Challenges and Direction of Business Continuity


1 Challenges and Direction of Business Continuity
Don DeMarco, Vice President, IBM Business Resilience & Security Services

Let's go back to mid-2000.

The Future State of Our Industry: Business Process Continuity
Can you imagine if... we could:
- Establish linkage between business requirement, business process and IT delivery
- Extend single-enterprise central systems management to multi-enterprise monitoring
- Observe system performance and throughput at key intersection points between the business process and the IT fabric that supports it
- Offer e-business infrastructure component failover capacity to support continuous operation and continuous performance
- Create a proactive management capability which continuously tunes and optimizes systems behavior
- Allow for the data mining of business process performance results for the purposes of business optimization
Source: IBM Predictions in 2000

Integrated Business Continuity
- Align Continuity Programs with Business Priorities
- Address the New Threats
- Adapt to the Forces of Change in IT
- Accelerate e-business and ERP Continuity Endeavors
Source: IBM Predictions in

2 Since 2000, the issue of Business Continuity has been magnified and amplified

Integrated Business Continuity
- Comply with Regulatory Requirements
- Communicate with Clients, Partners, Employees
- Conform with Industry Ecosystem Requirements
- Collaborate Multi-Enterprise Business and IT

Three fundamental questions being posed by Senior Management:
- Are we compliant?
- Can we be trusted?
- Are we reliable?

3 Senior Management Question 1: Are We Compliant?

Are we compliant?
- Complying with industry regulations
- Satisfying client expectations for 24x7 availability
- Assuring the security and privacy of critical assets
Can we be trusted?
Are we reliable?

[Chart: Impact of regulatory regimes on firm's business continuity plans. Each regime is rated on a scale from Insignificant through Slight, Moderate and High to Significant: FSA (UK based), White Paper (SEC, FED, OCC), FSA (US based), NASD, FFIEC, Basel-II, NYSE, Sarbanes-Oxley, DHA. Sources: TABB Group, Crisis in Continuity: Financial Market Firms Tackle the 100 km Question, June 2005]

Service providers must understand the industry regulations and the potential risks to our clients and the industry.

According to the FFIEC, in recent years many of the country's larger depository organizations have outsourced their operations, which has further increased the industry's dependence on outside service bureaus. Most vendors service institutions through regional data centers. The institutions depend on the quality and continuity of these services to conduct their business. Disruptions in services at a single vendor, as a result of either financial or operational conditions, could cause substantial systemic risk in the industry.

It should further be noted that both the Council of European Banking Supervisors (CEBS) and the Risk Management Group of the Basel Committee for Banking Supervision have issued guidelines for the financial services industry to manage and mitigate the concentration / systemic risk posed by large service providers.

4 Senior Management Question 2: Can We Be Trusted?

Are we compliant?
Can we be trusted?
- Addressing the potential impact of an Internet or power grid outage
- Developing strategies for protecting critical data
- Managing massive amounts of data
Are we reliable?

[Chart: North America Disk Storage Systems $/GB and Capacity Trends, plotting PB (petabyte) shipments against $/GB over time. Year-to-year growth rate is projected to be between 50% and 60%. Source: IDC, WorldWide Disk Storage Systems Forecast and Analysis, IDC#33477, June]

Senior Management Question 3: Are We Reliable?

Are we compliant?
Can we be trusted?
Are we reliable?
- Recognizing interdependencies between in-house applications AND other companies
- Planning for the potential loss or unavailability of personnel
- Anticipating a primary facility loss
- Integrating management of continuity, recovery, high availability and security disciplines

5 To Whom Does the BCM Program Report?

[Chart: percentage of organizations by BCM program reporting line: CEO, CIO, COO, CFO, Board of Directors, Line/Division Managers, CRO (Chief Risk Officer), Site/Facility Managers, Financial Audit Management, CISO / Info security management, Other (4.4%); N = 136]
Emergency management reporting: 24 percent and 22 percent report to COO and BCM program manager, respectively.
Source: Gartner Presentation, "Gartner and DRJ 2005 BCM/DR Survey Results" by Roberta J. Witty, December 2005

Disaster Recovery Budget as a Percentage of Data Center Budget: 2003 to 2006 (projected)
44 percent of 117 survey participants have a separate BCM budget.
[Chart: share of respondents whose disaster recovery budget falls in each band (Less than 1%, 1-3%, 4-7%, 8-10%, More than 10%) for each year from 2003 to 2006 (projected); n = 102]
72 percent growth in high-availability budgets 2003 to 2006: 3 percent to 4 percent and above (N = 94).
Source: Gartner Presentation, "Gartner and DRJ 2005 BCM/DR Survey Results" by Roberta J. Witty, December 2005

The Business Challenge
- More business online
- More applications & data
- Increasing cost of information unavailability
- Ability to deliver through traditional recovery planning

The Widening Gap
- More complex systems
- Less window to recover
- Requires continuous information availability BY DESIGN

6 The Business Continuity Methodology

Business processes drive strategies and they are integral to the Continuity of Business Operations. A company cannot be resilient without having strategies for alternate workspace, staff members, call centers and communications channels.

[Diagram: methodology stages: Policy Formulation; Regular Validation, Change Management, Executive Reporting; Program Management; Risk Assessment; Business Impact Analysis; Program Assessment; Program Design; Strategy Design; Implement; Program Validation. Plan components: Crisis team, Business Resumption, Disaster Recovery, Information Security. Scope: People, Procedures, Infrastructure, Facilities]

IBM's Enterprise Business Continuity Framework defines seven Critical Success Areas and a management system within a formal corporate governance model:
- Enterprise Risk Mgmt: Identify, mitigate, and control threats to the business in order to protect the enterprise in a consistent manner
- Value Assurance: Quantify, track, and communicate the EBC program value inside and outside the enterprise
- Program Execution: Assure that the EBC program is executing as designed, is consistently implemented throughout the enterprise, and is frequently exercised
- Governance: Provide clarity, definition, and guidance for the EBC program at the Enterprise level to ensure that the initiatives are carried out
- Company Culture: Position the corporate mission and values within the continuity and recovery program to ensure that the EBC program can adapt to business change
- Technology Solutions: Identify and implement technology solutions to support business integration and availability to protect against interruptions and/or outages
- Business Integration: Integrate all lines of business into the EBC program to provide end-to-end availability and protection of business processes across the organization

View of business continuity maturity levels (Tolerance for Risk: Low, Medium, High)
Each one of these maturity levels has different characteristics, techniques that are used and approaches.
Characteristics, in order of increasing maturity: No strategies or plans. Little if any awareness. Focused on technology. Aware and acknowledge the need. DR plans documented. Strategies developed for some systems. Cross-enterprise recovery requirements understood. Business Continuity Program in place. Business alignment. Executive focus. Crisis Mgt. process. Regular testing. Multi-point RTO / RPO. Regulatory and Supply Chain compliance. Value derived with customers. Business requirement validated. Monitored executive dashboard.
Maturity levels: Unfocused, Aware, Capable, Mature, World Class

7 A business continuity strategy should address and integrate requirements across key business layers.

[Diagram: business layers: Crisis Management, Governance, Strategy & Vision, Processes, Applications & Data, Technology, Facilities. Example capabilities at those layers: Geographic Diversity, Notification Process, Business Continuity Organization, Identify Processes, Split Call Centers, Mirror Critical Data, Audits of Backups, Redundant Infra., 2nd Site Environment, Diverse Network, Biometric Security]

Close the gap with business continuity capabilities
Each business process requires a specific level of business continuity at each affected layer.
Levels: Level 1 Unfocused, Level 2 Aware, Level 3 Capable, Level 4 Mature, Level 5 World Class
Layers: Strategy and Vision, Organization, Processes, Applications and Data, Technology, Facilities
[Chart: for each layer, the Current Level is plotted against the Target Level; the difference is The GAP]

Benefits of a mature, multi-enterprise business continuity program
Maximized business availability produces:
- Enhanced Customer Loyalty
- Lessened economic consequences of potential business disruptions
- An organization favorably positioned against less resilient competitors
- More effective risk management by reducing business disruptions, providing greater predictability in performance
- Improved resilience and agility of critical business functions and underlying technology

8 Can we really predict the future?
- I think there is a world market for maybe five computers. Thomas Watson, chairman of IBM, 1943
- Computers in the future may weigh no more than 1.5 tons. Popular Mechanics, 1949
- There is no reason anyone would want a computer in their home. Ken Olsen, founder of DEC
- K ought to be enough for anybody. Bill Gates, 1981
- Prediction is difficult, especially about the future. Yogi Berra

Appendix
Additional slides representing each of the five business continuity maturity levels.

9 Leading Health Care Provider: Level 1 Unfocused
Critical Success Processes have not been addressed by the organization. Company has little or no focus on Resilience.
Challenge
- Provide for availability of critical business processes to achieve service levels regardless of location or architecture of the supporting infrastructure
- Increase level of awareness for critical success processes
- Sustain performance of critical business processes in the event of the loss of either processing site
Solution
- An extensive Business Impact Analysis to identify existing and future state business process and recovery strategies
- Strategy and implementation: server consolidation, ported applications
- Disaster recovery program that is integrated throughout the enterprise
Benefits
- Increase IT automation, decrease RTO/TCO
- Enhanced overall availability of systems and data, and transparency of IT interruptions to clients, business partners and end users
- Awareness of critical business processes / enhance proactive support

Public Sector: Level 2 Aware
Organization has an awareness of the critical success process with little or no action taken to address it. Resilience only addressed within IT environment. Some levels of automation.
Challenge
- Improve customer service through easier access to information
- Existing court system records management extremely labor-intensive
- Maintain high levels of information security
Solution
- Automation of records-management system with focus on Security and Availability
- Recovery program to seamlessly address automated, cost-effective failover
- Web-based inquiry and online payment system for common fines
Benefits
- Increase access to court system even during off-hours
- Decrease labor costs by 50%
- Exponential boost in revenue offset all information system costs
- Information availability leads to increased innovation

Retail SMB: Level 3 Capable
Organization has a clear understanding of the requirements to be successful within the critical process and has taken steps to begin addressing requirements. Integration between IT and business units has been initiated. Automation instigated with manual intervention.
Challenge
- Eroding customer loyalty, aging technology
- Regain market share by improving customer shopping experience
- Integrate retail environment with information systems to respond to customer needs
Solution
- Creation of a scalable, flexible, open retail infrastructure
- 600 store POS system within one year
- Integration of people, processes and data to enhance customer service
Benefits
- On Demand architecture benefits: flexibility, ROI, open standards, stability, efficiency
- Seamless integration of business information and data
- Rapid deployment of newer technology tied to business needs (e.g. RFID)
- Improved daily operations and customer service

10 Telecommunications: Level 4 Mature
Critical Success Process requirements are understood, communicated and measured throughout the organization. Integration between IT and business units validated. Lines of Business lead business program. Automation reduces manual intervention.
Challenge
- Business processes to respond seamlessly to any customer demand, market opportunity or external threat
- Provide customer-service focus to outpace competition
- Flexibility without high cost
Solution
- Integration of IT architecture with business strategy
- Enterprise risk management: holistic view of risk and opportunity
- Outsourcing of IT environment; concentration on key lines of business
- Best use of resources and skills
Benefits
- Proactively scale IT infrastructure to customer service delivery
- Deployment of new functionality to enhance competitive advantage
- IT costs are predictable and directly linked to revenue intake
- More timely business decisions and targeted marketing campaigns

Financial Services: Level 5 World Class
Organization has automated tools to support the success of process. True end-to-end requirements have been defined and solutions implemented. Executive management leads.
Challenge
Faced with the need to comply with Federal Reserve Board guidelines regarding its Recovery Time Objectives and Recovery Point Objectives, this large financial institution sought help in supporting compliance requirements. As a business continuity partner for years, IBM worked directly with both the client and the Federal Reserve Board in coming up with a solution that met the board's guidelines.
Solution
The solution utilized a hybrid approach to recovery, leveraging limited syndication and dedicated assets with data replication for recovering critical Tier 1 applications in less than 4 hours, combined with commodity Hot Site assets for areas that could be recovered in more traditional time frames.
Benefits
Leveraging a combined dedicated infrastructure with a traditional hot-site solution provided the financial institution with an out-of-region recovery capability that satisfies their business recovery objectives while adhering to the regulatory guidance put forth by the federal agencies in driving greater resiliency across their resilient core banking applications.

ibm.com/services/continuity