Aligning Disaster Recovery and Business Continuity to Business Objectives. Session E7 John Jackson Fusion Risk Management, Inc.

Transcription

1 Aligning Disaster Recovery and Business Continuity to Business Objectives Session E7 John Jackson Fusion Risk Management, Inc. Topics Business Drivers Resilience Defined Your RPO is zero (or close to it!) Risk Management Framework Business Impact Analysis retooled Communicating Risk vs. Capability Keys to Success

2 What s Happening Now? Ignorance Apathy Confusion About half of the companies say they can tolerate a maximum recovery time of less than 24 hours for their critical applications. 47% <= 1 h. 2 h. 4 h. 8 h. 12 h. 24h. 36 h. 48 h. 72 h. > 72 h. Don t know Respondents = 101 Q. What is the maximum allowable downtime (recovery time) that you can tolerate for the top five business-critical applications? 2% 8% 14% 3% 8% 14% 17% 15% 7% 4% 9% Over time, recovery time has shifted dramatically toward a sub-24 hour requirement. This dramatically impacts the solutions customers require to meet that objective. 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% % of companies

3 Risk/Business Chaos Risk Management Focus Business Focus What I want to do. Create Business Value Competitive Advantage Drive Quality Enhance the Brand What I should do. Policies and Standards Customer Expectations Reasonable and Prudent What I have to do. Regulations Service Level Commitments Audit Findings Suppliers Employees Services Products Customers Shareholders Business Resilience Impact Business As Usual Operating Conditions Duration Depth The Resilient enterprise has a clear understanding of the depth and duration of impact and the capability to limit both, within acceptable business impact limits. Time Dead in the Water!

4 Reality: Business Discontinuity Impact Business As Usual Operating Conditions Unknown Duration Unknown Depth Dead in the Water! Time Your RPO is Zero! (or close to it!) Systems Applications Data Vital Records Lost Data Notifications Restore Technology Capability Resume Business Move to Alternate Site Return Home Recovery Point Objective Restore Communications Restore Business Functions Data Synchronization Relocate Office Equipment / Supplies Work Flow Recovery Time???

5 RPO drives RTO more than most people understand! Transactions Not Captured Declaration Data Retrieval Transit System Restore IPL & Network Database Restore Transaction Recreation Traditional Recovery - *Compute Utility Protection Data Staging - *Ability to Commence Restoration Immediately Standby Op. Sys. - *Ability to Boot Systems Immediately Electronic Vaulting - *Simplified Logistics Transact. Protection - Automated Remote Journaling (includes limited Electronic Vaulting) Data Shadowing - *Eliminates Data Recovery Exposures (includes Transaction Protection) Internal Solution - *Eliminates risk, accelerates recovery time Resilient Enterprise Guiding Principles Vulnerabilities and threats are endless the funds to address them are not! which requires that decisions must be made and risks must be mitigated or accepted, and then continuously managed. Fragmented, ad-hoc programs can be wasteful and dangerous! which requires that a single truth is established and risks are defined and managed proactively. Traditional approaches are expensive, inefficient, and ineffective! which requires an innovative thought to accelerate human effort, simplify the risk management program and align it with other programs that work.

6 Resiliency Management Why do traditional BIA s fail to make the case? Traditional BIA s focus too much on financial loss and not enough on operational impact! They present wants as requirements with little or no accountability for inputs! They convey recommendations in terms of what will be achieved, not what will be lost. They don t quantify risk versus investment in terms that have been proven to work in other risk management disciplines. They don t make a business case based on how things break because they don t lay out how things really work in the first place!!! The Inconvenient Truth Unintended Consequences Your program is not as good as your senior management thinks it is. It may not be as good as you think it is. We have made DR and BCP too complicated our insurance brethren have outmaneuvered us! Risk managers and business advisors will survive. DR/BCP practitioners will falter!

7 Unmanaged Program Profile????? Resiliency Management Solution Requirements Comprehensive FRAMEWORK for managing your program. METHODOLOGY and TOOLS to gather actionable data. Repository to ORGANIZE information. Method to MEASURE capabilities and gaps. Process to objectively set PRIORITIES and set your ROADMAP. Tools to EVALUATE, REPORT and COMMUNICATE. Platform to MAINTAIN and SUSTAIN your program over time.

8 Mature Program Profile IT Services Business Ops Mgmt/Governance Typical Program Profile

9 Measure & Prioritize Risk Management Quadrants

10 What Would Your CEO Say? We re just fine. We have a plan. We back up our data so we re covered. We have a recovery site and we test. It s all good! Actually I don t really know and I m not interested in problems.? What... me worry? What Would Your CEO Say? We re in control! We have a firm grasp on our capabilities and risks. We have accepted the risk of losing up to 1 day s worth of data and being down for up to 3 days. The business unit plans are based on validated assumptions for IT and vice versa. We manage what we re doing and what we re not doing!

11 Business Value Keys to Success Understand how the business operates...how it works...and therefore how it breaks. Embrace a framework to measure yourself against. Identify and prioritize gaps focus on what is really important. Define acceptable loss and impact thresholds accept risk. Focus on risk and impact when communicating, not on capabilities. Simplify your message. Find ways to cut costs before you are asked to. Don t beg present your case and transfer accountability. Don t compromise on RPO someone has to be able to recreate transaction data. Parting Thoughts Business Value Vulnerabilities and Threats are endless. The funds to address them are not! Business is the art and science of exchanging risk for profit. Resilience does not imply being invincible. Resilience does not imply you emerge unscathed. Resilience is simply the ability of the organization to bounce back from adversity as a matter of course and plan.

12 Fusion Risk Management, Inc. John Jackson Executive Vice President phone: (847) x502 website: