Page 1

© Copyright 2014 EMC Corporation. All rights reserved.

RSA Business Resiliency Management

Preparing for the Inevitable

RSA Security Summit, London, England
April 2, 2014

Patrick Potter, CBCP, CISA
GRC Strategist, Audit and Business Continuity Management

Page 2


Where is Business Continuity Today?

Chart labels: Frequency, Cost, Damage, Complexity

Most companies have business continuity and IT disaster recovery programs, but are they positioned to keep up with the changes constantly affecting the organization?

Presenter notes: Simple message of the silo'd compliance processes. Highlight that the main enablers are office tools, and that multiple parties are part of the compliance picture. Key message: obligations are going up, requiring more effort; costs then go up; but we still see violations (or the potential for violations) and negative impacts going up.
Page 3


The Impending Disaster?

How Prepared is the Organization?

Growing number of man-made and natural disasters

Regulations with BCM requirements are multiplying

24/7 service delivery requirements

Domino effect from globalization and highly complex supply chains

More complex and frequent disruptive events lead to a need for better crisis management

– Operational incidents
– IT disruptions
– Security breaches

We believe organizations today face inevitable and almost constant disruptions but are not prepared to deal with the variety, speed or impact of events.

Presenter notes: Generic slide. The key message is to build the "Why" of the Golden Circle. This is our belief statement slide. We believe organizations should be able to comply by natural actions rather than reactions. All companies in the industry have to comply, and those that do it better and cheaper gain a competitive advantage.
Page 4


The New World of Business Resiliency

The magnitude and impact of today's disruptions are driving businesses to realize that business recovery is not enough.

We must build resiliency into the way business is done: through business priority, end-to-end approaches and collaboration.

Presenter notes: Statistics give credence to our claim that the velocity of laws and regulations is building. Therefore, companies have to find efficiencies in their programs. Focusing on priority (what matters the most), on the incoming real obligations, and on automating and sharing compliance processes and data is what will lead a company to achieve this competitive advantage.
Page 5


We Need to Change our Approach…

Diagram: Crisis Management, IT, Business Continuity and Business Operations, shown moving from "Independent and Reactive" to "Collaborative and Prepared".

To be prepared now for the inevitable and develop a strategy for resiliency.

Presenter notes:

Without a BCM tool:
– Little knowledge of which processes, technologies and other infrastructure components are priority for recovery based on their criticality to the business, with no accountability assigned for business-critical components
– Little communication among BC, DR and crisis teams, with no visibility into new/emerging IT or LOB risks that may impact continuity or resilience of the company
– Uncoordinated, ad hoc processes for creating, approving, maintaining and testing BC/DR plans
– Static plan documentation captured using multiple tools and inflexible systems that are costly to customize and upgrade
– Difficult to report/prove to senior management that current BC/DR plans are in place and will work as planned

With RSA Archer BCM:
– BC/DR plans are linked to the company's repository of processes, assets, facilities and contacts, enabling plans to be aligned with the organization's business priorities and establishing accountability
– Crisis personnel can efficiently respond to a crisis event with documented, step-by-step procedures
– Consistent processes provide visibility into the current state of the organization's plan statuses, review dates, test results, test remediation statuses and crisis tasks, enabling collaboration across BC, DR and crisis teams
– Automated, up-to-date BC/DR plans for the organization's latest environments and business processes that can be easily accessed during a disruption of service
– Senior management has an understanding of the continuity risks, insight into needed budget requirements and a level of confidence that a plan is in place if a crisis occurs

Additional pain points that you can ask questions about:
– Significant risk of continuity-related impacts is present. Business interruptions, ranging from isolated infrastructure failures through regional events, have the potential to cause serious financial harm and/or reputational impairment. The organization relies on "force majeure" clauses to minimize contractual violations.
– Recovery efforts are chaotic and ad hoc, typically relying on "heroic measures". The organization lacks confidence in its ability to survive following a business interruption.
– Business and IT management support or high-level sponsorship is non-existent, with no or minimal participation by key groups such as operations, finance, IT, risk or security. Business continuity accountability and responsibility remain unassigned.
– There is a reluctance to make necessary investments in BCM. There is no discipline, desire or plan to comply with BCM-related regulations, methodologies or best practices.
– BCP goals and expectations (if there are any) were derived without a risk assessment or BIA. Business continuity strategies are ad hoc; documented BCP plans do not exist.
– Business continuity testing and training and awareness processes have not been designed, or management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions.
– IT DR is often the most mature aspect of the continuity process, although some organizations emphasize either Crisis Management or BCM planning.
– Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort.
– The organization's BCM strategy addresses crisis management, business recovery or IT DR. If these disciplines exist, they are designed and developed separately and lack integration.
Page 6


Intelligent Resilience

Diagram labels: Noise, Visibility, Analysis, Priority, Action, Results, Metrics

Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress

We provide solutions that turn disruptions into intelligent information that drives priority, results and progress towards resiliency.

Page 7


Business Resiliency Management

Enables organizations to:
– establish business context for resiliency
– prepare for IT and business disruptions
– catalog and resolve operational incidents
– manage crisis events and communications

reducing the risk of IT and business disruptions, harmful operational events and significant business crises.

Diagram: Business Resiliency Management spanning Crisis Management, Business Continuity, Information Technology and Business Operations.

…Not a single answer but rather a solution leveraging people, process, and technology as a force multiplier.

Page 8


Planning Your Journey

Maturity: Reactive → Intelligent → Proactive

Recovery: silo'ed recovery planning, little business context, stale reporting
Continuity: combined business and IT focus, recovery to continuity, root causes
Resiliency: fully risk aware, proactive analysis, operational & differentiating

Steps between the stages: gain resources & visibility; reduce duplicative tasks; maintain cooperation & priority; manage known & emerging risks.

Presenter notes: (The notes use the stage names Compliance Siloes, Risk Managed and Opportunity Advantaged; the slide itself labels the three stages Recovery, Continuity and Resiliency.)

[Animation 0: Compliance] Organizations in the Compliance Siloes category are stuck in the most elementary approaches that attack individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front-line and functional employees. Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate. They are hunkered down in the trenches, too scared to move forward or relying on old-fashioned approaches that may get the job done but will never keep pace with today's market. These companies need to take "Compliance" off the table and solve the regulatory and industry needs in the most efficient and effective manner. This requires automating compliance and building a cohesive strategy to deal with the "basic requirements" of doing business.

[Animation 1: Risk] In order to move from Compliance Siloes to Risk Managed, the organization needs to:
– Reduce compliance costs through automation
– Reallocate budgets to gain resources and risk visibility
Companies in the Risk Managed category have solved (or are considerably on their way to solving) the "advanced requirements" of compliance. They have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report compliance state. Companies in this state need to become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. The business needs to understand the risks in its landscape and should be navigating (or at least identifying changes) to avoid major issues. This progress is being fueled more and more by visibility into risk through metrics and analysis capabilities.

[Animation 2: Opportunity] In order to move from Risk Managed to Opportunity Advantaged, the organization needs to:
– Manage known and unknown risk
– Identify new business opportunities
The Opportunity Advantaged company has mapped out and conquered the risk landscape and is poised to explore the opportunity landscape. These companies are now ready to realize the competitive advantage of harnessing risk: beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line. Companies in this phase focus on speaking "business language" instead of "risk language". They are able to identify and respond to emerging risks ahead of the curve, using common taxonomies, common approaches, finely tuned decision-making processes and, most importantly, DATA to support their conclusions.
Page 9


Business Resiliency Management

Improving the Lifecycle…

Lifecycle wheel:
– Establish Business Context for Resiliency
– Perform Risk Assessments and Business Impact Analyses to determine recovery priorities
– Document BC/DR Recovery Plans, Strategies and Tasks
– Test BC/DR and Crisis Management Plans, Automate Plan Maintenance and Train Key Resources
– Manage Crisis Events, Activate Plans and Notify Key Parties
– Manage Operational Incidents, Catalog, Resolve and Trend

Presenter notes: This is a typical BCM lifecycle approach, and Archer BCM follows it. The following describes each point on the wheel.

Align BCM Program with Business Strategies and Objectives. In "ITScore for Business Continuity Management: Results Through January 2012", Gartner states that "BCM requires business and IT management support, and needs high-level sponsorship. Assign the responsibility to the chief operating, risk or financial officer, along with continued oversight by the CEO and the board of directors." These requirements entail not only having management support, but also BCM being driven by or alongside other related strategic initiatives such as Governance, Risk and Compliance (GRC) and Enterprise Risk Management (ERM) initiatives. The newly released ISO 22301 standard mentions this extensively.

Perform Risk Assessments and Business Impact Analyses to determine recovery priorities. Entails identifying and evaluating the risks to and criticality of business processes and supporting infrastructure, as well as determining their Recovery Time Objectives (RTOs, the required time in which to recover the process) and Recovery Point Objectives (RPOs, the amount of tolerable data loss). It is critical to ensure that RTOs, recovery strategies and tasks align with the strategies, objectives and operating needs of the business, and that BCM planning is not done in a vacuum.

Document BC/DR Recovery Plans, Strategies and Tasks. Entails determining the most cost-effective, efficient, practical and holistic recovery strategies that align with business requirements and other strategic imperatives. This process also includes documenting the detailed recovery plans and tasks that support the recovery strategies and enable the organization to recover critical business processes from a disruption.

Test BC/DR and Crisis Management Plans, Automate Plan Maintenance and Train Key Resources. Entails testing recovery strategies and plans on a periodic basis against realistic and varied disruption scenarios. Tests should increase in difficulty, complexity and realism over time. Plans are updated and maintained as a result of the testing. Training people ensures that all who have a part in business or IT recovery understand their roles, the overall recovery strategies, and the detailed recovery objectives and plans. Training also ensures that the overall business organization understands recovery objectives and how they relate to company strategies.

Manage Crisis Events, Activate Plans and Notify Key Parties. Entails tracking and monitoring risks and crisis events by integrating with reporting sources and enabling crisis management. Determining which plans to activate, activating those plans, and notifying people through call trees or automated notifications is also part of crisis management.

Self-Audit and Comply with Authoritative Sources. Entails ensuring that all aspects of the BCM program align with applicable regulatory and audit requirements.
Page 10


Establishing Business Context and Priority for Resiliency

Catalog business hierarchy establishing organizational structure for resiliency reporting

Catalog business processes, products and services, IT assets, information, facilities and contacts

Measure, decompose and track business criticality of relationships

Understand and manage relationships between business and IT infrastructure

Presenter notes: A new BCM Risk Register helps customers to identify, evaluate and mitigate risks that may impact their organization, locations, processes or partners. The new Business Impact Analysis (BIA) is leveraged by both the RSA Archer Enterprise Management and BCM Solutions. The BIA enables customers to evaluate the criticality of their processes and determine recovery objectives (RTO and RPO) that are coordinated across supporting infrastructure. RSA provides templates to perform Business Impact Analyses and Risk Analyses at any level of the business hierarchy or enterprise infrastructure, and to tie them to other risk assessments.
Page 11


Risk and Business Impact Analysis

BCM Risk Register helps identify, evaluate and mitigate risks

Business Impact Analysis enables evaluation of the criticality of processes and assets and determination of RPOs and RTOs

Prioritize business processes based on:
– Financial Impact
– Operational Impact
– Regulatory Impact
– Reputation Impact

Page 12


Business Continuity & Disaster Recovery

Centrally manage BC and DR plans

Associate plans to business processes, risks, BIAs, and IT assets

Leverage call trees and specific recovery strategies and tasks

Document results of BC/DR plan ownership, workflow and testing

Presenter notes: Business Continuity and Disaster Recovery plans are now centrally managed, allowing customers to develop detailed recovery plans for business processes or IT assets, utilizing automated workflow for plan testing, activation and approval.

Document Business Continuity and IT Disaster Recovery Plans: ensure the consistency of plan documentation across your organization using fully configurable web-based forms.

Testing plans:
– Test your business continuity and disaster recovery plans to identify process gaps
– Estimate recovery task and procedure completion time and roll estimates up to the plan level to determine the overall testing and plan execution duration
– Track testing gaps and remediation efforts
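Slides 10 to 12 describe three calculations without showing them: ranking processes by financial, operational, regulatory and reputation impact, coordinating RTO/RPO across the infrastructure a process depends on, and rolling task estimates up to a plan-level execution duration. The Python script below is an added example written for this page, not RSA Archer code; the impact weights, the three processes, the four IT assets and the core-db recovery plan are constructed assumptions for illustration. It works the three steps through and performs the check a practitioner most wants out of a BIA: whether the recovery an asset can actually deliver meets the tightest objective inherited from the processes that depend on it, and whether a plan's critical path fits inside that RTO.

```python
"""BIA prioritization, RTO/RPO propagation and DR plan roll-up.

Added example for this page; all data below is constructed, not taken from
any real BIA. Impact scores run 1 (negligible) to 5 (severe); times are hours.
"""
from dataclasses import dataclass

# Weighting of the four impact categories named on slide 11 (assumed values).
IMPACT_WEIGHTS = {"financial": 0.4, "operational": 0.3,
                  "regulatory": 0.2, "reputation": 0.1}


@dataclass
class Process:
    name: str
    impacts: dict      # category -> score 1..5
    rto_hours: float   # maximum tolerable downtime
    rpo_hours: float   # maximum tolerable data loss
    depends_on: list   # IT assets the process cannot run without


@dataclass
class Asset:
    name: str
    recovery_hours: float         # how long DR actually takes to restore it (tested)
    backup_interval_hours: float  # worst-case data loss given the backup cadence


def criticality(p: Process) -> float:
    """Weighted BIA score; higher means recover first."""
    return round(sum(IMPACT_WEIGHTS[c] * p.impacts[c] for c in IMPACT_WEIGHTS), 2)


def prioritize(processes):
    """Recovery order: highest criticality first, shortest RTO breaks ties."""
    return sorted(processes, key=lambda p: (-criticality(p), p.rto_hours))


def required_objectives(processes):
    """Decompose process objectives onto assets: an asset inherits the
    tightest RTO and RPO of every process that depends on it."""
    required = {}
    for p in processes:
        for asset in p.depends_on:
            rto, rpo = required.get(asset, (float("inf"), float("inf")))
            required[asset] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    return required


def gaps(processes, assets):
    """Assets whose tested capability misses the objective they inherited.
    Each gap is (asset, objective, required_hours, actual_hours)."""
    required = required_objectives(processes)
    found = []
    for a in assets:
        need_rto, need_rpo = required.get(a.name, (float("inf"), float("inf")))
        if a.recovery_hours > need_rto:
            found.append((a.name, "RTO", need_rto, a.recovery_hours))
        if a.backup_interval_hours > need_rpo:
            found.append((a.name, "RPO", need_rpo, a.backup_interval_hours))
    return found


def plan_duration(tasks):
    """Roll task estimates up to the plan. tasks is {name: (hours, [predecessors])};
    the plan takes as long as its longest dependency chain (critical path).
    A circular dependency raises instead of hanging a real activation."""
    finish = {}

    def finish_time(name, path=()):
        if name in path:
            raise ValueError(f"circular dependency through {name}")
        if name not in finish:
            hours, predecessors = tasks[name]
            start = max((finish_time(p, path + (name,)) for p in predecessors), default=0.0)
            finish[name] = start + hours
        return finish[name]

    return max(finish_time(t) for t in tasks)


# Constructed sample BIA data.
PROCESSES = [
    Process("Card payments", {"financial": 5, "operational": 4, "regulatory": 5, "reputation": 4},
            rto_hours=4.0, rpo_hours=0.25, depends_on=["payment-gateway", "core-db"]),
    Process("Payroll", {"financial": 3, "operational": 2, "regulatory": 4, "reputation": 2},
            rto_hours=48.0, rpo_hours=24.0, depends_on=["hr-app", "core-db"]),
    Process("Marketing site", {"financial": 2, "operational": 1, "regulatory": 1, "reputation": 3},
            rto_hours=24.0, rpo_hours=24.0, depends_on=["web-cms"]),
]
ASSETS = [
    Asset("payment-gateway", recovery_hours=2.0, backup_interval_hours=0.25),
    Asset("core-db", recovery_hours=8.0, backup_interval_hours=1.0),
    Asset("hr-app", recovery_hours=24.0, backup_interval_hours=24.0),
    Asset("web-cms", recovery_hours=12.0, backup_interval_hours=24.0),
]
# Constructed DR plan for core-db: task -> (estimated hours, predecessors).
CORE_DB_PLAN = {
    "declare-disaster": (0.5, []),
    "notify-call-tree": (0.5, ["declare-disaster"]),
    "provision-standby": (2.0, ["declare-disaster"]),
    "restore-backup": (3.0, ["provision-standby"]),
    "replay-logs": (1.0, ["restore-backup"]),
    "validate-and-cut-over": (0.5, ["replay-logs", "notify-call-tree"]),
}

if __name__ == "__main__":
    for p in prioritize(PROCESSES):
        print(f"{p.name:15} criticality={criticality(p):.2f} RTO={p.rto_hours}h RPO={p.rpo_hours}h")
    for asset, objective, need, actual in gaps(PROCESSES, ASSETS):
        print(f"GAP {asset}: {objective} required {need}h, actual {actual}h")
    hours, need = plan_duration(CORE_DB_PLAN), required_objectives(PROCESSES)["core-db"][0]
    print(f"core-db plan critical path {hours}h vs required RTO {need}h:",
          "OK" if hours <= need else "EXCEEDS RTO")
```

On the sample data the script surfaces the two findings a BIA exists to expose: core-db inherits a 4-hour RTO and 15-minute RPO from card payments although payroll, which also depends on it, would tolerate 48 hours and a day of data loss; and the core-db plan's critical path (7 hours) exceeds that inherited RTO even though every individual task looks short. Feeding tested rather than estimated task times into plan_duration is what turns the plan-level roll-up from paperwork into evidence.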
Page 13


Business Continuity Mobile Application

BCM Mobile Application for iPhone and iPad enables users to view business continuity or disaster recovery plans and associated strategies, tasks, calling trees, and requirements

Reduces reliance on hard copies

Key technical features:
– Secure authentication
– Off-line availability of encrypted data
– Click to call, email, and text functionality from the app
– Regular data synchronization
– URI convenience

Presenter notes: The RSA Archer Business Continuity Management mobile application for the iPhone and iPad enables users to view BC or DR plans and associated strategies, tasks, calling trees, and requirements. The BCM mobile application supplements hard copy plans, and in the event of a crisis users will have access to their plans and be ready to take action.

A Business Continuity Officer at a Fortune 500 telecommunications company said: "As a major wireless telecommunications provider, having a mobile application is high on our list of features for our Business Continuity and Disaster Recovery Planning solution. The Archer BCM mobile app gives us one more option for quickly accessing contact and plan data while we are away from our computers."
Page 14


Crisis Management

Report crisis events that occur anywhere you do business

Quickly capture the details of a crisis, including the time of occurrence, event location, type and severity

Communicate crisis information and leverage emergency notifications and call trees

Manage activated BC/DR plans

Presenter notes: Crisis Management and Response is enhanced to enable customers to report and manage crisis events, send emergency notifications to communicate crisis information to appropriate personnel, and activate BC/DR plans to recover disrupted business operations, facilities or IT infrastructure.
– Report crisis situations that occur anywhere you do business
– Quickly capture the details of a crisis, including the time of occurrence, event location, type and severity
– Integrate the solution with calling trees and emergency notification tools such as Everbridge
– Track and manage emergency operations assistance based on the DHS NIMS Framework
– Manage activated BC/DR plans
Page 15


Incident Management

Identify events that may escalate to incidents

Prioritize incidents based on business impact

Manage the investigation and resolution process end-to-end

Report on incident management, trends, status and impact

Relate incidents with crisis events for better causal analysis

Page 16


The Value of Business Resiliency Management

Better prepared for disruptions
• Visibility & business context
• Incident prioritization
• Monitor KPIs
• Identify gaps & improve

Coordinate BC/DR, Crisis & Incident efforts
• Aligned BC/DR Plans
• Coordinated Crisis Management
• Reduce costs
• Automation

Manage Business Resiliency Risk
• Highest risks planned for
• Manage response from minor operational issue to Crisis
• Built-in operational resiliency

Roles shown: Business/IT Recovery, Breach/Incident Coordinator, Business Owner/CIO

Presenter notes: Again, emphasize the three.