Business Continuity Trends and Risk Considerations
Financial Executives International, Portland Chapter
June 12, 2013
Chitra Gopalakrishnan, Director, KPMG LLP

Agenda
- Introduction
- Business Continuity / Disaster Recovery: A Brief Background
- Continuity / Recovery Risk Considerations
- KPMG / Continuity Insights 2011/2012 Global Benchmark Survey Highlights
- Closing Remarks and Q&A

Throughout this document, "KPMG" ["we," "our," and "us"] refers to KPMG International Cooperative ("KPMG International"), a Swiss entity, and/or to any one or more of the member firms of the KPMG network of independent firms affiliated with KPMG International. KPMG International provides no client services.

Opening Remarks and Introductions
Chitra Gopalakrishnan, Advisory Director
Over 15 years of IT, Security, Business Resiliency, PMO Advisory, and Governance, Risk and Compliance consulting experience. Business Continuity / Disaster Recovery experience includes leading and establishing BCM programs, business impact analysis, application recovery interdependency analysis and recovery strategy development, and audits and assessments of resiliency strategies.
Business Continuity Management A Brief Background
If We Are Not Planning for Disasters, We'd Be in Trouble
(Image: http://scienceblogs.com/startswithabang/)

Disasters Aren't Always Natural
(Image: http://www.sharenator.com/more_pics_and_gifs/)

Major Business Continuity Program Components
Business Continuity Management comprises:
- Emergency Response
- Crisis Management
- IT/Disaster Recovery
- Business Continuity

Business Continuity Management: a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. It covers the management of recovery or continuity in the event of a disaster, and also the management of the overall program through training, rehearsals, and reviews, to ensure the program stays current and up to date.
BC/DR at Many Organizations
(Image: http://www.cloudtweaks.com/category/blogs/)

A Brief History of BC/DR

Why Business Resiliency Is More Important Than Ever
The past twelve months have been awash with natural disasters. Earthquakes, tsunamis, flooding, volcanic eruptions, and uncharacteristic weather patterns have created large-scale business impacts. Changes in technology, workforce expectations and unforeseen challenges are causing many companies to rethink their traditional approaches to Business Continuity and Disaster Recovery. The largest trends are less reliance on document-intensive plans and more attention to crisis management and effective communication.
(Images: http://www.wired.com/dangerroom/2007/10/the-softer-side/ and http://www.disasterrecoverywhitepaper.com/disaster-recovery-exercises/)
Leading organizations are evaluating legacy approaches to Business Continuity and Disaster Recovery to find the right balance between effective risk management and efficient response.
Continuity / Recovery Risk Considerations
Risk Considerations

Risk Type and Treatment Overview
At the highest level, there are four things that can be done with risk:
- Mitigate
- Transfer
- Plan
- Accept

Types of risk to be considered: Compliance, Financial, Operational, Strategic, Technical, Contractual, Lost/Deferred Revenue, People, Market Share, Cybercrime, Regulatory, Opportunity, Production, Partnerships, E-Business, Service Level Agreements, Shareholder Equity, Supply Chain, Reputational, Infrastructure Failure.

Emerging IT Risks
The pace of technology change and innovation continues to gain momentum, with profound implications for how organizations operate, whether it's increased adoption of mobile devices, cloud computing, or the increasing amounts and varieties of data to which organizations have access.
- Business Imperatives: Growth/strategy, Efficiency, Compliance, Risk and Governance
- Game-changing Technology: Mobile computing, Big data/analytics, Cloud computing
- Capabilities; Knowledge & Data

Enterprise Risk Coordination
Business Continuity and Disaster Recovery planning, testing and execution don't function in a vacuum. BCM sits alongside: Information Technology, Information Security, Compliance, Privacy, Legal, Risk Mgmt., Records Mgmt., and Physical Security / Facilities.

Regulations, Standards, and Guidelines (Global and North America)
Regulations:
- Federal Financial Institutions Examination Council (FFIEC)
- Financial Industry Regulatory Authority (FINRA)
- Federal Energy Regulatory Commission (FERC) / North American Electric Reliability Corporation (NERC)
Common Standards/Guidelines:
- NFPA 1600
- BS 25999 / ISO 22301
- ASIS BCM.1 / ASIS SPC.1
- NIST SP 800
- DRII/BCI
- COBIT
- ITIL
- ISO 27002
- Australia HB 221:2004 Business Continuity Management
- India RBI BC Circulars
- Singapore MAS Business Continuity Management Guidelines
- UK Financial Services Authority Handbook
Commonalities: Oversight Board/Reporting, Program Structure, Assessments, Recovery Plans, Training, Exercising, Maintenance.

Developing a Plan: Top 5 Reasons BCP and DRP Are Not Successful
1. Failure to adequately / realistically capture availability needs (BIA) (and reconcile them to associated costs!)
2. Lack of understanding of application / system interdependencies
3. Failure to define and track metrics and critical success factors
4. Lack of integration with other ERM focus areas
5. Failure to obtain top-level support (funding and resources) for business resiliency as an ongoing strategic priority / enabler
KPMG / Continuity Insights 2011/2012 Global Benchmark Survey Highlights
Benchmark Highlights
Key Industries Represented: Financial Services 53%; Technology/Telecom 18%; Professional Services 18%; Insurance 11%.
Geographic Breakdown: US 67%; Canada 8%; Europe 8%; South America 6%; Rest of World 13%.
Some Other Key Statistics: 40% are public companies; 45% are global, multi-site companies; 25% have more than 20,000 employees; 17% are greater than $10B in revenue.

Benchmark Highlights (continued)
Comparison 2006 vs. 2011/12 - Types of Events Resulting in Plan Activation
Event                        2006     2012
Power Outage                 59%      46.9%
Hardware Failure             51%      30.5%
Natural Disaster             46.8%    50.4%
Telecom / Network Failure    41%      31%
Software Failure             39.97%   30.5%
KEY TAKEAWAY: Companies are getting better at managing known risks, at least the risks *THEY* control!

Benchmark Highlights (continued)
Comparison 2006 vs. 2011 - Estimate of What Business Disruptions Have Cost the Company in the Past 12 Months
Cost range                   2006     2012
< $100,000                   58.59%   31.7%
$100,000 to $499,999         22.63%   11.7%
$500,000 to $999,999         6.74%    4.9%
$1 million to $5 million     7.22%    2.1%
> $5 million                 4.82%    2.6%
Approximately 47% of the respondents that answered the question responded "Do Not Know." NOTE: "Do Not Know" was not an option on the 2006 Benchmark Survey.
KEY TAKEAWAY: The ability to measure the impact of a disruption and its cost basis is improving, but a large percentage still aren't comfortable tracking/estimating these impacts.

Benchmark Highlights (continued)
Comparison 2006 versus 2011 - Primary Reason Why Company Is Using a BC Program
Reason                                                                              2006     2012
Continuity of business operation and timely recovery when business is interrupted   72.23%   84.2%
Unique competitive advantage                                                        1.77%    14.7%
Customer request or requirement                                                     5.62%    22.0%
Industry standard                                                                   8.51%    33.5%
Reputation                                                                          *        39.7%
Address Audit Findings                                                              *        31.6%
* Not part of the Benchmark Survey for that year
KEY TAKEAWAY: BCM impacts are evolving from back-office to front-office concerns, with an increased understanding of BCM value to customers and business partners.

Benchmark Highlights (continued)
Comparison 2006 versus 2011 - Allocation of Funds for BC Initiatives
Basis                                                        2006     2012
Case-by-Case Basis                                           46.87%   28.4%
% of IT Budget                                               14.77%   10.6%
% of Risk Management Budget                                  9.15%    7.8%
% of Individual Functional                                   2.41%    6.0%
Importance of Data & Systems at Risk                         18.30%   *
Other                                                        8.51%    6.8%
Hybrid Chargeback Basis with Base Fee and Usage Charge       *        4.2%
Do Not Know                                                  *        23.0%
* Not part of the Benchmark Survey for that year
KEY TAKEAWAY: BCM/DR funding is still inconsistent across organizations, with a trend toward a more strategic focus and less project-oriented focus.

Benchmark Highlights (continued)
Newer technologies currently implemented within your organization:
[Bar chart, all respondents: Cloud Applications, Mobile Applications, Social Media; bar labels 80%, 54% and 34%, in that order]
KEY TAKEAWAY: For these new approaches, BCM is less mature. 42% have BCM plans for Mobile Apps, 28% have BCM plans for Cloud, and 18% have plans for Social Media.
Impact of Cloud on Business Operations
Adopting cloud has a big impact on IT, but it doesn't stop there. Critical business operations are also affected.
- Organizations need an enterprise-wide approach that takes in the cross-functional effects of cloud.
- The approach may vary, depending on the chosen cloud service model, deployment model, and the maturity of existing business and IT processes.
- Lessons learned from outsourcing apply in the cloud.
- As Cloud Service Providers' (CSPs') practices evolve and mature, enterprise processes need to keep pace with the changing landscape.
Business operations affected: Financial Management and Tax; Security and Privacy; Operational; Data & Technology; Regulatory and Compliance; Vendor Management.

Trends in Leveraging Cloud for Business Resiliency
- Cloud for Disaster Recovery (DR) continues to be a discussion for many of our clients. Cloud-based recovery services offer a way to achieve the recovery capabilities of advanced DR services at a more affordable, subscription-based price. There are concerns over the security of the cloud, but over time it will be a key component of a disaster recovery program.
- The use of data replication technology continues to increase, and Recovery Point Objectives (RPOs) continue to shrink as end users' tolerance for data loss diminishes.
- Companies are reevaluating their DR plans for virtual and cloud environments to address the recovery complexity of applications and data spanning multiple architectures.
- Organizations are starting to use cloud computing services to manage disaster recovery.
- Cloud services promise to save organizations money and accelerate recovery time.

Leveraging Mobile for Crisis Management
http://www.emc.com/collateral/data-sheet/rsa-archer-business-continunity-mgmt-mobile-app-ds.pdf
http://www.microsoft.com/about/corporatecitizenship/en-us/nonprofits/helpbridge.aspx
http://teamstudio.com/continuity.aspx
https://play.google.com/store/apps/details?id=gov.fema.mobile.android

Leveraging Social Media for Crisis Management
Closing Remarks
Closing Remarks
We see BCM remaining an organizational top priority for the next several years. The unexpected impact of natural disasters, geo-political instability, and continued interconnectivity of value chains will drive the need for BCM to evolve and improve.
- Embedding a Business Continuity culture in the form of Operational Resiliency
- Customer-facing processes are being prioritized
- Vendor resiliency continues to be an area of focus
- Business Continuity integration with other disciplines
- Cloud transformation of Disaster Recovery

Thank You!
Chitra Gopalakrishnan, Director, KPMG Advisory Services
chitragopalakrishnan@kpmg.com
425-533-3431