Elevate your DR Program from the Backroom to the Boardroom


David Halford, Managing Consultant, Enterprise Risk Management / BCDR, Forsythe Solutions Group


Elevate your DR Program: Discussion Topics
- Why should you care
- Methods & tools to help elevate your program
- Conclusion
- Q & A

Why should you care
- Understand how to get airtime & visibility for your DR Program
- Critical to getting the support and funding needed to advance your program

Today, corporate leaders are assessing how changes to IT can help them address some of the key business issues they are facing.

Leadership Role | Key Business Issues
CEO / CFO:
  - Faster and more uncertain business change
  - Need for competitive advantage and speed to market
  - Need for improved profitability, CAPEX preservation
  - New governance and risk management requirements
CIO / CTO:
  - More flexible, adaptable, and lower-cost systems
  - Increase user accountability for resource usage
  - Maximize, exploit, repurpose asset value where possible

CIO's Top 10 Business & Technology Priorities in 2010 (Source: Gartner EXP, January 2010)

Rank | Top 10 Business Priorities | Top 10 Technology Priorities
1 | Business Process Improvement | Virtualization
2 | Reducing Enterprise Costs | Cloud Computing
3 | Increasing the use of Information/Analytics | Web 2.0
4 | Improving Enterprise Workforce Effectiveness | Networking, Voice & Data Communications
5 | Attracting & Retaining new Customers | Business Intelligence
6 | Managing Change Initiatives | Mobile Technologies
7 | Creating new Products or Services | Data / Document Management & Storage
8 | Targeting Customers or Markets more effectively | Service-Oriented Applications & Architecture
9 | Consolidating Business Operations | Security Technologies
10 | Expanding current customer relationships | IT Management (tools & processes)

State CIO Priorities

Rank | Strategies, Management Processes & Solutions | Technologies, Applications, Tools
1 | Budget & Cost Control | Virtualization
2 | Consolidation | Networking, Voice & Data Communications
3 | Shared Services | Document/Content/Records Management
4 | Broadband Connectivity | Cloud Computing, Software as a Service
5 | American Recovery & Reinvestment Act | Security Enhancement tools
6 | Security | Enterprise Resource Planning (ERP) / Legacy application modernization-renovation
7 | Transparency | Geospatial analysis and Geographic Information Systems (GIS)
8 | Infrastructure | Business Intelligence (BI) and Business Analytics (BA) applications
9 | Health Information | Security Technologies
10 | Governance | IT Management (tools & processes)

To Get Support, Program Recognition & Funding
- Simplify your approach and initiatives to align with executive priorities
- Connect or unify with other key initiatives
- Amplify what you're doing with improved communication & awareness activities

Discussion Topics: Methods & tools to help elevate your program
- Validation Program
- Emerging Technology (i.e. Cloud Computing)
- ERM & S&P rating process
- Solution agreement optimization
- Conclusion

Validation Program
An annual exercise program can help elevate your program.

Overview of Validation Phases

Plan: Define high-level parameters of the project/event to obtain Sr. management approval & support.
  - Identification of scope and scenario
  - Named event preparation team
  - Approval to conduct exercise
  - Exercise directive memo
Prepare: The prep team works together to develop detailed exercise materials and logistics.
  - Invitation memo to participants
  - Comprehensive exercise packet for participants
  - Exercise materials and logistics
Conduct: Discuss activities for a given scenario to enable participants to effectively implement the plan.
  - Understanding of roles and responsibilities
  - Awareness & rehearsal of response dynamics
Report: Analyze the event, feedback, debrief session & lessons learned.
  - Necessary updates to capabilities
  - Published After-Action Report

Validation Program: Communication Plan

Event Validation Program Communication Lifecycle: (1) Annual Plan, (2) Assess & Pre-Execute, (3) Event Day, (4) Post Event.

Annual Plan (Communication & Awareness):
  - Annual test calendar: include as part of the annual planning process; include IT Mgmt & ERM / Corporate Risk Management
Assess & Pre-Execute:
  - Management approval request (30-45 days in advance): include scope, required business testers, resource request, & success criteria; communicate the outage in BIA terms; indicate that Change Management approval is required
  - Change Management request
Event Day:
  - Event kickoff
  - Scheduled management status calls
  - Event log (ongoing)
Post Event:
  - Management closeout (including success/fail approval)
  - Formal report within 2 weeks
  - Communicate success, issues, actions, & owners (in business terms)

Validation Exercise Types

Discussion-based:
  - Structured Walkthrough: review and understand plan structure and content for your role and other roles; update obvious errors & omissions
  - Tabletop Exercise: review and understand the actions team members would take, as documented in the plan; response to a specific scenario; can be a single team, but is best with multiple teams
Operations-based:
  - Notification Drill: verify contact info is accurate and complete; validate personnel have immediate access to the plan
  - Functional Rehearsals: evacuation drills; relocation
  - Relocation: physical relocation of personnel and/or technology to an alternate site

Recommendation: Validation Program
Maximize the benefit & elevate your overall program!
- Just do it! Conduct multiple annual exercises of various types
- Ensure business participation: establishing & communicating scope; involvement in the exercise; involved in approval & sign-off
- Communicate, communicate, communicate: simple, direct, & concise; utilize internal processes to improve visibility (i.e. Change Management & Annual Planning)
Note: Not for those who want the easy way or to fly under the radar!

Cloud Computing
What is it and how does it impact Disaster Recovery? How can you take advantage of the movement to elevate your DR program?

Cloud Computing is the most talked about IT capacity sourcing alternative today.

Cloud Computing is a user experience and computing model where computing resources are abstracted from users and delivered as a service using internet technologies. (Layers, from the user down: User, Services, Applications, Technology, Infrastructure.) In the Cloud computing model, organizations may or may not own the IT infrastructure providing these services.

Cloud Computing architectures have a specific set of characteristics which are enabled by a combination of hardware, software, and processes. The goal is to have the right amount of IT resources available, at the right time, from anywhere, at the lowest possible cost, to the right users. (Source: Tier1 Research Cloud Codex)

In the Cloud Computing model, there are generally three categories of service provided to users.

Categories of Service (and example service providers)
1. Infrastructure as a Service (IaaS): security, server, storage, and data protection infrastructure
2. Platform as a Service (PaaS): development environment infrastructure
3. Software as a Service (SaaS): application environment

Who delivers these services to the users? The Cloud computing model may be implemented as either a Public (external) or Private (internal) Cloud.
- Public cloud (public domain): services delivered over the Internet
- Private cloud (corporate cloud, the company's own domain): behind the firewall, in the corporate datacenter, on the private network
- Public-cloud providers may also offer a Virtual Private Cloud service

Recommendation: Emerging Technology
Engage & participate!
- Disaster Recovery solution options: look for the opportunity to utilize cloud as a point DR program; volunteer to evaluate for production; consider a 3rd party assessment to evaluate options
- Engage the Application Development team: understand the application development direction; determine how you can link with the DR program; influence & participate in the future roadmap
- Communicate interest: you want to be at the table!
Note: Not for those who want the easy way or to fly under the radar!

Enterprise Risk Management
Rating Agencies Applying Risk Analysis to Corporate Ratings

The following content was compiled by volunteers, and is as accurate as possible. The content is subject to change without notice. For the most timely information please go directly to the source.

Title | Type | Governing Body | Country | Summary | Significant Dates, Fines, Penalties | Notes / Comments
2002 ACH Rules Book | Regulation | ACH (Federal Reserve's Automated Clearinghouse Association) | U.S.A. | Requires 6 year file retention on all ACH transactions. An ACH transaction is a batch-processed, value-dated electronic funds transfer between originating and receiving financial institutions | Non-compliant fines not more than $10,000 or imprisoned not more than ten years, or both | gov/ach/interim_2003.pdf (Treasury Department decision)
6 CFR Part 29: Procedures for Handling Critical Infrastructure Information (Interim, Feb 2004) | Regulation | CFR (Code of Federal Regulations) | U.S.A. | Continuity of operations for Critical Infrastructure; disclosure of critical information to the government | | s.gpo.gov/cgi-bin/getcfr.cgi
ANAO Better Practice Guide: Business Continuity Management - Keeping the Wheels in Motion | Standard | ANAO (Australian National Audit Office) | Australia, New Zealand | Presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed. Managers should have an ongoing focus on business continuity | | (order form)
ANSI/ARMA Vital Records Programs | Regulation | ANSI (American National Standards Institute) / ARMA (Association of Records Managers and Administrators) | U.S.A. | Sets requirements for establishing a vital records program by: identifying and protecting vital records; assessing and analyzing their vulnerability; determining the impact of their loss on the organization | | Addresses the development and implementation of a vital records program within the context of a formal records management program. Vital records are defined as records containing information essential to the survival of an organization in the event of a disaster.

What's driving the ERM focus
- Business Requirements: corporate governance; growing regulations; competitive advantage; quality, efficiency & dependence on the supply chain; ERM and credit ratings impact
- Changing Business Values/Needs: business models; reliance on IT (7 x 24 operations); planned downtime no longer acceptable; smaller recovery windows; SLA penalties; resilient operations
- Business Protection: revenue; productivity; fines and penalties; brand; goodwill; employee morale; due diligence; reputation

Current Situation
- Enterprise Risk Management (ERM) is generating significant interest, frequently making it to the board room agenda.
- Information Technology ERM continues to see impact from regulations and other compliance-related factors. At last count: 150+ regulation titles; governing bodies (depending on how you count them); 17+ countries. A detailed regulation / standard / country list is available at DRJ.com.
- Rating agencies including ERM analysis in the rating process is increasing the stakes.
- Category (E, A, W, I): Banking & Finance; Public Health & Healthcare; Transportation & Shipping; Energy (including nuclear); W: to be provided

Enterprise Risk Management
Ratings agencies (i.e. Moody's & S&P) are including ERM analysis in the corporate ratings process for financial & non-financial companies.
- Why viewed as important: recognizes the need for sharing critical information regarding key areas of risk; recognizes the requirement for solid ERM processes supporting the business
- Objective: evaluate the approach to ERM from a corporate perspective; understand the process for ERM evaluation, managing, & communicating
- Impact: elevates the overall importance and business impact of an effective Enterprise Risk Management Program

Example: S&P Framework
The Enterprise Risk Management Framework S&P is using consists of three broad components based on their existing PIM model:
- Policies & Governance
- Methodology
- Infrastructure

S&P Assessment Framework: Policies & Governance
The Policies & Governance component evaluates the level of importance the Risk Management function has within your organization.
- Corporate reporting relationship: understand reporting lines; level of independence and internal influence
- Risk assessment & defined tolerances: how risk tolerances are defined; impact on strategic decision making
- Risk communication & disclosure: communication methods, regularity; types and level of communications

S&P Assessment Framework: Methodology
The Methodology component evaluates the organization's Enterprise Risk Management Program methodology.
- Tools & technology utilized: quality & level of systems; how the systems are integrated
- Measurement system used for tracking purposes: what measures are used; do they generate meaningful, quantitative conclusions
- Testing & validation: stress testing & what-if analysis; validate that risk definitions & ranges are accurate

S&P Assessment Framework: Infrastructure
The Infrastructure component evaluates the organization's risk architecture, quality of data, and backroom operations.
- Disaster Recovery Process: has a recovery process for critical business process infrastructure been identified? Are DR plans documented, current and tested regularly?
- Business Continuity Planning: do BC plans cover all critical business processes, workflow, & people? Are BC plans documented, current, and tested?
- Staff background: technical skill levels and educational qualifications; risk management & technical back office personnel; expertise, training levels, & years of experience

Recommendation: How can you be prepared?
- Identify the timeframe & status of the ratings evaluation: when was it last completed? Results?
- Establish the level of importance: communicate the process to Executive Management; solicit support from the CIO, CFO, CSO, etc.
- Conduct an Enterprise Risk Management Program Assessment: 3rd party review of the ERM program; executive-level summary with the ratings process incorporated; improvement recommendations, and elevate the DR program

3rd Party BCDR Solution Agreements
Time to consider options...

Survey Snapshot
- How many of you have a 3rd party service solution?
- How many see the value as equal to the solution cost?
- How many are confident the solution will work if you need to invoke it?

Recommendation: Solution Agreements
Aggressively evaluate options!
- DR Strategy Assessment & Requirements Validation: provides executive communication and critical vendor service requirements; validate & optimize the technical approach
- DR Services RFP / RFI: seriously evaluate regional, non-traditional players; target SLA & service solutions versus the traditional inventory approach; expect 20-40% savings OR significant improvement in services; consider 3rd party support to ensure all options are considered
- Vendors are hungry & there are more options than you think...

Elevate your DR Program: Conclusion
- Simplify your approach and initiatives to align with executive priorities
- Connect or unify with other key initiatives
- Amplify your program with improved communication & awareness activities
