Embed Size (px)
Citation preview
BCP & SDLC INTEGRATION
Enhancing Business ResiliencySuccessful Strategies
for Complex Decisions
Cheryl Bieson, CBCP, MBCIMarch 28, 2011
The Forzani Group Ltd. (FGL) is Canada's largest and only national retailer of sporting goods apparel and foot ear
Corporate Background
goods, apparel and footwear.Toronto Stock Exchange (FGL)2010 revenue 1.36B14,000 employees334 corporate stores213 franchise stores
03/28/11 2
213 franchise stores
Corporate Background
Corporate Banners
Franchise Banners
03/28/11 3
Charities and Corporate Giving
Corporate Background
03/28/11 4
Corporate BackgroundPrimary Business Units
Finance and AdministrationInvestor RelationsInvestor RelationsHuman ResourcesInformation TechnologyCorporate Store OperationsFranchise Store OperationsSupply Chain and MerchandisingCorporate MarketingFranchise Purchasing and Marketing
03/28/11 5
Franchise Purchasing and MarketingPurchasing (Hardgoods, Softgoods, Footwear)Loss PreventionInternal AuditReal EstateLegal
Corporate BackgroundIT Infrastructure
120140160
nt
AIX/Linux Server Counts
250
300
350
nt
Microsoft Server Count
250000
Raw Storage45000
Structured Data (GB)
020406080
100
1-Jan-06
1-May-06
1-Sep-06
1-Jan-07
1-May-07
1-Sep-07
1-Jan-08
1-May-08
1-Sep-08
1-Jan-09
1-May-09
1-Sep-09
1-Jan-10
1-May-10
1-Sep-10
Server Coun
AIX/Linux
0
50
100
150
200
250
1-Jan-06
1-May-06
1-Sep-06
1-Jan-07
1-May-07
1-Sep-07
1-Jan-08
1-May-08
1-Sep-08
1-Jan-09
1-May-09
1-Sep-09
1-Jan-10
1-May-10
1-Sep-10
Server Coun
Total Servers
03/28/11 6
0
50000
100000
150000
200000
1-Jan-06
1-Jul-06
1-Jan-07
1-Jul-07
1-Jan-08
1-Jul-08
1-Jan-09
1-Jul-09
1-Jan-10
1-Jul-10
Gigabytes
Gigabytes Storage
05000
10000150002000025000300003500040000
1-Jan-06
1-Jun-06
1-Nov-06
1-Apr-07
1-Sep-07
1-Feb-08
1-Jul-08
1-Dec-08
1-May-09
1-Oct-09
1-Mar-10
1-Aug-10
Gigabytes
Structured Data(GB)
Corporate BackgroundIT Systems Consideration
03/28/11 7
Information SystemsERP Software ImplementationJDA Retail - Case Study Benefits
Sales goals attainmentIncreased annual sales 5 to 30%Increased annual sales 5 to 30%Improved selling pattern analysis by location and channelImproved conversion rates, revenue and loyaltyRevitalized marketing and promotional pricing Experienced margin gains that exceeded initial expectations
Scalability to satisfy growth objectives
03/28/11 8
Scalability to satisfy growth objectivesIntroduced new retail concepts, grew store count and expanded online footprint – all without significant staffing increases or scalability concernsConverted existing stores and website to JDA infrastructure in an aggressive timeframe
Information SystemsERP Software ImplementationCase Study Benefits (cont`d)
Optimized inventory investmentDecreased inventory levels 10-30 percentReduced operating expenses due to lower inventory control and carrying costs, higher inventory turns and decreased help desk supportConsolidated inventory from multiple channels to cut buyers’ workload in half
Cost savings with improved processesTransformed receiving from a two to three day
03/28/11 9
Transformed receiving from a two to three day process into a one-hour processMinimized mistakes and delays by transitioning from heavily manual processes to automated, streamlined processes
Information SystemsERP Software ImplementationCase Study Benefits (cont`d)
Ready access to enterprise intelligenceEnabled efficient response to consumer demand with up-to-the-minute information for more intelligent decisions and controlTransformed business data into meaningful information and actionable insightsReduced time digging for data and increased time for numeric analysis to optimize
03/28/11 10
y pmerchandise availability
Conceptual model used in project management that describes the stages involved in an information s stem de elopment project
Project ManagementSystems Development Lifecycle
information system development project. Predominant Systems Development Lifecycle (SDLC) models include the following:
WaterfallRapid application development (RAD)Joint application development (JAD)
03/28/11 11
Joint application development (JAD)FountainSpiralAgile, etc.
Project ManagementWaterfall Model
Easy to understand, easy to useProvides structure to inexperienced staffMilestones are well understoodSets requirements stabilityStronger management controls M h i
03/28/11 12
More emphasis on quality than cost or schedule
Project ManagementAgile Model
Iterative approach allows system to grow incrementally.Partial solutions delivered that satisfy immediate business need.Rework built into iterative approach which expedites development. Reduces the need for controls and gateways that slow down the development process.
03/28/11 13
Project ManagementPMO Flexible Framework
03/28/11 14
BCP ProgramFoundational Elements
People
Crisis Management
IT Disaster Recovery
ProcessTechnology
BUSINESSCONTINUITYPLANNING
PlansPlans
03/28/11 15
Facility Business Continuity
PlansEmergency Response
Plans
BCP ProgramFoundational Elements
03/28/11 16
Software DevelopmentSDLC Hybrid
03/28/11 17
Software DevelopmentBCP in ‘Plan Phase’
Consider a few overarching questions with respect to your organizations project management approach at the onset of the project.
Will the new system meet the definition of a business-critical system?Are critical systems typically delivered to that meet business continuity and IT disaster recovery requirements?If not, can you identify specific gaps in the design or build stages that will create roadblocks to eventual solutions?
03/28/11 18
solutions? What is your organizations ability to overcome the roadblocks and ensure that an appropriate capability is implemented during deployment?Does the business understand and accept the level of risk? If not, how will you proceed?
Software Development BCP in ‘Design Phase’
As part of the business requirements analysis answer the following questions:
What is the business unit’s tolerance to an extended system outage?What is the anticipated transaction volume during peak processing periods? How difficult will it be to reproduce lost transactions or data? What is the tolerance for data loss?Are manual procedures viable for offsetting extended
03/28/11 19
p goutages? If so, what percentage of work would be possible and for how long would they be effective? Based on the answers above what is the anticipated recovery time objective (RTO) in the event of a total systems loss due to a major incident or disaster event?
Software Development BCP in ‘Develop Phase’
The recovery solutions should build upon, or leverage existing BCP/DRP capabilities whenever possible so consider the following questions:
Is it possible to leverage current DRP capabilities, and if so, what steps are needed. If not, what is the most appropriate yet cost-effective recovery strategy that meets the business need?What is the requirement for off-site storage rotation and retention of database/system backups based on the RTO/RPO? Will proposed functionality and existing backup frequency meet this requirement?
03/28/11 20
g p q y qAre application verification and data integrity procedures available for clients to validate their systems after a major recovery has taken place?Are we prepared to monitor the efficacy of the plan and any program changes that may require modifications over time?
Software Development BCP in ‘Deploy (Deliver)’ Phase
Have BCP/DRP capabilities been further developed to address any deviations from original specifications that may have occurred during design and development? Have the system and data backup, retention, offsite storage specifications and restoration capabilities been established? Have we identified any additional responsibilities for personnel at time of disaster or in support of establishing and sustaining BCP/IT DRP capabilities?Has documentation pertaining to application specific recovery processes been provided with the operational system procedures?
03/28/11 21
system procedures?Has the potential for application and data synchronization issues between dependent systems during a multiple system recovery effort been considered?When will we conduct a DRP test and/or has the new capability been integrated into existing DRP/BCP exercise schedules?
Software DevelopmentBCP Integration Points
03/28/11 22
BCP Integration PointsTrusted System Requirements
03/28/11 23
PERFORMANCE
BCP Integration PointsTrusted System RequirementsWill a loss of confidentiality, integrity, accountability or availability impact any of the following? If so, how severeand within what timeframe?1. Financial - impact to the financial well being of the
organization including lost or delayed sales revenue, cash flow impacts, reduced profitability, lost investment income, decreased profitability, depletion of asset holdings.
2. Management - impacts from being unable to effectively manage the organization. This would include the inability to make or implement decisions,
03/28/11 24
y pprovide leadership, and/or conduct the business of the company.
3. Production - impacts to day-to-day sales operations; includes inability to complete sales transactions, inability to track and/or replenish inventory. Includes the loss and/or a significant impact to website retail services with inability to communicate with online customers.
BCP Integration PointsTrusted System Requirements4. Productivity – the loss of time and efficiencies within
functional areas including the potential for idle staff and contractors, training delays for new or reallocated staff, d l i t ti l i d i ddelays in transactional processing and increased manual processes.
5. Market Value - impacts to corporate value as a result of negative media coverage and public perception problems; measured by loss of market share, market valuation, market capitalization, or stock value.
6. Public Confidence - impacts to brand equity and image after a business interruption resulting from
03/28/11 25
image after a business interruption resulting from negative media coverage, negative public perception, and reduced shareholder confidence.
7. Partner and Suppliers - compromised vendor relations, vendor retaliation, reduced sales channel volume, reduced partner profitability, inventory shortages and/or surpluses
BCP Integration PointsTrusted System Requirements8. Customer Loyalty - this would include the loss of
existing customers and the loss of prospective customers. It would also include customer di ti f ti th t t ti b ddissatisfaction that generates negative brand messaging.
9. Employee Wellness and Morale - The anticipated impact to the health, safety, and well being of employees both physically and economically.
10. Regulatory and Legal Impacts - Unable to comply with regulatory requirements and legal/contractual obligations High likelihood of fines penalties or
03/28/11 26
obligations. High likelihood of fines, penalties, or consequences associated with missed filing deadlines.
BCP Integration PointsBusiness Impact Attributes
CORPORATE IMPACT AREAS TYPE OF IMPACT LEVEL OF IMPACT(< 72 Hours)
LEVEL OF IMPACT(> 10 Days)
1. FINANCIAL IMPACT: The anticipated impact to the financial well being of the organization including lost or delayed sales revenue, cash flow impacts, reduced profitability, lost investment income, decreased profitability, depletion of asset holdings.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ SIGNIFICANT
_____ SOME
_____ NONEp y, p g
_____ NOT APPLICABLE _____ UNKNOWN _____ UNKNOWN
2. MANAGEMENT IMPACT: The anticipated impacts from being unable to effectively manage the organization. This would include the inability to make or implement decisions, provide leadership, and/or conduct the business of the company.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
3. PRODUCTION IMPACT: The anticipated impacts to day-to-day sales operations; includes inability to complete sales transactions, inability to track and/or replenish inventory. Includes the loss and/or a significant impact to website retail services with inability to communicate with online customers.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
03/28/11 27
4. PRODUCTIVITY IMPACT: The anticipated loss of time and efficiencies within functional areas including the potential for idle staff and contractors, training delays for new or reallocated staff, delays in transactional processing and increased manual processes.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
5. MARKET VALUE: The anticipated impacts to corporate value as a result of negative media coverage and public perception problems; measured by loss of market share, market valuation, market capitalization, or stock value.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
BCP Integration PointsBusiness Impact Attributes
CORPORATE IMPACT AREAS(continued)
TYPE OF IMPACT LEVEL OF IMPACT(< 72 Hours)
LEVEL OF IMPACT(> 10 Days)
6. PUBLIC CONFIDENCE: The anticipated impacts to brand equity and image after a business interruption resulting from negative media coverage, negative public perception, and reduced shareholder confidence.
_____ DIRECT
_____ INDIRECT
UNKNOWN
_____ SIGNIFICANT
_____ SOME
NONE
_____ SIGNIFICANT
_____ SOME
NONE_____ UNKNOWN
_____ NOT APPLICABLE
_____ NONE
_____ UNKNOWN
_____ NONE
_____ UNKNOWN
7. PARTNERS AND SUPPLIERS: The compromised vendor relations, vendor retaliation, reduced sales channel volume, reduced partner profitability, inventory shortages and/or surpluses.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
8. CUSTOMER LOYALTY: This would include the loss of existing customers and the loss of prospective customers. It would also include customer dissatisfaction that generates negative brand messaging.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
03/28/11 28
9. EMPLOYEE WELLNESS AND MORALE: The anticipated impact to the health, safety, and well being of employees both physically and economically.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
10. REGULATORY AND LEGAL IMPACTS: Unable to comply with regulatory requirements and legal/contractual obligations. High likelihood of fines, penalties, or consequences associated with missed filing deadlines.
_____ DIRECT
_____ INDIRECT
_____ UNKNOWN
_____ NOT APPLICABLE
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
_____ SIGNIFICANT
_____ SOME
_____ NONE
_____ UNKNOWN
BCP & SDLC IntegrationConclusions and Wrap-Up
Ask your software engineers, solution architects and business analysts the following questions:
Should utility company engineers plan transport mechanisms to survive sub zero degree temperatures and ice storms in Alaskasurvive sub-zero degree temperatures and ice storms in Alaska, the Yukon and Siberia? Should municipal engineers plan bridges, levy systems and flood walls to withstand hurricane force winds and tsunami/storm surges in coastal cities i.e., New Orleans, Hong Kong?Should architects, builders and building owners plan a safe windowless substructure/basement when building offices in tornado prone areas i.e. Oklahoma City or Topeka, Kansas?If yes, shouldn’t business processes and the IT systems that enable them be designed to withstand outages that extend beyond
03/28/11 29
enable them be designed to withstand outages that extend beyond an acceptable maximum business tolerance?
Improve your organizations’ business resiliency by meeting trusted system requirements during the plan, design, develop and deploy phases of the SDLC.
QUESTIONS - COMMENTS ???For any questions or follow-up after the session contact:
cbieson@ forzani.com OR [email protected]
