
Conclusion – Q&A Session
Disasters Happen! Are you ready?
Questions?
The Revere Group Contact Information:
Greg Clotfelter – [email protected]
Chris A. Davis – [email protected]
John Janachowski, Certified Business Continuity Professional