David Halford
Elevate your DR Program from the Backroom to the Boardroom
Managing Consultant, Enterprise Risk Management, BCDR
Forsythe Solutions Group
Elevate your DR Program
Discussion Topics
• Why should you care…
• Methods & tools to Help Elevate Program
• Conclusion
• Q & A
Elevate your DR Program
Discussion Topics
• Why should you care…
– Understand how to get airtime & visibility for your DR Program
– Critical to getting the support and funding needed to advance your program
• Methods & tools to Help Elevate Program
• Conclusion
• Q & A
Today, corporate leaders are assessing how changes to IT can help them address some of the key business issues they are facing

Leadership Role / Key Business Issues
CEO
o Faster and more uncertain business change
o Need for competitive advantage and speed to market
CFO
o Need for improved profitability, CAPEX preservation
o New governance and risk management requirements
CIO/CTO
o More flexible, adaptable, and lower-cost systems
o Increase user accountability for resource usage
o Maximize, exploit, repurpose asset value where possible
CIO’s Top 10 Business & Technology Priorities in 2010

Top 10 Business Priorities
1 Business Process Improvement
2 Reducing Enterprise Costs
3 Increasing the use of Information/Analytics
4 Improving Enterprise Workforce Effectiveness
5 Attracting & Retaining new Customers
6 Managing Change Initiatives
7 Creating new Products or Services
8 Target Customers or Markets more effectively
9 Consolidating Business Operations
10 Expanding current customer relationships

Top 10 Technology Priorities
1 Virtualization
2 Cloud Computing
3 Web 2.0
4 Networking, Voice & Data Communications
5 Business Intelligence
6 Mobile Technologies
7 Data / Document Management & Storage
8 Service-Oriented Applications & Architecture
9 Security Technologies
10 IT Management (tools & processes)

Source: Gartner EXP (January 2010)
2010 State CIO Priorities

Strategies, Management Processes & Solutions
1 Budget & Cost Control
2 Consolidation
3 Shared Services
4 Broadband Connectivity
5 American Recovery & Reinvestment Act
6 Security
7 Transparency
8 Infrastructure
9 Health Information
10 Governance

Technologies, Applications, Tools
1 Virtualization
2 Networking, Voice & Data Communications
3 Document/Content/Records/E-mail management
4 Cloud Computing, Software as a service
5 Security Enhancement tools
6 Enterprise Resource Planning (ERP) / Legacy application modernization-renovation
7 Geospatial analysis and Geographic Information Systems (GIS)
8 Business Intelligence (BI) and Business Analytics (BA) applications
9 Security Technologies
10 IT Management (tools & processes)
To Get Support, Program Recognition & Funding
• Simplify your Approach and Initiatives to Align with Executive Priorities
• Connect or Unify with other Key Initiatives
• Amplify what you're doing with improved communication & Awareness activities
Elevate your DR Program
Discussion Topics
• Why should you care…
• Methods & tools to Help Elevate Program
– Validation Program
– Emerging Technology (i.e. Cloud Computing)
– ERM & S&P rating process
– Solution agreement optimization
• Conclusion
Validation Program
Annual Exercise program can help Elevate program
Overview of Validation Phases

Plan
Define high-level parameters of the project/event to obtain Sr. management approval & support
• Identification of scope and scenario
• Named Event Preparation Team
• Approval to conduct exercise
• Exercise Directive Memo

Prepare
Prep team works together to develop detailed exercise materials and logistics
• Invitation memo to participants
• Comprehensive exercise packet for participants
• Exercise materials and logistics

Conduct
Discuss activities for a given scenario to enable participants to effectively implement the plan
• Understanding of roles and responsibilities
• Awareness & rehearsal of response dynamics

Report
Analyze event, feedback, debrief session & lessons learned
• Published After-Action Report
• Necessary updates to capabilities
Validation Program – Communication Plan
Communication Lifecycle (Assess & Plan, Execute, Communication & Awareness)

1 Annual Plan
o Annual Test Calendar
– Include as part of Annual Planning Process
– Include IT Mgmt & ERM / Corporate Risk Management

2 Pre Event
o Management Approval Request (30-45 days in advance)
– Include Scope, required business testers, resource request, & success criteria
– Communicate outage in BIA terms
– Indicate Change Management approval required
o Change Management Request

3 Event Day
o Event Kickoff
o Scheduled Management Status calls
o Event Log (ongoing Email)

4 Post Event
o Management Closeout (including success/fail approval)
o Formal Report within 2 weeks
o Communicate Success, issues, actions, & owners (in business terms)
Validation Exercise Types

Discussion-based
Structured Walkthrough
• Review and understand plan structure and content for your role and other roles
• Update obvious errors & omissions
Tabletop Exercise
• Review and understand the actions team members would take, as documented in the plan
• Response to specific scenario
• Can be single team, but is best with multiple teams

Operations-based
Notification Drill
• Verify content info is accurate and complete
• Validate personnel have immediate access to plan
Functional Rehearsals
• Evacuation drills
• Relocation – Physical relocation of personnel and/or technology to an alternate site
Recommendation – Validation Program
Maximize the benefit & elevate your overall Program!!
• Just do it!
– Conduct multiple annual exercises of various types
• Ensure Business Participation
– Establishing & communicating scope
– Involvement in the exercise
– Involved in approval & sign-off
• Communicate, Communicate, Communicate
– Simple, direct, & concise
– Utilize internal processes to improve visibility (i.e. Change Management & Annual Planning)
Note: Not for those who want the easy way or to fly under the Radar!!
Cloud Computing….
• What is it and how does it Impact Disaster Recovery?
• How can you take advantage of the movement to Elevate DR Program?
Cloud Computing ??
Cloud Computing is the most talked about IT capacity sourcing alternative today
“Cloud Computing” is a user experience and computing model where computing resources are abstracted from users and delivered as a service using internet technologies.
(Diagram: User, Services, Applications, Infrastructure, Technology)
In the Cloud computing model, organizations may or may not own the IT infrastructure providing these services.
Cloud Computing architectures have a specific set of characteristics which are enabled by a combination of hardware, software, and processes
The goal is to have the right amount of IT resources available, at the right time, from anywhere, at the lowest possible cost, to the right users
Source: Tier1 Research Cloud Codex, 2009
In the Cloud Computing model, there are generally three categories of service provided to users
Categories of Service (and example service providers)
1 Software as a Service (SaaS)
• Infrastructure
• Application Environment
2 Infrastructure as a Service (IaaS)
• Security
• Server
• Storage
• Data Protection
3 Platform as a Service (PaaS)
• Infrastructure
• Development Environment
Who delivers these services to the users?
The Cloud computing model may be implemented as either a “Public” (external) or “Private” (internal) Cloud
A public cloud:
• Services over the Internet
(Diagram: Cloud User on the Corporate Net in the Company’s Domain (Private), reaching services in the Public Domain over the Internet)
A private cloud (Corporate Cloud):
• Behind the firewall
• Corporate Datacenter
• Private network
Public-cloud providers may also offer a “Virtual Private Cloud” service.
Recommendation – Emerging Technology
Engage & participate!!
• Disaster Recovery Solution options
– Look for opportunity to utilize as a point DR Program
– ‘Volunteer’ to evaluate for Production
– Consider 3rd party assessment to evaluate options
• Engage Application Development team
– Understand Application Development direction
– Determine how you can link with DR Program
– Influence & participate in future roadmap
• Communicate interest…you want to be at the Table!
Note: Not for those who want the easy way or to fly under the Radar!!
Enterprise Risk Management
Rating Agencies Applying Risk Analysis to Corporate Ratings

What’s driving the ERM focus….
Business Requirements
• Corporate Governance
• Growing regulations
• Competitive advantage
• Quality, efficiency & dependence on supply chain
• ERM and Credit ratings impact
• Changing Business Values/Needs
Business Models
• Reliance on IT (7 x 24 operations)
• Planned downtime no longer acceptable
• Smaller recovery windows
• SLA penalties
• Resilient operations
Business Protection
• Revenue
• Productivity
• Fines and penalties
• Brand
• Goodwill
• Employee morale
• Due diligence
• Reputation
Current Situation
• Enterprise Risk Management (ERM) is generating significant interest, frequently making it to the board room agenda.
• Information Technology ERM continues to see impact from Regulations and other compliance related factors.
– At last count…
• 150+ Regulation titles
• 100 – 110 Governing bodies (depending on how you count it…)
• 17+ countries
• Rating agencies including ERM analysis in the rating process is increasing the stakes.

Sample from the regulation list (detail list available at DRJ.com). Columns: Title; Regulation / Standard; Governing Body; Country; Summary; Significant Dates, Fines, Penalties; Category (E, A, W, I); Notes / Comments; applicable sectors (Banking & Finance; Public Health & Healthcare; Transportation & Shipping; Energy (including nuclear)).

Title: 2002 ACH Rules Book
Regulation / Standard: Regulation
Governing Body: ACH (Federal Reserve’s Automated Clearinghouse Association)
Country: U.S.A.
Summary: · Requires 6 year file retention on all ACH transactions · An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions
Significant Dates, Fines, Penalties: Non-compliant fines not more than $10,000 or imprisoned not more than ten years, or both
Category: I
Notes / Comments: http://www.fms.treas.gov/ach/interim_2003.pdf (Treasury Department decision) (order form)

Title: 6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004)
Regulation / Standard: Regulation
Governing Body: CFR (Code of Federal Regulations)
Country: U.S.A.
Summary: · Continuity of operations for Critical Infrastructure · Disclosure of critical information to the government
Category: W
Notes / Comments: http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi

Title: ANAO Better Practice Guide: Business Continuity Management - Keeping the Wheels in Motion
Regulation / Standard: Standard
Governing Body: ANAO (Australian National Audit Office)
Country: Australia, New Zealand
Summary: · Presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed · Managers should have an ongoing focus on business continuity
Category: W
Notes / Comments: To be provided

Title: ANSI/ARMA 5-2003 Vital Records Programs
Regulation / Standard: Regulation
Governing Body: ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators)
Country: U.S.A.
Summary: Sets requirements for establishing a vital records program by: - Identifying and protecting vital records - Assessing and analyzing their vulnerability - Determining the impact of their loss on the organization
Category: E
Notes / Comments: Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster.

The following content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source.
Enterprise Risk Management
Ratings Agencies (i.e. Moody's & S&P) are including ERM analysis in the Corporate ratings process for Financial & Non Financial companies.
• Why viewed as Important
– Recognizes the need for sharing critical information regarding key areas of risks.
– Recognizes requirement for solid ERM processes supporting the business
• Objective
– Evaluate approach to ERM from a corporate perspective
– Understand process for ERM Evaluation, Managing, & Communicating
• Impact
– Elevates overall importance and business impact of an effective Enterprise Risk Management Program
Example - S&P Framework
The Enterprise Risk Management Framework S&P is using consists of three broad components based on their existing ‘PIM’ model
Framework Components
• Policies & Governance
• Infrastructure
• Methodology
S&P Assessment Framework – Policy & Governance
Component evaluates the ‘Level of Importance’ the Risk Management function has within your organization.
• Corporate reporting relationship
– Understand Reporting lines
– Level of independence and internal influence
• Risk assessment & define Tolerances
– How Risk tolerances are defined
– Impact on strategic decision making
• Risk Communication & disclosure
– Communication methods, regularity
– Types and level of communications
S&P Assessment Framework – Methodology
Component evaluates the organization’s Enterprise Risk Management Program Methodology
• Tools & technology utilized
– Quality & level of systems
– How are the systems integrated
• Measurement System used for Tracking purposes
– What measures are used
– Do they generate meaningful, quantitative conclusions
• Testing & Validation
– Stress Testing & ‘what-if’ analysis
– Validate risk definitions & ranges are accurate
S&P Assessment Framework – Infrastructure
Component evaluates organization’s risk architecture, quality of data, and backroom operations.
• Disaster Recovery Process
– Has a recovery process for critical business process infrastructure been identified
– Are DR Plans documented, current and tested regularly
• Business Continuity Planning
– Do BC Plans cover all critical business processes, workflow, & people
– Are BC Plans documented, current, and tested
• Staff background
– Technical skill levels and educational qualifications
– Risk management & technical back office personnel
– Expertise, training levels, & years of experience
Recommendation
How can you be prepared…. and Elevate DR Program
• Identify timeframe & status of ratings evaluation
– When was it last completed
– Results?
• Establish level of importance
– Communicate process to Executive Management
– Solicit support from CIO, CFO, CSO, etc.
• Conduct Enterprise Risk Management Program Assessment
– 3rd party review of ERM Program
– Executive level summary with ratings process incorporated
– Improvement recommendations
3rd Party BCDR Solution Agreements
Time to consider options…..

Survey Snapshot
• How many of you have a 3rd party service solution?
• How many see the value equal to solution cost?
• How many are confident solution will work if you need to invoke?
Recommendation – Solution Agreements
Aggressively Evaluate options!!
• DR Strategy Assessment & requirements Validation
– Provides executive communication and critical vendor service requirements
– Validate & optimize technical approach
• DR Services RFP / RFI
– Seriously evaluate regional, non traditional players
– Target SLA & service solutions versus traditional inventory approach
– Expect 20-40% savings OR significant improvement in services
– Consider 3rd party support to ensure all options are considered
Vendors are hungry & there are more options than you think…..
Elevate your DR Program
Conclusion
• Simplify your Approach and Initiatives to Align with Executive Priorities
• Connect or Unify with other Key Initiatives
• Amplify program with improved communication & Awareness activities