www.sungardas.com
Aligning Business Continuity, Disaster Recovery & Crisis Management Programs for a More Resilient Organization
March, 2013
Tracey Forbes, Vice President
© 2012 SunGard | www.sungardas.com 2
Tracey Forbes, Vice President
Tracey Forbes is the Vice President of Software Business Development at SunGard Availability Services.
Joining SunGard Availability Services in 1998, Tracey has been highly involved in the continued evolution of SunGard Business Continuity products and services. She advises on software strategy and product direction and partners with SunGard customers worldwide to support, evolve and enhance their programs.
Your BC Program may be ineffective if…
• BC/DR/CM programs are led by separate internal organizations and leadership – there is little or no collaboration between groups
• Risk Assessment (RA) and Business Impact Analysis (BIA) are not the foundation for current Recovery Strategies
• Business and IT Application Recovery Time Objectives (RTOs) are misaligned
• Software tools (if in place) are not being utilized across the enterprise
• Lack of clarity around incident to disaster declaration and recognition of when RTO begins to be measured
• BC & DR policies do not align with each other
• BC Program does not follow industry standards and best practice
BCI’s Business Continuity Management Lifecycle
• Understanding Your Business
• Business Continuity Management Strategies
• Develop and Implement BCM Plans & Solution(s)
• Building & Embedding a BCM Culture
• Exercising, Maintenance and Audit
Source: Business Continuity Institute 2002
DRII’s Generally Accepted Practices
Ensuring the continuity of your business
Assess
• Risk / Threat Assessment (RA)
• Business Impact Analysis (BIA)
Design
• Develop Appropriate Recovery Strategies
  • Business Continuity (BC) might include Active/Active or Active/Alternate
  • Disaster Recovery (DR) would include Recovery Time Objective (RTO)
  • Crisis Communications (CM) would include Status Updates, Employee Hotlines or External Communications with Press, Authorities, etc.
Build
• Business Continuity (People/Places)
• Disaster Recovery (Technology)
• Crisis Management (Communications)
Sustain
• Exercises
• Maintenance
• Audit Response
• Continual Process Improvement
Continual Process Improvement Defined
Typical Capability Maturity Model [CMM®] (Source: Carnegie Mellon, SEI)
• Level 1: Ad hoc; very limited scope / capability / visibility; no standards, non-existent
• Level 2: Some definition; informal but existent; some policies / processes / procedures; some metrics; limited scope / capability / visibility; some standards
• Level 3: Good definition; some formality; good policies / processes / procedures; solid metrics; solid scope; standards exist although they may need strengthening
• Level 4: Strong definition; formalized practices; broad scope; strong policies / processes / procedures; strong metrics; strong standards; means to assess conformance
• Level 5: Broad & deep definition / documentation; widespread acceptance and conformance; measurements drive improvements
Chart labels: Disciplined; Standard & consistent; Predictable & comprehensive; Continuous improvement
Where is your organization’s current program maturity?
Continual Process Improvement Further Defined
• Level 1: Just in Time DR!
• Level 2: Some departmental recovery plans may exist; tribal knowledge is the norm!
• Level 3: DR Plans for various applications exist; Testing may include tabletops and technical recovery of applications
• Level 4: DR Plans are tested regularly for all in-scope DR applications; Testing may include interdependent applications and platforms
• Level 5: BC/DR Program aligns recovery of Business Processes through the recovery of the application!
Conceptual Model: BC/DR/CM Cooperation
[Diagram labels: Crisis Management (CM), Business Continuity (BC), Disaster Recovery (DR); Information Exchange, Integrated Efforts, Joint Decision Making, Common Operating Platform]
Information Exchange
• Risk/Threat Assessment
• Business Impacts
• Critical Dependencies
• Recovery Time and Point Objectives
• Recovery Time and Point Achieved
Integrated Efforts
• Analyzing Risk
• Adapting to Change
• Exercising
Joint Decision Making
• Risk Priorities
• Risk Treatment and Mitigation Recommendations
• Recovery & Resiliency Strategies
Common Operating Platform
• Terminology
• Policy & Standards
• Software
• Tools
How can you achieve balance within your organization?
Resiliency
Case Study: Integrating BC/DR/CM Effectively
• July 2007
  • Three separate teams formed into a single team
  • Mission Statement & Service Descriptions developed
  • DR Plan and DR Exercise Plan Templates created
• 2008
  • DR Plan Template passes QA examination
  • BC Plan Template created (due to Client requests)
  • Pandemic Planning begins; Framework Plan developed
  • Crisis Management Planning begins; Templates developed
• 2009
  • DR Exercise Plan Template passes QA examination
  • Pandemic Plan Template created
  • Risk Assessments Methodology developed
  • First BIA completed
[Chart: DR Planning, BC Planning, CM Planning, Pandemic Planning, Risk Assessments, BIAs and Service Continuity Policy, by period (2004-2007, 2008, 2009, 2010); vertical axis 0 to 90]
Benefits of BC-DR-CM Cooperation
• Reduced Risk
  • Reduction in complexity of reporting mechanisms to management and to regulators
  • Clearer risk metrics across the enterprise
  • Reduction in “blind spots” caused by multiple departments communicating across the enterprise using different terminology or definitions
• Improved Capability
  • Expansion and diversification of talent pool and greater sharing of skill sets
  • Greater focus on analyses rather than data management
  • Substantial lift in response activities from consolidating information across multiple product lines, geographies, operational systems and transaction types
  • Cooperative initiatives not only mean systems work together, but also people
  • Establishing effective communication channels that can be leveraged at time of crisis
• Cost savings
  • Reduced time investment and process complexity for lines of business
  • Ability to generate reports and manage staff more efficiently
  • Streamlining of management reporting efforts, investigations, support components, and systems and data sets
Standard Methodology
• Set the Foundation for your Program
  • Recovery Strategies must be based on formal Risk Assessment and Business Impact Analysis studies
  • Recovery must include and align Business Process, Application and Infrastructure recovery holistically
• Develop an effective Program
  • A single Program Office defines policy and governance
  • BC/DR/CM all operate according to the same guidelines
  • Committees represent all areas of the organization
• Leverage Standards and Tools effectively
  • Plans are built as best practices/industry standard
  • Tools are used across the enterprise to develop consistent documentation and repository of important data
Integrated effort across BC, DR and CM Programs
[Diagram labels: Crisis Management (CM), Business Continuity (BC), Disaster Recovery (DR), Tool]
• Central repository
• Interdependencies
• Cross-functional teams
• Data relationships
Independent Recovery Strategies
Challenge: Working in Silos
Implementing a Holistic Approach
[Diagram labels: BC, DR, CM]
• Cross-functional BCM committee
  • Understand each person’s goals
  • Foster interactive discussion utilizing information readily available in the CMS
    • Project Timelines, Planning Goals, Detailed Analysis
  • Joint decision making is documented within a centralized location
• Centralized management solution promotes a holistic approach to your BCM program
• BUSINESS IMPACT AND RISK ASSESSMENT
• BUSINESS CONTINUITY PLANS
• DISASTER RECOVERY PLANS
• TEST RESULTS
• EMPLOYEE DATABASE
• APPLICATION INVENTORY
• CRISIS MANAGEMENT PLANS
• VENDOR LISTING
BC / DR / CM Solutions
Programmatic solutions focused on quickly mitigating risk in business-critical areas spanning Technology, Business Continuity, and Crisis Management
Assess
• Risks / Threats
• Business impacts
• Vendor and Work Force Availability
Design
• Recovery strategy
Build
• Response plans:
  • Crisis Management
  • Disaster Recovery
  • Business Continuity
Sustain
• Program management
• Update plans
• Ongoing strategy & plan testing
Incident Manager
BIA Professional
Risk Assessment
Vendor Assessment
Work Force Assessment
Program Management
Business Continuity Management Software Implementation
LDRPS
NotiFind
Test Management
Standard Methodology = Successful Program Implementation
Continuity Planning Lifecycle
Recovery Strategies based upon Risk Assessment and Business Impact Analysis results
• Identify threats for various sites: Proximity, Natural, Technical and Human
• Pinpoint consequences and risk impact. Understand mitigation strategies & controls.
• Standard reporting and analysis for more informed decisions regarding recovery.
Recovery Strategies based upon Risk Assessment and Business Impact Analysis results
• Understand impacts on your organization: Financial, Operational, Regulatory, Customers, Leadership
• Identify key business functions and develop recovery strategies.
• Standard reporting and analysis for more informed decisions regarding recovery.
BC/DR/CM operate according to the same guidelines
• CMS provides the foundation for your planning program
• Central repository for various types of plans
• Business Process, Application and Infrastructure recovery are aligned
Integrated Solution: BC/DR/CM cooperation
• All areas of the organization represented
• Standards defined within the tool
• Integrated effort across BC, DR and CM Programs
Improved Capability
• Streamlining of management reports
• Repeatable and auditable process
• Easier to facilitate plan maintenance over time
Program Office defines policy and governance
• Periodic Plan Updates Completed
• Annual Plan Tests and Exercises Completed
• Annual Plan Review and Approval Conducted
• Annual Business Impact Assessment Conducted
Confidentiality Statement
Copyright ©2012 by SunGard Availability Services (or its subsidiaries, “SunGard”). All rights reserved. No parts of this document may be reproduced, transmitted or stored electronically without SunGard’s prior written permission.
This document contains SunGard's confidential or proprietary information. By accepting this document, you agree that: (A)(1) if a pre-existing contract containing disclosure and use restrictions exists between your company and SunGard, you and your company will use this information subject to the terms of the pre-existing contract; or (2) if no such pre-existing contract exists, you and your Company agree to protect this information and not reproduce or disclose the information in any way; and (B) SunGard makes no warranties, express or implied, in this document, and SunGard shall not be liable for damages of any kind arising out of use of this document
Trademark Information: SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders.