Beyond Disaster Recovery: The Business Resilience Transformation Methodology




Beyond Disaster Recovery: The Business Resilience Transformation Methodology
Richard Cocchiara, Chief Technology Officer for Business Resilience, IBM Global Services, (845) 496-1478

Agenda
- A definition of resiliency
- Trends in the marketplace that result in a new approach
- Regulations and their impacts on continuity
- What should we do from here?

The evolution of our industry has been led by advancements in technology, and by businesses' dependency on that technology. As the embedded use and pervasive adoption of information technology has intensified, IT has become inseparable from the operational performance of the business. Management awareness of this is on the rise. As such, information-based risk is being added as a focus item in corporate risk management programs.

[Timeline: Traditional Disaster Recovery, Business Recovery, Business Continuity, Business Resiliency; markers 1970, 1980, 1990, 2000, 2003, Future]

What is business resilience? Business resilience is the ability to rapidly adapt and respond to risks, as well as opportunities, in order to maintain continuous business operations, be a more trusted partner, and enable growth.

Business resilience is a shift from short-term reactions to a long-term commitment to the business, from reactive recovery to proactive adaptability.
- How prepared is your business to scale up or down when something unexpected happens? How do you train your staff to handle this? When was the last time you tested this ability?
- How would your business results be impacted if your company could reconfigure its business processes and infrastructure on demand to respond to changing market dynamics?
- To what degree are your business and technology infrastructures capable of supporting and protecting current and future business strategies and initiatives?
- How confident are you that your business processes and technology infrastructure are aligned with your company's strategy and organization?

Based on our experience, we have identified six key layers of the enterprise that must be addressed to achieve business resilience: Strategy and Vision, Organization, Processes, Applications and Data, Technology, and Facilities.

Various stressors can test the resiliency of your business:
- Environmental: natural disasters, workplace issues, contaminations / fuel spills
- Technological: IT infrastructure, technology adoption, innovation and trends, 24x7 expectations
- Economic: global marketplace, partners/suppliers, demand elasticity
- Social: terrorism, cyber attacks, biological threats, employee sabotage, industrial espionage
- Political: regulation, deregulation, incentives, legal

Regardless of the catalyst, the impacts can be extreme and can affect your entire extended enterprise: revenue, market share, customer loyalty, reputation and brand equity, competitiveness, productivity, security, credit, and goodwill and trust.

We're seeing new events that are challenging our traditional perspective of unplanned outages.

| Event | Date | Impact |
|---|---|---|
| Tsunami hits Asia | 2004 | Over 200 thousand people die; tests the governments' ability to respond |
| Chinese government takes action to stop SARS epidemic | 2003 | Scores of businesses affected when government quarantines buildings |
| Malicious computer worm hits 13,000 ATMs at Bank of America | 2003 | Bank unable to process customer transactions; impacted Internet traffic worldwide |
| Disintegration of Enron | 2001 | Affects energy markets worldwide; leads to new regulations on corporate financial reporting |
| Toronto Dominion loses ABM network due to system malfunction | 2001 | Major disruption to retail sales during start of holiday season |
| Terrorist attacks of September 11th | 2001 | Impacts the local economy of Lower Manhattan, the travel and hospitality industry, and financial markets worldwide for over 6 months; leads to the war on terrorism and to the war in Iraq |
| Victoria's Secret internet website problems during the Super Bowl | 1999 | Systems crash when capacity is unavailable to keep up with user demands, resulting in a very public outage |

Those events have driven trends which are affecting customer needs for business resilience solutions:
- Awareness of interdependencies, both infrastructure and business based
- Developing strategies for dealing with the data explosion
- Anticipating a primary facility loss
- Designing an architecture that is flexible with ample capacity for growth
- Planning contingencies for the potential loss or unavailability of personnel
- Integrating dedicated solutions into the strategy
- Impacts of an Internet outage
- Complying with industry regulations
- Satisfying customer expectations for 24x7 availability
- Integration of recovery, continuity, high availability and security

The importance of these trends has evolved with experience.

| Factor | Anticipated importance | Realized importance |
|---|---|---|
| Interdependencies | Not an issue before | Crucial |
| Data availability | High | High |
| Primary facility loss | Low | Medium |
| Staff available | Medium | High |
| The Internet and cyber attacks (24x7 availability) | Low | High |
| Regulations | Low | High |
| Dedicated solutions | Low | Medium |
| Discipline integration | Low | Medium |

To address these trends, businesses are now integrating four disciplines (recovery, continuity, availability and security) to achieve business resilience in an on demand world.

[Diagram: 15 years ago, IT Recovery (Customer Data Center, IBM Recovery Center); 5 years ago, Business Continuity (Customer Data Center, IBM Recovery Center, Customer Business Center, Internal Recovery Center); today and tomorrow, Business Resilience (Customer Data Center, IBM Recovery Center, Networks)]

IBM has distilled these trends down to a core set of requirements necessary to achieve resilience:
- Continuity of business operations: improves your ability to maintain continuous business operations by building processes and infrastructures that are responsive, highly available and scalable.
- Regulatory compliance: helps you comply with government and industry regulations and standards.
- Security, privacy and data protection: helps you protect and manage the existence, integrity, accessibility, privacy and confidentiality of data, critical information, systems and physical resources.
- Integrated risk management: increases the effectiveness of your overall risk management programs by taking a unified and governed approach.
- Knowledge, expertise and skills: improves the resilience of your business through the transfer of IBM knowledge and skills, or by utilizing IBM resources.
- Market readiness: enhances your ability to sense and respond to changes in customer demands or market opportunities to stay competitive and grow.

In each industry, business resilience helps address specific issues (industries covered: Banking, Retail, Insurance, Transportation, Electronics, Pharma / Life Sciences, Consumer Products, Media and Entertainment, Healthcare Providers, Financial Markets).
- For Transportation, business resilience is the ability to maintain continuous passenger and cargo operations that deliver to the right destination, safely, profitably, and on time.
- For Electronics Manufacturers, business resilience is the ability to maintain continuous manufacturing and service operations, protect their designs and software, incorporate new technologies, and avoid commoditization.
- For Banking, business resilience is the ability to maintain customer trust, compliance, and continuous banking operations.
- For Retail, business resilience is the ability to maintain continuous supply chain and store operations.
- For Pharma / Life Sciences, business resilience is the ability to maintain continuous and compliant drug discovery, and high quality manufacturing.
- For Consumer Products, business resilience is the ability to maintain an operational supply chain, brand value, and product quality.
- For Media and Entertainment, business resilience is the ability to maintain continuous production operations for editorial, broadcasting, and publishing.
- For Healthcare Providers, business resilience is the ability to reduce medical errors, comply with regulations, maintain continuous hospital operations, control costs, and attract patients.
- For Insurance, business resilience is the ability to maintain continuous business operations at central, regional, and thousands of agent offices.
- For Securities Brokerages, business resilience is the ability to maintain continuous trading, settlement, and customer service operations.
Sources: IDC 28649, December 2002; IDC 2003 Spending in Vertical, Jan 9, 2003; IDC 29066, March 2003

But no matter what industry, a step-by-step approach to understanding risks and developing an integrated transformation program is required to help a company become more resilient:
- Prioritize business resilience needs
- Establish risk tolerance
- Evaluate resiliency capabilities
- Plan for business resilience
- Design a resilient architecture
- Implement the architecture
- Manage to resilience objectives
- Rehearse and review the resilience program

The transformation begins with identifying critical resources and a thorough impact assessment to help frame what portions of the business need to be secured.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Assess step, Prioritize Business Resource Needs: Identify Resource / Asset Inventory, Reach, Impact of Actual Outage, Impact of Presumed Outage, Range Report. Later steps: Establish Risk Tolerance; Strategy, Design and Implement; Manage and Rehearse]

The next step is to identify and assess risks to those functions deemed critical to the business.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Assess step, Establish Risk Tolerance: Identify Threats and Security Risks, Risk and Vulnerability Analysis, Validate the Information, Report. Later steps: Evaluate Capabilities; Analyze Responses; Strategy, Design and Implement; Manage and Rehearse]

A typical starter list of threats that should be analyzed includes the following:
- Earthquake
- Volcanic activity
- Major landslide/mudslide
- Subsidence
- Faulting
- Upstream dam/reservoir failure
- Seasonal/local flooding
- Tidal flooding
- Tsunami (tidal wave)
- Tornado
- Hurricane/typhoon
- Tropical storm
- Snow/ice storm/blizzard
- High winds (70+ mph)
- Sand storm
- Meteor impact
- Act of war: conventional
- Act of war: nuclear
- Sabotage: internal physical
- Sabotage: internal and external data/software
- Sabotage: external physical
- Market
- Epidemic
- Medical emergency
- Radioactive contamination
- Fire: internal, catastrophic
- Fire: internal, major
- Fire: internal, minor
- Aircraft crash
- Toxic contamination
- Plumbing failure
- Water leakage
- Fire: external
- Accidental explosion: off-site
- Accidental explosion: on-site
- Power outage: external
- Power outage: internal
- Power fluctuation
- Vandalism
- Labor dispute/strike
- Riot/civil disorder
- Bomb threat and bombing
- Arson
- Hostage taking
- HVAC failure
- Transient inadequacy
- Central computer equipment failure
- Ancillary equipment failure
- Telecommunications failure (data)
- Voice communications equipment failure
- Media failure
- Purchased software failure
- Human error: operations and programmers
- Human error: users
- Human error: maintenance
- Loss of resources
- Theft: data
- Theft: physical assets ($250+)
- Fraud/embezzlement
- People safety measures
- Suspicious package handling
- Bio-terrorism
- Capacity planning
- Operational
- Regulatory

After understanding what threats may apply to your critical business functions, a thorough examination of your current capabilities to mitigate those threats or risks is required.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Assess step, Evaluate Capabilities: Select Risks to be Mitigated, Evaluate Using the BR Layers, Compare to Best-in-Class, Assessment Report. Later steps: Strategy, Design and Implement; Manage and Rehearse]

We have identified six key business resilience layers that expand into over 130 components in an enterprise. Each must be addressed to achieve business resilience.
- Strategy and Vision: governance strategy, financial strategy, security strategy, availability strategy, communications strategy, new product/services strategy, risk management
- Organization: roles and responsibilities, structures, human resource management, skills, cross-organizational cooperation
- Processes: business processes (sales order, finance and accounting, enterprise resource planning, customer relationship management, supply chain management, quality management, research and development) and IT processes (change management, problem management, incident management, availability management)
- Applications and Data: data and application security, data storage, application architecture and design, backup and recovery
- Technology: hardware architectures, system software, middleware, networks
- Facilities: physical and logical security, access controls, power protection, environmental considerations

Following a complete analysis and assessment of current capabilities, a plan is then designed that sets a roadmap for achieving business resilience.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Plan step, Plan for Business Resilience: Initial Strategy, Alternative Strategies, Business Resilience Architecture, Business Resilience Design Roadmap, Strategy Plan. Input: Needs, Risks and Capabilities. Later step: Manage and Rehearse]

After a strategy is chosen, a solution architecture is designed that meets the business resilience needs of the enterprise.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Plan step, Resilient Architecture Design: Conceptual Design, Resilient Architecture, Solution Design. Input: Needs, Risks and Capabilities. Later steps: Implement the Solution; Manage and Rehearse]

To build a resilient architecture, specific issues should be addressed (governance, program execution, business justification, resilient architecture design, solution design, systems management, security, applications, facilities):
- Business and financial justification: concurrence among business executives; explanation to internal and external audit groups
- Governance / authority / policies: communication, mission, discipline
- Solution design: related IT functions (e.g., service desk); unrelated business functions
- Maturity of systems management disciplines: problem, change, configuration, incident
- Security: physical and logical
- Application: data protection, backup, restart, synchronization
- Program execution: reporting, roles and responsibilities, public relations, business integration, plan invocation
- Facilities: location, management, security, availability

The implementation phase of the methodology may select from many different solutions, all designed to meet the needs of the overall architecture design and ensure business resilience.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Execute step, Implement Enterprise Solution: Strategy Solutions, Organization Solutions, Process Solutions, Apps and Data Solutions, Technology Solutions, Facility Solutions, Implementation Project Plan. Input: Needs, Risks and Capabilities. Later step: Manage and Rehearse]

A resilient architecture must accommodate multiple characteristics across the six layers of your enterprise:
- Strategy and Vision: crisis management process; executive knowledge of resilience capabilities; change management process; articulated governance model; supplier awareness of requirements used as competitive advantage; clearly articulated security policy
- Organization: geographic diversity of staff; call trees and notification; backups of workstation data; articulated roles and responsibilities; identified command center
- Processes: identification of most critical processes; integrated contingencies; split of phone support/call center; split of functions; key links with external companies; ITIL and CobiT standards implemented; integration into help desk/monitoring
- Applications and Data: mirroring for critical data; remote backup for 2nd tier; regular audit of backup; mirrored login and authentication; information life cycle management; database (DB2, Oracle) failover and standby; identity management; e-mail filtering and recovery
- Technology: GDPS for mainframe; high availability cluster multiprocessing; blade servers with dynamic configuration; extra components for availability; grid computing for high-intensity apps; 24x7 monitoring of IDS logs
- Facilities: diverse power sources; diverse network access points; UPS with 2+ hours; diesel generator; secondary location 50+ miles away; managed 24x7 physical security; biometrics

After implementation, managing the solution architecture becomes critical to execution and continued business resilience.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Execute step, Manage the Solution: Business Resilience Program, Business Resilience Reporting. Inputs: Needs, Risks and Capabilities; Plan, Design and Implement. Later step: Rehearse and Review the Program]

Program management report hierarchy: provides executives insight into the program in a concise and succinct manner.
- Management Briefing Booklet: year-to-year comparison of results; next quarter program objectives; intra-division benchmarks; test results; application report cards
- Technology Review Report: initiatives projected for next year; ramifications of initiatives; suggested focus areas of program
- Strategy Definition Report: summary of technical resilience requirements; recommended resilience strategies; cost estimate for recommendations
- Criticality Analysis Summary Report: priority of business processes; rationale for priority; number of applications by recovery tier
- Program Status Report: prior week's achievements; issues or problems; future week's activities
- Post Exercise Summary Report: tasks completed during test; duration of tasks vs. estimates; problem log; suggestions for efficiencies

Part of any effective business resilience program is testing it to ensure it will work when you need it.

[Diagram: Business Resilience Lifecycle (Assess / Plan / Execute). Execute step, Rehearse and Review the Program: Exercise Planning, Technical Procedure Review, Exercise Execution, Business Resilience Testing Report. Inputs: Needs, Risks and Capabilities; Plan, Design and Implement]

Since so much is at stake, businesses cannot afford to wait.
The old paradigm was "Experience and React":
- Things happen
- We react
- The organization is affected
The new way of thinking must be to "Anticipate and Adjust":
- Things still happen, but their effect is neutralized
- The organization sees or feels no effect

Thank you