Resilience: Internal Audit s role in Strengthening Business Continuity Capabilities

Transcription

1 Resilience: Internal Audit s role in Strengthening Business Continuity Capabilities Mark P. Ruppert, Cedars-Sinai Health System Bruce B. Daly, Deloitte & Touche, LLP AHIA 33 rd Annual Conference - September, 2014

2 Agenda What is resilience? 3 What does a resilience program look like? 9 Internal Audit considerations 16 Common findings and trends 26 Questions 29 1 Copyright 2014 Deloitte Development LLC. All rights reserved.

3 What is resilience?

4 What is resilience? The capacity to recover quickly from difficulties; toughness (Oxford English Dictionary) Capable of withstanding shock without permanent deformation or rupture (Merriam-Webster) Resilience is the safety net designed to support an organization s ability to bounce back from adversity (any event - natural disaster, cyber attack, terrorist attack, financial crisis, product recall, reputational event and more). Enterprise Resilience describes the strategies and processes to plan for and respond to significant disruptions while minimizing downtime and restoring operations and supporting applications within acceptable timeframes. An organization needs to work to place recovery capabilities are in place, i.e., you are not just secure and vigilant, but also resilient. Building Resilience is Your Final Play to protect the enterprise! 3 Copyright 2014 Deloitte Development LLC. All rights reserved.

5 Resilient to what? An incident / disruption timeline 4 Copyright 2014 Deloitte Development LLC. All rights reserved.

6 Enterprise resilience: from reactive, recovery-based practice to a proactive, risk-based capability The Past Disaster Recovery (DR) Business Continuity (BC) Planning Business Continuity Management (BCM) Enterprise Resilience The Future Reactive Technology centric Focused on recovery Asset-based One-time project Responsibility of IT* DR hit corporate agenda Enthusiasm for DR started to wane since more proactive approaches were needed Lessons from terrorist attacks DR was not enough Beginning of BC Global events drove awareness for not only physical threats BC become part of risk management program Pressure to deliver 24x7x365 led to techniques to identify threads and to mobilize resources Disruption handing has become a corporate capability Late 1980s Mid 1990s Early 2000s Late 2000s 2010s Pro-active Business-centric Focused on mitigation Process-based Continuous monitoring Responsibility of board * IT Information Technology Early 1990s Late 1990s Mid 2000s 5 Copyright 2014 Deloitte Development LLC. All rights reserved.

7 Why is it important? Reputation Impact and Regulatory Scrutiny Resume critical functions Work with outside vendors during the recovery period Improve life safety Enterprise Resilience Reduce confusion during a crisis Provide a specific and appropriate response to an emergency Get up and running quickly after a disaster Increase the opportunity for long term recovery 6 Copyright 2014 Deloitte Development LLC. All rights reserved.

8 Resilience requires these components to be in sync Human Resource Public / Investor Relations Systems Business Impact Focus Business Continuity Disaster Recovery Program Governance & Operating Model Emergency Response Crisis Management Incident Impact Focus Finance Brand Facilities Legal / Regulatory Life & Safety/ Community Partnerships 7 Copyright 2014 Deloitte Development LLC. All rights reserved.

9 What does a resilience program look like?

10 Know what you re protecting an asset approach BETH3 TAP (Total Asset Protection) is a practical model for classifying, estimating the value of and protecting organizational assets with physical and logical security mechanisms as well as business and disaster recovery strategies. Each asset can be evaluated individually and in a combined manner, making practical protection and recovery possible. By utilizing an asset-based approach such as BETH3 throughout the assessment process, you are able to better evaluate your current capabilities breadth of coverage, level of detail in your risk and business impact analyses, granularity of strategies and plan. 9 Copyright 2014 Deloitte Development LLC. All rights reserved.

11 Example an asset approach Business Process Process Number Division Building (Location) Equipment Technology (Applications) Human Resources 3rd Parties MTPD (hours) Process Payroll HR-180 ABC & Talent New York, NY Time Capture, Time Cards Kronos, SAP, XZY 100 ADP, Time Equip 2 Develop IT Strategy IT-010 GIT Phoenix, AZ None None 200 None 48 Develop IT Products & Services IT-040 GIT Phoenix, AZ Custom Laptops Dev Pro, QA Check, Code Mgmt None 16 Deploy IT Products & Services IT-050 GIT Phoenix, AZ Custom Laptops v2 Change Man, Code Control 350 IBM 24 Monitor/Manage Physical Assets PE-040 FAC Denver, CO Environ Control System, Security Equip Environ 101, Security Sys Pro 110 Tyco 8 Execute Plant Maintenance PE-090 FAC Denver, CO Maint. Equip PM of SAP 75 PP&E Special 40 Manage Collections O-150 FIN Nashville, TN None SAP FI,CO 50 Collect Pro 8 10 Copyright 2014 Deloitte Development LLC. All rights reserved.

12 Have a clear approach - Deloitte s resilience methodology Program Governance/Project Management Analyze (Define and Protect) Develop (Prepare) Implement (Readiness) Capabilities Assessment & Process Definitions (Industry Print TM ) Resiliency/Availability/Recovery Strategies Activities/Procedures (Plan) Development Resource Acquisition and Implementation Crisis Management Emergency Response Total Asset Protection (Risk Map TM / Catastrophic Risk) Operational Continuity (BETH3 TM ) Training and Awareness Building (Facilities) Recovery Equipment Recovery Technology (Disaster) Recovery Human Resource (Workforce) Continuity Third-Party (Supply Chain) Resilience Impact Analysis Validation Exercising and Testing Continuous Improving and Quality Assurance Our methodology is founded upon ISO22301, the leading global standard for business continuity and is aligned with related industry guidance/other standards including: those supporting PS-Prep (ASIS SPC , BS25999, NFPA 1600), ITIL, NIST, ISO27001 as well as U.S. Federal government requirements of FCD1 and Copyright 2014 Deloitte Development LLC. All rights reserved.

13 Start with an honest capabilities assessment A clear framework such as Deloitte s CARR framework - is a smart place to start. It can also serve as a measurement tool to capture progress, position within your industry, etc. An assessment or internal audit can cover any or all of the following components: The maturity level of ABC Company s BCM program was measured in following 11 categories Program Governance Strategies Resource Acquisition Process Mapping Plan Development and Validation Training and Awareness Total Asset Protection Disaster Recovery Exercising and Testing Impact Analysis Crisis Management and Emergency Response Continuous Improvement / Quality Assurance (QA) Maturity Levels Non-existent Initial / Ad-Hoc Repeatable / Intuitive Managed / Measureable Optimized 12 Copyright 2014 Deloitte Development LLC. All rights reserved.

14 Capabilities assessment sample results - executive summary BC Activity / Category Non-Existent Initial / Ad-Hoc Repeatable / Intuitive Managed / Measureable Optimized Program Governance / Process Mapping C G I Total Asset Protection C G I Impact Analysis C G I Strategies C G Plan Development and Validation C G I Disaster Recovery C G I Crisis Management and Emergency Response C G I Resource Acquisition** C G I Training and Awareness** C I Exercising and Testing C G I Continuous Improvement / QA C G I C Current Capability G Goal State I Industry Average 13 Copyright 2014 Deloitte Development LLC. All rights reserved.

15 Select program results program governance/process mapping C Current Capability G Goal State I Industry Average Rating: C G 2 3 I 4 Non-Existent Initial/Ad-Hoc Repeatable/Intuitive Managed/Measurable Optimized Current State Observations Risk / Impact A BCM policy with defined objectives and mission statement does not exist, but one has been created as part of this effort ABC Company has identified various teams to support BCM efforts across the organization Though there are various documents that highlight the establishment of BCM teams and their roles and responsibilities, the roles and responsibilities are high level and not actionable to uninitiated or untrained members of the BCM team There is no evidence substantiating a process for ABC Company to set and review the goals or objectives of the BCM program in a periodic and consistent manner There is no formal policy to guide the centralized storage, distribution, maintenance and review of continuity plans A generic set of goals and objectives is defined to guide business continuity activities While goals and objectives exist, these are limited in scope and do not explicitly account for all aspects of a robust BCM program ABC Company has determined the extent of business interruption insurance coverage that is required to sustain its critical processes, and the insurance covers expenses incurred to continue operations at hot site or alternate sites as well as equipment replacement values The lack of BCM policy results in limited and uncoordinated implementation of an effective BCM program and program activities become ad-hoc over time which affects the quality and substance of BCM capabilities Inconsistent execution of BCM related activities hampers ABC Company s overall preparedness to deal with business disruptions Formalized roles and responsibilities at the different BCM levels planning, preparation, response, and recovery are critical in facilitating a coordinated and timely response during a disaster. Clarified roles and responsibilities will be more critical as the organization changes and expands Senior management oversight, guidance and strategic considerations for continuity management activities across the company are constrained by the lack of a clearly defined set of roles and responsibilities The lack of a formal policy to guide the central storage, distribution and access control of continuity planning and recovery documents results in potentially outdated plans as well as difficulty in obtaining the most recent versions for reference in times of crisis. It also limits the importance of these documents and potentially leads to unauthorized access of sensitive information Inadequate definition of business continuity metrics limits management awareness and understanding of enterprise continuity risks and challenges and therefore constrains timely decision-making toward the protection of enterprise assets and resources A limited set of objectives constrain the entrenchment of a mature business continuity program and will ultimately limit ABC Company s ability to respond to and recover from unexpected disruptions or disasters 14 Copyright 2014 Deloitte Development LLC. All rights reserved.

16 Internal Audit considerations

17 Internal Audit s special role Four key reasons for Internal Audit to push the Resilience challenge: 1. Internal Audit clearly has the clear responsibility to assess and call-out risks and associated exposure, which may be identified through to a direct risk assessment of the organizational emergency response and business continuity (resilience) effort and/or through specific internal audit observations requiring management action; 2. Internal Audit is positioned to have the board and senior management understand and respond/react these risks and exposure; 3. Internal Audit has the opportunity to help articulate how a Resilience program can be implemented. 4. Once implemented or as implemented, Internal Audit can assess progress and desired outcomes through ongoing audit efforts and/or assisting management in developing such monitoring efforts. 16 Copyright 2014 Deloitte Development LLC. All rights reserved.

18 Some key questions Are your continuity plans out of date? How do you measure your return on the BCM investments? Are emergency response procedures in place? Does your staff know how to respond to a disaster? Are you aligning your costs with your business growth? Have you considered all your resource requirements? Do you have proper crisis communication capabilities? How effective is your program? Do you adopt a piecemeal approach to testing? Is your staff testing only under ideal conditions? Are your vital data and applications protected from the harm that a disaster could cause? Does your plan address processes that really matter? Is your business tolerant to impact? How do you plan to sustain your BCM investments? 17 Copyright 2014 Deloitte Development LLC. All rights reserved.

19 Aspects to assess Strategy People Process Technology Governance & Project Sponsorship Includes Crisis Response Strategic Approach Compliance Some key considerations Program Sponsors Enterprise Resiliency governance, policies, and procedures Definition of roles & responsibilities Program metrics Monitoring of changes to regulatory environment Definition of crisis level (tactical vs. strategic) Communication tools or protocols Board/Executive Buy-In/Support 18 Copyright 2014 Deloitte Development LLC. All rights reserved.

20 Aspects to assess Strategy People Process Technology Emergency Response Includes Training & Awareness Resiliency Roles Identification Some key considerations Resiliency team knowledge & expertise Unity of command Integration of cross-functional groups Resilience funding & executive sponsorship Frequency and depth of training sessions Resilience program awareness 19 Copyright 2014 Deloitte Development LLC. All rights reserved.

21 Aspects to assess Strategy People Process Technology Risk Assessment Business Impact Analysis Business Continuity Plan Includes Third Party Continuity Exercise & Testing Feedback Analysis Some key considerations Risk to Asset Types Integration of risk assessments into recovery procedures Scheduling/frequency of exercising and testing Use of triggers to update plans Recovery Threshold Values Awareness of critical third party vendors Frequency and depth of training sessions Formal exercise/testing feedback analysis loop. 20 Copyright 2014 Deloitte Development LLC. All rights reserved.

22 Aspects to assess Strategy People Process Technology Disaster Recovery Plans Telecommunication Includes Infrastructure Data/ Vital Records Some key considerations Identification and classification of critical applications Disaster Recovery Plans for critical applications Cohesion between business requirements and application recoverability Inclusion of telecommunications in Disaster Recovery Plans Data retention policies To support cohesion, must have coordination between operations and information technology leadership and teams 21 Copyright 2014 Deloitte Development LLC. All rights reserved.

23 Reporting For each element being assessed, use a pre-defined ranking scale in a continuum graph and indicate the rating for the assessed area by a C for the current state and G for goal state. The example below is illustrative of the pre-defined ranking scale. Rating Definitions Non-Existent Initial or Ad-Hoc Repeatable & Intuitive Managed & Measurable Optimized Complete lack of any recognizable processes or strategies. There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are however, no standardized documented processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-bycase basis. The overall approach to management is disorganized. Processes have developed to the stage where similar procedures are followed by different people when developing BCM/DR documentation. There is no formal training or communication or testing of BCM/DR procedures. High degree of reliance on the knowledge of individuals. Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Testing is performed with a "siloed" approach without including internal/external dependencies. Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with business continuity standards and practices. Cross functional coordination has led to better integration of BC/DR plans to improve resilience and recovery in the event of a business disruption. 22 Copyright 2014 Deloitte Development LLC. All rights reserved.

24 Reporting Alternatively, consider grading each BCM component and share with senior management and other members of the organization. An illustrative example: Governance Regulatory/Industry Compliance D C Exercising and Testing D Disaster Recovery Plans D- Telecommunications C Crisis Management D Data/Vital Records D Business Impact Analysis D Facilities/Infrastructure C Business Continuity Plans D Crisis Management Plans A- Third Party Continuity D Emergency Response A- Training and Awareness D OVERALL GRADE: D+ 23 Copyright 2014 Deloitte Development LLC. All rights reserved.

25 Trends Resilience and the related disciplines of Crisis Management, Business Continuity and Disaster Recovery have not made the major strides that some might have thought. While we have witnessed innovations in mobile computing, data analytics, geographic information systems and learning...most resilience programs have been stuck in older methods and models. Some of the trends we have seen include: Mobility companies are finally moving away from paper-based plans that are not actionable. They are realizing their lack of operational benefit. They are trying to leverage mobile devices, more dynamic decision-making and more internet-based decision making. Executive Dashboards the most senior executives need transparency into the resilience program (e.g., measurement, metrics). They need to understand the Key Risk Indicators and Key Performance Indicators for their resilience program. Social Media organizations are more aware that social media can be used to monitor crisis events and it can be a very valuable tool in communicating with stakeholders. Data Analytics risk analysis and business impact analysis data can all be very valuable immediately proceeding and during a disruption. This data can be managed and be used for more analytics around strategies and actual response to events. 24 Copyright 2014 Deloitte Development LLC. All rights reserved.

26 Common findings and trends

27 Some top Internal Audit findings 1. Lack of centralized structure program elements work in SILO 2. Lack of support from Senior Management 3. Recovery and Restoration are after thought 4. Disconnect between Senior Leadership s perception of IT recoverability and actual recovery capabilities reported by technical staff 5. Mismatch between application s criticality to the business and IT recovery investments 6. Piece-meal approach to testing 7. Lack of integration between emergency response, business continuity plans and IT disaster recovery plans 26 Copyright 2014 Deloitte Development LLC. All rights reserved.

28 Some top Internal Audit findings 8. Lack of up-to-date documentation on recovery procedures dependence on a limited number of key personnel for recovery 9. Underestimation of effort & time required to recover from tape backups 10. Key vendors and service providers not included in recovery planning or testing 11. Lack of business participation in recovery testing and verification activities 12. Business-supported systems and key desktop systems lack recovery plans 13. Lack of a formal budget across the organization to support resiliency 14. Lack of a feedback loop ensuring that lessons learned from exercises and testing are incorporated into update resiliency policy, procedure and process. 27 Copyright 2014 Deloitte Development LLC. All rights reserved.

29 Some things to look for in your organization Executive visibility is limited on the quality of their capabilities No or failed CM/BC/DR Testing Poor or slow response capabilities to a real event Significant or consistent IT failures of any size IT outsourcing with insufficient contractual commitments around DR Complex supply chains with single points of failure Compliance concerns Enterprise Risk Management integration or lack thereof Resilience does not come in a bottle - maybe it does!) 28 Copyright 2014 Deloitte Development LLC. All rights reserved.

30 Questions?

31 Contact Us Bruce Daly ERS Principal Deloitte & Touche LLP 350 South Grand Los Angeles, CA Office: Mobile: Mark P. Ruppert CPA, CIA, CISA, CHFP, CHC Director, Internal Audit Cedars-Sinai Health System 6500 Wilshire Boulevard Suite 600 Los Angeles, CA Office : ruppertm@cshs.org 30 Copyright 2014 Deloitte Development LLC. All rights reserved.

32 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.