How to Derive Value from Business Continuity Planning

Transcription

1 How to Derive Value from Continuity Planning Presented by Randall J. Till, Principal Till Continuity Group Spring World 2011 Disaster Recovery Journal March 28, BCM Challenges BCM funding is limited or shrinking BCM doesn t have organizational commitment BCM is targeted for reductions Economic Downturn Continuity 2

2 BCM Drivers Release Cycle/ Change Process Development Testing Prod. Implementation DR Exercise Y/ Y DR Exercise Cycle 2. Recovery System Risk Exposure BCM Drivers BCM updates tied to tests or exercises BCM managed as an annual project 2-4+ weeks Plan Update Exercise Publication Risks: services and systems s are always ays changing g BC/DR plans and environments remain unchanged waiting for a an exercise date or a project deliverable 3 BCM Approach Plan To Pass Audits & Meet Regulatory Compliance Poor Investment Embrace Audits & Exceed Regulatory Compliance Valuable Investment 4

3 Plans BCM Approach - Siloed Practices Risk Crisis Disaster Recovery Continuity Disjointed Lacks Integration Enbroiled in Politics 5 Plan Execution and Coordination Planning is focused on How to build the plan We don t focus on How to execute the plan Execute on the Fly Chaos Stress Impacts 6

4 Continuity (BCM) Program Risk (RM) BCM BC Program Governance and Continuity (BC - work area recovery) Crisis/ Emergency (CM/EM) Disaster Recovery (DR - system recovery) Each organization is unique Different levels of responsibly Each BCM Program is at a different level of maturity BCM is a long journey 7 Continuity Planning Cycle Maintain Assess Maintain Readiness Test/Exercise BCM Planning Cycle Prioritize Address Changes Implement Approve Plan Train Personnel 8

5 Focus of Today's Discussion D 2011 BCM Governance J F M A M J J A S O D 2012 J D Oversight of BCM Program Sets Direction and Expectations Buy-in and Endorsement 2011 BCM Planning Cycles BCM Planning Cycles 1.Pre-Cycle 2.Planning Cycle 3.Post-Cycle J F M A M J J A S O D 2012 J Planning Processes and Procedures Deliverables and Time Tables Planning Cycles for BCM (CM, BC, DR) 96 Continuity Pre-Cycle 10

6 BCM Program Governance BCM Governance Continuity Steering Committee Ownership Responsibility Commitment BCM Strategic Direction Educate Metrics Reporting Structure 11 BCM Ownership and Execution Ownership Corporate IT Headquarters Headquarters Europe Asia Pacific Latin America Finance Coordination Regional Coordinators (Secondary) Marketing Sales Customer Services HR Legal IT Division Coordinators (Primary) Facilitation Continuity Planners Continuity Planners BC Plans CM Plans DR Plans Continuity 12

7 Continuity Pre- Cycle Timeline D 2011 Continuity Oversight J F M A M J J A S O D 2012 J BC Steering BCM Objectives 2011 Cycle Deliverables 2011 Cycle Communication D 2011 Continuity Planning Cycles J F M A M J J A S O D 2012 J Develop 2011 Cycle Def. Cycle Kickoff Objectives Processes Meetings with Develop Coordinators Tools Planning Strategies Templates Metrics 13 Continuity Planning Cycle 14

8 Crisis/Emergency (CM/EM) Crisis/Emergenc y (CM/EM) of incident Assessment perspective otification & Assembly Communications Decisions - Activation Life Safety - First Response Crisis 15 Value of Crisis/Emergency CM Organization & Plans Enterprise-wide Assign responsibilities Setup Command Centers Train people Practice roles and procedures ational Incident System (IMS) 16

9 Crisis Planning Strategies Office Type Corporate and Core Offices Regional and Select Offices (Offices with significant # of people/operations) Crisis Team Assigned* - Corporate Incident Response Team (CIRT) - Local Incident Response Teams (LIRT) - Initial Assessment Teams (IAT) - Local Incident Response Teams (LIRT) - Initial Assessment Teams (IAT) Smaller Offices Initial Assessment Teams (IAT) * Based on ICS Structure 17 Crisis Cycle Matrix Deliverables Corporate/Co re CIRT/LIRTs Regional/Selec t LIRTs Smaller IATs Due Dates CIRT/LIRT otification Tests During exercises CIRT/LIRT Functional Group Training CIRT/LIRT Scenario Based Exercise Apr Sept Y 8 30 Dallas 04/15 SF 10/20 LIRT Self Exercise May Aug IAT otification Tests Mar, Jun, Sept IAT Training Mar Jul IAT Exercises/Self Exercises May Sept 18

10 Continuity Planning (BC) Continuity (BC - work area recovery) service function Department People Processes & procedures Information Function Function Function Function Service DR System DR System DR System Systems/applications Technology Dependencies Customers 3rd parties/vendors 19 Value of Continuity Protection of critical assets Access to critical Customer information Continuity communications (BC - work area recovery) Interdependencies Recovery locations process analysis Process improvement Office Infrastructure 20

11 BC Planning Strategies Office Type Corporate/Core Offices BC Planning Levels BC planning at business function level Regional and Select Offices BC planing at department level Smaller Offices Plan Criticality Essential Plans Deferred Plans BC planing at office level Recovery Times and Facilities Critical business functions RTO < 7 days Recovery facilities pre-established Less critical business functions >7 days) o recovery facilities established 21 Continuity Planning Cycle Deliverables Core Key Small Start Date End Date Impact Analysis (BIA) Review (Ess/Def) Y Y Y 1-Mar 31-Mar BIA Sign-off by Senior Leader Y Y Y 1-Mar 31-Mar Plan Review/Update (Ess/Def) Y Y /A 1-Apr 30-Jun Continuity Manual Review/Update /A Y Y 1-Apr 30-Sep Plan Roster Review/Update (Ess/Def - Qrtly) Y Y Y Jan, Apr, Jul, Oct Work From Home Validation (Ess/Def) Y Y Y 15-Mar 31-Jul Team Activation Exercise (Ess/Def) Y Y Y 1-Apr 30-Sep Plan Walkthrough Exercise (Ess/Def) Y Y /A 1-Apr 30-Sep Recovery Site Exercise (Ess only) Y /A /A Office-1: Jun 21/Sep 13 Office-2: May 17/Aug 7 Office-3: Jun 1/ ov

12 Continuity Planning Cycle Continuity Planning Cycle M A M J J A S O BIA Reviews BIA Sign-offs Plan Review/Updates BC Manual Review/Updates W-F-H Validation Alternate Site Functional Exercise Team otification Tests Plan Walkthrough Exercises Alternate Site Functional Exercise Roster Updates Quarterly End-user Training 23 Disaster Recovery (DR) Planning Disaster Recovery (DR - system recovery) Primary Site Cost Reductions Alternate Site DR Strategy Shared Disk Shared Disk DR Testing etworks Data Backup 24

13 Value of Disaster Recovery Reduce recovery objectives Reduce loss of data Primary Site DB Live Switches Less Planned Outages Co-processing Virtualization Cloud Computing Alternate Site DB Improve Utilize DR system design resources Enhance operating flexibility 25 DR Planning Strategies Data Centers Planning & Exercises Primary Data Center (Internal Control) Co-location Data Center Outsourced Processing DR Plan Criticality Tier 1 Systems Tier 2 Systems Tier 3 Systems - Full DR plans Tier 1& 2 systems - Full functional exercises Tier 1 systems - DR plans for Tier 1&2 systems - Coordinated DR exercises with provider - DR plans oversight and evaluation Recovery Times and Facilities Critical systems RTO = 0-3 days Hot recovery site established Critical systems RTO = 4-14 days DR plans developed, Warm recovery site Critical systems RTO = >14 days o recovery site established 26

14 Disaster Recovery Planning Cycle Deliverables Tier 1 Tier 2-3 Start Date End Date System Impact Analysis (BIA) Review (Tier 1, 2 & 3) Y Y 1-Mar 31-Jul BIA Sign-off by Tech Owner and Owner Y Y 1-Mar 31-Jul Recovery Plan Reviews 1-Apr 31-Oct Y Y Technical Recovery Manual Review/Update Y Y 1-Sept 31-Oct Plan Roster Review/Update (Quarterly) Y Y Jan, Apr, Jul, Oct Team Activation Exercise Y Y 1-Apr 30-Sep Plan Walkthrough h Exercise Y Y 1-Apr 30-Sep Disaster Recovery Exercise (Tier 1) Y /A Primary DC: Jun /Sep Secondary DC: May/Aug Secondary DC: Jul/ Oct Remote DC: Aug Remote DC: July 27 Continuity Cycle Timeline D Continuity Oversight 2011 J F M A M J J A S O D 2012 J BC Steering ew Requirements Escalations to D Continuity Planning Cycles 2011 J F M A M J J A S O D 2012 J Manage CM, BC, DR Planning Cycles 2012 Budgets and Plans Crisis Planning Cycle Continuity Planning Cycle Technical Recovery "DR" Planning Cycle 28

15 Continuity Planning Post-Cycle 29 BCM Metrics Gain commitment Show readiness Meet compliance Below Expectations < 6.0 Partially Meets Expectations 6.0 to < 8.0 Meets Expectations

16 Build Measurements into Cycle Action plan underway: Establish BRP Ownership Build management relationships Enhance Continuity it Plans Practice & test plans Below Expectations < 6.0 Partially till Meets Expectations tti t to < Meets Expectations Measurements Based on BCM Cycles Crisis Cycle Matrix Deliverables Corporate/C ore CIRT/LIRTs Regional/Sel ect LIRTs Smaller IATs Due Dates Continuity it Cycle Matrix CIRT/LIRT otification i Tests During exercises CIRT/LIRT Functional Group Deliverables 1 Core 1 Key 0 Small Apr Sept Start Date End D Training Impact Analysis (BIA) Review (Ess/Def) Y Y Y 1-Mar 31-M CIRT/LIRT BIA Sign-off Scenario by Senior Based Leader Disaster Recovery Y Y Cycle Y 1-Mar Matrix May & Oct 31-M Exercise Deliverables Tier 1 Tier 2-3 Start Date Plan Review/Update System Impact (Ess/Def) Analysis (BIA) Review (Tier 1, 2 & 3) Y Y /A Y 1-Mar 1-Apr 30-J Continuity BIA Sign-off Manual by Tech Review/Update Owner and Owner /A Y Y 1-Mar 1-Apr 30-S LIRT Self Exercise May Aug IAT otification Tests Mar, Jun, Sept Plan Roster Recovery Review/Update Plan Reviews (Ess/Def - Qrtly) Y Y Y 1-AprJan, Apr, Jul, Oct Technical Recovery Manual Review/Update Y Y 1-Sept IAT Training Mar Jul Work From Home Validation (Ess/Def) Y Y Y 15-Mar 31-J IAT Exercises/Self Exercises May Sept Team Activation Plan Exercise Roster Review/Update (Ess/Def) (Quarterly) Y Y Y Jan, 1-Apr, Jul, Oct 30-S Plan Walkthrough Exercise (Ess/Def) Y Y /A 1-Apr 30-S Recovery 32 Team Activation Site Exercise Exercise (Ess only) Y /A Y /A Y 1-Apr Office-1: Jun 21/Sep

17 BCM Inculcation System Project Define Requirements Design and Develop System Perform System and Integration Testing Implement Production System Continue to Maintain the Recovery System & Environment Perform BIA Update Recovery Matrix Design and Develop Recovery Capabilities Implement Recovery Capabilities Contingency Exercise Suite Perform Exercise Assessment Integrate into Contingency Exercises Test Recovery Capabilities and Develop Plans Assimilation Repeatability Reduces Politics 33 Redesign Testing & Exercise Requirements Redesign Testing Requirements System Release Cycle Requirements Design Development Testing Production Recovery System Analysis Plan Update System Update Process Recovery Test Recovery System Update Process Modify Exercise Program Recovery System Analysis Meetings Recovery Plan Updates Procedure Validation Owner sign-off on recovery status Modify exercise approach to focus on Core Services Conduct Ad-hoc DR Exercises (limit size and scope) Test DR Plans for Deferred Systems 34

18 Maintenance Processes and Cycles Reliable information EtblihShdl Establish Schedule Define responsibilities Dynamic Significant Volume of Data Automate Reuse data - single source Develop Streamline Processes 35 Continuity Post-Cycle Timeline D 2011 Continuity Oversight J F M A M J J A S O D 2012 J BC Steering BOD Endorsement D 2011 Continuity Planning Cycles J F M A M J J A S O D 2012 J Develop 2011 Reports Develop 2012 Objectives Emergency Planning Cycle Recovery Planning Cycle Technical Recovery "DR" Planning Cycle Maintenance Cycles Plan and Exercise Evaluations 36

19 Value of BCM Planning Cycle Continuity Program Defines measurable BCM requirements Inculcates BCM practices into business culture Provides mechanism to educate BCM Sets BCM deliverables into business cycles Makes BCM processes consistent & repeatable Leads to BCM Program Maturity 37 Continuity Cycle - Full Timeline D Continuity Oversight 2011 J F M A M J J A S O D 2012 J BC Steering 2011 Objectives 2011 Cycle Deliverables 2011 Cycle Communication ew Requirements BC Steering BC Steering BOD Endorsement Escalations to D Continuity Planning Cycles 2011 J F M A M J J A S O D 2012 J Develop 2011 Cycle Def. Cycle Kickoff Objectives Processes Develop Tools Planning Strategies Templates Metrics Manage CM, BC, DR Planning Cycles 2012 Budgets & Plans Emergency Planning Cycle Recovery Planning Cycle Technical Recovery "DR" Planning Cycle Maintenance Cycles Develop 2011 Reports Develop 2012 Objectives Plan and Exercise Evaluations 38

20 Randall J. Till, MBCP Till Continuity Group