ibm global technology services time to rethink our ...… · personal information leaks have cost...
TRANSCRIPT
© 2012 IBM Corporation
Time to Rethink our Assumptions about Risk and Resiliency Approaches
Business Continuity and Disaster Resiliency Forum Manila, Philippines
Patrick Corcoran, Global Business Development Executives IBM Business Continuity & Resiliency Services
IBM Global Technology Services
© 2012 IBM Corporation
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
2
Headline events often mobilize our clients to pause and reflect on their current IT resilience standing. . .
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
3
3
Personal information leaks have cost millions of dollars, led to class action
law suits, and damaged corporate reputation
The Iceland volcanic eruption cost airlines $1.7 billion with more than
10 million people affected
Hosting provider service outages affect PaaS and SaaS for other vendors
90% of WW BT resin supply stopped
Visitors to Japan dropped 60% in April
The increasingly connected world has magnified the impact on every aspect of life, including its disruptions.
BT Resin Shortage Mobile Circuit Production Issue
Decreasing Tourism
Airlines Discontinuation
WW impact to Car Production
Personal Information Stolen Class Action Lawsuit
Downstream Service Provider Disruption
Car Parts Shortage
Nuclear Plant Explosion
Platform Outage
Flight Cancellation
Earthquake and Tsunami
Game site attacked by hacker
Servers shut down by human error
Volcano
WW car production was down20-30% for some major auto
manufactures during April and May
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
4
2011 World Wide Disasters – One of the Costliest Years on Record
Wildfires, Canada14-22 May
Hurricane Irene, USA, Caribbean22 Aug – 2 Sep
Flash Floods, Italy, Spain, France4-9 Nov
Winter Storm Joachim, France,Switzerland, German
15-17 December
Cyclone Yasi, Australia2-7 Feb
Floods, PakistanAug - Sep
Drought, SomaliaOct 2010 –Sep 2011
Source: Munich RE
Climatalogical Events – extreme temperatures, drought, wildfires
Meterologic Events - storms
Hydrological Events – floods, mass movement
Geophysical Events – earthquake, tsunami, volcanic activity
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
5
Japan: March 11, 2011 – Earthquake and Tsunami
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
6
Concerns
• Aftershocks
• Nuclear reactors down
• Planned Power outage
3/11 14:46 The earthquake of magnitude 9.0 occurs at 24km in Miyagi Prefecture offing 130km depth.
Tsunami exceeded 10m as a result of the earthquake had a big influence on Iwate Prefecture, Miyagi Prefecture, Fukushima Prefecture, and Ibaraki Prefecture. 13,392 dead, 15,133 missing, and 150,000 or more victim as of April 14.
The Fukushima nuclear plant lost cooling function due to Tsunami, then generated core meltdown, and the government declares INES level 7.
A wide-ranging power failure occurs and it influences the society's infrastructure and the information technology operation greatly.
Since 3/11, 400 times or more aftershock with magnitude 5.0 or more occurred.
Damage is assumed to become 100 trillion yen scale according to the report of CNN.
Outline of East Japan huge earthquake
Huge loss of infrastructure due to earthquake and Tsunami.
①
②Fukushima nuclear plant #1 radiation leak
Even the metropolitan areaBig confusion by rolling blackout
③
①
①
①
①:Affected area by earthquake and Tsunami②:Affected area by nuclear plant accident③:Affected area by earthquake
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
7
What follows is IBM's history of involvement in humanitarian disaster response since 2001. Incidents …
Gujarat, India, earthquake, Jan 2001
New York City, September 11, 2001
Tsunami - Sri Lanka, Dec 2004
Tsunami - India, Dec 2004
Tsunami - Indonesia, Dec 2004
Tsunami - Thailand, Dec 2004
Mexico, Hurricanes/flooding 2005
US Gulf Coast Hurricanes Katrina and Rita, August 2005
Pakistan earthquake, October 2005
Philippines Guinsaugon landslides Feb 2006
Indonesia - Mt. Merapi (Jogja) volcano/quake, June 2006
Peru earthquake, Aug 2007
San Diego, wildfires, October 2007
Mexico, Tabasco flooding, November 2007
Bangladesh, cyclone, November 2007
Indonesia mud slides, December 2007
Sri Lanka - flooding December 2007
Sichuan Province, China, earthquake, May 2008
Myanmar, Cyclone Nargis, May 2008
Bihar, India, flooding, August 2008
Australian bush fires, Victoria Feb 09
H1N1 response - Centers for Disease Control (U.S.) server donation
Italy earthquake, April 2009
Mexico - H1N1 response August 2009
Taiwan typhoon - August 2009 - Kidsmart donation, investigation of Sahana
Philippines typhoon Ketsana/Ondoy - September 2009
Indonesia earthquakes - September 2009
Vietnam flooding - September 2009
India flooding - Kamataka and Andhra Pradesh - September 2009
Haiti earthquake - January 2010
Chile earthquake - February 2010
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
8
Hindsight is 20/20—where traditional IT disaster plans often fall short
Most disaster plans fail to account for:
Disasters create other disasters … domino effect– Japan: earthquake => tsunami => nuclear plant damage => power problems =>
supply chain problems ……
Human issues– Will people be available? How about their families? Financial assistance?
Communications issues– Communicating with, supporting and mobilizing employees, customers and
suppliers, the press and the public at large
Community issues– Fulfilling responsibilities to host communities
Infrastructure issues– Anticipating how roads, travel and power supplies might be affected– Vulnerability of sites
Business issues– Keeping business processes running– Managing insurance claims
Disaster plan currency– Keeping plans up to date and well tested– Availability of data and hardware
To learn more about lessons learned from regional disasters, listen to the following webinar:http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
9
Key areas to consider when creating or updating your business continuity plans.
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
10
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Availability of employee
Conflicts with families and spouse conflicts
How people respond to different disaster scenarios
Who and where are decision makers during disaster
Employees safety
Emergency loans / funds for employees
Problems encountered…
Consider employees prior, during and after event– Roles during and after disaster, safety, trauma, transportation,
housing and funding– Consider addressing employees’ families in BCP
Include IT, lines of business, HR and auditors in BCP
Consider having alternate teams available
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
11
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
No centralized number for employees/customers/partners
Cell phones didn’t work
No power for cordless phones
Limited access to internet for email
No or limited plans to address media
No or limited communications with public sector agencies
Problems encountered…
Create centralized number, email address and/or web site
Consider alternate communication tools: satellite phones, cell phones outside of affected region, common email address, wireless cards for laptops, text messaging
Create an external communications plan
Actions to consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
12
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
People did not follow local agencies directions
Limited or no availability of fuel
Limited or no air transportation
Limited or no availability of rental vehicles
Heavy traffic, long delays
Vehicles disabled due to high temperatures
Problems encountered…
Work with local government agencies
Understand and follow evacuations guidelines
Anticipate, move key employees (and families) and data out of the affected area
Consider availability of hotel and car rental
Have extra supply of fuel for travel
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
13
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Outdated or non-existent plan
Plans were not available
Plans were not linked to change management
No Crisis Management Team
Problems Encountered…
Keep plan current
Integrate plan with IT and business change management
Keep DR vendor contract current
Test plan annually or more often
Create crisis team to manage crisis
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
14
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Unknown, poor and/or inadequate coverage
Did not know what disaster scenarios were covered
No inventory or documentation of activities for claims adjuster
Problems Encountered…
Understand your risks and ensure adequate insurance coverage
Understand and test different disaster scenarios
Keep an inventory of all assets
Document all activities throughout the disaster event
Obtain independent review of insurance coverage
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
15
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Location in high risk areas
Mold, contaminants
Structural damage
Storage / location of critical assets (i.e., Basement)
Mobile solution didn’t work in affected area
Problems Encountered…
Understand risk and vulnerabilities of facility location(s)
Consider security and accessibility of facility
Conduct a vulnerability assessment of facility
Have vendor contacts ahead of time to fix or clean facility if required
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
16
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
No power or fluctuating time estimates for restoration
No/limited redundant power supplies (i.e diesel generators)
Poor location of generators / UPS (basement, roof)
No inadequate supply of fuel
Problems Encountered…
Ensure redundant power supplies are tested
Consider location of redundant power supplies
Have contacts for acquisition of generators
Ensure adequate fuel supply
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
17
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Hardware was damaged
No power for equipment to repair
No plans to relocate equipment to alternate location
No plans to dispose of damaged equipment
Incomplete coverage on service contracts
Problems Encountered…
Consider a contract for equipment acquisition
Have vendor(s) lined up for equipment relocation
Understand methods and procedures for removing and moving equipment
Understand methods and procedures for disposing of damaged equipment.
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
18
people
communications
travel / transportation
plan currency
insurance
infrastructure
power
hardware replacement
data availability
Tapes were stored in affected areas or at office
Tapes/DASD/documents were destroyed or damaged
Tapes were lost in transport
Tapes could not be shipped because of travel restrictions
Restoration processes were unknown or untested
Problems Encountered…
Utilize electronic media
Set up multiple locations for backups, one set near your recovery location
Store critical documents on electronic media in remote locations
Ensure restoration procedures are part of your BCP and tested
Actions to Consider…
Key areas to consider when creating or updating your business continuity plans.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
1919
Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment.
Business resilience helps organizations maintain continuous operations and protect their market share
in the face of disruptions such as natural or man-made disasters. It requires the engagement
of everyone in the organization and often means a change in corporate culture to instill awareness
of risk.
Business resilience planning is distinguished fromenterprise risk management (ERM) in that it is more likely
to build capacity to seize opportunities created by unexpected events.
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
20
A resilient framework helps identify areas of risks and vulnerabilities, and allows a company or organization to develop a enterprise resiliency roadmap.
Risk mitigation strategiesBusiness driven Data driven Event driven
Strategy
Organization
Processes
Applications and Data
Technology
Facilities
Bus
ines
s re
silie
nce
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
21
A business resilience program should utilize a methodology that encourages a continuous monitoring and improvement.
Improve the efficiencyand cost effectiveness of
our program
Develop solutions to increaseResiliency objectives
Understand the organization requirements and risks
ProgramManagement
Awareness, Regular Validation, Change Management, Executive Reporting
StrategyDesign
ProgramAssessment
Program Design
Crisis team
Business Resumption
Disaster Recovery
InformationSecurity
Program Validation
Develop &
Implement
People
Procedures
Infrastructure
Facilities
PolicyFormulation /
Committee
Business Impact
AnalysisRisk
Assessment
ManageImplementPlanAssess
RisksVulnerabilitiesThreats
Organization objectivesTangible (financial) Intangible (brand image)
Current capabilities
DocumentedActionableMeasureable
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
22
IBM delivers unsurpassed geographic scope combined with a thorough knowledge of local, regional and global regulations.
22
Over 160 data centers globally
100 percent recovery for IBM clients who have declared a disaster (over 800)
More than 1,875 professionals dedicated to business continuity and resiliency
More than 9,000 disaster recovery clients
More than 10,000 client rehearsals per year
More than 50 years experience helping clients with their backup and disaster recovery needs
Over 800 client declarations supported since 1989
Scalable, end-to-end, cloud-based data backup and recovery solutions
Five million square feet of floor space for disaster recovery, with 40,000 seats
© 2012 IBM Corporation© 2012 IBM Corporation
IBM Business Continuityand Resiliency Services
2323
Any questions, contact mePatrick Corcoran
Thank You!