RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief

Transcription

1 RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief INTRODUCTION Now more than ever, organizations depend on services, business processes and technologies to generate revenue and meet their objectives. Investors, customers and Boards of Directors are becoming more interested in management's capability to continue operations through a disruption and their ability to carry on the mission of the organization. Companies must have a central repository of real-time decision support tools that allow personnel to react quickly and effectively when crises occur that impact their employees, customers, operations or brand reputation. AT A GLANCE Leverage a pre-configured 3-in-1 integrated solution -- Risk and Impact Analysis, BC/DR Planning and Crisis Management Document standardized BC and DR plan Automate plan maintenance and testing with workflows, notifications and issue management Analyze criticality and risks of processes with integrated risk assessment and BIA Manage crisis events with phased notification plans; integrate with BC and DR plans Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities. An increasing number of organizations are recognizing BCM as a mission-critical function. Many governmental and virtually all regulatory bodies around the world have incorporated some level of BCM requirements. There are three main drivers for this broad awareness of the importance of BCM: o 24/7 service delivery requirements that put greater pressure on business and IT resource availability o Globalization and an ever-expanding and increasingly complex supply chain o Increasing operations risk due to more frequent disruptive events CHALLENGES IN BUSINESS CONTINUITY AND DISASTER RECOVERY BCM is a top-level concern for enterprises, and it is vital to maintaining financial confidence and the reputation of the business. The growing number of terrorist attacks (starting with Sept. 11), 2003 power outages, the 2005 London bombings, the 2005 U.S. hurricanes, shootings at higher education institutions, floods in the U.K. and U.S., earthquakes in Haiti and Chile, volcanic ash in Iceland, the 2010 BP oil spill, the 2011 Japan earthquake/tsunami/nuclear radiation event, and other incidents are driving expanded scenario planning, coordination of public and private sectors, and an increased focus on legislating business continuity into business operations. Lack of effective continuity planning or inefficient recovery efforts can be extremely costly, resulting in unknown or unacceptable losses. Inefficient planning can also be costly, while not ensuring the organization can recover after an event. For example, a company that determines all their processes are critical and must be recovered SOLUTION OVERVIEW

2 immediately is expending effort and money that may not be needed. Conversely, the company that doesn t plan at all doesn t know what they don t know. Effective planning can do much to limit the financial losses resulting from a crisis. Regardless of events that occur, the organization must continue to function. Waiting for an event to occur to see how the organization reacts is a recipe for disaster. Organizations always learn from actual crises, but learning should be against plans that were put in place as opposed to the beginning of the process. The organization that takes measured proactive steps, and tests their plans will have a much more efficient and effective recovery effort. Adequately trained recovery personnel with comprehensive plans can take much of the worry and load off of management so they can continue to focus on running the business. However, even as organizations increasingly recognize BCM as a critical function, many of them face a myriad of challenges in implementing and maintaining business continuity (BC) and disaster recovery (DR) plans. Typically, static plan documentation is captured using multiple tools and inflexible systems that are costly to customize and upgrade. In addition, the processes for creating, approving, maintaining and testing BC/DR plans are uncoordinated. Compounding this lack of coordination, communication among BC, DR and crisis teams is minimal, providing limited shared visibility into new and emerging IT or LOB (line of business) risks that may impact the continuity or resilience of the company. There is little knowledge of which processes, technologies and other infrastructure components are highest priority for recovery based on their criticality to the business, with no accountability assigned for recovery. These issues make it difficult to report or prove to senior management that current BC/DR plans will work as planned. It also puts organizations at significant risk of continuity-related impacts. Business interruptions, ranging from isolated infrastructure failures to regional events, have the potential to cause serious financial harm and/or reputational impairment. Most organizations legacy business recovery strategies have considerable holes, with BCM strategies that address crisis management, business recovery or IT disaster recovery. However, if these disciplines exist, they are designed and developed separately and lack integration, with non-existent business and IT management support or high-level sponsorship, and minimal, if any, participation by key groups, such as operations, finance, IT, risk or security. BC accountability and responsibility remain unassigned.

3 An organization s recovery efforts are typically chaotic and ad hoc, relying on heroic measures. The organization lacks confidence in its ability to survive following a business interruption. Recovery goals, priorities and expectations were derived without risk assessments or BIAs. Business continuity strategies are ad hoc and documented BC plans do not exist. Testing, training and awareness processes have not been implemented, and management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions. IT DR is often the most mature aspect of the continuity process, yet it is rarely wellcoordinated with BC or Crisis Management planning. Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort. BC or IT DR planning and testing does not evolve with the changing direction and priorities of the business. As changes occur in the organizations, processes, priorities and needs of the organization, risk assessments, BIAs and BC/DR plans need to evolve as well. THE IMPACT OF REGULATIONS ON BCM PROGRAMS Many industries and their regulations require some level of BCM governance, including publicly-traded companies and organizations involved in healthcare, government, finance and utilities. There are well over 100 regulations, methodologies, maturity models, guidelines and laws that have something to say about BC or DR. These authoritative sources can be regional, country-specific, industry-specific, topic-specific, offer practical advice, supply best practices and much more. One of the newest BCM standards is the long-awaited International Organization for Standardization (ISO) standard, which specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS). This standard represents an improvement in areas such as disaster response and crisis communications. It also makes executive governance the focal point of a BCM program, and this may make it more rigorous for some organizations to implement. As a result, many organizations are left with more questions than answers: which sources do we comply with and why? And once we figure that out, how do we handle conflicts between the sources and how do we prioritize them? Further to that point, how do we institute these requirements into our existing program? And if we do, will these authoritative sources provide us with good guidance or are they just a checklist of requirements? What if we re audited -- how do we prove our program is compliant? Finally, how do we explain and justify this to executives and business partners? These questions are being asked in BC/DR programs of all levels of maturity. In today s global business world, the one thing that is certain is change. Organizations must be vigilant for changes in the authoritative sources they follow, as well as new sources that emerge and related implications on their business and BCM program. Companies must also be aware of changes to their business, such as acquisitions which may require additional authoritative sources, divestitures which may reduce sources that need to comply with, or other business changes that may have downstream effects on their BCM program.

4 MOVING BC AND DR MANAGEMENT TO THE NEXT LEVEL In order for organizations to move their BC and DR management forward the following key areas need to be considered: Bringing business context into BC and DR planning: How do you know what s important without knowing the criticality of your business? Which processes are most critical? What are the right recovery objectives? What IT assets support which business processes and, as a result, inherit the same recovery needs? These are all questions that need to be answered in the course of determining recovery priorities, strategies, testing and activation. A centralized business process and asset repository tied to the supporting IT assets enables management to catalog and organize their infrastructure to determine what there is to recover and how they re associated. Align BC and DR planning with the business priorities The ISO standard recommends that BCM be aligned to the business priorities and strategic objectives of the organization in a flexible enough way to adapt and react to changing priorities. Businesses are fluid. Things change. Priorities are evaluated on a regular basis why shouldn t BCM planning and execution follow that pattern? Recovery strategies that fit in one part of the world or in a particular situation may not in another. The question must be asked do our recovery priorities and strategies address the true risks and potentially disruptive events? If not, then BCM is no more than a paper exercise but won t necessarily enable the organization to survive through a true disaster. Management can then take that business process listing and asset catalog and begin to determine criticality and recovery priorities, such as Recovery Time Objective (RTO). Separate groups that want to define these priorities will have a central methodology, approach and tool to do so. The results of the BIAs can be used for a myriad of activities, such as Threat Management, Risk Management and Compliance. Integrate Crisis Management and BC/DR Planning It s one thing to muddle through a crisis event, being saved by heroic efforts, and quite another to have adequately planned and proactively managed the event through to resolution, and then activated the right BC/DR plans and recovered disrupted processes and assets within recovery objectives. This is a monumental challenge for most organizations. It is critical to have the right toolset and operational processes that blend together to enable crisis management to happen effectively. Testing, testing and more testing not only BC/DR plans but also crisis management leads to a better chance of success. Manage the overall program Bringing it all together, from planning to testing to execution, and then reporting on it, improving it and doing it all again. Keeping the BCM program in line with changes in the organization, regulations, new business and other internal and external factors is critical. An effective BCM program requires executive attention and prioritization. This occurs through having an effective and reportable BCM program in place that is proven to understand and respond to the needs of the organization and that can especially recover after a disruption.

5 Crisis Management Communications Activation Event Management BC/DR Planning Recovery Plans Resources Plan Testing Plan Maintenance Operations Program Monitoring Enterprise Management Visibility Business and IT Context Business Assets IT Assets Prioritization, Criticality, Recovery Objectives Risk and Impact Analysis Business Impact Analysis BC Risk Assessment WHY RSA ARCHER FOR BCM AND OPERATIONS? RSA Archer Business Continuity Management (BCM) offers a three-in-one approach to business continuity, disaster recovery and crisis management in a single management system. It allows organizations to respond swiftly in crisis situations to protect ongoing operations, assess the criticality of their business processes and supporting technologies, and then develop detailed business continuity and disaster recovery plans, utilizing automated workflow for plan testing and approval. RSA Archer BCM was developed through collaboration with Fortune 1000 clients and operational risk experts from Accenture, Deloitte & Touche, E&Y, KPMG and Wipro. With RSA Archer Business Continuity Management, continuity planning is aligned with the organization s priorities and business objectives, and recovery strategies and plans are welldesigned and tested utilizing a consistent BC/DR process and methodology so appropriate personnel know what to do in crisis situations. Organizations can manage plan execution and communication in crisis situations to minimize harm to employees, customers, reputation and business operations.

6 RSA Archer BCM enables automated, up-to-date BC/DR plans for the organization s latest environments and business processes to be easily accessed during a disruption of service. Consistent processes provide visibility into the current state of the organization s plan statuses, review dates, test results, test remediation statuses and crisis tasks, enabling collaboration across BC, DR and crisis teams. Crisis personnel can efficiently respond to a crisis event with documented, step-by-step procedures. BC/DR plans are linked to the company s repository of processes, assets, facilities and contacts, enabling plans to be aligned with the organization s business priorities and establishing accountability. Senior management has an understanding of the continuity risks, insight into needed budget requirements and a level of confidence that a plan is in place if a crisis occurs. RSA Archer provides out-of-the-box expertise in regulations, threats and best practices that come with the RSA Archer BCM solution, saving customers significant time and resources managing security, risk and compliance. Mobile capabilities to access BC, DR and CM plans and recovery tasks from any location during a crisis A user-friendly interface that allows business users to make changes with no custom code Integration of business continuity into an organization s larger GRC program enabling consistent measurement and reporting of risk across the enterprise Centralize and coordinate risk assessment, BIAs, business continuity and IT disaster recovery plans, and crisis management RISK AND IMPACT ANALYSIS The BCM Risk Register enables customers to identify, evaluate and plan for risks that may impact their business. The Business Impact Analysis collects information on each business process related to its criticality, recovery time objective (RTO) and recovery point objective (RPO), and shares it among interdependent teams in a simple, consistent format.

7 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Develop detailed recovery plans for business processes or IT assets, utilizing automated workflow for plan testing and approval. The application provides a method to document the results of BC/DR plan tests, ownership and workflow. CRISIS MANAGEMENT AND RESPONSE Report and manage crisis events, send emergency notifications to communicate crisis information to appropriate personnel, and activate BC/DR plans to recover disrupted business operations, facilities or IT infrastructure. OPERATIONAL COLLABORATION ACROSS THE BUSINESS Integrate RSA Archer BCM with RSA Archer Enterprise Management to relate BCM components such as risks, BIAs, recovery plans or crises to organizational units (e.g., divisions, business units) and infrastructure (e.g., processes, facilities, IT applications or vital records) for visibility, ownership and reporting. Tie BC/DR plans directly to a repository of business hierarchy and enterprise infrastructure. Integrate with other GRC processes, such as enterprise risk management, incident management or third party management to align recovery efforts with organizational objectives and priorities. Assess recovery readiness and determine compliance with key authoritative sources or methodologies. BCM MOBILE APPLICATION Organizations can leverage the RSA Archer BCM mobile application to view BC/DR plans, strategies, calling trees and requirements according to user role. This supplements hard copy plans for availability at any location during a crisis event to enable rapid response. The mobile application enables organizations to obtain true high availability for BC/DR plans via offline access in the event that the data center is not available.

8 EGRC PLATFORM The RSA Archer egrc Platform supports business-level management of governance, risk and compliance. As the foundation for all RSA Archer egrc Solutions, the Platform can be adapted to an organization s requirements and integrated with other systems without touching a single line of code. It is a common, flexible platform for process automation, integration and reporting, enabling business users to administer their BC/DR/Crisis business processes. The Platform provides a consistent, easy to use workflow and notifications, with real-time reporting and dashboards providing visibility into BC/DR/Crisis activities and statuses. EGRC CONTENT LIBRARY The RSA Archer egrc Content Library provides the industry s most comprehensive knowledgebase of enterprise governance risk, and compliance (egrc) content. The Library includes best-practice policies, control standards, control procedures, assessment questions and authoritative sources, pre-mapped to jump-start your reporting. EGRC COMMUNITY The Archer egrc Community provides an online network with a membership of more than 9,500 governance, risk and compliance professionals enabling members to collaborate on egrc and BCM challenges, trends and provide guidance for future product enhancements. RSA ARCHER PROFESSIONAL SERVICES AND EMC CONSULTING SERVICES RSA Archer offers BC, DR and CM process consulting from RSA Archer egrc implementation consultants and EMC BC/DR experts. CONCLUSION Successful BCM programs begin with central program management; incorporate a basic methodology or approach; integrate people that are part of a central program as well as throughout the business and IT; and leverage toolsets that facilitate and make the process more efficient and seamless. With RSA s Business Continuity Management and Operations solution, organizations can deploy a holistic management process to prepare for possible disruptions to business processes, manage crises and manage risks to business operations. Organizations can automate their approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution. CONTACT US To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller or visit us at EMC 2, EMC, the EMC logo and RSA Archer are registered trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2012 EMC Corporation. All rights reserved. Published in the USA. 01/13 EMC Perspective EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.