TSC Business Continuity & Disaster Recovery Session
Mohamed Ashmawy, Infrastructure Consulting Pursuit, Hewlett-Packard Enterprise Saudi Arabia
Mohamed.ashmawy@hpe.com
Session Objectives and Outcomes
Objectives:
- Share the key aspects of BCDR
- Business Impact Analysis service walkthrough
- Risk Assessment service walkthrough
Outcomes, a common understanding of:
- Business Impact Analysis
- Risk Assessment
- Existing delivery capabilities
- Next steps
Agenda
1. Industry Outlook and Challenges
2. HPE Transformation Area 2 Point of View
3. Business Continuity Management Key Aspects
4. Business Impact Analysis
5. Risk Assessment
6. GFS Capability Overview
7. HPE Value Differentiation & Next Steps
Industry Outlook & Challenges
Gartner Predicts 2015: Business Continuity Management and IT Disaster Recovery Management
- Demand over legacy backup applications
- In 2015, focus on improving operational resilience with more automation
- By 2018, 50% of organizations will use managed failovers
- By year-end 2020, 15% of organizations will fail due to inadequate protection
Source: Gartner Predicts 2015
Why we should focus on BCDR
Market forecasts and analysis, business potential: according to the Research and Markets agency, the GRC solutions and services market, including BC & DR, will grow at a 14.7% CAGR to $31.77 billion through 2020, approximately three times the growth rate of the overall GRC market from 2015.
How much of this can we capture? BIA & RA services are critical steps to generate more and more BCDR opportunities.
Source: http://www.businesswire.com/news/home/20150625005495/en/research-Markets-Enterprise-Governance-Risk-Compliance-Market#.Vd6la_mqqko
Gaps in Today's BC & DR Arrangements (Market Demand)
Lack of DR planning, testing and resources:
- 60+% do not have a fully documented DR plan
- Of the remaining 40%, the DR plan did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario
- Almost 65% of enterprises are failing in DR testing
Financial impact due to service outage:
- 36% of organizations lost one or more critical applications, VMs, or critical data files for hours at a time over the past year
- 20% of organizations indicated losses of more than $50000 to over $5Mn
Major causes of outages:
- 50% software failure + network failure
- 23.5% human error
- 24% power failure
- 2.5% weather
Source: Disaster Recovery Preparedness Benchmark Survey (DRP)
Let's hear your voice!
Open the HPE Events App and answer the following question to participate: Do you leverage automation and orchestration in your disaster recovery plans in order to improve business outcomes?
HPE Transformation Area 2 Point of View
HPE Transformation Areas
- Transform to a hybrid infrastructure
- Protect your digital enterprise: protect your most prized digital assets whether they are on premise, in the cloud or in between
- Enable workplace productivity
- Empower the data-driven organization
Protect your digital enterprise
Protect (build it in): Identify the threats you face, assess your organization's capabilities to protect your enterprise, harden your applications, protect your users, and encrypt your most important data.
Detect & Respond (proactively detect and manage breaches): Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.
Recover (safeguard continuity and compliance): Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.
BIA and RA services fall under Recover.
HPE Business Continuity Management Key Aspects
HPE Business Continuity 5 Step Approach
[Figure: HPE BCM Framework cycle with five steps: 1 Understanding your Business, 2 Building Resiliency & Continuity Strategies, 3 Develop & Implement BCM Response, 4 Building & Embedding BCM Culture, 5 Exercising, Maintenance & Audit; framed by Global Best Practices & Standards Alignment, Business Continuity Program Management and Business & Compliance Requirements]
1. Understanding the Business: criticality, compliance mandate, data center operations and support services, to identify continuity & recovery requirements.
2. Building Resilience and Continuity Strategies on the basis of the continuity-related risks identified in the BIA and RA.
3. Developing and Implementing a Response Plan to respond to and manage service disruptions.
4. Institutionalizing the Business Continuity framework & processes as part of operations to build Business Continuity maturity.
5. Exercising Business Continuity readiness; updating of BC plans and independent audit.
Business Continuity Management Framework
BCM Governance: Policies & Standards; Roles & Responsibility guide; BCM Program Management Office; Management Review.
Understand Business Requirements: Business process identification, priority & criticality; Compliance statement; Planning structure; Business Impact Analysis; Risk Assessment; Interdependencies; Third-party interdependencies; Recovery requirements; IT dependencies; Service Level Agreements (SLAs); Interruption insurance.
Business Continuity Strategies (BC plan, design & implementation): People and process; Alternative strategies against the results of the BIA exercise; Third-party continuity strategies; IT operational process requirements; Single point of failure mapping; IT resiliency & recovery strategy.
Business Continuity Plans: Crisis Management Plans; Crisis Communication Plans; Command Center Plan; Pandemic Response Plan; Emergency Response Plan; Business Resumption; Work Area Recovery (Facilities) Plan; Return to Home Plan.
Technology Disaster Recovery Plans: Incident Management Plan; Recovery strategy design; Failover and failback strategy design; Data backup and restoration plan design; Plan administration; Post-mortem analysis and reporting; DR testing and simulations; Post-mortem process.
Audit & Compliance: Plan audit; Compliance report as per legal, regulatory and contractual requirements.
Exercise and Testing: On-going improvements.
Plan Maintenance: Training and awareness; Align newly designed/revised strategy/plans with regulatory requirements; On-going improvements.
The HPE BCM Framework is aligned to the ISO 22301 standard.
Business Impact Analysis Service
Objectives:
- Identify operational and financial impacts due to business disruptions
- Identify minimum operating requirements
Challenges:
- Lack of knowledge of the financial, reputation and legal impact on the organization
- No process classification to document the criticality of organizational assets
- Associated process interdependencies not identified
- No established acceptable downtime and recovery level for critical processes
- Identifying operating requirements is aimed only at minimising financial and operational impacts
- Resource requirements necessary at the time of a disruption not identified
How an incident is managed
A BCP is a set of advance arrangements to increase organizational resilience through availability of critical processes at acceptable levels and downtimes.
[Figure: Level of Operations over Time. Operations run at the Normal Level until an incident causes a disruption; operations are restored to the MOR Level within the RTO (e.g. 2 wd), MOR delivery continues (e.g. 5 wd) until the Normal Level is regained; crisis duration e.g. 7 wd.]
RTO: Recovery Time Objective
MOR: Minimum Operating Requirements
Key Terminologies
BIA is the process to predict and review the consequences of disruption of a business function / activities, and gathers the information needed to develop appropriate recovery strategies.
BIA helps to identify:
- Process classification (Critical / Key / Others)
- Minimum operating requirements (RTO, MOR and RPO)
- Key resources (people, IT and infrastructure, 3rd-party vendors, documentation)
BIA output drives the necessary recovery strategies (backup plan) for the following outage scenarios: site, city, country, people and technology.
RTO (Recovery Time Objective): the duration of time by which a business process / activity must be resumed.
MOR (Minimum Operating Requirements): MOR (expressed as head count) to ensure recovery of operations to a predefined service level.
RPO (Recovery Point Objective): the duration of time of acceptable data loss.
Process: a cluster of activities which produce a defined outcome. Unified processes, not multiple processes with a similar name (e.g. Budgeting, Payroll Management, Event Management within Marketing).
Function: an entity or team which is typically characterized by a special area of knowledge or experience (HR org-wide function, Payroll org-wide function, Marketing function).
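The following is an added example, not material from the HPE deck: it takes the RTO, RPO and MOR values a BIA records for each process and checks them against what the current recovery arrangements actually deliver (restore time measured in a DR test, backup interval, seats at the alternate site), then orders processes for recovery by the Critical / Key / Others classification. The process names, hours, head counts and strategy capabilities are constructed sample values, and the `BiaRecord` / `RecoveryStrategy` structures are this example's own, not an HPE template.

```python
# Added example (not part of the HPE deck): checking a recovery strategy
# against the BIA parameters defined above (RTO, RPO, MOR) and deriving a
# recovery sequence from the Critical / Key / Others classification.
# All process names, hours, head counts and strategy capabilities are
# constructed sample data, not figures from the presentation.
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaRecord:
    process: str
    classification: str   # "Critical", "Key" or "Others", as in the BIA
    rto_hours: float      # Recovery Time Objective: must be resumed within this time
    rpo_hours: float      # Recovery Point Objective: acceptable data loss window
    mor_headcount: int    # Minimum Operating Requirements, expressed as head count


@dataclass(frozen=True)
class RecoveryStrategy:
    process: str
    restore_hours: float          # time the last DR test needed to bring the process back
    backup_interval_hours: float  # worst-case data loss is one backup interval
    alternate_site_seats: int     # staff that can work on the process from the alternate site


# Constructed sample BIA workbook (hypothetical processes and values).
SAMPLE_BIA = [
    BiaRecord("Payroll Management", "Critical", rto_hours=24, rpo_hours=4, mor_headcount=5),
    BiaRecord("Budgeting", "Key", rto_hours=120, rpo_hours=24, mor_headcount=2),
    BiaRecord("Event Management", "Others", rto_hours=336, rpo_hours=168, mor_headcount=1),
]

# Constructed sample of what the current DR arrangements actually deliver.
SAMPLE_STRATEGIES = [
    RecoveryStrategy("Payroll Management", restore_hours=36, backup_interval_hours=24, alternate_site_seats=6),
    RecoveryStrategy("Budgeting", restore_hours=72, backup_interval_hours=24, alternate_site_seats=1),
    # Event Management has no documented strategy at all.
]


def find_gaps(bia, strategies):
    """Return (process, reason) pairs for every BIA requirement the strategy misses."""
    by_process = {s.process: s for s in strategies}
    gaps = []
    for rec in bia:
        strat = by_process.get(rec.process)
        if strat is None:
            gaps.append((rec.process, "no recovery strategy documented"))
            continue
        if strat.restore_hours > rec.rto_hours:
            gaps.append((rec.process, f"RTO missed: restore takes {strat.restore_hours}h, objective {rec.rto_hours}h"))
        if strat.backup_interval_hours > rec.rpo_hours:
            gaps.append((rec.process, f"RPO missed: up to {strat.backup_interval_hours}h of data loss, objective {rec.rpo_hours}h"))
        if strat.alternate_site_seats < rec.mor_headcount:
            gaps.append((rec.process, f"MOR missed: {strat.alternate_site_seats} seats, {rec.mor_headcount} needed"))
    return gaps


CLASS_RANK = {"Critical": 0, "Key": 1, "Others": 2}


def recovery_sequence(bia):
    """Order processes for recovery: most critical class first, shortest RTO first within a class."""
    return sorted(bia, key=lambda r: (CLASS_RANK[r.classification], r.rto_hours))


if __name__ == "__main__":
    for process, reason in find_gaps(SAMPLE_BIA, SAMPLE_STRATEGIES):
        print(f"{process}: {reason}")
    print("Recovery sequence:", [r.process for r in recovery_sequence(SAMPLE_BIA)])
```

On the sample data the check reports that Payroll Management misses both its RTO and RPO, Budgeting cannot seat its minimum head count, and Event Management has no strategy at all; those are exactly the gaps a BIA summary report would hand to the recovery-strategy phase.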
BIA Concepts
Proven risk assessment methodology aligned to ISO 31000
BIA defines the priorities for recovery of critical operations. Identifying and evaluating the impact of disasters on the business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.
Evaluate the potential business impact of a process not being performed:
- Tangible impacts: financial exposure
- Intangible impacts: brand / reputation; legal and regulatory; customer satisfaction
Business Impact Analysis Methodology
Comprehensive impact analysis to determine critical recovery requirements.
Understand: Process understanding; Process mapping; SPOC identification.
Assess: BIA workshop; Questionnaire response; Moderation and review.
Establish: Establish RTO and RPO; Identify dependencies; Identify resource requirements.
Document: Document BIA workbook; Prepare BIA report; Management sign-off.
Characteristics: Structured and targeted focus reviews; Classification of in-scope processes into a criticality continuum; Knowledge of recovery requirements; Establishing internal & external dependencies; Independent review with SMEs; Alignment to the organization's strategic goals; Interviews, workshops, templates.
Deliverables
1. Kick-off Presentation
2. BIA Walkthrough Presentation
3. BIA Template
4. BIA Summary Report
5. Closing Presentation
How can we help customers?
- Facilitating information gathering and reviewing relevant documentation
- Developing process flow diagrams, mapping key internal and external dependencies
- Determining recovery parameters and critical activities for business processes
- Establishing the correct sequence of recovery activities
- Determining the critical resource requirements
We're certified within our profession, and we're certified by our alliance partners. We're experienced, we're present, and we're trusted.
What benefits can customers get?
Risk Assessment Service
Objectives:
- Holistic view of all business continuity-related risks
- Minimize organizational losses
- Ensure risks are within the organization's risk appetite
- Implement effective governance
Challenges:
- Lack of knowledge of key continuity risks
- Lack of visibility around potential threat sources to the business
- Residual risks not identified and evaluated
- Non-standard mitigation plans against risks to their business
- Inadequate / outdated risk assessment documentation
Managing risk is about creating value out of uncertainty.
Risk Assessment Methodology
Proven risk assessment methodology aligned to ISO 31000
Key Terminologies
RA is a process that identifies risks, ranks them by likelihood and impact, and implements plans to mitigate these risks.
RA helps to identify:
- Key risks to the organization
- Strength of existing controls
- New controls for implementation
- Effective governance structure
RA output drives the necessary mitigation plans to be implemented.
Key terms:
- Low risk: the risk merits management awareness, but does not require remedial action
- Medium risk: overall risk is manageable with some senior management intervention and remediation
- High risk: the risk is significant and strong remediation is required
Risk Concepts
- Risk is the effect of uncertainty on objectives.
- Organizational objectives can be strategic, tactical or operational.
- Effect: deviation from the expected, positive or negative.
- Risk is often expressed in terms of a combination of the consequences of an event and the likelihood of its occurrence.
- High / Medium risks can be treated, transferred, terminated or tolerated.
Risk Assessment Methodology
Understand: Process understanding; Process mapping; SPOC identification.
Assess: Defining risk methodology and risk appetite; Evaluating risks; Computing residual risks.
Mitigate: Define mitigation plan; Assign timelines and owners; Prioritize mitigation actions.
Document: Document risk register; Prepare risk report; Management sign-off.
Characteristics: Clear deliverables; Structured methodology; Aligned to best practices; Compliance with industry standards; Independent review with SMEs; Alignment to the organization's strategic goals; Interviews, workshops, templates; Long-term governance centric.
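As an added example (not from the HPE deck), the register below implements the Assess and Mitigate steps just listed together with the Low / Medium / High terms defined on the Key Terminologies slide: each risk is scored by likelihood and impact, a residual score is computed against the existing controls, the residual is rated, and the register is ranked with the entries above the risk appetite flagged for a mitigation plan. The deck defines the three ratings only in words, so the 1-5 scales, the numeric thresholds, the control-effectiveness formula and the appetite value are assumptions of this example; the risk names and numbers are constructed sample data (themed on the outage causes cited earlier in the deck).

```python
# Added example (not part of the HPE deck): a small risk register that scores
# each risk by likelihood and impact, computes a residual score after existing
# controls, rates it Low / Medium / High and ranks it for mitigation.
# The 1-5 scales, the thresholds, the control-effectiveness formula and the
# risk-appetite value are assumptions for illustration; the deck defines the
# three ratings only in words. Risk names and numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigating), assumed


# Assumed rating thresholds on the residual score (maximum 25).
HIGH_THRESHOLD = 12
MEDIUM_THRESHOLD = 6


def inherent_score(risk):
    """Likelihood x impact before any control is considered."""
    return risk.likelihood * risk.impact


def residual_score(risk):
    """Inherent score reduced in proportion to control effectiveness (assumed model)."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness))


def rating(score):
    """Map a score onto the deck's Low / Medium / High terms using the assumed thresholds."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def prioritize(risks, risk_appetite):
    """Rank risks by residual score (highest first) and flag those above the risk appetite.

    Returns one risk-register row (a dict) per risk."""
    rows = []
    for r in risks:
        res = residual_score(r)
        rows.append({
            "name": r.name,
            "inherent": inherent_score(r),
            "residual": res,
            "rating": rating(res),
            "above_appetite": res > risk_appetite,
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample risks, themed on the outage causes cited earlier in the deck.
SAMPLE_RISKS = [
    Risk("Power failure at primary data center", likelihood=3, impact=5, control_effectiveness=0.6),
    Risk("Human error during change deployment", likelihood=4, impact=3, control_effectiveness=0.25),
    Risk("Network failure between primary and DR sites", likelihood=3, impact=4, control_effectiveness=0.0),
    Risk("Severe weather affecting site access", likelihood=1, impact=4, control_effectiveness=0.0),
]
SAMPLE_RISK_APPETITE = 8  # assumed: residual scores above this need a mitigation plan


if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS, SAMPLE_RISK_APPETITE):
        print(row)
```

The point of separating inherent from residual scoring is the "Strength of existing controls" item on the terminology slide: the power-failure risk has the highest inherent score in the sample, but a reasonably effective control (generator and UPS, say) brings it down to Medium and below the appetite, while the uncontrolled inter-site network risk stays High and goes to the top of the mitigation list.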
Deliverables
1. Kick-off Presentation
2. RA Walkthrough Presentation
3. RA Questionnaire
4. Risk Register
5. RA Summary Report
6. Closing Presentation
How can we help?
- Facilitating information gathering and reviewing relevant documentation
- Developing process flow diagrams, mapping key internal and external dependencies
- Determining residual risk for business processes, sites and the organization
- Establishing necessary mitigation plans for the various identified risks, in line with the risk appetite
- Assisting in the closure and ongoing evaluation of continuity risks
We're certified within our profession, and we're certified by our alliance partners. We're experienced, we're present, and we're trusted.
What benefits can customers get?
HPE Value Differentiation
Our Value Differentiation
- Help to identify single points of failure
- Assurance to reduce cost of operations
- Drive customer satisfaction: enhance brand value, drive top-line growth & reduce the cost of non-performance
- Drive a consistent customer experience
- Support to improve service availability
- Reduce service disruptions
- Help to provide regulatory compliance assurance
Let's hear your voice!
Open the HPE Events App and answer the following question to participate: State 2 of the building blocks to achieve BCDR.
Questions
Thank You
Mohamed Ashmawy, HPE TSC Pursuit Saudi Lead
Mohamed.ashmawy@hpe.com