Business Continuity Risk: Mitigation and Contingency Planning
An ounce of prevention... and what to do when that's not enough
Discussion Leader: Andrew Gansler, Senior Manager, Management Consulting Services
Moderator and Q&A: Lawrence Baye, Principal, Management Consulting Services
November 6, 2001
2. What is Business Continuity Risk?
Grant Thornton LLP defines business continuity risk as the threat of any incident that may cause an extended disruption of business functions or impact the ongoing integrity of the firm.
3. What are the risks to business continuity?
Traditional concerns
  – Fire
  – Storm
  – Flood
  – Hurricane
  – Earthquake
  – Power outage
  – Equipment failure
Less publicized but emerging trends
  – Intrusion (physical or logical)
  – Control failures
  – Sabotage
  – Terrorist activity
4. Some statistics...
2 out of 5 businesses that experience a major disaster will cease to exist within 2-5 years (Gartner, 2001)
Some believe that as many as 80% of businesses suffering a major disaster will cease to exist as a direct or indirect result (BCC, 2001)
The average bank robbery yields $2,500; the average computer crime nets $500,000 (CSI/FBI 2001 Survey)
Less than 50% of existing business continuity plans meet their firms' recovery objectives (KPMG)
5. What's at stake for you?
Assets "at risk"
Customer confidence
Fiduciary responsibility
Regulatory and other compliance
Insurance 'out' clauses
Trading partner relationships
6. Key considerations for professional services firms
Fractionalization of the firm
  – Reduced cohesion for collaboration
  – Controls breakdown
Paper morass
  – Drawings, transcripts, contracts, discovery materials, etc.
  – Replacement issues
Intellectual capital
Confidence level of employees
Availability of mission-critical information
Insurance exclusions
7. Key trends and challenges for real estate management companies
Increased insurance premiums
Security costs
  – Security/operation balance
  – Cost-cutting environment / static budgets
Loss of tenants
New service expectations
  – Full backup power
  – Redundant/enhanced telecommunications
Availability of investment capital
Tenant diversification
Prospective tenants' risk assessment
8. How to manage and mitigate business continuity risk
Risk mitigation
  – Emphasis on safeguarding your assets: physical and logical (information)
Contingency planning
  – Quickly returning your business to a functional state after an unavoidable and significant incident
9. Framework: Prevention, Detection, Recovery
10. The information security problem
Securing the server and its data
Securing information while in transit
Securing the user's computer
11. Methods of intentional attack on information resources...
Logical / hacking
  – Passwords
  – Port/packet sniffing
  – Demon dialers
  – Spoofing
  – Home users
Virus threats
  – 89% of respondents reported a problem (IS Magazine)
  – Platform specific
  – Easy to engineer
12. The neglected areas
Physical restriction
Data backup
  – Frequency
  – Completeness
  – Testing
13. What can be done?
14. Three Ds of security policy
15. Tools, methodologies and best practices
Control management
  – CPA WebTrust / SysTrust
  – SAS 70
Encryption and authentication
  – Digital IDs
  – VeriSign®
  – SSL
  – PPTP
Intrusion prevention, detection and monitoring
  – Configuration
  – Firewalls / proxy servers
  – Detection/monitoring software
  – Intrusion testing (TruSecure, GrantGuard)
16. Tools, methodologies and best practices (cont.)
Strict backup procedures
  – Full backups
  – Client backups
  – Documentation
  – Off-site rotation
  – Periodic recovery tests
Virus updates
  – Footprints
  – Push to users
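The backup controls named on slides 12 and 16 (frequency, completeness, periodic recovery tests) can be checked mechanically rather than by assertion. The script below is an added example, not part of the Grant Thornton deck and not a product of the firm: it assumes a constructed set of "production" files, uses an in-memory tar archive as a stand-in for the backup medium, and treats any backup older than a configurable maximum age (one day here) as a frequency failure. A backup passes only if it is recent, contains every production file, and each file restores to content whose SHA-256 matches production.

```python
"""Backup verification: frequency, completeness and a restore test.

Added example, not from the Grant Thornton deck. An in-memory tar archive
stands in for the backup medium; file names, contents and timestamps are
constructed for the illustration.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of the production data the backup must protect.
PRODUCTION_FILES = {
    "leases/unit-101.txt": b"lease terms for unit 101",
    "ar/rent-receipts-2001-11.csv": b"tenant,amount\nA,1200\nB,950\n",
    "contacts/notification-list.txt": b"ops lead; facilities; legal",
}

ONE_DAY = 86400  # seconds; assumed maximum acceptable backup age


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: Dict[str, bytes], taken_at: int) -> bytes:
    """Write a full backup of `files` as a tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = taken_at
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_backup(archive: bytes) -> Dict[str, bytes]:
    """Recovery test: read every member back out of the archive."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                restored[member.name] = tar.extractfile(member).read()
    return restored


@dataclass
class BackupReport:
    stale: bool                                         # frequency control failed
    missing: List[str] = field(default_factory=list)    # completeness control
    corrupt: List[str] = field(default_factory=list)    # restore-and-compare control

    def ok(self) -> bool:
        return not (self.stale or self.missing or self.corrupt)


def verify_backup(archive: bytes, production: Dict[str, bytes],
                  taken_at: int, now: int, max_age: int = ONE_DAY) -> BackupReport:
    """Apply the three controls: age, coverage, and restore-then-hash-compare."""
    report = BackupReport(stale=(now - taken_at) > max_age)
    restored = restore_backup(archive)
    for name, data in production.items():
        if name not in restored:
            report.missing.append(name)
        elif sha256(restored[name]) != sha256(data):
            report.corrupt.append(name)
    report.missing.sort()
    report.corrupt.sort()
    return report


def demo(now: int = 1_000_000_000):
    """Three constructed cases: a fresh full backup, a stale partial one,
    and a fresh one whose copy of a file no longer matches production."""
    fresh = make_backup(PRODUCTION_FILES, taken_at=now - 3600)
    fresh_report = verify_backup(fresh, PRODUCTION_FILES, now - 3600, now)

    # Taken ten days ago, before the November receipts file existed.
    older_set = {k: v for k, v in PRODUCTION_FILES.items() if not k.startswith("ar/")}
    stale = make_backup(older_set, taken_at=now - 10 * ONE_DAY)
    stale_report = verify_backup(stale, PRODUCTION_FILES, now - 10 * ONE_DAY, now)

    # Fresh, but the lease file on the backup medium differs from production.
    altered_set = {**PRODUCTION_FILES, "leases/unit-101.txt": b"lease terms (altered)"}
    altered = make_backup(altered_set, taken_at=now - 3600)
    altered_report = verify_backup(altered, PRODUCTION_FILES, now - 3600, now)
    return fresh_report, stale_report, altered_report


if __name__ == "__main__":
    for label, rep in zip(("fresh", "stale", "altered"), demo()):
        print(f"{label:8s} ok={rep.ok()} stale={rep.stale} "
              f"missing={rep.missing} corrupt={rep.corrupt}")
```

Only the first case passes; the second fails both the frequency and completeness controls, and the third passes on age and coverage but fails the restore comparison, which is exactly the failure a backup that is never restore-tested would hide. In practice the production manifest and the archive come from disk or an off-site rotation, and `now` from the clock; the checks themselves are unchanged.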
17. Framework: Prevention, Detection, Recovery
18. An unavoidable threat to business continuity has occurred... What's at stake?
Customers move to "more reliable" competitors
Idle time of non-productive employees
Loss of customer service satisfaction
Cost of rebuilding lost data (errors/rework)
Additional staff needed to resolve problems
Fines and penalties imposed by regulatory agencies
Fines and penalties associated with existing contracts
Breakdown of internal controls
19. Emergency Procedures vs. Disaster Recovery vs. Business Continuity
Emergency procedures
  – Focus on tactical steps to be performed by operations staff on an event-by-event basis
  – Heavy emphasis on the minutes/hours following onset of an emergency
  – Facility schematics (HVAC, plumbing, etc.), service providers
Disaster recovery
  – Focus on technology resumption (traditional disaster recovery)
  – Restoration of 'mission-critical' technology, communications infrastructure, centralized applications
  – Contact lists, notification schedules, 're-start' procedures
Business continuity
  – Focus on restoring critical business processes and 'normal' operations; inventory and prioritize
  – Technology is critical, but so are 'essential' business processes, e.g., rent receipt processing
20. Some recent examples
Global investment bank
  – On a Saturday in August, a steam pipe ruptured in NYC. Areas affected: equity trading, equity sales, equity research, equity capital markets, private wealth management and legal departments; 1,100 staff
  – Result: Initiated business continuity plan; relocated staff to six alternative locations. Resumed trading operations Monday morning
Major financial publisher
  – September 11: staff were displaced by the tragic events. Publishing capability was at risk.
  – Result: After the 1990 power blackouts in lower Manhattan, the company had developed an elaborate business continuity plan. They executed this plan, which included activation of a hot site in NJ that was ready for use by the time staff arrived there.
21. Some recent examples
Key processing / clearing bank
  – September 11: the bank executed its disaster recovery plan in response to the terrorist attack. Trade processing and other core functions were re-routed to backup systems. As a result of prioritization, continuity was restored for some systems and processes (e.g., trade processing, clearing, settlement), while areas deemed non-essential (e.g., the ATM network) were not restored.
  – Result: Many of the backup systems worked, but some did not (e.g., government bond processing). The bank believes it was successful in implementing its plan. Some of its customers may disagree.
Major law firm
  – September 11: relocated WTC staff to 7 other NYC law firms using borrowed space
  – Result: Scattered people, fragmented operations, collaboration/coordination issues
22. The cost of business continuity
Cost components
  – Consultants
  – Internal resources
  – Service providers (recurring)
  – Time
Who pays?
  – Company-wide project with an IT component
But consider the cost of doing nothing...
23. What you should be doing now: review your plan...
Do you have a comprehensive plan? 80% of NY-based companies have plans that are lacking, missing, or obsolete*
If YES: Review it
  – Changes since last review: new systems, infrastructure changes
  – Are responsible individuals still with your firm?
  – Does it provide for restoration of core business functions?
  – Are your critical resources centralized?
  – Service contracts
Get a third-party perspective
  – Will your plan work in today's environment?
Test it
Maintain it
* Source: GT
24. What you should be doing now: develop a plan...
Do you have a comprehensive plan?
If NO:
Get management buy-in (expensive, time consuming, no immediate ROI)
Form a team
Define your approach
Perform a business impact analysis
Cover the essentials
Develop the plan
Train your employees
Test the plan
Maintain and update the plan
25. What you should be doing now: consider remote site operation...
Do you have an alternate location available for technology and people? Hot site, cold site, mobile site or hybrid
If YES:
  – Review the terms of your agreement. Does the contracted service still meet your current needs?
If NO:
  – Consider an outsourcing services provider (SunGard, IBM, etc.) as one part of a comprehensive solution.
Considerations
  – Exclusion zones
  – Service guarantees
  – Duration
  – Test time
  – Competitive bidding
  – Complex pricing structures
  – Termination clauses
26. What you should be doing now: review your insurance coverage...
Do you have all the necessary insurance?
General commercial coverage (e.g., liability, property, etc.)
Business interruption insurance
OEM insurance / quick ship
If YES:
  – Review your policies: E&O, terrorism and other exclusions
If NO:
  – Get some!
27. What you should be doing now: review important processes...
Are your critical processes paper intensive? Next to people, paper records are the most difficult component of any business to replace
  – What are my vital records? What are the retention requirements?
  – What would happen if my vital paper records were destroyed?
Consider document imaging and workflow automation
  – Re-think current processes
  – Automate paper-intensive processes
  – Provide an electronic record of important documents
Confirm legal admissibility
  – ROI very high; usually pays for itself
28. What else can I do?
Review your outsourced services
  – Does your service provider have a disaster recovery plan?
  – Are they viable over the long term? Many recent ASP, ISP, and carrier failures
  – What controls are in place to prevent unauthorized access to your data? Have these controls been tested by an independent third party?
Form alliances
  – Is there a business partner, or even competitor, that I would be willing to team with?
  – Is there a company that has similar equipment to mine, whose technology resources (e.g., data center) can be made available to me if necessary?