© 2010 IBM Corporation Key Trends Driving Global Business Resilience and Risk Patrick Corcoran, Global Business Development Executive Business Continuity & Resiliency Services (BCRS)
Jan 19, 2016
© 2011 IBM Corporation
Agenda
What is Resiliency?
Resiliency: The CIO perspective
Moving forward: Building a comprehensive business resilience strategy
Regional Event Learnings
Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment.
Business resilience helps organizations maintain continuous operations and protect their market share
in the face of disruptions such as natural or man-made disasters. It requires the engagement
of everyone in the organization and often means a change in corporate culture to instill awareness
of risk.
Business resilience planning is distinguished from enterprise risk management (ERM) in that it is more likely
to build capacity to seize opportunities created by unexpected events.
As budgets shrink and service level requirements increase, our business becomes even more vulnerable to data loss.
Disaster recovery and business continuity is one of the top IT spending priorities for many businesses.
Heightened impact of business disruption
– Greater financial implications of downtime
– Brand vulnerabilities
– Data integrity requirements
Changing environment
– Expanding risk exposures
– Increased global and regional interdependencies
– Supply chain disruption
More complex regulations
– Changing industry and regulatory standards
– Geographic dispersal requirements
– Varying regulations per country
Impact of coping with the financial turmoil
– Loss of critical personnel
– Loss of key knowledge
– Reduction in attention to significance of risk
– Reduction in testing recovery plans
The continuous flow of information is inseparable from the operational performance of the business.
The Facts
– Information technology is often at the epicenter of how a firm interacts with its clients
– Information technology is always a lever to produce highly efficient supply chains, operations and workflows
– In combination, these two dynamics generate an explosive growth of managed data
The Implications
– Business resilience and information risk management are commonly on the agenda of the board of directors
– Firms must assess: Are we compliant? Are we reliable? Can we be trusted?
– Firms must decide how resilient they wish to be – contextualized in the availability, security and recoverability of their business operations
– Firms must evaluate the extent to which competitive advantage or disadvantage is influenced by their chosen resilience standing
We see both risks and opportunities affecting firms' business resilience needs
[Figure: risk events plotted by frequency of occurrences per year (from 1/100,000, infrequent, to 1,000, frequent) against consequences (single occurrence loss) in dollars per occurrence (from US$1,000, low, to US$100,000,000, high), in three groups: data driven, event driven and business driven. Events shown: Viruses, Worms, Disk failures, System availability failures, Pandemics, Natural disasters, Application outages, Data corruption, Network problems, Building fires, Terrorism/civil unrest, Regulatory compliance, Workplace inaccessibility, Failure to meet industry standards, Regional power failures, Governance, Data growth, Long term preservation, Mergers and acquisitions, New products, Marketing campaigns, Audits.]
Source: IBM
A/C Failure, Acid Leak, Asbestos, Bomb Threat, Bomb Blast, Brown Out, Burst Pipe, Cable Cut, Chemical Spill, CO Fire, Coffee Machine, Condensation, Construction, Coolant Leak, Cooling Tower Leak, Corrupted Data, Diesel Generator, Earthquake, Electrical Short, Epidemic,
Evacuation, Explosion, Fire, Flood, Fraud, Frozen Pipes, Hacker, Hail Storm, Halon Discharge, Human Error, Humidity, Hurricane, HVAC Failure, H/W Error, Ice Storm, Insects, Lightning, Logic Bomb, Lost Data, Low Voltage,
Microwave Fade, Network Failure, Pandemic, PCB Contamination, Plane Crash, Power Grid Outage, Power Outage, Power Spike, Power Surge, Programmer Error, Raw Sewage, Relocation Delay, Rodents, Roof Cave In, Sabotage, Shotgun Blast, Shredded Data, Sick Building, Smoke Damage, Smoke from Restaurant,
Snow Storm, Sprinkler Discharge, Static Electricity, Strike Action, Swimming Pool Leak, S/W Error, S/W Ransom, Terrorism, Theft, Toilet Overflow, Tornado, Train Derailment, Transformer Fire, UPS Failure, Vandalism, Vehicle Crash, Virus, Water (Various), Wind Storm, Volcano / Volcano Ash
Source: Contingency Planning Research, Inc. and IBM
But there are many other events that have caused business disruptions/outages that don’t make headlines, but can be just as costly.
Who cares about resiliency?
71% of CIOs are concerned about risk management and compliance
Technology users expect 100% availability of their applications and their information
It takes 18 months for data generated to double in size
53% of organizations would experience significant revenue loss or other adverse business impact after 1 hour of downtime
Source: Enterprise Strategy Group, April 2011
IT plays a critical role in developing resilience strategy
IT plays a major part in building resilience
Senior IT execs expected to play strong role in developing strategy
Business resilience is joint responsibility of all C-level executives
CIO collaborates with top IT strategists more frequently
Risk contingency planning assigned to separate specialists
IT function engaged in most decisions involving business risk
CIO has overall responsibility for business resiliency strategy
Business continuity seen as primarily IT issue
Business resilience not seen as role of senior executives
“IT is a big part of our risk management because nothing can be done without it these days.”
Kris Wiluan, CEO, KS Energy Services Limited
Source: 2011 Q7. Do you agree or disagree with the following statements regarding the roles of different players in your organization's risk management strategy? (Agree only.)
To date, companies have focused heavily on creating their resilience and risk plans — and putting supporting technologies and processes in place.
Create a business continuity plan
Invest in new risk-related IT solutions
Establish company-wide risk management team
Discuss issues with supply-chain partners
Assign overall responsibility to a single executive
Develop communications or training program
Respond to recent natural disasters by rethinking strategies
Develop integrated business resilience strategy
Engage external advisors
“What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.”
Lee Garvin, Director, Risk Management, JetBlue
Risk concerns for IT leaders span a range of issues
In 2010 and 2011, IBM surveyed 560 IT managers and CIOs about how IT continuity was evolving.
In the past 12 months, what kinds of risk issues has your company dealt with?
Source: 2010 IBM Global IT Risk Study: The evolving role of IT managers and CIOs
Matches survey results from Forrester Research.
IT security 78%
Hardware and system malfunction 63%
Power failure 50%
Physical security 40%
Theft 28%
Product quality issues 25%
Federal compliance issues 22%
Natural disaster 17%
E-discovery requests 13%
Supply chain breakdown 11%
Terrorism activity 6%
More companies are embracing the need for a well-crafted business resilience plan - and a risk management function.
Well-crafted and communicated plan
Disagree Neither Agree
No formal plan, but plan to develop one
Disagree Neither Agree
No formal risk management function
Disagree Neither Agree
Study comparison: Only 30% of respondents in this year’s study indicated they had no formal risk management function, compared to 42% in the 2010 study
Source: Q1. Do you agree or disagree with the following statements regarding your organization’s IT risk management? Study comparison: 2010 IBM Global IT Risk Study
“What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.”
Lee Garvin, Director, Risk Management, JetBlue
Compared to their competitors, respondents viewed themselves as better able to handle predictable resilience and risk events.
Same Weaker Stronger Don’t know
Maintain business operations in physical disaster
Prevent unauthorized access to proprietary data
Maintain operations during a pandemic
Adapt rapidly to crisis
Align contingency plans with changing risks
Reliably retrieve archived data to meet legal requirements
Seize unexpected opportunities
Minimize losses from unexpected events
Because of its impact on the business as a whole, a crucial area for
improvement is the ability to seize unexpected opportunities
An effective business resilience plan will provide a robust foundation on
which to build a long-lived competitive position supported by end-to-end risk
management.
Source: Q4. In your opinion, how does your organization compare with its closest competitors in the following areas?
Study results revealed an opportunity for companies to further hone their competitive edge by integrating business continuity and risk management.
Stronger Same Weaker Don’t know
IT infrastructure supports business growth
Sees value of business continuity as part of risk mgmt
Profitability
Market share
Revenue growth
Even though organizations have strategies for business resilience and
risk management, they may not be integrating and leveraging those
strategies for business advantage
“Companies with a robust ERM program have lower losses, fewer embarrassing events and a better reputation.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation
Source: Q9. How does your organization compare to its closest competitors in the following areas?
Organizations expect their business resilience and risk management spending will continue to increase on a par with previous increases.
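Increase significantly: up to now 14%, next 3 years 14%
Increase: up to now 47%, next 3 years 51%
Stay the same: up to now 33%, next 3 years 31%
Decrease: up to now 4%, next 3 years 4%
Decrease significantly: up to now 1%, next 3 years 1%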
65% of organizations expect their business resilience and risk management spending to increase in the next three years
“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation
Source: Q3. How has your organization changed its degree of spending on initiatives to improve business resilience?
A projected increase in the role played by non-IT functions may be related to the increase in emphasis on strategy integration and training.
Next 3 years, Up to now
CIO
IT professionals
Other C-level execs
Legal
Board members
Employees
Partners
Source: Q6a. Over the next three years, what is the expected level of involvement for the following people in your organization's risk management or business resilience strategy? (Very involved or involved.) Study comparison: 2010 IBM Global IT Risk Study
“Detecting risk has to happen at the point where the behavior is occurring.”
Dr. Barbara Reynolds, Senior Advisor, Risk Communication,
Centers for Disease Control and Prevention (CDC)
Identifying the roadblocks: Silos and budgets can impede the adoption of a holistic approach to business resilience
Silos within the organization — 28%
Budget limitations — 20%
Inability to predict ROI from improvements — 17%
Lack of C-level vision and commitment — 14%
Lack of understanding about best practices — 9%
Lack of understanding about emerging technologies — 8%
Lack of buy-in from employees — 4%
Study comparison: 2010 top challenges
– Implementing necessary procedures
– Securing budget
– Obtaining full risk picture from depts
Source: Q10. What is the biggest single barrier to implementing a holistic approach to business resilience planning?
Leverage the findings of the IBM Global Business Resilience and Risk Study in your organization
Recommendations
An integrated approach to business resilience and risk management offers a significant business opportunity for organizations of all sizes
Appointing a single individual with overall business resilience and risk management responsibility is essential to integration success
Input should be sought from throughout the enterprise — including employees and partners
Focus should be on the business impact and business opportunity. Recovery is a subset of the resiliency plan
Cloud technologies have matured significantly and now have the potential to deliver significant business resilience benefits
The newly integrated business resilience and risk management strategy can be levered to seize unexpected opportunities and deliver measurable business value
“An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.”
2011 IBM Global Business Resilience and Risk Study report
A resilient framework helps identify areas of risks and vulnerabilities, and allows a company or organization to develop an enterprise resiliency roadmap.
Risk mitigation strategies
Business driven, Data driven, Event driven
Strategy
Organization
Processes
Applications and Data
Technology
Facilities
Business resilience
Headline events often mobilize our clients to pause and reflect on their current IT resilience standing. . .
Lessons Learned from Regional Events
Events create other events … domino effect
– Japan: earthquake => tsunami => nuclear plant damage => power problems => supply chain problems ……
– Hurricanes => Flooding => Mud/Landslides => Power Outages ……
Human issues
– Will people be available? How about their families? Financial assistance?
Communications issues
– Communicating with, supporting and mobilizing employees, customers and suppliers, the press and the public at large
Community issues
– Fulfilling responsibilities to host communities
Infrastructure issues
– Anticipating how roads, travel and power supplies might be affected
– Vulnerability of sites
Business issues
– Keeping business processes running
– Managing insurance claims
Disaster plan currency
– Keeping plans up to date and well tested
– Availability of data and hardware
To learn more about lessons learned from regional disasters, listen to the following webinar: http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars
IBM delivers unsurpassed geographic scope, combined with expertise of local, regional, and global needs/regulations.
Over 160 data centers globally
100 percent recovery for IBM clients who have declared a disaster (over 800)
More than 1,875 professionals dedicated to business continuity and resiliency
More than 9,000 disaster recovery clients
More than 10,000 client rehearsals per year
More than 50 years experience helping clients with their backup and disaster recovery needs
Over 800 client declarations supported since 1989
Scalable, end-to-end, cloud-based data backup and recovery solutions
Five million square feet of floor space for disaster recovery, with 40,000 seats
Business continuity and resiliency is about…
– Protecting your enterprise
– Mitigating business and support issues
– Increasing your competitive advantage
– Protecting brand reputation
– Enabling seamless, continuous business transactions
– Exploiting market opportunities