Brian Stoner Services Business Continuity Manager Cisco Systems 3530 Hyland Avenue Costa Mesa, CA (714)


1 Brian Stoner, Services Business Continuity Manager, Cisco Systems, 3530 Hyland Avenue, Costa Mesa, CA (714) Brian spent the early part of his career in manufacturing and quality engineering in the computer peripherals industry. With over 30 years of experience in compliance management under his belt, he draws upon a diverse set of skills and experience to solve today's business continuity challenges. After spending 17 years in manufacturing engineering and quality management at MTI Technology Corporation, Brian joined the Linksys division of Cisco Systems in 2005 to manage compliance requirements and drive operational excellence. He was recruited by the Global Service Delivery Excellence (GSDE) organization of Cisco Services in 2014 and is currently responsible for managing all aspects of a business continuity management system (BCMS) that supports over 40 individual service teams covering ~20% of Cisco's global business and $49B revenue. Brian is a Certified Business Continuity Planner, Certified Business Continuity Auditor, and Associate Risk Management Professional.

2 Do you periodically look at the recovery strategies your organization is depending upon in case of a business interruption? Strategies can become unsuitable as a result of shifts in your business, organizational changes, technology advancements, etc.

3 Use this space to write down what you hope to get out of this presentation. We'll come back to this slide at the end of the presentation.

4 This is the lifecycle Cisco Services follows for over 50 separate teams in our division. We choose to identify risks in four categories: loss/unavailability of facilities; loss/unavailability of essential personnel; interruption in tools or technologies; and unavailability of key suppliers. An all-hazards approach to BC planning is in place. Recovery strategies are identified for all four categories of risk.

5 You can define a strategy with the statement "if we lose access to a facility, we can ..." In this case, viable strategies might include work from home, transfer operations to another theater, or relocate to an available facility. Clearly, there can be (and should be) more than one strategy defined for each risk category.

6 Defining recovery strategies based on risk categories will dramatically simplify your planning efforts. Try to avoid developing a recovery strategy specific to an individual risk. Each recovery strategy has its own suitability and effectiveness. Costs and benefits can vary widely. Do any of these strategies jump out as less desirable to the organization?

7 Often a business interruption involves MORE THAN ONE concurrent negative circumstance. The combined impact of these circumstances should be considered when identifying viable recovery strategies. Take a minute to scan through the scenario. How many different bad things can you see in this situation?

8 Change is continuous and inevitable. Small changes to your organization, products, suppliers, etc. can create small cracks in your recovery strategy. Combined, they can degrade the effectiveness of a strategy enough to impact customer experience. You should consider developing processes to identify and react to changes.

9 It's okay to be proud of your BCMS, but don't let your confidence prevent you from seeing weaknesses forming. A strategy that seems to make sense today may not serve your needs next week, next month, or next year. Exercises help, but will NOT identify all the small cracks forming as a result of change. The only defense is periodic review of the strategies to make sure they will have their intended result.

10 Consider adding a periodic strategy review between the BIA and plan maintenance. Strategy review does not have to occur every cycle. Consider alternating between deep-dives and cursory reviews.

11 A fairly simple process will suffice. Meet with stakeholders in the organization and review the strategies they already have documented in their BC Plans. Place emphasis on determining if the recovery strategy will allow the process to resume in time to meet its RTO. Assess the level of capability you can reach (as a percent of the standard process capability) and estimate the length of time the recovery strategy can be sustained. Strategies that cannot be sustained for at least 72 hours should probably be eliminated. Make sure your BC Plan documents list the available strategies. This is important because you may have to use more than one in complex situations. GET MANAGEMENT SIGN-OFF on such documents. You want them to have skin in the game!

12 Benefits you can expect: increased confidence, knowing every BC Plan addresses all four risk categories with at least one recovery strategy; greater awareness, achieved through management approval of the planning documents; and better understanding and acknowledgement of the risks and exposures that your organization chooses to tolerate. If you are fighting uphill battles with management resistant to being accountable for risk tolerance, you may find this process makes it easier to get funding for mitigations, since there is a record of acceptance of residual risks.

13 Recovery strategies must be suitable and appropriate. They have to do the job they're intended for and be sustainable. A strategy that cannot maintain the required volume or deliver acceptable quality cannot be considered viable. It's good to have a strategy that will keep your critical processes rolling for 3- days in the event of a network outage or a power failure. However, an active shooter situation could leave your facility (or even your WHOLE CAMPUS) closed to anyone except investigators for weeks or even months! It is important to assess the sustainability of your strategies from this angle as well.

14 Big organizational changes usually cause us to re-look at our strategies. Don't underestimate the impact from an accumulation of SMALLER changes. Acquisitions can take months or even years to fully integrate. Your brand and reputation are at stake the minute the ink hits the page. We ALWAYS reassess the recovery strategies for organizations affected by acquisition integrations. Supplier management teams are perpetually qualifying new sources, consolidating vendors, renegotiating contracts, etc. This can open big gaps. We tend to look at the big volume operations. Don't overlook the little specialized teams that sometimes are responsible for high-touch operations with BIG customers.

15 Hours of coverage are a really easy place for gaps to form. This can happen through contract negotiations, new supplier qualifications, new product introductions, etc. Watch the weekends! Collaboration is key. Make your stakeholders aware of these potential gaps and they'll develop a sensitivity to them.

16 Use this area to write down some questions for Brian. You can also send questions to him at:


19 The Federal Executive Board is a resource you should consider. There are chapters all over the country, with EXCELLENT content and presentations. Contact me if you want more information.