The Revere Group - Making A Case For Disaster Recovery

© 2008—The Revere Group, an NTT Data Company. All rights reserved.

This proposal contains proprietary and confidential information and is being submitted solely for client evaluation purposes.© 2008—The Revere Group, an NTT Data Company. All rights reserved.

This proposal contains proprietary and confidential information and is being submitted solely for client evaluation purposes.

Making a Case for Disaster RecoveryBusiness Continuity & Disaster Recovery Planning

Chris A. Davis

Greg Clotfelter

Business Continuity & Security Management Practice

http://www.cfits.org/

http://www.cfits.org/




This proposal contains proprietary and confidential information and is being submitted solely for client evaluation purposes. 2

Agenda

1. Revere Overview

2. Introduction to BC & DR

3. BCP Objectives

4. Business Impact Analysis

5. Open Discussion and Q & A





A History of Revere Growth

CHICAGO

BOSTON

CHARLOTTE

MILWAUKEE

ORLANDO

1992

1999

1996

1994

2005

DENVER 2007

LOS ANGELES 2007

2007SAN FRANCISCO





The Revere Group’s Services

Operational Efficiency Interactive

Analytics and Collaboration

Enterprise Platforms Managed Services

IT StrategyOrganizational Change ManagementProcess OptimizationBusiness Continuity SecurityPlanningSupply Chain ManagementGovernance Compliance

Web StrategyInteractive DesignUsabilityWeb and InteractiveDevelopmentSocial Media E-CommerceCMSSEO

BusinessIntelligencePortals Workflow

LawsonMicrosoftOracle I PeopleSoftSAPJava/J2EEOpen Source

Application Management Infrastructure Management Database SupportManaged HostingIT DepartmentalOutsourcing





Trusted Advisor to Hundreds of Clients

Bank of America BB&TChase Bank CNL FinancialEquity InvestmentsFifth Third BankFort Dearborn Associates GunnAllen FinancialLexis NexisMitsubishi UFJ Securities The Northern Trust Company Trustco BankU.S. Bank Wachovia

Angus PalmAIT Worldwide LogisticsDB AviationFocus Products GroupHaworth Hub Group Kawasaki Masco CorporationNITCOPampered Chef PepsiAmericas, Inc. Rockwell CollinsSanta’s Best SPX CorporationToyota Motor Sales TTX WMS GamingZebra Technologies

AJ Gallagher AON BCBS Association BCBS of North Carolina BCBS of Tennessee CNA Insurance CUNA MutualFirst Penn Hannover Life ReHUB InternationalMarkel Insurance SUA InsuranceUnited HealthcareZurich Life/Chase

AuroraBellin HospitalBrookdale Senior LivingBriggs Medical Services CompanyCuraScriptsEvanston Northwestern HealthcareExtendicare Health ServicesFather Martin AshleyFlorida HospitalFroedtertGlobal Health DirectLoyola Physicians Foundation Memorial Healthcare SystemsNorthwestern Medical Faculty FoundationSt. Mary's HospitalThedacare University of Wisconsin Hospital & Clinics

Manufacturing, Distribution & Trade

InsuranceHealthcare Financial Services

Arch Communications Ameritech AnixterDuke Energy NicorSantee CooperSprint

Utilities

Ascent Media CBSLionsgate FilmsNBC UniversalNew Regency FilmsPlayboyScholastic Book PublishingScreen Actors GuildSony Pictures EntertainmentSun TimesUniversal Music Group

Media and Entertainment

Coca-Cola Company Culver's Family Dollar Stores Follett Kohl's Corporation Kraft Foods, Inc. Land of Nod Peapod ShopKo

Consumer Products

CoAdvantage Grant Thornton H & R Block Hewitt Associates, Inc. Illinois Facilities FundJefferson Wells International Lettuce Entertain You Enterprises Starcom MediaVest Group The BECO Group Verio

Services





Today’s Reality

“Only 38% of Fortune 1000 C-level executives surveyed in an independent study believe their companies are „very effective‟ at identifying and managing all potentially significant risks that could negatively impact business, operational or financial performance.” – based upon a survey commissioned by Protivity

Many enterprises mistakenly view business continuity management as an insurance

policy that they will never need to place a claim against because of their “it won‟t

happen to me” mentality.

Not all disasters are caused by external uncontrollable factors in fact 80% of all

declared disasters are internal to the organization.

“Well managed companies manage risk well.”

High-profile events such as the Sept. 11 attacks, the failures of firms such as Enron

and WorldCom, and the 14 August 2003 blackout in the U.S. Northeast and Canada

are focusing government and regulatory attention on changes in corporate

governance, transparency and wider issues of enterprise risk management. This

attention and these changes will affect business continuity management.





Early 1990’s and before… seen as synonymous

with IT Disaster Recovery

Fast forward to the evolution of e-commerce and

the real-time enterprise …. greater demands on

business continuity management, often driven by

external factors such as regulations

The Evolution of Business Continuity





Disaster Recovery and Business Continuity Perspective

Disaster Recovery

Planning

A comprehensive statement of

consistent actions to be taken

before, during, and after a disruptive

event that causes a significant loss

of information system resources

Just one part of…

Business Continuity

Planning

The process of making plans that will

ensure the critical business

functions can withstand a variety of

emergencies, hazards, and

vulnerabilities

Not just information technology, but all core

business functions

Not just catastrophic disasters, but all potential

causes of damage





Shift from Disaster Recovery to Business

Continuity Management

Business Continuity Management is a critical

concern for high level enterprise managers

Business Continuity Management is vital to

maintaining business reputation and investor

confidence

Business Continuity Management Today



10

DRJ 2007 Trends in Business Continuity Survey



11

―Well Managed Companies Manage Risk Well‖

0%

25%

50%

75%

100%

% of Firms With No

Disaster Plan Who

Survive Catastrophe

40% Never

Reopen40% Fail

Within 5 YearsOnly 20%

Survive!

Into Which

Category

Could Your

Firm Fall?



12

Billion Dollar US Weather Disasters 1980-2007





Business Continuity Objectives

The objectives of the BCP are to:1. Ensure that the organization and IT is prepared to:

Respond to emergencies or disruptive events

Recover from them in a timely manner

Mitigate their impacts before and after an event

2. Assure that each datacenter is prepared to activate the resumption and support of critical IT services.

3. Continue/resume time-sensitive business operations for the critical and essential application systems required to support business operations.

Business Continuity Planning is the advance preparation necessary to facilitate

executive command and control to minimize loss and ensure continuity of critical

business functions of the organization in the event of a disaster.





The objectives of the BCP Project are to:4. Provide ability to initiate restoration procedures of critical

computer processing and data communications capabilitiesquickly following a declared disaster.

5. Restore critical operating systems, application systems, businessfunctions and data communications according to the recoverytime objectives.

6. Achieve each of the above objectives in a timely, efficient, andcost effective manner.

7. Return to a permanent operating environment as quickly as possible.

8. Comply with Sarbanes-Oxley Section 404:

Requires companies to establish an infrastructure design to preserve and protect records from destruction, loss and unauthorized alteration or other misuse.

Business Continuity Objectives





Business and IT Relationships Relative to BCP

The Role of IT

Create adequate data quality and backup

processes, including offsite storage, or

hot-sites.

Establish adequate physical security

mechanisms to preserve vital network and

hardware components.

Set up methodologies (authentication,

authorization, etc.) for treatment of

sensitive data.

Administer systems, including up-to-date

inventory, software versions and patches,

and media storage.

Take leadership of the BCMP effort.

The Role of

the Business

Contribute important information about

criticality, tolerance, vulnerability

Establish how core business processes

can be performed at an alternative

location or using alternative systems

Make sure disaster communications

processes are in place, e.g., phone trees,

alerts, etc.

Ensure that BC liaisons have been

established.

Nominate 1st Response Team, Recovery

Team, Process Owners, and Reserve

Team Members.





Conducting a Business Impact AnalysisAn 11 step process…

1. To start, we need to collect information:

a) Identify Business Unit and IT Participants

b) Develop the questionnaire. The BIA is not an exercise in

“Yes” and “No” answers; the purpose is to draw information

from the source that is useful to the stated objectives.

c) Obtain updated organizational charts, workflow

diagrams, operating procedures, etc. that may assist in

establishing organizational structure and business unit

recovery priority.

d) Conduct interviews and collate questionnaire submissions






2. Identify the impact categories that are important to your

organization. It is important to capture both the quantitative (i.e. tangible) and

the qualitative (i.e. intangible) impacts. Choose impact levels

using the most significant peak period for each business

process/function. This may be at the end of a month, quarter or

year, or according to seasonal trends.

Establish a scale for quantifying the operational impacts. For

example, a scale of 1 – 4 could be used with the following

definitions: 1 = no impact, 2 = moderate impact, 3= serious impact

and 4 = severe impact. Another scale to consider would be using a

Low (L), Medium (M) or High (H) Impact scale for quantifying

the impacts over each time period.






3. Determine recovery point objectives (RPO’s). The

RPO is the amount of data required to recover to a

known point in time.

4. Determine recovery time objectives (RTO’s). Based

upon the financial and operational impacts, determine

the RTO. RTO’s are used as the basis for the

development of recovery strategies, and risk mitigation

techniques

5. Determine the recovery capacity objectives (RCO’s).

The RCO is the percentage of total capacity required to

resume operations at a minimal or temporary basis






6. Identify the intangible impacts that make up the

significant risk exposures to the organization. One

intangible impact may be that the organization will lose

employees and jeopardize recovery efforts if employees

aren’t paid in a timely manner.

7. Where possible, contracted service level agreements and

any associated penalties should be identified, along with

legal or regulatory penalties. Force majeure clauses

should be reviewed as well, as some insurance carriers

have specific guidelines designed to protect

organization.






8. Financial impacts to the organization as a result of process

unavailability can be applied to each function. The BIA seeks

to identify both direct and indirect financial impacts. Consider

the many types of revenue loss for the organization as some

may not truly be a loss but deferred income.






9. Develop the potential financial loss exposure: a) First, get the REVENUE figures for the last year by month. Take

the biggest revenue generating month and divide by the number of

work days.

b) Second, get the figures on EXPENSES per month (wages, rent,

fixed expenses, etc) and do the same thing.

c) Third, add in any potential REGULATORY FINES or anything else

that could be added. Understand that some revenue may be

recouped at different times, and some expenses will be higher

(especially if employees have to go to overtime to make up the

backlog for example), but it at least gives an example of a starting

point from which to further refine.

More on this in a moment, but first…






10. Analyze and document results, impact categories and

potential financial loss to confirm recovery priorities and

business unit recovery sequence.

11. Conduct workshops to gain consensus and validate responses,

especially the RTO’s, and communicate any ancillary benefits

to executive management, for example: streamlining

operations, identifying outdated technologies, unrealistic

spending, business process improvement, outsourcing

opportunities, single points of failure, etc.





“Back of the Envelope” Sample Loss Exposure

Taken from the 2007* Annual Report

REVENUE ≈ $6.15M

EXPENSES ≈ $6.91M

Annualized Loss Exposure ≈ $13M

Monthly ≈ $1.08M

Daily (assume 30 days) ≈ $ 36,000

Hourly (assume 24 hours) ≈ $1,500

Potential Financial Loss Exposures…

Average Loss/Hr

! Retail: $1.1M

! Insurance: $1.2M

! Financial: $1.3M

! Manufacturing: $1.5M

! Telecommunications: $2.0M



24

How to Get Started A FEW WAYS AN ORGANIZATION CAN START A SUCCESSFUL BUSINESS CONTINUITY MANAGEMENT PROGRAM

• Achieve Senior Management Buy-in - Enterprises with best business continuity and disaster recovery practices have a corporate culture espousing availability, an understanding of the costs associated with business process outages, and a realization that following a well-defined process when disaster strikes is significantly better (resulting in less downtime and costs) than trying to respond to an incident in crisis mode without the benefit of planning, coordination and testing.

• Perform an Informal Business Impact Analysis and Risk Assessment - Business continuity and disaster recovery planners should interview line-of-business (LOB) managers to determine the impact on business processes if specific sites or resources should become unavailable.

• Understand Current Efforts – Your organization may currently have a DR plan in place, or all too often, recovery procedures exist inside the heads of administrators. either of these is the case, it is important to understand several key characteristics of the current efforts, such as: when the last time a drill was executed, who ran the drill, was it successful, what were the lessons learned, and has it had any continued impact on the organization.

• Establish a BCP Strategy - Develop a go-forward roadmap for a successful process, business unit, IT, and executive sponsored initiatives. The strategy includes frameworks for methodology, information architecture, key performance indicators and project management.





Seasoned and Certified Project Team

John Janachowski

• BCP Project Manager: CBCP certified

• Infrastructure & Risk Mitigation

Mark Poytinger

• BCP Lead: MBCP certified

Meg Hall

• Project Management Office

• BCP

All Consultants have extensive experience planning and implementing BCP Projects and15-

25 years of industry experience

The Revere Group is an active corporate member of the Business Resumption Planners

Association

Dedicated Business Continuity Services practice with highly seasoned professionals

Ability to create a customized approach based on the ―best managed reality‖ – challenging

the status quo but realistic and achievable

The team has worked on numerous engagements together – proven team work, familiarity

and collaboration

Experience in both corporate and field settings

Our expertise extends beyond disaster recovery and business continuity planning to business

transformation

Mike Hughes

• Quality Assurance

Kelly McCann

• BCP

• Risk Assessment

Janet Dagys

• BCP & Security

• Certified Auditor





BCP Selected Clients

Bank of New York

Mortgage Guaranty Insurance Company

West Bend Mutual Insurance

National Specialty Insurance

HUB International

Froedert Hospital

ProVantage Health

ProHealth Care

American Dental Association

Schwarz Pharma

American National Power

Aqua America

Autoweb

Benz Metal Products

Chris Hansen Labs

GE Medical Systems

Charter Manufacturing

Mitsubishi Electric Automation

Uline Shipping Supply

ShopKo

Milwaukee Bucks

Idaho Dept. of Fish & Game

Claretians Missionaries

Financial Services Insurance

Healthcare

Utility

Technology Innovation

Manufacturing

Retail and Consumer

Government/Non-Profit





Conclusion – Q&A SessionDisasters Happen! Are you ready?

Questions ???

The Revere Group Contact Information:

Greg Clotfelter – [email protected]

Chris A. Davis – [email protected]

John Janachowski, Certified Business Continuity Professional

[email protected]

mailto:[email protected]



The Revere Group - Making A Case For Disaster Recovery

Business

Transcript of The Revere Group - Making A Case For Disaster Recovery