ITSCM

1 / 33

About This Presentation

Title:

ITSCM

Description:

Business Continuity works across IT and the business ... Plan rehearsals smartly (in terms of timing, risk) Monitor ownership/loyalty ... – PowerPoint PPT presentation

Number of Views:140

Avg rating:3.0/5.0

Slides: 34

Provided by: rinskege

more less

Transcript and Presenter's Notes

Title: ITSCM

1
ITSCM... is it just the tip of the iceberg?
Rinske Geerlings Director of business as
usual Former DR and Business Continuity Manager
at Rabobank
2
Why this presentation?

Risk awareness, regulations
Business Continuity works across IT and the
business
Specific practical knowledge required to manage
it well
Need to make sensible investment decisions
Deepen knowledge of BCM in order to improve ITSCM

3
Agenda

Terminology - DR, BCP, BCM, ITSCM...
Business Continuity in eight steps
So... is ITSCM just the tip of the iceberg?
Tips for consultants and DR/BC planners

4
Do you recognise this?

When suggesting a Disaster Recovery test, IT and
business staff always seem to be busy with
higher priority activities.
Emergency procedures are published on the
Intranet, but hardly any staff seem to know what
to do if they came back from lunch and couldnt
enter the building due to a fire.
When presenting a proposal to optimise your
off-site facility, the Board wonders why to
invest money in a dead site.

5
Other mistakes and misconceptions

Everyones in the same boat when it comes to
disasters like Pandemics and Terrorism
Our external suppliers will rapidly deliver
everything we need - we have put it in the
contract
Our organisation has planned for anything but
people issues

6
About me
7
Whats in a name... DR

Disaster
A sudden, unplanned calamitous event causing
great damage or loss. In the business
environment, any event that creates an inability
on an organisations part to provide the critical
business functions for some predetermined period
of time
DR Disaster Recovery
Activities and programs designed to return the
organisation to an acceptable condition. Tends
to have a technical (IT/systems) focus, but also
includes other provisions like accommodation,
phone/fax and workstations.

8
What about BCP?

BCP Business Continuity Planning
The process of ensuring an organisations
viability and continuation of business
operations (services, support processes)
before, during and after a disruption.
Holistic process, end-to-end
IT, HR, Marketing, Premises other support units
to provide recovery plans and provisions,
together with business units

9
BCM? ITSCM?

BCM Business Continuity Management
Generally used as term that encompasses BCP, DR
(including IT recovery) as well as broader
aspects (e.g. Risk Control, Business Impact
Analysis, Crisis Management and Damage
Assessment)
ITSCM IT Service Continuity Management (ITIL)
Managing an organisations ability to continue to
provide a pre-determined and agreed level of IT
Services to support minimum business requirements
following an interruption to the business

10
RelationshipsBCM BCP DR ITSCM
11
Importance of understanding these processes

Improved recovery technologies
Increased focus on continuity rather than just
recovery ? broadening of scope from technology
towards people and processes
Third party supplier responsibilities/contracts
Regulation, standards and audits
Reputation, market share, staff/investor
confidence
Increasing risk awareness
Business Continuity is not a luxury - its a
necessity

12
Standards in Business Continuity

DRII DR/BCP
Australian Standards BCM
APRA BCM
BCI PAS56 (British) BCM

13
Business Continuity in eight steps

Business Continuity process objectives
Risk management (including risk controls)
BCP organisational structure buy-in from all
levels
Key business processes (and interfaces,
activities, resources)
Operational financial Business Impact Analysis
(BIA)
Develop and implement Continuity
treatments/controls
Develop and maintain the BC Plan
Crisis Management, emergency response, damage
assessment,
team/technical recovery, notification plans,
plan maintenance
BC Plan exercises and training

Business Continuity process objectives
Risk management (including risk controls)
BCP organisational structure buy-in from all
levels
Key business processes (and interfaces,
activities, resources)
Operational financial Business Impact Analysis
(BIA)
Develop and implement Continuity
treatments/controls
Develop and maintain the BC Plan
Crisis Management, emergency response, damage
assessment,
team/technical recovery, notification plans,
plan maintenance
BC Plan exercises and training

14
Approach and specific best practice measures
for each of these areas
15
1) BC process objectives

Agree on objective, deliverables, approach,
terminology
Staff safety and job security are key drivers
Discuss how to keep BC and business strategy
aligned
Agree on a budget for Business Continuity
Agree on a timeframe to achieve milestones

16
2) Risk management

Identify each threat and current
controls/workarounds
Determine effect, duration and likelihood
(scores)
Rate each threat Risk (effect x duration)
x likelihood
Use internal and external information sources
Risk analysis to include unavailability of key
staff!
Possible to keep it simple
Assess cost of countermeasures and risk reduction
measures
Make investment decision and implement controls
Example Regular check-ups to reduce
effect/likelihood

Regular review of risk analysis

17
3) BCP organisation - structure buy-in

How to achieve management buy-in?
Present success/failure stories from the industry
Emphasise need for BCP for regulatory compliance
Emphasise competitive advantage(recovery
capability, reputation, integrity)
Impact on bottom line - do they know?
Insurance premium discounts
Presentation by external expert
Teams motivating other teams
Regular update papers (momentum)
Run workshops using topical scenario or apparent
threats

18
3) BCP organisation - structure buy-in
(continued)
19
4) Key business processes

High level rating of business processes in terms
of criticality
Highlight any interfaces/dependencies
Identify key activities and resources
Check for bottlenecks and single points of
failure
Dependency on certain people (internal/external)
Reliance upon key (parts of) premises
Outsourced services (re-think or form true BC
partnership)
Determine minimum staff levels to continue
operations
Determine key processes that can be run from home
or o/s
Brainstorm with managers about reducing scale of
services
Regular review of business process analysis

20
5) Business Impact Analysis

If its not worth protecting, is it worth doing?

21
5) Business Impact Analysis - example
Maximum Tolerable Outage Times
22
6) Implement Continuity treatments

Use results of BIA (recovery priority listing,
MTOT, RTO, RPO)
Assess cost of available continuity measures to
minimise/ manage disruption to normal business
Decide on most sensible investments considering
budget
Implement preliminary controls, develop
workarounds, optimise policies and plan future
projects
Regular review of Continuity treatments

23
6) Continuity treatments - examples

Remote desktop access (Citrix, Broadband) for
staff
Decentralise operations and use load-balanced
data centres
Remote hosting of Internet/e-mail/other critical
services
Cross-skilling, geographic dispersion, succession
(key staff)
Insurance for (in)voluntary business closure
income loss
(Globally) diversify client base and
distribution/sales process
Offsite storage/replication of critical documents
Contract multiple telecommunications/other
suppliers in dispersed (international) areas and
confirm their priorities
Check third party BCPs and results of their
(regular!) tests
Reconsider policies of just-in-time inventory
Set-up relation with emergency services
Procedure documentation (for alternate staff
training)
Disaster Recovery Site provisions (accommodation,
systems)

24
7) The Business Continuity Plan

Emergency response and operations (First Aid,
evacuation, crisis stabilisation, emergency
Control Centre set-up)
DR team roles and responsibilities
Damage assessment procedures
Notification/communication plans
HR policies - trauma, counselling
Crisis Management decision-making
Team and systems recovery, including
accommodation (DR site)
External agency liaison
Regular review of the Business Continuity Plan

25
8) BC Plan exercises and training

Aim for end-to-end process testing
Regularly train DR team members
Full BCP exercises, walk-throughs etc
Use topical scenario like pandemic
eg. 30 of staff absent, local transport outage
and no travel
Rehearse team decision-making based on little
information
Rehearse absence of key functions (dependencies)
Practical exercises/training
Sensibly use surprise elements
Involve external agencies where appropriate
Provide exercise results (Intranet) and ensure
follow-up

26
So, yesITSCM is just the tip of the iceberg!
27
Too much information?

Key points to get you (or your client
organisation) started
Team gt Threats gt Scenarios gt Bottlenecks
Controls gt Plans
Exercises
Use of standard templates

28
Whats in it for your organisation whether large
or small?

It is possible to tailor conceptsto suit your
needs
It is possible to efficiently plan for and
manage a disruption
Case study Macquarie Bank
Case study Lehman brothers

29
Tips for consultants DR/BC managers

Obtain management commitment
Reverse the perception of DR being a cost centre
Plan rehearsals smartly (in terms of timing,
risk)
Monitor ownership/loyalty
Build a Business Continuity culture
Part of corporate strategic plan (include in
budget)
Ensure documentation can be trusted
Formal review and sign-off of plans
Keep it simple! Quick wins first.

30
Think about it

Continuity issue wont go away
Threats are changing Power and IT issues ?
Pandemics and bomb scares
Risk of not doing it IT could be blamed for
unsuccessful recovery, or over/under investment
Consultants this is an opportunity!
Higher entry level into client organisation
(Board level)
BC as follow-on project from other (ITIL)
projects
ITIL as follow-on from Business Continuity
optimisation
ITIL BC Similar skill sets required (process
improvement)
You dont have to re-invent the wheel!