
www.sungardas.com

Aligning Business Continuity, Disaster Recovery & Crisis Management Programs for a More Resilient Organization

March, 2013

Tracey Forbes, Vice President

© 2012 SunGard | www.sungardas.com

Tracey Forbes, Vice President

Tracey Forbes is the Vice President of Software Business Development at SunGard Availability Services.

Joining SunGard Availability Services in 1998, Tracey has been highly involved in the continued evolution of SunGard Business Continuity products and services. She advises on software strategy and product direction and partners with SunGard customers worldwide to support, evolve and enhance their programs.


Your BC Program may be ineffective if…

• BC/DR/CM programs are led by separate internal organizations and leadership – there is little or no collaboration between groups
• Risk Assessment (RA) and Business Impact Analysis (BIA) are not the foundation for current Recovery Strategies
• Business and IT Application Recovery Time Objective (RTO) are misaligned
• Software tools (if in place) are not being utilized across the enterprise
• Lack of clarity around incident to disaster declaration and recognition of when RTO begins to be measured
• BC & DR policies do not align with each other
• BC Program does not follow industry standards and best practice


BCI’s Business Continuity Management Lifecycle

Source: Business Continuity Institute 2002

[Lifecycle diagram; stages shown:]
• Understanding Your Business
• Business Continuity Management Strategies
• Develop and Implement BCM Plans & Solution(s)
• Building & Embedding a BCM Culture
• Exercising, Maintenance and Audit


DRII’s Generally Accepted Practices

Ensuring the continuity of your business

Assess
• Risk / Threat Assessment (RA)
• Business Impact Analysis (BIA)

Design
• Develop Appropriate Recovery Strategies
  • Business Continuity (BC) might include Active/Active or Active/Alternate
  • Disaster Recovery (DR) would include Recovery Time Objective (RTO)
  • Crisis Communications (CM) would include Status Updates, Employee Hotlines or External Communications with Press, Authorities, etc.

Build
• Business Continuity (People/Places)
• Disaster Recovery (Technology)
• Crisis Management (Communications)

Sustain
• Exercises
• Maintenance
• Audit Response
• Continual Process Improvement


Continual Process Improvement Defined

Typical Capability Maturity Model [CMM®] (Source: Carnegie Mellon, SEI)

• Level 1: Ad hoc; very limited scope / capability / visibility; no standards, non-existent
• Level 2: Some definition; informal but existent; some policies / processes / procedures; some metrics; limited scope / capability / visibility; some standards
• Level 3: Good definition; some formality; good policies / processes / procedures; solid metrics; solid scope; standards exist although they may need strengthening
• Level 4: Strong definition; formalized practices; broad scope; strong policies / processes / procedures; strong metrics; strong standards; means to assess conformance
• Level 5: Broad & deep definition / documentation; widespread acceptance and conformance; measurements drive improvements

Progression labels on the diagram: Disciplined; Standard & consistent; Predictable & comprehensive; Continuous improvement

Where is your organization’s current program maturity?


Continual Process Improvement Further Defined

• Level 1: Just in Time DR!
• Level 2: Some departmental recovery plans may exist; tribal knowledge is the norm!
• Level 3: DR Plans for various applications exist; Testing may include tabletops and technical recovery of applications
• Level 4: DR Plans are tested regularly for all in-scope DR applications; Testing may include interdependent applications and platforms
• Level 5: BC/DR Program aligns recovery of Business Processes through the recovery of the application!


Conceptual Model: BC/DR/CM Cooperation

Information Exchange
• Risk/Threat Assessment
• Business Impacts
• Critical Dependencies
• Recovery Time and Point Objectives
• Recovery Time and Point Achieved

Integrated Efforts
• Analyzing Risk
• Adapting to Change
• Exercising

Joint Decision Making
• Risk Priorities
• Risk Treatment and Mitigation Recommendations
• Recovery & Resiliency Strategies

Common Operating Platform
• Terminology
• Policy & Standards
• Software
• Tools

[Diagram labels: Crisis Management (CM), Business Continuity (BC), Disaster Recovery (DR); Integrated Efforts, Information Exchange, Common Operating Platform, Joint Decision Making]


How can you achieve balance within your organization?

Resiliency


Case Study: Integrating BC/DR/CM Effectively

• July 2007
  • Three separate teams formed into a single team
  • Mission Statement & Service Descriptions developed
  • DR Plan and DR Exercise Plan Templates created
• 2008
  • DR Plan Template passes QA examination
  • BC Plan Template created (due to Client requests)
  • Pandemic Planning begins; Framework Plan developed
  • Crisis Management Planning begins; Templates developed
• 2009
  • DR Exercise Plan Template passes QA examination
  • Pandemic Plan Template created
  • Risk Assessments Methodology developed
  • First BIA completed

[Chart: vertical axis 0 to 90; horizontal axis 2004-2007, 2008, 2009, 2010; series: DR Planning, BC Planning, CM Planning, Pandemic Planning, Risk Assessments, BIAs, Service Continuity Policy]


Benefits of BC-DR-CM Cooperation

• Reduced Risk
  • Reduction in complexity of reporting mechanisms to management and to regulators
  • Clearer risk metrics across the enterprise
  • Reduction in “blind spots” caused by multiple departments communicating across the enterprise using different terminology or definitions
• Improved Capability
  • Expansion and diversification of talent pool and greater sharing of skill sets
  • Greater focus on analyses rather than data management
  • Substantial lift in response activities from consolidating information across multiple product lines, geographies, operational systems and transaction types
  • Cooperative initiatives not only mean systems work together, but also people
  • Establishing effective communication channels that can be leveraged at time of crisis
• Cost savings
  • Reduced time investment and process complexity for lines of business
  • Ability to generate reports and manage staff more efficiently
  • Streamlining of management reporting efforts, investigations, support components, and systems and data sets


Standard Methodology

• Set the Foundation for your Program
  • Recovery Strategies must be based on formal Risk Assessment and Business Impact Analysis studies
  • Recovery must include and align Business Process, Application and Infrastructure recovery holistically
• Develop an effective Program
  • A single Program Office defines policy and governance
  • BC/DR/CM all operate according to the same guidelines
  • Committees represent all areas of the organization
• Leverage Standards and Tools effectively
  • Plans are built as best practices/industry standard
  • Tools are used across the enterprise to develop consistent documentation and repository of important data


Integrated effort across BC, DR and CM Programs

[Diagram labels: Crisis Management (CM), Business Continuity (BC), Disaster Recovery (DR), Tool]

Tool
• Central repository
• Interdependencies
• Cross-functional teams
• Data relationships


Independent Recovery Strategies


Challenge: Working in Silos


Implementing a Holistic Approach

• Cross-functional BCM committee
  • Understand each person’s goals
  • Foster interactive discussion utilizing information readily available in the CMS
    • Project Timelines, Planning Goals, Detailed Analysis
  • Joint decision making is documented within a centralized location
• Centralized management solution promotes a holistic approach to your BCM program

[Diagram labels: BC, DR, CM]


[Diagram labels:]
• Business Impact and Risk Assessment
• Business Continuity Plans
• Disaster Recovery Plans
• Test Results
• Employee Database
• Application Inventory
• Crisis Management Plans
• Vendor Listing


BC / DR / CM Solutions

Programmatic solutions focused on quickly mitigating risk in business-critical areas spanning Technology, Business Continuity, and Crisis Management

Assess
• Risks / Threats
• Business impacts
• Vendor and Work Force Availability

Design
• Recovery strategy

Build
• Response plans:
  • Crisis Management
  • Disaster Recovery
  • Business Continuity

Sustain
• Program management
• Update plans
• Ongoing strategy & plan testing

Components listed on the slide:
• Incident Manager
• BIA Professional
• Risk Assessment
• Vendor Assessment
• Work Force Assessment
• Program Management
• Business Continuity Management Software Implementation
• LDRPS
• NotiFind
• Test Management

Standard Methodology = Successful Program Implementation


Continuity Planning Lifecycle


Recovery Strategies based upon Risk Assessment and Business Impact Analysis results

• Identify threats for various sites: Proximity, Natural, Technical and Human
• Pinpoint consequences and risk impact. Understand mitigation strategies & controls.
• Standard reporting and analysis for more informed decisions regarding recovery.


Recovery Strategies based upon Risk Assessment and Business Impact Analysis results

• Understand impacts on your organization: Financial, Operational, Regulatory, Customers, Leadership
• Identify key business functions and develop recovery strategies.
• Standard reporting and analysis for more informed decisions regarding recovery.


BC/DR/CM operate according to the same guidelines

• CMS provides the foundation for your planning program
• Central repository for various types of plans
• Business Process, Application and Infrastructure recovery are aligned


Integrated Solution: BC/DR/CM cooperation

• All areas of the organization represented
• Standards defined within the tool
• Integrated effort across BC, DR and CM Programs


Improved Capability

• Streamlining of management reports
• Repeatable and auditable process
• Easier to facilitate plan maintenance over time


Program Office defines policy and governance

• Periodic Plan Updates Completed
• Annual Plan Tests and Exercises Completed
• Annual Plan Review and Approval Conducted
• Annual Business Impact Assessment Conducted


Confidentiality Statement

Copyright ©2012 by SunGard Availability Services (or its subsidiaries, “SunGard”). All rights reserved. No parts of this document may be reproduced, transmitted or stored electronically without SunGard’s prior written permission.

This document contains SunGard's confidential or proprietary information. By accepting this document, you agree that: (A)(1) if a pre-existing contract containing disclosure and use restrictions exists between your company and SunGard, you and your company will use this information subject to the terms of the pre-existing contract; or (2) if no such pre-existing contract exists, you and your Company agree to protect this information and not reproduce or disclose the information in any way; and (B) SunGard makes no warranties, express or implied, in this document, and SunGard shall not be liable for damages of any kind arising out of use of this document.

Trademark Information: SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders.