17/03/2014

What works: Services and service supply chain business continuity risk management

Don Hall, CBCP
Cisco Systems, Inc.
March 31, 2014

Cisco Public Information
© 2013-2014 Cisco and/or its affiliates. All rights reserved.

(Business Continuity Institute, 2012)


Agenda

• The Challenge
• The Solution
• Scope
• Methodology
• Metrics and Reporting
• Supporting Contracts
• Lessons Learned
• Questions & Answers


“If I always appear prepared, it is because before entering an undertaking, I have meditated long and have foreseen what might occur. It is not genius which reveals to me suddenly and secretly what I should do in circumstances unexpected by others; it is thought and preparation.”

(Napoleon Bonaparte)

“If you wish to be a success in the world, promise everything, deliver nothing.”

(Napoleon Bonaparte)


About Cisco Services

Types of Services

• Professional (Advanced) Services: assist customers in transforming their businesses for today’s competitive marketplace

• Technical Support Services: speed issue resolution, ensure business continuity, maintain network performance and improve operational efficiency

• Smart Service capabilities: provide actionable intelligence gained from secure visibility into the health of a customer’s network.

Types of Support

• Phone Support
• Email Support
• Field/On-Site Support
• Web Chat Support
• Web Self-Service
• Support Community

Support Center Locations

• Global Technical Assistance Center (TAC) locations: San Jose, CA (USA); Richardson, TX (USA); Raleigh, NC (USA); Boxborough, MA (USA); San Jose, Costa Rica; Brussels, Belgium; Krakow, Poland; Amman, Jordan; New Delhi, India; Bangalore, India; Sydney, Australia

• Regional TAC locations: San Bruno, CA (USA); Houston, TX (USA); Mexico City, Mexico; Rio De Janeiro, Brazil; London, UK; Oslo, Norway; Munich, Germany; Kortrijk, Belgium; Moscow, Russia; Istanbul, Turkey; Seoul, Korea; Tokyo, Japan; Beijing, China

• TAC Support Capabilities: 180+ countries, 24 TAC facilities, 17+ languages

Cisco Services Business Continuity Team

This presentation represents the Supplier Business Continuity Risk methodologies employed by Cisco Services and does not include manufacturing or other business functions within Cisco Systems, Inc.

Small team to provide:

• Business Continuity Program Management
• Business Continuity Training
• Subject matter expertise for Services Business Continuity teams
• … and Supplier Business Continuity Risk Management.

Business Continuity Plans are managed using “in-house” templates and document management controls.


Cisco Services Suppliers

• Cisco Services employs Suppliers in virtually every business function.
• There are hundreds of contracts for Suppliers ranging from temporary workers to “fully outsourced services”.
• Many of these Suppliers support “critical” business processes.

Supporting Programs

Cisco Services has a large global Supplier network to ensure resiliency of operations and this program augments those capabilities.

Other programs within Cisco perform periodic “on-site” visits, such as:

• Business teams (Cisco Vendor Managers)
• Trade-compliance and other “auditing” teams

These teams can be helpful for:

• Raising additional areas of concern from site visits
• Validating key business continuity elements during site visits
• Raising awareness of the Supplier Business Continuity Risk Assessment
• Identifying Supplier service outages that may indicate “gaps” in plans


The Solution


Scope

Goal: Ensure the continuity of “critical” business processes

• One Assessment per Supplier (not coupled to contracts)
• Excluded temporary worker contracts (covered by Cisco BCP)
• Scope Guidance:
    • Minimum Annual Contract Value
    • Minimum Time Remaining on Contract
    • Representative sample of locations
• Exceptions are made when deemed essential to operations
• Cisco Vendor Managers must approve Suppliers removed from scope

Assessment Methodology

[Process diagram; stages in the order shown]

• Supplier: Sites, Questionnaire, Evidence Files
• Initial Report: Tool generated, Provides focus
• Verify Evidence
• Open a dialog: Supplier, Vendor Manager
• Validated Assessment

Diagram labels: “<10%”, “Perceived risk”


Questionnaire

All questions are based on “best practices” for Business Continuity

• 5 Corporate governance questions
    • Does the Supplier have a comprehensive Business Continuity program?
• 14 Site-specific questions (identical for each site)
    • Has the Supplier completed a Business Impact Analysis (BIA)?
    • Does the Supplier have a current Business Continuity Plan (BCP)?
    • Has the Supplier conducted a BCP exercise within the past year?

Note: The specific question language is included in the handouts

Evidence Requirements

Evidence is required to support responses and prioritize risk dialogue.

• Corporate governance questions
    • The BCM policy
• Site-specific questions
    • BIA (within 2 years)
    • BCP (within 12 months)
    • Exercised (within 12 months)


Delivery & Reporting Tools

• Third-party web-portal based solution to gather data
    • Cisco Services defined Question Set
    • Cisco Services defined Evidence Requirements
    • Tool-generated “initial” assessment report
    • Provides a number of reports that can be exported to Excel
• Excel spreadsheet
    • Tracking Cisco Vendor Manager contact information
    • Track history of interactions with Supplier
    • Historical tracking of assessment scores and status
    • “In-house” reporting

Assessment Tool Scoring and Status

• The tool provides a risk status for each Supplier.
• The combination of site risk levels, corporate governance risk, and supporting evidence determines the overall Supplier’s risk status.
• Cisco Services uses the risk status to focus Supplier risk discussions.

[Diagram: Corp, Site 1 and Site 2 feeding into Risk Status]


Evidence Validation - General

Balance the need to verify a Business Continuity program and plans against the needs of an organization to protect sensitive and proprietary information.

Generally we accept a minimum level of evidence that a document exists, is current, and meets the standards.


Risk Dialog with Suppliers

Goals of dialog

• Collaborate with the Supplier to validate responses and level of risk
• Identify gaps in Business Continuity practices or plans
• Have Supplier provide timeline to close identified gaps
• Track and monitor progress to plan

The risk dialog is always conducted by an experienced Business Continuity practitioner as the responses to questions may raise other concerns.

Assessment Reporting and Metrics

Monthly and Quarterly risk status reporting to management team.

Metrics tracked include:

• Assessments completed by Supplier
• Evidence validated
• Evidence gaps identified and closed
• Risk status improvements


Supporting Contract Language

Vendor shall implement and maintain a business continuity program designed to ensure the continued availability of essential business functions during any event that would otherwise materially affect Vendor’s ability to deliver services.

Vendor shall implement and maintain a Business Continuity Plan (“BCP”). The BCP shall be documented in writing and shall include, without limitation, evidence of a Business Impact Analysis (BIA) that identifies essential business functions and establishes their Recovery Time Objectives (RTO), Crisis Management Plans (CMP) to coordinate and communicate appropriate continuity actions, and Disaster Recovery Plans (DRP) for all essential business functions necessary to meet contractual obligations with Cisco under this Agreement and all SOWs. The BCP shall be reviewed, revised and tested/exercised by Vendor at least once every twelve (12) months. Vendor shall provide evidence of the BCP within ten (10) business days of the Effective Date.

Vendor agrees to complete a Vendor BCP assessment using the tools and processes prescribed by Cisco within thirty (30) days of a written request, not to exceed two (2) assessments within a twelve (12) month period.


Lessons Learned


• A significant effort will be required in the first quarter. We had to assist 80-90% of the Suppliers complete the assessment.
• Validating evidence files for self-reporting “low risk” Suppliers is as important as validating higher risk categories.
• Evidence gaps in 70-80% of assessments over the past 2 years.
• Adjust risk status when evidence files do not support a response.
• Supplier risk metrics will drop as you validate evidence – prepare your management team for the changes in status.


Summary

• Gather Supplier data to obtain an initial risk status
• Use the risk status to focus efforts on highest risk Suppliers first
• Validate all critical Suppliers including “low risk”
• Have an open risk dialog with the Supplier
• Keep the Vendor Management team informed and engaged


Results Achieved


Thank you.