Strategic Business Continuity Management
Steven J. Ross
Deloitte & Touche
New York

Prospering in the Secure Economy
- Leading organizations must confront the new realities of today's uncertain economy
- The emerging regulatory environment and new standards are shaping industry's vision of acceptable recoverability
- The business case for recoverability investments must become strategic in order to move beyond the cost impact
- Prospering in the secure economy requires better risk management, improved response, integrated strategy, and extended supply chain protection
- Government is a source of information and best practices for industry
- Protecting and even creating greater shareholder value demands a strategic, proactive approach at the CEO leadership level
[Diagram labels: Prosperity, Security/Availability]

High Level Indicators
World Economic Forum Annual Meeting Survey
- By a ratio of more than two-to-one, members believe the next generation is more likely to live in a prosperous (59%) rather than safe (27%) world
- Members tend to believe the outlook for their personal security looks better now (65% assign positive ratings) than it will in 10 years' time (only 41% assign positive ratings)
- A majority of members believe 40% or more of their company's market capitalization is represented by brand/reputation
- Conclusion: Perception and resulting risk to shareholder value is a greater economic threat than loss of specific assets

Five Strategic Realities for the Future
- Rapid change: The global business climate has been nothing if not tumultuous in recent years.
- New regulatory requirements: Organizations are confronting a host of new security requirements.
- Heightened threats and greater uncertainty: Organizations remain unclear about what kinds of threats warrant the greatest concern.
- Complex and interdependent risks: Interdependent supply chains put organizations at greater risk due to the multiple partners and handoffs involved in production and distribution.
- Globalization and the 24/7 news cycle: Organizations now have only minutes, not hours or days, to respond proactively to an incident before risking possible damage to their reputation.

The Evolution of Business Continuity
[Timeline chart. Vertical axis: Organizational Focus on Risk Mitigation. Horizontal axis: Late 80s, Early 90s, Mid 90s, Late 90s, Early 00s, Mid 00s. Stages: Disaster Recovery (DR), Business Continuity Planning, Business Continuity Management. Events marked: WTC Bombing, Bishopsgate Bombing, Tokyo Subway Attack, Oklahoma Bombing, 9/11.]
- DR hit the corporate agenda in the mid 80s as businesses began to increasingly rely on mainframe computers
- The enthusiasm for DR started to wane as it became evident that a more proactive approach to risk mitigation was required
- The terrorist attacks of the early to mid 90s made firms realize that DR did not effectively mitigate risks. BC evolved as a result.
- With the technology boom and roaring economy of the late 90s, BC, although a standard business practice, was given little attention
- 9/11 highlighted that risk mitigation plans had to protect against events previously considered unimaginable. Combined with a struggling economy, BC had to evolve
- Tower Group estimates that the North American Security Industry spend on Business Resiliency will increase to over $1 billion in 2003 from $633 million in 2001
Preparations for crises have evolved from disaster recovery and business continuity planning into a more comprehensive approach called Business Continuity Management.

Management Perspectives
- Disaster Recovery Plan: I have a data center, I might need a data center
- Business Continuity Plan: I do business in one place, I might have to do it somewhere else
- Business Continuity Management: I do business in one place, AND I have to do it somewhere else, too
The recognition of the inevitability of disruption makes business continuity a strategic concern

[Image slides; recoverable labels: Madrid Bombing, Northeast Blackout, Hackers, Chicago Fire, Civil Disturbance, Computer Viruses, Floods, Tsunami, Earthquake, Hurricanes, Tornado, Mudslide]

Recognizing the Business Exposure
[Diagram: Sales & Marketing, Inventory, Orders, Supply Chain, Purchasing, Cash Management, Manufacturing, Human Resources, Accounting/Reporting, Payroll]
- A typical business contains a number of distinct but interacting processes
- With varying tolerances for interruption (RTO).
- When each process entailed a separate application set, they could be recovered over time.
  [Slide build order: Orders, Supply Chain, Manufacturing; then Inventory, Purchasing; then Sales & Marketing, Human Resources; then Cash Management, Accounting/Reporting, Payroll]
- But ERP systems have integrated all (or at least many) applications into one application
- And therefore the most critical process dictates the recoverability requirement for all.

Thinking Strategically
- What business are we in?
- Who are our competitors?
- How do we make money?
- How do we approach the market?
- How much risk can we afford?
- How much cost can we afford to reduce the risk?
- What do our regulators want?

Thinking Strategically about BCM
- What business are we in?
  - Can we stay in that business if we fail to serve our customers?
  - Are we part of the critical infrastructure?
  - Are we a merger target?
  - Is our industry growing?
  - Are we growing?
  - How deep are our capital reserves?
- Who are our competitors?
  - Can they promise a higher level of availability?
  - Would they take market share if we could not produce?
  - Would they increase their visibility with our key customers?
  - Are we ahead of or behind industry norms?
- How do we make money?
  - How leveraged are we?
  - How long can we sustain interrupted cash flow?
  - What are the choke points in our ability to realize revenues?
  - Do we have alternatives?
  - Can we re-capture lost sales when we recover?
  - What responsibility do we have to our customers?
- How do we approach the market?
  - Do we sell to consumers or other businesses?
  - Do we sell on the Internet?
  - Do our customers come to us or do we reach out to them?
  - Do we sell through intermediaries who depend on us for products?
- How much risk can we afford?
  - Have we experienced losses?
  - Are we in a target business or location?
  - Will better controls mitigate our risk?
  - Have our auditors or the Board expressed concern?
  - What does insurance cover?
- How much cost can we afford to reduce the risk?
  - How much can we accomplish with limited expenditure?
  - Can we leverage existing assets?
  - Can we accomplish availability goals with business as usual solutions?
  - Is there a current ROI on our investment in availability?
- What do our regulators want?
  - Is improved availability a necessary cost of doing business?
  - How much criticism can we absorb?
  - Have we been cooperative with the regulators in the past?
  - Whose job is at risk?

The Strategic Imperatives
- Recovery
- Resilience
- Compliance
- Preservation
- Response
- Anticipation
- Trust
- Validation
- Operations
- The business, itself

Tactical vs. Strategic
- Business Continuity Planning has historically been tactical
  - Establishing alternative resources
  - Deploying personnel after a disaster
- To make Business Continuity Management more strategic, it is necessary to think beyond the hot site
  - Re-thinking the way a company does business
  - Incorporating recoverability into business as usual (BAU)
  - Accepting disruption as a condition of doing business, without accepting that disruptions must cause an interruption in service
  - Incorporating resilience into cost models

Beyond the Hot Site: Re-deployment
- Deconstructing the enterprise so that no critical activity can be halted by a regional outage
- May be active-active or mirrored staffs
- Entails significant shifts in technology
- Requires shared databases and transaction flows
- Highly resilient networks are essential
- Triage and backlog become major issues

Beyond the Hot Site
[Diagram. Active-Active: Transactions, Function A, Function A, Data. Mirror Staffs: Transactions, Transactions, Function A, Function B, Data.]

Beyond the Hot Site: Contingent Outsourcing
- Relying on a third party during an emergency
- Requires extensive training and recurrent testing
- Optimum solution is to outsource some positions/functions on a permanent basis
  - Involves recovery staff in routine operations
  - Core of the recovery capability
  - Mitigates turnover in normal times

Beyond the Hot Site: Large Scale Data Replication
- Extending high availability beyond critical data and applications to all, or most, of the enterprise database
- Assumes that the complexity of integrated businesses makes it impossible to disentangle critical and non-critical data
- Huge costs in storage and networks can be mitigated by more intelligent design

Beyond the Hot Site: Supply Chain Redundancy
- Dual sources of required resources
- Balance of effectiveness
- Multiple suppliers
- Single supplier with guaranteed redundancy (telco, power)
- Consideration not only of materials but data and tools as well

Accepting Ownership
- A strategic view of Business Continuity Management engages senior management and the Board of Directors
- Surely as valid a concern as share price and financial statements
- Reflects the regulatory viewpoint
- In the integrated, Internet era, resilience equals market share

Resilience = Market Share
[Image slides]

Strategic Business Continuity Management
Recoverability + BAU = Resilience
- Business Continuity Management is so much more than developing a continuity plan
- It must comprehend a much broader, proactive view of recoverability, availability and resilience
- Effective Business Continuity Management must
  - be a way of thinking about businesses and providing solutions on an organizational basis
  - address the need for the business to continue and grow under routine circumstances, not just recover from a disaster

Steven Ross
stross@deloitte.com