Aligning Business Continuity, Disaster Recovery & Crisis .

Transcription

Aligning Business Continuity, Disaster Recovery & Crisis Management Programs for a More Resilient Organization
March, 2013
Tracey Forbes, Vice President
www.sungardas.com

Tracey Forbes, Vice President
Tracey Forbes is the Vice President of Software Business Development at SunGard Availability Services. Joining SunGard Availability Services in 1998, Tracey has been highly involved in the continued evolution of SunGard Business Continuity products and services. She advises on software strategy and product direction and partners with SunGard customers worldwide to support, evolve and enhance their programs.

2012 SunGard www.sungardas.com

Your BC Program may be ineffective if
- BC/DR/CM programs are led by separate internal organizations and leadership – there is little or no collaboration between groups
- Risk Assessment (RA) and Business Impact Analysis (BIA) are not the foundation for current Recovery Strategies
- Business and IT Application Recovery Time Objective (RTO) are misaligned
- Software tools (if in place) are not being utilized across the enterprise
- Lack of clarity around incident to disaster declaration and recognition of when RTO begins to be measured
- BC & DR policies do not align with each other
- BC Program does not follow industry standards and best practice

BCI's Business Continuity Management Lifecycle
[Figure: lifecycle diagram. Recoverable labels: "Understanding Your" (truncated); "cising, Maintenance and Audit" (truncated); "Develop and Implement BCM Plans & Solution(s)"; "Building & Embedding a BCM Culture". Source: Business Continuity Institute 2002]

DRII's Generally Accepted Practices
Ensuring the continuity of your business
[Figure: process diagram. Phases: Assess, Design, Build, Sustain. Labels: Risk / Threat Assessment (RA); Business Impact Analysis (BIA); Develop Appropriate Recovery Strategies; Disaster Recovery; Crisis Management; Business Continuity; (Technology); (People/Places); (Communications); Maintenance; Audit; Response; Exercises; Continual Process Improvement]
- Business Continuity (BC) might include Active/Active or Active/Alternate
- Disaster Recovery (DR) would include Recovery Time Objective (RTO)
- Crisis Communications (CM) would include Status Updates, Employee Hotlines or External Communications with Press, Authorities, etc.

Continual Process Improvement Defined
Where is your organization's current program maturity?
- Level 1: Ad hoc; very limited scope / capability / visibility; no standards, nonexistent
- Level 2: Some definition; informal but existent; some policies / processes / procedures; some metrics; limited scope / capability / visibility; some standards
- Level 3: Good definition; some formality; good policies / processes / procedures; solid metrics; solid scope; standards exist although they may need strengthening
- Level 4: Strong definition; formalized practices; broad scope; strong policies / processes / procedures; strong metrics; strong standards; means to assess conformance
- Level 5: Broad & deep definition / documentation; widespread acceptance and conformance; measurements drive improvements
Stage labels on the chart: Disciplined; Standard & consistent; Predictable & comprehensive; Continuous improvement
Typical Capability Maturity Model [CMM]
Source: Carnegie Mellon, SEI

Continual Process Improvement Further Defined
Stage labels on the chart: Disciplined; Standard & Consistent; Predictable & Comprehensive; Continuous Improvement
- Level 1: Ad hoc; very limited scope / capability / visibility; no standards, nonexistent
- Level 2: Some definition; informal but existent; some policies / processes / procedures; some metrics; limited scope / capability / visibility; some standards
- Level 3: Good definition; some formality; good policies / processes / procedures; solid metrics; solid scope; standards exist although they may need strengthening
- Level 4: Strong definition; formalized practices; broad scope; strong policies / processes / procedures; strong metrics; strong standards; means to assess conformance
- Level 5: Broad & deep definition / documentation; widespread acceptance and conformance; measurements drive improvements

- Level 1
- Level 2: Some departmental recovery plans may exist; tribal knowledge is the norm!
- Level 3: DR Plans for various applications exist; Testing may include tabletops and technical recovery of applications
- Level 4: DR Plans are tested regularly for all in-scope DR applications; Testing may include interdependent applications and platforms
- Level 5: BC/DR Program aligns recovery of Business Processes through the recovery of the application!
Callout: Just in Time DR!

Conceptual Model: BC/DR/CM Cooperation
[Figure: diagram of Crisis Management (CM), Disaster Recovery (DR) and Business Continuity (BC) with four areas: Information Exchange, Integrated Efforts, Joint Decision Making, Common Operating Platform. Items listed on the slide: Risk/Threat Assessment; Analyzing Risk; Business Impacts; Adapting to Change; Critical Dependencies; Exercising; Risk Priorities; Risk Treatment and Mitigation Recommendations; Recovery Time and Point Objectives; Recovery Time and Point Achieved; Terminology; Policy & Standards; Recovery & Resiliency Strategies; Software Tools]

How can you achieve balance within your organization?
Resiliency

Case Study: Integrating BC/DR/CM Effectively
July 2007
- Three separate teams formed into a single team
- Mission Statement & Service Descriptions developed
- DR Plan and DR Exercise Plan Templates created
2008
- DR Plan Template passes QA examination
- BC Plan Template created (due to Client requests)
- Pandemic Planning begins; Framework Plan developed
- Crisis Management Planning begins; Templates developed
2009
- DR Exercise Plan Template passes QA examination
- Pandemic Plan Template created
- Risk Assessments Methodology developed
- First BIA completed
[Chart: vertical axis 0 to 90; horizontal axis 2004-2007, 2008, 2009, 2010; series: DR Planning, BC Planning, CM Planning, Pandemic Planning, Risk Assessments, BIAs, Service Continuity Policy]

Benefits of BC-DR-CM Cooperation
Reduced Risk
- Reduction in complexity of reporting mechanisms to management and to regulators
- Clearer risk metrics across the enterprise
- Reduction in "blind spots" caused by multiple departments communicating across the enterprise using different terminology or definitions
Improved Capability
- Expansion and diversification of talent pool and greater sharing of skill sets
- Greater focus on analyses rather than data management
- Substantial lift in response activities from consolidating information across multiple product lines, geographies, operational systems and transaction types
- Cooperative initiatives not only mean systems work together, but also people
- Establishing effective communication channels that can be leveraged at time of crisis
Cost savings
- Reduced time investment and process complexity for lines of business
- Ability to generate reports and manage staff more efficiently
- Streamlining of management reporting efforts, investigations, support components, and systems and data sets

Standard Methodology
Set the Foundation for your Program
- Recovery Strategies must be based on formal Risk Assessment and Business Impact Analysis studies
- Recovery must include and align Business Process, Application and Infrastructure recovery holistically
Develop an effective Program
- A single Program Office defines policy and governance
- BC/DR/CM all operate according to the same guidelines
- Committees represent all areas of the organization
Leverage Standards and Tools effectively
- Plans are built as best practices/industry standard
- Tools are used across the enterprise to develop consistent documentation and repository of important data

Integrated effort across BC, DR and CM Programs
- Central repository
- Interdependencies
- Cross-functional teams
- Data (remainder of label lost)
[Figure labels: Crisis Management (CM); Business Continuity (BC)]

Independent Recovery Strategies

Challenge: Working in Silos

Implementing a Holistic Approach
- Cross-functional BCM committee
- Understand each person's goals
- Foster interactive discussion utilizing information readily available in the CMS
- Project Timelines, Planning Goals, Detailed Analysis
- Joint decision making is documented within a centralized location
- Centralized management solution promotes a holistic approach to your BCM program
[Figure labels: BC, DR, CM]

[Figure labels: BUSINESS IMPACT AND RISK ASSESSMENT; TEST RESULTS; BUSINESS CONTINUITY PLANS; DISASTER RECOVERY PLANS; CRISIS MANAGEMENT PLANS]

Standard Methodology
Successful Program Implementation

BC / DR / CM Solutions
Programmatic solutions focused on quickly mitigating risk in business-critical areas spanning Technology, Business Continuity, and Crisis Management

Assess / Design
- Risks / Threats
- Business impacts
- Vendor and Work Force Availability
- Recovery strategy
Build / Sustain
- Response plans: Crisis Management, Disaster Recovery, Business Continuity
- Program management
- Update plans
- Ongoing strategy & plan testing
- Program Management

Business Continuity Management Software Implementation
- LDRPS
- BIA Professional
- NotiFind
- Incident Manager
- Risk Assessment
- Vendor Assessment
- Work Force Assessment
- Test Management

Continuity Planning Lifecycle

Recovery Strategies based upon Risk Assessment and Business Impact Analysis results
- Identify threats for various sites: Proximity, Natural, Technical and Human
- Pinpoint consequences and risk impact. Understand mitigation strategies & controls.
- Standard reporting and analysis for more informed decisions regarding recovery.

Recovery Strategies based upon Risk Assessment and Business Impact Analysis results
- Understand impacts on your organization: Financial, Operational, Regulatory, Customers, Leadership
- Identify key business functions and develop recovery strategies.
- Standard reporting and analysis for more informed decisions regarding recovery.

BC/DR/CM operate according to the same guidelines
- CMS provides the foundation for your planning program
- Central repository for various types of plans
- Business Process, Application and Infrastructure recovery are aligned

Integrated Solution: BC/DR/CM cooperation
- All areas of the organization represented
- Standards defined within the tool
- Integrated effort across BC, DR and CM Programs

Improved Capability
- Streamlining of management reports
- Repeatable and auditable process
- Easier to facilitate plan maintenance over time

Program Office defines policy and governance
- Annual Business Impact Assessment Conducted
- Periodic Plan Updates Completed
- Annual Plan Tests and Exercises Completed
- Annual Plan Review and Approval Conducted

Confidentiality Statement

Copyright 2012 by SunGard Availability Services (or its subsidiaries, "SunGard"). All rights reserved. No parts of this document may be reproduced, transmitted or stored electronically without SunGard's prior written permission.

This document contains SunGard's confidential or proprietary information. By accepting this document, you agree that: (A)(1) if a pre-existing contract containing disclosure and use restrictions exists between your company and SunGard, you and your company will use this information subject to the terms of the pre-existing contract; or (2) if no such pre-existing contract exists, you and your Company agree to protect this information and not reproduce or disclose the information in any way; and (B) SunGard makes no warranties, express or implied, in this document, and SunGard shall not be liable for damages of any kind arising out of use of this document.

Trademark Information: SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders.
