> State Street. Corporate Continuity Program. Continuity Organizational Structure. Program Oversight

Transcription

1 > State Street An Integrated Approach to Continuity Metrics & Progress Reporting Presented to: Continuity Insights May 2007 Presented by: Chris Glebus Continuity Organizational Structure Executive Management Corporate Continuity & Client Services (CCCS) Senior Management Business Continuity Manager Business Continuity Team Leader Business Continuity Team Leader Business Continuity Team Leader 2 Program Oversight Examining & Audit Committee of the Board of Directors Annual progress report and meeting Executive Management Annual Continuity Compliance Reporting Signoff on business and application continuity requirements Major Risk Committee Enterprise Risk Management Semi-annual presentation of Continuity Program to Major Risk Committee Corporate Audit Regulatory Audits 3 1

2 Program Foundation Program Standards Business Functions Applications & Technology Facilities Incident Management Staff Business Function Downtime Tolerance Levels Level 1 (0-4 hours) Level 2 (5-8 hours) Level 3 (9-24 hours) Level 4 (25-72 hours) Level 5 (73+ hours) Incident Management Recovery Scenarios Site Interruption Technology Interruption Counterparty and Market Human Factor Application Priority Groupings Priority 1 (0-8 hours) Priority 2 (9-24 hours) Priority 3 (+24 hours) Continuity Exercises (Facilities, Staff, Technology) Stand alone System / Application Corporate-wide / Data Center Business Relocation Call Tree / Notification Client Recovery INTRA Data Center 4 Benefits of Metrics Tracking / Compliance Reporting Well defined standards and measurements reduce subjectivity in assessing current status A repeatable measurable process demonstrates progress made in enhancing continuity capabilities Demonstrated progress can assist in gaining funding for continuity solutions Executive accountability drives home visibility and importance The value proposition - information can be used for projects other than BCP and reduce associated costs of gathering and tracking redundant data mergers and acquisition, asset management, risk management, operations, risk management, facilities, corporate security, information security, etc. Provides an effective tool for internal and external audits 5 Compliance Reporting Plan Evaluation Structure comprised of: Standards Criteria Compliance Requirement Measurement Compliance Detail / Considerations Assessing the Plans initial assessment vs. ongoing reporting 80/20 split - Self Assessment / Corporate Assessment Standards integrate both Business and Technical Continuity for an overall picture Each application / system is linked to a Business Continuity Plan Ability to break out technical detail for reporting purposes 6 2

3 Compliance Reporting Business Continuity Plan must be owned at an executive level Effective Compliance / Metric Reporting should cover several levels Overall Corporate Roll-up for benchmarking and trend analysis Executive Management - overall plan status by executive, plan status by standard, overall application by executive, detail status for each application IT Executives overall summary for applications supported, detail for applications supported Business Continuity Managers - plan level by standard and criteria, detail for applications owned Controls in place for ownership and accountability Business Continuity Plan names and executive owner sign-off Business Function names, recovery requirements, and executive owner sign-off Application names, recovery requirements, and executive owner sign-off 7 Plan Evaluation Structure Business Continuity Example Standard 2 Identification and prioritization of all business functions and their recovery time objectives. Criteria Compliance Requirement Measurement Compliance Detail / Considerations 2-b Conduct a Formal Business Impact Analysis (BIA) on a Scheduled Basis and Establish a Continuity Plan 1.For existing business units, BIA must be conducted every 18 months with EVP review & sign-off 2.New business units must complete a BIA within three (3) months of inception and or change of control, with EVP review and sign-off and a Business Continuity Plan within six (6) months of inception Green:all requirements met Red:requirements not met New business units can start building components of their Business Continuity Plan at the same time that the BIA is being conducted i.e. call tree, etc. New business units may come from mergers and acquisitions Change of control is defined as the point in time at which State Street assumes control of the acquired business When naming plans for business units, utilize standardized continuity plan naming convention: [Standard Text] _ [Free form Text] _ [ Locations] Ex: GLOBAL - SVCS _ BANKING SERVICES _MAO 3.BIA final results should be included in plan, e.g. Appendix 8 Plan Evaluation Structure Technical Continuity Example Standard 3 Identification of all technology resources required to support business functions i.e. applications and systems Criteria Compliance Requirement Measurement Compliance Detail / Considerations 3-fIdentify All Applications Owned by the Executive Manager of the Plan / Business Unit and the Corresponding Recovery Information Document the following for each application owned: Application Name Executive Manager / EVP (Business Owner) Recovery Time Objective in hours Recovery Point Objective Production location of the application* Recovery location of the application* Platform 2. Map each application to a business continuity plan Composite Applications Green: information provided for all applications owned Yellow: information missing for less than 25% of applications owned Red:information missing for 25% or more of applications owned N/A:not applicable, do not own applications Individual Application Green: all information available for a given application Red:information missing for a given application owned N/A:not applicable, do not own applications The business owner of an application is defined as an Executive Manager / EVP The business owner must approve / sign-off on recovery requirements for new applications and changes in recovery requirements for existing applications Recovery Time Objective (RTO) is defined as the total elapsed time from the time an event is declared through the time when the business unit has complete functionality of the application, including the time to recover the application Recovery Point Objective (RPO) is defined as the acceptable age of the data (defined as a point in time), relative to the recovery event that is made available to the business unit when the system is recovered. For example, an application may have an RTO of 8 hours and an RPO to point of failure, which means that no data loss can occur Verify through your Application Support department that the Application Recovery Plan is located on Oasis or comparable documentation repository 3

4 > Sample Compliance Reports Business Continuity Manager Business Continuity Manager - Plan Compliance Detail Jane Doe N/A John Doe 11 > Sample Compliance Reports Business Executive Roll-up 4

5 Executive Business Owner - Plan Compliance Summary 13 Executive Business Owner - Application Compliance Summary 14 Executive Business Owner - Application Compliance Detail Note: Location Code Legend is also provided 15 5

6 > Sample Compliance Reports Corporate Roll-up State Street Corporation Overall Plan Compliance Summary by Standard 17 State Street Corporation Overall Application Compliance Summary 18 6

7 > Sample Compliance Reports Trend Analysis Trending of Annual Compliance Reporting for All Criteria 100% 27% 80% 14% 18% 5% 7% 8% 60% 40% 65% 75% 81% 20% 0% 2003 Complete Partially Complete 2005 Incomplete > Getting Started Rome Was Not Built in A Day 7

8 Getting Started Create a steering / advisory committee of executives Business and corporate support groups Define, document, and communicate standards and measurements to Business Continuity Managers and Business Executives Start with a few metrics to get the process moving forward add more later Don t need to integrate business and technology continuity metrics in first pass announcements and workshops / training for Business Continuity Managers Determine frequency of reporting Define, develop, and implement controls and processes for plan and application ownership Multiple business units using an application? Primary BU funding the application owns it Define, develop, and implement reports required by audience Corporate Roll-up, Executive Management, IT Executives, Business Continuity Managers, etc. Provide comment capabilities on BCM reports Define, develop, and implement tools to track and report on standards Microsoft products (Excel, PowerPoint) can be used to start; consider databases and on-line distribution 22 Getting Started 23 Gather Data Use any data that has already been collected and ask for validation / changes with executive sign-off Where there is no data Obtain BUSINESS plan and application ownership list by business unit Jointly assess each plan and application to establish a solid baseline for reporting with established target dates As always get sign-off Provide preliminary view of reports to one or two Business Continuity Managers and a Business Executive for feedback Before sending reports to executives, preview reports to Business Continuity Managers make necessary modifications Conduct first round of reporting and ensure executive awareness of baseline measurement Communicate ongoing maintenance process (self assessment vs. corporate assessment) Repeat! Making Program and Reporting Enhancements Work with subject matter experts in developing enhancements i.e. Global Realty, Corporate Security, Information Technology, etc. Review proposed enhancements with steering / advisory committee for feedback and approval Ease into enhancements that strengthen and or increase standards, criteria, compliance requirements, and or measurements within a plan. Slowly eliminate partials Provide enough time for Business Continuity Managers to comply with enhancements 6 month lead time between announcement and compliance Consider exception reporting for high risk items Consider trending analysis 24 8

9 Continuity Application Suite Continuity Reporting System Dependency Reporting LDPRS Envision CBCP Business Functions Global Processing Timeframes Business to Applications, Facilities, etc. Future replacement for CPD Application Repository Future replacement for Recovery Exercise Database Compliance Reporting Database (CPD) Continuity Compliance Reporting DR APP Application Repository MS Access - Not Scaleable The Conduit Corporate Feeds People Soft Location State Street Notify Automated notification tool for Incident Management 25 Legend Strategic Continuity applications Initial continuity applications to be retired > Stand Alone Recovery Exercise Database Tracks Technology Recovery Exercise Objectives, Results, and Resolution Initial continuity applications for compliance reporting Questions? 9