Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

Transcription

1 Resiliency Model A Holistic Approach to Risk Management Discussion Outline Defining the Challenges and Solutions The Underlying Concepts of Our Approach Outlining the Resiliency Model (RM) Next Steps The Resiliency Model has been developed in collaboration with the Software Engineering Institute of the Carnegie Mellon University -- Network Survivability Program Group 2. Defining the Challenges and Solutions Resiliency Model A Holistic Approach to Risk Management 3. 1

2 What are the challenges? Increasingly complex business processes Escalating risk environments Regulatory compliance challenges Lack of good measurement tools Growing interdependency exposures 4. Solution A Resiliency Model Framework & Tool Kit Developing a consensus view of WHAT we should be doing to manage risk efficiently Compiling a taxonomy of terms to facilitate better communication Taking a systematic process improvement approach to risk management Identifying metrics and a benchmarking tools 5. Justifying the Resiliency Investment Organizations must be able to systematically evaluate their ability to respond to potential threats Provides companies with tools to understand how best to direct resiliency spending Technology vendors gain a clear picture of how to deliver products and services in a manner that supports bank risk-management needs Evolution of resiliency standards will help to address the concerns of regulators and shareholders 6. 2

3 The Underlying Concepts of The Approach Resiliency Model A Holistic Approach to Risk Management 7. Resiliency - the ability of an enterprise to adaptively respond to potentially disruptive events. Traverses every part of an enterprise: People Technology Facilities Business processes Third-party relationships etc. Resiliency increases the value of an enterprise - as long as you don t overspend trying to achieve it! 8. Balancing the Approach No Prescriptive Solutions Unique Organizational Drivers Source Carnegie Mellon Software Engineering Institute Managing Cost 9. 3

4 What Does Resiliency require? A structured approach and framework A common language to talk about the concept and practice of resiliency A standard means to measure an organization s resiliency An enterprise view In the past organizations have relied on a hodge-podge of expensive, potentially ineffective, and disconnected attempts to achieve resiliency -- that could fail at any critical juncture. 10. The Overlap of Practices Security Business Continuity IT Operations ITIL BS7799 DRII/DRJ COBIT Origin/primary area Complimentary area Source Carnegie Mellon Software Engineering Institute 11. Why process over practices? Process Describes the what Set and achieve process goals Actively manage process to performance requirements Select practices based on process goals, not on other factors Practice Prescribes the how Are there practice goals? Tends toward set and forget mentality Reinforce domain-driven approach One size does NOT fit all Often the vehicle for regulation 12. 4

5 Bringing the Pieces Together A Key Objective Source Carnegie Mellon Software Engineering Institute 13. Resiliency Model Framework Specific Practices & Activities Regulations & standards IT service & operations practices Capability Framework Ability to determine the capabilities and to identify the process and interaction between them Ability to look at the intersection to derive what needs to be done to sustain the business and address resiliency objectives Source Carnegie Mellon Software Engineering Institute 14. Resiliency Management - Three of the Significant Elements: 1. Managing resiliency is managing risk A shift of focus to a comprehensive view of risk Examining an enterprise s level of risk tolerance as a strategic issue and based on core mission 15. 5

6 Resiliency Management Quality Approach 2. Achieving resiliency goals requires process improvement Encouraging a structured approach to establishing resiliency goals, process based, measuring performance, and creating the most value 16. Resiliency Management Capabilities Based 3. Resiliency derives from many specific capabilities Doing many things well A resiliency model identifies the capabilities that contribute to resiliency, and guides the efforts to develop and improve them 17. Resiliency Model Capability Areas The Outline is divided into 8 Categories Enterprise People Technology Assets and Infrastructure Information and Data Physical Plant Resiliency Relationship Management Resiliency Delivery Sustaining Resiliency Key Resiliency Capabilities Defined for each Category 42 capabilities documented with characteristics/goals 18. 6

7 Toward continuous improvement Source Carnegie Mellon Software Engineering Institute 19. Outlining the Resiliency Model Resiliency Model A Holistic Approach to Risk Management` 20. FSTC Resiliency Model Project Built on the foundation of the FSTC Compliance Project Phase 1 began in April, 2005 and concluded in September Phase 2 is scheduled to be completed in mid-2006 Project Team: FSTC member institutions Leading industry vendors Software Engineering Institute of the Carnegie Mellon University -- Network Survivability Program Group (a leader in developing methodologies for maturity modeling) 21. 7

8 FSTC Resiliency Model Project Team Ameriprise Financial Bank of America Capital Group Citigroup Discover Financial DRII DRJ Federal Res Bank of NY Interisle Consulting IBM JPMorgan Chase Key Bank KPMG Marshall & Ilsley MasterCard SunGard Trizak USBank Wachovia 22. RM Project Phase 2 Activities: Finalize and freeze the Resiliency Framework Questionnaires to gather data for model refinement Conduct pilots at participant organizations field testing Conduct a robust exploration of metrics with base set of measurements required to institutionalize the model Release of a full Resiliency Framework to the industry/public 23. Resiliency Model will help... Identify a level of adequate resiliency, attain it and learn to sustain it Provide a continuous improvement process to drive down cost and improve efficiency - consistently Facilitate an ability to measure the resiliency process and know it is efficient Provide a benchmark to assess capabilities for attaining and sustaining resiliency relative to peers, industry & third parties Support regulatory compliance through a structured process rather than a reactive, ad-hoc process 24. 8

9 Resiliency model -- what it will not do... Prescribe a solution Each organization determines and defines its approach based on its unique perspective and cost/risk appetite Provide a one time project or activity The model uses a continuous process improvement approach Provide the best practice for resiliency The focus is on what needs to be done versus how-to 25. Resiliency model -- Structure Capability area broad categories that define high level building blocks of the Framework 1 Capability a competency that contributes to an organization s resiliency 1.1 Major Goals defines the intent and target of the capability Significant Activities and Tasks 26. Resiliency Model Capability Areas The Outline is divided into 8 Categories Enterprise People Technology Assets and Infrastructure Information and Data Physical Plant Resiliency Relationship Management Resiliency Delivery Sustaining Resiliency Key Resiliency Capabilities Defined for each Category 42 capabilities documented with characteristics/goals 27. 9

10 Enterprise Capability Area Enterprise Focus Strategic View Resiliency Governance Resiliency Standards and Policies Resiliency Planning Resiliency Requirements Management Risk Foundation for Resiliency Compliance Management Business Process Management Resiliency Resource Management 28. People Capability Area Workforce Competencies Resiliency Workforce Training Resiliency Workforce Management Human Resources Management Resiliency Awareness and Outreach 29. Technology Asset & Infrastructure Capability Area Technology Asset Management IT Operational Resiliency Software and Systems Resiliency Management

11 Information and Data Capability Area Information Asset Management Physical Plant Capability Area Resiliency Facility Management Enterprise Facilities Management 31. Resiliency Relationship Management Capability Area Internal Partnerships Business Partner Management Stakeholder Relationship Management Resiliency Partner Management Public Authority Relationship Management Contract Management 32. Resiliency Delivery Capability Area Resiliency Support Technology Continuity Planning Continuity Planning Validation Recovery Planning Restoration Planning Communications Event Identification and Analysis Crisis management

12 Sustaining Resiliency Capability Area Inter-Group Coordination Resiliency Process Management Quality Assurance Resiliency Services Definition Resiliency Service Delivery Auditing and Monitoring 34. Next Steps Our Vision Resiliency Model A Holistic Approach to Risk Management 35. Next Steps First version of the Resiliency Model Framework to be released mid-summer 2006 Gather feedback and multi-industry input Distribution of a notional assessment methodology Institutionalize the model via wide-spread usage Development of course training materials to accompany the framework Resiliency Model Vision Setting a New Standard

13 Resiliency Model Vision Setting a New Standard Resiliency Concept 3Q 04 Roundtable Phase 1 3Q 05 Exploration Framework Outline Taxonomy Self Assessment Whitepaper Phase 2 3Q 06 Maturation & Testing Framework Version 1 Capability Levels Metrics Exploration Empirical Validation Process Improvement Methodology 37. Phase 3 & Beyond Institutionalization Multi- industry Usage Multi-national Usage Benchmarking Database Ongoing Resiliency Model Management Infrastructure 37 Questions? 38. Additional Information or Interest in Becoming Involved In Project Charles Wallen Managing Executive Business Continuity Standing Committee charles.wallen@fstc.org (972)