Mar 26, 2015


Ryan McHugh
Page 1

Kathleen Lucey

Montague Technology Management, Inc.

kalucey@montaguetm.com tel: 1.516.676.9234

Telling the Truth in Business Continuity

Page 2

What is your BCM Program’s “Reason to Live”

• What is the primary reason for the existence of your BCM program?

– Regulatory requirement

– Audit requirement

– Technology recovery capability

– Prudent business control

– An integral and ongoing part of the firm’s business

Page 3

Risks, Mitigation, and Scenarios

• Do you know your risks and their impacts:

– Infrastructure: fire, loss of power, equipment failure

– Production Line Single Points of Failure

– Employees

– Reputation

– Outsourcers and Suppliers

– Climate-related regional events

– Civil Disorder/Attack

• Are strategies in place to lower the probability of controllable risks – and continue critical operations within tolerance levels if an interruption does occur?

• Which interruption scenarios have you included?

Page 9

[Diagram: Business Continuity. Labels: Supplier Outage or Transport Issue; Employee Unavailability; Power Disruption; Weather Events; Regulatory Mandate; Mission-critical IT Systems; Maintenance and Service Contracts; Contingency Plans; Disaster Recovery Plans; Insurance Policies; Mission-Critical Physical Infrastructure; Information Security; Testing and Training; Incident Procedures and Review Processes; Audit and Reporting Functions; “Stay In Business” Requirements; Change Control Process; Environmental Topology; Mission-critical IT Systems; Denied Facility Access; Civil Unrest, War.]

© Montague Technology Management, Inc. 2006, All rights reserved.

Page 10

[Diagram. INTERRUPTION EVENTS: “Worst-Case” Scenario; Minor Interruptions; Everyday Blips; Process Dysfunctions. SOLUTIONS: Disaster Recovery; Availability; Reliability; Engineering Core Business Value Chain Processes.]

© 2006 Montague Technology Management, Inc. All rights reserved.

Page 11

Interruption Scenario Characteristics

• Time / day of incident

• Damages type: Building infrastructure, reputation, regional infrastructure

• Personnel injuries

• Effects on critical operations

• Area: premises, building, small area, region

• Duration

Page 12

[Diagram: INTERRUPTION MANAGEMENT MODEL. Labels: IT Recovery Coordination; Business Recovery Coordination; Business Continuity Teams; Information Technology Recovery Teams; Interruption Management Team; Executive Oversight Team; Media Relations Team; Command Center Support Team; Business Continuity Coordination; Initial Crisis Management; Recovery Management; Employee Support; EMT Government Liaison; Emergency Funding; Physical Security; Transportation, Communications; Site Repair and Restoration; HAZMAT; Admin. Services; Damage Assessment; Emergency Logistics; Site Relocation and Re-creation; Site Repair or Relocate; Purchasing; Insurance Liaison.]

© 2006 Montague Technology Management, Inc. All rights reserved.

Page 13

BCM Program Content

• Does your BCM contain the following:

– Crisis Communication and Management Procedures?

– Business Unit Recovery Procedures?

– Technology Recovery Procedures?

– Supplier Failure Compensatory procedures?

– Restore/Relocation procedures?

• Are all involved parties trained and committed to their BC responsibilities? How do you know?

• How do you know that all of these will be effective when needed?

Page 14

BCM Program Approvals

• Is your BCM Program approved by:

– Internal and External Audit?

– Regulator(s)?

– CIO?

– Risk Committee of the Board?

– You?

• Which of these matters most and why?

Page 15

“Walking the Walk”

• Can you demonstrate that your program is a successful ongoing permanent business function?

– Annual budget?

– Status Reporting to annual objectives?

– Sufficient human and financial resources?

– Inclusion of BCM in Performance Evaluations?

– Appropriate Reporting Relationship?

Page 16

“Walking the Walk”

– Achievement of high verisimilitude in test scenarios?

– Proven ability to meet RPOs? Resolving all data synchronization issues?

– Proven ability to meet RTOs for App service continuity in high verisimilitude scenarios? Including all interfaces?

– Supplier SLAs for BCM? Penalties?

– Inclusion of BCM on task forces for strategic firm actions, such as acquisitions, strategic software implementations, HR Policies, Insurance, etc.?

Page 17

BCM Program Testing

In your exercise program, do you:

Test to discover inadequacies?

or

Test to meet achievable objectives?

Page 18

BCM Program Manager Objectives

• What are your real objectives:

– Ensure your firm survives any interruption.

– Keep the auditors/regulators happy.

– Keep your boss happy.

– Keep your job.

Page 19

Confirmation of Objectives

• What are the objectives of your management, board, stockholders:

– Do what is necessary to proactively lower risks and protect employees, while ensuring that the firm survives any interruption with the least damage.

– Meet the requirements of an external standard, such as NFPA 1600 or BS 25999.

– Spend the least possible to keep the auditors/regulators off their backs.

– BCM is an IT-only issue and it is the responsibility of the CIO to balance this against competing IT priorities.

Page 20

Discontinuity of Objectives

• Clues that there are problems:

– Objectives identified by inference

– Underdeveloped emergency communications and procedures

– No BCM Program budget or annual objectives

– Testing program inadequate but “successful”

– BCM function reports to IT

– BCM is not discussed at Sr. Management or Board Meetings

– High BCM Program Manager anxiety

Page 21

Identification of Gaps

• Verify existence and completeness of BCM Program components: see standards

• Use table-top testing to illustrate gaps

• Confirm objectives of all parties

• Calculate costs for BCM Program

• Calculate benefits of the existing BCM Program (hint: there may be an ROI problem here.)

Page 22

Propose a Plan to Close Gaps

• Identify priorities of stakeholders

• Identify sponsors and work with them

• Offer corrective plan at 3 levels: nothing, necessary improvements over time, much improvement in a short time

• Present to the right audience

• Document approved BCM Program objectives for the next budget period

• Propose a budget; adjust to cutbacks

• Document the detailed effect of budget cutbacks: don’t try to be a hero!

• Improve the Cost/Benefit ratio!

Page 23

Implement the Approved Operating Plan and Budget

• Make all costs visible

• Make progress to approved operating plan visible

• Document EVERY incident; do whatever possible to ensure that it does NOT happen again.

• Request BCM operating plan/budget changes when priorities or conditions change; work with sponsors

• Don’t try to be a hero!

• Improve the Cost/Benefit ratio by calculating all costs and benefits

• Measure and document all progress achieved by year-end.

Page 24

Keys to Success

• Confirm objectives of all stakeholders and resolve discontinuities

• Implement the will of Senior Management:

– Help them to frame their requirements

– Do the work

– Make it visible

– Document it

– Report back to stakeholders

• Insist on managing your own budget, whatever its size

• Don’t try to be a hero!

• If you treat this like any other permanent ongoing business function, others will eventually come around to the views of your sponsors.

Page 25

Keys to Success

• A false sense of safety from an inadequate BCM Program is DANGEROUS. Don’t be a source of danger.

• Be reliable and visible: do what you say, say what you do

– Set objectives and meet them

– Look for ways to improve and implement them

– Be visible: Status Reports, Newsletters, Awareness Programs

– Avoid surprises wherever and whenever possible

• Educate and create awareness

Page 26

And in closing

• Be reliable

• Tell the truth as you know it, but be smart in how you do it.

Don’t be a HERO!

kalucey@montaguetm.com tel: 1.516.676.9234