5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls

Page 1: 5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls

© Copyright 2016 EMC Corporation. All rights reserved.

Page 2: Business Resiliency Pitfalls

Business Resiliency Pitfalls
Maha Abu Rumman

Page 3: Business Resiliency Drivers

Growing number of disasters
Multiplying regulatory requirements
Highly complex supply chains
24/7 delivery requirements
Cyber breaches

Page 4: Ticking the Compliance Box

Page 5: Standards and Regulations

Regulation: Sarbanes-Oxley
Summary: Auditors are increasing scrutiny of all areas of internal control, including security and business continuity controls.

Regulation: ISO 22301:2014 – Societal Security – Business Continuity Management Systems – Requirements
Summary: Requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

Regulation: ITIL v.3 (international) – IT Infrastructure Library
Summary: Global standard in the area of service management. ITIL® (IT Infrastructure Library®) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally.

Regulation: Business Continuity Standard and Guide AE/HSE/NCEMA 7000:2012
Summary: Developed to help entities systematically build their business continuity capability during and after an emergency, disaster or crisis. Initiatives are aimed at ensuring ongoing performance of essential functions and services in both the public and private sectors, for the purpose of enhancing the UAE's national stability.

Source: BCI, BCM Legislation and Regulations, January 2016.

Page 6: Paralysis by Analysis

Page 7: What is a BIA?

Expansive approach to BIA
Undefined and unlimited scope
Excessive analysis of results

"A business impact analysis (BIA) is a process that identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and so forth) of natural and man-made events on business operations." (Gartner IT Glossary)

Page 8: The Goals of a BIA

Criticality assessment
Prioritization

Page 9: Siloed Functions

Page 10: Challenges

The organization does not fully understand the criticality of business processes, risks or impacts of crises on the organization.

The organization does not focus on building resiliency into processes, operations, IT, etc.

Executives do not have an understanding of the residual risk of being or not being prepared.

"Are we prepared for the next big disaster?" - CxO

Business continuity, IT disaster recovery and crisis management are driven by separate, unconnected groups.

Visibility: Understand recovery priorities and make better planning decisions.
Collaboration: Get IT, Crisis Management and the business on the same page.
Accountability: Establish governance and ownership across the BCM spectrum.
Automation: Leverage technologies to their full potential with workflow and controls.
Efficiency: Plan smarter by integrating BCM, IT DR and Crisis Management.

Page 11: Gaps and Overlaps

Many functions in the organization are repetitive and inefficient. Information is not being shared across functions, resulting in duplicate efforts and fractured visibility.

(Diagram: the CIO, COO, BCM, ERM, CCO and CRO functions each carry out overlapping activities: risk ownership, risk identification, risk assessment, evaluate controls, control testing, compliance checklist, IT controls, metrics and reporting, reporting, issue generation, issue and remediation ownership, and inventories of business assets, IT assets and security risk.)

Page 12: Expand Continuity to Resiliency

Page 13: What Is Business Resiliency?

"A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause." (ISO 22301)

Business Operations: common business context
Incident Management: Capture and resolve incidents
Business Continuity: Prepare for and exercise business recovery strategies
IT Disaster Recovery: Prepare for and recover from IT system outages
Crisis Management: Manage crisis events and communications
3rd Party Governance: Evaluate 3rd party readiness

Page 14: The End

Questions
Comments

Page 15

EMC, RSA, the EMC logo and the RSA logo are registered trademarks of EMC Corporation in the U.S. and other countries.