Importance ofBusiness Continuity &Risk ManagementJorge.sebastiao@its.ws

AgendaBusiness Continuity Planning and Disaster Recovery PlanningBritish Standard on BC - BS25999BCPRisk ManagementProcess and Best PracticesBusiness Value

Views of BCP and Risk Management Business ViewService and ContinuityCustomer FocusManaging RisksOperation Risk Controls AuditingGovernance & ComplianceIT InfrastructureDisaster RecoveryHigh Availability

Business Continuity ManagementTo counteract interruptions to business activitiesTo protect critical business processes from the effects of major failures or disasters“2 out of 5 companiesthat experience a disasterwill go out of business within 5 years”- Gartner

The cost of ignoring it too high

ThreatsCyber terrorismVirusesEnvironmentalThreatsUnexpected(“OOPS” factor)NaturalDisastersIndustrialEspionage

Business RisksFinancial lossIntellectualcapitalPublicImage/TrustLitigationBusinessRisksLegislativeviolationsEmployee & customer privacy

Examples - 1

Examples - 2

Threats to AvailabilityDATA CORRUPTIONAPPLICATION FAILURECOMPONENT FAILUREHUMAN ERRORMAINTENANCESITE OUTAGE

Can you afford it?Charles Schwab & Co.24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs.Upgrades/Operator ErrorsCost: ???; Announced that it hadmade a $70 million new infrastructure investment.eBay12 June 1999 outage: 22 hrs.Operating System failureCost: $3 million to $5 million revenue hit26% decline in stock priceCauses of Unplanned Application DowntimeDev. Bank of Singapore1 July 1999 to August 1999: Processing ErrorsIncorrect debiting of POS due to a system overloadCost: Embarrassment/loss of integrity; interest chargesAT&T13 April 1998 outage: 6 to 26 hrs.Software UpgradeCost: $40 million in rebatesForced to file SLAs with the FCC (frame relay)OperatorErrors40% ApplicationFailures40%TechnologyFailures20%Hershey FoodsSeptember 1999 system failuresApplication RolloutCost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98MCIAugust 1999 frame relay outage: 10 daysSoftware UpgradeCost: Up to 20 days free service to 3,000 enterprises

Sources of DisasterSurvey of Disasters

Why should you care?Avoiding complete loss of organizationAvoidRevenue LossDamage to ReputationProductivityPerformance and GovernanceComplex Problem to SolveProtect critical business processesProtect critical supporting infrastructureProtect company data and Intellectual PropertyMeet Compliance regulations Manage People in the Process

Impact of DisasterRevenue:Direct loss, compensatory payment, lost future revenues, billing losses and investment lossesexponential increaseGovernancePerformancedamaged reputationProductivity:Number of employees x impacted x hours out x burdened hours = ?productivity/ employeesdirect financial/ customerDamaged reputation:Customers, competitors gain advantage, suppliers, financial markets, business partnersconstant increaseGovernance & performance:Revenue recognition, cash flow, credit rating, stock price, regulatory finesIndirect impact of downtime can befar more severe and unpredictable$ billions$ impact$ millionsminutesdaystime14

Importance of Critical Infrastructures

Can not be ignored by business anymore

To survive a disaster you need?A Place to GOVital DataA Plan to FollowWell Trained People

Successful implementation requiresTechnologyProcess People

Business Continuity Management overviewBusiness ContinuityManagementHUMAN RESOURCESKNOWLEDGE MANAGEMENTCOMMUNICATIONS & PREMERGENCY MANAGEMENT IT DISASTER RECOVERYFACILITIES MANAGEMENTPHYSICAL SECURITYSUPPLY CHAIN MANAGEMENTQUALITY MANAGEMENTCRISIS MANAGEMENTENVIRONMENTAL MANAGEMENTRISK MANAGEMENTSource: BSI PAS56

Business Continuity ManagementPROCESSBCMOngoing ProcessChange ManagementEducationTestingReviewTesting Risk Reduction ImplementStandby Facilities Group Plans and ProceduresBCMProjectCreate Planning OrganizationRecovery StrategyRisk AnalysisBusiness Impact AnalysisPolicyScopeResourcesOrganizationBusiness Continuity Planning Initiation

Business Continuity timelineA successful recoveryActiveBusiness

British Standard BS25999Determining BCM strategyDeveloping & implementing BCM responseEmbedding BCM in the organization's cultureUnderstanding the organizationBCM Programme ManagementExercising, maintaining & reviewingThe BCM Lifecycle: BS 25999-1 2006

Processes - Business Continuity MgmtBusiness ContinuityAssessments / AuditsRisk AnalysisBusiness ImpactAnalysisContinuity StrategiesBusiness ContinuityTestingAwareness andTraining

BCM Structure

Risk Analysis provides focus for BCMHighMediumProbability of LikelihoodArea of Major ConcernLowLowMediumHighSeverity of Consequence

Application PrioritizationApplication Priority Rating Recovery RequirementsRecovery Time ObjectiveDisaster Recovery needed: RestorationAAA0–6 Hoursat a geographically remote data center.Local Fail over should also be consideredDisaster Recovery needed: RestorationAAat a geographically remote data center. 6–12 HoursLocal Fail over should also be considered.Disaster Recovery needed: RestorationAat a geographically remote data center. 12–24 HoursLocal Fail over should also be considered. Fail over Local,B24-48 HoursDisaster RecoveryC 48–96 HoursScheduled/Delayed RecoveryDRecovery in 1 WeekScheduled/Delayed RecoveryRecovery when Resources PermitEScheduled/Delayed Recovery

Leveraging VirtualizationClientsServicesBusiness ContinuityApplicationsBest PracticesNETWORKOSHardwareStorage

Data Center Best Practices

Risk ManagementEliminationReduction/ControlsTransfer/OutsourceNot all risk can be eliminated via controlsInsuranceResidual

DR Strategies OptionsWeekly Backup and Off-site StorageOwnedCold SiteDaily Backup and Off-site StorageOwnedHot SiteVendorAgreementsWeekly Mirroring &Electronic VaultingQuick ShipAgreementsExternal Cold SiteDaily Mirroring &Electronic VaultingExternal Hot SiteReal-time Mirroring &Electronic VaultingImmediate,High-ImpactStrategiesDecision Tree contains5 x 2 x 4 = 40 strategic options

Strategy OptimizationOptimum Mitigation StrategyCost of Strategy MitigationLost RevenueTimeRecovery strategy must be optimized to business requirements

Practical Testing

Response and Risk approachCrisesImpactMonitor & resolve the “critical few” with crisis management teamCrisis ManagementProcessMonitor & resolve at appropriate level using processesIncident ManagementProcessIncidentsRisk Management and Business ControlsEventsAssess impact of events & implement appropriate controls

Crisis Management Team Organization

Response TimelineStage 1Stage 2Stage 3Stage 4Stage 5Stage 6Stage 7Recovery Point Objective (RPO)Restore TechnologySynchronizationApplicationsOp. Sys.DataLast OffsiteBackupRestore CommunicationsImmediateResponse& RelocationInterimSiteResumeBusinessReturnHomeBusinessas UsualRestore Business FunctionsFunctionalRestorationWorkareaRestorationBacklog &Lost DataRecovery Time Objective (RTO)

Comprehensive ResponseTraditional Emergency ManagementContingency PlanningDisaster RecoverySecurityBusiness Continuity Crisis Communications

Time for action is now

QuestionsJorge.sebastiao@its.ws