BCP & Risk Management Banktech Asia V2

Presentation on Business Continuity Planning and Risk Management at BankTech Asia. Focus on Banking sector issues in both BCP and Risk.

Published in: Business

  1. Importance of Business Continuity & Risk Management. Jorge.sebastiao@its.ws
  2. Agenda: Business Continuity Planning and Disaster Recovery Planning; British Standard on BC (BS 25999); BCP; Risk Management Process and Best Practices; Business Value
  3. Views of BCP and Risk Management: Business View; Service and Continuity; Customer Focus; Managing Risks; Operational Risk; Controls; Auditing; Governance & Compliance; IT Infrastructure; Disaster Recovery; High Availability
  4. Business Continuity Management: to counteract interruptions to business activities; to protect critical business processes from the effects of major failures or disasters. “2 out of 5 companies that experience a disaster will go out of business within 5 years” - Gartner
  5. The cost of ignoring it is too high
  6. Threats: Environmental; Natural Disasters; Unexpected (the “OOPS” factor); Cyber terrorism; Viruses; Industrial Espionage
  7. Business Risks: Employee & customer privacy; Legislative violations; Financial loss; Intellectual capital; Litigation; Public Image/Trust
  8. Examples - 1
  9. Examples - 2
  11. Can you afford it? eBay, 12 June 1999, outage: 22 hrs, operating system failure; cost: $3 million to $5 million revenue hit, 26% decline in stock price. AT&T, 13 April 1998, outage: 6 to 26 hrs, software upgrade; cost: $40 million in rebates, forced to file SLAs with the FCC (frame relay). MCI, August 1999, frame relay outage: 10 days, software upgrade; cost: up to 20 days free service to 3,000 enterprises. Hershey Foods, September 1999, system failures, application rollout; cost: delayed shipments, 12% decrease in 3Q99 sales, 19% drop in net income from 3Q98. Dev. Bank of Singapore, 1 July 1999 to August 1999, processing errors: incorrect debiting of POS due to a system overload; cost: embarrassment/loss of integrity, interest charges. Charles Schwab & Co., 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs, upgrades/operator errors; cost: ???; announced that it had made a $70 million new infrastructure investment. Causes of unplanned application downtime: operator errors 40%, application failures 40%, technology failures 20%.
  12. Sources of Disaster: Survey of Disasters
  13. Why should you care? Avoiding complete loss of organization; Avoid revenue loss; Damage to reputation; Productivity; Performance and governance; Complex problem to solve; Protect critical business processes; Protect critical supporting infrastructure; Protect company data and intellectual property; Meet compliance regulations; Manage people in the process
  14. Impact of Disaster. Productivity: number of employees x impacted x hours out x burdened hours = ?. Revenue: direct loss, compensatory payment, lost future revenues, billing losses and investment losses. Damaged reputation: customers, competitors gain advantage, suppliers, financial markets, business partners. Governance & performance: revenue recognition, cash flow, credit rating, stock price, regulatory fines. (Chart: $ impact, from $millions to $billions, against time, from minutes to days; labels: productivity/employees, direct financial/customer, damaged reputation, governance/performance, constant increase, exponential increase.) Indirect impact of downtime can be far more severe and unpredictable.
  15. Importance of Critical Infrastructures
  16. Can not be ignored by business anymore
  17. To survive a disaster you need: A Place to Go; Vital Data; A Plan to Follow; Well Trained People
  18. Successful implementation requires Technology, Process and People
  20. Business Continuity Management: Business Impact Analysis; Risk Analysis; Recovery Strategy; Group Plans and Procedures; Business Continuity Planning Initiation; Risk Reduction; Implement Standby Facilities; Create Planning Organization; Testing. Process: Change Management; Education; Testing; Review; Policy; Scope; Resources; Organization. (Diagram labels: BCM Ongoing Process; BCM Project)
  21. Business Continuity timeline: Active Business; A successful recovery
  22. British Standard BS 25999. The BCM Lifecycle (BS 25999-1:2006): BCM Programme Management; Understanding the organization; Determining BCM strategy; Developing & implementing BCM response; Exercising, maintaining & reviewing
  23. Processes - Business Continuity Mgmt: Business Continuity Assessments / Audits; Risk Analysis; Business Impact Analysis; Continuity Strategies; Business Continuity Testing; Awareness and Training
  24. BCM Structure
  25. Risk Analysis provides focus for BCM (matrix with axes High, Medium, Low against Low, Medium, High; the high corner is the Area of Major Concern)
  26. Application Prioritization (Application Priority Rating, Recovery Time Objective, Recovery Requirements): AAA (0–6 hours), AA (6–12 hours) and A (12–24 hours): Disaster Recovery needed, restoration at a geographically remote data center; local failover should also be considered. B (24–48 hours): local failover, Disaster Recovery. C (48–96 hours): scheduled/delayed recovery. D (recovery in 1 week): scheduled/delayed recovery. E (recovery when resources permit): scheduled/delayed recovery.
  27. Leveraging Virtualization: Hardware; OS; Applications; Services; Storage; Network; Business Continuity; Clients; Best Practices
  28. Data Center Best Practices
  29. Risk Management: Elimination; Reduction/Controls; Transfer/Outsource; Insurance; Residual. Not all risk can be eliminated via controls.
  30. DR Strategies Options: immediate, high-impact strategies. Five backup options: weekly backup and off-site storage; daily backup and off-site storage; weekly mirroring & electronic vaulting; daily mirroring & electronic vaulting; real-time mirroring & electronic vaulting. Two agreement types: vendor agreements; quick ship agreements. Four site options: owned cold site; owned hot site; external cold site; external hot site. The decision tree contains 5 x 2 x 4 = 40 strategic options.
  31. Strategy Optimization: the recovery strategy must be optimized to business requirements. (Chart labels: time; cost of strategy; mitigation; lost revenue; optimum mitigation strategy)
  32. Practical Testing
  33. Response and Risk approach. Risk Management and Business Controls: Events, Incidents, Crises, Impact. Monitor & resolve the “critical few” with the crisis management team; assess impact of events & implement appropriate controls; monitor & resolve at the appropriate level using processes. Incident Management Process; Crisis Management Process.
  34. Crisis Management Team Organization
  35. Response Timeline: Last Offsite Backup; Recovery Point Objective (RPO); Stage 1 Immediate Response & Relocation; Stage 2 Operating System Restore; Stage 3 Applications Functional Restoration; Stage 4 Data Synchronization (backlog & lost data); Stage 5 Resume Business; Recovery Time Objective (RTO); Stage 6 Interim Site; Stage 7 Return Home. (Diagram labels: Business as Usual; Technology; Work-area Restoration; Restore Communications; Restore Business Functions)
  36. Comprehensive Response: Contingency Planning; Disaster Recovery; Security; Business Continuity; Crisis Communications; Traditional Emergency Management
  37. Time for action is now
  38. Questions. Jorge.sebastiao@its.ws
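The response timeline above measures two intervals: RPO runs from the last offsite backup to the moment the incident stops business, and RTO runs from that moment to Stage 5, "Resume Business". The following added example (not part of the presentation) scores a post-incident record against both, using the RTO ceilings from the Application Prioritization slide (AAA 6 h through D one week; E has no ceiling). The per-application RPO targets, the application names and all timestamps are constructed for illustration, and mapping "recovery in 1 week" to 168 hours is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Maximum RTO in hours per priority rating, taken from the Application
# Prioritization slide. None means "recovery when resources permit" (no ceiling).
# Treating "recovery in 1 week" as 168 hours is an assumption.
RTO_LIMIT_HOURS = {"AAA": 6, "AA": 12, "A": 24, "B": 48, "C": 96, "D": 168, "E": None}


@dataclass
class RecoveryRecord:
    app: str
    rating: str                    # priority rating from the slide's table
    last_offsite_backup: datetime  # "Last Offsite Backup" on the timeline
    incident_start: datetime       # point at which business stopped
    business_resumed: datetime     # Stage 5 "Resume Business"
    rpo_target_hours: float        # hypothetical per-application RPO target


def achieved_rpo_hours(rec: RecoveryRecord) -> float:
    """Data-loss window: time between the last usable backup and the incident."""
    return (rec.incident_start - rec.last_offsite_backup).total_seconds() / 3600


def achieved_rto_hours(rec: RecoveryRecord) -> float:
    """Downtime: time between the incident and business resuming."""
    return (rec.business_resumed - rec.incident_start).total_seconds() / 3600


def evaluate(rec: RecoveryRecord) -> tuple:
    """Return (rpo_met, rto_met) for one application."""
    limit = RTO_LIMIT_HOURS[rec.rating]
    rpo_met = achieved_rpo_hours(rec) <= rec.rpo_target_hours
    rto_met = True if limit is None else achieved_rto_hours(rec) <= limit
    return rpo_met, rto_met


def evaluate_all(records) -> dict:
    """Map application name -> (rpo_met, rto_met)."""
    return {r.app: evaluate(r) for r in records}


def shortfalls(records) -> list:
    """Human-readable list of objectives that were missed, for the review meeting."""
    out = []
    for r in records:
        rpo_met, rto_met = evaluate(r)
        if not rpo_met:
            out.append(f"{r.app}: RPO {achieved_rpo_hours(r):.1f}h > target {r.rpo_target_hours}h")
        if not rto_met:
            out.append(f"{r.app}: RTO {achieved_rto_hours(r):.1f}h > {r.rating} limit {RTO_LIMIT_HOURS[r.rating]}h")
    return out


# Constructed sample: one incident at 02:00 on 1 March 2024 hitting three applications
# backed up on different schedules (real-time mirroring, nightly backup, weekly backup).
INCIDENT = datetime(2024, 3, 1, 2, 0)
SAMPLE_RECORDS = [
    RecoveryRecord("core-banking", "AAA", datetime(2024, 3, 1, 1, 30), INCIDENT,
                   datetime(2024, 3, 1, 5, 0), rpo_target_hours=1),
    RecoveryRecord("payments", "AA", datetime(2024, 2, 29, 22, 0), INCIDENT,
                   datetime(2024, 3, 1, 16, 0), rpo_target_hours=1),
    RecoveryRecord("reporting", "C", datetime(2024, 2, 25, 0, 0), INCIDENT,
                   datetime(2024, 3, 4, 10, 0), rpo_target_hours=168),
]

if __name__ == "__main__":
    for line in shortfalls(SAMPLE_RECORDS):
        print(line)
```

The point the slide makes in pictures is visible in the numbers: the payments system with a nightly backup lost four hours of data against a one-hour target and overran its 12-hour AA ceiling, while the weekly-backed reporting system met both objectives because its tier tolerates a long outage. The RPO shortfall is fixed by choosing a different row of the DR strategies decision tree (daily or real-time mirroring), not by faster restoration.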