
Telling the Truth in Business Continuity



Presentation Transcript


  1. Telling the Truth in Business Continuity Kathleen Lucey Montague Technology Management, Inc. kalucey@montaguetm.com tel: 1.516.676.9234

  2. What is your BCM Program’s “Reason to Live” • What is the primary reason for the existence of your BCM program? • Regulatory requirement • Audit requirement • Technology recovery capability • Prudent business control • An integral and ongoing part of the firm’s business

  3. Risks, Mitigation, and Scenarios • Do you know your risks and their impacts: • Infrastructure: fire, loss of power, equipment failure • Production Line Single Points of Failure • Employees • Reputation • Outsourcers and Suppliers • Climate-related regional events • Civil Disorder/Attack • Are strategies in place to lower the probability of controllable risks, and to continue critical operations within tolerance levels if an interruption does occur? • Which interruption scenarios have you included?

  4. Business Continuity: Supplier Outage or Transport Issue; Employee Unavailability; Information Security; Mission-critical IT Systems; Mission-Critical Physical Infrastructure; Environmental Topology; Civil Unrest, War; Maintenance and Service Contracts; Change Control Process; Power Disruption; “Stay In Business” Requirements; Contingency Plans; Audit and Reporting Functions; Mission-critical IT Systems; Incident Procedures and Review Processes; Disaster Recovery Plans; Denied Facility Access; Testing and Training; Insurance Policies; Weather Events; Regulatory Mandate. © Montague Technology Management, Inc. 2006, All rights reserved.

  5. INTERRUPTION EVENTS SOLUTIONS Disaster Recovery “Worst-Case” Scenario Minor Interruptions Availability Core Business Value Chain Processes Everyday Blips Reliability Process Dysfunctions Engineering © 2006 Montague Technology Management, Inc. All rights reserved.

  6. Interruption Scenario Characteristics • Time / day of incident • Damages type: Building infrastructure, reputation, regional infrastructure • Personnel injuries • Effects on critical operations • Area: premises, building, small area, region • Duration

  7. Business Continuity Teams Information Technology Recovery Teams INTERRUPTION MANAGEMENT MODEL Initial Crisis Management Interruption Management Team Executive Oversight Team Employee Support EMT Government Liaison Emergency Funding Media Relations Team Transportation, Communications Emergency Logistics Command Center Support Team Physical Security HAZMAT Admin. Services Damage Assessment Business Continuity Coordination Insurance Liaison Recovery Management Business Recovery Coordination IT Recovery Coordination Purchasing Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration © 2006 Montague Technology Management, Inc. All rights reserved.

  8. BCM Program Content • Does your BCM contain the following: • Crisis Communication and Management Procedures? • Business Unit Recovery Procedures? • Technology Recovery Procedures? • Supplier Failure Compensatory procedures? • Restore/Relocation procedures? • Are all involved parties trained and committed to their BC responsibilities? How do you know? • How do you know that all of these will be effective when needed?

  9. BCM Program Approvals • Is your BCM Program approved by: • Internal and External Audit? • Regulator(s)? • CIO? • Risk Committee of the Board? • You? • Which of these matters most and why?

  10. “Walking the Walk” • Can you demonstrate that your program is a successful ongoing permanent business function? • Annual budget? • Status Reporting to annual objectives? • Sufficient human and financial resources? • Inclusion of BCM in Performance Evaluations? • Appropriate Reporting Relationship?

  11. “Walking the Walk” • Achievement of high verisimilitude in test scenarios? • Proven ability to meet RPOs? Resolving all data synchronization issues? • Proven ability to meet RTOs for App service continuity in high verisimilitude scenarios? Including all interfaces? • Supplier SLAs for BCM? Penalties? • Inclusion of BCM on task forces for strategic firm actions, such as acquisitions, strategic software implementations, HR Policies, Insurance, etc. etc.?

  12. BCM Program Testing In your exercise program, do you: Test to discover inadequacies? or Test to meet achievable objectives?

  13. BCM Program Manager Objectives • What are your real objectives: • Ensure your firm survives any interruption. • Keep the auditors/regulators happy. • Keep your boss happy. • Keep your job.

  14. Confirmation of Objectives • What are the objectives of your management, board, stockholders: • Do what is necessary to proactively lower risks and protect employees, while ensuring that the firm survives any interruption with the least damage. • Meet the requirements of an external standard, such as NFPA 1600 or BS 25999. • Spend the least possible to keep the auditors/regulators off their backs. • BCM is an IT-only issue and it is the responsibility of the CIO to balance this against competing IT priorities.

  15. Discontinuity of Objectives • Clues that there are problems: • Objectives identified by inference • Underdeveloped emergency communications and procedures • No BCM Program budget or annual objectives • Testing program inadequate but “successful” • BCM function reports to IT • BCM is not discussed at Sr. Management or Board Meetings • High BCM Program Manager anxiety

  16. Identification of Gaps • Verify existence and completeness of BCM Program components: see standards • Use table-top testing to illustrate gaps • Confirm objectives of all parties • Calculate costs for BCM Program • Calculate benefits of the existing BCM Program (hint: there may be an ROI problem here.)

  17. Propose a Plan to Close Gaps • Identify priorities of stakeholders • Identify sponsors and work with them • Offer corrective plan at 3 levels: nothing, necessary improvements over time, much improvement in a short time • Present to the right audience • Document approved BCM Program objectives for the next budget period • Propose a budget; adjust to cutbacks • Document the detailed effect of budget cutbacks: don’t try to be a hero! • Improve the Cost/Benefit ratio!

  18. Implement the Approved Operating Plan and Budget • Make all costs visible • Make progress to approved operating plan visible • Document EVERY incident; do whatever possible to ensure that it does NOT happen again. • Request BCM operating plan/budget changes when priorities or conditions change; work with sponsors • Don’t try to be a hero! • Improve the Cost/Benefit ratio by calculating all costs and benefits • Measure and document all progress achieved by year-end.

  19. Keys to Success • Confirm objectives of all stakeholders and resolve discontinuities • Implement the will of Senior Management: • Help them to frame their requirements • Do the work • Make it visible • Document it • Report back to stakeholders • Insist on managing your own budget, whatever its size • Don’t try to be a hero! • If you treat this like any other permanent ongoing business function, others will eventually come around to the views of your sponsors.

  20. Keys to Success • A false sense of safety from an inadequate BCM Program is DANGEROUS. Don’t be a source of danger. • Be reliable and visible: do what you say, say what you do • Set objectives and meet them • Look for ways to improve and implement them • Be visible: Status Reports, Newsletters, Awareness Programs • Avoid surprises wherever and whenever possible • Educate and create awareness

  21. And in closing • Be reliable • Tell the truth as you know it, but be smart in how you do it. Don’t be a HERO! kalucey@montaguetm.com tel: 1.516.676.9234
