Kathleen Lucey
Montague Technology Management, Inc.
[email protected]: 1.516.676.9234
Telling the Truth in Business Continuity
What is your BCM Program’s “Reason to Live”?
• What is the primary reason for the existence of your BCM program?
– Regulatory requirement
– Audit requirement
– Technology recovery capability
– Prudent business control
– An integral and ongoing part of the firm’s business
Risks, Mitigation, and Scenarios
• Do you know your risks and their impacts?
– Infrastructure: fire, loss of power, equipment failure
– Production Line Single Points of Failure
– Employees
– Reputation
– Outsourcers and Suppliers
– Climate-related regional events
– Civil Disorder/Attack
• Are strategies in place to lower the probability of controllable risks, and to continue critical operations within tolerance levels if an interruption does occur?
• Which interruption scenarios have you included?
[Figure (slides 4–9): Business Continuity context diagram. Interruption sources shown: Supplier Outage or Transport Issue, Employee Unavailability, Power Disruption, Weather Events, Regulatory Mandate, Denied Facility Access, Civil Unrest, War. Program components shown: Mission-critical IT Systems, Maintenance and Service Contracts, Contingency Plans, Disaster Recovery Plans, Insurance Policies, Mission-Critical Physical Infrastructure, Information Security, Testing and Training, Incident Procedures and Review Processes, Audit and Reporting Functions, “Stay In Business” Requirements, Change Control Process, Environmental Topology. Center: Business Continuity.]
© Montague Technology Management, Inc. 2006, All rights reserved.
[Figure: Interruption Events and Solutions. Interruption events: Everyday Blips, Process Dysfunctions, Minor Interruptions, “Worst-Case” Scenario. Solutions: Reliability Engineering, Availability, Disaster Recovery. Both are mapped against the Core Business Value Chain Processes.]
Interruption Scenario Characteristics
• Time / day of incident
• Damages type: Building infrastructure, reputation, regional infrastructure
• Personnel injuries
• Effects on critical operations
• Area: premises, building, small area, region
• Duration
[Figure: Interruption Management Model. Teams: Executive Oversight Team; Interruption Management Team; Media Relations Team; Command Center Support Team; Business Continuity Teams (Business Recovery Coordination); Information Technology Recovery Teams (IT Recovery Coordination). Functions shown: Business Continuity Coordination, Initial Crisis Management, Recovery Management, Employee Support, EMT, Government Liaison, Emergency Funding, Physical Security, Transportation, Communications, Site Repair and Restoration, HAZMAT, Admin. Services, Damage Assessment, Emergency Logistics, Site Relocation and Re-creation, Site Repair or Relocate, Purchasing, Insurance Liaison.]
BCM Program Content
• Does your BCM contain the following:
– Crisis Communication and Management Procedures?
– Business Unit Recovery Procedures?
– Technology Recovery Procedures?
– Supplier Failure Compensatory Procedures?
– Restore/Relocation Procedures?
• Are all involved parties trained and committed to their BC responsibilities? How do you know?
• How do you know that all of these will be effective when needed?
BCM Program Approvals
• Is your BCM Program approved by:
– Internal and External Audit?
– Regulator(s)?
– CIO?
– Risk Committee of the Board?
– You?
• Which of these matters most and why?
“Walking the Walk”
• Can you demonstrate that your program is a successful ongoing permanent business function?
– Annual budget?
– Status Reporting to annual objectives?
– Sufficient human and financial resources?
– Inclusion of BCM in Performance Evaluations?
– Appropriate Reporting Relationship?
“Walking the Walk” (continued)
– Achievement of high verisimilitude in test scenarios?
– Proven ability to meet RPOs? Resolving all data synchronization issues?
– Proven ability to meet RTOs for application service continuity in high verisimilitude scenarios? Including all interfaces?
– Supplier SLAs for BCM? Penalties?
– Inclusion of BCM on task forces for strategic firm actions, such as acquisitions, strategic software implementations, HR Policies, Insurance, etc.?
BCM Program Testing
In your exercise program, do you:
Test to discover inadequacies?
or
Test to meet achievable objectives?
BCM Program Manager Objectives
• What are your real objectives:
– Ensure your firm survives any interruption.
– Keep the auditors/regulators happy.
– Keep your boss happy.
– Keep your job.
Confirmation of Objectives
• What are the objectives of your management, board, stockholders:
– Do what is necessary to proactively lower risks and protect employees, while ensuring that the firm survives any interruption with the least damage.
– Meet the requirements of an external standard, such as NFPA 1600 or BS 25999.
– Spend the least possible to keep the auditors/regulators off their backs.
– BCM is an IT-only issue and it is the responsibility of the CIO to balance this against competing IT priorities.
Discontinuity of Objectives
• Clues that there are problems:
– Objectives identified by inference
– Underdeveloped emergency communications and procedures
– No BCM Program budget or annual objectives
– Testing program inadequate but “successful”
– BCM function reports to IT
– BCM is not discussed at Sr. Management or Board Meetings
– High BCM Program Manager anxiety
Identification of Gaps
• Verify existence and completeness of BCM Program components: see standards
• Use table-top testing to illustrate gaps
• Confirm objectives of all parties
• Calculate costs for BCM Program
• Calculate benefits of the existing BCM Program (hint: there may be an ROI problem here.)
Propose a Plan to Close Gaps
• Identify priorities of stakeholders
• Identify sponsors and work with them
• Offer corrective plan at 3 levels: nothing, necessary improvements over time, much improvement in a short time
• Present to the right audience
• Document approved BCM Program objectives for the next budget period
• Propose a budget; adjust to cutbacks
• Document the detailed effect of budget cutbacks: don’t try to be a hero!
• Improve the Cost/Benefit ratio!
Implement the Approved Operating Plan and Budget
• Make all costs visible
• Make progress to approved operating plan visible
• Document EVERY incident; do whatever possible to ensure that it does NOT happen again.
• Request BCM operating plan/budget changes when priorities or conditions change; work with sponsors
• Don’t try to be a hero!
• Improve the Cost/Benefit ratio by calculating all costs and benefits
• Measure and document all progress achieved by year-end.
Keys to Success
• Confirm objectives of all stakeholders and resolve discontinuities
• Implement the will of Senior Management:
– Help them to frame their requirements
– Do the work
– Make it visible
– Document it
– Report back to stakeholders
• Insist on managing your own budget, whatever its size
• Don’t try to be a hero!
• If you treat this like any other permanent ongoing business function, others will eventually come around to the views of your sponsors.
Keys to Success (continued)
• A false sense of safety from an inadequate BCM Program is DANGEROUS. Don’t be a source of danger.
• Be reliable and visible: do what you say, say what you do
– Set objectives and meet them
– Look for ways to improve and implement them
– Be visible: Status Reports, Newsletters, Awareness Programs
– Avoid surprises wherever and whenever possible
• Educate and create awareness
And in closing
• Be reliable
• Tell the truth as you know it, but be smart in how you do it.
Don’t be a HERO!