Transcript
Page 1: Staying Ahead of the Curve: The Latest Stressors

April 12-14, 2010, Sheraton New Orleans

Staying Ahead of the Curve: The Latest Stressors, Methodologies, Trends and Directions in Business Resilience

Richard Cocchiara, IBM Distinguished Engineer

Chief Technology Officer for IBM BCRS

[email protected] or 1-845-759-2043


There are several factors driving company resilience service architectures & solutions over the next few years

• Shift in focus from IT Continuity to Service Continuity

• Global economic crisis forces cost re-examination

• Increased virtualization of technology

• Movement towards a Cloud Computing Model

• Increased Regulatory Compliance needs

• Need for longer term storage

• Realization of human capital components

• Green - power and water considerations

• Improved integration of business continuity tools


Focus is shifting from disaster recovery to service resilience

Past

Companies are more focused on disaster recovery.

Reactive response to catastrophic events

Investments in IT recovery and workforce recovery were seen as expensive insurance policies.

Downtime is measured in hours to days.

Lack of focus on day-to-day events that cause the majority of downtime

Poor planning, reporting, and metrics

Today

Companies are more focused on services continuity.

Limit downtime (unplanned and planned) as much as possible.

Achieving continuous availability is seen as competitive advantage.

Downtime is measured in minutes to hours.

Focus on all causes of downtime, not just catastrophic events.

Emphasis on planning, preparedness, and adoption of standards


Overall Goldman’s IT spending index suggests modest growth; Capital spending implies a stronger recovery due to pent-up demand

Source: IBM GTS Market Insights Analysis based on Goldman Sachs, “Mapping 2010: Key Tech Trends to Watch”, January 10, 2010

[Charts: Goldman Sachs IT Spending Indices, 2002-Present; Goldman Sachs IT Spending Growth Estimates, 1990-2010E]


As an IT spending priority, BC/DR fared well in 2009 behind growing concerns of downtime and stakeholder expectations

“How much of a priority is purchasing or upgrading your BC/DR capabilities over the next 12 months?”

Goldman Sachs survey of top IT spending priorities

Source: Goldman Sachs IT Spending Survey, March 2009

Source: Enterprise and SMB Hardware Survey, NA and Europe, Q3 2009

Top reasons why BC/DR has been a priority during the downturn

Increasing sensitivity to downtime and data loss

Expanded focus of DR to include all sources of downtime (i.e., not just catastrophic events)

Increasing pressure from internal and external stakeholders

Source: “How the Cloud Will Transform DR Services”, Forrester, July 2009 and “Predicts 2010


Virtualization technology will be the single biggest disruptor in the data center over the next few years

Source: Goldman Sachs Investment Research – October 2007

Goldman Sachs estimates that:

60% of servers can be virtualized but that only 10% are already.

The Virtualization market is enormous: 50% of servers


Production servers (% of total servers; potential for consolidation):

1. High-end compute servers: 10-15%; not likely

2. Large application servers (DB, ERP, SAP, Oracle, SAS, DB2, SQL, …): 25-30%; could be slowly virtualized

3. Non-critical servers (including Mail, Web, Java, File and Print servers): 50-65%; quickest candidate workload

Development & Test Servers: 100% Virtualized


Rise of social networking and social computing

Globalization and Globally Available Resources

Real-time data streams and information sharing

Billions of mobile devices accessing the World Wide Web

Cloud Computing

Evolving technologies will help businesses continue to innovate and change how we service clients


Cloud Computing will change business models and deliver services to clients faster and at lower costs than before

Cloud Computing Management Services

Workload Management, Provisioning, Monitoring

Virtualized Physical Servers (Ensembles)

System z, System x, System p, BladeCenter

Software Development

Deploys development tools for immediate use

Resilience

Provides dynamic storage and servers

Innovation Enablement

Expands sources of innovation, increases competitiveness

Large Scale Information Processing

Optimizes emerging Internet scale workloads

Self-service Admin Portal

Workload Pattern Templates

SLA and Capacity Planning

Administration Workflows

Workload Solution Patterns


Any cloud implementation must have some key resilience characteristics

• Device and location independence enables users to access systems regardless of their location or what device they are using, e.g., PC, mobile.

• Multi-tenancy enables sharing of resources, and costs, among a large pool of users, allowing for:
– Centralization of infrastructure in areas with lower costs, e.g., real estate, electricity, etc.
– Peak-load capacity increases (users need not engineer for highest possible load levels)
– Utilization and efficiency improvements for systems that are often only 10-20% utilized.

• On-demand allocation and de-allocation of CPU, storage and network bandwidth

• Performance is monitored and consistent, but can be affected by insufficient bandwidth or high network load.

• Reliability is enhanced by way of multiple redundant sites, which makes it suitable for business continuity and disaster recovery, however IT and business managers are able to do little when an outage hits them.

• Scalability meets changing user demands, e.g., Flash crowds, quickly without users having to engineer for peak loads. Massive scalability and large user bases are common, but not an absolute requirement.

• Security typically improves due to centralization of data, increased security-focused resources, etc., but raises concerns about loss of control over certain sensitive data. Accesses are typically logged but accessing the audit logs themselves can be difficult or impossible.

• Sustainability is achieved through improved resource utilization, more efficient systems, and carbon neutrality. Nonetheless, computers and associated infrastructure are major consumers of energy.


Expect more Complex International Legislation and Accords

Basel I

Basel IA

Basel II

Solvency II

European Privacy Acts

Statute of the European System of Central Banks

Commission of European Communities OECD Principles

Markets in Financial Instruments Directive (MiFID)

UCITS (EU)

Council of European Banking Supervisors (C-EBS)

United States Sarbanes-Oxley Act (SOX), Sections 302, 401, 403, 404, 406, 408, 409,…….(US)

United States Federal Reserve Regulations

UK’s Financial Services Authority Combined Code, includes Turnbull Guidance and COSO

Australia’s Stock Exchange (ASX) Principles

Japan’s J-SOX

India’s Clause 49, Right of Information Act 2002

Germany’s KonTraG 1999

Public Company Accounting Oversight Board (PCAOB)

France’s LSF

Canada’s 52-109 and 52-111

Islamic Banking Law

Australian Prudential Regulatory Authority (APRA)


Multiple and Diverse Best Practice Frameworks

International Risk Governance Council (IRGC)

Federation of European Risk Management Associations (FERMA)

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• 1992, Internal Control Framework

• 2004, Enterprise Risk Management Framework (ERM)

Information Systems Audit and Control Association (ISACA)

• Control Objectives for Information and related Technology (COBIT)

Business Continuity Institute

IT Governance Institute (ITGI)

International Organization for Standardization (ISO)

• ISO/IEC 17799, ISO/IEC 27002:2005 expected to be renamed ISO/IEC 27002:2007

• ISO 31000 (new risk management standards under development)

• AS/NZS 4360:2004: Australia and New Zealand Risk management standard

British Standards Institute (BSI), BS 7799-1:1999, BS 7799-2:2002, BS 7799:2005, BS 25999

BITS

Generally Accepted Accounting Principles (GAAP) – Financial Reporting Standards (FRS)

• International Accounting Standards (IAS) – International GAAP

• Financial Accounting Standards Board (FASB) - US GAAP

• Local Reporting Standards – Local GAAP

Extensible Business Reporting Language (XBRL)


Information will need to be retained and organized to meet compliance requirements

No Control – High Operational Costs – High Information Risk – No Visibility

Information Explosion

Increasingly Punitive Legal & Regulatory Environment

Increasing Criticality of Producing Information

Rising Compliance & Litigation Costs

Information is out of control and piling up everywhere … paper too

Manual policies and processes that no one follows

No confidence our electronic information is accurate, trustworthy and admissible

Existing storage silos are costly and prevent efficiency

Required information can’t be found or analyzed

No visibility into key operational or legal risk areas


Backup is not the same as archive and companies will need to have an archive strategy that links the two

Backup

• For recovery

• Copies information

• Improves availability

• Short term in nature

• Data typically overwritten

• Not for regulatory compliance

Archive

• For retrieval

• Moves information

• Adds operational efficiencies

• Long-term in nature

• Data typically maintained

• Useful for compliance


An archive must ensure ALL types of information are properly stored and indexed in offsite locations

[Diagram: archiving architecture. Labels: Content Management; Storage Management (offline and offsite archival; disk, tape); Collaboration Archiving; Application & Database Archiving; File Archiving; Content Archiving; Classification; Search & Discovery; Taxonomy; Analytics; Intelligence; Index (Metadata & Text); Online Repository; Archiving Infrastructure; Storage Policy Management; File System Extensions; Policy Management; GPFS scalable file system; Infrastructure & Storage Hierarchy.]

Key Drivers

• Compliance

• Storage Efficiency

• Application/DB Performance

• Information Security


As business models change, the human capital portion of a business becomes more important and at risk.

Critical assumptions:

• A new flu pandemic could break out soon.

• It is expected to have global impact and all countries need to be prepared.

• The flu virus could become highly transmissible and cause widespread sickness and death.

• There may be significant shortages of vaccines and antiviral medications.

• Significant disruption to economies, international and national infrastructures, and society in general, may occur.

An influenza pandemic is caused by the global outbreak of a new virus that causes illness and spreads easily from person to person, and for which people have no immunity and there are no vaccines immediately available.


So what is IBM doing about all this?


IBM’s approach to meeting these challenges includes a combination of methods, tools, reporting and services

• Resilience Maturity Assessment Framework (RMAF)
– Used by business resilience teams for assessing customer resiliency
– Developed jointly by IBM Research and IBM Business Continuity & Resiliency Services teams

• Resiliency Assessment Methodology (RAM)
– Used by BCRS consultants for assessing overall client business resilience
– Used by IBM service delivery teams and IBM Research for assessing Global Service Delivery Centers

• Resilience Maturity Index (RMI)
– Computational index of specific components to help identify potential areas of concern

• Business Continuity & Resiliency Services
– Consulting Services
– Managed Services
– Recovery Services


Over time, IBM has developed a Resilience Maturity Assessment Framework (RMAF) to comprehensively analyze a company’s resilience

Six layers of client’s enterprise

STRATEGY

PROCESS

PEOPLE

APPLICATIONS & DATA

TECHNOLOGY

FACILITIES

• A holistic approach to evaluate all aspects of business resilience

– Object oriented framework for risk assessment and supporting method for use in initial phase of business resilience engagements

• The layers are broken down into IT and Business objects; objects are refined by attributes

– 250+ objects and over 4000 attributes

– Linked across layers to provide different resilience views like continuity, compliance, security etc.

– Evaluated for their current and target levels of business resiliency maturity


The IBM Resilience Maturity Assessment Framework (RMAF) uses a 5 level maturity rating model to assess client resilience

1 = Basic: These attributes or features are ad-hoc in nature and constitute the most basic levels of capability. Little planning for redundancy, failover capability or security are evident and rely heavily on staff expertise.

2 = Managed: These attributes or features have the fundamental automation tools necessary to manage a disruption or opportunity when it occurs.

3 = Predictive: These attributes or features are centered on establishing thresholds and advanced warning systems that allow the company to take preemptive actions to prevent disruption.

4 = Adaptive: These attributes or features focus on the organization's ability to sense and respond to unforeseen circumstances by using contingency plans and adaptive technologies or processes found in On Demand Business resources to maintain operations.

5 = Resilient: These capabilities focus on the business model itself and leverage the innovation, optimization and capacity management characteristics of an On Demand Operating Environment.

Example:

Layer: Process

Object Group: IT Processes

Object: Change Management

Attribute Group: Activities

Attribute: Monitor & Report

1 = Basic: Some or all of this activity is slow, manual and/or problematic.

2 = Managed: Major changes usually have the outcomes documented,

3 = Predictive: Change process is monitored and is effective for major changes.

4 = Adaptive: Change process is monitored and is effective for all changes.

5 = Resilient: Change results are always documented, follow consistent codes to indicate the results, and are continually used to improve the process.

[Diagram: continuous improvement cycle. Labels: Plan, Design, Implement, Deploy, Set, Manage, Control, Monitor, Evaluate, Analyze, Assess.]

The framework is used as part of an overall continuous improvement Resilience Assessment Methodology (RAM) to help manage risk, improve governance and enable compliance.

Information Risk Management

Regulatory Compliance

Corporate Governance

Business Imperatives

Inputs: Business objectives, goals, priorities, policies & current capabilities

Outputs: Reduced Risk, Improved governance and enabled compliance

[Diagram labels: Objectives; Risk Supervision and Control; Monitoring and Surveillance; Reliable and Resilient Infrastructure; Efficient Flexibly Integrated Processes; Protection and Contingency; Integrated Planning; Knowledge Sharing. Layers: STRATEGY; PROCESS; PEOPLE; APPLICATIONS & DATA; TECHNOLOGY; FACILITIES.]


When IBM attempted to apply our framework and method to our Global Service Delivery Centers, there were several goals

• Goal: Validate and extend the RMAF based on our own experience
– Identify new objects/attributes and modifications (can be generic for use elsewhere)
– Define resiliency maturity levels for relevant attributes

• Goal: Derive a specialized view of RMAF for infrastructure service delivery
– Identify objects/attributes relevant for service delivery operations of IBM
– Develop a composite metric – Resiliency Maturity Index for infrastructure service delivery

• Benefits
– Robust framework for assessing the resiliency of Global Service Delivery Centers
  • A tool to understand how varying the resiliency of specific objects in the model affects the overall resiliency of the Global Service Delivery Centers
– IBM differentiator – metric for comparison with competitors
– Common framework for BCRS customers and internal use


Specialized view of RMAF for GDC Resiliency Assessment

Service availability view for remote delivery of IT infrastructure services

“Features concerned with maintaining uninterrupted services to remote customer (internal or external) as per agreement”

Feature relevance indicated by 1s and 0s in the ‘Service Availability’ column


The features are marked with a maturity level from 1 to 5

The maturity values are aggregated into a resiliency maturity index


Model for computing Resiliency Maturity Index (RMI)

[Diagram: RMI model. Layers: Facilities; Technology; Applications & Data; Process (Business, IT); People (Organization).]

Organizational resilience is an orthogonal entity that cuts across all layers.

[Diagram labels: People-Facilities; People – IT & Bus. Processes; People-Technology; People – Applications & Data. Objects shown: Main facility, backup facility; Home Office; Voice network; Utilities; Network; Computing Systems; Email; Operational Process; … Remote Connectivity; Business Processes; Overall GDC Resiliency. Relations shown: Substitution Relation (Degree of substitution = 80%; Degree of substitution = 30%); Dependence Relation.]


Sample: Application of model to one Global Service Delivery Center

Facilities Layer

Object | Raw | Net
Main facility, backup facility | 3.7 | 4.1
Home office | 3 | 4.1
Utilities | 4.5 | 4.5
Network | 2.7 | 2.7
Voice network | 3 | 3
Total Score | 3.3 | 3.5

Reason: Dependence on People-Facilities; 80% substitution of home office by main facility; 20% substitution of voice by email

Technology Layer

Object | Raw | Net
Network | 5 | 4
Computing sys. | 5 | 4
Mgmt sys. | 5 | 4
Security sys. | 5 | 4
Total Score | 5 | 4

Reason: Dependence on main facility, utilities and network, People-Technology

Applications and Data Layer

Object | Raw | Net
Remote connectivity | 4 | 4
Remote Infra Mgmt | 2.2 | 3.6
Email | 2 | 3.9
Collaboration Tools | 5 | 4.4
Skills DB | 2 | 3.6
Total Score | 4.1 | 4

Reason: Dependency on n/w, computing – mgmt – security systems, People-App & Data; 30% substitution of Email by voice; 40% substitution of Collaboration by voice

Process Layer

Object | Raw | Net
Operational Processes | 5 | 4
Business Processes | 3.4 | 3.5
Total Score | 3.9

Reason: Dependency on Applications and Data layer objects, People-Process

Overall GDSC Score = 80% IT-process score + 20% Business-process score = 3.9


We help globally deliver resilience solutions through resiliency centers and delivery and consulting experts around the globe.

A unique infrastructure and skill set designed for flexibility and responsiveness in a resilience situation, from simple to complex environments

Support for over 12,000 clients with over 15,000 contracts

Our depth and breadth of resources include:

A business model based on risk and syndication of resource at a machine level

Options for dedicated or limited shared resource

Successful support for over 750 client recoveries.


Thank You!

Richard Cocchiara – CTO & Distinguished Engineer

845.759.2043 - [email protected]

IBM Business Continuity & Resiliency Services

For more information visit: www.ibm.com/services/continuity


Copyright information

© Copyright IBM Corporation 2010

IBM Global Services
Route 100
Somers, NY 10589 U.S.A.

Produced in the United States of America
02-08
All Rights Reserved

IBM, the IBM logo, DB2, GDPS and Geographically Dispersed Parallel Sysplex are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark, of the Office of Government Commerce and is registered in the U.S. Patent and Trademark Office.

Other company, product and service names may be trademarks or service marks of others.

Use of the information herein is at the recipient's own risk. Information herein may be changed or updated without notice. IBM may also make improvements and/or changes in the products and/or the programs described herein at any time without notice.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

BUP03005-USEN-00


