"Principal Internal Auditor"
A PRAGMATIC AND EFFECTIVE APPROACH TO BUSINESS CONTINUITY AND RECOVERY PLANNING

BY HUSSEIN K. ISINGOMA, CISA, CISM, CRISC, CIA, FCCA, CPA, MSC, BBS
AG. ASSISTANT COMMISSIONER, INTERNAL AUDIT
MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT
July 2011

Presentation Plan
• Introduction and Background
• Understanding Business Continuity and Disaster Recovery Planning
• The Need for BC/DR Planning and Management
• BC/DR Planning Tasks/Processes
• Achieving effective BC/DR Planning; Key Issues
• BCP resiliency: Thinking Cloud?
• Conclusions

Introduction and Background
• The world is still fresh with shock and memories of the recent events and impact of the March 2011 Japanese earthquake/tsunami, which caused devastating destruction of infrastructure, mainly at the Fukushima Nuclear Plant.
• The Fukushima disaster is being termed probably the biggest industrial catastrophe in the history of mankind.
• The nuclear plant was run by the Tokyo Electric Power Company (TEPCO), which supplied 1/3 of Japan's electricity before and until the quake.
• The seawall that was designed to mitigate the impact of a tsunami was only 5.7 metres high, and no previous assessment had put the possibility of a tsunami going beyond 5.7 metres.
• It was wrong; the 03/11 tsunami rose to 15 metres!!!!!! just 45 minutes after the earthquake.
• A BBC news report and the Economist newspaper of 28th June 2011 reported a fall in TEPCO's share price of 85%, a prospect of $100 billion in compensation, 23,000 dead or missing, and 80,000 evacuated.
• The company's tsunami safety plan was only one page and had last been updated in 2001.
• The 9/11 World Trade Centre terrorist attack took out a total of 13,000 servers, and the estimated cost of replacing IT for the affected securities firms stood at $3.2 billion.
• Some of the other disasters or near disasters occasioned by IT failures include the loss of 25 million records of Child Benefit recipients in the UK, and the failure of the former Soviet Union's early warning system in 1983, which almost drew the world to the prospect of World War III.

Business Continuity/Disaster Recovery Planning
• The purpose of Business Continuity is to ensure that core business functions continue with minimal or no interruption.
• The objective is to ensure that the organization will survive and continue to generate revenue.
• Disaster recovery is about rebuilding.
• Clients and investors alike are notorious for abandoning organizations during their rebuilding phases.
• It doesn't take much effort to cause layoffs, a fall in stock or share prices, or even permanent shutdowns.
• The above realities lead us to the evolution from disaster recovery to business continuity.

The Need for BC/DR Planning and Management
• News of the World!!!! Did they ever plan for the phone hacking scandal that led to its closure???
• What do organizations or businesses need?
• In the aftermath of recent natural disasters, terrorism and equipment breakdown, businesses have recognized more than ever the need to be prepared.
• Firms/companies are striving to meet demand for continuous service.
• The growth of e-commerce has pushed systems availability expectations toward 24x365.
• It is important that a BCP, adequately supported throughout the organization, embodies the strategic framework for a corporate culture to mitigate risks that might cause:
  • Business process failure
  • Asset loss
  • Regulatory liability
  • Customer service failure
  • Damage to reputation
• Business survival necessitates planning for every type of business interruption.

BC/DR Planning: The Risk Management Perspective
Part of the Risk Response

Risk Management Strategies
• High Impact, Low Likelihood: Contingency Plan
• High Impact, High Likelihood: Manage Actively
• Low Impact, Low Likelihood: Periodic Reviews
• Low Impact, High Likelihood: Good Housekeeping

BC/DR Planning Tasks/Processes
Process Management
• Define BC/DR Management Objectives
• BC/DR Management Steering Committee
• Formal Risk Assessment definition (Impact and Likelihood Risk Assessment criteria definition)
• Key legislation and Industry Codes of Practice
• Identify key Business Processes and critical dependencies
Business Impact Assessment
• Impacts of potential business interruptions and recovery time objectives (RTOs)
• Vendor contracting procedures
Recovery Strategies definition
• Alternate site identification
• Cost Benefit Analysis of recovery strategies
• Standards for recovery, restoration and communication plan
BCM Procedures
• BC/DR crisis management organization
Training and Awareness
• Document training plans
Plan Exercise
• Roles and responsibilities definition for BCP testing
• Types of testing
Plan Maintenance
• Timelines for plan updates
• Onsite and offsite plan storage

BC/DR Planning Enablers
• Process and Risk Management Maturity
• Top Management support
• Business Strategy

Rationale for BC/DR Planning; the Business Value case
• Value delivery. Coping with severe impacts to business arising out of interruptions makes businesses more valuable, reliable and dependable.
• Survival. A well designed, exercised and maintained plan lies between a business's ability to continue as a going concern or going bust!
• Risk Management maturity enhancement
• Competitive advantage; case for offshore software development initiatives/vendors
• Staff and client confidence
• Compliance
• Insurance costs/premiums
• Diagnosing organizational efficiency

Business Contingency Planning General Procedures
• Disaster
• 1st person on scene calls BC Manager
• Call Business Continuity Coordinator
• Call Recovery Management Team
• Inform HQ's
• Recovery Mgt Team report to Command Centre
• Recovery Team report to Disaster Scene
• Report status to Recovery Mgt Team
• Will Orgn. be out > 72hrs?
  • No: Return to Normal Operations
  • Yes: Inform COO/CTO
• Invoke BCP? (No / Yes)
  • Yes: Invoke BCP

Achieving effective BC/DR Planning; Key Issues
• Top or Senior Management Sponsorship. Consensus ought to be established to:
  • Guide which aspects of business are to stay operational in case of disruptions
  • Set the level of protection needed; risk appetite
  • Synchronize BC/DR plans with overall business strategy
• Risk Analysis
  • Risk identification should consider a wide range of possible scenarios.
  • More often than not, BCPs consider the most likely scenarios.
  • Although focusing on big events is desirable, a narrow focus on risk could lead to potentially disastrous events.
• Business Impact Analysis
  • Organizations have limited resources. There is need to focus on key processes that need to be recovered in case of a disaster.
  • Focus on key business processes and critical dependencies.
  • The BIA needs to be kept updated as the business changes, or be subject to periodic review.
  • Identify process-specific recovery time objectives (RTOs).
  • Prioritise recovery efforts based on agreed RTOs.
  • Review service level agreements with service providers.
• BC/DR organization
  • Roles and responsibilities need to be defined.
  • BC/DR requires organization, coordination, and execution.
  • How and when is a disaster declared, and by whom?
  • Criteria for disaster definition and therefore declaration
• Plan exercising/testing
  • If a BC/DR plan is not tested, it could fail under the stress of a real disaster.
  • The ability of the BCP to execute when a disaster is declared is key.
  • Annual testing of the plan is desirable.
  • Look at ways of integrating testing into normal business operations.
  • Opportunity to test failover/redundancies
• Scoping
  • Over-concentration on resumption of business at the expense of people and processes
  • Personnel can be incredibly inventive and innovative, as opposed to systems, in times of disaster.
  • People issues tend to be the more difficult challenges to resolve during a disaster.
• Funding of BC/DR activities
  • Many organizations consider BC/DR as good but not essential.
  • Many plans are unfunded, posing further risks to the organization's business continuity.
  • There is need to develop formal business cases for BC/DR funding.
  • Projects need to take continuity issues into consideration before implementation.
• Communication plan
  • There is need to have a well documented communication plan.
  • Employee call trees and supplier and vendor contacts need to be constantly updated.
  • Consider multi-vendor support for key means of communication.
• Media Management/Public relations
  • Need to mitigate reputation loss through effective media management
  • Clients and the public need reassurance and faith that the situation is not as bad as perceived and is under control.
  • It's about winning the hearts and minds of stakeholders.
  • Staff members or employees need not give their own view of the situation to the media.
  • Prepare public statements in advance to prevent the media from turning the situation into a public relations nightmare.
• Security
  • The time the organization is most vulnerable to security threats is in time of disaster.
  • The propensity to ignore security procedures is very high.
  • The Incident Management team and structure must include appropriate IT security staff to stem all possible anomalies.
• Inventory Management
  • Review the inventory list continuously.
  • A comprehensive list of equipment needed for recovery and resumption activities should be maintained.
• Role of insurance
  • Need to ensure that insurance provisions address timely reimbursements in case of losses accruing from disaster
  • Internal organizational policies need to address the accounting treatment of assets and related depreciation.
  • Clear definition of the scope covered under insurance is critical.
  • Insurance policies need to be constantly monitored so as to reflect the new realities, risks or challenges to business.
• Complacency!
  • BCP requires constant updating.
  • Business risks and related potential impacts are constantly changing.

BCP resiliency: Thinking Cloud?

Amazon EC2
• Whilst it is easy to be critical of Amazon, for many who have used its EC2 Cloud, the benefits to their performance, business continuity and resilience have been significant.
• Many have been able to achieve higher levels of uptime and reduce costs whilst managing higher demands.
• The April 2011 AWS (Amazon EC2) "failure" has probably caused their customers to take a hard look at their business continuity plans.
• Challenges related to security responsibility, information residence, data ownership and confidentiality remain in the cloud.

Lessons
• Think through the going-Cloud business carefully and thoroughly.
• Understand the infrastructure upon which the cloud operates; do you need internal IT resources???
• How robust are your cloud SLAs as regards compensation for downtime? Are they worth the cost of the downtime?
• Remember too well that: your fate is in the hands of the service provider, whose fate is in the hands of …….?????
• A well structured service level agreement (SLA) that includes the rights to audit is key in assisting the organization in data management for stored, in-transit or processed data in the cloud.

BCP; Which Way to go???
• Crossroads or an epitome of science?
• Balancing the Act!!!

The greatest joy of living is not in never falling but getting up every time you fall – Nelson Mandela

References: BCP standards
• Control objective for information and related technology (CoBIT)
• Federal Emergency Management Association (FEMA)
• National Institute of Standards and Technology (NIST)
• Disaster Recovery Institute International (DRII)

Conclusion!
• BCP is about managing and mitigating the potential impact of change.
• Remember! 'When trying to predict future organizational environments, it seems that our only certainty is that things will change' (Kotler, 1998)