
Governance and Risk Management Live

Governance and Risk Management Live. 5 June 2007, Emirates Stadium, London. Business Continuity and Resiliency. Robin Gaddum, IBM Business Continuity & Resiliency Services, Managing Consultant, gaddumr@uk.ibm.com.


Presentation Transcript


  1. Governance and Risk Management Live. 5 June 2007, Emirates Stadium, London

  2. Business Continuity and Resiliency. Robin Gaddum, IBM Business Continuity & Resiliency Services, Managing Consultant, gaddumr@uk.ibm.com

  3. Agenda
  • IBM's best kept secret..?
  • The real-life challenges of incident management
  • Technology demonstration
  • The governance and risk management challenge
  • Case studies
  • Introducing Data Continuity

  4. IBM BC&RS is one of the largest and most capable full-spectrum Business Continuity Providers in the world today
  • Over 150 recovery locations serving more than 75 countries
  • Over 5,000,000 ft² of facility space
  • Over 40,000 work area positions
  • And growing

  5. 22 recovery locations in the UK alone (service categories: Consulting and Tools; Workplaces for Critical Business; Datacenter facilities)

  6. IBM's comprehensive set of services & solutions address the market's advancing continuity management & resiliency needs (service categories: Consulting and Tools; Workplaces for Critical Business; Datacenter facilities)

  7. IBM's Crisis Response Team has responded to over 70 major disasters including earthquakes, hurricanes, tsunami, volcanoes, floods and 9/11. "The IBM Crisis Response Team played a key role in our recovery." President Flores, El Salvador, January 2001

  8. The current focus of the business continuity and security market is on deliberate attack, accident and natural disaster
  • Threat of liquid explosives on airplanes (transport infrastructure)
  • 7 July 2005 suicide bombings
  • Buncefield oil depot explosion
  • Avian and pandemic influenza
  • Hot dry summers, flooding and severe weather
  (Slide groups these under three headings: Natural disaster; Deliberate attack; Accident)

  9. Recent event experience has highlighted failings in crisis management and Business Continuity planning
  • Failure to plan for the most probable worst-case scenario
  • Communications is key:
    • Surge in capacity utilisation leading to localised service losses (mobile networks and in-house switches)
    • Accounting for staff (9/11 and 7/7)
    • Reassuring relatives and supporting families (specialist HR cell)
    • Situational awareness (facts still emerging)
    • Assessing staff availability for work and tasking
  • 'Slow burn' situations like the pandemic threat present different challenges
  • People as an essential resource are generally overlooked, or there is an implicit assumption that people will be available
  • Some crises are 'PR only'

  10. Hurricane Katrina was the most probable worst-case scenario that should have been planned for in New Orleans, and wasn't
  "Communications was a major issue. That was a complete surprise. The first challenge we had was that we could not find people because the cell phone systems came down."
  "IBM provided support in areas that we never thought of and weren't even in our contract. For example, more than 250 of our employees lost their homes and all their possessions. IBM provided access to trauma [counsellors]. They also helped us set up insurance and claims assistance for employees. It wasn't contractual. But we had a good working relationship with IBM before this happened, and this was an extension of that."
  Tom Oreck, CEO of Oreck Corp., in an interview for CIO Magazine, "Cleaning Up After Katrina", 15 March 2006

  11. IBM Virtual Workplace Continuity: helping you plan for a significant workforce disruption. Nan Abelson, IBM Business Continuity & Resiliency Services, Business Development Manager, nabelson@us.ibm.com

  12. IBM's comprehensive set of services & solutions address the market's governance and risk management needs (service categories: Consulting and Tools; Workplaces for Critical Business; Datacenter facilities)

  13. Governance and Risk Management is complex, and CIOs are doing their own version in parallel with CXOs
  Diagram (labels recovered from the slide): Dashboards and reporting; Incident/Loss Management; Policy; Metrics; Risk and compliance; Risk Analytics; Process management; Controls. Business areas: Financial, Distribution, Asset management, Sales, R&D, Business Part, Manufacturing. Asset classes: Processes, Information, Int. Property, Relationships, Physical, Users. External drivers: Industry regulations, Industry guidance, Regulations, Industry standards (SOX, Basel, FCPA, Privacy, GxP; COSO, AUS/NZ4360, OCEG, COBIT, ISO).
  Source: Michael Rasmussen, VP, Forrester Research, March 2006

  14. A range of existing and emerging standards continue to advise good practice in business continuity management, and 'the bar' continues to rise over time (also referenced: BS7799, COBIT, FFIEC IT Handbook, BCI, DRII)
  • BS25999 (BSI British Standard 25999, part one published) describes a framework and process for a Business Continuity Manager to use and offers a range of good practice recommendations based upon the Business Continuity Institute's Good Practice Guide
  • ITIL (IT Infrastructure Library) provides a cohesive set of best practice in IT service management, drawn from the public and private sectors internationally and complementing BS15000. ITIL includes advice on best practices in service availability and continuity. OGC and itSMF are working on an update to ITIL during 2006, which IBM is actively contributing towards
  • COSO Enterprise Risk Management Framework (The Committee of Sponsoring Organisations of the Treadway Commission) defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. Led by PriceWaterhouseCoopers. PWC Consulting was acquired by IBM in 2002

  15. A creeping legislation of good practice continues to drive ever-increasing minimum requirements in BC/DR and Emergency Management
  • The Civil Contingencies Act 2004 supersedes all previous legislation related to emergencies and civil protection, including the recently unused Emergency Powers Acts. Requires Category One organisations to have their own BC/DR.
  • Sarbanes-Oxley Act 2002 (US) establishes new or enhanced standards for corporate accountability and financial reporting in the US and also affects UK companies with US subsidiaries. The European Commission's changes to Company Law introduce similar requirements for companies otherwise unaffected by SOX.
  • Industry-specific regulations/legislation:
    • FSA and overseas financial sector regulatory bodies
    • FDA for pharmaceutical supply
    • COMAH / SEVESO for hazardous activities (think Buncefield)
    • Industry regulators and statutes for utility supply
    • and so on …
  • Plus Data Protection, International Financial Reporting Standards, …

  16. Phased risk reduction roadmap (timeline recovered from the slide):
  • Today to +12 weeks: Risk Exposure Review. Must fix, e.g. for regulatory compliance reasons?
  • Tactical Risk Reduction (Quick Wins), to +12 months?: acceptable level of risk today and at peer group standards to remain competitive
  • Business Resilience Transformation Phase, to +36 months?: best practice, meets future competitive and likely regulatory requirements
  IBM's aim is to add value by assisting clients in identifying and reducing risk over time and increasing business resilience to enable future growth

  17. Case Study: a response planning "heat map" for a global organisation
  • A global manufacturing organisation had a reactive BC programme, with sites responding to audit findings
  • Only one site had dedicated subject matter experts in BCM
  • Requests for assistance came following audits, and often did not represent best value from the SME's time
  • Exposure of the heat map to a senior audience resulted, over time, in four other sites hiring staff, with the five BCMs co-ordinating efforts to serve all sites
  • Accountability remained with Site Heads, who were now motivated to engage with the BCMs
  Heat map legend: High level of assurance of viability of response plans; Some issues identified with effectiveness; Major concerns identified with effectiveness; Improvement plan in place to achieve outcome required in <12 months

  18. A Business Impact Analysis and Risk Assessment are useful in helping to strike a balance and construct a business case. An organisation's risk appetite is pragmatically defined by its willingness to spend money on safeguards.
  Chart: "Investment versus impact window". Cost ($) plotted against Reaction Time (t+min, t+hrs, t+day, t+week, t+months), with Business Impact rising over time and Mitigation or safeguard investment falling; Safeguard Level marked S+ to S+++++.

  19. We need to start with business processes to understand our required success criteria

  20. Case study – prioritising remedial action based on business impacts of disruption

  21. Case study – use of risk analytics to show residual risk in IT DR

  22. IBM's comprehensive set of services & solutions address the market's data continuity needs (service categories: Consulting and Tools; Workplaces for Critical Business; Datacenter facilities)

  23. The consequences of failure are high; are you 'betting the farm' without knowing it?
  "40% of companies that go more than 24 hours without access to their data go out of business." Eagle Rock Alliance Ltd / Contingency Planning and Management survey
  "93 percent of businesses that suffer more than 10 days of system downtime will file for bankruptcy within a year." National Archives & Records Administration, Washington
  "Only 8% of companies test their continuity plans." Department of Trade and Industry

  24. IBM's Data Protection Roadmap offers a range of solutions to match your recovery requirements and budget
  Chart: Costs vs. Value of Data (low to high) against Recovery Objective (Days, Hours, Minutes, Immediate). Solutions as read from the chart, lowest cost and longest recovery first: Tape Recovery; Managed Media Services; Vaulting; Replication Services (now a broader range); High Availability.
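The trade-off sketched on slides 18 and 24 (safeguard investment against outage impact, with the solution tier chosen to match a recovery objective) and the residual-risk view of slide 21 can be made concrete with a small model. The following Python is an added worked example written for this page, not code from the presentation or from IBM; the tier names follow slide 24, but every cost, recovery time, loss rate and incident frequency is a constructed assumption, and the impact function is a simple illustrative shape rather than a real business impact analysis.

```python
"""Safeguard selection: balance safeguard investment against outage impact.

Constructed model (illustration only, not IBM's method or data):
- Business impact of an outage grows with its duration: a per-hour revenue
  loss plus a step penalty for each full day down (contractual/regulatory).
- Each safeguard tier buys a recovery time objective (RTO, in hours) for an
  annual cost. Tier names follow the roadmap slide; figures are assumptions.
- Incidents that trigger recovery occur with an annualised rate (ARO).
- Residual risk = ARO * impact(RTO).  Total annual cost = safeguard + residual.
- "Risk appetite" is modelled as the maximum residual risk the business will
  tolerate; the cheapest tier under that cap is the pragmatic choice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    rto_hours: float    # recovery time objective this tier delivers
    annual_cost: float  # assumed annual cost of running the safeguard


# Constructed tiers; ordering mirrors the roadmap from tape to high availability.
TIERS = [
    Tier("Tape recovery", 72.0, 40_000),
    Tier("Managed media / vaulting", 24.0, 90_000),
    Tier("Replication services", 4.0, 250_000),
    Tier("High availability", 0.25, 600_000),
]


def outage_impact(hours: float, hourly_loss: float, daily_penalty: float) -> float:
    """Impact of one outage lasting `hours`.

    Linear loss per hour plus a penalty for every full 24 h elapsed, so impact
    grows faster than linearly: this is what the BIA's impact curve captures.
    """
    full_days = int(hours // 24)
    return hours * hourly_loss + full_days * daily_penalty


def annual_residual_risk(tier: Tier, aro: float, hourly_loss: float,
                         daily_penalty: float) -> float:
    """Expected annual loss that remains after the tier's RTO is achieved."""
    return aro * outage_impact(tier.rto_hours, hourly_loss, daily_penalty)


def evaluate(tiers, aro: float, hourly_loss: float, daily_penalty: float):
    """Return one row per tier with safeguard cost, residual risk and total."""
    rows = []
    for t in tiers:
        residual = annual_residual_risk(t, aro, hourly_loss, daily_penalty)
        rows.append({
            "tier": t.name,
            "rto_hours": t.rto_hours,
            "safeguard": t.annual_cost,
            "residual_risk": residual,
            "total": t.annual_cost + residual,
        })
    return rows


def cheapest_within_appetite(rows, appetite: float):
    """Cheapest safeguard whose residual risk is within the stated appetite.

    Returns None when no tier meets the appetite: the business must either
    accept more risk or look beyond the tiers on offer.
    """
    fits = [r for r in rows if r["residual_risk"] <= appetite]
    return min(fits, key=lambda r: r["safeguard"]) if fits else None


def minimum_total_cost(rows):
    """Tier minimising safeguard cost plus residual risk (no explicit appetite)."""
    return min(rows, key=lambda r: r["total"])


if __name__ == "__main__":
    # Constructed inputs: one recovery-triggering incident every two years,
    # 5,000 per hour of downtime, 100,000 per full day down.
    table = evaluate(TIERS, aro=0.5, hourly_loss=5_000, daily_penalty=100_000)
    for r in table:
        print(f"{r['tier']:<26} RTO {r['rto_hours']:>6.2f}h  safeguard {r['safeguard']:>9,.0f}"
              f"  residual {r['residual_risk']:>9,.0f}  total {r['total']:>9,.0f}")
    print("Minimum total cost:", minimum_total_cost(table)["tier"])
    print("Cheapest within appetite 50,000:",
          cheapest_within_appetite(table, 50_000)["tier"])
```

Two different answers fall out of the same table, which is the point of the slide: minimising total cost picks the middle tier, while a stated appetite for residual risk can push the choice to a dearer, faster tier. Changing the appetite figure, rather than the engineering, is what moves the decision, so the appetite should be an explicit, signed-off input to the business case.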

  25. Demonstrations featured in the Royal Oak suite. Please take a few moments to visit them
  • Consul Insight Suite
  • Tape Data Encryption
  • IBM Electronic Data Management
  • IBM FileNet Enterprise Content Management
  • Service Management demonstration
  • TIDE environment demonstration

  26. IBM Electronic Data Management: an efficient, low-cost alternative to tape-based processing
  • EDM combines data backup, replication and recovery into one online, disk-based process:
    • Operational efficiency: simplifies the backup process and reduces the impact on the production window; requires fewer staff hours for testing and invocations
    • Security: builds in data safeguards with encryption and encoded storage formats; helps eliminate physical media movement and associated risks
    • Compliance: protects current and historical data and supports data availability throughout its retention lifecycle
    • Business continuity: is designed to support data availability for operational restores, disaster recovery and business resumptions
    • Cost reduction: enables reduced operational backup costs when compared with traditional tape-based systems
  Examples:
  • Move and store more than 95 percent less data: 3.5 TB instead of 80 TB
  • Improved backup success rate from 73 percent with tape to 98 percent with disk
  • Enhanced restore success rate from 65 percent with tape to better than 99 percent with the IBM solution

  27. IBM FileNet Enterprise Content Management: leveraging automation to reduce risk and compliance costs
  • An enterprise-wide Risk & Compliance management platform that enables:
    • Process automation with clear definition of roles and enforced regulatory control, reducing risk & compliance costs within operational processes
    • Fully audit-trailed information and process execution, reducing control testing and auditing requirements
    • Secure information repository with full records and email management capability, managing the complete lifecycle and discovery of unstructured content
    • Continuous operational process monitoring and optimisation environment, allowing the measurement and real-time reporting of key indicators
    • Support for multiple risk & compliance frameworks using a unified architecture, providing aggregated risk visibility and removing auditing silos
    • Multi-channel information capture, including paper and documentation production, management and distribution (including policies and procedures)
    • Highly scalable platform with full integration support for SOA architectures
  "Enterprises that choose one-off solutions for each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach." Gartner, 2006

  28. No fuss, no fanfare, just quietly and effectively getting on with helping to keep your business safe and secure
  • IBM's best kept secret..?
  • You've seen a small snapshot; now come and talk to us if you want to know more.

  29. Q & A

  30. Thank you. Robin Gaddum, IBM Business Continuity & Resiliency Services, Managing Consultant, gaddumr@uk.ibm.com

  31. Governance and Risk Management Live
