Upload
geoffrey-carr
View
212
Download
0
Embed Size (px)
Citation preview
BYHUSSEIN K. ISINGOMA
CISA,CISM,CRISC,CIA,FCCA,CPA,MSC,BBS
AG. ASSISTANT COMMISSIONER,INTERNAL AUDIT
MINISTRY OF FINANCE,PLANNING AND ECONOMIC DEVELOPMENT
A PRAGMATIC AND EFFECTIVE APPROACH TO BUSINESS CONTINUITY AND RECOVERY PLANNING
July 2011
1
Presentation Plan
Introduction and Background
Understanding Business Continuity and Disaster Recovery Planning
The Need for BC/DR Planning and Management
BC/DR Planning Tasks/Processes
Achieving effective BC/DR Planning; Key Issues
BCP resiliency: Thinking Cloud ?
Conclusions
2
Introduction and Background
The World is still fresh with shock and memories of the recent events and impact of the march 2011 Japanese earthquake/tsunami that has had devastating destruction on infrastructure and mainly on the Fukushima Nuclear Plant
The Fukushima disaster is being termed as probably the biggest industrial catastrophe in history of mankind
The Nuclear plant was run by the Tokyo Electric Power Company(TEPCO) which supplied 1/3 of Japan’s electricity before and until the quake.
The seawall that was designed to mitigate the impact of a tsunami was only 5.7 metres high and all previous assessments had never put a possibility of the tsunami going beyond the 5.7 metres. It was wrong; the 03/11 tsunami rose to 15metres !!!!!! just 45 minutes after the earthquake
BBC news report and the Economist newspaper of 28th June 2011 reported a fall in share price of TEPCO by 85%, faced a prospect of $100 billion compensation, 23,000 died or were missing , 80,000 evacuated
The company’s Tsunami safety plan was only one page and had been last updated in 2001 The 9/11 World Trade Centre terrorist attack took out a total of 13,000 servers and
estimated cost of replacement of IT for the effected Securities firms stood at $ 3.2 billion. Some of the other disasters or near disasters occasioned by IT failures include; loss of 25
million records of the Child Benefit Recipients' in the UK, failure of the former Soviet Union Early warning System in 1983 that almost drew the World to the prospect of World War III.
3
Business Continuity/Disaster Recovery Planning
The purpose of Business Continuity is to ensure that core business functions continue with minimal or no interruption.
The objective is to ensure that the organization will survive and continue to generate revenue.
Disaster recovery is about rebuilding
Clients and investors alike are notorious for abandoning organizations during their rebuilding phases
It doesn’t take much effort to cause layoffs, fall in stock or share prices or even permanent shutdowns
The above realities lead us to the evolution from disaster recovery to business continuity
4
What do organizations or Businesses need ?What do organizations or Businesses need ?
News of the World !!!! Did they ever plan for the phone hacking scandal that led to its closure ???
News of the World !!!! Did they ever plan for the phone hacking scandal that led to its closure ???
In the aftermath of recent natural disasters, terrorism, equipment breakdown, businesses have recognized more than ever the need for ever to be prepared
Firms/companies are striving to meet demand for continuous service
The growth of e-commerce has pushed the need for systems availability expectations toward 24x365
It is important that a BCP adequately supported throughout the organization, embodies the strategic framework for a corporate culture to mitigate risks that might cause Business process failure Asset loss Regulatory liability Customer service failure Damage to reputation
Business survival necessitates planning for every type of business interruption.
The Need for BC/DR Planning and Management
5
Part of the Risk Response Strategies
Part of the Risk Response Strategies Risk Management Risk Management
BC/DR Planning: The Risk Management Perspective
6
BC/DR Planning Tasks/Processes
7
BC/DR Planning Enablers
8
Rationale for BC/DR Planning; the Business Value case
Value delivery. Coping with severe impacts to business arising out of
interruptions makes businesses more valuable, reliable and dependable
Survival. A well designed, exercised and maintained plan lies between a
business’s ability to continue as a going concern or going bust !
Risk Management maturity enhancement
Competitive advantage ; case for offshore soft ware development
initiatives/vendors
Staff and client confidence
Compliance
Insurance costs/premiums
Diagnosing organizational efficiency
9
Business Contingency Planning General Procedures
10
Disaster
1st Person on scene calls BC Manager
Call Recovery Management Team
Recovery Mgt Team report to Command Centre
Recovery Team report to Disaster Scene
Will Orgn. be out >
72hrs
Report status to Recovery Mgt Team
Inform COO/CTO
Invoke BCP?
Return to Normal Operations
Invoke BCP
NoYes
No
Yes
Call Business Continuity Coordinator
Inform HQ’s
Achieving effective BC/DR Planning; Key Issues
Top or Senior Management Sponsorship. Consensus ought to be established to: Guide which aspects of business to stay operational in case of disruptions The level of protection needed; risk appetite synchronize BC/DR plans with overall business strategy
Risk Analysis Risk identification should consider a wide range of possible scenarios. More often than not, BCP’s consider the most likely scenario’s Although focusing on big events is desirable, a narrow focus on risk could lead to potentially
disastrous events
Business Impact Analysis Organizations' have limited resources. There is need to focus on key processes that need to
be recovered in case of a disaster Focus on key business processes and critical dependencies BIA need to kept updated as the business changes or subject to periodic review Identify process specific Recovery time objectives(RTO’s) Prioritise recovery efforts based on agreed RTO’s Review service level agreements with service providers
11
Contd……
BC/DR organization Roles and responsibilities need to be defined BC/DR requires organization, coordination, and execution How and when is a disaster declared and by who ? Criteria for disaster definition and therefore declaration
Plan exercising/testing If a BC/DR plan is not tested, it could fail under the stress of real disaster The ability of the BCP to execute when a disaster is declared is key Annual testing of the plan is desirable Look at ways of integrating of testing into normal business operations Opportunity to test failover/redundancies
Scoping Over concentration on resumption of business at the expense of people and processes Personnel can be incredibly inventive and innovative as opposed to systems in times of
disaster People issues tend to be the more difficult of challenges to resolve during disaster
12
Contd…..
Funding of BC/DR activities Many organizations consider BC/DR as good but not essential Many plans are unfunded; posing further risks to the organization's business continuity There is need to develop formal business cases for BC/DR for funding Projects need to take into consideration continuity issues before implementation
Communication plan There is need to have a well documented communication plan Employees call trees, supplier and vendor contacts need to be constantly updated Consider multi vendor support for key means of communication
Media Management/Public relations Need to mitigate reputation loss through effective media management Clients and the public need reassurance and faith that the situation is not as bad as perceived
and is under control Its about winning the Hearts and Minds of stakeholders Staff members or employees need not give their own view of the situation to the media Prepare public statements in advance to prevent the media from turning the situation into a
Public relations nightmare
13
Contd….
Security The time the organization is most vulnerable to security threats is in time of disaster The propensity to ignore security procedures is very high Incident Management team and structure must include appropriate IT security staff to stem all
possible anomalies
Inventory Management Review inventory list continuously A comprehensive list of equipment needed for recovery and resumption activities should be
maintained
Role of insurance Need to ensure that insurance provisions address timely re-imbursements in case of losses
accruing from disaster Internal organizational policies need to address the accounting treatment of assets and related
depreciation Clear definition of scope covered under insurance is critical Insurance policies need to be constantly monitored so as to reflect the new realities, risks or
challenges to business
14
Complacency !
BCP requires constant updating
Business risks and related potential impacts are constantly changing
15
Amazon EC2 Amazon EC2 Lessons Lessons
Whilst it is easy to be critical of Amazon, for many who
have used its EC2 Cloud, the benefits to their performance,
business continuity and resilience have been significant.
Many have been able to achieve higher levels of uptime
and reduce costs whilst managing higher demands.
The April 2011 AWS (Amazon EC2) "failure" has probably
caused their customers to take a hard look at their
business continuity plans
Challenges related to security responsibility, information
residence, data ownership and confidentiality remain in
the cloud
A well structured service level agreement(SLA) that
includes the rights to audit is key in assisting the
organization in data mgt in stored, transit or processed
data in the cloud
Think through the going Cloud Business carefully
and thoroughly
Understand the infrastructure upon which the
cloud operates; do you need internal IT
resources ???
How robust are your cloud SLA’s as regards
compensation for downtime. Are they worth the
cost of the downtime?
Remember too well that :
You fate is in the hands of the service provider
whose fate is in the hands of …….?????
BCP resiliency: Thinking Cloud ?
16
Crossroads or an epitome of science?
Crossroads or an epitome of science? Balancing the Act !!! Balancing the Act !!!
The greatest joy of living is not in never falling but getting up every time you fall –
Nelson Mandela
BCP; Which Way to go ???
17
References: BCP standards
Control objective for information and related technology (CoBIT)
Federal Emergency Management Association(FEMA)
National Institute of Standards and Technology(NIST)
Disaster Recovery Institute International(DRII)
18
Conclusion!
BCP is about managing and mitigating the potential impact change
Remember !
‘When trying to predict future organizational environments, it seems that our only certainty is that things will change’
(Kotler,1998)
19