. First, a few effects of 9/11 on downtown Manhattan... Source: Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003
. And a few more... Madrid 3/11/2004 London 7/7/2005, 7/21/2005 Katrina: Louisiana and Gulf Coast, 8/2005 Rita: Louisiana and Texas, 9/2005 Earthquake in Pakistan and India: 10/2005 Wilma: Mexico and Florida, 10/2005 New Delhi: 10/2005
. Post-9/11 Trends Politicization of Business Continuity –Homeland Security Department includes FEMA –Patriot Act –Pre-emptive wars: Afghanistan, Iraq Results-oriented regulation –Inter-agency White Paper –NASD regs 3610, 3620 –Sarbanes-Oxley California Law 1386 (2003), NY State Information Security Breach and Notification Act (August 2005) Increased BC awareness across most non-regulated sectors, and especially SMEs
. What we have learned... Effective response is a complex issue, and much larger than data center Disaster Recovery. Small and medium-size businesses are largely unprepared, but worry. Success = BC + Emergency Management + an ongoing program External and intra-industry dependencies have been mostly ignored. Resilience is the most effective strategy...and it is an organizational, not just a technical issue.
. Trends Today EFFECTIVE RESULTS? Compliance with regulatory checklists is NOT enough. Not all responses can be planned. Tools and information are necessary but not sufficient. The most effective 9/11 responses empowered operating-level people. Testing must become MUCH more serious: greater verisimilitude. Effective emergency communication is primary: automated notification systems.
. Trends Today SMALL AND MEDIUM-SIZE BUSINESSES ARE VULNERABLE Widespread awareness and concern. Traditional BC methods are too expensive and seen as unnecessary. Tools that are effective AND well-adapted to SME needs are difficult to find. Clear need to develop SME baseline standards and techniques. Pressure from large customers and/or suppliers can be a driver.
. Trends Today INTER-DISCIPLINARY AND INTER-SECTOR WORK IS NEEDED Government sets security levels, but the private sector holds 85% of critical infrastructure. Piecemeal solutions with different mindsets and languages: –IT: D/R and Technology InfoSec –Facilities: Infrastructure, Engineering, and Physical Access Control –Emergency and Crisis Management Planning –Organizational Planning, Strategic Planning, Social Sciences –Internal Audit, External Audit –First Responders: insider jargon and procedures
. It is not an option to remain where we have been...and where we are.
. Trends Today EXTERNAL AND INTER-INDUSTRY DEPENDENCIES Few businesses accomplish all of their critical functions alone: –Communications –Transportation, supply and distribution –Outsourcing Contractual penalties are insufficient to guarantee business survival. Creativity, planning, and persuasion are all required. WORKING TOGETHER! Multiple-sector testing is difficult and expensive. Need more public sector support.
. It is not an option to remain where we have been...and where we are.
. Trends Today RESILIENCE The power or inherent property of returning to the form from which it is bent, stretched, compressed, or twisted. – of objects or substances The power or ability to recover quickly from a setback, depression, illness, overwork, or other adversity. – of people The ability of a system to keep working when one or more of its components malfunctions. Also called fault tolerance. - of systems
. Part II: Where Can SMEs Get What They Want...and What They Need?
. How do SMEs see Continuity? Ask them and they will tell you.
. SME Continuity Requires the Proper Event D N A Definition, Notification, Action SME Continuity Requires the Proper Event D N A Definition, Notification, Action
. What is DNA? Includes designed processes and tools for: Definition of events + Notification Notification and communication activities required for immediate response + Action plans to respond to events.
. Poor Definition = emergency response tragedies: Regional Blackout of August 14, 2003 Three Mile Island 9/11 Definition is key
. Tools and strategies must be: Carefully designed for feasibility Understood and rehearsed; UP-TO-DATE Cover initial interruption management + recovery + return (move) Notification
. IT Recovery Coordination Business Recovery Coordination INTERRUPTION MANAGEMENT MODEL Business Continuity Teams Information Technology Recovery Teams Interruption Management Team Executive Oversight Team Media Relations Team Command Center Support Team Business Continuity Coordination Initial Interruption Management Recovery Management Employee Support EMT Government Liaison Emergency Funding Physical Security Transportation, Communications Site Repair and Restoration HAZMAT Admin. Services Damage Assessment Emergency Logistics Site Relocation and Re-creation Site Repair or Relocate Purchasing 2005 Montague Technology Management, Inc. All rights reserved. Insurance Liaison
. Implemented Actions and strategies should: Be additive: chosen to cover the maximum number of scenarios first. Provide the best response to requirements: the right choice. Provide a continuity capability that increases measurably over time. Actions
. ALL DNA processes must be working to achieve effective continuity.
. Where are MOST of the Continuity Challenges ?? CONTINUITY ISSUES Catastrophic Interruptions Minor Interruptions Everyday Blips Process Dysfunctions BCARE SOLUTIONS Continuity Availability Reliability Engineering Core Business Value Chain Processes
. BC Jumpstart for SMEs Steps 1 thorough 4: 1.Interruption Scenario Class Definitions: Internal and External. 2.Strategies and Tools by Scenario Class: Additive continuity components and interruption avoidance / mitigation measures by scenario class. 3.Gap Analysis: The firms current capability vs. the recommended set of continuity components and avoidance / mitigation measures, by scenario class. 4.Project Plan: Timeline and cost estimates to move forward.
. Interruption Scenario Classes EXTERNAL SCENARIOS Classes: 1 - minor (a and b) to 5 - catastrophic External scenario characteristics: –Day / time (workday hours, non-working hours) –Geographic scope –Length of time –Premises infrastructure services impact –Firm premises damage –Injuries to firm personnel –Effect on workplace
. External Scenario Classes DURATION OF INTERRUPTION BY CLASS ClassLength of Interruption 1: Minor less than 1 day 2: Significant 1-3 days 3: Serious 3-5 days 4: Very serious 5-10 days 5: Catastrophic 10 or more days
. Internal Scenario Classes Specific to each firm and each site. For example: ClassDescription ALocal equipment failure BLocal PBX failure CCentral network outage DWorkplace violence ESupplier outage FDisclosure of confidential information GKey staff loss HReputational Risk
. Benefits for SMEs 1: Avoid the risk. 2: Lower the risk probability. 3: Recover, reduce damages. Implement FIRST what is needed for all interruption scenarios. Pay attention to the obvious. Spread development and costs over time by building to catastrophic, worst-case capability step-by-step. Make BC capability progress visible, measurable, understandable, and present-able.
. And so what does all of this mean for us as business continuity professionals?
. We Need to GROW! Accept that current best practices are not the only truth. Study the concepts of allied fields; stay open to new ideas. Learn! Connect to related disciplines: emergency management, InfoSec, facilities, infrastructure, equipment reliability and physical security...and organizational theory! LISTEN....LISTEN.....LISTEN....AND HEAR!
. References (1) Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Board of Governors of the Federal Reserve System; Office of the Comptroller of the Currency; and Securities and Exchange Commission. Draft (Sep 2002): http://www.sec.gov/rules/concept/34-46432.htm Final (Apr 2003): http://www.sec.gov/news/studies/34-47638.htm Report: Crisis, recovery, innovation: responsive organization after September 11, John Kelly, David Stark. Center on Organizational Innovation, Columbia University. New York, NY June 2002. http://www.coi.columbia.edu/pdf/kelly_stark_cri.pdf SEC Approval of NASD Rules 3510 and 3520, including amendments 1-8, as published in the Federal Register, April 7, 2004. http://www.nasdr.com/pdf-text/rf02_108_app.pdf
. References (2) Special Report: WTC Tenant Relocation Summary, TenantWise, Inc., 2003. http://www.tenantwise.com/wtc_relocate.asp *"A Desk on the 20 th Floor: Survival and Sense-Making in a Trading Room," Daniel Beunza, David Stark. Working Paper Series, Center on Organizational Innovation, Columbia University. Available online at http://www.coi.columbia.edu/pdf/buenza_stark_d20.pdf 5 Habits of Highly Reliable Organizations, Keith H. Hammonds, Fast Company Magazine, Issue 58, May 2002, Page 124. http://www.fastcompany.com/magazine/58/chalktalk.html *Note extensive bibliography.