1 Kathleen Lucey, Montague Technology Management, Inc., tel: 1.516.676.9234. Telling the Truth in Business Continuity
2 What is your BCM Program's Reason to Live?
What is the primary reason for the existence of your BCM program?
– Regulatory requirement
– Audit requirement
– Technology recovery capability
– Prudent business control
– An integral and ongoing part of the firm's business
3 Risks, Mitigation, and Scenarios
Do you know your risks and their impacts:
– Infrastructure: fire, loss of power, equipment failure
– Production Line Single Points of Failure
– Employees
– Reputation
– Outsourcers and Suppliers
– Climate-related regional events
– Civil Disorder/Attack
Are strategies in place to lower the probability of controllable risks, and continue critical operations within tolerance levels if an interruption does occur?
Which interruption scenarios have you included?
10 [Diagram. Labels: Worst-Case Scenario; Minor Interruptions; Everyday Blips; Process Dysfunctions; SOLUTIONS; Disaster Recovery; Availability; Availability; Reliability Engineering; Core Business Value Chain Processes; INTERRUPTION]
2006 Montague Technology Management, Inc. All rights reserved.
11 Interruption Scenario Characteristics
– Time / day of incident
– Damages type: Building infrastructure, reputation, regional infrastructure
– Personnel injuries
– Effects on critical operations
– Area: premises, building, small area, region
– Duration
12 INTERRUPTION MANAGEMENT MODEL
[Diagram. Labels: IT Recovery Coordination; Business Recovery Coordination; Business Continuity Teams; Information Technology Recovery Teams; Interruption Management Team; Executive Oversight Team; Media Relations Team; Command Center Support Team; Business Continuity Coordination; Initial Crisis Management; Recovery Management; Employee Support; EMT; Government Liaison; Emergency Funding; Physical Security; Transportation, Communications; Site Repair and Restoration; HAZMAT; Admin. Services; Damage Assessment; Emergency Logistics; Site Relocation and Re-creation; Site Repair or Relocate; Purchasing; Insurance Liaison]
13 BCM Program Content
Does your BCM contain the following:
– Crisis Communication and Management Procedures?
– Business Unit Recovery Procedures?
– Technology Recovery Procedures?
– Supplier Failure Compensatory procedures?
– Restore/Relocation procedures?
Are all involved parties trained and committed to their BC responsibilities? How do you know?
How do you know that all of these will be effective when needed?
14 BCM Program Approvals
Is your BCM Program approved by:
– Internal and External Audit?
– Regulator(s)?
– CIO?
– Risk Committee of the Board?
– You?
Which of these matters most and why?
15 Walking the Walk
Can you demonstrate that your program is a successful ongoing permanent business function?
– Annual budget?
– Status Reporting to annual objectives?
– Sufficient human and financial resources?
– Inclusion of BCM in Performance Evaluations?
– Appropriate Reporting Relationship?
16 Walking the Walk
– Achievement of high verisimilitude in test scenarios?
– Proven ability to meet RPOs? Resolving all data synchronization issues?
– Proven ability to meet RTOs for App service continuity in high verisimilitude scenarios? Including all interfaces?
– Supplier SLAs for BCM? Penalties?
– Inclusion of BCM on task forces for strategic firm actions, such as acquisitions, strategic software implementations, HR Policies, Insurance, etc.?
17 BCM Program Testing
In your exercise program, do you:
– Test to discover inadequacies?
or
– Test to meet achievable objectives?
18 BCM Program Manager Objectives
What are your real objectives:
– Ensure your firm survives any interruption.
– Keep the auditors/regulators happy.
– Keep your boss happy.
– Keep your job.
19 Confirmation of Objectives
What are the objectives of your management, board, stockholders:
– Do what is necessary to proactively lower risks and protect employees, while ensuring that the firm survives any interruption with the least damage.
– Meet the requirements of an external standard, such as NFPA 1600 or BS
– Spend the least possible to keep the auditors/regulators off their backs.
– BCM is an IT-only issue and it is the responsibility of the CIO to balance this against competing IT priorities.
20 Discontinuity of Objectives
Clues that there are problems:
– Objectives identified by inference
– Underdeveloped emergency communications and procedures
– No BCM Program budget or annual objectives
– Testing program inadequate but successful
– BCM function reports to IT
– BCM is not discussed at Sr. Management or Board Meetings
– High BCM Program Manager anxiety
21 Identification of Gaps
– Verify existence and completeness of BCM Program components: see standards
– Use table-top testing to illustrate gaps
– Confirm objectives of all parties
– Calculate costs for BCM Program
– Calculate benefits of the existing BCM Program (hint: there may be an ROI problem here.)
22 Propose a Plan to Close Gaps
– Identify priorities of stakeholders
– Identify sponsors and work with them
– Offer corrective plan at 3 levels: nothing, necessary improvements over time, much improvement in a short time
– Present to the right audience
– Document approved BCM Program objectives for the next budget period
– Propose a budget; adjust to cutbacks
– Document the detailed effect of budget cutbacks: don't try to be a hero!
– Improve the Cost/Benefit ratio!
23 Implement the Approved Operating Plan and Budget
– Make all costs visible
– Make progress to approved operating plan visible
– Document EVERY incident; do whatever possible to ensure that it does NOT happen again.
– Request BCM operating plan/budget changes when priorities or conditions change; work with sponsors
– Don't try to be a hero!
– Improve the Cost/Benefit ratio by calculating all costs and benefits
– Measure and document all progress achieved by year-end.
24 Keys to Success
Confirm objectives of all stakeholders and resolve discontinuities
Implement the will of Senior Management:
– Help them to frame their requirements
– Do the work
– Make it visible
– Document it
– Report back to stakeholders
Insist on managing your own budget, whatever its size
Don't try to be a hero!
If you treat this like any other permanent ongoing business function, others will eventually come around to the views of your sponsors.
25 Keys to Success
A false sense of safety from an inadequate BCM Program is DANGEROUS. Don't be a source of danger.
Be reliable and visible: do what you say, say what you do
– Set objectives and meet them
– Look for ways to improve and implement them
– Be visible: Status Reports, Newsletters, Awareness Programs
– Avoid surprises wherever and whenever possible
Educate and create awareness
26 And in closing
– Be reliable
– Tell the truth as you know it, but be smart in how you do it.
– Don't be a HERO!