ServiceNow knowledge 2016

Transcription

1 ServiceNow knowledge 2016 Resiliency Navigator: an integrated approach to resiliency point of view May 2016

2 Agenda Introduction to resiliency Integrated solution to resiliency Aligning the business from end to end EY and ServiceNow s Resiliency Navigator EY resiliency team s culture of helping clients Getting started with the Resiliency Navigator Business and information technology (IT) executives see value Appendix A: EY resiliency case studies Appendix B: Team biographies Appendix C: Enablers and accelerators Page 1 ServiceNow knowledge 2016

3 Introduction to resiliency Resiliency is the process of making sure that critical infrastructure elements are designed to minimize disruption to business functions and mitigate the productivity impact. Unfortunately, resiliency methodologies may contain significant gaps, thereby increasing operational risk. As a result, regulatory focus has shifted to include both business and technology resiliency capabilities to better identify the risk of dependencies across resources, assets and technology. Industry risk trends Enterprise risk definitions and severity ratings are not consistently applied Inconsistent method to understand resiliency, such as misaligned top-tier application RTOs Inability to confirm validity of severity rating changes Resiliency testing and analysis reports with insufficient confirmation data Regulatory community focus Response plans: Businesses invest in developing documentation to support the response process rather than testing operating documents Response plan and testing appear to occur in silos within the line of business or function Impact analysis does not reveal the severity of dependencies across resources, assets and technology Proof of capability: Businesses (environments) do not conduct true integrated testing that forces business, operations and technology to come together simultaneously to determine gaps and risks Tests seem to focus on short timelines (0 4 days) and not on tiered 0 30 business days to understand impact on productivity, consumers, and resiliency of the enterprise Page 2 ServiceNow knowledge 2016

4 Integrated solution to resiliency Effective resiliency management involves a shift from isolated technology focal areas to a broader, enterprise-wide operational effort, incorporating critical key business functions. Regulatory and industry resiliency challenges call for a more robust, integrated solution, that leverages existing configuration management databases (CMDB), enabling risk identification with the enterprise resiliency framework. Challenge Integrated resiliency solution Value add Making certain resiliency processes remain aligned with business rules Applying a consistent resiliency riskrating methodology Providing document confirmation for each resiliency rating High business impact to execute resiliency testing and reporting Business rules are systematically integrated across all resiliency calculations through an easy-to-use dashboard Risk rating definition and thresholds are set at the enterprise level and automated during resiliency testing and reporting Risk ratings require supporting documentation and management rating approval signatures Reduced resource requirements due to automated testing and reporting functionality Business risk alignment Accuracy of resiliency planning Entry management Bidirectional validation capabilities Consistent and repeatable resiliency methodology and processes Page 3 ServiceNow knowledge 2016

5 Aligning the business from end to end Effective technology and business resiliency management requires defined linkages between all business functions and the technology service provider to support that function. Insufficient mapping of business functions with the technical counterparts could result in resiliency being defined vertically, with the potential of incorrect reporting of varying risk-rating methodologies. As displayed below, an integrated resiliency solution can enable an organization to understand more than just its risk exposure, including its operational risk. People Procedures Assets Technology Business continuity information Governance, risk and compliance information Skill Quantity Location Requirements Manual Procedures Operating Methods Communications Facilities Transport Equipment Service Operations Application Services Infrastructure Criticality Rating Criticality Rating Criticality Rating Criticality Rating Disaster recovery information Technical configuration information Governance, risk and compliance information Business continuity information Disaster recovery information Technical configuration information Various solutions providing risk ratings under differing methodologies Systems produce reports and dashboards in silos based on the solution s ability to integrate with other systems Provides a view into the technology enablement layer as a service composite that provides an end-to-end service Ability easily to integrate leading practices, such as ITIL V3, COBIT 5 and quality-of-service concepts Page 4 ServiceNow knowledge 2016

6 EY and ServiceNow s Resiliency Navigator The Resiliency Navigator analyzes service, application, technology, financial, governance, risk and compliance information based on customizable business rules and draws meaningful conclusions to help organizations strengthen and manage their IT environment. The Resiliency Navigator, coupled with the powerful visualization and scenario modeling capabilities of ServiceNow, can help you reduce the complexity of your IT infrastructure. Page 5 ServiceNow knowledge 2016

7 EY resiliency team s culture of helping clients Our team understands that resiliency comes down to maintaining a minimal business impact from unusual business conditions. Our approach is collaborative in nature working with business lines to determine their goals, while assessing technology capabilities to confirm the goals are achievable across all interdependencies, both internal and external to the organization regardless of the industry. Understand the health of your risk programs Industries Automotive Financial Health care Insurance Review the programs that enable response capability including business continuity, disaster recovery, incident response and crisis management Link the risk definitions and business function exposures with the program and compliance and standards guidelines (regulatory and industry leading practices) Review response capability with respect to unusual business conditions Operational and technology resiliency mapping and analysis Establish clear linkage between a business function and the services provided to support that function: Establish risk and resiliency index Map the people, assets and resource needs, and the interdependencies Identify operational endurance to sustain productivity Identify the technology application service suites: Identify the application services and underlying components Map all interdependencies and validate resiliency variables Perform scoring and identify mismatch of components across tiers Continuous improvement and validation Iterative reconciliation of service performance against resiliency ratings Integrate disaster recovery failover test results to identify desired to achievable recovery timeline challenges Map failure mode probability Implement resiliency improvements How ServiceNow can help you Provides a single solution to enter all of the risk ratings of all service provided components Allows for all business areas to rate their risk under a consistent methodology Iterative updates allow for users to see how changes affect overall risk ratings immediately Automated ranking of critical components Identification of resource risks associated with high-riskranked assets Customizable mapping of dependencies across resources, assets and business functions Immediately integrate lessons learned from reporting findings Conduct preliminary reports to identify regulatory and operational gaps Provides increased accountability for improvement integration Page 6 ServiceNow knowledge 2016

8 Getting started with the Resiliency Navigator The Resiliency Navigator is able seamlessly to integrate with existing ServiceNow functions and leverage existing data to execute a consistent risk-rating methodology. Identifying critical key business functions is the first step to getting started, followed by collecting business requirements based on enterprise-level risk rating definitions. The Resiliency Navigator then uses all of this information through the CMBD platform for provide risk ratings to all components, which then can be leveraged to map resource and asset requirements based on business needs or risk criticality. Map business functions to operating structures and assets Business functions identify risk ratings of their components Business continuity information Disaster recovery information Identify resiliency score and dependencies Map resources and asset requirements based on need People Resources Configuration information Performance dashboard and reports Governance, risk and compliance Page 7 ServiceNow knowledge 2016

9 Business and IT executives see value Value to CIO Accuracy of data entry and risk rating accountability Certainty or providing consistent functionality to business functions Ability to seize benefits in technology breakthroughs to reduce IT costs Consistent risk-rating framework for managing resiliency reviews and reporting Value to C-suite Regulatory compliance and increased internal reporting functionality Centralized methodology with a standardized resiliency definition and risk-rating process Alignment of business rules with the resiliency program Improved response capability of the business environment Value to CFO Long-term saving opportunities through consecutive improvement Shortened analysis and reporting schedules with increased accountability Centralized mechanism to measure resiliency improvement results and value Ability to better understand return on investment of resiliency funding and technology investments Page 8 ServiceNow knowledge 2016

10 Appendix A EY resiliency case studies Page 9 ServiceNow knowledge 2016

11 Case study Disaster recovery program, application services resiliency, and operational endurance review Client Client issue Key elements of work Benefits to client American multinational financial services corporation While this was a disaster recovery program review, the focus was on resiliency and maturity of the environment, specifically the inscope application services. Absence of application and infrastructure dependency mapping to provide end-to-end resiliency and recoverability Complex and mature environment with HA across sites Application in formation stored in multiple repositories but data quality and currency remain a big challenge Lack of consistency, completeness and quality of existing technical recovery documentation across the landscape Lack of a more granular and robust BIA process, including capturing the requirements for recovery point objectives Disaster recovery program, application services resiliency and operational endurance review EY used resiliency mapping methodology as the base to evaluate the resiliency and improvement opportunities for the application services environment across data centers Mapped the end-to-end application service, along with upstream and downstream dependencies, via a series of cross-functional meetings that included application service owners Used the EY BURN Enabler Tool to analyze data from TAI, SIMS, DNA and other sources, and Operations data based on interviews to perform a resiliency analysis Mapped the entire technology stack to HA configurations to identify gaps and opportunities Conducted a resiliency analysis of 23 applications and identified potential risk of not being able to meet the desired RTO of the primary application, based on the dependency mapping analysis and recovery tier mismatches Identified opportunities for improvement but found several that need to be executed by teams or areas other than enterprise disaster recovery, but impact the resiliency and recovery capabilities Established a governance and oversight mechanism that enables the clear articulation of requirements, raises concerns for discussion, and obtains direct feedback from key stakeholders about resiliency and operational endurance issues Established a framework to link critical business applications and supporting risk and severity ratings through to the technical components Page 10 ServiceNow knowledge 2016

12 Case study Business resiliency mapping Client Client issue Key elements of work Benefits to client Top 20 global bank No central repository, categorization or catalog of assets (including type, function and dependency) Business owners did not identify dependencies or productivity loss impacts over time to understand true risk exposure Resource requirements (facility, seating, equipment) were not maintained by area and relocation, causing oversubscription or critical assets were not identified due to assumptions that another group would make the asset available Business resiliency mapping Employed our proprietary Resiliency Analysis Model to map the four critical lines of business and conducted an analysis Mapped the business process value chain and supporting people, resource and asset requirements Mapped the recovery timeline to the asset availability, volumes and dependencies to calculate variances and establish resiliency scores and validated against data collected by the BIA Established a framework to conduct tabletop tests to confirm gaps and areas of risk exposure Defined options to provide effective staffing and resource (facilities, transport, equipment, etc.) availability in tiered timeline to support resiliency for 30 business days Client had a prioritized risk-andresiliency-rated matrix of business functions with recovery or asset gaps and potential risk exposure points Business owners were able to understand workload transfer capability and corresponding productivity changes over the duration of planned for outage serving as a resource shortage guide Business was able to focus on specific business functions to bolster access to asset and resource requirements and options based on tiered timeline through 30 days Client was unable to effectively identify areas of deficiency Page 11 ServiceNow knowledge 2016

13 Case study Business resiliency capability assessment Client Client issue Key elements of work Benefits to client Top 10 insurance firm Operations in each region and country worked in isolation, managing and contracting their own resources and assets No single program structure to support and promote consistency across the global enterprise Heavy investment in real estate and supporting equipment, forcing the business to rely on moving people instead of the workload across the landscape Regional operations center did not communicate with local offices to define workload volumes and absorption needs Each region and location performed testing in isolation Business resiliency capability assessment EY performed program assessment review based on a resiliency framework, culminating in two country-level tabletop tests Mapped critical business functions and corresponding risk exposures Reviewed information and granularity of the BIA and identified desired recovery timelines, which were then validated against the asset launch to operability timelines Established a resiliency framework to identify recovery variances and exposures by function and asset, including incremental requirements based on a tiered timeline Established a framework for a table-top test and conducted test to verify and confirm gaps in the current program Established an opportunities for improvement road map Risk office had a stratified opportunities for improvement and a resiliency improvement deployment road map used to obtain funding and support from the board of directors Business owners became aware of major gaps and specific actions to take to make certain there was adequate support for high risk locations, based on the resiliency index Enterprise crisis management was provided a single view of all asset requirements, forecasted utilization, and associated productivity loss rates for a 35-day business cycle Program was extended to mapping the technology resiliency supporting the business functions reviewed Page 12 ServiceNow knowledge 2016

14 Appendix B Team biographies Page 13 ServiceNow knowledge 2016

15 Biographies Paul Sussex Principal Technology Strategy Tel: Dan Stavola Executive Director Enterprise Service Automation Tel: Background Paul Sussex is a principal in the IT Advisory Services practice of Ernst & Young LLP. Paul works on complex IT transformation programs, helping clients improve how their IT capability adds value to their business, delivers efficiently and manages risk. Paul has extensive experience in IT infrastructure and operations, identity and access management (IAM), IT service management and IT risk management disciplines. Paul has more than 20 years of professional services experience working with Fortune 100 companies in the financial services industry. Selected experience: Engagement lead for an IT Service Management transformation program for a major financial service company resulting in more than $250 million in cost savings. Paul led a global team to identify business and technical requirements and defined an IT strategy to transform the IT organization from a product-orientated to a services-oriented provider. Developed a leading practice IT process framework and supporting metrics to promote standardized processes, tool consolidations and operational efficiencies. Engagement leader for a post-merger IT integration program for a major financial services company integrating IT infrastructure and operations. Designed, help implement and led program management functions to manage network, desktop and application integration (with zero client interruption) of more than 120,000 end-user devices in five countries. Led a project team to assess IAM infrastructure, processes and capabilities. The team also defined the future state operating model and multiyear road map to achieve maturity objectives, decrease risk and reduce overall cost. Background Dan Stavola is an executive director in Ernst & Young LLP s Strategic Technology Advisory Services practice, where he is responsible for the design and delivery of infrastructure and operations-based advisory services. As a practice leader and IT operations professional with more than 24 years of experience, Dan has worked with leading global financial services firms in the design and delivery of IT performance improvement programs, leveraging his deep industry knowledge and the pragmatic application of industry standards and leading practices. Selected experience: Served as the engagement lead and principal architect of a multiyear major IT transformation program. Focused on improving IT operations performance, the program consisted of current state operational assessment and base line, rationalization of all dimensions of IT resulting in cost rationalization, operating model redesign, IT optimization across the IT organization and a governing continuous improvement program. Served as the engagement lead in a data center consolidation of a banking and capital markets firm acquisition. The project included pre- and post-merger support, rationalization of technology and investment governance, as well as migration and consolidation of IT operations and application and infrastructure technologies. Served as the engagement lead and principal architect of a program risk management office for a highly complex data center separation for a banking and capital markets firm divestiture. The project included both project risk governance, investment protection and post-separation operational risk management Page 14 ServiceNow knowledge 2016

16 Biographies Nazir Vellani Senior Manager Tel: Luke Miller Manager Financial Services Advisory Tel: Background Nazir Vellani is a senior manager in Ernst & Young LLP s Advisory Services practice and has more than 22 years of technology and business consulting experience with a proven ability in business process reengineering, risk and resiliency, business continuity, disaster recovery strategy and planning, IT strategies and transformation, cost optimization and cloud computing focusing on leveraging current and emerging technologies for the financial and high-tech service industries. Selected experience: His recent project work includes teaming with the CIO and the senior executive team at a multinational financial services company to design and develop the enterprise level risk and resiliency operating model and business continuity program in alignment with the objectives set by the risk office. Provided program oversight for the development of the enterprise business continuity program strategy to obtain regulatory and audit compliance in Latin America and Asia- Pacific. Nazir has experience as a program director responsible for evaluating, developing and advising on an enterprise-level resiliency program focused on establishing operational endurance and designing supporting applications and infrastructure environments for resiliency, including responding to extreme cybersecurity breaches and events. He has served as an engagement director responsible for evaluating and establishing a strategy for a three-year $48 million operational resiliency program with a focus on linking the business process risk index with the underlying application services technology architecture. Background Luke Miller is a manager in Ernst & Young LLP s Advisory Services practice with more than 13 years of industry experience with a focus on technology strategy and transformation, risk and resiliency, and business continuity and disaster recovery planning and deployment. His career has spanned multiple lines of business within the financial services environments, where he has participated in disaster recovery failover tests, risk and resiliency assessments. In addition, Luke is able to combine his background and experience in infrastructure and data center architecture to deploy effective risk and resiliency models. Selected experience: Senior consultant responsible for assisting a global bank with the most extensive branch network in the US designing and developing a strategy for a data center facilities risk and resiliency model and framework. Primary focus was on developing the framework, scoring methods, and designing the operational model to be used by the global business continuity and risk group. Senior consultant for several private equity firms performing IT audits with specific focus on disaster recovery strategy and planning, including scripting and auditing the test failover of the environment. Performed IT audit according to the EY disaster recovery audit and fail-over risk and resiliency methodology using a 40-point validation program. Developed all required audit scoring and management reports for review and sign-off by the applicable risk and audit associates. Supported the design and development of an operating model focused on improving the overall resiliency of shared services to mitigate risks and failure points. Developed the operating model processes and subprocesses, including the deployment and sustainability guide. Page 15 ServiceNow knowledge 2016

17 Biographies Ben Winfrey Manager FSO Technology Strategy Tel: Background Ben Winfrey is a manager in Ernst & Young LLP s Financial Services Organization with more than eight years of industry experience in technology strategy and transformation, business continuity and disaster recovery planning and deployment, and isolated recovery services. Ben has participated across multiple industry lines including Insurance, retail banking, and the trading environments, where he has participated in IT audits, disaster recovery failover tests, and risk and resiliency reviews and assessments. Using his prior infrastructure and operations experience, Ben has participated in design for resiliency exercises using regulatory and industry leading standards including FFIEC, OCC, FINRA, ISO 27001, 22301, ITIL V3, and COBIT5. Selected experience: Leading a project to design, develop and deploy a framework to evaluate capital markets test criteria to meet and respond to a current MRA from the OCC to include governance, policies, collateral and an enablement tool to determine test criteria For a top-five retail bank, supported the design and development of an IT resiliency operating model to establish a tiered quality of service framework to support and enable overall service delivery and operations. Focused on defining the target state resiliency thresholds and developing the standard operating procedures and supporting process guides. Supported IT and business continuity and disaster recovery audit exercises, including the review and development of the risk control matrix, scoring method and validation of effective test controls aligned with the GAAS principles. Supported the development of a standard audit toolkit and business continuity and disaster recovery audit operating model and methodology for a large insurance firm located in Peoria, IL Designing an isolated recovery services strategy framework to prove the sequencing and certification method required to restore T0 and T1 enablement layers from an extreme data loss condition Page 16 ServiceNow knowledge 2016

18 Appendix C Enablers and accelerators Page 17 ServiceNow knowledge 2016

19 EY s resiliency enablers Resiliency accelerator Business function alignment Resources and technology supporting component alignment Six Sigma mapping and FMEA methodologies EY and ServiceNow Resiliency Navigator Page 18 ServiceNow knowledge 2016

20 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US Ernst & Young LLP. All Rights Reserved ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com