1 Business Continuity Management Presenters: Miloš Kilibarda, Head of Security Department Igor Kutlača, CISSP, Head of BCM Unit Maj 2009
2 WHY BCM? Gartner estimates that two out of five enterprises that experience a disaster will go out of business within five years. Enterprises can improve those odds – but only if they take the necessary measures before and after the disaster. Aftermath: Disaster Recovery, Gartner, September 2001
3 BSI Code of practice “Holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.” BCM Deadline for BCP/DRP set by the NBS is end June ‘09 WHAT IS BCM? Business continuity management could be defined as an holistic management process that identifies potential threats and the impacts to business operations those threats, if realized, might cause, thus addressing the implementation of specific measures, mainly organisational, infrastructural and technological ones, that might guarantee the Organisation survival, even if all, or just a part, of the assets supporting its operation capability are lost.
4 BCM OBJECTIVES Provide an immediate and appropriate response to emergency situations Protect lives and ensure safety Reduce business impact Resume critical business functions Work with outside vendors during recovery period Reduce confusion during a crisis Ensure survivability of the business Get “up and running” quickly after a disaster Fulfill the legal and regulatory requirements
5 BEFORE YOU START BCM PROGRAM - FAMILIAR EXCUSES It will never happen to us. I’m sure that we could cope. You can’t plan for the unforeseen. There are so many potential problems that it is impossible to have an effective plan. If we don’t have a disaster we’ve wasted money. Isn’t that why we have insurance? We are used to things going wrong. It really doesn’t matter because in an emergency everyone will rally round and get things sorted out. I don’t have the time – there are more important things to do.
6 BCM PROJECT Project initiation Business Impact Analysis Design of Continuity Solutions Solutions Implementation Test and Verify PHASE 1PHASE 3 PHASE 2 PHASE 4 PHASE 6PHASE 5 RISK ANALYSIS AND SOLUTIONS DESIGN SOLUTIONS BUILDING AND MAINTENANCE Process mapping and analysis identification of vital and critical processes Assessment of economic, regulation and reputation impact Estimates of vulnerability and disaster probability Definition of priority/relevance list of involved processes Definition of continuity solutions in relation to crisis scenarios Cost/benefit evaluation of investment alternatives Final report Map of processes - applications - technologies Development of recovery processes Definition of Crisis Management Model Selection of suppliers and outsourcers Divulge Continuity Plans and Crisis Management Plans Staff training and creation of BC culture Activation of periodic verification processes Test Planning and execution Assess efficiency / effectiveness of Solutions Analysis of critical states discovered in test process Evaluation of new critical processes Update or modify Plans Continuous training of personnel staff Maintenance & Development Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out these tasks. Top Mgmt Approval
7 High Availability of Infrastructures Test & Certification Maintenance Crisis Management Organizational Model Technological Solutions Organizational Solutions Infrastructural solutions BCM Policy BUSINESS CONTINUITY FRAMEWORK Disaster Recovery High-Reliability Systems Disaster Recovery High-Reliability Systems Business Continuity Plan and Contingency Plan Business Continuity Plan and Contingency Plan
8 GOALS OF BCM Documents and procedures which describe how to activate the business continuity solutions, how to manage crisis situations and how to return to standard operations Model which describes roles, criterions and rules to address, coordinate and manage the emergencies; it must guarantee, in case of a crisis occur, the information and decisions escalation to all the Organisation levels assuring a coordinated control, both managerial and operational, of the crisis Delineates all the technical and organizational procedures needed to overcome an interruption of IT services, applications, communications or data losses, through recovering of systems in alternative sites Business Continuity Plan (BCP) Crisis Management Organisational Model Disaster Recovery Plan The Main deliverables needed to meet the Regulatory requirements
9 RISK vs BCM
10 RTO, RPO Recovery Time Objective is: –How long can I afford to be without my systems and business- critical applications ? Recovery Point Objective is: –How much data can I afford to recreate (or lose)? Denotes the time interval between outage and when last good copy of data was made Applications may be down until some/all of data recreated.
11 Through the Business Impact Score we can correctly define the RTO (Recovery Time Objective), that is the maximum acceptable time for the reactivation of the process Return to normal operations Time RTO Correctly Estimated = lower cost of realization Critical Event Solutions Activation End of crisis Level of Operations RTO
12 Operational Risk (Basel II) Business Continuity Management is focused on mitigating risks deriving from low-probability, high-loss events High Probability Low Loss (Control) High Probability High Loss (Prevent) Low Probability Low Loss (Accept) Low Probability High Loss (PLAN) Probability HIGH LOW HIGH Business Impact Risks/Events targeted by BCM - Operational Risk and Business Continuity - Operational Risk is defined by Basel II Agreement as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events” OPERATIONAL RISK
13 Destruction / unavailability of buildings Interruption of IT Systems (internal/outsourced) Interruption of infrastructure systems Unavailability of essential workforce Loss of documentation or specific equipment BUSINESS CONTINUITY SCENARIOS & SOLUTIONS BCM approach considers all risk scenarios defined by standard guidelines, defining different typologies of solutions: technological, organizational and infrastructural. The BCM is not only Disaster Recovery, but it manages all the assets that support business (Human Resources, Processes, Infrastructures,...) Technological Organizational Crisis Scenarios Category of solutions Solutions Disaster Recovery (DR) and Dealing Rooms Campus Technological solutions that guarantee the continuity of Information Systems Infrastructural Business Continuity Plan (BCP) Organizational solutions that manage every single scenario (also to support the technological solutions) High Availability of infrastructures / critical services Solutions that manage the interruption of infrastructure systems (e.i.: power supply, conditioning systems, etc.) For natural causes (e.g. earthquake) or human action (e.g. terrorist attack) (e.g. malfunctions, hacking) (e.g.: black out, TLC outage) (e.g. strikes, epidemic) (e.g. theft, fire, flooding)
14 Use of back-up data Contingency procedure/ Use of Back-up data Mitigation and damage adjustment Damage adjustment Preventive training of alternative resources Transfer of operation to other structure within the Bank/Quick Guides Support of staff of the same office/service Support by staff of the same office/service Contingency procedure Mitigation and damage adjustment Damage adjustment Transfer of operation to other structure within the Bank or to alternative back-up site Mitigation and damage adjustment Damage adjustment Contingency procedure Mitigation and damage adjustment Damage adjustment Emergency 1 Ordinary Event Emergency 2 Extraordinary Simple Event Emergency 3 Extraordinary Severe Event Emergency 4- Crisis Disaster Event BCM THE SCOPE OF BCM ACTIVITIES The combination of two dimensions determines the BCM Coverage matrix, which is focalized on cases of higher impact Interruption of IT Systems (internal/outsourced) Destruction / unavailability of buildings Interruption of infrastructure systems Unavailability of essential workforce Loss of data or specific equipment Disaster Recovery
15 RECOVERY SOLUTIONS Asynchronous replication Asynchronous replication Tape Backup Recovery Time Time to restore Business Operations Continuous availability Rapid recovery Cost / compexsity Recovery Minutes HoursDays The recovery mechanism depends on your acceptable level of downtime anb budget Synchronous replication
16 RECOVERY SOLUTIONS Cost to recover Cost of disruption Recovery Time Objective Cost Time The BCM team must balance the cost to recover against the cost of the disruption. The balancing point becomes the recovery time objective.
17 TECHNOLOGICAL SOLUTIONS – DISASTER RECOVERY.. Banca Intesa, according to the approach described, is consolidating within the global BCM framework a technological and organizational solution in order to ensure the full recovery of IT services, which is based on a reciprocal backup between the four IT sites Italy Site A-B and Serbia Site A-B BIB DR Serbia Site A Serbia Site B High Availability Campus “Dual-site” ITALY Site AITALY Site B
18 BUSINESS CONTINUITY LIFE CYCLE
19 WEAKNESSES IN BCM Inadequate senior management support. Insufficient financial support. Failure to take a holistic approach. Lack of clear understanding of the responsibilities for the initiation, development, implementation and ongoing management/maintenance of the plans and the process. Inappropriate ownership – BC manager- rather than by line management. Failure to involve all relevant parties – (for example internal audit.) Inadequate contact with, and understanding of, the role of the emergency services. Poor risk analysis/business impact analysis. Insufficient or inadequate training/awareness. Insufficient or inadequate testing/exercising. Not right balance between clear action plans and detailed operational plans. Inappropriate mechanism for keeping the plans current – documentation out of date. Plans do not reflect latest organizational, systems, process or technological changes. Plans not held in a place where they are readily accessible when required.
20 ARE YOU READY FOR BCM ? Do you have an active BCM programme? Is there a responsible person for managing the programme? Has a risk management/BCM culture been established? Has a risk analysis or BIA been done and has management endorsed the priorities and criticality which that process has defined? Is there an crisis management team? If there is a serious incident, are you aware of your role? Do key executives know their roles in a crisis? Are you familiar with the basics of the business continuity plan? Have key executives got a copy of the plan at a location where it would be quickly accessible? Is the plan tested regularly? Does the plan deal with how to handle the media? Do contracts with key suppliers require that these organisations have a BCP? Are you aware of the arrangements for moving to alternative sites? Have the plans and processes been audited/appraised by external experts?
21 Thanks Q & A